As far as I know we've never claimed that the distribution is flat or that the "effective anonymity" is equivalent to a uniform distribution over prior notes (I certainly didn't claim that). One of the advantages of Zcash's approach is that you don't need to know the distribution in order to have a strong privacy claim. As I said, this is because the content of a transaction is not revealed, and so the attacker's advantage is no better than guessing based on their prior knowledge (plus the little information that can be inferred from timestamps and number of JoinSplits in a transaction).It's the same claim as for semantically secure encryption, for example: no competent cryptographer would claim that encrypting a message implies that the adversary's knowledge of the plaintext distribution is uniform; only that the ciphertext gives the attacker no further information (apart from length, typically) about the distribution.
polarized|8 years ago
It is, in the same sense that the first order anonymity set of Monero transactions is all outputs included in the ring signature which can't be proven implausible (e.g. using the methods in Section 3 of the paper). However, Section 4 of the paper points out that a non-uniform distribution means this is reduced, in practice, to a smaller effective degree. The same method can be used with Zcash to estimate a smaller effective degree since many previous shielded transactions are probabilistically unlikely.
This is certainly not 'deanonymization' or 'tracing' or any such thing, but it isn't that in the Monero case either.