
In MRL-0004, it's said:

Bob wishes to send 0.75 XMR to Alice, and will pay 0.01 XMR in fees. The Monero that Alice receives, 0.75 XMR, will be delivered as two new unspent transaction outputs with amounts 0.7 XMR and 0.05 XMR. Further, an output of 0.01 XMR must be delivered as a fee. This leaves 0.24 XMR as change, which will be delivered to Bob in two unspent transaction outputs of amount 0.2 and 0.04 XMR each. At some point in time later, Alice realizes she has 0.75 XMR and decides to go spend it some place. When she does so, both of her outputs, 0.7 XMR and 0.05 XMR, are included in her ring signature. An observer could then look at her ring signature and draw a conclusion that whoever signed that ring signature probably is the owner of both the 0.7 XMR and the 0.05 XMR.

Is it possible to trace an output among many transactions like this? Because when I spend an output and then inspect the transaction (like in here), I find the "key image" field of each output completely different from the transaction that created those outputs in the past. Is there some other field that's not shown here that uniquely identifies an output?

And if the outputs can be traced, then the mentioned attack seems almost trivial to carry out. Am I missing something here?


1 Answer


An output's public key uniquely identifies an output [1]. A ring signature takes N outputs, one of them being the one that's actually spent, and makes a signature that can be verified, such that:

  • one of the outputs in this ring is spent

  • all the outputs in this ring have equal probability of being the one being spent

Now, the scenario in MRL-0004 is more complex than just looking at which outputs are spent, because (assuming N > 1) we can't tell which are spent with certainty just by looking at the ring. The scenario considers that a transaction contains two rings, one for 0.7, and one for 0.05. Each of these two rings will contain the real output (Alice's), plus N-1 others from the blockchain. However, you'll note that Alice received those two real outputs from the same transaction, so a blockchain observer can see that one of the inputs in the first ring and one of the inputs in the second ring were created in the same transaction. While this could be chance, it is more likely that those two outputs belong to the same address. This is a probabilistic inference, and not a certainty.

This is addressed in the RingCT branch, which has code to prefer spending unrelated outputs, if possible: https://github.com/moneromooo-monero/bitmonero/commit/f478336e68995ebd65a96ba249a3fc8e0f159fca. This code will first select outputs which do not share a transaction, or similar block height.

Cases where it might not be possible to spend unrelated outputs are typically if you're trying to spend a large part of your balance at once, and you do not have enough unrelated outputs.

[1] in the vast majority of cases, unless a bad RNG is used, or someone deliberately burns coins in this way

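Both sides of the answer above, as an added illustration that is not code from the original post or from the Monero wallet: the observer heuristic that flags two rings in one transaction sharing a creating transaction, and a wallet-side input selection that prefers unrelated outputs (same transaction or nearby block height count as related). All output keys, transaction ids, heights and the 10-block window are constructed values.

```python
from itertools import combinations

# Constructed wallet view: unspent outputs we control, as
# (output public key, creating tx id, block height, amount in piconero).
WALLET = [
    ("pk_a", "tx1", 100, 700_000_000_000),   # 0.7 XMR, from tx1 (as Alice's in MRL-0004)
    ("pk_b", "tx1", 100,  50_000_000_000),   # 0.05 XMR, also from tx1
    ("pk_c", "tx2", 250, 300_000_000_000),   # 0.3 XMR
    ("pk_d", "tx3", 400, 500_000_000_000),   # 0.5 XMR
]

def related(a, b, height_window=10):
    """Outputs are 'related' if the same tx created them or they sit at nearby heights."""
    return a[1] == b[1] or abs(a[2] - b[2]) <= height_window

def select_inputs(outputs, amount):
    """Greedy input selection, largest first, preferring outputs unrelated to every
    output already chosen; related outputs are used only when nothing else reaches
    the target (the case the answer describes: spending most of a balance at once)."""
    chosen, total = [], 0
    pool = sorted(outputs, key=lambda o: -o[3])
    while total < amount:
        left = [o for o in pool if o not in chosen]
        unrelated = [o for o in left if all(not related(o, c) for c in chosen)]
        candidates = unrelated or left
        if not candidates:
            raise ValueError("insufficient funds")
        chosen.append(candidates[0])
        total += candidates[0][3]
    return chosen

def linked_ring_pairs(rings):
    """Observer-side heuristic from MRL-0004: across every pair of rings in one
    transaction, report members (one per ring) created by the same transaction.
    A hit only raises the probability that both are the real spends; it is not proof."""
    hits = []
    for (i, r1), (j, r2) in combinations(enumerate(rings), 2):
        hits += [(i, m1[0], j, m2[0]) for m1 in r1 for m2 in r2 if m1[1] == m2[1]]
    return hits

# Constructed transaction with two rings of three members each: pk_a and pk_b
# (both from tx1) are the real spends, the other members are decoys from the chain.
RINGS = [
    [("pk_a", "tx1"), ("pk_x", "tx9"), ("pk_y", "tx5")],
    [("pk_z", "tx7"), ("pk_b", "tx1"), ("pk_w", "tx8")],
]

if __name__ == "__main__":
    print(linked_ring_pairs(RINGS))  # [(0, 'pk_a', 1, 'pk_b')]
    print([o[0] for o in select_inputs(WALLET, 1_200_000_000_000)])  # ['pk_a', 'pk_d']
```

With the constructed wallet, spending 1.2 XMR picks pk_a and pk_d and never pairs the two tx1 outputs in one transaction; only a 1.55 XMR spend, which needs nearly the whole balance, falls back to pk_b.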