A thread on Monero and its relationship with pesky coinbase outputs. Coinbase outputs (those created by miners) stick out like a sore thumb and don't align with typical user behaviors.

Users don't usually spend coinbase outputs. Only solo miners and mining pools will spend them. So if you receive a payment from a customer that contains coinbase outputs in their ring(s), they probably *are* decoys, not actual spends of coinbase outputs.

Most Monero hashrate is made up of public pools, which publish a list of blocks they mine. Thus, outside observers know that these coinbase outputs can only be spent by pools. If pools also share transaction lists, observers can usually see which transaction actually spends it.

Möser, et al. focused on tracing mining-related coinbase outputs in later revisions of their original paper, under section 5.1.

https://arxiv.org/abs/1704.04299 

I spoke on these issues publicly in the 10th episode of Breaking Monero "Public Mining Pools." In addition to coinbase outputs, I focused on other change outputs to public mining pools from payouts, which could be deducible if transaction data is known.

In February 2019, I summarized my thoughts about segregating coinbase-only rings here, branded as a "crazy idea." This would require spends of coinbase outputs to *only* include other coinbase outputs as decoys. https://medium.com/@JEhrenhofer/lets-stop-using-coinbase-outputs-da672ca75d43?source=friends_link&sk=48cac958597ddc4be004bbb5d5f59f95

Over the past year (and before that, since I made a deck circulated within MRL since early 2018), I've been trying to convince people that segregating coinbase outputs is a good idea. Typical txs contain ~1-2 coinbase outputs per ring. For "normal" spends, those are wasted decoys

Enter Sarang Noether. He investigated the deducible, pre-RCT outputs to see if there are spend pattern differences between coinbase outputs and non-coinbase outputs. I intuitively assumed that they would be different, and that CB outputs would be spent faster on average over time

My intuition was wrong. Here you can see the current gamma distribution and the spends of coinbase and non-coinbase outputs (pre-RCT, deducible). They're almost exactly the same.

Broken out by 200k block chunks, you can see that on average, coinbase outputs were actually spent slightly slower over time.

Now that we have this data, it helps suggest that the selection algorithms for coinbase and non-coinbase outputs, when segregated as I propose, can have similar gamma distributions. We still would like to run this data on Bitcoin outputs, which we can test with more recent data.

In any case, I strongly support segregating coinbase-only rings for the forthcoming CLSAG Monero protocol upgrade. If the selections are actually similar, then it's easier to implement. If they are truly different, then the privacy enhancements can be even larger.

A 10-15% increase in effective ringsize for users at no efficiency hit is a huge win in my book. While there is still work to be done on other mining pool public information, this is a large step to further enhance the privacy of the Monero network.

And while there are still potential leaked metadata regarding outputs 1 away from coinbase, in practice this still substantially increases the feasibility of association with broader user spend behaviors, which would now easily include miners on pools, not just pool operators.

Coinbase-only rings, enforced by consensus. It appears to no longer be considered a crazy idea by most. Better rings, here we come!