This article was originally published on The Daily Chain, 21st October 2019.
“I was successfully able to prove z-utxo links of spends”
ITM, October 2019
Metaverse Metadata is a new method of linking private transactions in cryptocurrencies. Currently the focus is on zero-knowledge transactions like those found in Zcash. However, CryptoNote coins like Monero and even MimbleWimble coins like Grin may also be susceptible to this form of analysis, or “attack”.
While the theoretical implications of Metaverse Metadata analysis are immense, they are currently just that — theoretical. We await a working proof-of-concept (POC) and paper detailing the technique, and are told they are coming by the end of this year.
In the very simplest terms the Metaverse Metadata attack (if that is the correct term) is able to deanonymize private transactions due to metadata leaks when spending outputs in UTXO cryptocurrencies.
As though this wasn’t enough to catch your attention, Metaverse Metadata becomes more intriguing still on learning that ITM, its anonymous creator, held a Twitter account for over nine years without posting, until a couple of months ago when he retweeted this @MyHushTeam post. ITM’s first original tweet, a rather ominous missive, came a few days later.
Metaverse Metadata first came to public attention a couple of weeks ago in the Hush Discord, in a dialogue between Komodo’s inimitable core dev JL777 and ITM. Duke Leto, lead dev of Hush, who has sparred on Twitter with well-respected figures in the crypto community regarding this subject, has been involved from an early stage. Thanks to him I can provide a copy of that conversation, which I read a couple of weeks ago. Here is a small excerpt from that chat:
“ITM made the first way to extract information out of ztransactions, even z->z ! even making a dependency graph seems to be a breakthrough and any optional zaddr chain will very quickly have amounts and dependency graph deanonymized”
A dependency graph is a visual representation of the interconnections between things; in cryptocurrency it shows the links between addresses, transactions and people’s identities.
These graphs were applied to Bitcoin addresses and transactions in the paper “Bitcoin Transaction Graph Analysis” by Fleder, Kester and Pillai (2014).
Figure 7: The transaction graph for Oct 25, 2013 showing the top page ranked nodes and their first order edges with annotations from web-scraped results. Several noticeable activities, including the seizure of bitcoins from Silk Road entities to a single known FBI address, tend to be involved with the top page ranked nodes.
The paper ends by saying:
In conclusion, we showed that by leveraging several sources of publicly available information via web-scraped forums and Bitcoin’s transaction ledger, the bitcoin transaction network is shown to be not entirely anonymous. Furthermore, we were able to tie bitcoin forum users with the original Silk Road nodes with only a single intermediary. We were also able to successfully find transactions that directly linked the scraped bitcoin forum users with known entities like SatoshiDICE, and Wikileaks implying that they may have dealt with, supported, or interacting with such entities.
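To make the “single intermediary” idea concrete, here is an added Python sketch of address-graph linking over a constructed toy ledger; it is not code from the article or from the Fleder, Kester and Pillai paper, and the address labels, transactions and the simplified address-level (rather than output-level) graph are assumptions for illustration only.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real Bitcoin data): each transaction spends
# from its input addresses and pays its output addresses. Labels such as
# "forum_user_A" stand in for addresses tagged via scraped forum posts.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["forum_user_A"], "outputs": ["mixer_X"]},
    {"txid": "t2", "inputs": ["mixer_X"], "outputs": ["silkroad_seized"]},
    {"txid": "t3", "inputs": ["forum_user_B"], "outputs": ["shop_Y"]},
    {"txid": "t4", "inputs": ["shop_Y"], "outputs": ["hop_Z"]},
    {"txid": "t5", "inputs": ["hop_Z"], "outputs": ["satoshidice"]},
]


def build_graph(txs):
    """Directed address graph: one edge src -> dst per input/output pair of a tx."""
    graph = defaultdict(set)
    for tx in txs:
        for src in tx["inputs"]:
            for dst in tx["outputs"]:
                graph[src].add(dst)
    return graph


def shortest_path(graph, start, target, max_hops):
    """Breadth-first search; returns the address path, or None if it needs more than max_hops edges."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if len(path) - 1 >= max_hops:
            continue  # do not expand beyond the hop budget
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def link_users(graph, users, entities, max_intermediaries=1):
    """Map each (user, entity) pair to its path when at most max_intermediaries addresses sit between them."""
    links = {}
    for user in users:
        for entity in entities:
            path = shortest_path(graph, user, entity, max_intermediaries + 1)
            if path:
                links[(user, entity)] = path
    return links
```

With one intermediary allowed, only forum_user_A is tied to the seized Silk Road address via mixer_X; forum_user_B is reached only when the hop budget is raised to two, which is why such analyses report how many hops a link required.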
In today’s world, blockchain analysis is big business, with companies like Chainalysis whose mission is to “build trust in blockchains and for us that begins with transparency”.
“We create transparency across blockchains so government agencies, cryptocurrency businesses, and financial institutions can engage confidently with cryptocurrency.”
The point of all this is that the creation of dependency graphs for zk-SNARKs or “zero knowledge” transactions is thought to be impossible. To prevent the linking of transactions is the raison d’être and entire value-proposition of Zcash and other privacy coins. These revelations suggest that they may no longer be doing that.
A new crypto-currency?
Ever since Metaverse Metadata was first discussed there has been speculation about a new coin. Metaverse Metadata’s analysis is accelerated by GPUs, and we may yet see a Machiavellian plot twist where miners are incentivized to deanonymize transactions from other networks. Is it a crazy idea? ITM seems to think not.
What follows are the answers to a series of questions I asked ITM, the anonymous creator of Metaverse Metadata.
Minor grammatical changes have been made to his text to improve clarity.
WHO ARE YOU?
“I am a Software Engineer. I love Game Programming and Researching.”
WHAT’S THE MOTIVATION BEHIND METAVERSE METADATA?
“I’m always doing research. The focus shifts, but lately I’ve had time to focus on research and this time I decided to pick up ZK-Snarks. So a few months ago Zcash moved from sprout to sapling and had a trusted setup. One of my main concerns is what do other researchers know that we don’t know? I want to know what the ECC [Electric Coin Company] or others know about ZK-Snarks. I love understanding algorithms and cryptography algorithms is one of them.”
“I had to start somewhere and about six months ago when HUSH moved to pure sapling I started playing around. Lots of failed attempts. I did not want to know how HUSH is implemented or what software bugs it has, or how the consensus works. My focus was the mathematics behind ZK-Snarks.”
“I came up with dozens of different assumptions. Each was proven invalid and each time I got to understand Zcash better. One was that I wanted to know how Zero Knowledge hides yet is able to prove it’s valid. How it prevents double spending of shield transaction not known to anyone.”
“So I produced a hypothesis. To prevent double spending the shielded transactions should have a dependency on an input and produce an output.”
“Then after seven weeks, with three failed attempts I was able to determine the dependency of a shielded transaction. It’s all mathematics and completely different from my hypothesis. There is no known input or output since its zero knowledge.”
WHAT IS METAVERSE METADATA?
“The concept is not an attack, but purely mathematical proofs. Lots of people get the wrong assumption it’s an attack but it’s actually mathematical proofs.”
“You prove a dependency exists by removing a required spent nullifier.”
“One could completely reverse proof to get an invalid proof + a constant curve and by putting the same constant curve + dependency input, the Original will be valid. So we first have to disprove a mathematical equation and then prove it. On a couple of runs I got a lot of invalid proofs. All the test data was unspent inputs.”
“After a lot of altering and modifying the framework I was successfully able to prove z-utxo links of spends (ZChain to ZChain — 1). So a zTx1 -> zTx2 -> zTx3. I was able to prove zTx2 depends on zTx1. I ran the test on a live network (ARRR) and was able to determine which exchange the funds came from and which exchange they went to (of course only targeting my txids and my withdrawal, since processing time will be a lot).”
WHEN WILL YOU RELEASE A PROOF-OF-CONCEPT?
“The next step going forward is moving the proof of concept (POC) research to a public POC. Since the research framework used is huge and has a lot of things we don’t want to disclose due to IP rights and even personal academic interest. When the POC is done we are going to optimize it and start the next research (shield transaction to tx). We will also allow teams to independently prove other advanced concepts and build a platform so anyone can research and play around.”
“My initial aim for a proof-of-concept was 2020, but since things have sped up we can expect a full POC before this year’s end. Duke has been helping since day one. He’s done a lot and lately he started helping with writing functionality required for an isolated POC. I pulled-in two friends to help with low level stuff so I can focus on the mathematics and proofing. There are three of us.”
ARE MIMBLEWIMBLE AND CRYPTONOTE COINS VULNERABLE?
“I really haven’t looked into Mimblewimble, I cannot claim they are affected or not. Cryptonote uses a similar technology but I’m also not 100% sure bulletproofs are affected. I have 1 member setting up certain environments for XMR (a completely separate chain) to see if the bulletproofs can be affected by the method.”
WILL YOU PUBLISH MITIGATIONS FOR METAVERSE METADATA?
“Duke Leto is working on mitigations before releasing the POC to the public. We will need to mitigate the attack, but for now one should learn how zk-snarks works to understand the correct usage for maximum privacy.”
WHAT IS YOUR BACKGROUND, AND WHAT’S THE STORY WITH YOUR TWITTER ACCOUNT?
“I was in crypto for a long time (2011), but before that I was working with a lot of security software and creating tools before 2010. I decided to keep a low profile after I started in academia, and decided it was best to stay incognito.”
“Only when I was done with my academic studies did I start posting on twitter.”
“I did get banned the first week Litecoin (LTC) was released (I told them ASIC resistant is a lie), and also got banned from Monero (XMR) for claiming RingCT was flawed.”
“I decided to remove my tweets in 2013 since they were not well received.”
“In 2013, I helped a company build a Scrypt ASIC (codenamed Fusion ASIC) with a friend that coded the chips. I showed LTC the strength of the ASIC by running it on Feathercoin (FTC), which increased the difficulty sooo high that legal miners left, and I left. When the difficulty dropped a bad player 51% attacked the network and I was seen as the attacker, although I had nothing to do with the attack.”
“Since then I decided to keep quiet and keep information to myself.”
“So after a year, Scrypt miners flooded the market, and after 3 years XMR was proven incorrect: XMR could be analyzed with ease. If XMR just decided to understand the theory behind it, they would have understood and mitigated the attack 5 years ago. I had POC ready on my framework in 2015, but I decided that it would take a lot of time which I didn’t really have since I was working a full-time job.”
WILL WE SEE A METAVERSE METADATA COIN?
“The main purpose of a new protocol is to allow a research platform to utilize miner GPUs and in return get paid in a coin. So the starting goal is to show how realistic it is to deanonymize a blockchain using a community effort.”
“Since bad actors will have 1000’s more resources than us this will also force blockchain projects to improve on privacy and not take it for granted.”
WHAT’S YOUR INTEREST IN HUSH?
“Hush messages are encrypted. When HushList is completed this will allow people to communicate securely. There are a lot of applications HushList can be used for. It can be used for whistle-blowing in companies, ratings platforms, and in data protection between companies.”
“Yes, Hush might be cloned or HushList integrated into other projects, but investing in Hush allows HushList to become better. HushList was near completion and Hush did get a lot of major setbacks like sprout to sapling, and a lot of catch-up. Moving to Komodo was a good decision since now the focus on HushList will soon be back as the priority.”
“This year Hush’s focus was getting exchanges and wallets up and running. Many blockchains moved to Komodo DPoW and the Komodo community are working together, which I have never seen happen in the past. Also there was a lot of progress Duke made in Hush that helped hundreds of other blockchains.”
Only in crypto does one really get stories like these, where a single person can challenge the assumptions we all make about security and privacy. At this stage, with no proof-of-concept or documentation, it is impossible to gauge how damaging Metaverse Metadata will be to the incumbent privacy coins.
Long-term though, the work carried out by ITM and his researchers is in our best interests and good for privacy. Our journey to better privacy could yet be a tumultuous one.
I hope the above chat with ITM gave you a flavor for what to expect in the coming months.
The Daily Chain readers will be updated on Metaverse Metadata following the release of a proof-of-concept.
Thanks to ITM for taking the time to discuss his past and the future of Metaverse Metadata.