BCOS Monero Village - Ring Signatures MONERO

Video in TIB AV-Portal: BCOS Monero Village - Ring Signatures MONERO

Formal Metadata

Title
BCOS Monero Village - Ring Signatures MONERO
Alternative Title
Examining Moneros Ring Signatures
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

All right everyone, I know it's a little bit early, but I'm gonna start a little bit ahead of time because there is a lot of information for me to cover about ring signatures today. So before I begin, can I just have a quick poll of the room: how many of you know what ring signatures are? Perfect. So unfortunately, since I have so little time, I'm gonna kind of jump right into ring signatures without an initial explanation. There are a lot of other resources you can use if you want to have an initial explanation about ring signatures, but we're going to be looking specifically, essentially, at why ring signatures suck and what you can do about it, and under which use cases should you be concerned about how ring signatures work, and ultimately what sort of entropy they provide with Monero transactions. So ring signatures, they are
one of the four primary components of privacy that Monero offers. The ring signatures are used to obfuscate the sender in the transaction, or more accurately, which output is used in the transaction. It makes it seem as if several outputs are each independently being spent; you don't know which source of funds is actually being used. So we're
just going to talk about that one component today. So if you look at a ring signature, it kind of looks like this. First, it's important to understand outputs. Outputs are like pots of gold; they're single-use pots of gold. When you send a transaction to someone else, you create a new pot for them and you dump whatever gold, or Monero, you want them to keep, and then you make a new pot for yourself that you dump all the change back into for yourself. That is how Monero money is held: it's held in these outputs. It's really important to understand how outputs just generally work; they're stored as, essentially, pots of gold, so to speak. And so on the screen here you can see an example of a ring signature. A ring signature contains several of these outputs. The highlighted one, let's say, is the real source of funds you want to spend. If you want to give someone five dollars, you need to give them a five-dollar bill; similarly with Monero, if you want to give someone Monero, you actually need to spend money that you have. That is the output you do control and the output that you are spending in the transaction. These other black pots, so to speak, these other outputs, are called decoys. You do not control these outputs, and they're just essentially money other people control, but you select these from the blockchain to make it seem as if these sources of funds are also used in the transaction. So collectively you have this ring of, in this case, seven outputs (seven is the current minimum ring size for Monero) of potential sources of funds that are used in the transaction. These seven potential outputs are the sources of funds that could be used in this transaction. So that's the general idea of a ring signature. Now, it's important to also understand the key image. The key image is a reference to the actual output you do control; it has nothing to do with any of the decoys. This is important because otherwise you could just fabricate a transaction with everyone else's money and make it seem like
you're spending other people's money. You need the key image in order to actually make sure someone's putting something up for stake, that they actually have the right to spend the funds that they say they are spending. But the key image is really important because there are potential attack vectors with how the key image can be used across several different chains. We'll speak about all of that during this talk today. So, a history
of the ring sizes of Monero. Monero was launched in early 2014. When it launched it had a ring signature feature, but there was no requirement that you actually included decoys in your ring signature. You could create a transaction essentially without using the feature, where you had no other decoy outputs in your transaction, and that was pretty bad. There are several research papers I highly recommend you read, MRL 1 and MRL 4, which are two research papers on this topic, or else you can talk to either me or Sarang after. And as a result, we decided in order to actually protect the integrity of the privacy, really, in Monero, we need to have a minimum ring size. And so in March 2016 the minimum was increased to 3, and then in September the minimum was increased to 5. Early this year we learned of a new attack vector, and it was increased to 7 in order to sort of provide protection against this attack vector. I'll speak about this vector later. And going forward we don't have a super, like, concrete set plan, so I'll speak about how we weigh the pros and cons and how we decide, like, what considerations are necessary to increase the ring size. So this is the
first attack I really want to cover, and it's really critical to understand the idea of a zero-decoy attack, because every single other one of the attacks essentially replicates the same sort of effect but just does it in a different way. So once you understand the impact of how zero-decoy attacks work, you can pretty much understand anything else. So when we have the ring signature there, for example, there's seven outputs in the ring signature; six of them are decoys. In Monero's past you could create transactions without any other decoys. This is an example here: suppose you had a ring with just this one decoy. In this case there's absolutely no ambiguity: you know that this output was spent in that specific transaction. So if my ring size seven transaction included this output in my ring signature, you would know, since that output was known to be spent in that other transaction, it could not have been spent in this ring signature. So instead of having an effective ring size of seven, you're now down to an effective ring size of six, because this one output is known to not possibly be a real one; it's known to be a decoy. And if you repeat this process for several other, if you repeat this process for
likely the other six outputs, you then are able to determine, okay, well, now that you know that none of the other decoys are the real one, you know that they are actually decoys, you're able to know that the output that you sent in the transaction, the real money you spent, was actually spent in this ring. And this is where the chain reaction effect comes in. So even though your transaction used a ring signature, since your ring signature was compromised, it actually negatively impacts all other transactions which use your output in their ring signature. So as an example here, you have another ring signature, and one of the outputs that they selected was one of yours. Since this output is known to be spent in the transaction on the left, it is known as a decoy for the transaction on the right; you know it is not a convincing possible output that realistically could have been spent. So that's the general idea of the zero-decoy transaction. In effect it's a mechanism to attribute outputs as known to be spent in other transactions, in order to ultimately learn more and ultimately break down the ring signature, so you know what real output is actually spent in these transactions. So going
over a few other potential attack vectors. This is something that we just essentially discovered earlier this year; it sort of came out of nowhere. Airdrops were all the rage earlier this year, and someone decided that Monero is a pretty big coin, "I'm just gonna do one from Monero", and we're like, oh, that actually has a potential for a lot of damage. And I don't know of anyone who hypothesized this ahead of time, so we sort of had to adapt to this sort of situation. So if there's a split where Monero might have its existing blockchain and someone forks off, there are a lot of considerations if people spend funds on both of these chains, because if they spend funds on both of these chains they have the same output that they have on both of the chains. So if I have my one output of Monero before the split, I have the same output on both chains. So when you would send a transaction on both chains, the key image would be the same; you would have the same key image on both. Now what you could do is look to say, okay, well, I know that since it's the same key image, I know that each transaction on both chains, if you made a transaction on each of these chains, would contain one output that was spent on both of these chains, because the key images are derived from these outputs. So as a result you can check to see if there are any shared outputs among these different ring signatures, and you can see here, for example, that there's one output that is shared: they have the same tx10 output on both, but all the other ones are different; there's no other overlap in these outputs. So you're able to say, okay, since this is the only possible output that could have been spent in both transactions, I know to eliminate all of the other ones here, and therefore you have a situation where, since you have the same key image and only one match of the output, you're immediately able to tell which output is actually spent in this transaction. If
instead you use a tool that has been developed in the meantime, after we realized this was a potential attack, you could create two transactions on both chains with the same exact ring signature for both. That way you're able to compare the key images: the key images are the same, but there are several matches of these outputs; all of these outputs are potentially spent on both. Now it's important to remember that if you are spending transactions on two chains, you increase your attack surface, because if on either of these networks one of the outputs is known to be spent in a different transaction, it reduces the ring size for both of these transactions. Because if, for a fork of Monero, it's known that one of these outputs is spent, that also impacts your Monero transactions. So it's a really important consideration, and we're luckily able to understand the attack a little bit better now, but this is something we really needed to address. Luckily this is a tool that is enabled by default as long as you're using a recent fork of Monero; if there are recent forks, they should include this functionality out of the box. Speaking to
another new consideration: the idea of public mining pool data. For the sake of providing transparency to the miners who mine Monero, the miners prefer to know when the pools mined blocks and they prefer to know when they receive payments, in order to have some transparency for the pool, so that they know there's a lower chance of corruption from the pool stealing their hashes or stealing some of their Monero. And this is fine from that perspective, but unfortunately, since a lot of transaction data is public, it makes the situation where many of the outputs that they touch might degrade the integrity of these outputs, so that you would know that they could not reasonably be used in other transactions. So here's an example for SupportXMR, which is a common Monero pool, and they have a list of all the coinbase blocks that they mined and they have a list of all the payments that are made. And so unfortunately you can use both of these pieces of information to determine, okay, well, they mined this block, now they have this coinbase output that was generated; if this coinbase output is included in a ring signature somewhere but it is not on this transaction list, I know that it is a decoy. I know that I can claim that this is faked in this case, because otherwise it would have shown up in this transaction list. So to address this there are several techniques we can use. So first, and so you have the case there where, sorry, yeah, we've several
techniques we can use. So regarding the coinbase, unfortunately there's not too much you realistically can do, because you know that the pool would just reasonably mine it. But as a pool you can churn the output; you can essentially create a transaction, or several transactions, without publishing this on the transaction list. Or, perhaps even simpler, as a wallet client there could be an option to say "did you mine any Monero with this address?" If you just check "no", then it will exclude coinbase outputs in your ring signature. That's a pretty simple, straightforward mechanism. For the payments made, there's a really unique thing we can do, which is have a different way of selecting what outputs are included in these ring signatures, and so I'll speak about this one because it's pretty interesting.
So pools, when they send transactions to people, receive an output back to themselves as change. So suppose they mined two blocks and there's a certain payment threshold such that they're paying three of their miners but they're not paying out all of the money that they have; they would receive certain ones of these outputs as change back to the pool. And what the pool can do is, for subsequent transactions, select exclusively from the outputs that they created, including the outputs that they sent to the miners. So for the example of a transaction here for a pool payout, they pay out to two miners here and one is a change output back to the pool; they could create subsequent transactions with all of these outputs as potential spenders. And this is great because it preserves the integrity of these change outputs; it makes it so there's no practical difference between the change output and the outputs that are sent to the miners. So in a case here you can see, for a standard transaction that a pool would have going forward, or that someone would have, that it would just look like a standard ring size. You don't need to instead worry about this output, because it is not known to be spent in any specific transaction anymore. So just simply by changing the selection algorithm for these pools, we can increase the privacy and preserve the integrity of additional outputs. So the
last one I really want to talk about, and this is pretty straightforward too, is the idea of an exchange or a wallet provider touching a lot of outputs and therefore having high visibility of a large proportion of outputs. If I'm an exchange and I possess a very large amount of Monero outputs, and you include my outputs in your ring signature, since I own that output I know you did not spend it, right? So it's like, I know you can't spend my money, so I know it is a decoy. And if you have large players, this is a potential concern, especially if they're able to use this data on top of other public information that's revealed. So if I create a ring signature here and all of my decoys are used from this attacker's holdings, it compromises the ring signature from this perspective, because the attacker knows you could not have spent the money that they have. And so this is another concern going forward; it's a reason why with Monero we need to make sure that a single entity doesn't control, like, all of the outputs that Monero has. So what
can you do as sort of addressing these concerns? What are general mechanisms you can take to protect yourself more than
the ring signature can currently provide? So first, you can what we call blackball, or blacklist, known bad outputs. So if, like in Monero's early history, you had a lot of zero-decoy transactions, you know, just don't include those outputs in your ring signature; you specifically avoid them. There is a tool that has been built out so you can do the same thing for two different chains: you can point the tool at the Monero blockchain and a different fork of Monero and say "look for any issues with the key images, the key image reuse", and it will blacklist outputs if they are known to be spent in either of those transactions. And so this is generally just something you can do; most wallet software will include this. It's currently not intuitive; it still takes additional effort from you to actually use. But generally it's best if you don't accidentally include money that you already knew could not have been a plausible spend for you to make. And so you can use the blackball list to exclude anything; you can include anything in this list that you want, but generally you should include the zero-decoy transactions, which are no longer an issue with Monero, so it's unlikely you would select them anyway, but you can still blacklist them. You can blacklist the identical key image issue I just explained earlier. You can blacklist public pool data, so if a pool has an API you could potentially use that to blacklist certain items. And then if you know that, like, large wallets and exchanges have a certain output list, which is highly unlikely, you could blacklist these; unfortunately this is probably going to be private information you would not have access to. Another
thing you can do is called churn, and I don't want you to look or think too much into the actual entropy here; that's kind of a best-case scenario, it's not exactly realistic in each case. But churning is the process of sending money to yourself. So in doing so you're able to essentially have, instead of one transaction with a ring size of seven, additional transactions that each have their own entropy, each have other transactions that reference all of these different outputs, so overall it increases the entropy from your ring signature. Instead of increasing your ring signature size, you can just send several transactions, so that way if one of these ring signatures is compromised then you're protected by all the others. So in general it's recommended (these numbers are still essentially being ironed out; we don't have a lot of definitive research here), but if you're worried you can use churning to protect against different heuristics where people might suspect funds are bad, and in those cases we would recommend churning between five and eight times depending on your use case. And ultimately this all comes back to the use case again, and I'll speak about that in the next few slides, about ultimately what does this mean for you if you're using Monero. And then, so
finally, make sure that you spend during good times. Unfortunately you won't necessarily always know the answer to this, but essentially if you know that it is a bad time to spend Monero, you should try to avoid it if possible. So if you know that there's an upcoming chain split from Monero, you should hold off spending funds shortly before or after this chain split, because during this time period there's a higher likelihood that a higher proportion of outputs would be compromised. So you should try and avoid these certain scenarios if possible. But, like, if Monero was under attack right now, you would not necessarily even know that, right? So it's hard; you can only do this for things you already know of, right? So let's talk about the
different types of linkability that is available with how these outputs are connected to each other, and what you really can do about it. So first is the
idea of linking subaddresses and transactions. There are two very popular, like, Monero ecosystem parts: one is Monerujo, which is an Android wallet, and one is Monero Art. I have no reason to believe they're connected to each other, but let's suppose you're one person, you control both of these services, but you don't want any association between these two services. With Monero you have a mechanism called a subaddress, where you can publish an address on both of these different websites, and ideally, since there's no link between the subaddresses at all, it would keep these identities separate. Unfortunately it becomes a little complicated depending on your spending habits on the blockchain. So suppose I made a donation to each of these subaddresses; I did not know that they were linked together, but suppose that later I see that there's a single transaction that includes both of my outputs in two different rings. That would be highly suspicious, because it would be incredibly unlikely to happen by chance; it would be unlikely for one transaction to contain both of these outputs. And so this is a situation that is a big concern with subaddresses, because we tell people that this is a good way to keep your identities private, or the different addresses private, but depending on how you use Monero on the blockchain, you have plausible deniability but you might still look suspicious. And so there's
several things you can do. In general, for this sort of case I would recommend keep the funds sent to each subaddress separate, and you need to churn each subaddress's funds separately. And if you don't want to use subaddresses, it might be simpler just to use two completely different Monero wallets entirely, because it might be easier to keep those outputs separate insurance. So if I receive five payments to Monerujo and someone receives three payments to Monero Art, you should churn each set separately; just make sure they don't touch each other, make sure there's additional entropy before you put these funds back together. On the second
situation, you have a situation where you're linking subaddresses or addresses to a real-world identity. So suppose that in this case you need to add additional entropy before you interact with anyone that knows your real-world identity. So it's one thing for, like, your online profiles to be linked, but if it's also linked to you individually, that's a large consideration that many people have. And in that case, especially if you're sending funds to a KYC/AML exchange, you need additional entropy before you send funds to an exchange if you don't want any suspicion of the funds coming from you. So you should churn before sending funds to these exchanges, because it will provide you with additional entropy, additional possible sources that these funds could come from, rather than just the standard ring signature. And
then in the extreme case you might want to say every single output I touch should have no connection to any other output. And ideally you're like, okay, wait a minute, isn't this essentially fungibility, right, that every output is not connected to each other, there's no past history? And you're right that ideally, under like a perfectly fungible system, it would have a situation where every output is completely independent. Unfortunately that's just not the case at the moment with Monero. Currently you have fungibility through plausible deniability, not through protection against every heuristic, so it still is possible that certain outputs might appear more suspicious than other outputs. And so this is a big consideration you have, and it's something to really keep in mind when you're spending Monero. So in this extreme case you would have to keep every output separate and add entropy for each of these outputs independently, which would involve churning each of these outputs independently, which is a lot of work, but it's required if you don't want any sort of on-chain connection, or any reasonable on-chain connection, between any of these outputs.
So what are some of the challenges that we have for increasing ring size in general? So first, there are real costs to
increasing the ring size. We can't just make a ring size of, I don't know, a million for every transaction, because although that would be great for privacy (you wouldn't really need to worry about any of these concerns anymore), it's just not practical. There are real costs in verification time and real costs in transaction size, and each of these also leads to a cost of additional fees in sending the transaction. So we need to specifically weigh all of the benefits people have from the increased ring size, of privacy in Monero, against these real costs. So technically, from like a really strict level, the higher ring size is better; if you're able to increase your ring size, strictly that's better. But when you're specifically trying to weigh pros and cons, it's much more effective if you're able to tie these considerations to specific use cases. So for example, ring size 7 was selected specifically to protect against the chain split potential attack; that was a specific threat model that we had in mind, and so ring size 7 was selected for that specific purpose. If we were to further increase the ring size, we should similarly justify it in a similar way, in order to say we're increasing it for the reason that it has actual impact that people have. So in
summary, we covered four different ways for ring signatures to be compromised, we considered several considerations for the heuristic tests, ways for money to seem more suspicious than not, and we covered some of the best practices for using Monero's ring signatures correctly in a variety of use cases, and we covered the challenges of increasing Monero's ring size. If I had more time I would talk about the difficulties of Monero's selection algorithm and many other components that go into ring signatures, but ultimately the bottom line is that ring signatures are the weakest point of Monero's privacy. Unfortunately they're the only system we have at the moment that provides a sort of trustless privacy for hiding the sending output, and hopefully we can move to a different system or find additional benefits in order to further increase the entropy set for all transactions with Monero. And so Bulletproofs are an example of an improvement that we have; we have a real opportunity to reduce the verification time, the transaction cost with Monero, but ultimately, even with these improvements, we still need more in order to protect Monero against these sort of heuristics that might come up. So
So that's all the information I had. I know it's all while I was jumping right into it. There you have the standard Monero information on there. More specifically, that's my email in case you need to reach out to me with any additional questions. I'll be around again stirring and I can answer a lot of other questions. I'm gonna check on time real quick. I have a few minutes, about seven minutes, for questions, so I can take those now, but I appreciate speaking, kind of, the big concerns with Monero's ring signature mechanism.
Yes, instead of the ring signature. So the reason zero-knowledge proofs were not chosen: so one, Monero started before zero-knowledge proofs became a big thing, and two, it's not a trustless system, so you still need to have a trusted party to provide the entropy for that system. No one in the Monero community feels comfortable providing the initial setup required to have this system. So to have, like, a zk-SNARK implementation, you need to have a specific group of people that create this entropy, and you need to make sure that they destroy this entropy, otherwise they store this, essentially "toxic waste" as that's called, and if they don't, then they can produce money out of thin air and there's no way to detect that. So with Monero we don't want that obligation. We want to say, okay, this is what we can do without you having to trust that the Monero team can print money out of thin air, and this is currently the best scheme that we realistically have.
Yes, absolutely. So the privacy of Monero is provided by the privacy of its users, frankly, and I think this is most, like, clearly evidenced as Monero had an opportunity for you to send a zero-decoy transaction, and at the time some 70% of transactions did not use any decoys. And the best thing you can really do to approach this situation is make tools readily available, and for the zero-decoy case it's: okay, we're prohibiting these, you can't send these, that hurts other people's privacy. Because yes, it's fine, you can argue that it's nice for someone to have the choice of being public, but if that hurts other people's transactions, realistically you have to make it a requirement. For chain splits, we're still, there's a possibility for some better mechanisms going forward, but by default the wallet clients that currently exist will use the same ring set on both, so there's a very much lower risk. And based off the current ring size that we have, if there ever was an issue where a large proportion of outputs were being compromised, we would be able to at least have a high probability of detecting that before it would cause any major issues, if we could at least warn people. So you're right that it definitely comes back to: you need to make sure other people are spending funds in a not completely absurd way, and we just need to do our best to make sure that that's how people are generally spending their funds.
Yes, so in some ways yes. So mixing with Bitcoin, the idea is you take several sources of funds, you send it to a specific party, they jumble up whose is whose, and then they send outputs back to each person, and you don't necessarily know which outputs were allocated to which persons. For Monero it's similar in some ways, because you make it seem as if you're spending other funds. The ring signature is most similar to a mixer. The big difference is you don't need to trust a person to provide this functionality. You could sign the ring signature offline, just with a copy of the blockchain, and then broadcast it later to the network. So in some ways it's a fair comparison, in other ways there are significant differences in how it's actually implemented.
Yes, realistically no. In order to make something mandatory, ultimately you need to make something a requirement on the consensus layer. I don't know of any way that that would be realistic, and I think the churning is not necessarily something that most people even have in their threat models, unless you are highly concerned, unless you are like someone with a really high consideration for your privacy. Like if you live in North Korea or something, then, like, churning is important to you then. But if I'm just making a simple transaction, I still have plausible deniability under any reasonable circumstance we can come up with now. So the reason we can't really make it mandatory, though, is because churning transactions by definition, or like, they look exactly the same as any other transaction, and so you can't really force people to make transactions necessarily. That's the sort of requirement it would take.
Okay, so I think I'm gonna take one more question and then I can hand it off to the next speaker. Did you have one? Yeah, okay. So that's definitely a big consideration, and I think it manifests itself mostly in two ways. So I didn't really talk about the input selection algorithm, but the selection algorithm is not consensus driven, so that is up to the wallet to decide which outputs to select, and if your wallet selects outputs really poorly, then it really harms you and the network. So especially if the wallet was widely used, if it was a widely used wallet, suppose an exchange, when they had payouts, purposely chose bad outputs to sabotage people. So that's an important consideration there. There are some changes you can do to consensus to make sure that X percent of outputs are from a certain percent of days, to make sure people are generally honest, but that's currently not implemented, and currently there are no wallets I know of that have that sort of, like, undermining situation. MyMonero used to have a different selection algorithm, but they have updated to the latest Monero selection algorithm. And then the second one is just a different ring size. Ultimately, if you have a different ring size, you have a different piece of metadata that stands out in the network, and so there are some discussions to move to a fixed ring size.
Okay, well, thank you all. Well, I'm always here to answer questions later, and I appreciate you coming to hear about ring signatures. Let's give us a few hands. Thank you so much. [Applause]