
This is inaccurate and in a hilarious way. Treasury is not coming after Bitcoin. There's an update in an ongoing rulemaking process that got reported here[0] as banning mixing and privacy tools. It may have been blown out of proportion[1], but I am not a lawyer, and certainly banning these tools would be bad. The thing is, Bitcoin's not private—every transaction is public for everyone to download. It's Twitter for your bank account. And that comes with serious privacy, safety, and boring commercial counterparty risks that should be addressed. These kinds of tools exist to mitigate that problem. The irony is that Bitcoin has largely refused to address this obvious issue, so no, Treasury isn't coming for Bitcoin. Indeed, there have been years of people arguing Bitcoin would be just fine with no privacy protections. [0] https://www.therage.co/us-government-to-bring-patriot-act-to... [1] https://x.com/valkenburgh/status/1966174324701778071


This is by no means a comprehensive analysis. This analysis misses the most major limitation with Monero's decoy based approach to transaction obfuscation: Eve-Alice-Eve attacks (also known as ABA attacks). It also misses an analysis of the possible insecurity of churning and a significant history of randomness implementation errors and flooding attacks specific to Monero. The exact consequences of some of these attacks remain an open question, but worthy of mention.

A simple and surprising limitation of Monero and any other decoy-based approach is that if you repeatedly withdraw money from one exchange and then deposit it to another, those transactions are not private (edit: even if we ignore payment value). This is a form of Eve-Alice-Eve attack.

Monero uses decoy transactions to obscure the transaction history on-chain, but it does not remove the history. There's a reason every other major privacy protocol (Zcash, Tornado Cash, Railgun, Aleo, Penumbra, etc.) does not use Monero's decoy-based approach, and even the Monero developers are moving to the standard zero-knowledge proof over an accumulator (IIRC a merkle tree like everyone else) based approach that they call Full Chain Anonymity Proofs.

As a meta-comment, this is one of a genre of Monero "privacy" analysis documents that are circulated as a way to claim there are no known actively used exploits. This is little better than the classic "my scheme is secure; here's a bounty for anyone who breaks it" form of cryptographic analysis we often see with flawed encryption schemes. Breaks will not always be public.
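To make the Eve-Alice-Eve limitation concrete, here is an added toy simulation (it is not from this thread and not Monero's code): each spend references a ring of outputs, and Eve controls both the venue that paid Alice and the venue where Alice later deposits. The chain size, ring size, uniform decoy selection and all outputs are constructed assumptions; real decoy selection is non-uniform and ring sizes have changed over time, so the numbers only illustrate the shape of the risk, not its exact size.

```python
import random


def build_ring(real_output, chain_size, ring_size, rng):
    """The real spent output plus ring_size-1 decoys drawn uniformly from
    all chain outputs (a deliberately simplified stand-in for real decoy
    selection), returned in random order."""
    decoys = set()
    while len(decoys) < ring_size - 1:
        candidate = rng.randrange(chain_size)
        if candidate != real_output:
            decoys.add(candidate)
    ring = list(decoys) + [real_output]
    rng.shuffle(ring)
    return ring


def recognised(ring, outputs_paid_to_alice):
    """Ring members that Eve herself paid to Alice earlier."""
    return [o for o in ring if o in outputs_paid_to_alice]


def chance_collision_rate(alice_known, chain_size, ring_size):
    """Analytic probability that a spend unrelated to Alice still picks
    one of the alice_known outputs as a decoy by chance."""
    p = alice_known / chain_size
    return 1.0 - (1.0 - p) ** (ring_size - 1)


def simulate(n_rounds, chain_size=100_000, ring_size=16, seed=1):
    """Eve (as exchange A) pays Alice n_rounds times; Alice later spends
    each payment into Eve (as exchange B). Eve sees every deposit ring and
    links a deposit whenever the ring contains an output she paid Alice.
    As a control, n_rounds spends by strangers are checked the same way."""
    rng = random.Random(seed)
    outputs_paid_to_alice = set()
    linked = 0
    for _ in range(n_rounds):
        withdrawal = rng.randrange(chain_size)                   # Eve -> Alice
        outputs_paid_to_alice.add(withdrawal)
        ring = build_ring(withdrawal, chain_size, ring_size, rng)  # Alice -> Eve
        if recognised(ring, outputs_paid_to_alice):
            linked += 1
    mislinked = 0
    for _ in range(n_rounds):
        stranger = rng.randrange(chain_size)
        while stranger in outputs_paid_to_alice:
            stranger = rng.randrange(chain_size)
        ring = build_ring(stranger, chain_size, ring_size, rng)
        if recognised(ring, outputs_paid_to_alice):
            mislinked += 1
    return {
        "rounds": n_rounds,
        "linked": linked,
        "mislinked": mislinked,
        "expected_mislink_rate": chance_collision_rate(
            len(outputs_paid_to_alice), chain_size, ring_size),
    }


if __name__ == "__main__":
    print(simulate(200))
```

Every one of Alice's deposits is linked, because the ring must contain the real spend and Eve knows which outputs she gave her; the decoys only add a small, computable false-positive rate for strangers. This is the stochastic, history-preserving behaviour the comment describes, as opposed to an accumulator design where the spent note is never referenced at all.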


I will word this carefully since I previously worked on crypto de-anonymization attacks, but nothing in this "analysis" seems to be grounded in more than the blockchain developers' echo chamber of self-congratulation.

Amusingly, assume the CIA has figured out a clever trick for opening up Acme Secure Envelopes in transit. If they publish a report detailing at length how amazing and tamper-proof Acme products are, the world would take note and sales would plummet overnight. If, however, you publish the same report on a blog about how to mail documents securely...


Your point is correct, you sound like salty CIA spreading FUD because it is the job of the NSA to provide them with a solution which did not come. :) So you are saying that ZKSnarks are CIA approved? XD


100% agree that this is not a comprehensive analysis.

For instance, recently a core Monero dev published something called OSPEAD which is a proposed fix to the "Map Decoder Attack" which he also publicly disclosed at the same time: https://github.com/Rucknium/OSPEAD

The TLDR is that Monero has about 75% less privacy than anybody thought, and this attack is still "live" in production. It requires a mandatory upgrade by every node on the network to fix and as far as I know, no fix has been decided upon yet. The attack can be combined with other attacks to completely de-anonymize transactions. I recently wrote about the bug and my proposed mitigation that users can do to regain privacy here: https://duke.hush.is/memos/6/ . AMA, if you desire.

This attack (and mitigation) is not getting the attention it deserves, partially because it is technical and hard to explain and partially because it does not serve the interests of content marketers and Monero influencers.

Monero is indeed moving to ZK proofs because they are mathematically superior in every way. At a very high level, they are moving towards being more like Zcash but they are not using Zcash ZK machinery, they are rolling their own. They are called "Full Chain Membership Proofs" or FCMPs. You can read the paper about those here: https://github.com/kayabaNerve/fcmp-plus-plus-paper/blob/dev...

As another example, recently an anonymous researcher published http://maldomapyy5d5wn7l36mkragw3nk2fgab6tycbjlpsruch7kdninh... (you will need Tor Browser to access that) which explains how the Monero network is being spied on by malicious nodes, with the end result being that transaction IDs can be linked to IP addresses.

There are various other examples of de-anonymization attacks on Monero but OSPEAD and network spying (which can be combined) are some of the worst, because they are very inexpensive and effective.


Correct, I don't find these to be limitations for any user of Monero, it's just a way not to use it.

> repeatedly withdraw money from one exchange and then deposit it to another

right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.

Problem solved for everything you wrote, and it's been nearly the same for the entire lifespan of Monero, 11 years now.

> Breaks will not always be public.

There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.


>right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.

Unfortunately, it doesn't work like that. The EAE attacks only require that the end destination is colluding with the start destination.

Like everything with decoys, privacy is stochastic. So I wouldn't go around making absolute claims about the privacy as many proponents of monero like to do. The developers advise against making these sorts of claims. Monero makes privacy a lot easier, but it's not perfect.

>There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.

In the free world, we have the concept of innocent-until-proven-guilty and evidence-beyond-a-reasonable-doubt. Decoy-based approaches give you plausible deniability, but this often isn't enough for other domains where a lower standard of proof is needed.

Fortunately, all this and more will be fixed in FCMP++ upgrade.


That's good, FCMP++ will fix it.

Right now it seems Eve just needs to do a dust attack on addresses she's seen before.

And wallets like Featherwallet just need to segregate dust from the pool of outputs, and that kind of attack is totally thwarted.

Fortunately Eve doesn't know if an address is part of the same wallet, and Featherwallet hides the ability to reuse addresses, although users are lazy and may rely on old addresses being accepted destinations for anyone sending them funds. It would be great if wallets notified of dust, or asked you to recognize incoming transactions.


"right, don't do that."

As a non-user of Monero, how do I find out what the security properties are and what information is leaked when various actions are taken? The OP's analysis is deeply lacking in this, and the apparent rule against repeated transactions is non-obvious.


At this point I’m not sure

There would be the Monero subreddit where you could ask these questions.

LLMs would be trained on them by now

Books like Mastering Monero exist, and will become obsolete if the proposed upgrades go through

Annual DNM OPSEC GUIDE will likely cover it (darknet market operational security guide)


"There are court cases that give the confidence necessary. " NO!

Many times police will make up a "plausible way" in which they uncovered something, but this "plausible way" was constructed after the "secret" or illegal way was employed to do it.

Rephrase: police will do an illegal thing to obtain info on where you stash your drugs, for example installing NSO Pegasus on your phone, a GPS tracker under the car... so they already have that info. Then they call 911 anonymously saying there is a smell of gas on the street (maybe they even spray some mercaptan to make it even more plausible); firefighters etc. will come to investigate the gas leak, and police will say that they uncovered the drug stash in the investigation of the gas leak... an illegal way to obtain info, then brainstorming how to make that data available "lawfully". They will not tell the judge/court about the first part... so no, your assumption is not correct.

In the computer world it is a million times easier.

99% of YouTube videos about criminals failing at operational security are intentionally bad information.

IF you are believed to be a criminal / "bad person", police(men) will justify doing almost anything, because you are a bad person IN THEIR EYES.

Also they are trained to and expected to disinform:

For example, Ross Ulbricht. Every newspaper said that "closing his laptop lid will lock his computer and police will be unable to decrypt it". They pushed it and said it so many times that researchers jumped on LUKS and in 1.5 years there was an almost complete rewrite of LUKS.... (not even talking about the constant TOR effort)

The whole not-closing-his-notebook story also proves that they obtained data legally. It does not say they did not have that data already.

One piece of info can mean multiple things to a multitude of people.


Parallel construction is possible, and I agree that Ross got railroaded with some unanswered, questionable and paradoxical evidence-gathering tactics.

My confidence in Monero comes from following what the administrative state has said in court cases

Often times they don’t know the balance, location, and are unable to seize it. As designed


If you just sent Mick down the left path and he came out the right, then a video would conclusively show he knew the password.

And this is why "How to explain zero-knowledge protocols to your children" is probably the worst way to explain zero-knowledge protocols to anyone. It's not explaining what a zero-knowledge proof is or how it works. It's explaining what a simulator is when proving a protocol is zero-knowledge. Oh, and the explanation only works for interactive protocols.
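The simulator point is easier to see in code than in the cave story, so here is an added toy model of the cave protocol (my illustration, not from the thread or from the original paper). Path names, the coin flips and the rewinding strategy are constructed assumptions. The verifier only ever sees which path was asked for and which path the prover emerged from; a recording that also shows which path the prover entered (the "video" mentioned above) is not part of that view, and that is exactly what lets the simulator fake the view without the password.

```python
import random
from collections import Counter

LEFT, RIGHT = "left", "right"


def cave_round(knows_password, challenge, rng):
    """One round of the cave protocol. The prover enters a path chosen at
    random; the verifier then names the path to come out of. With the
    password the prover can always oblige; without it, only when the entry
    path already happens to match the challenge."""
    entry = rng.choice([LEFT, RIGHT])
    exit_path = challenge if (knows_password or entry == challenge) else entry
    return {"entry": entry, "challenge": challenge, "exit": exit_path}


def run_protocol(knows_password, rounds, seed=0):
    """Real interaction: verifier challenges are fresh coins each round."""
    rng = random.Random(seed)
    return [cave_round(knows_password, rng.choice([LEFT, RIGHT]), rng)
            for _ in range(rounds)]


def rounds_passed(transcripts):
    """Rounds the verifier accepts (prover came out the requested side)."""
    return sum(t["exit"] == t["challenge"] for t in transcripts)


def simulate_view(rounds, seed=0):
    """Simulator with no password: guess the challenge, enter that side,
    and if the verifier asks for the other side, rewind (throw the attempt
    away) and try again. Returns the accepted attempts and the number of
    rewinds. This only works because an interactive verifier can be rerun
    with fresh coins; there is nothing to rewind in a fixed recording."""
    rng = random.Random(seed)
    out, rewinds = [], 0
    for _ in range(rounds):
        while True:
            guess = rng.choice([LEFT, RIGHT])
            challenge = rng.choice([LEFT, RIGHT])   # verifier's coin for this attempt
            if guess == challenge:
                out.append({"entry": guess, "challenge": challenge, "exit": challenge})
                break
            rewinds += 1
    return out, rewinds


def verifier_view(transcripts):
    """What the verifier sees: (challenge, exit) pairs; the entry is hidden."""
    return Counter((t["challenge"], t["exit"]) for t in transcripts)


def fraction_crossed(transcripts):
    """Share of rounds where the prover entered one side and left by the
    other, which only the password (or an edited recording) allows."""
    return sum(t["entry"] != t["exit"] for t in transcripts) / len(transcripts)


if __name__ == "__main__":
    honest = run_protocol(True, 1000)
    sim, rewinds = simulate_view(1000)
    print("honest view:", verifier_view(honest))
    print("simulated view:", verifier_view(sim), "after", rewinds, "rewinds")
    print("crossed, honest vs simulated:", fraction_crossed(honest), fraction_crossed(sim))
```

The verifier's view has the same distribution in the real run and the simulated one, which is what "zero-knowledge" formally asserts; the cheating prover still fails about half the rounds, which is soundness. The `entry` field is the extra information a camera would capture: the honest prover crosses sides about half the time, the simulator never does, so the two are trivially distinguishable once the entry is visible.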


Paying in cash, in addition to being a minor inconvenience that nonetheless outweighs most people's desire for privacy, does not work in online payments. It also doesn't work in businesses that get robbed.

The better question is, why do you need a new currency to get privacy? Why couldn't we have a private crypto currency backed by dollars or euros? There's no technical reason, indeed several groups are building this. What remains to be seen is if there are sufficient incentives to build anything around these or for any portion of the economy to move to them. Most purchases aren't sensitive, so for private payments to work, they need to be ubiquitous for non-privacy reasons and just give people who need it the option for privacy. Much like cash does. But again, cash doesn't work online or increasingly offline.


>>Why couldn't we have a private crypto currency backed by dollars or euros?

Yes, you can utilize dollar backed and dollar pegged stablecoins, like USDC and DAI, respectively, in privacy-shielding protocols like https://zk.money and https://tornado.cash.

The problem at the moment is that Ethereum has very limited scalability, and privacy-shielded transactions are about five to ten times more compute-intensive than vanilla transactions, making them prohibitively expensive to conduct for most applications.

Ethereum layer 2 solutions that preserve the base layer's decentralization hold the promise to make such transactions viable at scale, but they are still quite immature in their feature set. For example, all of the general computation L2s still rely on a centralized coordinator.


> Why couldn't we have a private crypto currency backed by dollars or euros? There's no technical reason, indeed several groups are building this.

That's what Monero is, right? It doesn't really matter how stable it is, if I'm just going to convert to USD/EUR immediately after my transaction.


No, Monero is not pegged to any other currency


> Paying in cash, in addition to being a minor inconvenience that non-the-less outweighs most people's desire for privacy, does not work in online payments

In some countries it's fairly popular and super common with kids to check out, get a barcode/receipt and pay at, for example, a 7-11 with cash for in game purchase top ups.


Ah, that takes me right back to adolescence. Getting a paysafecard in the morning near the school from a tobacco shop to redeem it in the evening at home.


Fun fact, AMMs were considered well before cryptocurrency.

" The most popular automated market maker used in Internet prediction markets is Hanson’s logarithmic market scoring rule (LMSR), an automated market maker with particularly desirable properties [Hanson 2003, 2007]. The LMSR is used by a number of companies including Inkling Markets, Consensus Point, Yahoo!, Microsoft, and the large-scale non-commercial Gates Hillman Prediction Market at Carnegie Mellon [Othman and Sandholm 2010a]." From https://www.cs.cmu.edu/~sandholm/liquidity-sensitive%20autom...


Yeah, those papers are very dense. You might want to try reading Zerocoin[0] first; it was the starting point of all the zero-knowledge proofs for private payments on a blockchain. Then another academic paper, Pinocchio Coin, had a proposal for zkSNARKs. And Zerocash built the zkSNARK + Merkle tree + serial number (later called a nullifier) approach.

[0] https://www.cs.umd.edu/~imiers/pdf/ZerocoinOakland.pdf


Sorry I left out ZeroCoin, and thanks for pointing it out! Total braino as I was writing the post.


This is pretty cool. But you might want to update the credit for the zkSNARK + Merkle tree + nullifier idea. It's from an academic paper, Zerocash in 2014. The approach is used in Zcash and then in Tornado.cash. Though Tornado.cash is actually an odd hybrid between Zerocash's Merkle tree + SNARK approach and an older academic paper, Zerocoin, which proposed a zk mix protocol as an add-on to Bitcoin.
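To show what the "Merkle tree + nullifier" half of that design actually does (and, by omission, what the zkSNARK half is for), here is an added toy ledger in Python. It is my illustration, not code from Zerocash, Zcash, Tornado.cash or this thread: a note is a commitment inserted into an append-only Merkle tree, and spending it means proving the commitment is in the tree at a known root and revealing a nullifier so the same note cannot be spent twice. The hash layout, tree depth, the `spend_key` and `nullifier` derivations are constructed assumptions. In the real schemes the commitment and its Merkle path are hidden inside a zero-knowledge proof; here they are shown in the clear, which is exactly why this plain version links the spend back to the deposit while the real one does not.

```python
import hashlib


def H(*parts):
    """SHA-256 over the concatenation of the parts (toy hash layout)."""
    return hashlib.sha256(b"".join(parts)).digest()


class CommitmentTree:
    """Fixed-depth, append-only Merkle tree of note commitments; unused
    leaves are the all-zero value."""

    def __init__(self, depth=4):
        self.depth = depth
        self.leaves = []

    def add(self, commitment):
        assert len(self.leaves) < 2 ** self.depth, "tree full"
        self.leaves.append(commitment)
        return len(self.leaves) - 1

    def _levels(self):
        level = self.leaves + [bytes(32)] * (2 ** self.depth - len(self.leaves))
        levels = [level]
        while len(level) > 1:
            level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self):
        return self._levels()[-1][0]

    def path(self, index):
        """Sibling hashes from leaf to root, each tagged with whether the
        sibling sits to the right of the node being hashed."""
        siblings = []
        for level in self._levels()[:-1]:
            sib = index ^ 1
            siblings.append((level[sib], sib > index))
            index //= 2
        return siblings


def verify_path(leaf, path, root):
    """Recompute the root from a leaf and its sibling path."""
    node = leaf
    for sibling, sibling_on_right in path:
        node = H(node, sibling) if sibling_on_right else H(sibling, node)
    return node == root


def note_commitment(value, nonce, spend_key):
    """Hiding commitment to (value, nonce, owner key); constructed layout."""
    return H(b"note", value.to_bytes(8, "big"), nonce, spend_key)


def nullifier(spend_key, leaf_index):
    """Deterministic per-note tag. Revealing it marks the note spent; in
    the real scheme the proof shows it was derived correctly without
    revealing the leaf it belongs to."""
    return H(b"nf", spend_key, leaf_index.to_bytes(4, "big"))


class Ledger:
    def __init__(self):
        self.tree = CommitmentTree()
        self.spent = set()      # nullifiers seen so far
        self.anchors = set()    # every historical root a spend may prove against

    def deposit(self, commitment):
        index = self.tree.add(commitment)
        self.anchors.add(self.tree.root())
        return index

    def spend(self, commitment, path, anchor, nf):
        """Accept if the note is in the tree at a known anchor and its
        nullifier is fresh. A zkSNARK would replace (commitment, path)
        with a proof that such a pair exists."""
        if anchor not in self.anchors or not verify_path(commitment, path, anchor):
            return False
        if nf in self.spent:
            return False
        self.spent.add(nf)
        return True
```

The double-spend check is the reason the nullifier must be a function of the note (here of the owner key and leaf index) rather than a random value: the same note always yields the same tag, so a second spend is rejected, yet an observer who only sees the tag cannot tell which commitment it came from once the path is hidden.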


I don't think tagging people as ex 8200 is very helpful. Israel has mandatory military service and at this point if you have aptitude or are in a high school computer club in Tel Aviv or a few other places, you probably end up in 8200 for your service. For that matter, half the people who say they were in 8200 were either 1) listening to telephone calls 2) relegated to writing memos about the data people did hack and get. Of course, there are things one could have done that would raise serious questions. See, e.g., the issues raised for the people we know who worked on Dual_EC_DRBG.

On the other hand, there are other sketchy things about ExpressVPN.


it’s definitely relevant background.


FWIW, I once worked at NSA, and likely care more about privacy than anyone you know. These places employ tens of thousands of people, and the people that come out are as varied as the industry at large.


agreed. also, it’s definitely relevant background.


This has already happened. A Catholic newspaper bought commercial location and app data and used it to out a gay priest who was forced to resign. They broke the joke "privacy protections" by knowing his home, office, and a conference he went to. https://arstechnica.com/tech-policy/2021/07/catholic-priest-...


NSO group is ex unit 8200, which is military signals intelligence. So in American terms, it's the NSA not the CIA. The distinction is important in a country with mandatory military service. You get a large number of people who go through, get trained, and then leave because it never was a career. A number of them take their skills to the private sector.

Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving.


Not sure the distinction is relevant in a country with such a small intelligence community:

"The Israeli Unit 8200 An OSINT-based study" https://css.ethz.ch/content/dam/ethz/special-interest/gess/c...

"Most of this data is shared internally across the IDF (as well as sometimes externally, cf. 3.3 below) to the Unit’s relevant stakeholders, whether combat troops, decision-makers or other intelligence agencies such as Mossad. Or as Yair Cohen, who served 33 years in Unit 8200, the last five (2001–05) as its commander, put it, "90% of the intelligence material in Israel is coming from 8200 […] there isn't a major operation, from the Mossad or any intelligence security agency, that 8200 is not involved in"

>"...Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving..."

Tradition is not what it used to be:

"Black Cube: The Bumbling Spies of the ‘Private Mossad’"

https://www.wsj.com/amp/articles/black-cube-the-bumbling-spi...

"...Despite some missteps, Black Cube “has to turn clients away because it cannot service all the demands,” said Mr. Halevy, a former head of the Mossad, an Israeli government intelligence agency. He said Black Cube has worked on 300 cases since being founded in 2010 by two former Israeli military intelligence officers, Dan Zorella and Avi Yanus..."

"Harvey Weinstein hired ex-Mossad agents to suppress allegations, report claims"

https://www.theguardian.com/film/2017/nov/07/harvey-weinstei...


It's an important distinction. The fact that huge numbers of people rotate through the hacking side of 8200 (like the NSA, vast majority of 8200 members don't work on that) is what drives the supply.

Intelligence services typically have less turnover. Though that is changing, particularly for NSA, where people leave to go to contractors.

Also, frankly, describing NSO as ex Mossad just makes phone malware sound much more complicated than it is and much harder to stop. At the end of the day, it's software, written by people in much the same way any software is written. It just exploits mistakes other software devs made so that it can run.


"by two former Israeli military intelligence officers, Dan Zorella and Avi Yanus."

emphasis on "military intelligence officers" i.e. not mossad. this is like mixing up the CIA and FBI. to an outsider they might appear the same, but that's not really the case.


"Ilan Mizrachi, a former deputy head of the Mossad, Israel’s intelligence agency, said that he sees nothing inherently wrong with former intelligence operatives working for civilian enterprises. “Some people I know went into journalism, some are consultants,” he said. “Among many other professions, some work for companies like Black Cube.”

https://www.latimes.com/world/la-fg-israel-black-cube2017110...


Quote from the article: "Despite some missteps, Black Cube “has to turn clients away because it cannot service all the demands,” said Mr. Halevy, a former head of the Mossad, an Israeli government intelligence agency..."


Which determines that he is qualified to speak about Black Cube, not that he works for Black Cube. There's a difference.


Please read the article first...

"Efraim Halevy, former director of Mossad, an Israeli intelligence service, is a member of Black Cube’s advisory board."


ok, those are better pull quotes than the original :) just noting that mossad and aman (military intelligence) are 2 different things.

