This is a transcript of Breaking Monero series Episode 04: Chain Splits (Key Image Reuse Attack)

Published under CC-BY RyoRU

Justin: [00:00:00] Welcome back to “Breaking Monero”. Today we are covering a sensitive topic — chain splits. Chain splits are a really complex topic to cover in fact it’s one of the real main motivators for having these breaking Monero episodes but to give a brief key takeaway if you get nothing else the best thing you can do is to not claim parts and if you do realize that you’re sort of playing with fire and you can easily screw up with many many consequences. So again it’s something seeming too complicated. Just go back to that main point and we can proceed from there.

Justin: [00:00:32] But I would like to initially talk about initially how this topic is really tricky to talk about because you can not only just easily screw yourself over if you do something wrong but you can also contribute to reduce security and privacy for others through the sort of chain split…chain reaction scenario we described during the last episode so see that if you’re skipping to this one. But first let’s head over to Sarang who is going to talk about what key images are and other introductions about sort of important parts and chains.

Sarang: [00:01:05] Thanks. So it’s good to have everybody back so in the previous episodes we talked a little bit about kind of the structure of Monero’s transactions where the sending elements of the transaction are included in a so-called ring has some consequences for things like zero mixins and chain reactions. And one thing that I want to emphasize about the way the transactions are structured with rings — it’s going to be very very relevant here. It’s something that we call a “key image” or it might be called a “tag” in some versions of the literature of an important thing to remember with that is if I have for example as Monero does now a ring containing eleven one-time use keys and I’m spending one of those. Well I want to make sure that I can’t use one of those keys in a future transaction and double spend. Remember a given one-time key might appear in many different rings but can only be spent one time. So every transaction has where you can kind of think of as like a one way representation of the actual spending one-time key called the key image associated to it. It’s important to note that you cannot look at a transaction look at its key image which is completely out there and publicly posted and determine from that which of the ring members was used. However, if the person who made that transaction attempts to spend the same..apriori unknown one time key in a later transaction they will share the same key image.The signature construction make sure that when you’re doing this you can’t lie about how you constructed the key image mathematically. So it is an effective double spend protection. If you look at two transactions and if they have the same key image then you know that the exact same one-timed ring input was used as the center and that’s all you ideally should not be able to determine which it is. So this will become relevant we’re talking about this. I know the Justin you wanted us to talk a little bit about the different kinds of forks since that’s a word that appears sometimes at some of those different ways you can look at the word “fork”.

Sarang: [00:02:54] It’s important to note that just kind of in the natural mining process of the network we occasionally do get small forks since different miners might find different blocks at around the same time but eventually those small forks and have going away and that’s what we end up meaning when we find consensus among you know a longest chain for example. So at the end of the day even though we have many small forks in the network naturally — they’re very short lived typically. It’s also worth noting that we do regular network upgrades to the Monero system. These are sometimes called “Hard forks” but I prefer the term “network upgrade” so technically we are forking away from an old chain to a new chain. But in general these are non contentious. Everyone follows the new chain and it’s not a big deal. So nothing to worry about there.

Sarang: [00:03:34] There’s also the idea of what’s called a “code fork” we’re an open source project. You can go on github and look at them on Monero source code. You are free to do what’s called a “code fork” and basically take that code modify it and start your own asset. As long as that asset starts its own chain and its own ledger from scratch nothing to worry about. We have plenty of examples of projects like that, projects like Wownero, Aeon or RYO that are completely safe to use. Because they use different keys and they have a completely different ledger. But the thing we really want to talk about is what I might call a project-based “chain fork” with these are they are typically..new projects with new assets with new names and there’s a ton of different ones. You know, you might have your diy Monero with lime that claims to be better. And what’s unique about these is that they actually share part of the older Monero ledger. The older Monero chain but at a given time it will basically split off from the actual Monero chain that’s going off in some direction and then basically start their own version of the chain. So it kind of forms a Y shape. You have the original share chain and then you split off there. So those are the kind of course that we’re going to talk about that are contentious and can cause problems.

Justin: [00:04:41] And just to clarify Sarang, with the example where they often share some of the previous existing chain and then form their own two chains and a Y shape. These are sometimes referred to as “airdrops” in many cases, correct?

Sarang: [00:04:53] Yeah yeah they are and typically what might happen with these projects is they might ask you to go up to their wallet and might ask you to input your Monero private keys and they’ll promise you that they’ll you know drop some of the new diy-Monero in your diy-Monero account.

Justin: [00:05:07] OK thank you. So I actually want to go through now take the time to walk through some of the previous slides that I gave at defcon again to talk about this sort of chain split analysis with the key image use. Just so you can see exactly how this happened so I’m going to share that screen right now…OK, this presentation is coming a lot of handy.

Justin: [00:05:27] So you can see it as an example here. Two different rings one on the left one on the right each ring the green circle are two different transactions. On the left you have chain one. Let’s say that’s the Monero chain on the right you have chain two. Let’s say that is that Monero diy with lime for instance.

[00:05:47] And if you wanted to make two transactions on both chains you would ultimately spend one origin source of funds so this one source of fund would be before the Y split would be generated before this Y split. And then after the split these funds would be present on both of these chains. You can see that this yellow output here in this sort of pot of gold is explained in other episodes is the money that you actually are spending and from each of these you have a key image that is derived all these black pots or other decoys that are selected from the blockchain. Moneros blockchain so you can see if you start sort of send two transactions on the two different chains incorrectly or without much care- that in most cases you’re highly likely to choose different outputs in each. So what you would basically do is say “OK well here are two transactions with the same key image but there is only one output in each set of rings that actually can be spent”. Sure there are like independently one of these alive and one of these seven in this example outputs could be spent. But when you look at these two together — there is only one overlapping output that could be spent in both of these transactions. So as a result what you can do is simply say “OK well I know that that’s the real output spent”. So both of these rings are compromised and then therefore this one output would continue on to do a further chain reaction where you would know this output is spent in this specific transaction so it could impact other transactions too.

Justin: [00:07:23] Now if you are able to take a more mitigating route like we explained earlier instead of choosing completely different decoys or again these black pots in both transactions if you reuse the same exact decoys for both transactions then you could again look for a key image match but every single one of these outputs would be overlapping and you’re no longer able to narrow down which outputs are specifically spent. So this is a really nice high level overview about what chain splits are and how you can sort of see how you’re able to find how you’re able to use this as an analysis tool.

Justin: [00:07:58] And from now on Brandon is going to actually speak with us about what happens if you actually decide to participate in this chainsplit, what the risks are to users and what the mitigation methods are if any.

Brandon: [00:08:10] So it’s it’s funny if you’re going to develop a new project and you want to use Bitcoin’s code for example you’re going to copy it over and if you want people to use your project soon you may want them to be able to claim funds from the Bitcoin blockchain on your new chain.

Brandon: [00:08:29] But if you do that you’re at a boom in Monero. in Bitcoin maybe not a big deal, but in Monero you’re going to have a problem because of the diagrams that Justin just showed you. If you have a single key image and two totally disjoint key rings that overlap over only on one key you’re out of luck. In fact if you take the intersection of two rings and you only have three keys you still have excluded all of those other keys. So the problem is is that then an observer can go onto the Monero blockchain and can scratch off all of those keys that have been revealed from other rings, excuse me — the key that you spent in your intersected transaction. They can cross that out from other rings and that can lead to what’s known as chain reactions.

Brandon: [00:09:17] But although. Generally you don’t really have to worry about it too much of it. Aaron talked about more about that in a moment here. But…what are you risking exactly if you use multiple chains. If you provide a signature on two different chains from the same key you’re giving more information away than if you only provide one signature. That seems like a really obvious observation but one of the big things that’s going on right now in the data science world is that if you have two anonymous sets of data and you combine them you can totally deanonymize them. So if you start spending your private information or private keys on a different ledger you’re gonna be risking the built in anonymity that Monero is trying to provide. But actually one of the biggest risks is the wallet software just because a development team has come out with a new project doesn’t mean that they’re necessarily the ones who are going to come out with a wallet for that project and they should. For safety reasons. But if some third party developer comes along and comes out with some “diy-Monero with lime vanilla wallet” then what’s going to end up happening is that you put your own Monero keys into somebody’s random developer’s wallet and who knows if they’re emailing themselves your keys. Who knows that the only way that you can really check is to go through line by line through their code which is why open source is great. But it also means that in order to really safely do this you need to know what you’re doing and you need to be kind of subject matter experts.

Brandon: [00:10:56] So these airdropped coins are pretty dangerous for a variety of reasons. So one way that you can mitigate this which was described by Justin’s diagram a few moments ago is to use the same ring on both chains. If you’re going to construct a ring signature you should use both. The same ring and both of them. The problem with that is that unfortunately sometimes you end up with some of the ring members from before the split and some of the ring members from after the split and then the ones that are from after the split can be excluded. Right, and you have an effectively smaller ring size. So lets see here. I mean I go through my list here make sure that I’ve touched everything. Yeah. So if you only use pre-fork decoys in your ring signatures you’re probably pretty good. If you make sure that you don’t construct transactions for two or three days before or after the fork you’re probably pretty good. And if you do what we call in the Monero world “churning” you’re also pretty good although (“churning” is the practice of sending transactions to yourself over and over again the term actually comes from anonymous communication networks). But the main thing is unfortunately for all of these mitigation methods we don’t really have strong security claims for any of them. I can’t tell you to turn seven eight nine times and be confident that you’re going to get 256 bits of security out of that in terms of your anonymity. So even though these are mitigation methods the main thing that you can avoid doing to prevent problems with chain splits is to simply not use them. Another way is to just use brand new burner keys and every single time that you need to spend money on your new chain you make sure that you’re spending it from keys that either don’t exist on your other chain because you churned incent transactions to yourself or or you just generate a whole account and you just never ever touch those funds again.

Justin: [00:12:54] Yeah thanks Brandon. One really important just point of clarification is that when you if you decide to claim funds you should in addition to just using a burner account for your Monero. You need to move your Monero out of that account first or else your Monero is also at risk. Like it if someone if you have Monero on account and I say “give us your Monero private key and we’ll give you new coins”. For instance while you’re giving away your Monero private key your Monero coins are at risk just makes you remember that at the bare minimum. Send your Monero to a new account before giving that private key and make sure there’s no other history associated with that account. So thanks Brandon for covering a lot of those basic mitigations that people can take. But ultimately as you said you really need to be a subject matter expert to cover at least a very difficult usecase if you if you really care about your privacy you really shouldn’t be touching this at all. So..Sarang can you cover what users to do if they’re a bystander. They don’t want to get involved in any of this change but nonsense. They just want to stick with Monero what ultimately can users do. What risks are they exposed to and how can they mitigate their exposure.

Sarang: [00:14:05] Yeah absolutely. So as we’ve said there are a lot of potential pitfalls that can occur if you decide to participate in one of these chain slits. So the safest bet is to just not participate. I do not participate nor do I wish to participate in any. But as was already hinted at the folks who do end up spending funds on both chains of course can reveal which ring member is going to be the true spender on both chains and as was hinted at. And we can use this in a chain reaction analysis based on being able to remove that particular spent one time key from other rings on both chains in which they appear. So we are going to whole chain reactions work. And we also know that one of the reasons that we have increasingly larger ring sizes over time is to make the effects of chain reactions less of a big deal. If I have a ring size 11 and one of those decoys happens to be part of a chain split and I’ve reduced my ring size down to 10. And if this happens a lot that is that there’s very very large participation in such a chain split. Then I reduce my effective ring size more and more. And again I haven’t participated in anything. I’m just using Monero as expected and my transactions all have rings that contain other decoys that could have participated in it. So if we’re not participating what should you do? Well in general because a lot of this has to do with which decoys you’re choosing. The safest possible thing if you’re not sure how popular a change is going to be and how effective a chain reaction might be against your outputs. In general maybe if usability is not a big deal for you around that time consider not sending any transactions on your original Monero chain for about maybe two days before and after the split. Now the reason for this we’ll talk about our next episode has to do with the way that we select decoys in general, but that’s probably the absolute safest thing that you can do. So, decoys that are exist in between that is decoys that were created in transactions within this kind of two day range before and after. You should consider those fairly high risk decoys as in are at higher risk of being revealed by someone who created them and then use those in a chainsplit. So if you’re very worried maybe avoid usage.

Sarang: [00:16:08] Again this is not great for usability but it’s a consequence of the way the Monero transactions and double spend protection work. However if you must use Monero in those times and of course if we want Monero to be usable we have to assume that some people might need to use it in that time. Well if that’s the case you generally are going to want to prioritize among the decoys. You choosing your transaction decoys that occurred after the chainsplit. After all if a decoy was created after the chain split it does not exist on the other side of that Y. And therefore it cannot be spent on the other side of that Y so post split decoys are a better option. Now of course again as we’re going to talk about in the next episode how outputs are actually selected is actually very very subtle topic. So this isn’t necessarily a fully ideal solution but it’s a reasonable one if you must use Monero within kind of this two day before and after region. We also talked before about a previously so-called blackball or a spent output analysis tool that (although it takes a while to run) can be used to analyze different Y forks and figure out which outputs are absolutely spent and should not be used in a ring. Again this is really only necessary if you’re very very worried about the popularity of a chain split as we’re gonna talk about we typically have not had much popularity with such splits. So it’s not really an issue. And finally just kind of a nice social advice is you know follow the community when these occur you know typically the community is very much on top of how popular we think such a chain split might be. We have a history of dealing with these pretty well. So if you want to know when such a split might occur and when this two day range might happen — follow the community as much as possible. And of course we have talked again about the idea of churn which is sending funds to yourself. This is something you could also do if you have to use it during this time period. But again churn is not something that is fully understood to our satisfaction. So the absolute safest bet is to avoid that time range. And if you must use that time range consider prioritizing outputs that were created after the split as the decoys.

Justin: [00:18:05] Excellent. Thank you so much Sarang. So I actually used that spent output tool at the time when I ran it it was still called the blackball tool on several of these Y splits of Monero. So I ran it with Monero with Monero version 6 which was the original zero classic fork it and also the Monero V4 in order to sort of determine what the actual results were. What’s the real measurable impact that these forks had on individuals, and by speaking about these we can help explain how Moneros ring signatures have provided protection and what we sort of need to do going forward. So I ran the two on August 2018 and I found that 31359 rings. This is about half a percent of the rings had reused a key image in an obvious way so it is really obvious what output was actually spent in these rings. So you knew “OK. This is the clear output it has to be spent in this exact transaction”. And as a result this had a chain reaction impact that impacted eight other rings on the block chain which is less than a 0.001 of a percent of Monero transactions.

Brandon: [00:19:17] I have a quick question. Is getting 8 rings compromised when starting from thirty two thousand roughly. Is that acceptable to you guys. In your opinion in terms of anonymity?

Sarang: [00:19:31] Well those numbers are very very different. So keep in mind that this thirty one or thirty two thousand rings That was basically outputs that people who participated in the fork itself had effect. For themselves. So to some extent you know again we advise not participating if you participate. It is extremely likely that you would compromise your own up but you’d be one of the thirty two thousand, the eight rings or eight entirely different rings from people who presumably did not participate in that fork. So it’s not 8 of 32000 it’s that 32000 outputs basically chose to screw themselves over and the effect of that was each other outputs that were affected. That is an extremely low number. I think that any number that is not zero is ..ideally not acceptable. However again this is a consequence of the fact that chain splits have effects on others. It’s also important and I’m sure Justin was going to mention this anyway but (let me steal the thunder for a moment) to note that this was around the time when we were actually increasing our ring size. And remember that increasing a ring size we talked about before — mitigates against these effects of chain reaction. So were we to have another similar scale chain split now that our ring size is 11. You could expect that number it would..I would say..probably going to be 0 which is great.

Justin: [00:20:49] Yeah absolutely. So speaking to the first the first what I observed that was when Monero was upgrading from ring size 5 to 7. So the previous chain that sort of continued on that other split stayed at ring size 5. Now we’re up to ring size 11 so luckily ring signatures have a built in buffer.

Justin: [00:21:08] They have a built in protection against these very attacks. So ultimately 8 luckily it is a really small fraction of the total transactions. But ultimately I also want it to be zero. Going forward. I don’t want another chain reaction effect to happen as a result of these chain splits. So.. but I’m generally confident that unless there is a really significant split that has a community torn in Monero that we’re unlikely to see such large chain reactions going forward. Luckily. So hopefully this is worse is sort of behind us so to speak. In my opinion.. and I guess one last thought. One less closing thought I had is that chain split attacks are partially social attacks. You can’t just sit on your home computer and keep splitting Monero over and over. Keep making more these forks and observe information. You have to get a lot of people that are interested in Monero to really become a part of this. So as a result we can simply say that..sorry I lost my train of thought there.. Oh yeah. So these are partially social attacks. You have to get a lot of community involved and luckily since these are social attacks and part they’re relatively easy to observe, because people need to know about this actual claim of fund the funds and make an impact. So it’s sort of a multileveled, multitiered attack surface here. Any final comments from the two of you. Before we sort of wrap up this episode?

Brandon: [00:22:43] Well I do have one observation. This is not the only problem with the airdrop coins right. There’s a variety of other security issues with them. This is the problem with airdropped coins that applies specifically to ring signature based cryptonote-like currencies. So you may be able to go find other articles describing other problems with airdropped coins that are beyond the scope of this discussion.

Sarang: [00:23:09] And I guess the only thing that I would really close on is, like so many other things that affect personal financial digital security. It’s very very subtle. And in general you know I kind of you know kind of take on the mantra that if “I am not extremely confident in how to do such a thing correctly the best thing to do is just to not do it”. So..we’ve already talked about very subtle it is to participate in these chain splits if not extremely confident that you know exactly how to do it correctly to protect yourself. You really shouldn’t do it. And as we know there are very simple mitigations you can do if you are not participating that can mitigate against the effects of others.

Justin: [00:23:49] All right. Thank you so much Sarang and Brandon we’re happy to have both of you on again in this episode. Again the next episode is specifically on the Monero input selection algorithm and how this has consequences of everything to do with ring signatures. It’s a really big topic that we have in the next episode. So hopefully, this chainsplit episode is really helpful for you. It is one of the really unique parts about Monero and consequences about how Monero prevents double spending and there’s ways to mitigate it. But it’s important to sort of communicate exactly what the consequences and impacts are to the rest of the community. So hopefully this has been really helpful to everyone here and we’re going to.. And so with that I’m just going to wrap up the episode. Thank you everyone for joining us. See you in the next one. Thank you. Bye.