Comments (6)
Since it's usually obvious when ancient outputs are spent in a modern transaction, we can mess around with ring membership to better hide them. This technique actually facilitates that, by allowing size-11 ring sizes for every single ancient output, even if the members are from the same era (v1 or v2-v3).
from research-lab.
Commenting for wider discussion:
With Seraphis, existing ("legacy") outputs in the chain would need to be migrated into Seraphis enotes in migration txs. Users won't need to know they're constructing these migration txs. Users just send Monero normally and these migration txs will look like normal txs in their wallet, they don't have to do anything special to migrate. This migration is necessary in order to construct Seraphis membership proofs, which can only be constructed using Seraphis enotes.
In line with the proposal spelled out in this issue, the Seraphis wallet lib constructs these migration txs with ring signatures that include combined {pre-RingCT, post-RingCT, coinbase} legacy outputs (see this comment).
This is at odds with the general push to separate spending coinbase outputs from normal RingCT outputs:
Pre-RingCT txs also didn't have that great of privacy historically (https://www.getmonero.org/2018/03/29/response-to-an-empirical-analysis-of-traceability.html), so including them could potentially reduce the efficacy of ring sigs for post-RingCT outputs.
Worth noting there's also a solid amount of additional work needed to implement support for this in addition to consensus changes:
- A database migration that stores total output counts not keyed by amount.
- The RPC used for legacy wallet scanning will need to include these counts in response.
- The RPC for selecting decoys will need to return the distribution according to this new rule.
Additionally, in order for the Seraphis wallet lib to support legacy scanning that can scan all necessary data wallet2 needs to construct txs before the Seraphis fork, the Seraphis wallet lib would also need to keep track of global output ID's keyed by amount anyway in addition to the global count, so the wallet lib would need both.
from research-lab.
Worth noting there's also a solid amount of additional work needed to implement support for this in addition to consensus changes:
This is not a one-sided equation. Treating coinbase enotes differently in the seraphis code implies a non-trivial amount more wallet code and complexity.
from research-lab.
Ya fair, I mentioned that that in the MRL meeting but should've mentioned that here too.
from research-lab.
This was discussed in the most recent MRL meeting: monero-project/meta#913
My summary of the discussion:
- There is still relatively solid support for spending coinbase outputs separately for the privacy benefit (#109)
- @Rucknium mentioned they plan to do some additional research on pre-RingCT output usage. This would help gauge the benefits of including them in rings alongside RingCT outputs.
- My take (piggybacking off @jeffro256): if the decoy selection algo treats all outputs the same, then when users spend >1 pre-RingCT outputs in a single tx (and rings are composed of both pre-RingCT and RingCT outputs), then pre-RingCT outputs would likely stick out as obvious real spends in each ring of the tx. This would negate the privacy benefit of including pre-RingCT outputs in the same ring as RingCT outputs.
- This can be mitigated with some engineering of decoy selection to distinguish pre-RingCT from RingCT for the purposes of selecting decoys, which would seem to defeat the core point of this proposal.
- There seemed to be rough agreement in the meeting that wallets could warn users if they are spending pre-RingCT outputs in a tx (e.g. wallets could tell users to churn those outputs) to improve privacy when spending pre-RingCT outputs.
- @rbrunner7 points out that probably only the CLI would end up doing this.
- @jeffro256 mentioned (and I support this fwiw) that he would like to see stronger evidence of a net privacy gain before continuing work supporting mixing pre-RingCT and post-RingCT in the same tx.
from research-lab.
I counted the number of non-RingCT rings and outputs created between block height 2689608 (v16 fork on 2022-08-14) and 3003871 (2023-10-25).
-
0.05% (10,024 of 18,712,969) rings were non-RingCT.
-
0.005% (468 of 8,536,690) of transactions had at least one non-RingCT ring. Since there are a higher share of non-RingCT rings than transactions with non-RingCT rings, transactions with non-RingCT rings must have a higher number of inputs than transactions with only RingCT rings, on average. In other words, transactions with non-RingCT rings are more likely to be consolidation transactions.
-
0.0005% (118 of 22,892,724) of transaction outputs were non-RingCT because of this allowed edge case. If a user spends a non-RingCT output today, the real spend will likely be at least a year old, if not older, because there are so few non-RingCT outputs created recently.
We have a potential privacy gain for about 0.005% of transactions if we allow rings to have both RingCT and non-RingCT outputs. We can compare with other ways to improve privacy for subsets of transactions, such as transactions with nonstandard fees. Exodus released a fix to their nonstandard fee calculations in their Desktop wallet after my report to them. About 3% of transactions had the Exodus nonstandard fee. Two weeks after the fix release, the number of these transactions has been cut in half to about 1.5% of transaction volume. There are still at least 7% of transactions that have nonstandard fees with unknown origin. The current Seraphis proposal will implement fee discretization to reduce the nonstandard fee privacy problem.
The numbers on non-RingCT rings above can be produced by running this R script and then running:
ringct.counts <- rings[, .(is.RingCT = input_amount[1] == 0),
by = c("block_height_ring", "block_timestamp_ring", "tx_hash", "input_num")]
ringct.counts.by.tx <- ringct.counts[, .(any.non.RingCT = any(!is.RingCT)),
by = c("block_height_ring", "tx_hash")]
v16.fork.height <- 2689608 # 2022-08-14
ringct.counts[block_height_ring >= v16.fork.height, table(is.RingCT), ]
ringct.counts[block_height_ring >= v16.fork.height, 100 * prop.table(table(is.RingCT)), ]
ringct.counts.by.tx[block_height_ring >= v16.fork.height, table(any.non.RingCT), ]
ringct.counts.by.tx[block_height_ring >= v16.fork.height, 100 * prop.table(table(any.non.RingCT)), ]
output.index[block_height >= v16.fork.height, table(output_amount > 0 & tx_num != 1)]
output.index[block_height >= v16.fork.height, 100 * prop.table(table(output_amount > 0 & tx_num != 1))]
# tx_num == 1 means that it is a coinbase output
from research-lab.
Related Issues (20)
- Exploring Trustless zk-SNARKs for Monero's payment protocol HOT 107
- Bulletproofs++ HOT 2
- Investigate possibility of reducing 10-blocks lock HOT 19
- Remove the burning bug as a class of attack with a modified shared key definition HOT 2
- Remove Extra Coinbase Locktime HOT 5
- Consider Switch commitments for future supply security HOT 29
- Radical idea for forward secrecy and instant wallet sync HOT 13
- Flashproofs
- Coinbase Consolidation Tx Type HOT 8
- Avoid selecting coinbase outputs as decoys HOT 2
- Scale the blockchain with recursive ZK proofs HOT 2
- Archiving historic nullifiers with mutator sets HOT 1
- Porting Utreexo to Monero HOT 7
- increasing uniformity of number of inputs/outputs
- Class Group-based ZK SNARKs
- Add scripting to Monero via the specification of R1CS circuits HOT 14
- based monero address decentralized IP address, Abolish ipv4 and ipv6 HOT 8
- potential measures against a black marble attack HOT 29
- Mining protocol changes to combat pool centralization HOT 16
- Catalogue of Monero decoy selection algorithms HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from research-lab.