Decoy Selection

The core objective of decoy selection is to provide plausible deniability. By mixing a real UTXO with several decoys, the protocol ensures that an external observer cannot determine which input is the true spend with statistical certainty. This breaks the deterministic link between the sender and receiver on the blockchain.

Different privacy protocols use specific algorithms to choose decoys from the global UTXO set. Common methods include:

• Random Selection: Picks decoys uniformly at random from all eligible UTXOs.
• Time-based (CoinJoin): Selects decoys from UTXOs created in a similar time window to the real coin, based on the assumption that coins of similar age are likely controlled by different users.
• Graph-based (Dandelion++): Uses network analysis to select decoys that obscure the transaction's propagation path.

The effectiveness of decoy selection is measured against specific threat models. A weak selection algorithm is vulnerable to chain analysis heuristics, such as:

• Common Input Ownership: Assuming all inputs in a transaction are controlled by the same entity.
• Temporal Analysis: Clustering UTXOs spent together shortly after creation.
• Amount Analysis: Matching unique output amounts to specific inputs.

Monero's Ring Confidential Transactions (RingCT) is a canonical implementation. In each transaction, the real input is hidden among 10 or more decoy outputs (the ring). The protocol uses a time-based algorithm, preferring newer outputs as decoys, and incorporates a locktime to prevent temporal analysis. The signer produces a ring signature that proves ownership of one of the ring members without revealing which one.

Decoy selection is not foolproof. Known limitations and attacks include:

• Poisoned Outputs: An adversary can create and tag UTXOs to later identify them as decoys, weakening future mixes.
• Statistical Clustering: Over time, advanced chain analysis can probabilistically deanonymize users if the decoy set is not sufficiently large or random.
• Timing Attacks: Correlating transaction broadcast times with network activity.

Decoy selection interacts with other core privacy primitives:

• Zero-Knowledge Proofs: Used in zk-SNARKs-based systems (e.g., Zcash) to prove validity without revealing inputs/outputs, making decoys unnecessary.
• Mixing Pools / CoinJoins: Protocols like Wasabi Wallet or JoinMarket use coordinated, multi-party transactions where decoy selection is implicit among the participants.
• Stealth Addresses: Provide receiver privacy, while decoy selection provides sender privacy.

Decoy selection is fundamental to privacy protocols like Monero's Ring Confidential Transactions (RingCT). When a user spends funds, they must construct a ring signature that includes their real unspent transaction output (UTXO) alongside several decoy outputs from the blockchain's history. The cryptographic proof demonstrates that one of the outputs was spent, but does not reveal which one, creating plausible deniability for the spender.

A primary attack vector arises from non-random or predictable decoy selection. If an adversary can guess which outputs are likely decoys, they can infer the real spent output.

• Temporal Analysis: Selecting only very recent decoys makes older, real outputs stand out.
• Output Graph Analysis: Failing to select decoys that are topologically similar to the real input (e.g., similar amount, age, or transaction graph connectivity) reduces anonymity.
• Poisoned Outputs: An attacker can create marked outputs (e.g., with unique amounts) and wait for them to be selected as decoys, weakening the anonymity set for any transaction that includes them.

The ring size (total number of outputs in the signature, including the real one) is a critical security parameter. A small ring size (e.g., 2) provides minimal anonymity. Most privacy protocols enforce a mandatory minimum mixin count (number of decoys). For example, Monero has enforced increasing minimums over time, from 0 to 16, to raise the baseline anonymity set and resist basic statistical attacks. The trade-off is increased proof size and verification time.

The algorithm for choosing decoys directly impacts security. Naive random selection from the entire UTXO set is insufficient.

• Recent-First Bias: Early implementations favored recent outputs, which were easier to analyze.
• Improved Algorithms: Modern wallets use algorithms that sample decoys based on a probability distribution weighted by output age (e.g., Gamma distribution), mimicking real spending behavior to make real and decoy outputs statistically indistinguishable.
• Deterministic vs. Random: The algorithm must be deterministic for verifiability but appear random to an observer.

If the same decoy output is used repeatedly across multiple transactions by the same wallet, it can create a linkability graph. Advanced clustering analysis can identify wallets that share decoys, potentially breaking anonymity. Robust implementations ensure decoys are selected freshly for each transaction and avoid reuse of outputs that have already appeared in recent rings.

Decoy selection does not operate in isolation; its effectiveness is intertwined with other protocol features.

• Confidential Amounts (RingCT): Hiding transaction amounts prevents attackers from filtering decoys by value.
• Stealth Addresses: Each payment uses a one-time address, preventing the linking of decoys from different transactions to the same recipient.
• Dandelion++ / Kovri: Network-layer privacy (obfuscating IP addresses) complements on-chain decoy selection by preventing timing attacks that could reveal which node broadcast a transaction containing a specific real output.

A cryptographic primitive that enables decoy selection. It allows a signer to produce a signature on behalf of a group (a ring) without revealing which specific member's key was used. Key properties include:

• Anonymity: The actual signer is hidden among the decoys.
• Linkability: In some schemes (e.g., Linkable Ring Signatures), it's possible to detect if two signatures were created by the same signer, preventing double-spending without revealing identity.

An alternative network-level privacy solution. Instead of hiding a transaction among decoys on-chain, a mixnet (mixing network) obscures the link between sender and receiver by routing and encrypting messages through a series of proxy servers. Compared to decoy-based systems:

• Onion Routing: Used by networks like Tor.
• Latency vs. Privacy Trade-off: Introduces delay but can provide strong metadata protection.

A method for proving the validity of a statement without revealing the statement itself. Used in privacy protocols like Zcash as an alternative to decoy selection. Key differences:

• Cryptographic Hiding: Transaction amounts and parties are fully encrypted, with validity proven via a ZKP (e.g., zk-SNARK).
• No Decoy Set: Privacy does not rely on selecting plausible-looking past outputs from the chain.

The adversarial practice of analyzing the public blockchain to de-anonymize users, which decoy selection aims to thwart. Techniques include:

• Common Input Ownership Heuristic: Assuming all inputs to a transaction belong to the same entity.
• Change Output Identification: Identifying which output is the "change" returned to the sender.
• Temporal Analysis: Linking transactions based on timing and network gossip.

The fundamental data model for many blockchain protocols. In UTXO-based chains (like Bitcoin and Monero), decoy selection involves choosing other real, unspent outputs from the blockchain's history to include in a ring. Each UTXO has:

• A cryptographic commitment to an amount.
• A condition (script) for spending it. Decoys must be valid, spendable UTXOs to be plausible.

The effective anonymity group for a transaction. In decoy selection, the privacy set is the group of possible signers (the real spender plus the decoys). Security depends on:

• Set Size (Ring Size): Larger rings increase anonymity but cost more in fees and verification time.
• Set Quality: Decoys must be chosen from a distribution that mimics real user behavior to resist statistical attacks. A poorly chosen set reduces effective privacy.