What is floodXMR & US department of justice plans to hold onto the Monero they seize

I saw this thread on Twitter and thought it was interesting. Apparently the “US department of justice plans to perpetually hold onto the Monero they seize”.

According to @gojomo on Twitter the reason they are doing this is to execute a de-anonymization attack called FloodXMR.

What exactly is FloodXMR and is it actually possible to conduct de-anonymization via this method?
Is it possible a state actor would try to conduct this attack even if they could potentially lose a bunch of money trying to do so?


I think you are conflating two different tweets to mean the same thing.

That could be true, but it would assume that they have already seized the Monero from someone. Not necessarily directly related to a de-anon attack.

There is a paper called floodXMR that describes a theoretical attack against Monero by “flooding” the network with transactions. I don’t know if it’s accurate or has been done before but here is the paper:


Thanks for that info, interesting… I was also reading this thread on Reddit where they are talking about this and bulletproofs … seems like this might be a weakness if it could really be exploited. (https://www.reddit.com/r/Monero/comments/bn046q/floodxmr_lowcost_transaction_flooding_attack_with/) –

Many of the Monero guys are saying that XMR uses Zero Knowledge Proofs now to hide transactions in the way Zcash does. From what I understand, they use Bulletproofs, which are a form of Zero Knowledge Proofs but have many inefficiencies compared to what we use here.

Does Monero still use mixins at all to obfuscate transactions? In what way does it use these Zero Knowledge Bulletproofs to hide transactions? Is it using Bulletproofs in the same way Zcash uses SNARKs in Z addresses to encrypt transactions?

Yes (via ring signatures).

Bulletproofs were added to Monero to implement their range proofs, which enable hiding the transaction amounts while proving that they are valid. They replaced an older, less efficient range proof, but otherwise maintain similar amount hiding properties.

No. Monero’s use of Bulletproofs hides the transaction amount but not the transaction graph (the latter relies instead on their ring signatures and mixins). Zcash’s use of Groth16 proofs hides both the transaction amount and the transaction graph (the latter by proving that the note being spent exists in the global note commitment tree).


This is a preposterous accusation. Anyone can spam the blockchain with transactions. The seized XMR doesn’t suddenly give the US government with near-unlimited resources the new capability of doing this. By the nature of an open, permissionless network, anyone can attempt attacks by flooding the network with outputs at any time. Natural defenses against this include the ringsize, block size increase limits, and the public transaction count.

As I mentioned above, I think the OP is conflating two separate tweets to mean the same thing.

One has to do with a proposed attack from a paper called floodXMR (which may or may not be even possible), the other is government policy issue.

There is no way for floodXMR or any other privacy attack to seize a user’s private keys.

Contrary to the OP’s assertion, I couldn’t say that this is the reason DoJ is keeping seized Monero. My tweet is just musings.

But I believe all of the following are true, and far from “preposterous”:

  1. One of the costs of executing FloodXMR-style attacks is holding Monero
  2. The DoJ & associated groups would like to deanonymize Monero, but might not want that to appear as a formal budget-item, and for bureaucratic reasons might practically have a freer hand in deploying seized Monero than that acquired via usual government procurements.
  3. The FloodXMR attack becomes prohibitively expensive, or progressively fails, if multiple non-coordinating groups all attempt it at the same time. Thus there’s a strong incentive for multiple surveillance groups to form a cooperating cartel.
  4. Savvy Monero users can adopt countermeasures (such as “churning”) to reduce their individual exposure to such tactics.
  5. But, because Monero’s “default” level of privacy includes no churning, and the intro documentation doesn’t mention this countermeasure, and Monero promotion often touts “privacy by default” without mentioning these caveats, naive users may be especially at risk from such tainting attacks.

Happy to be corrected if any of these are wrong.

Of course it’s also true that the US Government & others, as a whole & especially in their more covert departments, could have been attempting these attacks at any time. The DoJ’s decision is no “bright line” that anything has changed - just a reminder that now one of the slightly-more-transparent departments has some interest in retained Monero.


Notably, CoinCenter’s Jerry Brito highlights a section of the DoJ report which ostensibly claims they hold “AEC” (Anonymity Enhanced Cryptocurrencies) to not let them “re-enter the stream of commerce for potential future criminal use”:

I agree with Brito this is a really odd rationalization. By most ways of understanding cryptocurrency value, there’s no way such withholding could create an effective scarcity of units - the existing stocks (& flow from mining) can expand in value to support any need.

And if their “internal utility function” tells them, “at the margin, we get more than $X of future crime-prevention by warehousing this $X of cryptocurrency than by using it for $X of other crime-fighting activities”, then the next logically-self-consistent step from investment theory would be to start buying more of those tokens, on the market, until the price rises to exactly match the expected value of purchased “removed-from-the-stream” crime-prevention. I think there might be some holes in that strategy, but perhaps they should try it, just in case.


Putting aside the other points, technically spending money on transaction fees DOES make the money “re-enter the stream of commerce” since it goes to the miners. Not that this technicality matters to anyone, hence why the discussion is not especially relevant imo. MRL-0001, released in September 2014, covers some concerns with this exact same basic idea. It hasn’t exactly crept up on anyone.

I agree that anyone can do this, and that they don’t need large amounts of XMR to do so. So yes, the seized XMR is a red herring in this context.

FloodXMR is potentially a very practical attack — although it’s likely to be quite “noisy”.

Note that there’s no corresponding attack on Zcash; you can’t reduce the anonymity set of anyone using shielded transactions by adding more shielded outputs to the block chain. (Dust attacks, which are applicable to both Zcash and Monero, are a different thing, since they require sending outputs directly to the target of the attack.)

These seem to be rather weak defences to me.


This has been studied quite extensively. Here’s an example for ringsize 11. For the total proportion of outputs controlled/known (for example through a spam attack) on the x axis, the proportion of rings (y axis) are compromised.


Well, this graph assumes that you aren’t combining the FloodXMR attack with any other attack.


It’s the proportion of arbitrary rings you will compromise (on average) by whatever method you get ownership/oversight over these outputs, including spamming/flooding transactions to create new outputs, subpoenaing exchanges for their outputs, watching mining pools, or any other method. In practice, I expect targeted attacks via poisoned outputs / EAE to be more dangerous, because targeted attacks allow attackers to more directly target the people/entities in question.


Isn’t that chart (and also the FloodXMR paper itself) a bit misleading? IIRC Monero samples decoys/mixins from a skewed distribution that favors recent UTXOs. Per the monerolink paper, most transactions spend recent UTXOs. So this helps to hide them better. But as a result, flooding the blockchain for maybe a week actually gives you a fair amount of information about many transactions, right?


I purposefully use the term “weighted outputs.” This means the % of outputs controlled by selection weight, not the % of outputs controlled of all outputs on the blockchain. You are correct that the selection is weighted to match historical spend activity on XMR and BTC. For napkin math, you can say 50% of the outputs are selected from the last 2 days. If you had visibility over, say, 100% of the outputs generated in the last 2 days, you would have insight over about half of the outputs in rings created at that point in time (not full visibility over half of these rings).

Let’s consider a targeted attack scenario. Suppose an attacker already did the obvious of sending the attacker poisoned outputs. But suppose they also know the approximate spend time. Attackers could spam transactions for the short window before they expect the victim to spend their funds to have a higher chance of having these outputs selected as decoys. However, note that the daily transaction count is public information and could be indicative of an attack like this. In almost every case, simply sending another poisoned output is more effective.

Edited for a bit more clarity, then edited again for a more plausible attack example.
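As an added example (not code from any participant in this thread), here is a small Python model of the ringsize-11 chart discussed earlier and of the "weighted outputs" napkin math above. It assumes each decoy is drawn independently in proportion to selection weight, and expresses the attacker's share as a fraction of weighted outputs, as the chart does.

```python
from math import comb

# Constructed model: an output bucket is (selection_weight, fraction_controlled).
# The napkin-math case above: ~50% of decoys come from the last 2 days, and the
# attacker sees 100% of those outputs but none of the older ones.
NAPKIN_BUCKETS = [(0.5, 1.0), (0.5, 0.0)]
RING_SIZE = 11  # 1 real spend + 10 decoys


def weighted_control_fraction(buckets):
    """Share of decoy *selections* the attacker can recognise, by selection weight.

    This is the x-axis of the chart: % of weighted outputs, not % of all outputs.
    """
    total = sum(w for w, _ in buckets)
    return sum(w * f for w, f in buckets) / total


def known_decoy_distribution(ring_size, p):
    """P(exactly k of the ring's decoys are attacker-known), k = 0..ring_size-1.

    Assumes independent draws, so the count is Binomial(ring_size-1, p).
    """
    n = ring_size - 1
    return [comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(n + 1)]


def fully_compromised_probability(ring_size, p):
    """Chance every decoy is attacker-known, leaving the real spend exposed."""
    return p ** (ring_size - 1)


def expected_effective_ring_size(ring_size, p):
    """Real spend plus the decoys the attacker cannot rule out, on average."""
    return 1 + (ring_size - 1) * (1 - p)


def summarize(buckets, ring_size=RING_SIZE):
    """Return (weighted share, P(fully compromised), expected effective ring size)."""
    p = weighted_control_fraction(buckets)
    return p, fully_compromised_probability(ring_size, p), expected_effective_ring_size(ring_size, p)


if __name__ == "__main__":
    p, full, eff = summarize(NAPKIN_BUCKETS)
    print(f"weighted share={p:.2f}  P(all 10 decoys known)={full:.4%}  "
          f"expected effective ring size={eff:.1f}")
```

Even with full visibility over two days of outputs, a ring is fully stripped of decoys only about 0.1% of the time, but the average ring shrinks from 11 to about 6 candidates; the targeted poisoned-output attack described above does not depend on that lottery.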

You didn’t actually use the term “weighted outputs” before this comment. You used “outputs”, which was indeed misleading in the way that @secparam pointed out.

I didn’t intend to make the chart misleading; it says “weighted outputs” on the x-axis.
