Breaking Monero Episode 06: Unusual ring size

This is a transcript of Breaking Monero series Episode 06: Unusual ring size

Published under CC-BY RyoRU

Justin: [00:00:00] Hello everyone and welcome back to another episode of Breaking Monero. Today we have a much simpler topic than the last two episodes at least. Just the idea of an unusual ring size. This should be a pretty short episode for you all today. We already spoke about what Monero’s ring signatures are. So make sure to go watch those episodes if you haven’t seen them yet but instead we were simply covering how Monero’s ring size has sort of changed and how as a result you can’t really send transactions with unusual ring sizes of the coin. So to begin with we’re going to start with a brief history lesson and help us with this. There’s this one contributor called stoffu who has a real fantastic tool over here in regards to the ring size of Monero transactions over time. You can see back when that was first started that most of the transactions you know there about 98 percent of them had a ring size of one in that you did not hide the output at all. There was essentially no ring signature. And as we increase the minimum as you can clearly see here that the minimum became three. So as a result most became ring size 3 and then 5 and then 7 and now 11. But as you can see going up to this process it wasn’t that everyone only used one specific number. You can see here for example on June 30th 2017 that sure most transactions used ring size 3. But there were several other transactions that were sent as an example here. There were 130 transactions on that day, about 5 percent, that sent transactions of ring size 11 and this was one of the options in the GUI.

Justin: [00:01:46] So you can tap the GUI wallet software so it was more likely for someone to use a ring size 11 than a ring size 14 say. But if we zoom in on the current history if we go in just to the recent day we can see that now ring size 11 which is the current ring size of Monero is the only transaction size that people can use. No, it’s not just the case that coincidentally everyone’s sending transactions this way. It’s actually mandated on the network that you send transactions this way, that you actually have a mandatory ring size now. So this is a little bit of just you know history going back and so hopefully this two of you don’t want to play around still cause a ton of great data too on their website. You can see the link just up there. So a lot of cool data there even beyond just Monero ring sizes for whatever you’re interested in but just warning that it will destroy your browser window as you’re trying to use that just tap fair warning to everyone who’s trying to set this up for the first time.

Justin: [00:02:50] All right. But as far as light introductions here I apologize. But yes I’m Justin here as always. And just like we always do — we have Sarang over there.

Sarang: [00:03:01] Hey.

Justin: [00:03:02] Excellent. So you want to talk about some of the sort of crazy outliers we had with Monero rings in the past and sort of what people were doing there?

Sarang: [00:03:10] Yeah. So I mean you kind of pointed out up until very very recently the ring size was not fixed. So there were minimum ring sizes established. The minimum originally was one because you had to send something, which effectively meant the ring signatures were more or less optional. And as you said the minimum has increased over time but that was just a minimum. So in the wallet software you could choose in theory any ring size that you wanted and then your wallet software would choose you know approximately that many decoys along with your real sent output and generate a transaction with it. And then different wallets of course could kind of make their own decisions on you know what they wanted to offer as kind of fixed options. As you pointed out, some software, while it would let you choose any ring size that you really wanted to, would also offer kind of some preset options to kind of make things easy for you. But some folks definitely have had some outliers when they presumably wanted to increase their privacy a great deal. We discussed before... before we recorded, discussed a couple of interesting ones, one of which was, looks like, on October 10th 2018. That was you know greater than 100 for example but I think kind of the biggest stand out even so you actually have a screen to show for this one was in April 2017 which had as far as I have seen one of if not the greatest ring sizes of all time at 4501.

Justin: [00:04:30] So yeah I can pull that up and show people that really briefly. You can just see this example block explorer page here that you had a mixin of 4501. So this is a quite large ring size. Remember that at the time, this is in April 2017, so the default was either five or seven. So..

Sarang: [00:04:57] Yeah it’s pretty crazy.

Sarang: [00:04:58] And remember you know the way the ring signatures work, among those four thousand five hundred and one outputs that occurred in that signature, only one of them was a truly spent output. Absent external information we don’t know what it is. We noticed as we did a little bit of digging in there a lot of the decoys, presumably decoys, that were used in that transaction actually had ring size one. So would’ve been trivially vulnerable to the whole zero mixin and possibly leading to a chain reaction attack. So and as we talked about when we talked about our output selection algorithm there’s more to it than just ring size when it comes to safely building a transaction. But those are kind of some interesting standouts. And of course why this can be a problem has to do with fingerprinting and the idea of fingerprinting is that if your wallet software behaves abnormally or in any way that kind of stands out when it’s generating a transaction an adversary can kind of use that as a heuristic to try to figure out what software you’re using. Does that break your privacy immediately? Well no not necessarily but at the same time the goal is for everyone’s kind of blending uniformly. So you know if you decide for whatever reason to have ring size 69 because you know that’s the thing you want to do then presumably someone could look at the chain and be like “oh that transaction with ring size 69 must be that one ring 69 guy”. Does that tell who you are? Not necessarily, but it does make you stand out and you can see different wallet software over time. That’s kind of giving users options that presumably was to offer them different levels of privacy. Presumably in those cases a smaller ring would have meant lower privacy and a larger ring could have meant higher privacy. But of course that’s not necessarily the case. Right.
And we do know that if wallet software offers different values for those options than other wallet software that’s a method to fingerprint which wallet you were using. And of course there’s much more that goes into what determines the level of effective privacy of a ring than just its ring size. Now of course we have a fixed mandatory ring size of 11 which means a real input and 10 decoys and that’s no longer a minimum.

Sarang: [00:07:01] Regardless of what your wallet software tries to do, if it tries to broadcast a transaction with any number besides that the network will reject it and it will not be added to the blockchain which is why we’ve looked at that graphic earlier. We saw that 100 percent of transactions since that fork or upgrade date now have that precise ring size. And that’s a good thing. You know will we ever consider re-raising the ring size in the future? If we see a definite user benefit, yes, we will consider that. But there are tradeoffs. So you know absent all other information in theory having a larger ring size in the absence of other information can be better for your privacy.

Sarang: [00:07:37] Why? Because a ring signature guarantees that one out of however many outputs are in your ring is the true signer. And again absent external information but it tends to be more complicated in practice. For example we saw in our previous episode on the output selection algorithm we know that that can be all the more complicated. If you choose those decoys poorly for example that can start to leak a little bit of heuristic information to an adversary. And there’s other forms of analysis that are a bit less sensitive to that for which just purely increasing the ring size might not get as much benefit as you want. And there are downsides. Right. If we choose to have a larger ring size, well, that means the transactions become bigger. The blockchain grows faster, depending on our fee model it could yield higher fees and it means that it’s also slower to sync the blockchain over time. And that could discourage people from running full nodes…large scale effect if we were to do that.

Sarang: [00:08:30] Do we get better privacy according to some models? Yes. But according to other models not necessarily. So kind of the big model behind all of this I think is that our goal is to make sure that every transaction to the extent possible blends in with every other transaction. If there’s a way that a transaction can stand out that could allow any kind of fingerprinting or leak of information we want to avoid it. Researchers and developers and the Monero community decided that allowing for large ring sizes, while it could have some marginal benefit, was outweighed by the fact that that could allow fingerprinting and in general just standing out from other transactions and that because of that we decided to go to a fixed ring size. So we really want to make it fairly difficult for people to make choices that are unsafe for them and other people.

Sarang: [00:09:10] And I think that this was one way in which we were able to help that.

Justin: [00:09:14] To give a brief example, suppose that I was paying Sarang for any reason and say I want to buy a Sarang coffee mug. He sells coffee mugs. OK.

Justin: [00:09:26] Suppose that Sarang was really concerned about your privacy and that you said “OK any payments sent to me must have a ring size of this number or greater because I want the most privacy possible when I’m receiving pay”. So suppose Sarang just goes off the wall. He says if you’re sending me a transaction you need to send me a transaction with the ring size 100 or greater. There aren’t that many people that are sending transactions with those ring sizes so you can fingerprint essentially by looking at the blockchain and say “OK this is a transaction that meets Sarang’s merchant store minimum requirement of one hundred”. So there is, I mean, there’s a greater chance this transaction went to him than any other transaction with a smaller ring size. So it was really balancing those sort of things.

Justin: [00:10:13] It’s weird because on one hand you can go to one strict extreme where you can say that any like any larger ring size is better. Like I can send a ring size of 5, a transaction with the ring size of 10 or one hundred. Why shouldn’t I send one hundred? It’s larger.

Justin: [00:10:31] And then you can go to the other extreme that says, well, you’re exposing more information, and really for reality’s purpose it’s kind of somewhere between the two and we need to manage fingerprinting against actual size and use cases.

Sarang: [00:10:44] Yeah. Increasing the ring size. You know according to some forms of analysis can be very beneficial but you end up paying for it in other ways. So there’s always a balance and we have to try to meet that balance at any point in time as best we can. And that’s what we do.

Justin: [00:10:59] Great, Sarang. Any last closing thoughts you have on this short topic here?

Sarang: [00:11:03] We turn it up to eleven min.

Justin: [00:11:06] Excellent. Well thanks. Thanks again for joining us Sarang. Thanks for watching this very brief episode today. We’ll have others coming up to you later. Take care and have a great rest of your day.