There is one thing I don't understand about the MLSAG signature.

The additional public keys mixed into the signature ring must correspond to real unspent outputs in the blockchain, don't they? Otherwise one could identify them as just obfuscating keys.

But in that case traceability will increase over time, at the pace those additional outputs are spent.

S. Noether's paper is not very clear in this respect, so perhaps I'm not interpreting this correctly ... Is there another source that could shed light on this issue?

Kurt

There are in-depth ways to answer your concerns, but it seems like you probably already understand most of it already, and it's just a matter of stepping back and seeing the whole picture.

There are very, very few instances now where outputs can be shown to be provably spent. For this reason, it's not fair to assert that traceability will increase over time.

It is true that there are cases where outputs can be shown to be provably spent. One such example would be when ring members were all outputs from a prior ring with only one ring member. This type of situation did happen prior to the enforcement of a mandatory minimum ring size.

Since the hard fork / protocol upgrade in September 2017, there has been a mandatory minimum ring size of 5. Though through mere chance the occasional output in a post-September 2017 transaction may be shown to have been provably spent, a series of events allowing for that would be exceedingly (though, for me, unquantifiably) rare.

scoobybejesus
  • Just wondering one thing. If the same public key would appear in n different rings, then due to linkability we could conclude that it's not a signing key in at least (n-1) of those rings.

    This observation would allow us to carry out a statistical analysis and narrow down probabilistically the signers in transactions.

    Does the protocol try to reduce this risk? I presume that a simple strategy such as using preferably addresses from recent blocks would reduce this risk considerably

    – Kurt Dec 02 '17 at 19:16
  • The public address (public viewkey plus public spendkey) is not included in any ring, since it is never recorded on the blockchain. Various questions could provide more details about stealth addresses, but here's one I picked https://monero.stackexchange.com/questions/3897/whats-the-point-of-ring-signatures-if-stealth-addresses-hide-the-actual-address. Also, check out SE questions on output selection. – scoobybejesus Dec 03 '17 at 00:09
  • Yes, I agree. What I meant was the public stealth addresses. If an output is spent you must include the address as an input in the spend transaction. If you collect all those possible links, you may be able to deduce which output was spent when. – Kurt Dec 03 '17 at 08:12
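The answer's point about ring-size-1 inputs and Kurt's follow-up about an output that appears in several rings are two sides of the same "chain reaction" analysis (the one Monero Research Lab described in MRL-0001). The toy model below, added here as an example and not code from the original post or from the Monero project, makes it concrete: each ring is a list of placeholder output ids (standing in for the one-time output keys a real input would reference), key images are modelled only by the rule that an output is the real spend in at most one ring, and decoy selection is ignored. The output ids, ring contents and function names are all constructed for this illustration. It shows the pre-upgrade cascade in which every ring collapses to an effective size of 1, and that a set of rings all honouring the minimum size of 5 stated in the answer yields no provably spent outputs at all.

```python
from typing import Dict, List

# Constructed sample data: each ring is the list of output ids referenced by one
# transaction input (one real spend plus decoys). Ids are placeholders, not real keys.
PRE_FORK_RINGS: List[List[str]] = [
    ["o1"],               # ring size 1: o1 is trivially the real spend
    ["o1", "o2"],         # o1 is known spent elsewhere, so o2 must be the spend
    ["o2", "o3", "o4"],   # resolved only once o3 is pinned down by the ring below
    ["o1", "o2", "o3"],   # o1 and o2 known spent, so o3 is the spend
]

POST_FORK_RINGS: List[List[str]] = [
    ["o10", "o11", "o12", "o13", "o14"],
    ["o11", "o12", "o13", "o14", "o15"],
    ["o10", "o12", "o13", "o15", "o16"],
]

MANDATORY_MIN_RING_SIZE = 5  # the minimum the answer gives for the September 2017 upgrade


def violates_min_ring_size(rings: List[List[str]],
                           minimum: int = MANDATORY_MIN_RING_SIZE) -> List[int]:
    """Indices of rings a node enforcing the minimum ring size would reject."""
    return [i for i, ring in enumerate(rings) if len(ring) < minimum]


def provably_spent(rings: List[List[str]]) -> Dict[str, int]:
    """Chain-reaction analysis; returns {output_id: index of the ring it was spent in}.

    Key images guarantee each output is spent at most once, so an output that is
    the only candidate left in some ring is provably the real spend of that ring
    and merely a decoy everywhere else (Kurt's 'n-1 of n rings' observation).
    Excluding it from the other rings may leave another ring with a single
    candidate, so iterate to a fixed point.
    """
    spent_in: Dict[str, int] = {}
    changed = True
    while changed:
        changed = False
        for i, ring in enumerate(rings):
            if any(spent_in.get(o) == i for o in ring):
                continue  # this ring's real spend is already identified
            candidates = [o for o in ring if o not in spent_in]
            if not candidates:
                # Every member is proven spent in some other ring: the data violates
                # the one-spend-per-output rule that key images enforce on chain.
                raise ValueError(f"ring {i}: all members already spent elsewhere")
            if len(candidates) == 1:
                spent_in[candidates[0]] = i
                changed = True
    return spent_in


def is_consistent(rings: List[List[str]]) -> bool:
    """True unless the analysis hits a ring with no possible real spend (double spend)."""
    try:
        provably_spent(rings)
        return True
    except ValueError:
        return False


def effective_ring_sizes(rings: List[List[str]], spent_in: Dict[str, int]) -> List[int]:
    """Plausible signers left per ring once members proven spent elsewhere are removed."""
    return [sum(1 for o in ring if spent_in.get(o, i) == i)
            for i, ring in enumerate(rings)]


if __name__ == "__main__":
    for label, rings in (("pre-fork", PRE_FORK_RINGS), ("post-fork", POST_FORK_RINGS)):
        spent = provably_spent(rings)
        print(label, "rejected rings:", violates_min_ring_size(rings))
        print(label, "provably spent:", spent)
        print(label, "effective ring sizes:", effective_ring_sizes(rings, spent))
```

Running it shows the pre-fork rings all fully traced (effective sizes `[1, 1, 1, 1]`) even though only the first input had a ring of size 1, whereas the post-fork set produces no deductions. The `is_consistent` helper also makes the key-image invariant visible: feeding it two size-1 rings that both claim `o1` is rejected, which is exactly the double spend that key images prevent on the real chain.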