sarang :D

-_____-

ur a wizard

casting math spells

on the evil ciphertrace demon

They aren't demons!

Just applying very well-known simple techniques in a FancyTool (tm)

tiny imps?

Chainanalysis company that aims to sell survelliance tools to governments? I think the evil demon is appropriate :)

The banality of evil and all

so you're saying that they're soon going to be guarding concentration camps?

If anything, I'm disappointed they aren't doing more interesting math

Nah, just that dutifully carrying out government directives without introspection as to the end results/world those directives bring into existence can cause people to be evil without realizing it.

The lack of introspection is the big part

I for one I'm thankful they're not doing more interesting math

lol

I was joking needchainalasys90

I wasn't trying to make an explicit reference to the nazis, but yeah, that's where the quote is from

Whoops, sorry to OT in -lab

needmoney: 100% agree. People often confuse "right" with "legal"

Oooof

<nik> Time to increase ring size ?

Yeah, anything not research-related, please take elsewhere

Ring size? Not marginally IMO

If the r/Monero example is to be believed, this is about wallet behavior related to output management

not ring size

<nik> So a churn or two in between would make it pretty much untraceable?

We also have to differentiate between active and passive here

Presumably, the observer here knows that the two outputs belong to the entity

Which is, as a passive observer normally, quite difficult (if not impossible) to discover

Yes, but some (like knaccc) would argue that an exchange breach basically makes every adversary "active" in this way

I'm not sure what I think about this particular threat model

Absent that, the information presented so far suggests this is in _no way_ generalizable to transactions where prior merges are not suspected

However, research on merge distributions is active and ongoing

nonsense! ringsize a bajillion!

Well, IMO there's a big difference between marginal increases and order-of-magnitude increases

OoM increases can certainly help to diffuse certain merge analyses, depending on the setup

Repeated controlled spends? That's a different story that's very hard to mitigate with this type of protocol

or easy with subaddress-tagging :)

Sarang I kinda disagree a little bit

If we look at the number of recent txes that get included in a ring

It's a fraction of the total

Idk, we could prioritize increasing that part

Over historical txes

It makes churn more effective

A lot of this depends on the metrics/methods you're using, and how you threshold them

and at some point it becomes a cat-and-mouse game

Additionally, a lot of this depends on how CipherTrace presents the results of their tools to their customers

In any kind of CoinJoin-type operation, _every_ input was involved in the signature

Even in a merge analysis, there is _no_ guarantee that any particular input signed (assuming no set-theoretic analysis, which no longer applies)

The most this does is say "eh, maybe this input"

and then you hope you can identify the entity via some exchange KYC or something

This whole process is quite subtle

I think we should make a churn wallet

or a mixer

Monero Mixer

:O

No just a wallet. Which a churn button

I've suggested a mixer multiple times, jokingly and not, over the years lol

me2me

The algorithms for a Monero mixer are trickier than you might expect

*with a churn button

I assure you, we've examined them carefully

"The negligible improvement to your privacy that you never knew you needed, and probably don't"

ok, so, get me, what if we make stake-incentivized "master" nodes that facilitate the mixing process

🙃

sarang whoa, i just checked out the forward-in-time references to a particular output, and the number of txs that references the original output directly or indirectly absolutely explodes! this is fantastic news!

i took an output in block 2159385 and searched for all txs that either directly or indirectly referenced it

?

go on

and 313532 of 333463 txs referenced it directly or indirectly

Which tool did you use for this (for verifying)

i have java stuff i've been working on, it's a mess but i'm cleaning it up so it can be released

righto

How old was that output?

i hope i don't have a bug, cos that is a very encouraging finding

Relative to the search space

And at what block did you stop searching forward?

2020-08-07 onwards, block 2159385

knaccc we kinda worked out most of the bugs didn't we

i stopped at the most recent block in monerod

What was that block height, just to be clear?

For verifying later

yeah big time, needmoney90 helped me work through the issues with his challenge

what do you mean by "indirectly"? How many hops to this tx?

i'll check

I assume it means "There is a path from this % of all txes to this particular output"

looks like 94%

yes, you start with one output, and going forward find all outputs that reference that output and add it to the list of observed outputs

and then you keep going forward and looking for references

so, if you have a 'tainted' output, 94% of the time, after that many blocks, it will be implicated in a given tx

essentially this means you can churn two outputs independently of one another, then combine later, and that later combination won't be noticable at all

ehhhh

huh

actually

yes

even with 5 combined txes thats 73% absolute probability

not surprising as this process gives 11 outputs after 1 hop, 121 after 2 hops and so on. 11^N quickly overwhelms the real number of outputs on the blockchain

so they all get covered (almost)

sech1 this is going forwards not backwards

direction doesn't matter, you're dealing with exponent growth here

and i was worried it might not be great if chains of outputs were not as long as we'd want

I am interested to know what metrics CT use in their FancyTool(tm) for this, and how they present to their clients

yeah but if outputs don't keep appearing in long chains it breaks down when going forward

sarang: starting output id 19572539 in block 2159385, ending block 2176676, 313532 of 333463 txs directly or indirectly reference the original output

thanks

good to have this info on record for later checks

this is what's expected from a good decoy selection algorithm, right?

well the decoy selection isn't actively trying to create chains, but it just works out well that it does

ehhhh

our distribution heavily selects for recent outputs

If thats not "actively trying to create chains", its pretty darn close

yes, recent output are selected more often, but this is in line with real usage (outputs are often spent after 1-2 days)

so chains occur naturally with this selection

needmoney90 good point, i agree

"good selection algorithm" depends on your criteria

it turns out that not following spend patterns is bad

just straight-up bad

sarang check this out: paste.debian.net/plain/1162052

controlling for other heuristics can get tricky

Any questions I should ask of CipherTrace's CEO in an interview today?

I mean good selection = breaks all known heuristics (so far)

I don't think "breaking all known heuristics" is uniformly possible

Some are at odds

"Why do you think people 30 years ago were aghast at the mass spying behind the iron curtain, but are clamouring for it now ?"

well, at least if it doesn't break some heuristics, they can only reduce 11 to 7-8 or so if it's good

Thoughts on china's new social ID program? :p

sarang also: paste.debian.net/plain/1162053

I'm curious if ciphertrace supports privacy or intends to subvert it. If they keep any developed tools private, their intention is obviously to use them until we figure it out. If they publish their research in good faith, we can react to it.

knaccc: usercontent.irccloud-cdn.com/file/WKRPTMCB/4ddng5.jpg

Any questions I should ask of CipherTrace's CEO in an interview today? -> sarang instead of asking if they spammed transactions for their analysis i would ask if the transactions they analyzed were organic or created ad hoc.

:)

ErCiccione[m]: yep

So to avoid giving them the possibility to give a "safe" answer :)

already have a set of questions for that

I'm going to assume PR answers

what time is the interview?

It's not live, but starts in ~30 min

great. Yeah, that's what i expect, hopefully that won't be 100% the case. I would be happy with only few straight answers

Yeah, I'm setting my expectations low and hoping to be pleasantly surprised

Actually more than 30 years ago now. Wheee.

obviously ask what monero could do to totally destroy their ability to trace txs and get their contract cancelled

Maybe that's why. People don't remember things before they were born and can't be arsed reading about history.

"Did your grandfather fight in WWII against oppression ?"

o_0

Well, it's well known govt databases were instrumental in rounding up jews in northern europe.

And these people are not waking the fuck up,

are we back to nazis again

I thought I closed that

In the US, close.

fuck I'm feeling angry again

:c

Oof, off topic

ban

:P

sarang and CT are having a chat?

that's good

Along with sgp_ yes, an interview

starts shortly, not live

have fun!

Be nice

can the CEO of monero be involved too

sorry

OT again, keep missing the channel name

Looking forward to the video

just remember the importance of fungibility when there is no central body to decree such

Interview completed!

sgp_ says the video will be posted in a couple of hours

Interesting result: CiperTrace does perform their own transactions as part of analysis