-
jberman[m]
-
jberman[m]
Gonna spam my thoughts on it because I think it's an interesting problem and think others would find it interesting too (and maybe I'm thinking about it wrong?)
-
jberman[m]
I think the best place to start with researching it would be to just randomly pick an output in the chain at point A, then pick another random output a certain number of blocks later at point B (maybe a week later?), then determine the expected number of paths (and hop characteristics of each path) between the 2 points
-
jberman[m]
The optimal way to churn would be to create a path between the 2 points that blends in with all the other paths
-
jberman[m]
The worst way to churn would be to create a path between the 2 points that is exceptionally unusual
-
jberman[m]
So the research would necessarily involve determining expected paths between 2 points in the chain. I think it could be generalized to say with ring size X, Y outputs per block, you would expect Z paths between points that are a certain distance apart (where average hop size is A with variance B)
-
jberman[m]
Then the optimal way to churn would factor in those variables ("Hey user, if you plan to spend in a week, churn this output at block N, N + 143, N + 352, etc.")
-
jberman[m]
Clearly there are a ton of variables at play, but maybe starting to look at chain data and making inferences along the above lines could be a good starting point. That's all i got
-
sech1
jberman I'm afraid it's an NP-hard problem to find _all_ paths between 2 nodes in a directed graph
-
sech1
and given the size of Monero transaction graph... It's probably easier to find all shortest paths using Floyd–Warshall algorithm, but it will still be very slow (cubic complexity)
-
sech1
I'm not even sure it's in NP class because how can you check in polynomial time that it's indeed _all_ paths?
-
merope
I think a better starting point would be to pick a random output A, and then pick one of its subsequent outputs B, 2-3 transactions directly downstream from it.
-
merope
After all, the odds of two random points in the graph being connected are very slim - what we're really interested in is how many alternative paths there are between two *connected* points with only 0 or 1 intermediate nodes (EAE and EABE scenarios)
-
sech1
6 churns fan out to more than a million transactions. 1 million is 40 days worth of transactions currently. So 6 churns with random intervals over in total 40-50 days should be safe enough
-
sech1
many churns over shorter intervals (like a week) are probably traceable with high probability
-
sgp_1
the reasonable application should be as follows in my opinion:
-
sgp_1
someone buys XMR on a KYC exchange and withdrawals to their noncustodial wallet. This withdrawal should be considered a poisoned output
-
sgp_1
then they spend over the course of a month or whatever
-
sgp_1
then they deposit back to the KYC exchange
-
sech1
on the other hand, daily tx volume is ~25000 which is enough for 3 churns within 24 hours. So it probably depends on how long you want to make your churn chain.
-
sgp_1
the exchange should be able to piece together with a relatively high success rate what the tx graph looked like. That said, noise is unpredictable and could be large, so at the end of the day it is still anyone's guess
-
sgp_1
and they could try to use this graph to see if they can associate any of the intermediary txs with any shared info from their information-sharing partners, which ideally would include the merchants you used to purchase things from
-
sgp_1
obviously this takes many assumptions, I'm just spelling out an example where someone specifically knows the start and ends points, and what sort of analysis may be performed
-
sech1
also we need to consider how long paths can get on a random graph with gamma distribution Monero uses. If paths with length > 20 (for example) are statistically impossible on a random graph with V vertices and E edges then most likely it's the real flow of funds
-
merope
Yep, hence my suggestion to pick a random output and then another one a few txes downstream: see how many alternate paths between the two, how many other paths come out of A, and how many other lead to B (with the same depth). Rinse and repeat for a large sample of A and B
-
sech1
I didn't read Rucknium's submission, sorry if I accidentally stumbled on the same thing :D
-
merope
<sech1> "6 churns fan out to more than..." <- This would be a nice conclusion to reach: x churns every n days based on tx volume
-
merope
<sech1> "many churns over shorter..." <- Also it would be nice to quantify this
-
sech1
to quantify this, we need to list properties of fully random "Monero gamma-distribution" graphs
-
sgp_1
I think a primitive test would be to select 1000 outputs at point 1, and then for each of those outputs, see how many of them connect with 1+ and 2+ paths to 1000 outputs around point 2 (let's say ~1 week) and 1000 outputs around point 3 (let's say ~2 months)
-
sech1
like how long paths can get, what's the average path length between 2 connected vertices etc.
-
merope
sgp_1: Nice! Also parametrized by the number of days between the two points A and B: presumably two points more days apart have more paths between them - but is this actually true?
-
sgp_1
clearly I chose 1 week and 2 months arbitrarily, but yeah I wanted 1 further away than the other
-
merope
Ooops, I was still thinking in terms of separation by distance, not by time
-
merope
But yeah, that would be another interesting scenario
-
sech1
yes, thinking about path length a bit more... If someone does 100 churns (even over months), it literally paints a target on this chain of transactions
-
merope
Then again - if someone actually did 100 churns, what are the odds that anyone else could figure it out?
-
sgp_1
this would be a different test to see if an initial output at point 1 would connect with another arbitrary output at points 2 and 3 (of specified lengths away), and how many possible paths would exist
-
sech1
if 100 connected transactions are improbable on a truly random graph and this 100-churn chain is fully uncovered
-
sech1
*then this 100-churn chain is fully uncovered
-
sgp_1
The reason I'm framing it this was is because jberman 's scenario assumes someone knows a point 1 and a point 2
-
sgp_1
This was we can take arbitrary points and see if there is noise in practice
-
Rucknium[m]
One of the Noethers was working on this churning question at a very abstract level. Anyone know if there is a draft available?
-
sgp_1
And see if there is a certain time period whereby there is another formed path >x% of the time
-
sgp_1
Rucknium[m]: It's public but it's totally unusable, let me see if I can find it
-
Rucknium[m]
Unusable, eh?
-
sgp_1
If you find use of it I will be very, very impressed
-
Rucknium[m]
jasminks and isthmus are working on some related theoretical work.
-
Rucknium[m]
My main barrier here is that my understanding of graph theory is pretty limited.
-
sgp_1
-
sgp_1
Will look into further later
-
merope
sgp_1: It's empty? Or is it a private repo?
-
sgp_1
My guess is that it was made private. I'll ask tomorrow
-
ErCiccione
We have a suggestion for a "transaction weight" moneropedia entry. Feedbacks appreciated:
monero-project/monero-site #1461#issuecomment-931294988
-
sgp_1
-
coinstudent2048[
<Rucknium[m]> "My main barrier here is that..." <- atomfried I'll just do a mention because he/she did graph theory.
-
atomfried[m]
<sech1> "and given the size of Monero..." <- there can exists graphs for which there are exponential many shortest paths between two nodes s,t just sayin
-
atomfried[m]
for example a grid graph using the manhattan metric between nodes has lots of shortest paths between two nodes
-
sech1
Monero graph has more edges than manhattan-like graphs
-
sech1
so it's probably even more paths there
-
atomfried[m]
asuming that we assign to each edge the same weight, yes this would also be my educated guess
-
spackle[m]
Something I am curious about that is related to churning, is there anything preventing an output used in one transaction being used as a decoy in other transactions in the same block?
-
spackle[m]
Say you had a particular output you wanted to obscure as much as possible, and you send a genuine transaction along with a large set of other/unrelated transactions that you forced to select the same output as a decoy. Would 50 transactions in the same block that all have the output you are concerned with be allowed?
-
spackle[m]
I'm guessing that isn't an option as a check against double-spends.
-
sech1
double spends are done against key images, not outputs
-
sech1
*are checked
-
spackle[m]
Understood. It is interesting to consider the maximum density that one can pack a churning candidate into a given number of blocks.
-
carrington[m]
Seth For Privacy could you please update the channel topic to show the meeting next week
-
Rucknium[m]
carrington: Did you see my suggestion for a new agenda item?
-
Rucknium[m]
-
carrington[m]
I hadn't but I think it sounds very relevant. I'll add it shortly
-
sethsimmons
<carrington[m]> "Seth For Privacy could you..." <- Will do
-
Rucknium[m]
We should recruit this guy:
-
Rucknium[m]
-
sech1
so he basically found a transaction with multiple input (consolidation tx) which was known as easy to track since long time ago
-
Rucknium[m]
I mean I'm not saying his work was particularly difficult to carry out. It just reflects dedication, depth of knowledge of Monero, attention to detail, technical skills, ethics (he disclosed a vulnerability to ShapeShift before publishing), and some time availability.
-
Rucknium[m]
I am maybe biased since he cited our work on the tx volume anomaly :P
-
UkoeHB
Looks like that guy has a company that "provides consulting services on a variety of cryptocurrency-related topics including forensics." What do you want to recruit (hire) him to do?
-
Rucknium[m]
Well, examine churning would be a good start. Have him submit a CCS or something
-
UkoeHB
-
Rucknium[m]
UkoeHB: Fantastic. I'm glad you decided to submit the CCS. 💪
-
rbrunner
Seconded.
-
UkoeHB
Rucknium[m]: to get your proposal in the gitlab description, you have to paste it there manually. Use the `Edit` button in the upper right corner.
-
sethsimmons
<UkoeHB> "funding request for Seraphis PoC..." <- Very glad to see this!
-
sethsimmons
Shared on Twitter as well, do you mind sharing it on Reddit UkoeHB?
-
sethsimmons
If not I can post it.
-
Rucknium[m]
UkoeHB: Thanks! It is now fixed :)
-
sethsimmons
-
selsta
How much would a Lelantus Spark audit apply to Seraphis?
-
selsta
I know that's difficult to quantify...
-
selsta
I guess that can only be said once an audit is done.
-
UkoeHB
Not sure, would depend on scope
-
carrington[m]
Is the idea to have separate audits of the theory and the implementation eventually?
-
UkoeHB
Peer review of the paper, audit of the implementation.
-
carrington[m]
What I mean is, are we likely to try to raise funds for multiple paid audits? I can see that Bulletproofs+ had two audits
-
UkoeHB
Seems wise to do so, or at least focused audits for different components.
-
UkoeHB
The Groth/Bootle proof is quite hefty, although not nearly as challenging as bulletproofs.