It's time for my monthly research report for June. As always, my thanks to the community for ongoing support of research in applied cryptography.
Research this month focused primarily on major updates to the CLSAG security model, proofs, and preprint in response to initial results from the ongoing review; as well as work on an analysis toolkit for obtaining useful data from the blockchain.
The CLSAG linkable ring signature construction is currently undergoing formal review by JP Aumasson and Antony Vennard. The review is being conducted in two stages: the first to assert the correctness and applicability of the underlying mathematics and security model presented in the preprint, and the second to examine the implementation code for correctness and robustness. The reviewers found no major issues with the preprint, finding that the mathematics are correct and the security model reasonable. However, they made many suggestions for minor corrections and changes, as well as requesting that some of the proofs be expanded for clarity. In particular, the proof that non-slanderability and unforgeability are equivalent has been entirely rewritten. Further, one of the cryptographic hardness assumptions has been reverted to another from an earlier draft with minor modifications. Finally, I completely overhauled and rewrote the proof of linkable anonymity security. Once the reviewers complete the second stage of the review process, they will release a final report that will be posted publicly. In the meantime, the reviewers and I have been discussing some of the specifics of their initial draft report. The revised preprint will be posted to the IACR archive after additional review.
After reading a preprint that looked at deducible transactions and related statistics from the Monero blockchain, I decided to independently verify the results. This grew into a Python toolkit that can be used to extract block, transaction, input, and output data from local block explorers for analysis. The results have been useful; in particular, the analysis showed that while a nonzero number of recent transactions are deducible (that is, they are susceptible to so-called chain reaction analysis), all such transactions spend old funds generated prior to the confidential transaction protocol upgrade. Indeed, precisely zero confidential transactions are deducible. This analysis led to ongoing discussion with the preprint authors, who confirmed the results and are making further updates to their work; several of their conclusions are rendered incorrect by this transaction classification.
The analysis toolkit was also used to analyze spend age patterns. Early work by Andrew Miller and collaborators examined these patterns in deducible Monero transactions and on the Bitcoin blockchain; their work led to the implementation of updated output selection algorithms. My updated analysis further examined whether coinbase outputs follow the same distribution, and how the distribution changed over time among deducible transactions. Results indicate that while there is variation over time, the spend age distribution reasonably matches the output selection distribution used by default, and that coinbase outputs follow the same distribution very closely. Ongoing work is in progress to conduct additional analysis using the toolkit.
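As an added illustration of the two analyses described above (this is example code written for this page, not the author's toolkit and not code from the preprint under discussion), the following Python models chain-reaction deduction and the spend classification that follows from it over a constructed toy ledger. The rule implemented is the one the text alludes to: a key image can be used only once, so an output already known to be spent cannot be the true spend of any other ring that references it; when every ring member but one is known spent, the remaining member is the deduced spend, and each deduction can unlock further ones. All output identifiers, heights, ring memberships and the pre-/post-confidential-transaction flags are invented for the example; the spend-age part only computes ages and separates coinbase outputs, and does not reproduce the wallet's output selection distribution.

```python
"""Chain-reaction deducibility over a constructed toy ledger (example code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Output:
    oid: str
    height: int          # block height at which the output was created
    ringct: bool         # created after the confidential-transaction upgrade
    coinbase: bool = False


@dataclass
class Input:
    ring: List[str]                 # output ids referenced by this input's ring
    spend: Optional[str] = None     # deduced true spend, if any


@dataclass
class Tx:
    txid: str
    height: int
    inputs: List[Input]


def chain_reaction(txs: List[Tx]) -> Tuple[Set[str], int]:
    """Deduce spends until a full pass finds nothing new.

    Returns the set of outputs now known to be spent and the number of passes
    taken (the final, unproductive pass included).
    """
    spent: Set[str] = set()
    passes = 0
    changed = True
    while changed:
        changed = False
        passes += 1
        for tx in txs:
            for inp in tx.inputs:
                if inp.spend is not None:
                    continue
                candidates = [o for o in inp.ring if o not in spent]
                if not candidates:
                    # Impossible on a valid chain (key images are unique);
                    # treat it as a data error rather than silently skipping.
                    raise ValueError(f"{tx.txid}: every ring member already spent")
                if len(candidates) == 1:
                    inp.spend = candidates[0]
                    spent.add(candidates[0])
                    changed = True
    return spent, passes


def classify_deducible(txs: List[Tx], outputs: Dict[str, Output]) -> List[dict]:
    """One record per deduced spend: output type and spend age in blocks."""
    rows = []
    for tx in txs:
        for inp in tx.inputs:
            if inp.spend is None:
                continue
            out = outputs[inp.spend]
            rows.append({
                "txid": tx.txid,
                "output": out.oid,
                "ringct": out.ringct,
                "coinbase": out.coinbase,
                "age": tx.height - out.height,
            })
    return rows


def summarize(rows: List[dict]) -> dict:
    """Counts that answer the questions asked in the text."""
    return {
        "deducible": len(rows),
        "deducible_ringct": sum(1 for r in rows if r["ringct"]),
        "mean_age": sum(r["age"] for r in rows) / len(rows) if rows else 0.0,
        "coinbase_ages": [r["age"] for r in rows if r["coinbase"]],
    }


# Constructed sample data (hypothetical ids and heights, not real chain data).
OUTPUTS: Dict[str, Output] = {o.oid: o for o in [
    Output("o1", 10, ringct=False, coinbase=True),
    Output("o2", 12, ringct=False),
    Output("o3", 15, ringct=False),
    Output("o4", 20, ringct=False),
    Output("o5", 100, ringct=True),
    Output("o6", 101, ringct=True, coinbase=True),
    Output("o7", 102, ringct=True),
    Output("o8", 103, ringct=True),
]}


def build_ledger() -> List[Tx]:
    """Transactions in height order; t2's ring of size 1 starts the cascade."""
    return [
        Tx("t1", 30, [Input(["o1", "o2"])]),            # resolved on pass 2
        Tx("t2", 40, [Input(["o2"])]),                  # ring size 1: trivial
        Tx("t3", 50, [Input(["o1", "o3"])]),            # resolved once t1 is
        Tx("t4", 60, [Input(["o3", "o4"])]),            # resolved once t3 is
        Tx("t5", 120, [Input(["o2", "o5", "o6", "o7"])]),  # 3 candidates left
        Tx("t6", 125, [Input(["o4", "o6", "o8"])]),        # 2 candidates left
    ]


if __name__ == "__main__":
    ledger = build_ledger()
    known_spent, n_passes = chain_reaction(ledger)
    print(f"{len(known_spent)} outputs deduced as spent in {n_passes} passes")
    print(summarize(classify_deducible(ledger, OUTPUTS)))
```

On this toy ledger the four deducible spends are all pre-confidential-transaction outputs, and the two transactions built from confidential outputs keep more than one viable ring member and stay undetermined, which is the shape of the classification the text reports. Against a real extract you would feed `chain_reaction` every input in height order and compare the `age` column with the wallet's selection distribution rather than only reporting a mean.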
On an unrelated note, I delivered a presentation to a cryptography study group held by MakerDAO at the group's invitation. This was a great opportunity to give an overview of how cryptographic constructions and building blocks are used to produce privacy-focused transaction protocols.
And now on to Sarang's Reading Corner, a short listing of some interesting papers that I have come across this month. The appearance of a paper in this list does not mean that I necessarily agree with its contents or correctness, or that I endorse it. Papers are in no particular order.
- Counting Down Thunder: Timing Attacks on Privacy in Payment Channel Networks
- Everything is a Race and Nakamoto Always Wins
- Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users
- Lelantus (revised)
- Bulletproofs+: Shorter Proofs for Privacy-Enhanced Distributed Ledger
- On the Confidentiality of Amounts in Grin
Dr. Sarang Noether