
As an actual cryptographer who has looked into it, I wouldn't put too much faith in Monero's fungibility. The story is not as good as the PR would have you believe, and is really not all that different from Bitcoin with CoinJoin.



Elaborate. Your statement says nothing but "I'm a software engineer, so believe me when I say the Slack app sucks."


Analysing Monero traceability is hard. Early wallets picked addresses to use in bad ways. A lot of academic work is needed. Luckily ZeroCoin exists.


I don't know why you are being down voted, since you said exactly what I was alluding to. Monero's ring signature traceability is very hard to analyze. Even if the ring signature is not broken in a cryptographic sense, transactions can still be linked by the other fingerprints they leave, or by wide spectrum analysis.

It's a bit like a game of sudoku. A mixin input could have 4 different coins, and technically you can't be certain from the signature which is the real input. But in reality you can do downstream or source analysis and come up with probabilities for whether the prior transactions were authored by the same wallet, or associate with other keys used by other mixin inputs. Every little bit adds to the probability of two addresses being linked, and it really doesn't take many bits of information to confirm or eliminate mixin inputs as being real or fake.

This is notably different from how ZeroCoin operates, where the anonymity set is everyone and it is fully untraceable. However ZeroCoin has problems with respect to performance and deployment :\


You also forget Confidential Transactions. How can you do any kind of useful downstream or source analysis when you don't know the amounts and you have stealth addresses? Also you can have a huge number of mixins which use the total pool of TXs ever done.

It's the same as RSA-4096: in theory you could eventually brute-force a key, but in reality it's not a viable attack.

You're just saying abstract things without backing them up with details. Also Zcoin has scaling issues with TXs being 50x of Zcash (another Zerocoin-based implementation)


There are more ways of linking transactions than just values. I enumerated some of them in my comment.


While I won't say that Monero offers great privacy, it's clearly much better than CoinJoin or JoinMarket on Bitcoin. For one thing they have thousands of users and transactions. The number of people participating in mixing gives you a big shield to hide behind.

For another, they hide balances, and they do actively pay attention to the information leaks, and they employ strategies to fight that. When the drug markets were busted, dash and pivx users were discovered, but Monero users were kept hidden.

It's pretty clear to me that they are at least moderately successful where nobody else really is yet. New strategies may come out tomorrow to unmask everyone, I certainly wouldn't bet my own life on Monero's safety, but they overall are outperforming everyone else in a practical sense.


How are Confidential Transactions in combination with Ring Signatures not way better than Bitcoin+CoinJoin? If you focus on the transactions after the RingCT merge and not older 0-mixins, it seems pretty strong to me.


This paper explains in some basic detail why CoinJoin is a half-solution vs. Ring sigs + RingCT

http://weuse.cash/2016/06/09/btc-xmr-zcash/


Care to elaborate?


Monero works by ring signatures. When you make a spend, in addition to the coin you are spending you pick a small number of other coins, presumably at random. Validators don't know which coin of the set is being spent, but they do have assurance that any specific coin can't be spent more than once.

The problem is that there are a lot of knobs to tweak here. Which coins do you pick? They're not all random because at least one of the coins is from your wallet. People have specific usage patterns that give a prior on what output is the user's vs a randomly selected one. (E.g. an output that is 2 years old is less likely than one that is 2 weeks old to be the user's, since most outputs being spent are recent.) In addition, details of the transaction such as how many other coins are selected per signature, reveal what client might be used.

It has been our experience with bitcoin that it is incredibly hard to mask what software is used to generate a transaction. It turns out that there are a ton of things that can watermark a transaction and thereby decrease your anonymity set -- from coin selection to serialization choices to the default settings of optional knobs like fee or locktime. And these generally interact very badly with ring signature systems. If your wallet version makes transactions a certain way, and none of the other mixin inputs you included do exactly the same thing, then it is blindingly obvious which input is actually yours -- the one from a transaction that matches yours in these other respects.
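The "sudoku" argument made in the thread (age of the referenced output as a prior, plus client-style fingerprints that either match the spending transaction or don't) can be turned into a privacy-loss metric that a wallet author can use to judge decoy selection. The following is an added example, not code from any commenter or from the Monero project; the ring members, the age half-life, the mismatch penalty and the client tags are all constructed assumptions.

```python
"""Effective anonymity set of a ring-signature spend under simple fingerprint priors.

Added example, not from the thread. Each ring member carries two observables
discussed above: the age of the referenced output and the "style" of the
transaction that created it. A prior on age plus a match/mismatch on client
style turns the nominal ring size into a much smaller effective anonymity set.
"""
from __future__ import annotations
import math
from dataclasses import dataclass

@dataclass
class RingMember:
    label: str
    age_days: int       # age of the referenced output at spend time
    client_tag: str     # constructed stand-in for serialization/fee/locktime style

def age_prior(age_days: int, half_life_days: float = 30.0) -> float:
    """Assumed prior: the probability of being the real spend halves every 30 days of age."""
    return 0.5 ** (age_days / half_life_days)

def posterior(ring: list[RingMember], spender_tag: str, mismatch_penalty: float = 0.05) -> list[float]:
    """Normalised probability that each member is the real input.
    Members created by a client whose style differs from the spender's are down-weighted."""
    weights = []
    for m in ring:
        w = age_prior(m.age_days)
        if m.client_tag != spender_tag:
            w *= mismatch_penalty
        weights.append(w)
    total = sum(weights)
    return [w / total for w in weights]

def effective_anonymity_set(probs: list[float]) -> float:
    """exp(Shannon entropy); equals the ring size only when every member is equally likely."""
    h = -sum(p * math.log(p) for p in probs if p > 0)
    return math.exp(h)

# Constructed ring of 5 members: nominal anonymity set is 5.
RING = [
    RingMember("real",   age_days=10,  client_tag="walletA"),
    RingMember("decoy1", age_days=400, client_tag="walletB"),
    RingMember("decoy2", age_days=730, client_tag="walletC"),
    RingMember("decoy3", age_days=5,   client_tag="walletB"),
    RingMember("decoy4", age_days=200, client_tag="walletA"),
]

def analyse(ring: list[RingMember] = RING, spender_tag: str = "walletA"):
    """Return (posterior per member, effective anonymity set) for the constructed ring."""
    probs = posterior(ring, spender_tag)
    return {m.label: round(p, 3) for m, p in zip(ring, probs)}, round(effective_anonymity_set(probs), 2)

if __name__ == "__main__":
    by_member, eff = analyse()
    print(by_member)
    print(f"nominal ring size {len(RING)}, effective anonymity set {eff}")
```

With these assumed priors the real input carries over 90% of the probability mass and the effective anonymity set collapses from 5 to roughly 1.3; decoys chosen with the same age profile and client style restore it to the full 5.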


That's interesting! I haven't really looked into it in detail. So are there any actual anonymous coins out there?


Not any that are scalable or trust-free.


This extraordinary claim is going to need some extraordinary evidence, re: Monero's fungibility.



