Post Idea: Tornado Cash

Paper / Discussion Title

Tornado Cash

It can be a great way (popsci) for people to get a better understanding of how to use mixing/shielded transaction solutions correctly, i.e., without voiding the security benefits that the project provides, on the blockchain.

The usage of such…I can think of one.
If your legal dept asks for your Ethereum address to be absolutely clean, i.e., without previous transactions - because they are worried that the funds that went in/out of the address could be illegal or against the tax law - you may have a slim chance to persuade your legal dept that: since any transaction out of the Tornado Cash contract is (under certain assumptions) unlinkable to any of the input transactions, the funds are clean now.

Just an imaginary scenario though.

6 Likes

Thanks for the thorough post idea, @Jerry_Ho. I think a summary on Tornado cash could be interesting. Mixers have been underutilized in Ethereum because of how easy it is to trace (and taint) balances under the account model.

However, there have been some promising improvements in this area. A paper came out on Research Pulse a couple of weeks ago describing an interesting non-interactive coin mixer for account-based chains: https://eprint.iacr.org/2021/327.pdf

We could follow the same approach as Plonk and write a summary citing different sources in the “background”, “key takeaways”, and “implications” sections. What do you think?

2 Likes

I do agree with your point: Ethereum is inferior for privacy, in a sense. (worse than UTXO model for bitcoin, for example.)

I briefly skimmed Veksel, and I think it’s a good work:

  • It doesn’t assume itself to be Ethereum only
  • No restrictions on anonymity set size
  • A fully? homomorphic commitment scheme, sounds fun and (cryptic to me).

That’d be a great summary to be written, but I don’t think my summary would be beneficial to the community - an ideal way would be to walk through the maths used in Veksel, and guide readers in the process, as Vitalik did in his (many) blog posts. This is especially good for this kind of protocol article cause people (engineers) just need a research guy to explain the math, step by step, to them, in an implementable fashion, thus they can build a library for it.

I don’t have enough background nor knowledge to do so at the moment, but I’ll definitely find someone to do a pair reading in the future.

Meanwhile, if we were to limit the scope of the summary to a “comparison of mixers on Ethereum” as a discussion post, I do have some in mind:

Well so here we are, having tornado.cash as the only active and usable mixer project. (2020) No wonder I saw some ppl complaining here: Ethereum (ETH) Mixer

I could add this paper into the summary/discussion post of Tornadocash, if you think the original direction is not technical enough:
(2020) https://arxiv.org/pdf/2005.14051.pdf
https://twitter.com/istvan_a_seres/status/1266192703307632649?s=21
Check section 6 and section 7:


Honestly, I have 0 idea where to find all the living and ongoing projects of this sort (mixer/zk shielded transaction natively on Ethereum). Please kindly inform me if I did not mention some famous mixers, before I start writing and researching on the discussion post.

4 Likes

Mixers like tornado cash address this. I think their lack of usage is due to how expensive SNARK operations are currently on Ethereum.

A transaction fee equivalent of upwards of ~$125 to enter the mixer and a similar fee to later exit makes such transactions only palatable for large transactions.

Perhaps there is a paper that explains this? I would be interested to know why the account model is inferior to UTXO when it comes to privacy.

1 Like

Yeah, this one did that exactly:

Aside from the discussion on TornadoCash in Sec6 and Sec7, the whole paper is trying to answer your question.

Introduction:


Judging solely from the paragraph in the introduction: I’d say he has a point. It’s not even a security assumption thing - people really tend to reuse addresses even with deterministic generatable? wallet standard implemented.

And the paper gave a practical result on fingerprinting users with their addresses, although I haven’t checked its methodology yet.

3 Likes

Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users is an excellent suggestion! It touches upon a lot of these trade-offs and empirically analyses tornado cash.

2 Likes

K, I think I can write this one instead, and put aside mixers/tornadocash at the moment. Will create another thread/github issue.

Just one quick question:
I’m not too familiar with the network stack of the internet. While PERIMETER feels like it is targeting transport layer, network layer, and datalink layer attack/analysis, it seems that “Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users” is solely focusing on application layer analysis and fingerprinting (without active attack).

So there’s no need to compare the two in the incoming summary, amirite?

1 Like

Broadly speaking, privacy attacks on blockchain networks tend to fall into 2 categories. “PERIMETER” is an excellent example of a transport layer attack whereas “Blockchain is Watching” provides a good background on transaction graph linkage attacks.

Covering “Blockchain is Watching” could provide a pathway for us to discuss the predominance of both attack types.

2 Likes

I have a question: what will happen if the Merkle tree is full?

2 Likes

Welcome to the forum, @HowJMay!

It would take a gigantic number of mixing rounds for it to become an issue if the hash function used is believed to have what is called “preimage resistance”. Here’s a good resource to learn more about it: