Monero's Decoy Selection Algorithm: How Ring Members Are Chosen
Why Decoy Selection Matters
Monero's ring signatures work by mixing the real spent output with a set of decoy outputs drawn from the blockchain. When a user spends Monero, their wallet selects several other outputs that could plausibly be the real one and constructs a cryptographic proof that the spender owns one member of the ring without revealing which. The security of this scheme depends critically on how those decoys are chosen. If the selection algorithm has predictable biases, statistical analysis can narrow down which ring member is the real spend and potentially deanonymize the sender.
Consider a naive approach in which decoys are selected uniformly at random from all outputs on the blockchain. This seems fair, but it creates an immediate problem: real spends tend to occur soon after the output is received. People receive Monero and spend it within days or weeks, not years. If decoys are drawn with equal probability from the entire chain history, most of them will be old, and the one recently created output in the ring will stand out as the most likely real spend. An attacker who knows the distribution of spending behaviour can assign a probability to each ring member and drastically shrink the effective anonymity set.
This is why Monero uses a carefully designed probability distribution for decoy selection rather than uniform sampling. The goal is to make the decoy age pattern match the real spending pattern so closely that statistical analysis cannot distinguish real spends from decoys.
The Gamma Distribution Model
Monero's current decoy selection algorithm uses a gamma distribution, fitted to the logarithm of output age, to decide how old each decoy should be. Parameterized appropriately, the resulting curve assigns high probability to recent outputs and low probability to older ones, closely mimicking how people actually spend their Monero.
The parameters of this distribution were calibrated by empirical analysis of spending patterns. Researchers measured the interval between an output's creation and its spend across a large sample of transactions whose real input could be deduced (in an ordinary Monero transaction the spend time is hidden, so only deducible inputs yield a measurement), and found that a gamma distribution over the log of that interval fits the observed behaviour well.
When your wallet constructs a transaction, it samples an age in seconds from this distribution for each decoy, subtracts the window during which an output is not yet spendable (10 blocks), converts the remaining age into an output index using the chain's average output rate, and then picks one output uniformly at random from the block that index falls in. Outputs younger than the spendable age are never eligible. The result is a set of ring members whose ages are statistically indistinguishable from a set of real spends, so an observer cannot single out the genuine one on timing alone.
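A compact model of this procedure, added here for illustration and not the Monero wallet's own code. It follows the structure of the wallet's gamma picker: sample a log-age, exponentiate to seconds, drop the 10-block lock window, convert to an output index through the average output rate, map that index to a block and choose uniformly inside the block. The constants 19.28 (shape) and 1.61 (rate) are the fitted values published by Möser et al. (2018); the 120-second block target and the 10-block spendable age are Monero consensus parameters. Everything else is an assumption of the example: the chain (a cumulative per-block output count) is constructed, and the real spend's age is drawn from the same gamma model, which is the premise that the model matches real spending. The block also runs the attacker's check from the sections above, "the youngest ring member is the real spend", with decoys drawn either uniformly or from the gamma model.

```python
"""Gamma decoy picker plus a 'guess the youngest ring member' check.
Added example, not Monero project code. Structure follows wallet2's gamma
picker; shape 19.28 / rate 1.61 are the fitted values from Möser et al. (2018);
120 s block target and 10-block spendable age are consensus parameters.
The chain is constructed; real-spend ages come from the same gamma model."""
import bisect
import math
import random

SHAPE = 19.28
RATE = 1.61                  # scale = 1 / rate
BLOCK_TIME = 120             # DIFFICULTY_TARGET_V2, seconds
SPENDABLE_AGE = 10           # CRYPTONOTE_DEFAULT_TX_SPENDABLE_AGE, blocks
UNLOCK_SECONDS = SPENDABLE_AGE * BLOCK_TIME
BLOCKS_IN_A_YEAR = 86400 * 365 // BLOCK_TIME

def synthetic_rct_offsets(n_blocks, rng):
    """Constructed chain: cumulative RingCT output count per block, 2..40 per block."""
    offsets, total = [], 0
    for _ in range(n_blocks):
        total += rng.randint(2, 40)
        offsets.append(total)
    return offsets

class GammaPicker:
    def __init__(self, rct_offsets, rng):
        if len(rct_offsets) <= SPENDABLE_AGE:
            raise ValueError("chain too short")
        self.rng, self.offsets = rng, rct_offsets
        self.end = len(rct_offsets) - SPENDABLE_AGE   # only spendable blocks are eligible
        self.num_rct_outputs = rct_offsets[self.end - 1]
        # Average seconds per output over (at most) the last year of blocks.
        blocks = min(len(rct_offsets), BLOCKS_IN_A_YEAR)
        start = len(rct_offsets) - blocks - 1
        outputs = rct_offsets[-1] - (rct_offsets[start] if start >= 0 else 0)
        self.avg_output_time = BLOCK_TIME * blocks / outputs

    def pick(self):
        """Global output index, or None for a 'bad pick' older than the chain."""
        age_seconds = math.exp(self.rng.gammavariate(SHAPE, 1.0 / RATE))
        if age_seconds > UNLOCK_SECONDS:
            back = int((age_seconds - UNLOCK_SECONDS) / self.avg_output_time)
        else:   # sampled age inside the lock window: fall back to a uniform pick
            back = self.rng.randrange(self.num_rct_outputs)
        if back >= self.num_rct_outputs:
            return None
        output_index = self.num_rct_outputs - 1 - back
        block = bisect.bisect_left(self.offsets, output_index + 1, 0, self.end)
        first_rct = 0 if block == 0 else self.offsets[block - 1]
        n_rct = self.offsets[block] - first_rct
        return None if n_rct == 0 else first_rct + self.rng.randrange(n_rct)

    def pick_distinct(self, n, exclude):
        """n distinct decoy indices, retrying bad picks and duplicates."""
        chosen, tries = set(), 0
        while len(chosen) < n:
            tries += 1
            if tries > 100 * n:
                raise RuntimeError("could not fill ring")
            idx = self.pick()
            if idx is not None and idx not in exclude and idx not in chosen:
                chosen.add(idx)
        return chosen

    def block_of(self, output_index):
        return bisect.bisect_left(self.offsets, output_index + 1)

def min_decoy_age_blocks(n_blocks=50_000, ring_size=16, seed=3):
    """Age in blocks of the youngest decoy in one ring; never below the lock."""
    rng = random.Random(seed)
    picker = GammaPicker(synthetic_rct_offsets(n_blocks, rng), rng)
    decoys = picker.pick_distinct(ring_size - 1, set())
    return min(n_blocks - 1 - picker.block_of(i) for i in decoys)

def youngest_guess_success(decoy_mode, rings=2000, ring_size=16, n_blocks=300_000, seed=1):
    """Fraction of rings where 'the youngest member is the real spend' is right.
    decoy_mode 'gamma' draws decoys from the picker; anything else draws uniformly."""
    rng = random.Random(seed)
    picker = GammaPicker(synthetic_rct_offsets(n_blocks, rng), rng)
    hits = 0
    for _ in range(rings):
        real = None
        while real is None:
            real = picker.pick()             # real spend follows the spend model
        if decoy_mode == "gamma":
            decoys = picker.pick_distinct(ring_size - 1, {real})
        else:                                # the naive uniform selection
            decoys = set()
            while len(decoys) < ring_size - 1:
                d = rng.randrange(picker.num_rct_outputs)
                if d != real:
                    decoys.add(d)
        if real > max(decoys):               # higher index = created later = younger
            hits += 1
    return hits / rings

if __name__ == "__main__":
    for mode in ("uniform", "gamma"):
        print(f"{mode:8s} decoys: youngest-member guess is right "
              f"{youngest_guess_success(mode):.1%} of the time (chance: 6.25%)")
```

With uniform decoys the youngest-member guess is right in the large majority of rings, because a gamma-aged real spend is almost always younger than fifteen outputs drawn from the whole chain; with gamma-selected decoys the guess does no better than picking one of the sixteen members at random.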
Why Even Distribution Is Not Optimal
Intuitively, one might think that selecting decoys with equal probability from all outputs would provide the best anonymity, since every output then looks equally likely. This reasoning is flawed, however, because it ignores the attacker's knowledge of spending patterns.
An attacker who knows that most real spends occur within a few days of output creation can immediately assign very low probability to ring members that are months or years old. If decoys were chosen uniformly, most rings would contain many old outputs and one or two recent ones, and the recent outputs would be the obvious candidates for the real spend. By instead selecting decoys according to the same distribution as real spends, every ring member has a plausible age profile, and the attacker's prior knowledge of spending patterns gives no advantage.
Ring Size Evolution
The number of ring members in Monero transactions has been raised several times over the project's history, reflecting the community's ongoing commitment to strengthening privacy.
- Early Monero (2014-2016) - Ring size was optional and chosen by the sender, with no enforced minimum. Many users chose the smallest value, and a large share of transactions used ring size 1 (no decoys at all), which provided no sender privacy and, because those inputs were trivially identified, also let analysts eliminate them as decoys from other users' rings.
- Mandatory minimum ring size 3 (March 2016) - A hard fork established the first mandatory minimum, ensuring that every transaction provided at least basic sender privacy.
- Minimum ring size 5 (September 2017) - The hard fork that made RingCT mandatory also raised the minimum ring size to 5.
- Minimum ring size 7 (April 2018) - The minimum was raised to 7.
- Fixed ring size 11 (October 2018) - The ring size became fixed rather than a minimum, so that an unusual choice of ring size could no longer fingerprint a wallet. Ring size 11 remained the standard for several years.
- Ring size 16 (August 2022) - The most recent increase expanded rings to 16 members, enlarging the anonymity set of every transaction.
Each increase in ring size makes statistical deanonymization harder by expanding the set of plausible real spends. However, larger rings also increase transaction size and verification time, creating a trade-off between privacy and efficiency that the community evaluates before each change.
The Poisoned Output Attack
One of the most studied attacks against Monero's ring signature scheme is the poisoned output attack, also known as the flooding or black marble attack. The adversary creates a large number of outputs on the blockchain that they control. Because the adversary knows which of their own outputs they have actually spent, they know that any of their outputs appearing in someone else's ring is a decoy and can strike it from consideration.
Here is how it works in practice. An adversary generates thousands of transactions sending Monero to themselves, building a large pool of outputs they control. When a regular user constructs a ring, some of the selected decoys may be the adversary's outputs. The adversary recognises those outputs, knows they did not spend them in that transaction, and removes them, shrinking the effective ring size. If enough ring members can be removed, the real spend is exposed.
Mitigations
Several factors limit the effectiveness of poisoned output attacks. First, executing the attack at scale is expensive: every flood output costs a transaction fee and ties up real Monero. Second, the larger the ring size, the larger the share of selectable outputs the attacker must control to meaningfully reduce anonymity; if the attacker controls a fraction p of the outputs the wallet can choose from, only about p^15 of 16-member rings collapse to the real spend alone. Third, outputs cannot be chosen as decoys until they are 10 blocks old. That lock is not a defence against flooding, however: because the selection algorithm favours recent outputs, a burst of fresh attacker outputs is over-represented among decoys for as long as it stays recent, which is why cost, larger rings and ultimately FCMP++ carry more weight than age restrictions.
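To put numbers on the second point, here is an added model (not Monero project code) of the effective ring size an adversary is left with after striking out the decoys it controls. It assumes that each of the 15 decoys is independently attacker-controlled with probability p, the attacker's share of the outputs the wallet can select from, so the effective ring size is 1 plus a Binomial(15, 1-p) count of surviving decoys. The independence is an assumption of the model; as noted above, the wallet's age weighting means a fresh flood can hold a larger share among chosen decoys than among all outputs on the chain, so p should be read as the share among selectable outputs at the time of the spend, not the attacker's share of the whole chain.

```python
"""Effective ring size under a poisoned-output (flooding) attack.
Added example, not Monero project code. Model assumption: each decoy is
attacker-controlled independently with probability p, so the ring seen by
the attacker has 1 + Binomial(ring_size - 1, 1 - p) members."""
from math import comb

def effective_ring_distribution(ring_size, p):
    """Map effective ring size -> probability, for attacker share p."""
    k = ring_size - 1                         # number of decoys
    dist = {}
    for survivors in range(k + 1):            # decoys NOT controlled by the attacker
        prob = comb(k, survivors) * (1 - p) ** survivors * p ** (k - survivors)
        dist[1 + survivors] = prob
    return dist

def expected_effective_ring_size(ring_size, p):
    """Mean of the distribution above: the real spend plus surviving decoys."""
    return 1 + (ring_size - 1) * (1 - p)

def prob_fully_deanonymized(ring_size, p):
    """Every decoy is attacker-controlled, so the ring collapses to the real spend."""
    return p ** (ring_size - 1)

def share_needed_for(ring_size, target_prob):
    """Attacker share of selectable outputs at which a fraction target_prob of
    rings collapse to the real spend alone (inverse of prob_fully_deanonymized)."""
    return target_prob ** (1 / (ring_size - 1))

def compare(ring_sizes=(11, 16), shares=(0.1, 0.25, 0.5, 0.75, 0.9)):
    """Rows of (ring size, attacker share, E[effective size], P[size == 1])."""
    return [(n, p, expected_effective_ring_size(n, p), prob_fully_deanonymized(n, p))
            for n in ring_sizes for p in shares]

if __name__ == "__main__":
    print("ring  share  E[effective]  P[ring==1]")
    for n, p, e, q in compare():
        print(f"{n:4d}  {p:5.2f}  {e:12.2f}  {q:10.6f}")
    for n in (11, 16):
        print(f"ring {n}: to collapse 10% of rings outright the attacker needs "
              f"{share_needed_for(n, 0.10):.1%} of selectable outputs")
```

The table shows the two effects separately: the expected effective ring size falls linearly with the attacker's share (a 50% share turns a 16-member ring into 8.5 on average), while outright deanonymization stays rare until the share is very high, since even at 50% only one ring in about 33,000 loses all fifteen decoys. Moving from ring size 11 to 16 raises the share needed to collapse a tenth of all rings from roughly 79% to roughly 86%.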
Temporal Analysis Risks
Even with a well-designed selection algorithm, temporal analysis remains a concern. Temporal analysis exploits the timing of transactions and outputs to infer which ring member is the real spend.
For example, if a transaction is broadcast soon after a particular output becomes spendable and that output appears in the ring, the output is a somewhat more likely candidate for the real spend. The wallet mitigates this by always drawing decoy ages from the gamma distribution, so a very young member is not unusual in itself, but timing correlations at the network level can still provide clues.
Another temporal vector is mempool observation. An output cannot appear in a ring until the transaction that created it has been mined and has aged 10 blocks, so an unconfirmed output is never a ring member. What an observer watching the mempool does gain is the moment each transaction first appeared and which peer relayed it, information the blockchain itself does not record, and that can be correlated with a suspected sender's activity. Dandelion++, Monero's network-level transaction relay protocol, mitigates this by obscuring which node originated a transaction and when.
Known Weaknesses in Historical Decoy Selection
Research has identified several weaknesses in earlier versions of Monero's decoy selection algorithm. Before the gamma model was adopted, the selection rules were biased towards older outputs, allowing statistical deanonymization of a significant fraction of transactions. Academic papers showed that simply picking the newest ring member (the "guess newest" heuristic) identified the real spend far more often than chance.
These findings prompted the switch to the gamma distribution model and motivated ongoing research into improving the selection algorithm. The Monero Research Lab actively collaborates with academic researchers to identify and address weaknesses before they can be exploited in practice.
Current Research and Improvements
The Monero research community continues to study and refine the decoy selection process. Active areas of investigation include better modelling of real spending behaviour using larger datasets, adaptive selection algorithms that adjust their parameters as spending patterns change over time, and techniques for making the selection process more resistant to adversarial manipulation.
One promising line of research involves binning outputs by age bracket and selecting from within these bins to produce more natural-looking distributions. Another approach considers the transaction graph structure, avoiding selections that create statistically unusual patterns when multiple transactions are analysed together.
FCMP++: Eliminating the Decoy Problem Entirely
The most significant development on Monero's privacy roadmap is Full-Chain Membership Proofs, known as FCMP++. This protocol upgrade changes how sender privacy works by eliminating decoys entirely.
With FCMP++, instead of a ring of 16 members (the real spend plus 15 decoys), each transaction proves that the spent output belongs to the set of all outputs on the blockchain. The anonymity set grows from 16 to every output on the chain, making statistical analysis of ring composition meaningless: there are no decoys to analyse because every output is equally a candidate.
FCMP++ achieves this with curve trees and zero-knowledge proofs that can efficiently prove membership in very large sets. The computational and storage overhead is manageable despite the enormous anonymity set, making the approach practical for deployment.
When FCMP++ is activated, the entire category of attacks based on decoy selection analysis becomes obsolete: poisoned output attacks, analysis of ring composition and statistical matching of spending patterns all lose their target. Network-level timing correlations of the kind described above are outside its scope and still rely on relay-layer protections such as Dandelion++. Even so, this is a major step forward in Monero's privacy guarantees and demonstrates the project's commitment to continuous improvement.
Until FCMP++ arrives, the current decoy selection algorithm, with its gamma distribution model and 16-member rings, provides strong practical privacy. For those who want to transact with Monero today, MoneroSwapper offers anonymous exchanges that complement the on-chain privacy provided by ring signatures and decoy selection.