The world's sixth-largest cryptocurrency network, monero, celebrated its third birthday this Tuesday, but not without having weathered a storm in the preceding days.
On Twitter, Reddit and across social media, a heated discussion has been playing out over findings published on MoneroLink.com. Launched on 14th April, the website provides a block explorer that lets users follow the inputs and outputs of a majority (62%) of transactions conducted before January 2017, a feat that was widely thought to be impossible.
The explorer is a practical implementation of techniques published in a research paper by Andrew Miller and Kevin Lee of the University of Illinois at Urbana-Champaign, and Arvind Narayanan and Malte Möser of Princeton University.
Since its publication, much debate has taken place over whether the findings of the paper have been presented accurately, and equally, whether the monero team's own research, which founder Riccardo Spagni says highlighted the same findings in 2015, was communicated well enough to give users of the network a clear understanding of its limitations.
The central finding of the paper centers around "mixins": dummy inputs and outputs used to obscure the true sender and recipient in transactions.
According to the research findings, mixins can be identified with certainty in almost two-thirds of cases, because they have been spent elsewhere in transactions that did not contain mixins (meaning that the input and output were sure to be genuine).
Further, 80% of the time, the real input among mixins can be guessed by looking for the "newest" coin, i.e. the one that was most recently committed to the blockchain as the output of a prior transaction.
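To make the two heuristics concrete, here is an added Python example (not code from the article, from MoneroLink or from the paper's authors) run over a small constructed ledger; the transaction and output labels and block heights are made up. It shows how a single zero-mixin spend cascades into deductions about other rings, and where the "newest output" guess takes over once deduction runs out.

```python
from typing import Dict, List, Tuple

# One input's ring: candidate (output_id, creation_height) pairs, exactly one
# of which is really being spent. A ring of size 1 is a zero-mixin spend.
Ring = List[Tuple[str, int]]
Ledger = Dict[str, List[Ring]]

# Constructed ledger (hypothetical ids and heights, not real chain data).
LEDGER: Ledger = {
    "tx1": [[("o1", 10)]],                          # zero-mixin: o1 provably spent
    "tx2": [[("o1", 10), ("o2", 12), ("o3", 15)]],  # o1 is a known-spent mixin
    "tx3": [[("o2", 12)]],                          # zero-mixin: o2 provably spent
    "tx4": [[("o3", 15), ("o4", 20), ("o5", 25)]],  # o3 will be deduced spent by tx2
}

def chain_reaction(ledger: Ledger) -> Dict[Tuple[str, int], Ring]:
    """Repeatedly strip outputs already known to be spent elsewhere from every
    ring; a ring left with one candidate reveals its real spend, which may in
    turn shrink other rings (the 'chain reaction' of MRL-0001)."""
    remaining = {(tx, i): list(ring) for tx, rings in ledger.items()
                 for i, ring in enumerate(rings)}
    spent: Dict[str, str] = {}  # output_id -> tx that provably spent it
    changed = True
    while changed:              # loop until no further deduction is possible
        changed = False
        for (tx, i), cands in remaining.items():
            # an output provably spent by a different tx cannot be this spend
            pruned = [c for c in cands if spent.get(c[0], tx) == tx]
            if len(pruned) == 1 and pruned[0][0] not in spent:
                spent[pruned[0][0]] = tx
                changed = True
            if pruned != cands:
                remaining[(tx, i)] = pruned
                changed = True
    return remaining

def guess_newest(cands: Ring) -> Tuple[str, int]:
    """The article's second heuristic: the most recently created output in a
    ring is the real spend about 80% of the time on the pre-RingCT chain."""
    return max(cands, key=lambda c: c[1])

def analyse(ledger: Ledger) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Map each (tx, input index) to (likely real output, 'deduced'|'guessed')."""
    result = {}
    for key, cands in chain_reaction(ledger).items():
        if len(cands) == 1:
            result[key] = (cands[0][0], "deduced")   # certain, not a guess
        else:
            result[key] = (guess_newest(cands)[0], "guessed")
    return result

if __name__ == "__main__":
    for key, verdict in sorted(analyse(LEDGER).items()):
        print(key, verdict)
```

In this ledger three of the four inputs are resolved with certainty and only tx4 needs the age guess, which is the pattern the paper reports: zero-mixin transactions degrade the privacy of every other ring that later reuses their outputs as decoys.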
The technical proofs behind the paper have gone unchallenged and, in fact, findings were echoed in another paper from a group of researchers at Singapore University published just days later.
But the caveat is that the findings presented in the paper and website only apply to the monero blockchain from 2014 to 2016, and no longer hold from the point at which monero transactions implemented the RingCT method (January 2017), a clarification which supporters of monero believe was downplayed in order to increase the paper's impact.
Further complicating the matter is Miller's position on the board of the Zcash Foundation, which is seen as showing allegiance to a similarly privacy-focused cryptocurrency often positioned as a rival to monero.
While this position draws no salary, Miller confirmed to CoinDesk that he has holdings in zcash which provide a financial benefit.
Miller's involvement with zcash is no secret (it's disclosed in his Twitter bio, university staff page and elsewhere), yet it's easy to see how his claim that this professional and financial link has no bearing on his academic research is a tough pill to swallow for a business competitor.
"In order for zcash to succeed, monero needs to be a small user base comparatively, so there's an undeniable conflict of interest to [the research]," monero founder Riccardo Spagni told CoinDesk.
At the same time, judged by the standard of how accurately research has been presented, Spagni's main rebuttal, that Miller's findings had already been exposed by Monero Research Labs (MRL), has also been subject to scrutiny.
Spagni and others in the monero camp have pointed to papers MRL-0001 and MRL-0004 (titled "A Note on Chain Reactions in Traceability in CryptoNote 2.0" and "Improving Obfuscation in the CryptoNote Protocol" and published in 2014 and 2015, respectively), saying they highlight the same security flaws Miller, Narayanan, Möser and Lee have claimed as new discoveries.
But the level of attention which the MoneroLink traceability proofs have attracted in the cryptocurrency community makes it clear that even though the MRL papers were already available, the implications for transaction analysis were not widely understood.
Miller told CoinDesk:
"The basic vulnerabilities are absolutely talked about in the MRL1 and MRL4 papers. The thing that's missing from those papers … is that we're for the first time looking at the consequences of these vulnerabilities in the monero blockchain as it exists."
Miller expanded on this view in a post on Hacking, Distributed, arguing that the existence of the MRL reports has at some points stifled rather than encouraged further research (albeit unintentionally), by giving the impression that the outcomes of the noted vulnerabilities had been explored in greater depth than was the case.
Talking to CoinDesk, Spagni conceded that the MRL findings were for the most part listed in technical documents, but also defended the need to put forward a clear message to users who were less familiar with the cryptocurrency.
He said:
"There's a big divide between the marketing-style language that's on the Monero website and the more technical discussions that happen on IRC, Github and the Monero Stack Exchange, and I don't think it's possible to simply convey everything in the style of writing that's put on the site."
A second key question to ask of both the MoneroLink paper and the Monero team's response is to what degree the research findings have a bearing on monero users who would have expected anonymity during the 2014–2016 time period.
In a Reddit post, monero developer smooth_xmr writes:
"When one looked at a block explorer in 2015 or 2016 one saw that 80-90% of transactions used mixin 0 … Most transactions in 2014 and 2015 (and even most of 2016) were mining and trading. There were precious few ways to use it for anything else."
It's hard to confirm the accuracy of the 80-90% figure, but self-evidently users opting not to use any transaction mixin were not expecting to benefit from transaction obfuscation, and are unlikely to suffer a serious loss of privacy from a blockchain analysis for this period.
From Spagni's perspective, techniques that might deanonymise some of monero's early adopters retrospectively have little bearing on the currency's users today.
"The entire userbase has changed in the last six months," he said. "Academically this [report] is an interesting piece of information, but it doesn't give us much additional learning that will help monero's current users."
As the security implications of the report continue to be studied, focus is likely to fall on the late 2016 period, during which time monero grew well beyond the initial pool of enthusiasts, largely driven by darknet market AlphaBay's decision to offer it as a payment option in August.
From August 2016 until the adoption of ring signatures in January 2017, monero users making purchases on AlphaBay would have been vulnerable to transaction linking, though at this stage it's difficult to say how many people are affected and what the risk of deanonymisation is.
"Our message is that users should have been warned earlier, especially if you were relying on an untraceability guarantee and did not in fact have it during this range," Miller said.
Though the tense rounds of claim and counterclaim have generated a lot of attention, it would be wrong to characterise the process as unproductive.
The monero community has compiled an unofficial response to the paper which, while disputing some of the authors' claims, also cites the importance of the work for the continued improvement of the currency.
Miller also acknowledged that discussions with some members of the monero community had been very productive, and that feedback would be incorporated into future updates to the research.
For anyone with a prior sympathy for either monero or zcash, there are certainly actions on both sides that can perhaps be read as bias, but from a detached viewpoint, rigorous and widely publicized research is always a net gain for cryptocurrency as a whole.