Foundations of Ring Sampling

A ring signature scheme allows the signer to sign on behalf of an ad hoc set of users, called a ring. The verifier can be convinced that a ring member signed, but cannot point to the exact signer. Ring signatures have become increasingly important with their deployment in anonymous cryptocurrencies. Conventionally, it is implicitly assumed that all ring members are equally likely to be the signer. This assumption is generally false in reality, leading to various practical and devastating deanonymizing attacks in Monero, one of the largest anonymous cryptocurrencies. These attacks highlight an unsatisfactory situation: how a ring should be chosen is poorly understood. We propose an analytical model of ring samplers towards a deeper understanding of them through systematic studies. Our model helps to describe, as an information-theoretic measure, how anonymous a ring sampler is with respect to a given signer distribution. We show that this measure is robust, in the sense that it varies only slightly when the signer distribution varies slightly. We then analyze three natural samplers (uniform, mimicking, and partitioning) under our model with respect to a family of signer distributions modeled after empirical Bitcoin data. We hope that our work paves the way towards researching ring samplers from a theoretical point of view.
