Full-Chain Membership Proofs Development
April 27, 2024
Full-Chain Membership Proofs, as a concept, is a replacement for rings within the Monero protocol. While rings have offered sender privacy to Monero since it launched, they're vulnerable to attacks such as the EAE attack, have difficulties upon chain reorganzations, and in general enable statistical analysis (mitigated by distribution of the decoy selection algorithm). Full-Chain Membership Proofs prove the output spent is one of any output on the chain, effectively removing all of these risks. This means every input goes from an immediate anonymity set of 16 to 100,000,000.
Two proposals have been made for Monero offering such privacy, both under the "Full-Chain Membership Proofs" moniker (further mentions acronymed to "FCMPs"). The first was announced at MoneroKon in 2023, and was intended to be deployed with/after Seraphis. Seraphis distinguished between "membership", the output spent is one of some outputs, and "spend authorization", the output being spent is authorized by the private key holder. With that, much more efficient proofs for membership became possible, including the "Grootle" proofs it was originally proposed with (effectively a ring of 128). FCMPs further improved upon this, requiring Seraphis's new key/transaction format to do so.
The second proposal was made in March of 2024 in response to the spam attacks ongoing at the time. "FCMPs+SA+L", later shortened to simply "FCMP++s", independently adds "Spend Authorization + Linkability", removing the dependency of Seraphis. With further research and development, it was found to add several new features to the Monero protocol, without requiring the migration to Seraphis. These features include,
- Transaction Chaining
Transaction chaining allows signing a transaction spending another transaction, before the spent transaction is published and mined on-chain. This enables certain layer-two designs for Monero (such as some payment channel protocols).
- Outgoing View Keys
Outgoing view keys allow anyone with the outgoing view key to detect when received outputs are spent. Currently, Monero only offers incoming view keys, which do allow detecting spends with extremely high likelihood over the current protocol, yet don't provide 100% certainty. This certainty will make cold wallet setups and multisignature wallets much more efficient, having to bring the private key online far less often. It also allows defining a single "view key", without delineation of "incoming" or "outgoing", simplifying wallet UX.
- Forward Secrecy
Forward secrecy means an adversary with a discrete log oracle, such as an adversary with a quantum computer, cannot break the privacy of the protocol.
While Seraphis also introduces all of these features, it does so with a migration to a new anonymity set and a new address format (invalidating all prior addresses). The FCMP++ proposal not only aims to be faster to deploy yet to do so without the migration. This is enabled by the trade-off of not actually offering any of this functionality at launch however.
The deployed protocol would support all of these features. The wallet code to take advantage of it would be delayed, ensuring that we keep our scope small and achieve the largest goal, full sender privacy, as soon as possible. Wallets could then start taking advantage of these features on their own timeline, without further hard forks nor privacy issues. This would likely be done by merging the Seraphis codebase into Monero, taking advantage of its years of development and improved design. With that, the migration to the new key structures would be optional, and if so, the work done for FCMP++s would provide most of the necessary work for FCMPs with Seraphis.
FCMP++s are based off Curve Trees, and to make the overall proof much more efficient, Eagen's work with elliptic curve divisors. The overall composition has been largely specified, and is currently being reviewed and further detailed as appropriate. The development of the composition was funded, and an earmarked fund for academic review and auditing is still raising. If you are a member of the academic community and are interested in contributing, please feel free to reach out within the Monero Research Lab on IRC or Matrix.
Post tags : Cryptography, Community