Just send it to wallet to new wallet to new wallet a few times. Easy peazy and cheap even for people with only pennies.

Stop playing games and use it “by default” like how it’s intended and it even defeats the problems most apparent in “breaking monero” series.

How did you not figure this out already?

  • anesthesia@monero.town
    link
    fedilink
    English
    arrow-up
    5
    ·
    22 days ago

    I think there is one very good usecase for churning though.

    And before anything, yes I know that one should not use CEX but in some cases it is just much more convenient. Although I am now starting to use Haveno, I get not everyone is up to it, and CEX is just plain easier.

    Imagine the following scenario:

    I buy a shitcoin over at a KYC’d CEX.

    I send that coin to a centralized swap, or trade it with a compromised person, in exchange of XMR.

    Lets say I repeatedly do that procedure with the same person or CEX. Then I end with multiple “small” outputs on my wallet, all from the same entity. Let’s say for example 10 outputs of 0.1 XMR, which all have been sent to me by the same entity.

    Now I want to buy something that costs 1 XMR. I need to use my 10 existing outputs. I make a transaction that takes 10 inputs and 2 outputs (what I buy + change). The transaction has 10 inputs, and all of those inputs have a ring, where one of the members of each ring is an output controlled by the compromised entity.

    The likelihood of someone making a transaction with 10 inputs, where those 10 inputs happen to contain a member in the ring that was sent by that specific exchange and that is linkable to my identity is near zero, unless it is me who is spending those 10 outputs.

    Therefore, the person that sent me those 10 outputs can make a very well educated guess that it was me who bought that item for 1 XMR.

    This “vulnerability” is actually talked about in the Breaking Monero series, and as far as I know, it will be solved when FCMP++ comes, since we will get rid of rings altogether.

    However let’s say I do one step of churning with all those outputs without mixing them with eachother. That is, I send to myself 10 transactions of 0.1 XMR, so I just “forward” each output to myself once, without making any transaction that contains two poisoned inputs at the same time.

    Then I will still end up with 10 outputs of 0.1 XMR, but all the “poisoned” outputs are present in different and unlinkable transactions, and the negative actor does not know whether they are truly spent or not.

    Then I can actually join those 10 outputs into one 1XMR transaction safely, knowing that I am the only person who knows where those 10 outputs come from.

    Am I wrong in this thought process?

    • azalty@jlai.lu
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      19 days ago

      You’re right and wrong. Churning will reduce the traces linking back to you, but you’re still exposed at 1 churn per output, when including 10 outputs. You would even be exposed when spending 2 outputs from the same source

      As you know, each ring currently has 16 transactions, including you. This means, on average (more or less because of other factors, but still), each output will be featured in 16 transactions. We can therefore assume that 1 in 16 of those transactions is real (in reality the distribution is not that perfect, but as an average, it is important to know the consequences).

      You now have a 1 in 16 chance of being traced. Statistically, the transaction you made has 6,25% chance of being made by you. That’s pretty high for a single poisoned output, right?

      Now imagine you spend 2 poisoned outputs… the distribution algorithm is not evenly distributed: older outputs are less likely to be picked than newer. This means you get a situation where the older your 2nd poisoned output is, the more you’ll stand out. The math is not that easy the make, but just knowing that each output will only be included 16 times on average, and that there are a lot of transactions so a lot of outputs, it becomes really unlikely that 2 of the poisoned outputs that are linked to the same individual end up in the same transaction if it was not made by the individual of question itself.

      With 3+ poisoned outputs you basically confirm that it was the same person. Might not hold up in court, but they’ll definitely know

      10+ poisoned outputs? Definitely you.

      Churning each output only multiplies the number of possibilities by 32 (16 for one output, 32 in reality because 2 outputs are generated). This will certainly throw off the basic chain analysis methods, but if you’re a person of interest, all the linked outputs will be analyzed. All outputs that are created by including poisoned inputs might be considered, effectively multiplying the number of possibilities by 32 as said earlier. If I tried to spy on someone with this, I would probably set a higher suspicion level on the first transaction level, then less on the second… assuming chain analysis software does that as well, churning would actually divide the chances of being caught by more than 32 but lets assume they don’t do that as it’ll be easier. You now have 1 chance on 16^2=256 so 0,39% chance of having done a transaction with a churned output in between for a single poisoned output. Still pretty high if you want my opinion. If you do that multiple times, you’ll stand out for sure. Including multiple outputs will also expose you a lot. Spending 10 churned poisoned outputs will definitely expose you.

      I should just make a blockchain analysis program and test transactions with it 😂

      My recommendation: if you’re going to spend multiple poisoned outputs at once: churn them together into 1 output (it’s called sweeping afaik), then churn this individual output. The initial churn merge will make the transaction stand out, but since you only have one output to churn, you reduce the traces.

      Please correct me if I’m wrong, I have put a lot of time thinking about all of this but I might have forgot to include some specific things. I already noticed that all transactions include 2 outputs (at least), so the possibilities are multiplied by 32, not 16 as was my initial assumption

      • anesthesia@monero.town
        link
        fedilink
        English
        arrow-up
        2
        ·
        19 days ago

        I didn’t know the protocol tried to use every output in around 16 transactions. I know about the 16 ring size, but I didn’t know it also tried to use each output 16 times. If so, that is very smart and interesting. You learn something new every day!

        The idea of sweeping them and then churning the merged output is also smart.

        Oh well I guess we just have to wait for FCMP++ where theoretically all this will be no longer relevant :)

        I remember watching the breaking monero series, when it was mentioned that (paraphrasing) “Rings are what give security to Monero but I really hope we get rid of them”… That time is finally getting closer :)

        • azalty@jlai.lu
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          19 days ago

          The protocol doesn’t try to use each output 16 times actually, that could be pretty nice I guess. I was just saying that statistically, you should get an average of 16 times because, well, the ring size is 16. The actual may vary quite a bit, and your output might potentially never be featured as a decoy, or featured 100+ times. It isn’t likely though. I just used 16 because it is simpler this way.

          I never watched the breaking Monero series, I should take the time to do it

          And yea, really excited for FCMP++ as well :) - most chain analysis stuff will go bye bye

          • anesthesia@monero.town
            link
            fedilink
            English
            arrow-up
            2
            ·
            19 days ago

            Yes you are right, it was too early in the morning for me to process properly…

            Statistically you should see each output used an average of 16 times, that makes sense.

            Cheers!