A Note on Chain Reactions in Traceability in CryptoNote

A Note on Chain Reactions in Traceability in CryptoNote

Free Download // Login or Register
A Note on Chain Reactions in Traceability in CryptoNote 2.0
Monero Research Lab Papers

This research bulletin describes a plausible attack on a ring-signature based anonymity system. We use as motivation the cryptocurrency protocol CryptoNote 2.0 ostensibly published by Nicolas van Saberhagen in 2012. It has been previously demonstrated that the untraceability obscuring a one-time key pair can be dependent upon the untraceability of all of the keys used in composing that ring signature. This allows for the possibility of chain reactions in traceability between ring signatures, causing a critical loss in untraceability across the whole network if parameters are poorly chosen and if an attacker owns a sufficient percentage of the network. The signatures are still one-time, however, and any such attack will still not necessarily violate the anonymity of users. However, such an attack could plausibly weaken the resistance CryptoNote demonstrates against blockchain analysis. This research bulletin has not undergone peer review, and reflects only the results of internal investigation.

The CryptoNote protocol has a problem: my anonymity depends on your anonymity. If I use 5, 6, or 18 of your outputs when I compose my ring signature then you can see the true signer. If you spend all 5,6, or 18 outputs with no foreign outputs used as mixins in your ring signatures, you reveal yourself as the spender, and now any observer can also see the true signer of my transaction. This may not be malicious if you spent your outputs non-anonymously for legitimate business or legal reasons. Hence, any party with a large proportion of the UTXO set may gain knowledge of the traceability of others’ transactions and reveal that information to the network at will. One may fancifully interpret this problem as an abstract, cryptocurrency implementation of Gresham’s Law: bad money drives out good. If the unspent transaction output (UTXO) set is filled with a lot of transactions that aren’t really anonymous, there are fewer ways to make untraceable ring signatures. At this point it must be noted that, even in this scenario, the one-time key pairs (so-called “stealth addresses”) used in CryptoNote protocols are not violated in this scenario, and so the anonymity of users is still not directly violated. Rather, this attack violates the untraceability between one-time ring signatures, but this development is still somewhat worrying. Hence, even non-malicious entities can execute this attack on accident, malicious entities can spam the network to own lots of the UTXO set, and malicious entities can break untraceability for others.

An attacker’s intent may be perhaps in the interest of a pump-n-dump scheme by undermining the credibility of a currency, perhaps in the interest of spying on other users, or perhaps in a disinterest in paying the extra cost of adding more foreign unspent transaction outputs to their ring signatures. In all cases, despite the a priori hope that any particular user should always be interested in using a large number of mixins for a ring signatures as a matter of principle, both in the interest of personal security and the common good, we should have no expectation of this in practice. A version of the tragedy of the commons may take place and cause traceability throughout the network for everyone due to a subset of users.

However, we should also keep in mind the forest, not the trees: since any user can always compose a trivial ring signature with no additional outputs, immediately exposing outputs down the line, there is a second-order problem here. A new transaction has been exposed, creating exposure risk for any ring signatures that used the newly exposed transaction as an obfuscating mixin. Is it possible that a chain reaction could occur, even if a malicious entity stops actively attacking early in the history of the coin? This research bulletin was written to analyze this problem, determine the plausibility of a conservative route of such an attack, and assess network parameters to ensure graceful degradation of untraceability.