Rucknium
Rucknium is an empirical microeconomist affiliated with the Monero Research Lab. He uses statistical analysis to research improvements to Monero’s privacy and security. His contributions include: reducing time to first transaction confirmation by 60 seconds, analysis of the 2024 black marble spam attack and evaluation of countermeasures, optimal decoy selection for ring signatures, countermeasures against spy nodes on the network, analysis of the privacy risk of nonstandard transactions, and evaluation of the security of the 10 block lock on re-spending transactions.
GitHub: https://github.com/Rucknium
Website: https://Rucknium.me
Sessions
OSPEAD estimates the age distribution of the real spend in Monero's ring signatures. Monero's decoy selection algorithm could be changed to closely mimic the real spend age distribution, yet an anti-privacy adversary can also use the real spend distribution to execute the MAP Decoder attack on past ring signature data. The attack raises the probability of correctly guessing the real spend in a 16-member ring from 6.25% to 23.5%, on average.
Multiple nonstandard decoy distributions are modeled as repeated measurements drawn from unknown distribution components, then estimated by the method of Bonhomme, Jochmans, & Robin (2016). The age distribution of ring signatures associated with a given decoy distribution is modeled as a two-component mixture distribution. The decoy distribution is subtracted from the on-chain data distribution to obtain the real spend distribution.
According to recent analysis by the Monero Research Lab, one or more anti-privacy adversaries have set up many spy nodes on the Monero network, composing up to 40 percent of reachable node addresses. Connections to these spy nodes would make up an estimated 15 percent of the privacy-sensitive outbound connections established by honest nodes that use the default configuration. This talk will quantitatively estimate the privacy impact of spy nodes even when Monero's Dandelion++ protocol is used. The following countermeasures will be evaluated: opt-in IP address ban lists, anonymity networks like Tor and I2P, a Dandelion++ alternative called Clover, subnet deduplication, and protocols that verify that an internet address is really operating a distinct node. The Confidentiality, Integrity, and Availability triad in information security will guide comparisons of these countermeasures.