Zcash Advisor’s Research on Monero Linkability, Refuted by Monero Community

On April 13, Zcash advisor and assistant director of IC3 Andrew Miller stated that transactions on the Monero blockchain from 2014 through 2016 could be linked.

To begin with, Monero uses decoy inputs called mixins to obscure the inputs and outputs of a transaction. This is what anonymizes Monero transactions: unlike with Bitcoin, a user cannot follow a transaction's trail back to its origin.

However, in a research paper entitled “An Empirical Analysis of Linkability in the Monero Blockchain,” written by Miller and his team of researchers including Malte Möser, Kevin Lee and Arvind Narayanan, Miller claimed that Monero's mixins did not work as intended prior to February 2017.

“We show that in fact for most of Monero’s blockchain history, the mixins haven’t done much good. Most transactions made prior to February 2017 actually are linkable. Here’s the problem. In the past, most coins were spent by 0-mixin transactions (those that opt out of privacy altogether), which were commonplace. Including these coins as decoys doesn’t do any good, because it’s already obvious where they’ve actually been spent. However, the Monero wallet does not take this into account. The result is that we are able to identify the correct links for the majority (62 percent) of 1+ mixin Monero transactions made from 2014 through 2016. The Monero blockchain has provided little more privacy than Bitcoin,” Miller explained.
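The failure Miller describes, and the wallet-side fix, as an added toy model that is not from the paper or from Monero's own code. Transactions, output ids and the two decoy-selection policies are constructed for illustration; the analysis only uses ring membership, and the ground truth is used solely to score it.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    ring: list   # output ids the ring signature references (one is the real spend)
    real: str    # constructed ground truth, used only to score the analysis

def chain_reaction(txs):
    """Infer real spends from ring membership alone (no ground truth).

    A 0-mixin ring (size 1) reveals its real spend outright. An output known
    to be spent cannot be the real spend of any other ring that references it,
    so it is struck from those rings; any ring reduced to one candidate is
    resolved too, and the loop repeats until nothing changes.
    """
    spent_by = {}                                   # output id -> spending txid
    unresolved = {t.txid: set(t.ring) for t in txs}
    progress = True
    while progress:
        progress = False
        for txid in list(unresolved):
            remaining = unresolved[txid] - set(spent_by)
            if len(remaining) == 1:
                spent_by[remaining.pop()] = txid
                del unresolved[txid]
                progress = True
    return {txid: out for out, txid in spent_by.items()}

def score(txs):
    """(correctly resolved, total) over the 1+ mixin rings only."""
    inferred = chain_reaction(txs)
    mixed = [t for t in txs if len(t.ring) > 1]
    hits = sum(1 for t in mixed if inferred.get(t.txid) == t.real)
    return hits, len(mixed)

# Constructed history: three 0-mixin spends (o1..o3) followed by three rings.
ZERO_MIXIN = [Tx("t1", ["o1"], "o1"), Tx("t2", ["o2"], "o2"), Tx("t3", ["o3"], "o3")]

# Naive wallet: decoys drawn from all outputs, including ones already spent
# with 0 mixins; o1/o2 give no cover, and o4 falls once t4 is resolved.
NAIVE = ZERO_MIXIN + [Tx("t4", ["o1", "o4"], "o4"),
                      Tx("t5", ["o2", "o4", "o5"], "o5"),
                      Tx("t6", ["o6", "o7"], "o6")]

# Mitigated wallet: same real spends, decoys limited to outputs not already
# known to be spent, so the chain reaction has nothing to start from.
MITIGATED = ZERO_MIXIN + [Tx("t4", ["o4", "o6"], "o4"),
                          Tx("t5", ["o5", "o7"], "o5"),
                          Tx("t6", ["o6", "o8"], "o6")]

if __name__ == "__main__":
    print("naive decoys:     %d of %d rings resolved" % score(NAIVE))
    print("mitigated decoys: %d of %d rings resolved" % score(MITIGATED))
```

With naive decoy selection two of the three mixed rings are resolved (t5 only falls in the second pass, after t4), while excluding known-spent outputs leaves all three unresolved.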

Response of the Monero Development Team

Almost immediately after the release of Miller’s research, Monero Lead Developer Riccardo Spagni, better known as Fluffypony, acknowledged that the issue addressed in the research paper was a well-understood problem for both the Monero development team and the community. In that sense, the research paper wasn’t inaccurate. But Fluffypony argued that the research paper was falsely presented as a “Monero deanonymization paper.”

Fluffypony went as far as to accuse the president of the Zcash Foundation of commissioning a paid-for hit piece against its competitor Monero.

“The problem is not the paper,” said Fluffypony. “The problem is that it was presented as a ‘Monero deanonymization’ paper, released an hour before a hard fork, and even lauded itself by one of the authors as ‘New research: serious anonymity weaknesses in privacy-centric cryptocurrency Monero; 80 percent of transactions linkable.’ It’s NOT new research, it’s additional research on a problem that is well understood. 80 percent of transactions are NOT traceable. It wasn’t researchers trying to improve the ecosystem, it was a paid-for hit piece by the president of the ZCash foundation,” he added.

Simply put, according to the Monero development team, the issue with Miller’s research is that it addresses a problem that was known long before Miller’s discovery. The community criticized the research for attaching a sensationalist title to findings that restated an earlier paper, and found the timing of the release odd, since it was based on old research of which the community was already fully aware.

The Monero community particularly criticized Narayanan’s statement, in which he described Miller’s research as an exploitation of Monero’s anonymity and privacy features. Narayanan wrote: “New research: serious anonymity weaknesses in privacy-centric cryptocurrency Monero; 80 percent of transactions linkable.”

Moreover, an unofficial response from the Monero community addressed the technical claims of the paper. According to the response, the linkable transactions from 2014 to 2016 should not have surprised most users, since many of them were mining-pool payouts whose details the pools had already disclosed.

“We believe that a large proportion of 0-mixin transactions are pool payouts. These transactions should come as no surprise to anyone to be traceable, since the pools themselves publish the payment amount to each address. Thus, we believe the claims stemming from the traceability of transactions before 0-mixin transactions were banned to be misplaced,” the response read.

Monero utilizes a technology called RingCT, which the Monero development team built by combining Bitcoin Core developer Greg Maxwell’s Confidential Transactions with Monero’s ring signatures to hide the amounts of all Monero transactions. Overall, while Miller’s research was not factually inaccurate, it falsely portrayed Monero and its technology by stating that Monero transactions were “deanonymized,” when they were not.