Narrator: But it was tracing the payment. Identifying the destination is tracing and the fact that monero makes that easy doesn't change the definition of the term, no matter how much Kanzan wanted it to.
Discussion
another strawman
monero does not "make it easy"
you give me an address and I send you something. a letter through the mail, a payment through monero, whatever.
the sender knows the address of the recipient.
that isn't "tracing."
> that isn't tracing
It is
To trace is to identify the destination
If you "pick" the destination, as in monero, it's particularly easy to trace

Imagine arguing that unless you can drop money in the ocean and have it magically go to your intended destination, whom you don't even know who you're trying to pay, it's "tracing."
and all this from the guy who accuses monerobros of playing "semantic games"
That's the thing, lightning allows this to happen. You can drop a payment onto the internet and know that only one person can pick it up, without knowing anything useful about who they are or how they collect it. But to have this feature, you have to drop the blockchain and get on lightning.
But isn't that information (the destination) useless (from a tracking perspective) even if you have it?
it's not totally useless.
you can see where that stealth address pops up as a *possible* input in the future.
you just don't know if it's a decoy or a true spend.
nostr:nprofile1qqsd4dkxqewy8xum47ctpu0ltgxxsfemeewpjkdyzk9ddfcg286s0dsppemhxue69uhkummn9ekx7mp0qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uq36amnwvaz7tmwdaehgu3wvduhq6r9wfc82mnt9e6x7erp0yhs4deh46 illustrates this technique here
But shouldn't it be statistically impossible to determine if it's a decoy or not, if decoys are selected in an intelligent manner (i.e. in a random distribution)?
that's basically correct
but there's nuance, as always.
Because we know the age of outputs, we don't want a *completely random distribution*, we want a distribution that matches the age distribution of *how people actually spend*
But we don't know how people actually spend because everything is obfuscated
What we can do is guess and do statistical analysis on how we *think* people spend and compare that to what actually appears on chain
As I recall STN's Monero tracing tool (which doesn't actually trace Monero 🙄) heuristically identifies old outputs as the likely spend because the generally used decoy selection algo is biased towards recent outputs, making old output stick out.
That sounds like a glaring issue. Are heuristics like that any good?
nobody knows, which is kind of the point.
pretty much everyone agrees that older outputs are more likely to be cold storage or lost coins or whatever.
but nobody knows *how much more likely*
there's considerable debate if it's even knowable at all.
so for now, it's just comparing a guess about what someone thinks the real age distribution of spends should be
against the age distribution that appears.
decoy selection is hard and this has always been a problem. which is why Monero will move to full chain membership proofs and dump ring signatures altogether.
Check the video. If you do three purchases and then there's a single transaction that has all three txouts in its ring sets, it's probably a sweep transaction spending all three outputs; the chance of all three being selected as decoys randomly is almost zero.
If you know the address, you can poison it by sending some XMR to it and then you can identify the spend with almost 100% probability - if they choose to use them in the same tx.
So you come from "no one can see anything" assumption to "I need to do coin control to keep my privacy".
So what's the fix? That's like something that's easy to accidentally do...
use Feather wallet and manually churn each output at random times 😕
consolidate in a similar fashion, 2 outputs at a time
Exactly. And donate unwanted spam small Monero to GrapheneOS foundation.
The thing is - you can't just ignore it and assume Monero solves privacy problems for you like magic.
BTW: I think also Cake has coin control
on that note
I use another mobile wallet, Monfluo (fork of pokkst's Mysu) which also has basic coin control.
I wish I had the problem of incoming spam transactions...
If you have multiple outputs you can combine them two at a time at random intervals until you end up with 1 output. Then churn that a few times. I keep all my monero in one output.
*cops* identifying the destination is tracing. *you* knowing where *you* sent the money is not tracing.

Identifying the destination is tracing regardless of who does it
Lol surely you're well aware of how full of shit you're being. I can't imagine you actually buy this nonsense, maybe I'm giving you too much credit.
When I give you money, of course I know I'm giving you money. How else is it supposed to work? And that's the same thing as the cops tracing the money and then somehow doing it again when it gets subsequently spent? You know that you're working against your own goals with these arguments right?
> of course I know I'm giving you money. How else is it supposed to work?
It is supposed to work like in lightning, where the sender doesn't know what node receives the money or what channel receives the money or what pubkey receives the money. That way, if the cops ask you where you sent the money to, you have as little useful information as possible. Monero gives the sender useful information, specifically, the recipient’s real, unfavorable pubkey.
no.
the node pubkey is part of a bolt11 invoice.
this line is both a strawman and a red herring.
> the node pubkey is part of a bolt11 invoice
The pubkey in a bolt11 invoice simply signs the invoice, it does not control any money
You can put a dummy pubkey in there and the sender has no way to detect that you did so
If he shows it to authorities, they can end up on a wild goose chase watching for a pubkey that doesn't even exist anymore to do something it will never do
it's understandable you will take any opportunity to change the subject 👍
It seems to me that when the subject is "what pubkey receives the money" it is entirely relevant to discuss whether the pubkey in a bolt11 invoice receives any money
this is the topic of the conversation.
you sneaky guy 😂
No, Monero has subaddresses for that very reason. There are no nodes that route payments, only nodes that broadcast obfuscated transactions, so that's immaterial. The only thing you have is a one time payment address that can't be used to derive the public key of the user. It is literally as little useful information as possible. It's a completely random number that connects to nobody unless you have the recipient's private keys.
Subaddresses are cool but they have two unfortunate characteristics: (1) the sender derives a real pubkey from the subaddress and sends money to it (2) if the recipient spends that money, their pubkey shows up again as a member of a ring signature
Chain analysts use that fact to trace monero payments. They have ways to eliminate decoys from the ring signature and, in many cases, identify the real spender, and this privacy flaw has led to several arrests. Lightning fixes it.
FCMP++ fixes it too. You gonna be a Monero bro after that upgrade?
It is known that ring sigs aren't foolproof. This is why the ring size has been raised every time we get an improvement that affords more space in transactions. This is why we are excited to move to a whole network anonymity set. That's not what you've been talking about this whole time though, you've been saying that because you know who you're paying and how much, something that will always be the case for payments, that that means traceable.
I like FCMP and it sounds like it does fix most of my monero criticisms
But it fixes them by achieving what we already have in lightning (a blob of indecipherable sender data that anyone could have produced), and it achieves it in a way that unnecessarily bloats the chain with big blobs that everyone has to store forever
Just use lightning, that's my recommendation
Re: the sender tracing his payment to the recipient in a post FCMP world, yes, even in that world (if it ever arrives) the sender will be able to identify the recipient's pubkey, which is tracing -- it's the first step. I think it's a lot less useful in a post FCMP world because every future tx will reference that pubkey as a possible spender, along with every other pubkey, and I suspect it will be infeasible to eliminate enough decoys in that world. Exciting stuff!
I don't think it's unnecessary bloat, but yes, having to store everything forever is a big problem, for bitcoin as well as Monero. We have solutions to this, light nodes and the like, but they're really just stopgaps. The real solution is a scheme that doesn't require spent outputs to be stored forever by anyone, like mimblewimble. This solves all kinds of other problems too, block size whatever and all that. Lightning and stateless L2 offchain stuff are *not* solutions to this problem as they cause other even worse problems, particularly in bitcoin. You can browse my public bookmarks if you want to understand what I'm talking about, I've written extensively about this.
It is not tracing lol. I pay you, I know I paid you, that's not tracing. It's tracing if I can tell where you spend it next, or if someone else can tell I paid you.
It's all about trade offs. Only the users have access to their specific needs. Monero bros are rarely against BTC. Since many of us have been earliest Bitcoiners we figured that we have a need for it in today's world. This may change in the future, become more or less.
I like Bitcoin, LN, Monero, ecash all for different reasons and I hope we come up with even better solutions in the future.