Verge - Reading Assignment

Couldn’t find much about privacy at that link, but in other research…

Verge shields IP addresses and data by integrating Tor in the wallet and the receiving party’s address using Dual-Key Stealth Addressing. They are supposed to add optional RingCT transactions which would also hide the amounts and send/receive addresses, but as of late 2018, this has not yet been implemented. In fact, at one reading, even Stealth Addresses were not yet implemented.

Verge does not mask amounts and does a pretty crappy job of sheilding transactions once they are on the blockchain, allowing several methods of blockchain analysis.

If Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known, an attacker could link Bob and Alice together by using malicious Tor nodes, waiting for a transaction to a KYC/AML exchange (which would lose all anonymity), or by using most other blockchain analyses, such as timing.

1. What two pieces of information are shielded on Verge?
   IP address, recipient address

2. What information is NOT shielded on Verge?
   sender, amount of transaction

3. Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.
   They could be linked by analyzing transactions.

1. IP address, public key of receiver
2. Amounts sent, UTXO spent, UTXO received
3. The attacker can see which UTXO from ALice was used to send to which address of Bob, because the masterkey will show which to which address of Bob this transaction was sent to.

1. User’s IP address, receiver’s address.

2. Transaction value, sender’s address

3. If we had the master public keys we would still not be able to identify the stealth address with a particular wallet. We do know the amount but it is of little use if Bob does not re-send the 15 XVG right away.

1. What two pieces of information are shielded on Verge?
   IP address, as Tor is integrated in all wallets, and addresses through Dual-key Stealth Addressing.

2. What information is NOT shielded on Verge?
   Amount of payments.

3. Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.
   As far as I understood Verge is sending always to different public addresses, but from the “Master Public Key” you can derive ALL the public addresses.

1 - What two pieces of information are shielded on Verge?

	- Sender IP address is hidden with the use of the Tor, Onion Router 
	- The receiver is obfuscated with the use of Dual-Key Stealth Addressing.

2 - What information is NOT shielded on Verge?

The amount sent is not hidden.

3 - Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.

This may suffer issues similar to Monaro(Timing Analysis Mitigations). A well-known weakness of Tor is the lack of delay in data transmits. This has the side effect of leaking the timing of data transmits through the Tor network, and sometimes the size of a message being sent (if the link is often idle). This timing issue can result in the leaking of transaction origin purely by watching the timing and volume of traffic being sent over Tor.

1. IP and addresses
2. The transaction amount
3. The attacked will know the addresses in which they received UTXOs and once they use a UTXO to one another they will be revealed as transacting.

#1 - What two pieces of information are shielded on Verge?
IP and the reciver

#2 - What information is NOT shielded on Verge?
Sender

#3 - Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.
An attacker could track the amount of the transaction

1. IP addresses through TOR integration and receiver addresses via dual key stealth addresses

2. Amount of spending, sender address

3.Via the Master Public key all further addresses are derived. So, the attacker could link them together because he knows all of their addresses in combination with the amount spent when Bob send those funds to his personal accounts/addresses.

1. Verge shield’s the IP address and also receiver addresses.

2. The transaction amounts. Information about the sender, you can search by address on the blockchain explorer and this shows address for both sender and receiver but they do only talk about hiding the receivers address by using a Stealth Address. Does that mean the other address is the senders address.

3. This could be achieved by following the UTXO’s. Following the stealth address to see where that then sends on UTXO’s.

1. What two pieces of information are shielded on Verge?

• IP and recipient address

2. What information is NOT shielded on Verge?

• Sender and amount

3. Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.

Linking the transaction with timestamp, the receiver address and the amount received.

1. What two pieces of information are shielded on Verge?
IP address, recipient address

2. What information is NOT shielded on Verge?
Amount, sender

3. Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.
Not 100% sure of this but if you looked at amounts and timing perhaps.

1. What two pieces of information are shielded on Verge?
   IP address and addresses trough Dual-key

2. What information is NOT shielded on Verge?
   The amount of transactions

3. Suppose Alice sends 15 XVG to Bob, and Alice’s and Bob’s ‘Master Public Keys’ are publicly known. Describe how an attacker could link Bob and Alice together, even using the privacy features mentioned above.
   By analyzing the transactions. Track where Bob did send the XVG and link this later to his identity

• IP address and sender/receiver.
• Amounts
• I think he could guess with the amount sent vs received, but if you have high usage this would very unlikely, unless you make some real awkward Tx…wouldn’t it?

1. The two pieces of information shielded on Verge are the IP address of the sender and the receiver’s address.

2. The information that is not shielded on verge is the amount in the transaction and the sender’s address.

3. An attacker could link Alice and Bob together by checking the time Alice sent the 15XVG and the time Bob received that amount.

My understanding only if Bob gave us the ‘secret-scan-key’ that an attacker could make the connection between values and wallet addresses, or else there are no ways to make conclusions because ‘master public key’ shows nowhere in the tx explorer.

1. Thanks to TOR it is possible to hide the IP address and thanks to Dual-Key Stealth Addressing, it is possible to hide the addresses, in particular the receiver.
2. The amount of transactions.
3. I believe that by analyzing the amount of the transaction spent and received and looking at the timing of the transaction on the blockchain, it is possible to connect the two addresses.

1. The IP addresses of the sender and receiver.
2. The amount.
3. Comparing timestamps with the same amounts.

1. The two pieces of information shielded on Verge are the IP address of the sender and the receiver’s address.
2. The information that is not shielded on verge is the amount in the transaction and the sender’s address.
3. An attacker could link Alice and Bob together by checking the time Alice sent the 15 XVG and the time Bob received that amount.