
Monero's Decoy Selection Algorithm: How Ring Members Are Chosen

MoneroSwapper Team · Apr 17, 2026 · 8 min read · 10 views

Why Decoy Selection Matters

Monero's ring signatures work by mixing a real spent output with a set of decoy outputs drawn from the blockchain. When a user spends Monero, their wallet selects several other outputs that plausibly could be the real one and constructs a cryptographic proof that the spender owns one of them without revealing which. The security of this scheme depends critically on how those decoys are chosen. If the selection algorithm has predictable biases, statistical analysis can narrow down which output is the real spend, potentially deanonymizing the sender.

Consider a naive approach where decoys are selected uniformly at random from all outputs on the blockchain. This seems fair, but it creates an immediate problem. Real spends tend to occur relatively soon after outputs are received. People receive Monero and spend it within days or weeks, not years. If decoys are selected with equal probability from the entire blockchain history, most decoys will be old outputs, and the one recently created output in the ring will stand out as the most likely real spend. An attacker who knows the spending behavior distribution can assign probabilities to each ring member and significantly reduce the effective anonymity.

This is why Monero uses a carefully designed probability distribution for decoy selection rather than uniform random sampling. The goal is to make the decoy selection pattern match the actual spending pattern so closely that statistical analysis cannot distinguish real spends from decoys.

The Gamma Distribution Model

Monero's current decoy selection algorithm uses a modified gamma distribution to determine the age of decoy outputs. The gamma distribution is a continuous probability distribution that, when parameterized appropriately, produces a curve that assigns higher probability to recent outputs and lower probability to older ones, closely mimicking how people actually spend their Monero.

The specific parameters of the gamma distribution used by Monero have been calibrated through empirical analysis of spending patterns on the blockchain. Researchers studied the distribution of time intervals between when outputs are created and when they are actually spent across a large sample of transactions. The gamma distribution was found to provide a good fit for this observed spending behavior.

When your wallet constructs a transaction, it samples from this gamma distribution to determine the age offset for each decoy. It then selects an actual output from the blockchain that matches this age as closely as possible. The result is a set of ring members whose ages are statistically indistinguishable from a set of real spends, making it difficult for an observer to determine which one is genuine based on timing alone.

Why Even Distribution Is Not Optimal

Intuitively, one might think that selecting decoys with equal probability from all outputs would provide the best anonymity since every output looks equally likely. However, this reasoning is flawed because it ignores the attacker's knowledge of spending patterns.

An attacker who knows that most real spends occur within a few days of output creation can immediately assign very low probability to ring members that are months or years old. If the decoy selection process chose uniformly, most rings would contain many old outputs and one or two recent ones, making the recent outputs obvious candidates for the real spend. By instead selecting decoys according to the same distribution as real spends, every member of the ring has a plausible age profile, and the attacker's prior knowledge of spending patterns provides no advantage.
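
The effect described here, together with the sampling step from the gamma model section, can be measured with a small simulation. This is an added example, not code from the article or from Monero's wallet: the shape 19.28 and rate 1.61 (a gamma fit over the logarithm of output age in seconds), the synthetic five-year chain and all function names are assumptions.

```python
import bisect
import math
import random

# Assumptions, not from the page: gamma fit over ln(age in seconds) with
# shape 19.28 and rate 1.61 (Moser et al.); the chain below is constructed.
SHAPE, RATE = 19.28, 1.61
RING_SIZE = 16
MIN_AGE, MAX_AGE = 1200.0, 5 * 365 * 86400.0   # seconds before "now"


def gamma_pick(rng, ages):
    """Sample an age from the spend-age model; return the nearest output's index."""
    while True:
        age = math.exp(rng.gammavariate(SHAPE, 1.0 / RATE))
        if MIN_AGE <= age <= MAX_AGE:          # re-draw ages outside the chain
            break
    i = bisect.bisect_left(ages, age)
    if i == len(ages) or (i > 0 and age - ages[i - 1] < ages[i] - age):
        i -= 1
    return i


def uniform_pick(rng, ages):
    """Naive selection: every output on the chain is equally likely."""
    return rng.randrange(len(ages))


def newest_guess_rate(decoy_pick, trials=5000, seed=7):
    """Fraction of rings where 'guess the youngest member' finds the real spend."""
    rng = random.Random(seed)
    ages = sorted(rng.uniform(MIN_AGE, MAX_AGE) for _ in range(200_000))
    hits = 0
    for _ in range(trials):
        real = gamma_pick(rng, ages)           # real spends follow the model
        ring = {real}
        while len(ring) < RING_SIZE:           # distinct decoys only
            ring.add(decoy_pick(rng, ages))
        hits += min(ring) == real              # ages are sorted: lowest index is youngest
    return hits / trials


if __name__ == "__main__":
    print("uniform decoys:", newest_guess_rate(uniform_pick))
    print("gamma decoys:  ", newest_guess_rate(gamma_pick))
    print("blind guess:   ", 1 / RING_SIZE)
```

With uniform decoys the youngest-member guess is right for most rings, while with decoys drawn from the same model as real spends it falls to roughly the blind-guess rate of 1 in 16.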

Ring Size Evolution

The number of ring members in Monero transactions has increased several times over the project's history, reflecting the community's ongoing commitment to strengthening privacy.

  • Early Monero (2014-2016) - Ring sizes were optional and variable. Users could choose their own ring size, with a minimum as low as 3. Many users chose the minimum, and some even used ring size 1, which provided no sender privacy at all.
  • Mandatory minimum ring size 5 (2016) - A hard fork established a mandatory minimum ring size, ensuring that all transactions provided at least basic sender privacy.
  • Ring size 7 (2018) - The mandatory ring size was increased to 7, providing stronger anonymity guarantees.
  • Ring size 11 (2019) - A further increase brought the ring size to 11, which was the standard for several years.
  • Ring size 16 (2024) - The most recent increase expanded rings to 16 members, significantly increasing the anonymity set for each transaction.

Each increase in ring size makes statistical deanonymization harder by expanding the set of plausible real spends. However, larger rings also increase transaction sizes and verification times, creating a trade-off between privacy and efficiency. The community carefully evaluates these trade-offs before each increase.

The Poisoned Output Attack

One of the most studied attacks against Monero's ring signature scheme is the poisoned output attack, also known as the flooding attack or the Heuristic attack. In this attack, an adversary creates a large number of outputs on the blockchain that they control. Because the adversary knows which of their outputs are spent and which are unspent, they can eliminate their own outputs from consideration when they appear as decoys in other users' rings.

Here is how it works in practice. An adversary generates thousands of transactions sending Monero to themselves, creating a large pool of outputs they control. When a regular user creates a ring signature, some of the randomly selected decoys may be outputs belonging to the adversary. The adversary knows whether their own outputs have been spent, so they can determine that those outputs are decoys in the victim's ring. By eliminating their known decoys, the adversary reduces the effective ring size, potentially identifying the real spend.

Mitigations

Several factors mitigate the effectiveness of poisoned output attacks. First, executing the attack at scale is expensive because it requires creating many transactions with real Monero, incurring transaction fees. Second, the larger the ring size, the more outputs the attacker must control to meaningfully reduce anonymity. With a ring size of 16, an attacker would need to control a very large fraction of all blockchain outputs to have a significant impact. Third, Monero's community has implemented output age restrictions and other heuristics that make it harder for recently created flood outputs to be selected as decoys.
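
A simple model of the second mitigation, added here as an example and not taken from the article or from any Monero code. It assumes the adversary owns a fraction f of the outputs a wallet may pick and that each decoy is drawn independently; the function names are hypothetical.

```python
import random
from math import comb

# Model assumptions (not from the page): the adversary owns a fraction f of
# the outputs a wallet may pick, and each decoy is drawn independently.


def remaining_pmf(ring_size, f):
    """P(k plausible members remain) once adversary-owned decoys are removed."""
    d = ring_size - 1                      # decoys; the real spend always remains
    return {1 + h: comb(d, h) * (1 - f) ** h * f ** (d - h) for h in range(d + 1)}


def expected_remaining(ring_size, f):
    """Mean effective ring size under the model."""
    return sum(k * p for k, p in remaining_pmf(ring_size, f).items())


def fully_traced(ring_size, f):
    """Probability that every decoy is adversary-owned (only the real spend remains)."""
    return remaining_pmf(ring_size, f)[1]


def fraction_needed(ring_size, target):
    """Ownership fraction needed to fully trace a `target` share of rings."""
    return target ** (1.0 / (ring_size - 1))


def simulate(ring_size, f, trials=20_000, seed=1):
    """Monte Carlo check of expected_remaining() on constructed rings."""
    rng = random.Random(seed)
    kept = sum(1 + sum(rng.random() >= f for _ in range(ring_size - 1))
               for _ in range(trials))
    return kept / trials


if __name__ == "__main__":
    for n in (5, 7, 11, 16):               # ring sizes listed in the article
        print(n, round(expected_remaining(n, 0.5), 2),
              f"{fully_traced(n, 0.5):.2e}", round(fraction_needed(n, 0.5), 3))
```

Under this model, an adversary owning half of the eligible outputs still leaves an average of 8.5 plausible members in a 16-member ring, and fully tracing half of all such rings would require owning about 95% of eligible outputs.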

Temporal Analysis Risks

Even with a well-designed selection algorithm, temporal analysis remains a concern. Temporal analysis exploits the timing of transactions and outputs to make inferences about which ring member is the real spend.

For example, if a transaction is broadcast immediately after a specific output is created, and that output appears in the transaction's ring, there is a higher probability that this output is the real spend. The wallet software mitigates this by ensuring that rings always contain a mix of ages consistent with the gamma distribution, but timing correlations at the network level can still provide clues.

Another temporal analysis vector involves watching the memory pool. If an observer sees an output arrive in the mempool and then shortly afterward sees a new transaction that includes this output in its ring, the timing correlation suggests the output may be the real spend. Dandelion++, Monero's network-level privacy protocol, helps mitigate this by obscuring the origin and timing of transaction broadcasts.

Known Weaknesses in Historical Decoy Selection

Research has identified several weaknesses in earlier versions of Monero's decoy selection algorithm. Before the gamma distribution model was adopted, the selection algorithm had biases that allowed statistical deanonymization of a significant fraction of transactions. Academic papers demonstrated that by analyzing the age distribution of ring members across many transactions, researchers could identify the real spend with accuracy significantly better than random chance.

These findings prompted the switch to the gamma distribution model and motivated ongoing research into improving the selection algorithm. The Monero Research Lab actively collaborates with academic researchers to identify and address weaknesses before they can be exploited in practice.

Current Research and Improvements

The Monero research community continues to study and refine the decoy selection process. Active areas of investigation include better modeling of real spending behavior using larger datasets, adaptive selection algorithms that adjust their parameters as spending patterns change over time, and techniques for making the selection process more resistant to adversarial manipulation.

One promising line of research involves binning outputs by age brackets and selecting from within these bins to create more natural-looking distributions. Another approach considers the transaction graph structure, avoiding selections that create statistically unusual patterns when multiple transactions are analyzed together.

FCMP++: Eliminating the Decoy Problem Entirely

The most exciting development in Monero's privacy roadmap is Full-Chain Membership Proofs, known as FCMP++. This protocol upgrade will fundamentally change how sender privacy works by eliminating the concept of decoys entirely.

With FCMP++, instead of selecting a small ring of 16 decoy outputs, each transaction proves that the real spent output belongs to the set of all outputs on the entire blockchain. The anonymity set expands from 16 to millions, making statistical analysis of ring composition completely infeasible. There are no decoys to analyze because every output on the blockchain is equally a candidate.

FCMP++ achieves this using advanced cryptographic techniques including curve trees and zero-knowledge proofs that can efficiently prove membership in very large sets. The computational and storage overhead is manageable despite the enormous anonymity set, making this approach practical for real-world deployment.

When FCMP++ is activated, the entire category of attacks based on decoy selection analysis becomes obsolete. Poisoned output attacks, temporal analysis of ring composition, and statistical deanonymization through spending pattern matching will all be rendered ineffective. This represents a quantum leap in Monero's privacy guarantees and demonstrates the project's commitment to continuous improvement.

Until FCMP++ arrives, the current decoy selection algorithm with its gamma distribution model and 16-member rings provides strong practical privacy. For those who want to transact with Monero today, MoneroSwapper offers anonymous exchanges that complement the on-chain privacy provided by ring signatures and decoy selection.
