[cornholio]

I'm going to need more context here on the ChipMixer claims. Let's say a tracked party deposits amount A in CM style mixer, and then receives private keys corresponding to amounts B, C, D, E, F, G, previously deposited in the blockchain, which happen to add up to A minus a random 0 to 4% mixing fee. You have full view of A and know that it's being deposited to CM with 100% confidence.

As long as nothing moves on the blockchain, and the trust requirement you mention is fulfilled, I hope you agree that, save from some bug in the implementation, you will have no idea what private keys were received by the original owner of A. It's logically impossible, since CM has already pre-deposited many more other funded private keys (in fact, the entire previous volume of their laundry) and by the definition you don't know which ones of those were disclosed to the client A. The number of combinations is a factorial of the number previous clients, the vast majority you won't know.

So the attack scenario has to be more convoluted than that, perhaps the client immediately consolidates his received keys into a single address, perhaps we assume the attacker has perfect information over all amounts A deposited, which is clearly not practical etc. But that's another discussion altogether that deals with breaking a certain implementation of finding a launderer with a certain behavior. Research papers always make bold claims to raise interest, and often deliver crypto style failures, that require "only" 2^64 attempts, so the system is "broken".

But the issue we debated above - address pseudoanonymity enabling untraceable off chain asset swaps - is already settled if you agree to the second paragraph.

[ivancho]

But we don't have to search for those keys in all of the deposits that CM ever made - only in the ones that stopped churning and mixing. Maybe they try to control the dynamics of their lots to be statistically indistinguishable from the withdrawals - but that requires a vastly larger pool of capital and continuous operational effort, and I have a hunch they do not in fact do that.

Furthermore, if you are a client, how long are you willing to keep your money in private keys that you know CM also has? Even if you don't mistrust them, you still need to worry about the exact scenario that happened - they get busted and all their private keys get seized. So chances are those amounts leave the CM network of addresses pretty quickly, even if they don't get added up in a single address. So now all that combinatorial explosion drops down to a pretty tractable k-NN classification problem.

I would advise against making strong statements like "logically impossible" about things that seem to require a lot of very narrow conditions like perfect actor behavior and strong stationarity in order to be true.

[cornholio]

The point is, if law enforcement needs for the launderer to mess up after the invisible off chain transfer, or for the mixer to betray them, you have already conceded that address pseudoanymity is a strong, sometimes unremovable layer of privacy. Forensics exist even for physical cash, you can trace banknote serial numbers, lift physical fingerprints or DNA etc. Yet, that doesn't mean it's a good idea to leave people cross borders with sacks of money, there is wide agreement in our society that cash offers a privacy that is very conducive to anti-social actions. Bitcoin privacy is much, much stronger than physical cash, and pushed to 11 for things like Monero or Zcash.

In the restricted scenario provided, it really is logically impossible to know the ownership transfer happened. Your attack requires knowing all inputs into the laundry, which you won't have in the general case, they'll look like any other transfers in the blockchain.

Even if a mixer is busted, I can be pretty sure they abide by their public claim to not keep any history older than a few hours after the mixing is complete, secret keys and all, because it's not in their interest for such evidence of crimes to exist.

[ivancho]

I have not conceded anything. Many crimes would be perfectly unsolvable if everyone did everything perfectly, and yet.. You are again using "logically impossible" while insisting on a very specific condition, "not knowing all inputs into the laundry", which is very much solvable to a high degree of certainty - CM mixes so hard that their addresses are all connected to each other - I just need to send them a single transfer, watch it tumble, then connect the dots, and then list all transactions leading into that giant hairball of connections. Just read the Justice Dept complaint against CM - it has an extensive inventory of specific customers and crime proceeds, using "Company A [..] tracking approximately 118,500 bitcoin addresses associated with ChipMixer". Now how would they do that if it was so logically impossible?

And why would having a private key to an output address that no one else has touched be an evidence to a crime? They probably only delete them after the user has transferred the funds out, if they even bother.

I don't know why you are so bought into Bitcoin privacy specifically, but it holds as much water as the privacy statements in the App Store - anyone with sufficient motivation and data analysis skills can poke right through it. Monero is likely stronger, but if it can't be cracked, then as soon as it becomes big enough it will get blocked.

[cornholio]

Ah, I see, the real ChipMixer had a major flaw. I had no idea how the entire system operated, I used it just as an example to illustrate off-chain custody handovers. My "logically impossible" scenario was that the mixer has an array of addresses on the chain funded by previous customers, and when a new customer comes in it just runs a knapsack on that set and assigns them a subset of keys. Perhaps add a single layer of coinjoins to dilute each "really bad" incoming transaction, so clients won't directly get the bitcoins laundered by kidnappers and it's transparent to the whoever is doing the tracking that the coins have been laundered.

> why would having a private key to an output address that no one else has touched be an evidence to a crime?

An address is a hash over an ECDSA public key and a public key is a computational derivation of the random private key. If you have the private key, you can derive the associated address which is publicly connected on the blockchain to known proceeds of crime that have been laundered. That they were spent or not (by an another customer than the criminal) is irrelevant, it proves that you handled them.