Tornado: Introducing a private transaction mechanism for Ethereum

Author: Tornado Cash

Translation & Proofreading: Zeng Yan & A Jian

Source: Ethereum enthusiasts

By default, your entire transaction history and all your balances on Ethereum are public. Anyone can view every transaction through a block explorer such as Etherscan. If someone knows your address, they can easily look up your payment records, trace the source of your funds, calculate your holdings, and even analyze your on-chain activity.

Sometimes, however, you don't want to disclose your transaction history and balance. If you want anonymity and privacy in your transactions, is there a good way to get them?

For years, people have been trying to build private transaction mechanisms on Ethereum. One approach is to obscure the flow of funds, for example by using a centralized exchange or a custodial mixing service. Doing so, however, inevitably introduces a high degree of counterparty and surveillance risk. As a result, these tools have never been able to rival privacy-focused cryptocurrencies such as Zcash, which uses various cryptographic methods, including zero-knowledge proofs, to protect privacy.

Today, we are very happy to announce that truly private transactions are also possible on Ethereum! Our new tool, tornado.cash, is built on a breakthrough technology and a non-custodial model based on strong cryptography. With it, you can send cryptocurrency on Ethereum 100% anonymously.

How does Tornado.cash implement privacy on Ethereum?

The main idea is to break the on-chain link between the payee and the destination address of the funds. You deposit Ether into a Tornado.cash smart contract and then withdraw it using a different address. Whenever you withdraw Ether to a new address, no one else can link the deposit address to the withdrawal address, thus ensuring absolute privacy.

In this approach, Tornado.cash acts as a proxy, using zk-SNARK proofs to ensure 100% anonymity of transactions.

Even better, it is still 100% non-custodial, which means that you keep full control over your deposit. It's time to say goodbye to centralized services that often run off.

Deposit

When depositing, the user generates a secret and sends its hash value (also known as a "commitment"), along with the deposit amount, to Tornado's smart contract. Once the contract receives the deposit, the commitment is added to the contract's deposit list.

Later, when the user wants to withdraw, they must provide the contract with a proof that they hold a secret corresponding to one of the unspent commitments in the contract's deposit list. Thanks to zk-SNARK technology, this match can be verified without revealing which deposit the secret relates to. The Tornado smart contract checks the proof and then transfers the deposit amount to the designated withdrawal address. An outside observer has no way of knowing which deposit the withdrawal came from.
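To see what the zero-knowledge proof is protecting, the sketch below models the same deposit list but lets the user withdraw by simply revealing the secret. It is an added example, not Tornado.cash contract code; `ToyPool`, `naive_withdraw`, the addresses and the use of SHA-256 as the commitment hash are all assumptions made for the illustration.

```python
import hashlib
import secrets

def commitment(secret: bytes) -> str:
    # SHA-256 is a stand-in chosen for this sketch, not the contract's hash.
    return hashlib.sha256(secret).hexdigest()

class ToyPool:
    """Public state only: deposit list, spent markers, withdrawal log."""
    def __init__(self):
        self.deposits = {}      # commitment -> depositing address
        self.spent = set()      # commitments already withdrawn
        self.withdrawals = []   # (withdrawal address, revealed secret)

    def deposit(self, sender: str, commit_hex: str) -> None:
        if commit_hex in self.deposits:
            raise ValueError("commitment already deposited")
        self.deposits[commit_hex] = sender

    def naive_withdraw(self, recipient: str, secret: bytes) -> None:
        """Withdraw by revealing the secret, with no zero-knowledge proof."""
        c = commitment(secret)
        if c not in self.deposits:
            raise ValueError("no matching commitment")
        if c in self.spent:
            raise ValueError("commitment already spent")
        self.spent.add(c)
        self.withdrawals.append((recipient, secret))

def observer_links(pool: ToyPool):
    """Re-hash every revealed secret, as any chain observer could."""
    return [(pool.deposits[commitment(s)], to) for to, s in pool.withdrawals]

def demo():
    pool = ToyPool()
    # Constructed sample: three depositors, each with a random secret.
    notes = {a: secrets.token_bytes(31) for a in ("0xAlice", "0xBob", "0xCarol")}
    for addr, s in notes.items():
        pool.deposit(addr, commitment(s))
    pool.naive_withdraw("0xFresh", notes["0xBob"])
    return observer_links(pool)   # [("0xBob", "0xFresh")]
```

Revealing the secret is enough to stop double withdrawals, but it hands every observer the deposit-to-withdrawal link; proving knowledge of the secret without revealing it is what removes that link.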

This is how it works. Next, I explain why the anonymity set is so important.

Anonymity Set

The size of the anonymity set is essentially a measure of anonymity. It shows how many deposits are still waiting to be withdrawn. In other words, it is the number of mixed deposits that the Ether you withdraw could have come from.

The chicken or the egg?

You may notice that there are two options when you withdraw:

  • Wallet (MetaMask, Trust Wallet, etc.)
  • Relayer

The first method requires that you have a brand new Ethereum address with some Ether in it. This raises a question.

How do you get some Ether while keeping the address anonymous?

We usually get Ether from other people (whether or not we use an exchange), but that associates the new address with other people's addresses, which is exactly the exposure we want to avoid.

That's why we provide the second option. You only need to generate a new Ethereum address, and the rest of the work can safely be left to the zk-SNARK proof and the relayer. This process will charge you some Ether, just to pay the transaction fee of the Ethereum network.

Anonymity Tips

  • Whether or not you use a relayer, remember to maintain ordinary network anonymity, for example by using a VPN, proxy, Tor or similar tools to hide your IP address. Since you are using a browser, it also helps to use private (incognito) tabs.
  • Make sure you clear the dApp's cookies before using the new address, because when the dApp sees the old and new addresses with the same cookies, it will know that the two addresses belong to the same owner.
  • Some of the data in the note can be used to link your deposits and withdrawals. Therefore, after you complete the withdrawal, it is best to make sure that you have safely destroyed the note data.
  • Do not withdraw immediately after making a deposit. If you withdraw right after depositing, an observer will guess that the same person is behind both operations, and you are exposed. Therefore, we recommend that you wait for at least 5 new deposits before making a withdrawal.
  • Do not only wait for new deposits; also let some time pass. Even when several deposits follow yours, they may all come from one person sending multiple junk deposits to make users mistakenly believe that the anonymity set is already large. We recommend that you wait at least 24 hours to ensure that multiple people deposit during this period.
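The anonymity-set definition and the last two tips, worked through on a constructed event log to show how junk deposits inflate the nominal count. This is an added example, not Tornado.cash code; the event tuple layout, the addresses and the function name are assumptions.

```python
from datetime import datetime, timedelta

MIN_NEW_DEPOSITS = 5             # threshold quoted in the tips
MIN_WAIT = timedelta(hours=24)   # threshold quoted in the tips

def anonymity_report(events, mine, now):
    """events: chronological (time, kind, sender) tuples, kind being
    'deposit' or 'withdraw'; mine: index of the deposit being assessed."""
    seen = [e for e in events if e[0] <= now]
    deposits = sum(1 for e in seen if e[1] == "deposit")
    withdrawals = sum(1 for e in seen if e[1] == "withdraw")
    my_time, _, my_sender = events[mine]
    later = [e for e in seen[mine + 1:] if e[1] == "deposit"]
    # Distinct senders is only an upper bound on distinct people: one
    # person can also deposit from several addresses.
    distinct = {s for _, _, s in later if s != my_sender}
    return {
        "anonymity_set": deposits - withdrawals,   # deposits still unspent
        "new_deposits": len(later),
        "distinct_new_depositors": len(distinct),
        "count_rule_met": len(later) >= MIN_NEW_DEPOSITS,
        "count_rule_met_distinct": len(distinct) >= MIN_NEW_DEPOSITS,
        "wait_rule_met": now - my_time >= MIN_WAIT,
    }

# Constructed sample log: one address pads the pool with five deposits.
T0 = datetime(2020, 1, 1, 12, 0)
LOG = (
    [(T0 - timedelta(hours=2), "deposit", "0xA"),
     (T0, "deposit", "0xMe")]                     # index 1: deposit assessed
    + [(T0 + timedelta(minutes=5 + i), "deposit", "0xSpam") for i in range(5)]
    + [(T0 + timedelta(minutes=30), "withdraw", None),
       (T0 + timedelta(hours=3), "deposit", "0xB")]
)
NOW = T0 + timedelta(hours=4)
REPORT = anonymity_report(LOG, 1, NOW)
```

In this log the nominal count of new deposits passes the 5-deposit rule after only ten minutes, while just two distinct addresses have actually deposited and the 24-hour rule is still unmet.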