If MoneroV is For Real, Then Monero’s RingCT is Broken

If MoneroV is For Real, Then Monero’s RingCT is Broken

In the past few days, there is a big news in Monero community about this new coin planning called MoneroV to chain-split on 14 March 2018. Chain split hard fork is actually not a rare occasion in other cryptocurrencies such as Bitcoin (there is a Bitcoin Cash coming from the same chain until August 2017) and Ethereum (Ethereum Classic was born after the Ethereum engineers tried to mitigate The DAO Hack). But it appears that a chain split in the Monero will create a devastating impact towards the users’ privacy for both chains.

Linkable Ring Signature

The idea of how the privacy feature can be broken is related to the basic technology used by Monero, linkable ring signature. Linkable ring signature (LRS) is basically a weakened version of ring signature by Rivest, Shamir, and Tauman. In the LRS, anyone signing the transaction twice can be detected by inspecting the “key image” (a form of hashed secret key) which needs to be presented in the signature. The same public key will present a duplicate key image if it is reused, thus everyone can detect that these 2 signatures are created by the same public key. The LRS concept was adapted by Nicholas van Saberhagen in his CryptoNote protocol for a double spending protection in his new electronic cash system. The LRS provides an untraceability feature (nobody can determine the real sender) while it could still prevent double spending.

Monero Fork Impact

Now let us go back to the MoneroV case. As with other chain splits, most of the time users are excited about this plan, since they will receive new coins for free. The old coin will also receive a positive impact on the coin market as people are likely to start buying this coin. After the point where the “snapshot” is done, in several days they will receive the promised new coins by the newly forked coin system. Most of the time, after the new coin is received, the users immediately sell the coins to get a profit. The event will not have any impact in systems like Bitcoin as long as the replay protection has been put in place, but in Monero, the users’ privacy can be at risk. A Monero contributor dnale0r has explained the idea how the privacy (untraceability) is broken in Monero subreddit.

In Monero scheme, the privacy of a user depends on the privacy of other users. If, by any means, a user breaks her own privacy, then other users will be impacted in a certain degree. Definitely, the new coin can be used by adversaries to analyse which outputs are associated by new transactions in MoneroV and thus reveal some information in Monero. This relationship, unfortunately, works both ways. The transactions in Monero also reveals information in MoneroV and both coins break each other’s privacy. Imagine if in the future there will be more chain splits, then we will see Monero privacy broken.

Unless all Monero users are convinced not to spend the new coins they receive in the new systems, which is unlikely to happen, the fork will have an impact to the privacy of Monero.

Is RingCT Broken

The fact that MoneroV plans to ship new coins 10 folds of what the users already have is also a shocking news. RingCT implements the idea of Confidential Transaction (proposed by Gregory Maxwell) into a ring signature environment. The result of RingCT is that it is infeasible to determine the amount of coins sent by a sender to a receiver without having the correct secret key (the information is encrypted). The system is convinced that the transaction is correct (not overspending) by using rangeproofs. Thus, noone except the participants, can determine the real money transferred in Monero. RingCT has become a mandatory protocol since Helium Hydra (version 6) release after a successful trial during Wolfram Warptangent release.

The big question is: how would the developers define all users’ coins and multiply each of them by 10, if nobody in the world has been able to decode the amount of coins after RingCT was deployed? Determining if an output has been spent is already an infeasible task to do (unless it is included in the chain reaction of zero mixin) If, by any case, RingCT is not intended to be used by MoneroV, then the snapshot (and the airdrop) is unlikely to happen. At the moment, there is no further explanation from MoneroV developers on how they will commence this plan.

To summarize this writing, the plan of giving 10 times of the users’ current Monero coin is infeasible and should not be done. The plan clearly states that the developers do not have a deep knowledge about Monero system, in this particular case, the part on how RingCT works. The only thing that they can do the airdrop which multiplies every balance by 10 is through a specialised wallet. Meaning, the users need to trust this wallet somehow to decrypt the balance and do the multiplication. The airdrop obviously cannot be done by sending all unspent outputs, because it is so infeasible to determine whether an output has been spent.

Leave a Reply

Your email address will not be published. Required fields are marked *