2020-minaei-moneymorph
findings extracted from this paper
-
MoneyMorph's threat model exploits the economic cost of blocking entire cryptocurrency networks: the censor is left with a binary choice — ban the full blockchain (incurring economic harm to the censored region) or allow all transactions including covert bootstrapping traffic. This assumption is grounded in the censor's observed tolerance of Bitcoin despite known circumvention use.
-
A prototypical Python implementation of MoneyMorph completes all cryptographic operations in under 50 milliseconds on a commodity Intel Core i7 (2.2 GHz, 16 GB RAM): fresh key-pair generation takes approximately 120ms, shared key derivation approximately 41ms, and symmetric encryption/decryption under 1ms. The dominant latency in practice is blockchain confirmation time, not computation.
-
MoneyMorph provides provable chosen-covertext attack security (SBS-CCA) for proxy bootstrapping, unlike prior email or social-media rendezvous approaches which offer only heuristic security. Under SBS-CCA, the censor's advantage in distinguishing a covertext-bearing transaction from a random transaction in the same space is negligible.
-
Sibling transaction analysis across 45 million Bitcoin transactions (blocks 580,000–600,000, June–Oct 2019) shows 32% use the Pay2PKeyHash + Pay2ScriptHash combination MoneyMorph employs. In Monero, the two-input two-output structure matches 42% of all transactions. In Zcash, only 11–19% of transactions are shielded, giving it the lowest sibling rate despite the highest bandwidth.
-
Zcash shielded transactions provide the highest per-transaction bandwidth of any tested cryptocurrency: 1148 bytes for the challenge covertext and 1168 bytes for the response, at a transaction fee of less than 0.01 USD. Bitcoin yields only 20/40 bytes at $0.34 fee and Ethereum only 20 bytes at $0.18 fee.