Alias is a privacy crypto project with some unique features. Alias uses ring-signatures like Monero for example as one of the privacy-enhancing features. This provides plausible deniability through the use of decoys in transactions. However, Alias has a unique advantage over other decoy-based systems, such as Monero in that Alias has a dual-coin system that can in fact increase privacy in certain circumstances. The dual-coin system allows for the creation of ‘taint free‘ anonymous outputs for a user upon conversion between the public and private transaction outputs. Alias also has a unique anonymous staking protocol that will further add output entropy through consolidation and splitting algorithms. These features of Alias might aid to mitigate certain attacks on decoy-based systems.
Ring-signatures use decoys to obscure the real input in a transaction.
This feature is based around observations made in the following articles; Blockchain Privacy: Equal Parts Theory and Practice by Ian Miers, Breaking Mimblewimble’s Privacy Model by Ivan Bogatyy and the response to this article Factual inaccuracies of “Breaking Mimblewimble’s Privacy Model” by Daniel Lehnberg. This relates to a series of possible attacks on decoy-based systems.
The discussions above have highlighted a potential use case for Alias’s dual-coin system and has shown how in fact the dual-coin system can be utilised to increase the level of privacy and counter a so-called “flashlight attack” or similar attacks that MimbleWimble coins (Grin and others) and Monero might still be susceptible to. I know Monero uses RingCT and amounts are obscured but that does not prevent the possibility of linking sender and receiver.
Monero, Grin, and Alias all use “decoy-based” strategies to achieve un-likability of transactions. That means that in Alias’s private ALIAS transactions we use ‘anonymity sets‘ in the ring-signatures so only 1 in 10 inputs in a particular transaction is actually being spent, i.e. 1 real input and 9 decoys. Monero and Grin also utilise ‘anonymity sets‘ in their protocols to conceal the real input. Decoy-based anonymity then clearly assumes that the decoys can not be identified as such and that the outputs/inputs are not ‘tainted‘ in such a way that they can be identified. If a decoy or output/input can be identified by an adversary then the level of anonymity decreases and link-ability becomes more likely.
The example used to describe the problem with ‘tainted coins‘ and the so-called “flashlight attack” is the following scenario:
“I’m a dissident in an authoritarian country who needs to accept donations, but I cannot reveal my real identity; my life is at risk in the country where I do my activism. But I need to be able to fund my work. Of course, the government of that locale is trying to identify me. They have intel agencies and secret police at their disposal.“
Ian Miers (Blockchain Privacy: Equal Parts Theory and Practice)
In order for our ‘activist‘ to accept any payments at all he/she will have exposed his/her address at some point to the public, maybe on a website or in a forum. In the case of Monero and Alias, the ‘activist’ would share a stealth address thinking that he/she would be safe. Now imagine that your adversary starts sending payments to this stealth address in an attempt to later trace the transactions. Maybe the adversary would send three payments, maybe 10, maybe even 100 payments or more. The payments could be tiny, insignificant amounts. The amount transacted in this case has no relevance at all. It is the fact that the adversary creates unspent outputs that he/she now knows belong to the ‘activist’. Remember that every anonymous unspent output can be uniquely identified by its public key. At some point, the ‘activist’ is going to deposit the funds from those payments, maybe to an exchange. That exchange could be compromised in some way.
The ‘activist’ thinking he/she is safe could actually be in serious trouble. An exchange or anyone who controls or has access to that exchange can attempt to link the depositor to the ‘activist’. It would be possible to inspect the sets of ‘coins‘ / ‘inputs‘ used in the deposit to the exchange and infer the possible origin of the deposits.
As the adversary has ‘injected’ a large number of ‘tainted coins’ you might expect that some of the ‘tainted coins’ would appear in random transactions as decoys (by ‘tainted’ here we mean that they can trace the movement of their inputs or their involvement in transactions by scanning the blockchain for the corresponding public keys). Therefore, it could be expected that a certain number of transactions involved ‘tainted coins’ and this would not be suspicious. Decoys of course are picked at random so some of the ‘tainted coins‘ could have been chosen as decoys in random transactions. The adversary could look through all deposits to the exchange and build a ‘taint tree’ and if it was found that a large majority of the ‘tainted coins’ were included in a specific user’s deposits, it would be exceptionally likely that this user was, in fact, the ‘activist’.
It is also plausible that an adversary could “follow” the ‘tainted coins‘ they own on the blockchain as they get included in future transactions as decoys and use statistical methods to deduce the real inputs over time. A sufficiently motivated and funded adversary could potentially own thousands, maybe hundreds of thousands of ‘tainted coins‘ on the Monero blockchain for example.
Alias’s dual-coin system could mitigate such an attack if used correctly. When considering the above scenario the dual-coin system comes into its own and we will see that the ‘activist‘ should, in fact, use a public address to receive donations and later convert the funds to anonymous SPECTE through the balance transfer function in the Alias wallet. Let’s see how the ‘activist‘ would be more private by using Alias in the right way. This is how Alias could be more private:
- Use a public ALIAS address to receive payments (only use this address once). There is a possibility that this might make it easier to trace the sender, however.
- Convert all public ALIAS to private ALIAS through the balance transfer function in the wallet.
- Stake the private ALIAS for some time in your wallet. This would consume and create anonymous outputs through the consolidation and splitting algorithms that compliment the “Proof-of-Anonymous-Stake” protocol.
- Convert back to public ALIAS to sell on exchanges. The initial public coins (donation) and the newly generated public coins would be un-linkable through the anonymous staking protocol.
It is as though you have a private exchange in the Alias wallet that can swap public coins for private coins and vice versa and in effect make your funds truly anonymous. The fact that Alias’s anonymous staking protocol constantly consumes and created anonymous outputs makes your coins even harder to trace. This potentially creates a greater level of un-linkability than Monero.