It seems that everyone is in crypto because they have dollar signs in their eyes. ICOs are making a lot of noise in the cybersphere; many projects have no working prototype and want to change the world with just a white paper. Away from the buzz and hype, in the background is Monero showing some real progress; the strong and silent type of the crypto-world. With no ICO, no investor funds, and no appeals to outsiders for money, the cryptocurrency project has quietly hired a Ph.D. Mathematician to help ‘future proof’ Monero, entirely funded by the goodwill of users and community members.
More than 50 individuals contributed 1,153 XMR (worth over $47,000 at the time of writing) in May 2017 to hire a Ph.D. Mathematician for three months up to August 2017, who goes by the name of Brandon Goodell. Monero’s community even overfunded the bid by more than 100 XMR so the promising academic could work toward three goals; to incorporate a zero-knowledge protocol, make a start on post-quantum cryptography and reduce the bloat of the blockchain.
Three Goals to ‘Future Proof’ Monero
Why these three goals? They are pretty ambitious, to say the least, but these are the problems, as Goodell puts it, preventing Monero from winning the ‘crypto arms race.’ According to the Mathematician, ‘unless a protocol is provably zero-knowledge then a non-trivial amount of information is made available by definition.’ Goodell points to the timing of a transaction as an illustration; if someone is able to pinpoint a transaction within two minutes using the block height, a lot of information is revealed from that transaction. Exchanges may be able to determine not only the purchasing habits of its customers but also the which times they tend to purchase.
“You or I may not be clever enough to figure out how to piece that information together, but someone might be clever enough, or an advanced machine learning algorithm crawling the Monero blockchain may be clever enough in a few years.”
A draft paper reviewing zero knowledge protocols is already complete and awaiting peer review, which can be found here. As explained above, integrating a zero-knowledge protocol, it will reduce the effectiveness of which the timing of a transaction can be used to uncover the identity of the user in question and ensure no information is leaked at all. After completion and reflection upon the literature review, the community will then be able to decide best how exactly to adopt this technology to strengthen Monero’s privacy offering further.
While this goal is rather precise, the other research goals still need to be sharpened, such as the quantum proofing goal, as Goodell stated in June, “Secretly I want Monero to be the first quantum-proof cryptocurrency: signatures, hashing algorithm, proof of work. Publicly, I have sincere doubts if PQC will ever be lightweight enough to build a decentralized blockchain that is remotely reasonably sized.”
Goodell Updates the Community for July
On July 27, Goodell delivered his two-month update to the Monero community, highlighting some of the progress made and steps going forward, “My first order of business in September will be to revise and update the research road map and release MRL-002.” The first research road map was released June 12, 2017, which stated the priorities for Monero Research Lab (MRL) and includes the peer-reviewed literature review on zero-knowledge schemes and their applications in cryptocurrencies, due by the end of August. Goodell has also already proposed an algorithm for threshold multi-signatures on Monero and it is currently under testing. After revisions are made to the initial paper, the multi-sig method will also be published in a future Monero Research Bulletin.
For the July update, the majority of Goodell’s effort was directed to an issue that had come up, known as an EABE attack (Eve-Alice-Bob-Eve attack) and is directly related to the need for the research and action on reducing the bloat of the blockchain. If there are very few transactions between two transaction outputs owned by a KYC exchange Eve, then Even can use the KYC knowledge and one-time receiving addresses of her users to reduce the variance in her estimates of culpability in that chain of transactions.
“The problem with EABE? Alice gave Eve her personal identity and allowed Eve to link it to certain one-time addresses of Alice’s. Alice willfully, by using a KYC exchange, sacrificed the anonymity properties granted by stealth addresses. This isn’t really a cryptographic problem; it’s a human behavior problem.”
The solution for a user would be to churn, described by monero.how as, “sending all of your funds to yourself 12 times over. Since Monero will automatically assign five possible sources of funds for every transaction, your funds will be hidden within a theoretical 5^12 = 244 million other transaction funds, which at the time of writing is more than ten times the number in existence.”
Goodell stated that his first-order estimates for using a churn-based solution for EABE suggested that with a ring size of around 10, users can conceal their purchasing habits with at most seven churns. With a ring size of ten, any transaction sent will authorized by ten one-time public keys (outputs); nine are foreign ‘outputs’ used for obfuscation while one belongs to the actual sender. The marginal effect on the number of churns for higher ring sizes diminishes soon enough:
“Bigger ring size, fewer churns, but the effect is rather mild; you still need six churns with a ring size of something like 20. This computation is based solely on the pigeon-hole principle.”
Second-order estimates were obtained according to the hypergeometric distribution and also suggest that ring sizes of 20 or more would be necessary to avoid EABE attacks, “…as minimum ring sizes get bigger than 15-20, “most” old cryptonote transaction outputs are implicated in “most” new randomly fashioned transaction outputs.”
From the estimates provided, a larger minimum ring size means that churning would be effective enough to counter any potential EABE attack, and given that, “the beefy part of our [Monero’s] transactions right now are range proofs, not ring signatures,” increasing the minimum ring size correspondingly “seems like a not-so-bad solution.”
The Mathematician goes on to state that a third order estimate is in progress, “I’m working on a third order estimate right now where an observer sees many transaction outputs bundled into transactions, many of which are bundled into blocks, which are observed over time. The goal is to select system parameters to get close to the “all transaction output” scenario without causing a huge blockchain bloat.”
But Goodell seems to favor setting an arbitrarily large number for ring sizes which would let users send funds to themselves once so that KYC exchanges, for instance, cannot narrow down customer buying habits using the one-time addresses, “Yet, rather than putting effort into detailing a computational model to get precise security bounds on this particular mode of attack, though, it would be far better to set ring sizes to something absurdly large, say ring size = 300 or 3000, and just recommend to users they send funds to themselves once before using with a merchant.”
To realize the goal of efficient ring signatures, Goodell wrote in the July update of the potential for a customized pairings-based cryptography solution:
“Of course, in order to justify ring signatures that large (heck, in order to compute ring sigs that large), we need more efficient ring signatures. I have found at least one set-up for O(sqrt(N)) ring signatures that doesn’t require a trusted set-up, but it uses pairings-based cryptography. I’m currently working on converting this to something more suitable for our purposes.”
To counteract any potential EABE attack, ring signatures need to be more efficient, that is they need to be smaller, and there are a “few hot leads in that regard,” which has taken up the bulk of Goodell’s time in July:
“…it turns out that the best way to protect against EABE is blockchain compression and making signatures and range proofs smaller. Consequently, this idea has taken up the vast majority of my time this past month. I have a few hot leads in that regard.”
Monero Traceability Paper: “…So Far I’m not Seeing a Security Concern Here.”
Two research papers, closely linked to Zcash advisor Andrew Miller,which claimed the traceability of Monero were also mentioned in Goodell’s update, where he finds no reason for security concerns as a result of the research:
“So… to be clear… these guys [Miller, et al. paper] develop a decision rule based on an unfalsifiable hypothesis, then construct a Monte Carlo simulation based on that same unfalsifiable hypothesis, and then showed their decision rule did a good job with their MC simulation. Okay, so far I’m not seeing a security concern here.”
Nevertheless, he did praise the attempt of one of the papers, even though their criticisms were outdated, “The Kumar et al. paper is a little bit better, I actually think somewhat highly of it… they actually try to justify their work, they seem to grasp the idea of sensitivity vs. specificity and that they can’t quite nail down both with Monero. Unfortunately, most of the criticisms from the Kumar paper are no longer relevant (although they certainly were at one time) because now RingCT transactions obfuscate amounts.”
As highlighted by BTCMANAGER in April 2017, many of the criticisms levelled against Monero were just out of date. Goodell reiterated the community’s response at the time, that many arguments were valid but have ‘subtle flaws.’
The research-driven approach is exciting to see, especially since it seems to be preemptively tackling issues in Monero. Goodell will write a formal update at the end of each three-month period and explained that some of the objectives on the research road map are high urgency and will be resolved quickly.
The longer-term goals would be impressive if achieved and it is encouraging to see the bar set so high. Investing in Monero for the long term means not just buying the cryptoasset and holding, but also contributing to projects such as this one, which has funded a Ph.D. Mathematician to help Monero win the ‘crypto arms race.’ In the life of an academic, first you must ‘read, read,… and read’ to build a picture of the available literature, ideas and theories. Then these findings are used to formulate possible solutions and outcomes, meaning that the most exciting times lie ahead for Goodell’s work.
The way the project has done it alone, without the help of outsiders, investors or big business, displays a level of integrity and community cohesion that will ensure Monero remains one of the standout cryptoassets for years to come.