Everybody is always saying to churn by sweeping the coin. Makes sense, works neatly to keep coins apart. But my thinking is that when sweeping, your tx only has 1 output. As most transactions have at least a second output for change, doesn’t this make a sweep tx look like a high-probability churn in the blockchain?

  • VirtualbeekOP
    6 months ago

    Right, thanks. I buy small amounts of XMR whenever I have some to spare and have lots of inputs. What exactly is visible when aggregating those if different subaddresses were used for all? Is it smart to churn all inputs individually one time first before aggregating?

    • kenkenken@sh.itjust.works
      6 months ago

      I wouldn’t assume the right strategy for inputs. To an outsider they are all indistinguishable, but the sender, an exchange for example, can mark operations (withdrawals) done with the same account and store that information. Every input has 16 potential members selected from the blockchain. But if a tx has many inputs, and each input has among its ring one previously marked input associated with the same exchange account, it will be likely that the tx was created by the person with that exchange account. If the person later tries to deposit these coins to another account of the exchange, the exchange could probably link the two accounts, at least as potentially linked. So input aggregation can give additional hints for an EABE attack.

      Probably, it is better to aggregate inputs earlier, before churning, and not mix churned coins with unchurned. But Monero needs more general improvements such as FCMP/FCMP++.
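
An added example, not part of the comment above and not code from any Monero tool: it estimates how often the pattern described there (every input ring containing an output the exchange marked for one account) would appear by coincidence, which is what makes an aggregating transaction stand out. Assumptions: decoys are chosen uniformly from a pool of outputs (real wallets weight recent outputs), and the pool size, marked count and output ids are constructed values.

```python
from math import comb

RING_SIZE = 16  # ring members per input, the figure given in the comment above


def p_ring_hit(pool: int, marked: int, decoys: int = RING_SIZE - 1) -> float:
    """P(a ring built by an unrelated spender contains >= 1 marked output).

    Assumption: decoys are drawn uniformly without replacement from `pool`
    outputs. Real wallets favour recent outputs, so fresh withdrawals are
    picked as decoys more often than this model predicts.
    """
    if marked <= 0:
        return 0.0
    return 1.0 - comb(pool - marked, decoys) / comb(pool, decoys)


def p_all_rings_hit(n_inputs: int, pool: int, marked: int) -> float:
    """Chance that every one of n_inputs unrelated rings holds a marked output."""
    return p_ring_hit(pool, marked) ** n_inputs


def all_rings_marked(rings, marked_ids) -> bool:
    """The pattern itself: each input ring contains a marked output."""
    marked_ids = set(marked_ids)
    return bool(rings) and all(marked_ids & set(ring) for ring in rings)


if __name__ == "__main__":
    POOL, MARKED = 1_000_000, 10  # constructed sizes, not chain data
    for n in (1, 2, 5, 10):
        print(f"{n:2d} inputs: coincidence probability {p_all_rings_hit(n, POOL, MARKED):.3e}")
    # Constructed transaction: 3 rings, each 15 unrelated ids plus one marked id.
    marked = {900_001, 900_002, 900_003}
    rings = [list(range(100 * i, 100 * i + 15)) + [m] for i, m in enumerate(sorted(marked))]
    print("pattern present:", all_rings_marked(rings, marked))
```

Under this model the coincidence probability falls geometrically with the number of inputs, so each extra marked input aggregated in one transaction makes an innocent explanation less plausible.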

      • VirtualbeekOP
        6 months ago

        Interesting. Could you explain a bit more? I understand the ring signature makes guessing the origin a 1/16 chance. But with stealth addresses and RingCT you can’t know where it was sent or the amount that was sent. Let’s say XMR gets transferred from A to B to C to D. Even without ring signatures, how could you derive that A’s XMR ended up at D? All we know is that A, B and C sent XMR, but not knowing the amounts or where it was sent, there is no knowable or guessable relation between those transactions, right?

        And even if you aggregate, let’s say, 10 inputs marked by an exchange, wouldn’t churning that new single input a few times make it hard to link transactions from the newly churned input to the 10 original ones from the exchange?

        FCMP, that’s the proposed change that increases the ring signature size effectively from 16 to 100k, right? Is that update already in the making and expected to be ready for release in the near future?