> if your threat model is a global passive adversary they clearly know where payments begin and end
they don't know which of your messages are real and which are decoys
they also don't know the contents of your messages
> they can have *reasonable certainty* where payments originate and end up
they can "say" they have reasonable certainty about that, but in many jurisdictions they would have to prove it in court, and that's often a pretty tough standard
how do you know the person who *looks* like the sender (or the recipient) isn't just another routing node? Even mobile phones can route payments and are incentivized to do so, so you just don't know
> the node pubkey is part of a bolt11 invoice
The pubkey in a bolt11 invoice simply signs the invoice, it does not control any money
You can put a dummy pubkey in there and the sender has no way to detect that you did so
If he shows it to authorities, they can end up on a wild goose chase watching for a pubkey that doesn't even exist anymore to do something it will never do
That's the thing, lightning allows this to happen. You can drop a payment onto the internet and know that only one person can pick it up, without knowing anything useful about who they are or how they collect it. But to have this feature, you have to drop the blockchain and get on lightning.
> of course I know I'm giving you money. How else is it supposed to work?
It is supposed to work like in lightning, where the sender doesn't know what node receives the money or what channel receives the money or what pubkey receives the money. That way, if the cops ask you where you sent the money to, you have as little useful information as possible. Monero gives the sender useful information, specifically, the recipient’s real, unfavorable pubkey.
> users trust information isn't being recorded and shared
Even if routing nodes collude they cannot identify the sender or the recipient
> that isn't tracing
It is
To trace is to identify the destination
If you "pick" the destination, as in monero, it's particularly easy to trace
Narrator: But it was tracing the payment. Identifying the destination is tracing and the fact that monero makes that easy doesn't change the definition of the term, no matter how much Kanzan wanted it to.
It is tracing when you follow the money
It doesn't stop being tracing just cuz the first step is easy in monero
Then do it
A lightning invoice is attached
Why don't you pay it and tell me (1) what pubkey received the money (2) what its total balance is?
I'll do the same for monero if you like. Give me any xmr address, I will pay it and tell you (1) what pubkey received the money (2) what its total balance is
lightning:lnbc10103770p1p5rsh7mpp5dnjxpfcnt769h8l4xf7wxl3lsuluvf2f25qzjextw0k492mxq7ashp598ktapplptj7q0jg65flj8texw4rul208lljstt84adxp88kakxscqzdyxqyz5zpsp52h2ntu5c5luklflx53su43x202m2fukujrykmq3zcseaxmtjdq0s9qxpqysgqrflep2rykypncpenk6gt9flssljt9sdz2akgh6wq7s6te0ree20pa8dttqjp330fh66rscrpjn249ujw6tynnutzpf87prtncr5f88gp9eglxh
Your irony is self-defeating because the guy got arrested precisely because step 1 was so easy
"Hey Morphtoken, where did you send the XMR?" -- "No problem coppers, I sent it to this pubkey, here's the proof!" -- "Great, now let's watch to see where the money moves next."
LN offers two huge fixes here: Morphtoken does not know what pubkey gets the money (due to onion routing) and even if it did, you can watch a pubkey for ten thousand years and not see its next transaction (due to no blockchain).
> the monero user might churn their output at some point
And the tracer might be able to detect that
In the attached Chainalysis video, between 34:51 and 36:44, they observe that the user sent some of his xmr and they identify the "main" recipient as either a self custodial wallet (Exodus) or a mining pool. After logging that, they follow the change output and watch to see where *that* goes next. Churning (i.e. sending to yourself) clearly helps but since there's a public record of the tx and what happens next, it is not foolproof. LN is better on this front: there's no public record of the transactions and not even the sender knows where his money goes.
Wanna trace your $2 bill? Start a journal:
Step 1. I gave it to John.
^ Kanzan thinks this step doesn't count because it ruins his narrative
If that doesn't count as tracing then why do tracers start the trace by doing precisely that?

This is literally how cops trace cash
They mark the bills and hand them to criminal A, who they suspect works for criminal B. Then they wait for criminal B to deposit them at a bank, whereupon they arrest criminal B and use the marked bills (i.e. the trace) as evidence that he is part of the same mafia as criminal A
It's also very similar to how they arrest monero users: get some XMR to the criminal, wait for him to move it, trace the money to a KYC exchange, get his identity info, and arrest him
Lightning offers two huge fixes for this: you don't know what channel received the money (thanks to onion routing), and there's nothing to watch to see where it moves next (thanks to no blockchain)
Oh yeah, I've heard of that! I use lightning because its tor-like routing protocol offers really good privacy protections if you run a node. Monero is that one cryptocurrency that's traceable by default, right?
https://cointelegraph.com/news/chainalysis-leak-monero-traceability
> I said "the sender knowing the address of the recipient isn't 'tracing the transaction'"
...but that *is* the first step of a trace. If it "isn't tracing" then it obviously "doesn't count" as tracing (in your worldview) so why is it dishonest for me to say so? I'm just pointing out how silly it is to say that "identifying the recipient of tx A" doesn't count as tracing when that's how all tracing starts. Why do all tracers start there if that's not tracing? Why do they always either send money to the target themselves or find someone who already did and get the tx info from them?
To me it is obvious why they do that: because monero makes this part easy, it gives the sender (and anyone they share the data with) cryptographic proof of what pubkey has the money which allows them to watch the blockchain to see where that pubkey shows up next. This is tracing 101.
> on LN the sender sees the node pubkey
...which might be a decoy
> just like a stealth address on XMR
...except that does not support decoys due to the lack of transaction chaining on monero. If Jimmy sends money to a monero "public address" he can cryptographically prove that the pubkey therein controls the money. (Btw, that is the first step of every trace, unless the tracer can find someone who already sent money to whoever they're looking for, which has the same result.)
Not so with LN: if Jimmy sends money to a lightning invoice he does not know if the pubkey therein ever controls the money even for a second. It might be a trampoline node serving as a decoy recipient, because every lightning has built-in support for this. It's part of the protocol design to allow this: thanks to how HTLC forwarding works, the recipient can always put a decoy recipient in the bolt11 invoice without the sender being able to detect it, and if the recipient does that, the decoy recipient looks like the recipient but never controls the money.
> then proceeds to mention how it's an added workaround
The nice thing about this "added workaround" is, it's undetectable. Consequently, the sender cannot know if you're doing it. They don't know if the node that looks like the destination is the real destination or a decoy. Monero does not have this feature because it is sender-traceable by design.
> every output is always a proxy output
Zero monero outputs are ever proxy outputs if by that you mean "they hide the real recipient from the sender." They cannot be because the sender creates them in monero. He necessarily knows exactly where the money goes because he picked the destination and did not create a decoy.
> if I know the coins I sent to you end up at "node x"
This is the fundamental difference: with lightning, you never know that. The destination might be a decoy and you as the sender have no way of detecting that.
> this is optional transparency by design
It is "letting the sender trace his payment" by design and it gives chain analysts a great first step in tracing a series of monero transactions
> there is no concealment
That's the flaw
> i.e. not tracing
Only in bizarro world does the first step of a trace not count. In the real world, we "start at the very beginning, a very good place to start," to quote Mary Poppins. But in your world, apparently that is a terrible place to start -- it's not even real tracing (says you)! Question: then why do all the tracers start there?
