The definition that you use of fungibility is fine and correct. The issue I take with your position is that you selectively ignore parts of the definition in order to promote a false narrative about fungibility. How so? Look below:
we could say that dollar bills are NOT fungible because each one has a serial number that makes it distinguishable from every other unit.
You could NOT say that, even by a strict definition. In order to take this strict interpretation you would have to ignore a key word in your own definition and that is “essentially”. By saying something is “essentially interchangeable” the definition explicitly rejects strict interpretations such as yours.
In other words, because serial numbers have nothing to do with the function of currency, they do not represent an essential distinguishment. In other words, legally, you are NOT allowed to reject a USD for payment just because it has a serial number that you don’t like, or a different number than another bill. This is the meaning of the phrase “essentially interchangeable”, i.e. in essence the fundamental properties of each bill are the same.
So your strict interpretation of the definition is NOT correct. All intact USD are legally required to be accepted as payment for debts, goods and services regardless of their serial number, thus they become legally fungible despite having a different marker which allows tracking and historical comparisons. This essentially completely destroys your position that UTXO coins “are not fungible because of the history”.
In essence, that’s completely irrelevant because every UTXO cryptocurrency is interchangeable with another of the same coin, so there can be NO LOSS OF FUNGIBILITY BY DEFINITION. This is the error in your position.
So even your “less strict view” completely misses the mark. Fungibility is NOT about acceptance, nor is it about “history”, it is strictly about interchangeability. If two equal units are interchangeable they MUST BY DEFINITION be fungible. Claiming anything else is inaccurate and misleading. You even admit that blacklists exist for dollars. … … … That is you admitting that the idea of blacklists for currencies is NOT a fungibility issue. Cryptocurrency blacklists are checked much less frequently than dollar blacklists, as Russia finds out these days (their funds have been blacklisted by western powers).
There is no need for a “fungibility scale”, the only thing that is in question, imo, is whether or not the units are essentially interchangeable. Even with Russian funds being blacklisted and unable to be used, nobody in their right mind is claiming that the USD is not fungible because of it. Therefore, the same standard must be applied to cryptocurrencies as well or the definition of the word is violated. Such a violation is what I allege your position holds.
Your gold example continues to miss the point. Fungibility has nothing to do with blacklists or acceptance. It is about interchangeability only. If you can use a piece of gold the same as another piece of gold of equal weight and value, then it is by definition fungible. The definition that you cited has NO MENTION of blacklisting or denial of service for political reasons, therefore, it is disingenuous to claim that UTXO cryptocurrencies are less fungible than XMR for the same reasons.
Bitcoin
Your comments here are equally off the mark; Bitcoin and other UTXO cryptocurrencies are NO LESS FUNGIBLE because of the history. They were literally designed this way. The history is a feature, not a bug. And according to the definition you yourself cited there is NO loss of fungibility thereof. Furthermore, Coinjoin is not a “minor exception” and Bitcoins so mixed are not “highly trackable”. In fact, they are not trackable at all.
Coinjoined cryptocurrencies have no transaction history! See for yourself, attempt a coinjoin and look on the blockchain, there will be only a single address (the current one). That’s it. It is extremely disingenuous to pretend that this is “highly trackable” and a “minor exception” when your entire argument rests on the premise that a Bitcoin’s history makes it less fungible than gold and cash (which basically has the same history with serial numbers and manual tracking).
ZCash
Your use of language here is deceptive. There is nothing “unfortunate” about the use of transparent addresses, you are placing spin from the XMR community onto other cryptocurrencies because it is in your interests that uninformed third parties view your coin as “uniquely fungible”.
To do this not only do you ignore part of your own cited definition (i.e. “essentially interchangeable”, which all UTXO coins are), but you also use emotionally charged and incorrect language. No one in the ZCash, BTC, DASH or other UTXO communities feels that the transparency of their chains is “unfortunate.” That is spin from your community and it is dishonest to misrepresent that subjective opinion as fact.
Monero
Of course, the most egregious of the misinformation is in this section. Monero is VERY vulnerable to several different forms of transaction analysis and has been, by the admission of its developer community, since its inception in 2014.
Statistical heuristic analysis, various timing and side channel attacks, as well as a weak decoy selection algorithm being four major pain points that other cryptocurrencies with a UTXO model do not suffer from (ZEC excepted, they also suffered from two similar side-channel attacks in 2019). This makes your claims even more disingenuous, because the purported solution that you’re offering is worse than the alternatives that you malign!
If I’m correct, and please point out where if you think I am not, then my distaste for the XMR community and their proselytizing should be readily apparent. If you were to succeed, you would in essence be tricking individuals into using an INFERIOR privacy solution. There is NO solution to the above-cited OSPEAD attack. Also, timing analyses from 2018 were able to deanon 90% (!) of XMR transactions!
Monero Privacy Protections Aren’t as Strong as They Seem - The Dark Web’s Favorite Currency Is Less Untraceable Than It Seems
The researchers also found a second problem in Monero’s untraceability system tied to the timing of transactions. In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction.
Before a recent change from Monero’s developers, that timing analysis correctly identified the real coin more than 90 percent of the time, virtually nullifying Monero’s privacy safeguards.
After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.
These analyses, while eventually mitigated to a degree, still exist as viable modalities of attack for XMR. What’s more, in response to the allegations:
On the issue of identifying coins based on analyzing the timing of transactions, however, [Riccardo] Spagni [Monero core developer and spokesperson] admits there’s no simple solution. “There are steps we can take to continue to improve the sampling, but the reality is that this isn’t a solvable problem by just pecking away at it,” he says.
“We need to have a better scheme that allows us to sample a much bigger set [of coins].” But he also notes that the larger the set of decoy coins in every transaction, the more storage Monero requires on users’ computers and the longer its transactions take. “We’re trying to find the balance,” he says.
All of which means Monero may continue to leak small amounts of information that could be used to point to likely spenders—even if not providing a smoking gun. Even so, the researchers warn that small information leaks can build up over time, and can be combined with other data sources to provide that more concrete evidence.
This not only prevents XMR from being an acceptable privacy solution, but exposes the hypocrisy of your position vis a vis fungibility, as obviously being able to trace transactions would break your (incorrect) version of fungibility. This is an egregious oversight that forms the basis of my displeasure with your community and the narrative you’re crafting.
DASH
Further, you incorrectly imply that DASH’s coinjoin is not effective, in complete contravention to the research on coinjoin. DASH’s coinjoin is the MOST EFFECTIVE form of coinjoin.
Relying on masternodes, which total over 4,000 in number (ZEC only has 330 full nodes, XMR around 1500, BCH has 1600 for comparison), which are full nodes that routinely (every day) prove both ownership over 1000 DASH as well as service to the network (i.e. instant transaction locking, selecting coinjoin participants, storing the block chain etc. etc.) removes both trust in malicious third parties (like previous coinjoin implementations that rely on a single central server, like Bitcoin Cash’s CashShuffle implementation does), as well as removing possibility of user error.
A single button click allows a user to indicate they wish to coinjoin, join a round as well as participate in a preselected amount of rounds (up to 16) at low cost (DASH transaction fees are less than 1 c, again thanks to the masternodes).
Other coinjoin implementations are expensive, slow, lack liquidity (due to not having dedicated infrastructure like DASH does), many are trustful (requiring custody of funds unlike DASH where you never lose custody of your funds) amid other problems that come from relying on volunteer efforts and third parties.
Finally, the information you provide is also incorrect vis a vis Coinjoin functionality. DASH’s Coinjoin does hide amounts and is perfectly unlinkable. DASH doesn’t just coinjoin the amount in your wallet, it breaks up each value to be coinjoined into separate denominations of 10, 1, .1, .01, and .001 DASH.
So if you want to coinjoin 6.5 DASH from a single address, for example, you will get back 6 addresses containing 1 DASH each and 5 addresses containing .1 DASH each, which effectively completely hides the total balance because UTXO blockchains have no linkages between addresses that aren’t historically tied together. Every coinjoined address is created newly, so you basically receive 11 new addresses with ZERO history (check the blockchain to verify) which hides both the balance amount as well as the history of funds.
Furthermore, the anonymity set size for a coinjoin transaction is (3-5)^number of rounds. It’s 3-5 because the wallet will randomly select between 3 to 5 total participants. The default number of rounds is 2, but you can select up to 16 in the wallet. So a 16 round coinjoin provides an anonymity set size of 3^16 = 43,046,721 different possible linkages.
This is for all intents and purposes IMPOSSIBLE TO TRACE, and provides DASH the ability to “sample a much bigger set [of coins]” that the Monero core developer cited as a wanted feature above. XMR by comparison has a ring size of only 11, which means that your transaction is included with 10 other decoy transactions, giving an anonymity set size of 11. This is several orders of magnitude LESS than a DASH coinjoin session and this fact alone makes your interpretation of the “fungibility scale” extremely suspect.
Finally, you state that “coinjoin tx are a relatively small percentage of the total number of Tx”. This again is a misleading argument. As cited above, when you mix any amount of DASH, you only have to do it once. So for example if you mix 350 DASH (roughly $37,000), you’re going to have roughly 16 transactions at 16 rounds.
But at the end, you’re going to have $37,000 of mixed DASH, which means that when you spend from that amount, you don’t have to mix any of it again. You can generate for example 1000 transactions of $37 from that amount and still have only performed 16 total mixing transactions.
And because DASH separates the act of mixing DASH and sending that DASH, DASH breaks the link between mixing funds and spending them, which automatically prevents the very same timing analyses that broke XMR’s privacy that I cited above. XMR was vulnerable because every XMR transaction is a mixing event which artificially links the two together and makes the coin vulnerable to timing analyses and statistical heuristic attacks.
I.e. you can mix 10 DASH today and not spend it until next year. Or spend small amounts over time. There is no way to link a DASH spending event with a DASH mixing event, which not only breaks the transaction graph on the blockchain but obviates all forms of timing analysis. This fact is what underpins my contention that DASH’s coinjoin is the best form of privacy.
So DASH is just more efficient than XMR is, which creates the decoys and “mixes” every single transaction you make with them, causing blockchain bloat. So it’s misleading to use the “low number of coinjoin transactions” as a pain point, that’s a feature not a bug. You only have to mix once in DASH which dramatically lowers the total number of coinjoin transactions necessary. But that doesn’t mean coinjoin isn’t used.
That $37,000 will be mixed FOREVER. You don’t need to mix it more than that. But XMR would require you to “mix” every time you send a transaction. Which artificially pads both the number of mixing transactions as well as blockchain bloat. This is part of the reason that XMR’s blockchain is much larger than DASH’s at over 120 GB (DASH’s is only 34 GB).
In general, there is no such thing as a “fungibility scale” because fungibility is a binary. You’re either fungible with other units or you’re not. A torn dollar is NOT fungible because it is not legally considered to be a dollar. But every intact dollar is fungible with other dollars of equal value. It is the same with UTXO cryptocurrencies. And with that, I conclude my comments in regards to fungibility and the current best-in-class of the cryptocurrency space. I welcome all criticism and dissent from my position.
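Added example, not part of the original post or of any project's code: a toy simulation of the timing heuristic described in the quoted article (the real input tends to be the newest member of the ring), showing why decoy ages must follow the same distribution as real spend ages. Only the ring size of 11 comes from the post; the spend-age model, the 365-day horizon and all function names are assumptions, and the data is constructed.

```python
import random

RING_SIZE = 11        # ring size quoted in the post (1 real input + 10 decoys)
HORIZON_DAYS = 365.0  # assumed age of the oldest spendable output (toy value)
MEAN_SPEND_AGE = 2.0  # assumed mean age, in days, of a coin when it is really spent

def real_spend_age(rng):
    """Age of the true input: recent coins are spent far more often than old ones."""
    return min(rng.expovariate(1.0 / MEAN_SPEND_AGE), HORIZON_DAYS)

def uniform_decoy_age(rng):
    """Naive decoy selection: every past output is equally likely to be picked."""
    return rng.uniform(0.0, HORIZON_DAYS)

def newest_guess_hit_rate(decoy_age, trials=5000, seed=1):
    """Fraction of constructed rings in which the newest member is the real input."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real = real_spend_age(rng)
        decoys = [decoy_age(rng) for _ in range(RING_SIZE - 1)]
        if real < min(decoys):  # the heuristic picks the member with the smallest age
            hits += 1
    return hits / trials

def effective_anonymity_set(hit_rate):
    """Ring size at which a purely random guess would succeed equally often."""
    return float("inf") if hit_rate == 0 else 1.0 / hit_rate

if __name__ == "__main__":
    for name, sampler in (("uniform decoys", uniform_decoy_age),
                          ("age-matched decoys", real_spend_age)):
        rate = newest_guess_hit_rate(sampler)
        print(f"{name:20s} newest-is-real {rate:6.1%}  "
              f"effective set ~{effective_anonymity_set(rate):.1f} of {RING_SIZE}")
```

In this model the nominal ring size stays at 11 in both runs; only the decoy age distribution changes how often the newest-member guess is right.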