How buying pot with Monero will get you busted — Knacc attack on Cryptonote coins

Introduction

This is part 3 out of 4 of my Cryptonote Tracking series. We created a permanent home for it in the /r/CryptoNoteTech subreddit. Feel free to drop by if you are interested in the privacy side of Cryptonote coins.

This attack, as the name suggests, was found by Knacc sometime in early 2017. The original write-up that this article is based on can be found here. TLDR readers should be aware that the solutions suggested there are deeply flawed. This article discusses the current state of my own knowledge on this attack.

Another source of information on this attack is the official “Breaking Monero” series [1]. It is fairly long and waffly, as tends to happen when an inexperienced person does a live podcast without a good script.

Hiding in a crowd of one, or perils of a small anonymity set

The essence of a Knacc attack is extremely simple. In our simplified example, let’s say that exchange E records in some kind of database the output that buyer B withdraws, tagging it. B then uses that output to pay seller S. S then deposits the money back with E.

Tagged output for ring size of 3 (3² = 9 possibilities)

In the case of Monero and our simplified example, when E receives money from S there are 11^2 = 121 possible outputs, one of which happens to be our tagged output. The next question we need to ask ourselves is: what is the probability that our tag was selected as a decoy by accident?

To answer this we need to estimate the number of outputs the wallet considers as decoys. Since the selection is heavily biased towards recent outputs (to mimic user behaviour), let’s say that we consider 10 million out of roughly 20 million outputs created since 2014.

This gives us a 1 in 10 million chance of accidental selection for each of the 121 candidates. After setting up a quick binomial distribution for P(x=0), we can calculate that the probability that this output found itself there by pure accident is 1 - 0.99998790007 = 0.0012%. May the odds be in your favour.

My umbrella will stop the spy satellite from seeing me! And other fanciful notions

I know my seller uses a different exchange!

E does not have to be a person. All you need is a state database of “our exchange gave output Y to person X”.

But what if a surveillance state tags every output! Then you will have multiple tags in your set!

Firstly, congratulations on trying to fix something by breaking it further. Secondly, a DNA test has about 1 in 10 million probability of a false positive. This means that for every murder suspect there are about 10 to 20 people in the country that will also test positive. But you are not testing every person in the country, you are testing a guy that was picked up while running away from the murder scene (statistics can be complicated like that).
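The binomial estimate above and the base-rate argument in this answer, worked through as an added example (not code from the original write-up or from the Monero project). It assumes the article's simplification that each of the ring_size² candidates is an independent uniform pick from the decoy pool; the `prior` value and all function names are constructed for illustration.

```python
import math

def candidate_count(ring_size, hops=2):
    """Outputs that could be the real source after `hops` chained spends."""
    return ring_size ** hops

def p_accidental_tag(ring_size, pool_size, hops=2):
    """P(one specific tagged output is among the candidates purely as a decoy).

    Assumption (the article's simplification): every candidate is an
    independent, uniform draw from `pool_size` eligible outputs.
    """
    n = candidate_count(ring_size, hops)
    # 1 - (1 - 1/pool)^n, via log1p/expm1 so tiny probabilities keep precision
    return -math.expm1(n * math.log1p(-1.0 / pool_size))

def posterior_real_spend(prior, p_accident):
    """Bayes' rule: P(B really paid S | B's tag is among the candidates).

    A real spend always puts the tag there (likelihood 1); otherwise it
    appears with probability `p_accident`.
    """
    return prior / (prior + (1.0 - prior) * p_accident)

def sweep(pool_size, ring_sizes, prior):
    """Rows of (ring size, candidates, P(accident), posterior) for comparison."""
    rows = []
    for r in ring_sizes:
        p = p_accidental_tag(r, pool_size)
        rows.append((r, candidate_count(r), p, posterior_real_spend(prior, p)))
    return rows

if __name__ == "__main__":
    POOL = 10_000_000   # decoy pool size used in the article
    PRIOR = 0.001       # constructed value: suspicion before seeing the tag
    for r, n, p, post in sweep(POOL, [3, 11, 100, 1000], PRIOR):
        print(f"ring={r:>4}  candidates={n:>8}  P(accident)={p:.6%}  "
              f"posterior={post:.4f}")
```

With ring size 11 the tag turns a weak prior into near certainty, while at ring size 1000 the same prior barely moves, which is the effect a larger anonymity set buys.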

How can I actually protect myself?

The hard answer here is that there are no easy answers. A properly anonymous coin needs gigantic (1000+) ring sizes.

The suggestion to send the coins to yourself is deeply flawed. DO NOT do this. As I demonstrated in the previous episode, it turns suspicion into hard evidence.

Response from some Monero “community members”

At the request of a Monero moderator I’m adding a link to a community discussion on the topic here. Please keep in mind that it is populated with people whose financial incentive is to deny the existence of any problems, whereas we are acting contrary to that incentive as the problems apply to Ryo too.