 typically have in these things. All right, so next talk on the list, you're not the money printer or why we should separate Coinbase and non-Coinbase rings. So during the talk today, I mean, this talk might not take the full 30 minutes, but one thing I've been really passionate about over the last few years is the idea of treating Coinbase outputs differently than non-Coinbase outputs because people typically spend them in different ways. So ultimately, I made the joke of you're not the money printer because I'll cover who actually prints these Coinbase outputs, whoever handles or touches them. And I'm also going to be keeping a note of the live chat. So I will be able to answer questions on YouTube. Hopefully the quality is working well for everyone here and the stream is going really well. Lots of really good talks today. Thank you, Daniel Kim, for everything you did at the slide before. So first, let's get started about like what, let's first cover what is an output period, right? So outputs are simply piggy banks. I heard this example from someone else. I can't take credit for considering outputs piggy banks. I previously have called them pots of gold or bills or many different other things. But I like the idea of you taking an amount of money, you put it in a container, this piggy bank, and then in order to spend this amount, the receiver needs to break open the piggy bank and put it in a new set, a new output, a new piggy bank. They are single use. So unlike the pot example, it definitely stresses the idea of these being single use. You cannot continue to keep putting these outputs elsewhere. So as a result, an output, you can think of just as a container of money. It's really horrible name output, honestly, just because there's many things that else you should be referring to. Sorry, I'm checking on the stream again. Making sure it's working just fine. Sorry, Sunday livestream. Okay, perfect. So the outputs of that example, because the source of funds could either be going in or out of a transaction. So it definitely is misleading. With Bitcoin, outputs do have connections to addresses. However, you would have a specific source of funds that is tied to a public address and you would be able to search that on the blockchain. However, for Monero, you need to not think of outputs as tied to addresses. You'll see a specific output on the blockchain. You should think about these having ties to the date they were created not to the address that they are associated with because of course with Monero, we do not have addresses to concern ourselves with. Sure, you send and receive funds with addresses, but the blockchain from a perspective of what it shares publicly does not reveal addresses anywhere. They are never present, so therefore do not think of outputs as addresses. Think of them as containers of funds that are single use. It's important that you understand what an output is before I go through the rest of this presentation. Okay, next, what are ring signatures? Well ring signatures are an important privacy feature of Monero that obfuscates the source of funds. They're often inconsiderately referred to as mixing but it really is very, very different than a Bitcoin mixing process. So the idea is if you want to spend one of your sources of funds, let's say you go to a store with a $10 bill and a $5 bill and you want to spend $11, of course you would give the teller both bills and they would give you $4 back and change. So in this case, what you would do is you take your Monero output which contains a certain number of Monero and you would include it in a single ring and then you would include other possible outputs which we call decoys in Monero. These are not money that you're actually spending but funds that you ideally convincingly seem to spend and you include them all in this one ring. So you would say in the top example there that perhaps the Monero transaction would conceivably spend one of these 11 outputs. Only one is actually spent but the outside observer does not know which source of funds is actually being spent. However, granted, we're able to verify that someone is actually spending funds that they have the right to. They're not just pretending to spend other people's money because that would be absurd. So if a transaction is trying to spend two bills like I described in the $10 and $5 case, there would be two ring signatures, two independent amounts. They're each spending one of these piggy banks, let's say, and for each piggy bank we grab 10 other piggy banks and we say, hey, that might be a source. That might be where the money's coming from and an outside observer ideally would not know any better. However, a ton of Monero research and history has shown that in many cases, people are able to learn information more than what we expect based off how these inputs are selected. One of these is whether or not outputs are coin-based outputs or not, which is an additional point of metadata that you can use to determine whether or not individuals convincingly spending certain outputs. So what are coin-based outputs? And of course, just to get it out of the way, I should very clearly state that coin-based outputs in this example are not in reference to outputs that are associated with coin-based decentralized exchange, not at all. Coin-based outputs refer to the idea of money that is from the block reward. So if you are taking coins and you success, sorry, not taking coins, but if you successfully mine a block, let's say, you have the right to make yourself a coin-based output that consists of a few things. It consists of the block reward. This is basically money that's coming out of thin air, but it's coming out of thin air according to a very set regulated process that the network agrees on. Dr. Daniel Kim talked about this in the earlier talk, of course. And then of course, you are able to pull in the transaction fees that people say that you're entitled to include if people mine them. Of course, fees are included as an incentive for people to choose certain transactions over others. And of course, in Manero's case, they help compensate for the decreased block reward if you are putting in a substantial number of transactions. So those are coin-based outputs. Again, not coin-based the exchange, coin-based outputs refer to outputs that are generated with the mining process. If a coin, let's say, used proof of stake or something, it would be through the staking process, but really you can think of it as coins that are generated new into the system or based off whoever the person who is authorized to sign the transaction in this case, sign the block, sorry, which would be the miner. So you can see I have sets of piggy banks going through here just to try and simplify things, but on the left there, that's the initial source of funds in the piggy bank. Those are generated from the block reward there, highlighted that yellow there. And then the funds in all actuality are passed along further in their histories or no longer coin-based outputs, their other outputs, non-coin-based outputs, let's say. Of course, just because Monero is Monero and we office-kate all this information, you don't necessarily know that there's this nice, lovely straight line going through and all actuality, it looks super, super messy and really looks like this nonsense where transactions may appear to go a bunch of different ways, of course, but that's not the point of this talk. Instead, we're gonna talk about who the actual money printers are. Who has the ability to print money in Monero? Those are the miners. Here is a chart showing who the miners are. You can see that mine, XMR and support XMR are the two dominant pools on the Monero network, but you have a few others. You have ones like XMR pool, F2 pool, nano pool, small pools, two miners. Small pools consist of like everything, like a substantial number of really small pools that in some equal 7% of the total network, and then you have that 5% of unknown. So this is something that mine XMR is not able to associate with a specific mining pool. These can be solo miners. These can be private pools. Ultimately, it's just network hash rate that's coming out of an unknown situation from people that might either just not bother sharing information publicly or care about mining privately or who knows what. So these are who the money printers are in Monero. And a lot of them reveal a lot of information for quite a few reasons. We have a breaking Monero episode about public mining pool data that I strongly recommend you watch, but support XMR, for example, they show the list of all the blocks that they mine. So if someone appears to spend funds that, appears to spend a coin-based output that you know was mined by support XMR, the only convincing way that that output could have actually been spent in that transaction is if it was support XMR, like actually spending it. So if your friend, for example, sent you a transaction that spent funds that support XMR publicly describes as mining, your friend either better run support XMR or they are not actually sending you that money. That's a fake decoy and it's known to you to be fake given the information that the public mining pool publishes. So I put it red there because it does reveal a pretty substantial amount of metadata. Most pools will show the blocks that they mine. I only looked up support XMR, mine XMR and nano pool because they're the largest but this continues for many pools. Mine XMR also shows the blocks mine, so does nano pool. And then a few also reveal information about what transactions they make to users. And as I show in other talks, this allows outsiders to pretty reliably form a list of all transactions, really all outputs that the pool has controlled. So as a result, support XMR does not actually show the specific payouts as far as the transactions are concerned. They don't say, this is the specific transaction we sent. Instead they say, we sent this much money which is much better than revealing the exact transactions. It makes things much more difficult, but it's still likely, you know, incurs possible limitations related to timing attacks where, okay, well, what if it's the only transaction that gets mined around this time period? Well, then it would be, you know, more visible. It still reveals more information, but it's not as bad. Nano pool, for example, shows all payout details. You can see who the specific miners are. You can see how the payments are specifically made. You can see the exact Monero transactions that go to these users. So they reveal a ton of information. So within, you know, nano pool, they are making a lot of information public. Mine XMR is only showing payouts to users that are the actual miners. You have to put in your mining address first and then it will show what payouts were made. This makes it more difficult for someone who's trying to track this sort of information, reveal a lot of information, you know, learn a lot about pool held outputs. So this is really who the money printers are. But of course, you also have this unknown portion here that I talked about like who these potentially could be. Well, we really do not, to all intents and purposes, know anything about who's mining these funds. But at the maximum, this unknown refers to, again, the maximum amount of the amount of solo miners or private miners that might be potentially impacted if we start meddling with Coinbase outputs, because clearly these exchange, sorry, these mining pools don't really care about revealing information publicly because they have done so for ages and continue to do so. So the only people that do care about their privacy from this perspective happen to actually be those that are mining in unknown pools or solo mining, right? So we need to talk about who actually owns these outputs. Who is the one that's actually likely to spend, control, et cetera, these outputs? Well, Coinbase outputs are only spent by two groups of people, mining pools or people that are solo mining or mining on a private pool. And there's only about like 10 total mining pools that like consistently mine blocks. And for solo miners aren't that many of those either. There's a relatively small number, let's say. Well, there's also the next set. So instead of just funds that come from Coinbase, there's also, okay, what's the from Coinbase outputs, let's say, the next set. Once they're spent from Coinbase, who convincingly may actually hold these outputs? Well, it's still the mining pools because you know, mining pool mines a block, they send a transaction to someone, the Coinbase block, sorry, the Coinbase output, and then they receive change back to the mining pool. So they still will hold onto these blocks. So they are convincing holders of the from Coinbase outputs. But solo miners are still also convincing holders, but really the extra layer of protection for users comes in the idea that pool miners, not just the pool operators, but the pool miners are likely recipients of these from Coinbase outputs. Because a mining pool again will mine a block and they'll send a payout to someone. They need to send that payment somehow so they need to spend that Coinbase output. They might give the output that's generated next to specific users. And so therefore the entropy set of who actually may touch these outputs, even though on chain, it's only one level away from the mining, so the Coinbase outputs. In all actuality, holding one of these outputs covers a much wider scope of activity. And so it's much more convincing. If your friend, let's say, sends you a decoy that includes one of these outputs, they perhaps might have just been mining with their laptop on a mining pool and eventually got a tiny fraction of a payout. That's possible. That's certainly much more possible than them sending you an actual Coinbase output. It's completely different. It's much, much more convincing. So it's important to consider who actually touches these outputs. And this wraps around to the scope of the talker, in the name of the talk again, in saying that are you a convincing money printer? Are you a convincing person to actually touch these initial Coinbase outputs? For the vast majority of people, the answer is no. Very, very few predictable people are the ones that typically touch these Coinbase outputs. So what can we do? Well, we can handle Coinbase outputs differently. We can optionally decide to say, hey, we would like Coinbase rings to remain separate from non-Coinbase rings. One thing we can also do with consensus changes is say that Coinbase rings must be a certain size and non-Coinbase rings must be a certain size. Of course, for mineral transactions right now, we mandate a ring size of 11 for all transactions, whether they're spending Coinbase outputs or not spending Coinbase outputs. But we could say, well, since there's so much information available public anyway for Coinbase outputs because mining pools are made so much information public, we can instead say, well, let's just say that these can have a smaller ring size. We'll drop them down to three. We will inform network participants that Coinbase outputs themselves are not reasonably protected because it's predictable to figure out who actually owns them. So therefore, we can save transaction efficiency, network efficiency for these specific outputs. And those who are actually solo mining or mining on private pools will just be told, well, don't specifically send these funds you generate to someone else. You will at least want one level of separation. So you include a much wider scope of activity there. And then of course, with the non-Coinbase ring, we can say, oh, well, we can keep this at size 11, let's say, or maybe we can pop it up to size 12 or 13 just to take advantage of those additional efficiency of the benefits. So the network overall is still as efficient as it was before to verify, but the users who do care about privacy are actually getting it and the people who don't care are not having efficiency wasted on them in a way. So yeah, again, in the Coinbase rings, the only ones that actually would construct these are mining pools and solo miners. For the non-Coinbase rings, these would be constructed by everyone, including mining pools and solo miners, of course. So the whole network is constructing these, but we can make separate rules for Coinbase rings and that might be warranted if network activities suggest that it will actually be impacting certain users' behavior. So Serang Noether looked at the actual spend distribution of Coinbase and non-Coinbase outputs in Monero. Now granted, the only way we were actually able to look at these is by looking at Monero's traceable old history. So Monero from 2014 to 2017 definitely did not have very strong ring signature protections. And so we were able to determine when certain outputs were spent. And then we, you know, Dr. Serang Noether broke them down to whether or not they were Coinbase or non-Coinbase outputs. And as you can see, there's very little difference. So we have the option too to say, oh, well, we can have different time selection periods for whether or not we're selecting decoys for Coinbase or non-Coinbase rings. But the evidence so far shows that there's no need to actually do this. But if there was a need to do that, then the benefit to overall privacy for people would be far greater because we're able to segregate by this required point of network metadata whether or not an output is a Coinbase output or not. So just something to think about that's something we can do, but there's no need to given current research so far. So I know the point of the talk is like, you know, why we should, but ultimately one of the big takeaways I want is you don't need to panic as a result of this. Coinbase outputs are increasingly rare as a portion of, sorry, a portion of total network activity. And ring sizes are pretty large already and they will most likely get substantially larger in the future. So looking at some transaction data on total number of transactions per block, there are about two outputs per transaction. There are at least two. So actually the output, the average is a little bit more than two. But to all intents and purposes, let's just consider it two. Over the past month, the year, there's been about 13 Manero transactions per block, which is quite a bit, a lot more than in Manero's, you know, early history. So that means 13 transactions times two outputs per transaction. We're generating 26 outputs per block just by non-coin-based related transactions. And then of course we have that one coin-based output that's being generated per block. So really the total proportion of coin-based outputs that are being generated is a pretty low 3.7%. So all things being equal, if you are selecting decoys from the blockchain, the likelihood you're gonna choose a new coin-based output is much lower than choosing a non-coin-based output. In the past with a smaller transaction amount, this used to be closer to 20% even a year or so ago. So it really has changed with the additional adoption of Manero activity. That is really what has changed, you know, the discussion here is based off of Manero having far more transactions that will make the absolute impact of coin-based outputs, you know, or proportional, sorry, the proportional impact be small and the absolute for each transaction be smaller too. So that's pretty exciting to think about. Also, large ring sizes still will minimize, like pretty much for all things Manero attack related, one solution is always, well, why don't we just bump the ring size, just increase the ring size, you know, keep just keep bumping the ring size, right? So with the current situation, you have 11 ring members and on average, you're probably gonna select one or zero coin-based outputs per transaction. Again, it used to be more like one to three, but really at the moment, it's zero or one for most transactions. So you can say that, oh, well, if one coin-based output is selected, really unless you know that they're a miner, you know, a mining pool operator, not even just a miner, the effective ring size is actually 10, it's reduced by one. Well, if we do not segregate coin-based rings, well, we still will have a proportional scale where the total proportion of coin-based outputs are still going to be selected for even larger ring sizes. And so more outputs are going to be compromised, but ultimately at the end of the day, the effective ring size is still going to increase quite substantially, right? Where, you know, the difference between 128 and 116 is far lower, even though it's a proportional same, than the difference between 11 and 10, right? The actual decoy difference is much bigger in practice for smaller numbers than bigger numbers. So in conclusion, you are not the money printer, right? You are not actually spending coin-based outputs. There's no convincing way that you would ever control these for any reason, but this only materially matters if Monero has small adoption. If Monero has only a handful of transactions per block, then yes, it does matter. The proportion of coin-based outputs would be quite significant. However, if you have the tune of dozens of Monero transactions per block on average, then really coin-based outputs aren't getting in the way that much. They just aren't. So, you know, the most important thing for resolving this problem is making sure that coin-based outputs are rare, proportional to the total number of transaction amounts. And really the total number of coin-based outputs is not changing per day. That's like stagnant. Every two minutes on average, a block is gonna be mined. That's predictable. So network activity for all other transactions needs to be substantial in order to cover users, right? So really we should, in my opinion, still separate coin-based outputs because in all reality, if you see a transaction still that appears to spend a coin-based output, the likelihood it actually is spending this is very, very low, very, very low. It's not super likely. So we should still separate it, but at the end of the day, it's also not the end of the world if we don't. And so that's one of those good problems to have, I guess. And then as ring sizes increase too, you also will have an increase in the absolute protection provided by the rings anyway, even if a few of them are going to be selecting from these toxic coin-based output pools. So ultimately, that's the main takeaway from this whole talk. Okay, so if you wanna get more educated on Monero, learn more, get started, join the communities, you can get educated by going to masteringmonero.com, you can get a read a free book there by a print version, you can go to MoneroMeans.money and watch a movie that Dr. Daniel Kim was the star in. It was actually number one box office in the United States for two days and number two for the week and weekend back in April. You can download cakewallet.com and get the app there. You can go to gitmonero.org and download that wallet. There's also other great wallets like Moneroio you can download or you can join the Monero communities. The Monero community workgroup is communityworkgroup.org. It will actually be changing shortly to monerocommunity.org and the other communities are listed on gitmonero.org. My specific information is contact there at above. Just really was interested in coin-based outputs and felt that it was necessary to have a talk about them at some point. I know it's kind of niche, but it's important to think about certain points of metadata on the Monero blockchain and then try and connect these points of metadata to user behavior to see if anything is revealing and will potentially degrade Monero privacy. So it's important to think about these things going forward. All right, that's the end of my talk. We have some wonderful other talks coming up. So I'm going to hand it off to the rest of the Monero village and hope you enjoy the rest of your time here. Take care.