Rucknium submits sensitive CCS proposal aiming to fortify Monero against statistical attacks
The current mixin selection algorithm (MSA) has been acknowledged as a weak point in Monero’s privacy model, but to date no plan has emerged to improve it. Over the last six weeks I have developed an outline of a plan to overhaul the algorithm through a technique I have termed OSPEAD: Optimal Static Parametric Estimation of Arbitrary Distributions.
The proposed fix cannot be disclosed publicly at this point, due to the sensitive nature of the information it contains:
A key difficulty with writing this CCS proposal is that the attack and the plan to overhaul the MSA have some indirect links. In other words, if I were to publicly fully specify the plan to overhaul the algorithm, a truly dangerous adversary — such as a government agency or a criminal gang — might be able to use some information in the plan to help develop its own attack against user privacy.
There are 3 milestones listed:
- Deliver fully specified estimation plan to the scientific review panel (3 weeks)
- Deliver initial probability density function to the scientific review panel (5 weeks)
- Deliver final version of probability density function to Monero developers (2 weeks)
After the scientific review panel examines the report and suggests improvements, a final version of the probability density function for the MSA will be produced.
This finalized probability density function will be delivered to Monero developers for consideration to be included in a subsequent release of the Monero reference wallet.
Rucknium notes that the implementation of a new MSA should not require a hard fork.
The 10 weeks of work will not be completely contiguous, but I expect Milestone 3 to be reached by January or February 2022. I will set the final expiration date for the proposal, for the purposes of the CCS proposal process, to July 2022.
Rucknium’s previous contributions to the Monero ecosystem include:
- statistical contributions to the analysis of the mid-2021 Monero transaction volume anomaly, particularly on the subject of ring member age5
- suggesting the development of a plan to recruit technical talent for the Monero Project6
Total funding needed: TBD ($100/hr rate). ETA: February 2022.
You can post your comments and questions on Gilab in !2552.
The fact that the proposal aims to keep some information confidential, mainly the method of choosing the probability distribution:
The actual mixin selection algorithm will be publicly visible and open source in the Monero code. How the exact probability distribution was determined, however, should not be disclosed [..]9
has been viewed with skepticism10 by some community members:
[..] I don’t see how that would be acceptable.11
This is exactly how the NSA backdoor was put into DUAL_EC_DRBG: algorithm in plain view with “mystery constants” of unexplained provenance.12
What happens when this group determines the probability distribution in a way that is also harmful to privacy either by accident or on purpose? You can’t only assume the convenient outcome in my eyes.13
It is currently unclear if that info could/would be disclosed after OSPEAD implementation or if needs to stay away from the public forever:
[..] it’s unclear to me from reading this post and Reddit, but the statistical model/approach would be published after it is implemented in Monero and binaries are released, etc., correct?14
Most Monero users would probably prefer everything is developed in the open, as that would produce the strongest possible code:
I think open development is the strongest method of producing the strongest code. I would rather all methodologies opened up to everyone, for all to scrutinize, review, and join in collaboration.15
The community is still reviewed the proposal. I will update this or create a new report if needed.
https://repo.getmonero.org/Rucknium, https://github.com/Rucknium ↩