On Defeating Graph Analysis of Anonymous Transactions

TL;DR

This work analyzes the global anonymity of ring-sampler based anonymous systems by modeling ring memberships as transaction graphs and examining their induced digraphs. By reducing the problem to the strong connectivity of chunk-induced digraphs and focusing on regular partitioning samplers, the authors show that choosing the ring decoy parameter $k$ on the order of $\ln(2|U|)+\sqrt{2\ln(2|U|)}$ yields an upper bound $\Pr[G\neq\textsf{Core}(G)] \le \tfrac{1}{k+1}$, making graph-based deanonymisation no more effective than random guessing up to a factor of 2. The approach relies on conjectures linking $k$-in-degree regular and binomial random digraph models, supported by extensive empirical evidence, and extends to active attacks via the black-marble framework. Practically, the results provide concrete guidelines for selecting partitioning-sampler parameters to resist graph-based deanonymisation in LRS-based cryptocurrencies and similar decoy-based anonymity systems. The work thus contributes a global-security perspective to anonymity guarantees beyond local measures, with implications for coin-mixing, mix-nets, voting, and related applications.

Abstract

In a ring-signature-based anonymous cryptocurrency, signers of a transaction are hidden among a set of potential signers, called a ring, whose size is much smaller than the number of all users. The ring-membership relations specified by the sets of transactions thus induce bipartite transaction graphs, whose distribution is in turn induced by the ring sampler underlying the cryptocurrency. Since efficient graph analysis could be performed on transaction graphs to potentially deanonymise signers, it is crucial to understand the resistance of (the transaction graphs induced by) a ring sampler against graph analysis. Of particular interest is the class of partitioning ring samplers. Although previous works showed that they provide almost optimal local anonymity, their resistance against global, e.g. graph-based, attacks were unclear. In this work, we analyse transaction graphs induced by partitioning ring samplers. Specifically, we show (partly analytically and partly empirically) that, somewhat surprisingly, by setting the ring size to be at least logarithmic in the number of users, a graph-analysing adversary is no better than the one that performs random guessing in deanonymisation up to constant factor of 2.

Figures (5)

• Figure 1: Toy example of transaction graph. Edges correspond to ring memberships, e.g. $(u_1,r_3)$ means user 1 is a member of ring 3. The red edges are the only maximum matching.
• Figure 2: Example of a transaction graph $G$ ($U$ and $R$ being nodes on left and right respectively) and its induced digraph $\mathsf{id}_{}(G)$. The subgraph in the dotted rectangle is $G^\smalltriangle$. The yellow, blue and red edges correspond to edges considered in \ref{['lem:tassa']}\ref{['item:ii']} to \ref{['item:lownode']} respectively, the black edges are none of them.
• Figure 3: Induced transaction graph sampler $\mathcal{G}\xspace^\mathsf{Samp}(U,m)$ and Experiments for the security of $\mathsf{Samp}$ against graph-based deanonymisation attacks. The variant incorporating black marble attacks is in dashed boxes.
• Figure 4: Plots of $p^{\mathtt{reg}}_{k,n}$, $p^{\mathtt{bin}}_{k,n}$, and $\bar{p}^{\mathtt{bin}}_{k,n}$ against $k$ for selected values of $n$ in both linear- and log-scale.
• Figure 5: Plots of $p^{\mathtt{reg}}_{k,n}$, $p^{\mathtt{bin}}_{k,n}$, and $\bar{p}^{\mathtt{bin}}_{k,n}$ against $n$ for selected values of $k$ in both linear- and log-scale.

Theorems & Definitions (38)

• Definition 2.1: Matching
• Definition 2.2: Core
• Definition 2.3: Transaction Graph
• Definition 2.4: Upper Graph
• Definition 2.5: Transaction Graph Partitioning
• Definition 2.6: Edge Reachability
• Definition 2.7: Strong and Weak Connectivity
• Definition 2.8: Strongly Connected Component
• Definition 2.9: Induced Digraph
• Definition 2.10: $k$-In-Degree Regular Digraphs