Monero's Decoy Selection Algorithm: How Ring Members Are Chosen
Why Decoy Selection Matters
Monero's ring signatures work by mixing a real spent output with a set of decoy outputs drawn from the blockchain. When a user spends Monero, their wallet selects several other outputs that could plausibly be the real one and constructs a cryptographic proof that the spender owns one of them without revealing which. The security of this scheme depends critically on how those decoys are chosen. If the selection algorithm has predictable biases, statistical analysis can narrow down which output is the real spend, potentially deanonymizing the sender.
Consider a naive approach where decoys are selected uniformly at random from all outputs on the blockchain. This seems fair, but it creates an immediate problem. Real spends tend to occur relatively soon after outputs are received. People receive Monero and spend it within days or weeks, not years. If decoys are selected with equal probability from the entire blockchain history, most decoys will be old outputs, and the one recently created output in the ring will stand out as the most likely real spend. An attacker who knows the spending behavior distribution can assign probabilities to each ring member and significantly reduce the effective anonymity.
This is why Monero uses a carefully designed probability distribution for decoy selection rather than uniform random sampling. The goal is to make the decoy selection pattern match the actual spending pattern so closely that statistical analysis cannot distinguish real spends from decoys.
The Gamma Distribution Model
Monero's current decoy selection algorithm uses a modified gamma distribution to determine the age of decoy outputs. The gamma distribution is a continuous probability distribution that, when parameterized appropriately, produces a curve that assigns higher probability to recent outputs and lower probability to older ones, closely mimicking how people actually spend their Monero.
The specific parameters of the gamma distribution used by Monero have been calibrated through empirical analysis of spending patterns on the blockchain. Researchers studied the distribution of time intervals between when outputs are created and when they are actually spent across a large sample of transactions. The gamma distribution was found to provide a good fit for this observed spending behavior.
When your wallet constructs a transaction, it samples from this gamma distribution to determine the age offset for each decoy. It then selects an actual output from the blockchain that matches this age as closely as possible. The result is a set of ring members whose ages are statistically indistinguishable from a set of real spends, making it difficult for an observer to determine which one is genuine based on timing alone.
Why Even Distribution Is Not Optimal
Intuitively, one might think that selecting decoys with equal probability from all outputs would provide the best anonymity since every output looks equally likely. However, this reasoning is flawed because it ignores the attacker's knowledge of spending patterns.
An attacker who knows that most real spends occur within a few days of output creation can immediately assign very low probability to ring members that are months or years old. If the decoy selection process chose uniformly, most rings would contain many old outputs and one or two recent ones, making the recent outputs obvious candidates for the real spend. By instead selecting decoys according to the same distribution as real spends, every member of the ring has a plausible age profile, and the attacker's prior knowledge of spending patterns provides no advantage.
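The effect described in this section and in the wallet sampling step above can be measured on synthetic data. The following is an added example, not code from the article or from Monero's wallet: it compares how often the real spend is the youngest ring member under uniform decoys and under decoys drawn from the spend-age distribution. The gamma parameters, the 8-year chain length, and the age-only model (no mapping of sampled ages to concrete outputs) are assumptions made for illustration.

```python
import math
import random

# Assumptions for this sketch (not taken from the page):
SHAPE, RATE = 19.28, 1.61        # illustrative gamma fit over ln(age in seconds)
CHAIN_AGE = 8 * 365 * 86400      # constructed chain history: 8 years, in seconds
RING_SIZE = 16                   # ring size stated on the page


def spend_age(rng):
    """Age in seconds at which an output is spent: exp(Gamma), capped to the chain."""
    while True:
        age = math.exp(rng.gammavariate(SHAPE, 1.0 / RATE))  # second arg is the scale
        if age < CHAIN_AGE:
            return age


def uniform_age(rng):
    """Naive decoy: every point in chain history is equally likely."""
    return rng.uniform(0.0, CHAIN_AGE)


def newest_guess_accuracy(decoy_sampler, trials=20000, seed=1):
    """Fraction of simulated rings in which the real spend is the youngest member."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real = spend_age(rng)
        decoys = [decoy_sampler(rng) for _ in range(RING_SIZE - 1)]
        hits += real < min(decoys)
    return hits / trials


if __name__ == "__main__":
    print("uniform decoys :", newest_guess_accuracy(uniform_age))
    print("matched decoys :", newest_guess_accuracy(spend_age))
    print("blind guess    :", 1 / RING_SIZE)
```

With matched decoys the real spend and the decoys are identically distributed, so the youngest-member rule does no better than a blind guess of 1 in 16.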
Ring Size Evolution
The number of ring members in Monero transactions has increased several times over the project's history, reflecting the community's ongoing commitment to strengthening privacy.
- Early Monero (2014-2016) - Ring sizes were optional and variable. Users could choose their own ring size, with a minimum as low as 3. Many users chose the minimum, and some even used ring size 1, which provided no sender privacy at all.
- Mandatory minimum ring size 5 (2016) - A hard fork established a mandatory minimum ring size, ensuring that all transactions provided at least basic sender privacy.
- Ring size 7 (2018) - The mandatory ring size was increased to 7, providing stronger anonymity guarantees.
- Ring size 11 (2019) - A further increase brought the ring size to 11, which was the standard for several years.
- Ring size 16 (2024) - The most recent increase expanded rings to 16 members, significantly increasing the anonymity set for each transaction.
Each increase in ring size makes statistical deanonymization harder by expanding the set of plausible real spends. However, larger rings also increase transaction sizes and verification times, creating a trade-off between privacy and efficiency. The community carefully evaluates these trade-offs before each increase.
The Poisoned Output Attack
One of the most studied attacks against Monero's ring signature scheme is the poisoned output attack, also known as the flooding attack or the heuristic attack. In this attack, an adversary creates a large number of outputs on the blockchain that they control. Because the adversary knows which of their outputs are spent and which are unspent, they can eliminate their own outputs from consideration when they appear as decoys in other users' rings.
Here is how it works in practice. An adversary generates thousands of transactions sending Monero to themselves, creating a large pool of outputs they control. When a regular user creates a ring signature, some of the randomly selected decoys may be outputs belonging to the adversary. The adversary knows whether their own outputs have been spent, so they can determine that those outputs are decoys in the victim's ring. By eliminating their known decoys, the adversary reduces the effective ring size, potentially identifying the real spend.
Mitigations
Several factors mitigate the effectiveness of poisoned output attacks. First, executing the attack at scale is expensive because it requires creating many transactions with real Monero, incurring transaction fees. Second, the larger the ring size, the more outputs the attacker must control to meaningfully reduce anonymity. With a ring size of 16, an attacker would need to control a very large fraction of all blockchain outputs to have a significant impact. Third, Monero's community has implemented output age restrictions and other heuristics that make it harder for recently created flood outputs to be selected as decoys.
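To put numbers on the second mitigation, the following added example (not from the original article) computes how much margin each ring size listed above gives. It assumes a simplified model in which every decoy is independently adversary-controlled with probability f, where f stands for the adversary's share of the outputs the selection algorithm can pick.

```python
from math import comb

PAGE_RING_SIZES = (5, 7, 11, 16)   # mandatory ring sizes listed on the page


def eliminated_pmf(ring_size, f):
    """P(k of the ring_size - 1 decoys are adversary-controlled), k = 0..ring_size-1.

    Assumption: decoys are independent, each adversary-controlled with probability f.
    """
    d = ring_size - 1
    return [comb(d, k) * f**k * (1 - f) ** (d - k) for k in range(d + 1)]


def expected_effective_ring(ring_size, f):
    """Mean number of ring members left after the adversary removes its own outputs."""
    return sum((ring_size - k) * p for k, p in enumerate(eliminated_pmf(ring_size, f)))


def prob_effective_at_most(ring_size, f, limit):
    """P(effective ring size <= limit); limit=1 means only the real spend remains."""
    pmf = eliminated_pmf(ring_size, f)
    return sum(p for k, p in enumerate(pmf) if ring_size - k <= limit)


def share_needed(ring_size, target, limit=1, steps=40):
    """Smallest f at which a `target` fraction of rings shrinks to <= limit (bisection)."""
    lo, hi = 0.0, 1.0
    for _ in range(steps):
        mid = (lo + hi) / 2
        if prob_effective_at_most(ring_size, mid, limit) >= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    for n in PAGE_RING_SIZES:
        print(f"ring {n:2d}: mean effective size at f=0.25 is "
              f"{expected_effective_ring(n, 0.25):5.2f}; share needed to fully "
              f"reduce 10% of rings is {share_needed(n, 0.10):.3f}")
```

Under this model a ring of 16 requires a share of roughly 86% before one ring in ten is reduced to the real spend alone, compared with roughly 56% for a ring of 5.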
Temporal Analysis Risks
Even with a well-designed selection algorithm, temporal analysis remains a concern. Temporal analysis exploits the timing of transactions and outputs to make inferences about which ring member is the real spend.
For example, if a transaction is broadcast immediately after a specific output is created, and that output appears in the transaction's ring, there is a higher probability that this output is the real spend. The wallet software mitigates this by ensuring that rings always contain a mix of ages consistent with the gamma distribution, but timing correlations at the network level can still provide clues.
Another temporal analysis vector involves watching the memory pool. If an observer sees an output arrive in the mempool and then shortly afterward sees a new transaction that includes this output in its ring, the timing correlation suggests the output may be the real spend. Dandelion++, Monero's network-level privacy protocol, helps mitigate this by obscuring the origin and timing of transaction broadcasts.
Known Weaknesses in Historical Decoy Selection
Research has identified several weaknesses in earlier versions of Monero's decoy selection algorithm. Before the gamma distribution model was adopted, the selection algorithm had biases that allowed statistical deanonymization of a significant fraction of transactions. Academic papers demonstrated that by analyzing the age distribution of ring members across many transactions, researchers could identify the real spend with accuracy significantly better than random chance.
These findings prompted the switch to the gamma distribution model and motivated ongoing research into improving the selection algorithm. The Monero Research Lab actively collaborates with academic researchers to identify and address weaknesses before they can be exploited in practice.
Current Research and Improvements
The Monero research community continues to study and refine the decoy selection process. Active areas of investigation include better modeling of real spending behavior using larger datasets, adaptive selection algorithms that adjust their parameters as spending patterns change over time, and techniques for making the selection process more resistant to adversarial manipulation.
One promising line of research involves binning outputs by age brackets and selecting from within these bins to create more natural-looking distributions. Another approach considers the transaction graph structure, avoiding selections that create statistically unusual patterns when multiple transactions are analyzed together.
FCMP++: Eliminating the Decoy Problem Entirely
The most exciting development in Monero's privacy roadmap is Full-Chain Membership Proofs, known as FCMP++. This protocol upgrade will fundamentally change how sender privacy works by eliminating the concept of decoys entirely.
With FCMP++, instead of selecting a small ring of 16 decoy outputs, each transaction proves that the real spent output belongs to the set of all outputs on the entire blockchain. The anonymity set expands from 16 to millions, making statistical analysis of ring composition completely infeasible. There are no decoys to analyze because every output on the blockchain is equally a candidate.
FCMP++ achieves this using advanced cryptographic techniques including curve trees and zero-knowledge proofs that can efficiently prove membership in very large sets. The computational and storage overhead is manageable despite the enormous anonymity set, making this approach practical for real-world deployment.
When FCMP++ is activated, the entire category of attacks based on decoy selection analysis becomes obsolete. Poisoned output attacks, temporal analysis of ring composition, and statistical deanonymization through spending pattern matching will all be rendered ineffective. This represents a quantum leap in Monero's privacy guarantees and demonstrates the project's commitment to continuous improvement.
Until FCMP++ arrives, the current decoy selection algorithm with its gamma distribution model and 16-member rings provides strong practical privacy. For those who want to transact with Monero today, MoneroSwapper offers anonymous exchanges that complement the on-chain privacy provided by ring signatures and decoy selection.