BCOS Monero Village - Ring Signatures MONERO
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39796 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | |
| Genre |
DEF CON 26183 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
Electronic signatureRing (mathematics)Database transactionMultiplication signInformationBitCASE <Informatik>Hydraulic jumpConnectivity (graph theory)Perfect groupInformation privacy
00:47
Sign (mathematics)Host Identity ProtocolDatabase transactionRouter (computing)Address spaceRing (mathematics)Information privacyComponent-based software engineeringBroadcasting (networking)Source codeElectronic signatureDatabase transactionFunction (mathematics)Information privacyConnectivity (graph theory)Ring (mathematics)Order (biology)Right angleOcean currentMehrplatzsystemMaxima and minimaVector potentialMedical imagingMathematicsKey (cryptography)Vector spaceChainTouchscreenReal numberGame controllerCASE <Informatik>Computer animation
03:29
Ring (mathematics)Function (mathematics)Flow separationMaxima and minimaRing (mathematics)Electronic signatureOrder (biology)INTEGRALVector spaceInformation privacyDatabase transactionPlanningResultantQuicksortInternet service providerComputer animation
04:44
Ring (mathematics)Function (mathematics)Database transactionElectronic signatureQuicksortSound effectProcess (computing)CASE <Informatik>Computer animation
06:00
Function (mathematics)ChainDatabase transactionElectronic signatureRight angleSound effectRing (mathematics)Order (biology)Mechanism design
07:17
ChainKey (cryptography)Computer-generated imageryFunction (mathematics)Medical imagingHeegaard splittingChainDatabase transactionDifferent (Kate Ryan album)Vector potentialKey (cryptography)Quicksort1 (number)Electronic signatureRing (mathematics)Matching (graph theory)ResultantDrop (liquid)Vector spaceArrow of timeMultiplication signWave packet
09:20
ChainKey (cryptography)Computer-generated imageryFunction (mathematics)ChainDatabase transactionSoftwareDefault (computer science)BitCuboidRing (mathematics)Matching (graph theory)Medical imagingSurfaceElectronic signatureComputer animation
10:30
Data miningBlock (periodic table)Hash functionCASE <Informatik>Ring (mathematics)Electronic mailing listData miningDatabase transactionFunction (mathematics)Electronic signatureINTEGRALInformationOrder (biology)Perspective (visual)Computer animation
11:57
Block (periodic table)outputData miningDatabase transactionElectronic mailing listFunction (mathematics)Electronic signatureComputer configurationFlow separationRing (mathematics)Client (computing)Mechanism designAddress spaceComputer animation
12:42
Standard deviationFunction (mathematics)Data miningDatabase transactionRing (mathematics)INTEGRALDatabase transactionChainFunction (mathematics)MathematicsAdditionVector potentialAlgorithmThresholding (image processing)Selectivity (electronic)Standard deviationCASE <Informatik>Different (Kate Ryan album)Block (periodic table)1 (number)Latent heatComputer animation
14:09
Function (mathematics)Control flowRing (mathematics)Function (mathematics)Electronic signatureInternet service providerInformationVector potentialPerspective (visual)Game controllerSingle-precision floating-point formatComputer animation
15:13
Control flowElectronic signatureComputer-generated imageryMechanism designQuicksortElectronic mailing listMedical imagingDifferent (Kate Ryan album)Key (cryptography)Ring (mathematics)Function (mathematics)InformationElectronic signatureDatabase transactionChainIdentity managementSoftwareArrow of timeComputer animation
16:54
Process (computing)CASE <Informatik>Entropie <Informationstheorie>Arithmetic meanDatabase transactionElectronic signatureRing (mathematics)Function (mathematics)NumberMultiplication signHeuristicSlide rule
18:08
ChainDatabase transactionComputer networkInformationMathematicsLikelihood functionMultiplication signHeegaard splittingArrow of timeFrequencyChainFunction (mathematics)Right angleComputer animation
18:52
Link (knot theory)Type theoryDifferent (Kate Ryan album)Database transactionType theoryFunction (mathematics)Different (Kate Ryan album)Link (knot theory)Associative propertyAddress spaceDatabase transactionWebsiteService (economics)Mechanism designRing (mathematics)Identity managementMereologyInflection pointChainComputer animation
20:22
Database transactionFlow separationDifferent (Kate Ryan album)Touch typingQuicksortFunction (mathematics)Address spaceCASE <Informatik>
21:02
Identity managementDatabase transactionRing (mathematics)Standard deviationIdentity managementSource codeAddress spaceElectronic signatureProfil (magazine)CASE <Informatik>Real numberComputer animation
21:51
Database transactionFunction (mathematics)Associative propertyPhysical systemHeuristicFunction (mathematics)CASE <Informatik>ChainConnected spacePhysical systemMoment (mathematics)QuicksortRight angleHeuristicComputer animation
23:02
Ring (mathematics)Ring (mathematics)Real numberLatent heatDatabase transactionCASE <Informatik>AdditionInformation privacyWeightEndliche ModelltheorieSimilarity (geometry)Formal verificationChainOrder (biology)Multiplication signLevel (video gaming)Computer animation
24:23
Personal digital assistantVariety (linguistics)HeuristicSoftware testingElectronic signatureInformation privacyRing (mathematics)Selectivity (electronic)Physical systemSet (mathematics)Connectivity (graph theory)AlgorithmDifferent (Kate Ryan album)Variety (linguistics)Line (geometry)AdditionOrder (biology)Database transactionHeuristicMoment (mathematics)QuicksortFormal verificationPoint (geometry)Proof theoryFunction (mathematics)Multiplication signSoftware testingCASE <Informatik>Electronic mailing listComputer animation
25:33
Stack (abstract data type)Mechanism designOcean currentReal numberFunction (mathematics)AlgorithmSelectivity (electronic)Database transactionImplementationInformation privacySource codeProof theoryFlow separationMathematicsRing (mathematics)Group actionElectronic signatureLatent heatChainPairwise comparisonLetterpress printingFunctional (mathematics)Different (Kate Ryan album)SoftwareSimilarity (geometry)Multiplication signoutputNumbering schemeAirfoilStandard deviationCASE <Informatik>InformationEmailMetadataAxiom of choiceOrder (biology)AdditionPhysical systemQuicksortEndliche ModelltheorieClient (computing)Default (computer science)Absolute valueRight angleBroadcasting (networking)Computer animation
Transcript: English(auto-generated)
00:00
All right, everyone, I know it's a little bit early, but I'm going to start a little bit ahead of time, because there is a lot of information for me to cover about ring signatures today. So, before I begin, can I just have a quick poll of the room? How many of you know what ring signatures are? Perfect. So, unfortunately, since I have so little time, I'm going to kind of jump right into ring signatures
00:22
without an initial explanation. There are a lot of other resources you can use if you want to have an initial explanation about ring signatures. But we're going to be looking specifically essentially why ring signatures suck and what you can do about it. And under which use cases should you be concerned about how ring signatures work and ultimately what sort of entropy they provide with Monero transactions.
00:46
So, ring signatures, they are one of the four primary components of privacy that Monero offers. The ring signatures are used to obfuscate the sender in the transaction, or more accurately, which output is used in the transaction.
01:03
It makes it seem as if several outputs are each independently being spent. You don't know which source of funds is actually being used. So, we're just going to talk about that one component today. So, if you look at a ring signature, it kind of looks like this. First, it's important to understand outputs.
01:21
Outputs are like pots of gold. They're single-use pots of gold. When you send a transaction to someone else, you create a new pot for them, and you dump whatever gold or Monero you want them to keep, and then you make a new pot for yourself that you dump all the change back into yourself for.
01:41
That is how Monero money is held. It's held in these outputs. It's really important to understand how outputs just generally work. They're stored as essentially pots of gold, so to speak. On the screen here, you can see an example of a ring signature. A ring signature contains several of these outputs. The highlighted one, let's say, is the real source of funds you want to spend.
02:03
If you want to give someone $5, you need to give them a $5 bill. Similarly with Monero, if you want to give someone Monero, you actually need to spend money that you have. That is the output you do control and the output that you are spending in the transaction. These other black pots, so to speak, these other outputs, are called decoys.
02:22
You do not control these outputs, and they are just essentially money other people control, but you select these from the blockchain to make it seem as if these sources of funds are also used in the transaction. Collectively, you have this ring of, in this case, seven outputs, seven is the current minimum ring size for Monero,
02:42
of potential sources of funds that are used in the transaction. These seven potential outputs are the sources of funds that could be used in this transaction. That is the general idea of a ring signature. It is important to also understand the key image. The key image is a reference to the actual output you do control.
03:01
It has nothing to do with any of the decoys. This is important because otherwise you could just fabricate a transaction with everyone else's money and make it seem like you are spending other people's money. You need the key image in order to actually make sure someone is putting something up for stake. They actually have the right to spend the funds that they say they are spending, but the key image is really important because there are potential attack vectors
03:23
with how the key image can be used across several different chains. We will speak about all of that during this talk today. A history of the ring sizes of Monero. Monero was launched in early 2014. When it launched, it had a ring signature feature, but there was no requirement that you actually included decoys in your ring signature.
03:43
You could create a transaction essentially without using the feature where you had no other decoy outputs in your transaction. That was pretty bad. There are several research papers I highly recommend. You read MRL 1 and MRL 4, which are two research papers on this topic,
04:00
or else you can talk to either me or Sarang after. As a result, we decided in order to actually protect the integrity of the privacy in Monero, we need to have a minimum ring size. In March 2016, the minimum was increased to 3. In September, the minimum was increased to 5.
04:21
Early this year, we learned of a new attack vector. It was increased to 7 in order to provide protection against this attack vector. I will speak about this vector later. Going forward, we don't have a super concrete set plan, so I will speak about how we weigh the pros and cons and how we decide what considerations are necessary to increase the ring size.
04:47
This is the first attack I really want to cover, and it's really critical to understand the idea of a zero decoy attack because every single other one of the attacks essentially replicates the same sort of effect but just does it in a different way.
05:01
Once you understand the impact of how zero decoy attacks work, you can pretty much understand anything else. We have the ring signature there, for example. There are seven outputs in the ring signature. Six of them are decoys. In Monero's past, you could create transactions without any other decoys. This is an example here.
05:20
Suppose you had a ring with just this one decoy. In this case, there is absolutely no ambiguity. You know that this output was spent in that specific transaction. If my ring size 7 transaction included this output in my ring signature, you would know, since that output was known to be spent in that other transaction,
05:43
it could not have been spent in this ring signature. Instead of having an effective ring size of 7, you're now down to an effective ring size of 6 because this one output is known to not possibly be a real one. It's known to be a decoy. If you repeat this process for the other six outputs,
06:05
you then are able to determine, now that you know that none of the other decoys are the real one, you know that they are actually decoys, you're able to know that the output that you sent in the transaction, the real money you spent, was actually spent in this ring.
06:21
This is where the chain reaction effect comes in. Even though your transaction used a ring signature, since your ring signature was compromised, it actually negatively impacts other transactions which use your output in their ring signature. As an example here, you have another ring signature, and one of the outputs that they selected was one of yours.
06:44
Since this output is known to be spent in the transaction on the left, it is known as a decoy for the transaction on the right. You know it is not a convincing possible output that realistically could have been spent. That's the general idea of the zero decoy transaction.
07:01
In effect, it's a mechanism to attribute outputs as known to be spent in other transactions in order to ultimately learn more and ultimately break down the ring signature so you know what real output is actually spent in these transactions. Going over a few other potential attack vectors, this is something that we just essentially discovered earlier this year.
07:24
It sort of came out of nowhere. Airdrops were all the rage earlier this year, and someone decided that Monero was a pretty big coin. I'm just going to do one for Monero. And we're like, oh, that actually has a potential for a lot of damage. And I don't know of anyone who hypothesized this ahead of time.
07:42
So we sort of had to adapt to this sort of situation. So if there's a split where Monero might have its existing blockchain and someone forks off, there are a lot of considerations if people spend funds on both of these chains. Because if they spend funds on both of these chains,
08:02
they have the same output that they have on both of the chains. So if I have my one output of Monero before the split, I have the same output on both chains. So when you would send a transaction on both chains, the key image would be the same. You would have the same key image on both.
08:20
Now what you could do is look to say, okay, since it's the same key image, I know that each transaction on both chains, if you made a transaction on each of these chains, would contain one output that was spent on both of these chains because the key images are derived from these outputs. So as a result, you can check to see if there are any shared outputs
08:44
among these different ring signatures. And you can see here, for example, that there's one output that is shared. They have the same TX10 output on both. But all the other ones are different. There's no other overlap in these outputs.
09:01
So you're able to say, okay, since this is the only possible output that could have been spent in both transactions, I know to eliminate all of the other ones here. And therefore you have a situation where, since you have the same key image and only one match of the output, that you're immediately able to tell which output is actually spent in this transaction.
09:21
If instead you use a tool that has been developed in the meantime after we realized this was a potential attack, you could create two transactions on both chains with the same exact ring signature for both. That way, you're able to compare the key images. The key images are the same, but there are several matches of these outputs.
09:42
All of these outputs are potentially spent on both. Now, it's important to remember that if you are spending transactions on two chains, that you increase your attack surface. Because if on either of these networks one of the outputs is known to be spent in a different transaction,
10:01
it reduces the ring size for both of these transactions. Because if for a fork of Monero, it's known that one of these outputs is spent, that also impacts your Monero transactions. So it's a really important consideration, and we're luckily able to understand the attack a little bit better now, but this is something we really needed to address.
10:21
Luckily, this is a tool that is enabled by default. As long as you're using a recent fork of Monero, if there are recent forks, they should include this functionality out of the box. Speaking to another new consideration, the idea of public mining pool data. For the sake of providing transparency to the miners who mine Monero,
10:42
the miners prefer to know when the pools mine blocks, and they prefer to know when they receive payments in order to have some transparency for the pool so that they know there's a lower chance of corruption from the pools stealing their hashes or stealing some of their Monero. And this is fine from that perspective, but unfortunately, since a lot of transaction data is public,
11:04
it actually increases, it makes a situation where many of the outputs that they touch might degrade the integrity of these outputs so that you would know that they could not reasonably be used in other transactions. So here's an example for Support XMR, which is a common Monero pool, and they have a list of all the Coinbase blocks that they mine,
11:22
and they have a list of all the payments that are made. And so, unfortunately, you can use both of these pieces of information to determine, okay, well, they mined this block. They have this Coinbase output that was generated. If this Coinbase output is included in a ring signature somewhere but it is not on this transaction list,
11:42
I know that it is a decoy. I know that I can claim that this is fake in this case because otherwise it would have shown up in this transaction list. So to address this, there are several techniques we can use. Regarding the Coinbase, unfortunately, there is not too much you realistically can do
12:04
because you know that the pool would just reasonably mine it. As a pool, you can churn the output. You can essentially create several transactions without publishing this on the transaction list. Or, perhaps even simpler, as a wallet client,
12:20
there could be an option to say, did you mine any Monero with this address? If you just check no, then it will exclude Coinbase outputs in your ring signature. That is a pretty simple, straightforward mechanism. For the payments made, there is a really unique thing we can do is have a different way of selecting what outputs are included in these ring signatures.
12:40
And so I will speak about this one because it is pretty interesting. So pools, when they send transactions to people, receive an output back to themselves as change. So suppose they mine two blocks, and there is a certain payment threshold such that they are paying three of their miners, but they are not paying out all of the money that they have, they would receive certain ones of these outputs as change back to the pool.
13:02
And what the pool can do is, for subsequent transactions, select exclusively from the outputs that they created, including the outputs that they sent to the miners. So if, for the example of a transaction here, for a pool payout, they pay out to two miners here and one is a change output back to the pool, they could create subsequent transactions with all of these outputs as potential spenders.
13:25
And this is great because it preserves the integrity of these change outputs. It makes it so there is no practical difference between the change output and the outputs that are sent to the miners. So, in a case here, you can see for a standard transaction
13:45
that a pool would have going forward, that someone would have, that it would just look like a standard ringsize. You don't need to instead worry about this output because it is not known to be spent in any specific transaction anymore. Just simply by changing the selection algorithm for these pools,
14:04
we can increase the privacy and preserve the integrity of additional outputs. So, the last one I really want to talk about, and this is pretty straightforward too, is the idea of an exchange or a wallet provider touching a lot of outputs and therefore having high visibility of a large proportion of outputs.
14:23
If I'm an exchange and I possess a very large amount of Monero outputs and you include my outputs in your ring signature, since I own that output, I know you did not spend it. I know you can't spend my money, so I know it is a decoy. If you have large players, this is a potential concern,
14:42
especially if they are able to use this data on top of other public information that is revealed. So, if I create a ring signature here and all of my decoys are used from this attacker's holdings, it compromises the ring signature from this perspective because the attacker knows you could not have spent the money that they have.
15:03
So, this is another concern going forward. It is a reason why with Monero we need to make sure that a single entity does not control all of the outputs that Monero has. So, what can you do at addressing these concerns? What are general mechanisms you can take to protect yourself
15:20
more than the ring signature can currently provide? First, you can what we call blackball or blacklist known bad outputs. In Monero's early history, you had a lot of zero decoy transactions. You just don't include those outputs in your ring signature. You specifically avoid them. There is a tool that has been built out so you can do the same thing for two different chains.
15:43
You can point the tool at the Monero blockchain and a different fork of Monero and say, look for any issues with the key images, the key image reuse, and it will blacklist outputs if they are known to be spent in either of those transactions. So, this is generally just something you can do. Most wallet software will include this. It is currently not intuitive.
16:01
It still takes additional effort from you to actually use. Generally, it is best if you don't accidentally include money that you already knew could not have been a plausible spend for you to make. You can use the blackball list to exclude anything. You can include anything in this list that you want.
16:21
Generally, you should include the zero decoy transactions which are no longer an issue with Monero so it is unlikely you would select them anyway, but you can still blacklist them. You can blacklist the identical key image issue I just explained earlier. You can blacklist public pool data. So, if a pool has an API, you could potentially use that to blacklist certain items.
16:42
And then, if you know that large wallets or exchanges have a certain output list, which is highly unlikely, you could blacklist these. Unfortunately, this is probably going to be private information you would not have access to. Another thing you can do is called churn. I don't want you to think too much into the actual entropy here.
17:01
That is kind of a best-case scenario. It is not exactly realistic in each case. But churning is the process of sending money to yourself. In doing so, you are able to essentially have, instead of one transaction with a ring size of seven, you have additional transactions that each have their own entropy. Each have other transactions that reference all of these different outputs.
17:23
So, overall, it increases the entropy from your ring signature. Instead of increasing your ring signature size, you can just send several transactions. So, that way, if one of these ring signatures is compromised, then you are protected by all the others. So, in general, it is recommended. These numbers are still essentially being ironed out.
17:42
We don't have a lot of definitive research here. But if you are worried, you can use churning to protect against different heuristics, where people might suspect funds are bad. In those cases, we would recommend churning between five and eight times, depending on your use case. Ultimately, this all comes back to the use case again.
18:02
I will speak about that in the next few slides. Ultimately, what does this mean for you if you are using Monero? Finally, make sure that you spend during good times. Unfortunately, you won't necessarily always know the answer to this. Essentially, if you know that it is a bad time to spend Monero,
18:21
you should try to avoid it if possible. So, if you know that there is an upcoming chain split for Monero, you should hold off spending funds shortly before or after this chain split, because during this time period, there is a higher likelihood that a higher proportion of outputs would be compromised. So, you should try and avoid these certain scenarios if possible.
18:43
If Monero was under attack right now, you would not necessarily even know that. You can only do this for things you already know of. Let's talk about the different types of linkability that is available, with how these outputs are connected to each other, and what you really can do about it.
19:01
First is the idea of linking sub-addresses and transactions. There are two very popular Monero ecosystem parts. One is Monero, which is an Android wallet, and one is the Monero art. I have no reason to believe they are connected to each other, but let's suppose you are one person. You control both of these services, but you don't want any association between these two services.
19:23
With Monero, you have a mechanism called a sub-address, where you can publish an address on both of these different websites. Ideally, since there is no link between the sub-addresses at all, it would keep these identities separate. Unfortunately, it becomes a little complicated, depending on your spending habits on the blockchain.
19:41
Suppose I made a donation to each of these sub-addresses. I did not know that they were linked together, but suppose that later I see that there is a single transaction that includes both of my outputs in two different rings. That would be highly suspicious, because it would be incredibly unlikely to happen by chance. It would be unlikely for one transaction to contain both of these outputs.
20:06
This is a situation that is a big concern with sub-addresses, because we tell people that this is a good way to keep your identities private, or the different addresses private. Depending on how you use Monero on the blockchain, you have plausible deniability, but you might still look suspicious.
20:23
There are several things you can do. For this sort of case, I would recommend keep the funds sent to each sub-address separate, and you need to churn each sub-address funds separately. If you don't want to use sub-addresses, it might be simpler just to use two completely different Monero wallets entirely,
20:45
because it might be easier to keep those outputs separate and churn. If I receive five payments to Monero and someone receives three payments to Monero Art, you should churn each set separately. Just make sure they don't touch each other. Make sure there is additional entropy before you put these funds back together.
21:03
On the second situation, you have a situation where you are linking sub-addresses or addresses to a real-world identity. In this case, you need to add additional entropy before you interact with anyone that knows your real-world identity. It is one thing for your online profiles to be linked,
21:24
but if it is also linked to you individually, that is a large consideration that many people have. In that case, especially if you are sending funds to a KYC AML exchange, you need additional entropy before you send funds to an exchange if you don't want any suspicion of the funds coming from you.
21:41
You should churn before sending funds to these exchanges because it will provide you with additional entropy, additional possible sources that these funds could come from, rather than just the standard ring signature. In the most extreme case, you might want to say, every single output I touch should have no connection to any other output.
22:02
Ideally, you are like, wait a minute, isn't this essentially fungibility? Every output is not connected to each other, there is no past history. You are right that ideally, under a perfectly fungible system, it would have a situation where every output is completely independent.
22:21
Unfortunately, that is just not the case at the moment. With Monero currently, you have fungibility through plausible deniability, not through protection against every heuristic. So it still is possible that certain outputs might appear more suspicious than other outputs. So this is a big consideration you have, and it is something to really keep in mind when you are spending Monero.
22:43
In this extreme case, you would have to keep every output separate and add an entropy for each of these outputs independently, which would involve churning each of these outputs independently, which is a lot of work, but it is required if you don't want any sort of on-chain connection, or any reasonable on-chain connection between any of these outputs.
23:03
So what are some of the challenges that we have for increasing ring size in general? First, there are real costs to increasing the ring size. We can't just make a ring size of, I don't know, a million for every transaction, because although that would be great for privacy, you wouldn't really need to worry about any of these concerns anymore.
23:22
It's just not practical. There are real costs in verification time, and real costs in transaction size. And each of these also leads to a cost of additional fees in sending the transaction. So we need to specifically weigh all of the benefits people have from the increased ring size of privacy in Monero against these real costs.
23:42
So technically, from a really strict level, the higher ring size is better. If you're able to increase your ring size, strictly that's better. But when you're specifically trying to weigh pros and cons, it's much more effective if you're able to tie these considerations to specific use cases. So, for example, with ring size 7, that was selected specifically
24:01
to protect against the chain split potential attack. That was a specific threat model that we had in mind, and so ring size 7 was selected for that specific purpose. If we were to further increase the ring size, we should similarly justify it in a similar way in order to say we're increasing it for this reason because it has an actual impact that people have.
24:24
So in summary, we covered four different ways for ring signatures to be compromised. We considered several considerations for the heuristic tests, ways for money to seem more suspicious than not, and we covered some of the best practices for using Monero's ring signatures correctly
24:40
in a variety of use cases, and we covered the challenges of increasing Monero's ring size. If I had more time, I would talk about the difficulties of Monero's selection algorithm and many other components that go into ring signatures, but ultimately the bottom line is that ring signatures are the weakest point of Monero's privacy. Unfortunately, they're the only system we have at the moment
25:01
that provides a sort of trustless privacy for hiding the sending output, and hopefully we can move to a different system or find additional benefits in order to further increase the entropy set for all transactions with Monero. Bulletproofs are an example of an improvement that we have. We have a real opportunity to reduce the verification time, the transaction cost with Monero,
25:24
but ultimately, even with these improvements, we still need more in order to protect Monero against these heuristics that might come up. That's all the information I had. I know I was jumping right into it. We have the standard Monero information on there.
25:42
More specifically, that's my email in case you need to reach out to me with any additional questions. I'll be around. Again, Sarang and I can answer a lot of other questions. I'm going to check on time real quick. I have about seven minutes for questions, so I can take those now, but I appreciate speaking the big concerns with Monero's ring signature mechanism.
26:02
Yes? Instead of the ring signature? The reason zero-knowledge proofs were not chosen. One, Monero started before zero-knowledge proofs became a big thing. Two, it's not a trustless system. You still need to have a trusted party to provide the entropy for that system.
26:23
No one in the Monero community feels comfortable providing the initial setup required to have this system. To have a zk-SNARK implementation, you need to have a specific group of people that create this entropy, and you need to make sure that they destroy this entropy,
26:40
otherwise destroy this essentially toxic waste, as it's called. If they don't, then they can produce money out of thin air, and there's no way to detect that. With Monero, we don't want that obligation. We want to say, okay, this is what we can do without you having to trust that the Monero team can print money out of thin air. This is currently the best scheme that we realistically have.
27:02
Yes, absolutely. The privacy of Monero is provided by the privacy of its users, frankly.
27:25
I think this is most clearly evidenced as Monero had an opportunity for you to send a zero-decoy transaction. At the time, some 70% of transactions did not use any decoys. The best thing you can really do to approach that situation is make tools readily available.
27:43
For the zero-decoy case, it's, okay, we're prohibiting these. You can't send these that hurt other people's privacy. Yes, it's fine. You can argue that it's nice for someone to have the choice of being public, but if that hurts other people's transactions, realistically, you have to make the requirement. For chain splits, there's a possibility for some better mechanisms going forward,
28:04
but by default, the wallet clients that currently exist will use the same ring set on both, so there's a much lower risk. Based off the current ring size that we have, if there ever was an issue where a large proportion of outputs were being compromised,
28:23
we would be able to at least have a high probability of detecting that before it would cause any major issues. We could at least warn people. You're right that it definitely comes back to you need to make sure other people are spending funds in a not completely absurd way, and we just need to do our best to make sure
28:42
that that's how people are generally spending their funds. Yes? In some ways, yes. Mixing with Bitcoin, the idea is you take several sources of funds,
29:02
you send it to a specific party, they jumble up who's is who, and then they send outputs back to each person, and you don't necessarily know which outputs were allocated to which persons. For Monero, it's similar in some ways because you make it seem as if you're spending other funds. The ring signature is most similar to a mixer.
29:21
The big difference is you don't need to trust a person to provide this functionality. You could sign the ring signature offline just with a copy of the blockchain and then broadcast it later to the network. In some ways, it's a fair comparison. In other ways, there are significant differences in how it's actually implemented.
29:42
Yes? Realistically, no. In order to make something mandatory, ultimately you need to make something, a requirement on the consensus layer. I don't know of any way that that would be realistic, and I think the churning is not necessarily something that most people even have in their threat models.
30:04
Unless you are highly concerned, unless you are someone with a really high consideration for your privacy, like if you live in North Korea or something, churning is important to you then, but if I'm just making a simple transaction, I still have plausible deniability
30:22
under any reasonable circumstance we can come up with now. The reason we can't really make it mandatory, though, is because churning transactions, by definition, they look exactly the same as any other transaction. You can't really force people to make transactions necessarily.
30:41
That's the sort of requirement it would take. I think I'm going to take one more question, and then I can hand it off to the next speaker. Did you have one? Yeah.
31:03
That's definitely a big consideration, and I think it manifests itself mostly in two ways. I didn't really talk about the input selection algorithm, but the selection algorithm is not consensus driven, so that is up to the wallet to decide which outputs to select. If your wallet selects outputs really poorly, then it really harms you and the network,
31:26
especially if the wallet was widely used. If it was a widely used wallet, suppose, in exchange, when they had payouts, purposely chose bad outputs to sabotage people. That's an important consideration there. There are some changes you can do to consensus to make sure that X percent of outputs
31:42
are from a certain percent of days to make sure people are generally honest, but that's currently not implemented, and currently there are no wallets I know of that have that sort of undermining situation. My Monero used to have a different selection algorithm, but they have updated to the latest Monero selection algorithm.
32:00
And then the second one is just a different ring size. Ultimately, if you have a different ring size, you have a different piece of metadata that stands out in the network, and so there are some discussions to move to a fixed ring size. Okay. Well, thank you. I'm always here to answer questions later, and I appreciate you coming to hear about ring signatures. Let's give SVP a hand. Thank you so much.