Breaking Monero Episode 05: Input Selection Algorithm

00:00

welcome back to breaking monaro today we

00:02

are talking about Manero

00:03

ring input selection algorithm we've

00:06

spoken in the past about ring signatures

00:08

and decoys in other previous episodes

00:10

and suring specifically has talked about

00:12

how the decoys are selected but it uses

00:15

a very vague word called a vague phrase

00:18

at least called randomly selected right

00:21

and in this episode we're gonna get far

00:23

more nuance far more specific about what

00:26

we mean by this this mysterious phrase

00:28

and also the phrase itself isn't very

00:30

accurate either so it's important to add

00:33

some additional clarification here on

00:35

what's actually happening and there's a

00:38

lot more to random than

00:40

behind-the-scenes so I'm going to start

00:41

with the screenshare showing an example

00:43

of some of my narrows input selection

00:46

algorithms over the past so on the top

00:49

here you can see an example of a

00:51

completely random distribution algorithm

00:55

algorithm so on the Left you have old

00:57

outputs that were generated at the very

00:59

very beginning of my narrows history on

01:01

the right you have new outputs that are

01:03

generated very very recently especially

01:05

within the past few days or so let's say

01:08

that the green circle is the actual

01:11

output that was spent this is the real

01:13

money to sent and the blue ones are the

01:15

decoys that are selected now a

01:17

completely random distribution method

01:20

might sound great to begin with because

01:22

you know any input could be selected for

01:24

any reason but this leads to a lot of

01:27

unintended like consequences as a result

01:30

so you can make pretty strong heuristics

01:33

that say people are far more likely to

01:36

spend new money than old money so as a

01:40

result the latest input the green one

01:43

highlighted here is most likely to be

01:45

the real one and well you don't

01:48

necessarily have the ground truth to

01:50

prove that this is true it could be

01:52

tested as very reliable over time you

01:55

could make the potentially very strong

01:57

heuristic there and you can see in the

01:58

example on the screen on the first on

02:00

the first line there that is the case

02:02

because that's often the case right so

02:05

Manero sought to improve upon this

02:07

iterate upon this and you can see on the

02:09

second line there there's an example of

02:11

a recent zone selection

02:13

so you have again the whole history of

02:16

Menards outputs but you have a short

02:19

recent zone period where you're more

02:22

likely to select other decoys from the

02:25

specific period so the narrows code

02:28

might specify for instance that the

02:30

recent zone needs to be about 1.8 days

02:33

and that you should select about half of

02:35

the decoys from this said recent zone so

02:38

you can see on this example here that

02:40

about half the decoys are selected from

02:42

this recent zone and then for the rest

02:44

of the tale going back to previous tie

02:46

like the very beginning of my narrows

02:47

history you still have the ability to

02:49

select these outputs but they're less

02:52

common than new outputs and this helps

02:54

address the specific heuristic we're

02:57

speaking about where the the latest

02:58

output is the most the latest output in

03:01

the ring is usually the true one because

03:03

now you have a more latest out latest

03:06

decoys included in this ring so

03:08

therefore you have a more plausible

03:11

selected outputs in this case and the

03:13

recent zone was nice and simple it was a

03:15

really easy way to implement this sort

03:16

of feature and it would definitely was

03:18

an improvement over the existing

03:22

completely random system Manero began

03:24

with but it's not ideal

03:26

and so Manero has moved to what more

03:29

resembles the bottom line there which is

03:31

a matching distribution one that is

03:34

based on empirically observed

03:37

distributions based off what we've

03:39

Manero and outside Reacher's researchers

03:42

found with Bitcoin and Manero it's a

03:45

mathematical model so you can see that

03:47

in this case the newest outputs are even

03:50

more likely to be selected for instance

03:51

so this hopefully this diagram helps

03:55

show how it's not just about how many

03:58

inputs there are in a transaction it's

04:00

also about how you select them and

04:02

there's a lot of implications on how

04:04

these are actually selected but it's

04:06

more than just timing as I show here

04:08

timing is just one part of how this is

04:10

done and for it to this end Sarang is

04:13

going to speak a little bit more

04:14

specifically about other factors

04:16

involved in the selection algorithm yeah

04:19

absolutely

04:19

I mean and it's worth noting that you

04:21

know technically the way that we still

04:22

do it and the way that we've always done

04:23

it did have elements of randomness to it

04:25

I mean random is kind of it's a

04:27

it's often a really poor word right so

04:29

for example even though typically the

04:31

outputs that you'll choose kind of

04:32

follow that particular mathematical

04:34

model there is an element of randomness

04:36

involved so you know two people can

04:38

definitely choose very very different

04:39

rings but you know on average they'll

04:41

follow a pattern that looks

04:41

approximately like the pattern that

04:43

you've showed so there's always still

04:45

randomness into it but like you said

04:47

timing heuristics or you know guesses

04:49

that an adversary might they make make

04:51

based just on the age of the output like

04:53

you said are only one heuristic they're

04:55

pretty big heuristic right because you

04:57

know in general for a lot of old

04:59

transactions you could guess what you

05:00

thought the newest one was and and you

05:02

know you might be right although you

05:03

couldn't prove it you know implicitly

05:05

but timing is just one part and we've

05:08

iterated since then to kind of mitigate

05:10

against other smaller heuristics that

05:12

were not timing based on us the one

05:14

example deals with something called

05:15

coinbase outputs if you're not familiar

05:17

with the term basically every Manero

05:20

block of transactions that is generated

05:21

has a special output in it that

05:23

generates new money as part of the

05:24

protocol that's kind of what helps to

05:26

reward miners for doing work in part and

05:28

those coinbase outputs I like to think

05:30

of as you know newly generated money so

05:32

in general do people spend newly

05:34

generated money or coin based outputs as

05:36

the true spender you know probably not

05:38

necessarily as often as non-new might or

05:41

nonpoint base outputs so for example if

05:43

I happen to choose ring that contained I

05:45

don't know 10 coin based outputs and

05:47

then my true output which was not a coin

05:49

base output an adversary might look at

05:52

that and think hmm I would say it's much

05:53

more likely that this person you know

05:55

didn't spend a coin base out because

05:57

that's all very new money so that could

05:59

be a heuristic that they might use they

06:01

might think coin based outputs are

06:02

probably decoys well in that case that

06:04

would kind of imply that we should

06:05

select fewer a coin based outputs as

06:07

part of our rings how many is too many

06:09

or too few I mean that's not a very

06:11

well-defined problem with a very

06:12

well-defined solution but as we've

06:15

iterated our selection algorithm to make

06:16

it better against this you know guess

06:18

newest heuristic involving output age

06:20

you know we probably introduced more

06:22

coin based outputs then some people

06:24

would have liked so we made a slight

06:25

modification to the algorithm where

06:27

instead of just choosing a block and

06:29

then yanking a decoy out of it which

06:31

tends to give us more coin based outputs

06:33

than fewer instead we actually look at a

06:35

very small window around that particular

06:37

block so our effectively increasing the

06:39

size of the bin from which we get to

06:41

choose our outputs and what that ends up

06:42

meaning statistically is that we end up

06:44

choosing fewer coin based outputs which

06:46

kind of mitigates against this much

06:48

smaller heuristic and that of course is

06:50

not the only heuristic type you might

06:51

come up with either so coin based

06:53

outputs are one thing an adversary might

06:54

use to look at to try to make guesses

06:56

timing which we've worked on of course

06:58

and have talked about might be one that

07:00

a adversary might use um there's other

07:02

ones for example if I have a transaction

07:05

that has two different inputs each of

07:07

those has a separate ring maybe the

07:09

adversary is able to look at the

07:11

different decoys and outputs that are in

07:13

those rings and maybe the adversary will

07:15

find that there's a transaction way back

07:17

when in the blockchain that generated

07:19

two different outputs and maybe one of

07:21

those outputs appears in one of the

07:23

inputs to my new transaction and the

07:25

other output appears as an input to the

07:27

other one again it's just a guess

07:28

because it may have happened by chance

07:30

but probably not the adversary might try

07:32

to conclude that the outputs that were

07:34

generated in a previous transaction are

07:36

now being spent by me and might make

07:38

some conclusions based on that again

07:40

without external information a heuristic

07:42

is not a proof but it gives the

07:44

adversary something that they might try

07:45

to guess so in general this is very very

07:49

complex I will say right now it is

07:51

pretty impossible to get rid of all

07:53

possible heuristics so we can always

07:55

make our selection algorithms better and

07:57

as Justin pointed out and as I've kind

07:58

of hinted at we have done this over time

08:00

we iterate to get better and better a

08:02

good way to think about this is

08:04

something that Justin brought up in fact

08:05

kind of with like a plugging of a whole

08:07

analogy if you want to give that what

08:08

you kind of liked yeah of course so um

08:12

what an example like we we know of a

08:14

specific heuristic for instance the the

08:17

guessed newest heuristic might be an

08:19

example so we can iterate Manero

08:22

selection algorithm to help counter this

08:25

sort of heuristic and the actual

08:26

effectiveness of it but in doing so

08:28

we're still choosing some other way to

08:32

select outputs that people can't develop

08:34

heuristics for so there's no limit to

08:37

the number of heuristics that people can

08:38

come up with they can continue making

08:41

complicated heuristics over time pretty

08:43

much no matter what we do so we're

08:45

always plugging these holes that we're

08:47

aware of and the biggest holes we know

08:49

of but we might indirectly be making

08:52

smaller holes we might

08:54

making holes that were not necessarily

08:55

aware of because maybe the heuristics

08:57

haven't been conceived yet especially by

08:59

participants in the Monaro community so

09:01

this is definitely something that will

09:04

need continuous improvement it needs

09:07

continuous iteration in order to make it

09:09

better to keep patching these holes

09:11

you can't just pave a road and never

09:13

expect to have potholes you have to

09:14

suffer through it like the Minnesota

09:16

winters like I have where you go and

09:18

have to keep patching these potholes

09:19

that keep appearing right they keep

09:21

coming out and when you think you're

09:23

done some trucks gonna drive over it and

09:24

come up with and make a new one right so

09:27

these these sort of circumstances keep

09:29

happening apologies for that terrible

09:30

analogy I'm trying to place terrain here

09:33

but yeah we try to address the big ones

09:35

first the example of the guest nuke uist

09:38

but there might have been some

09:39

consequences as an example by changing

09:42

the selection algorithm to follow a more

09:45

mathematical distribution we actually

09:47

selected more of those coin based

09:48

outputs and we needed to go back and

09:50

sort of refine how we did this work was

09:52

every improve was every iteration still

09:54

an improvement overall from what we can

09:57

see now it should be yes we addressed

09:59

the existing heuristics and done more

10:02

good than harm but there's always going

10:04

to be some sort of trade-off that we're

10:06

going to sort of keep playing with and

10:09

so to speak yeah absolutely I mean we we

10:12

definitely receive reports all the time

10:14

about people who come up with you know a

10:15

particular small pattern that they might

10:17

see among certain transactions or

10:19

outputs based on the way that we make

10:20

our selections and some of those are

10:22

very very small um doesn't mean that you

10:24

know as optimal that we keep them in

10:25

there but you know to some extent it's

10:29

not necessarily always obvious how to

10:30

make an absolute good change to counter

10:34

some of those small heuristics without

10:35

inadvertently kind of ruining the work

10:37

that we've done for some of the much

10:39

bigger heuristics so you know if we see

10:41

a small heuristic pointed out and we

10:42

don't change our algorithm because of it

10:44

you know it doesn't mean that we are not

10:46

concerned about those heuristics but it

10:48

means that we always have to balance the

10:49

good that we'd be doing by making such a

10:51

change with the inadvertent harm that

10:53

might be caused by it so it's it's

10:55

always an arms race right financial

10:57

privacy as a whole as you're probably

10:58

learning from this video series is an

11:00

arms race analysis only gets better over

11:03

time and that's great you know just

11:05

because we receive small reports

11:06

sometimes and big reports other

11:08

about different heuristics that come up

11:10

doesn't mean we don't want to see them I

11:11

love seeing those reports I love

11:13

learning more about what other people

11:14

are doing with this analysis but it just

11:16

reminds me that it is an arms race

11:17

analysis gets gets better we get better

11:20

because of that you know that might

11:22

invite more analysis which just has kind

11:24

of this spiraling effect toward us

11:25

getting better

11:26

yes speaker speaking about spiraling

11:29

effects towards getting better one of

11:31

the great things about ring signatures

11:32

is that the selection algorithm and the

11:35

ring size sort of go hand in hand and

11:37

sort of a positive or negative feedback

11:39

loop it's supposed you're purposely

11:41

making things worse but as Mineiro

11:44

increases its ring size it sort of

11:46

decreases the severe negativeness of

11:50

perhaps a bad selection algorithm there

11:52

are some limitations of a selection

11:54

algorithm if you just keep picking more

11:56

and more inputs for example right more

11:58

and more decoys the you know

12:01

shortcomings of a specific algorithm

12:03

might decrease will or should ideally

12:05

decrease meanwhile if you improve your

12:07

selection algorithm you make better use

12:10

of the decoys that you have so these two

12:12

components are really critically

12:15

important and having strong privacy in

12:18

venero making the most out of his ring

12:20

signatures because if you have a larger

12:24

ring size with the terrible selection

12:25

algorithm then you're not going to have

12:27

great privacy because you're able to

12:29

develop really strong here as six

12:30

potentially and likewise if you have a

12:32

really even if you had a some mechanism

12:36

of having a perfect algorithm under

12:38

every circumstance but you had a like

12:41

really small ring size for example then

12:43

you're also not great either so these

12:44

things really critically work hand in

12:47

hand at providing really the privacy

12:50

that ring signatures offer it's more

12:52

than just what they say they provide out

12:54

of the box which is one out of inman

12:57

arrows cases he's now 10 11 one out of

12:59

11 are possibly spent it's all the

13:02

additional metadata itami analysis

13:04

coinbase metadata that is associated

13:07

with this and so the selection algorithm

13:09

needs to adjust over time to to

13:11

compensate for this otherwise we could

13:14

just pick the first 10 outputs that were

13:16

ever generated on maneras blockchain and

13:17

be like oh it's either the latest order

13:19

of the first 10 and that's obviously not

13:21

very

13:22

so you know it's input selection

13:25

algorithm is very important from

13:27

narrowing signatures

13:28

all right Sarang do you have any last

13:29

closing thoughts to leave the viewer

13:31

with just that our goal still remains to

13:34

provide the best plausible deniability

13:35

possible with ring signatures and over

13:38

time we continue to learn about better

13:39

and better ways to do that and so we

13:41

keep iterating and iterating and

13:42

iterating to get better and we're

13:44

absolutely not perfect now but we

13:46

continue to try to get better and better

13:49

all right Thank You Sarang thank you

13:52

everyone for watching this episode of

13:54

breaking Manero we will catch you in the

13:55

next one thank you