Decoy Selection, Flooding & Poisoned Outputs (EAE)

How poor decoy distributions make the real input an outlier, the EAE known-spent flooding attack, and how gamma-based decoy selection and larger rings mitigate.

Since zero-decoy transactions were banned, every Monero input has been hidden among decoys. But a decoy only helps if an observer cannot tell it apart from the real spend. This lesson examines the two most important attacks on that premise: exploiting a poor decoy-selection distribution so the true input becomes a statistical outlier, and the poisoned-output family of attacks in which an adversary manufactures the decoys themselves. Both aim at the same target — shrinking the effective anonymity set below its nominal ring size.

Why Decoy Selection Is the Whole Game

A ring signature proves the spender owns one of the ring's members without revealing which. If the ring has 16 members, the naive anonymity set is 16. But that number is a ceiling, not a guarantee. If an adversary can assign different probabilities to the members — say, one output is 80% likely to be the real spend — then the effective anonymity is far smaller than 16. The entire security of the scheme therefore rests on the decoys being chosen from a distribution that is statistically indistinguishable from how people actually spend. Get the distribution wrong and the ring leaks even though no cryptography is broken.

The Outlier Problem

Real spending has structure. People tend to spend outputs relatively soon after receiving them, so genuinely spent outputs skew young. If decoys were sampled uniformly across the whole chain, the real input — being recent — would almost always be the newest member of its ring, and an attacker could simply "guess the newest." That was precisely the early weakness. The defense is to mimic the real spend-age distribution when selecting decoys, so that a young real output is surrounded by other plausibly young decoys and no longer stands out. This is why decoy selection is modeled on a carefully chosen curve rather than picked at random, a topic developed fully in Decoy Selection and Distribution.

Getting this exactly right is genuinely hard. If the model even slightly mismatches real behavior — because spending habits shift, or a popular wallet uses a different selection algorithm and its transactions become fingerprintable — the residual bias can be mined statistically. It is an ongoing arms race, not a solved problem, and honesty demands acknowledging that some measurable bias has existed in past implementations.

The EAE / Poisoned-Output Attack

The sharper threat comes when the adversary stops observing and starts participating. In a poisoned-output or known-spent flooding attack, the attacker creates a large number of outputs that they themselves control and can therefore mark as "known." The classic framing is the EAE (Eve–Alice–Eve) pattern: the adversary Eve transacts with the victim Alice on both sides — sending her funds and later receiving from her — so that Eve knows the origin and destination outputs around Alice's activity, and can strip her own known outputs out of any rings they appear in.

The general mechanism is anonymity-set poisoning. If an attacker controls a large fraction of the outputs on the chain, then when those outputs are selected as decoys in your transaction, the attacker recognizes them as their own and mentally deletes them from your ring. A ring of 16 that happens to contain, say, 12 attacker-controlled decoys collapses to an effective anonymity set of 4. Flood the chain with enough known outputs during a low-activity period and you can meaningfully erode everyone's rings — not by breaking the signature, but by ensuring the decoys are ones you can rule out.
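The "effective anonymity set" used here and in "Why Decoy Selection Is the Whole Game" can be put into numbers. The following is an added example, not part of the original lesson: it uses the entropy-based measure 2^H for an observer's probability estimate over ring members, and a binomial model in which each decoy is independently attacker-known with a fixed probability. The function names, the output ids and that independence model are assumptions.

```python
import math


def effective_anonymity(probs):
    """2**H of the observer's estimate over ring members (uniform ring -> ring size)."""
    total = sum(probs)
    h = -sum((p / total) * math.log2(p / total) for p in probs if p > 0)
    return 2 ** h


def strip_known(ring, known_decoys, real):
    """Members that remain once outputs the observer knows to be decoys are removed."""
    if real in known_decoys:
        raise ValueError("the real spend can never be ruled out as a decoy")
    return [out for out in ring if out not in known_decoys]


def expected_remaining(ring_size, known_fraction):
    """Mean ring size after stripping; the real input always survives."""
    return 1 + (ring_size - 1) * (1 - known_fraction)


def prob_remaining_at_most(ring_size, known_fraction, k):
    """P(at most k members survive) with decoys ~ Binomial(ring_size - 1, fraction)."""
    n, f = ring_size - 1, known_fraction
    need = max(ring_size - k, 0)        # known decoys required to leave <= k
    return sum(math.comb(n, j) * f**j * (1 - f) ** (n - j)
               for j in range(need, n + 1))


if __name__ == "__main__":
    # Constructed posterior: one member at 80%, the rest sharing 20% equally.
    print(effective_anonymity([0.8] + [0.2 / 15] * 15))
    # Constructed ring of 16 ids in which 12 decoys are known to the observer.
    ring = list(range(16))
    print(len(strip_known(ring, set(range(4, 16)), real=0)))
    for f in (0.10, 0.75):
        print(f, expected_remaining(16, f), prob_remaining_at_most(16, f, 4))
```

The low-fraction row shows why larger rings and high honest volume matter: at a 10% known fraction the expected ring stays at 14.5 of 16 members.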

Defenses, Old and Growing

Several factors blunt these attacks, though none is a silver bullet:

  • Gamma-distribution decoy selection. Modeling decoy ages on a distribution fitted to real spend behavior removes the "guess-the-newest" outlier signal and forces the adversary back to weaker probabilistic guessing.
  • Growing ring sizes. Larger mandatory rings raise the baseline anonymity set, so even after an attacker removes some known decoys, more genuine uncertainty remains. Each increase also raises the cost of poisoning to a given effectiveness.
  • High organic transaction volume. The more real, honest outputs exist on the chain, the smaller any attacker's controllable fraction becomes, and the harder flooding gets. Anonymity is collective: healthy usage protects everyone.
  • Fee and spam pressure. Flooding the chain with poisoned outputs is not free; dynamic fees make sustained large-scale poisoning economically painful.
  • Protocol research toward larger, cheaper anonymity sets. Longer term, designs that dramatically enlarge the anonymity set aim to make output-poisoning economically hopeless by raising the number of decoys an attacker would need to control into the impractical range.

Keeping the Threat in Proportion

Poisoning attacks are real and worth understanding, but their practical power depends on the attacker controlling a large, sustained share of chain outputs and often on transacting directly with the victim — expensive, conspicuous conditions. For most users the effective ring size remains close to nominal. As always, do not let a subtle on-chain concern distract you from the coarser, cheaper attacks at the network layer.

Decoy quality is a moving target that improves with every protocol upgrade and every honest transaction added to the chain — which sets up the next question: even with good decoys, what can an adversary still infer from timing and the shape of the transaction graph?
