Understanding Tornado Cash - The Appeal of Anonymity
Consider the following scenario: Alice wants to transact anonymously. She has tried several methods, but none have provided the anonymity she desires. Then, she stumbles upon Tornado Cash.
-
Alice decides to shield her funds using Tornado Cash. She begins by selecting her anonymity set - a pool with different denominations. Her options are 0.1 ETH, 1 ETH, 10 ETH, or 100 ETH. For this example, let's say she chooses 1 ETH.
-
Alice deposits 1 ETH into the mixing pool. Tornado makes use of anincremental Merkle Tree ( we will read about this later ) to obfuscate the transaction origin. A note is generated representing her portion of the funds from the pool.
-
When Alice decides to withdraw her funds, she provides the note (ZK proof of the funds). This note serves as a secret "handshake" between her and the pool, proving that she is part of the pool without revealing any sensitive information.
-
Using Relayers: Alice can also use relayers, who can provide the note instead of her doing so directly.
-
Receiving Funds: After proving her secret "handshake", the Tornado smart contract sends her funds to a new address.
It's important to note that on August 8th, 2022, the U.S. Treasury’s Office of Foreign Asset Control (OFAC) blacklisted Tornado Cash. This means that Tornado Cash's smart contracts are now subject to sanctions under U.S. law.
In this blog, we will delve deeper into how Tornado Cash operates, why it's so appealing, and why tracing transactions through it poses such a challenge.
Zero-Knowledge Proofs
At the heart of Tornado Cash's privacy model lies the application of zero-knowledge proofs. This cryptographic technique enables users to prove the validity of a statement without disclosing the actual information behind it. In the context of Tornado Cash, zero-knowledge proofs play a pivotal role in transactions.
Users can demonstrate the knowledge of a hash preimage without revealing the preimage itself. This ensures a robust layer of privacy, allowing users to engage in financial transactions with confidence that their sensitive information remains concealed.
Incremental Merkle Tree
Tornado Cash uses the power of the incremental Merkle tree to efficiently manage and verify transaction data on-chain. The Merkle tree, which has a binary tree structure, is constructed incrementally as new transactions occur. Every leaf node represents a commit, and the tree's structure facilitates easy verification of the integrity of the transaction history.
The incremental approach enables quick updates and ensures that even with a large number of transactions, the computational cost remains manageable. This Merkle tree architecture is the backbone of Tornado Cash's ability to maintain anonymity throughout the mixing process.
As Alice's transactions occur, the Merkle tree dynamically evolves. Tornado Cash keeps a history of the last 30 roots of this tree, providing snapshots of the tree at different points in time. When Alice decides to withdraw her funds and provides her note (the ZK proof of funds), she is effectively referencing a specific root of this tree. This root serves as a reliable and consistent basis for her proof, ensuring that her "handshake" with the pool can be verified without revealing any sensitive information about her.
MiMC Hashing Algorithm
In Alice's quest for anonymity, the use of the MiMC hashing algorithm by Tornado Cash plays a key role. This distinctive choice separates Tornado Cash from other platforms that might use more traditional methods like keccak256.
MiMC is designed to be "zk-friendly" – aligning seamlessly with the requirements of zero-knowledge proof generation.
This cryptographic hash function is employed in the computation of Merkle tree roots on-chain. While MiMC offers computational advantages for zero-knowledge proofs, it introduces an interesting challenge – the need for on-chain computation. To overcome this, Tornado Cash implements MiMC as raw bytecode, showcasing the platform's commitment to cutting-edge privacy technologies.
Relayers
Relayers are the trusted partners, ensuring the steps remain secret and secure. The relayer mechanism in Tornado Cash serves as a crucial security layer with a specific focus on countering front-running risks.
Front-running Defence
Front-running occurs when someone snatches an opportunity by copying a transaction and replacing it with their own. To guard against this, Tornado Cash introduces a clever tactic. The relayer mechanism includes a set of dummy signals in the withdrawal process, essentially creating a protective shield.
The proof now extends beyond just the transaction details; it verifies that the user correctly squared the recipient's address. It's like a secret code within the proof, ensuring that even if someone tries to copy, they need to get every part right to pass the test.
Collaborative Privacy
Relayers, acting as off-chain facilitators, enable users to transact without revealing their addresses. Users can request relayers to conduct transactions on their behalf, solving the challenge of new addresses lacking the initial gas needed for withdrawal. This collaborative approach enhances privacy, creating a win-win scenario for both users and relayers.
How can we potentially de-anonymize tornado cash?
Now that we’ve seen that Tornado Cash definitely anonymizes transactions. It poses a problem for compliance people and investigators who want to track crime. While there isn't a guaranteed method to de-anonymize Tornado Cash transactions, there are several strategies that could offer some insight.
Timing Analysis
A possible strategy involves examining the timing of transactions. Studying when transactions occur might help in identifying patterns linking transactions to specific users.
Network-level Pattern Identification
Identifying patterns and behaviors on a network level can also offer valuable leads. If a user exhibits consistent behavior, it may be possible to trace it back to them.
External Data Correlation
Data external to the blockchain could also prove useful. This could include information from social media or other online platforms that could be correlated with transaction data.
Malicious Relayers
When users wish to withdraw funds from Tornado Cash, they can employ relayers. These relayers handle on-chain transactions and cover the gas fees, allowing users to avoid direct interaction with the blockchain. However, if a relayer were to act maliciously, they could potentially disclose information about the user.
Blockchain Analysis
Several techniques can be employed to analyze the blockchain:
-
Transaction Graph Analysis: This involves identifying the flow of funds. Over time, certain patterns and correlations might become apparent.
-
Address Clustering: This approach can reveal relationships between different entities.
-
Input-output Analysis: If multiple addresses contribute inputs, this could suggest common ownership.
-
Network Vulnerabilities: Certain network aspects, such as IP addresses (which are tracked by Metamask), could reveal identities.
-
Fungibility Analysis: Tracing the history of tokens could offer insights. For instance, what is their “anonymity score”? Are there tokens actively striving to maintain anonymity?
-
Transaction Metadata: Some blockchains allow for additional metadata to be attached to transactions. This could provide further information for analysis.
About Bitquery
Bitquery is your comprehensive toolkit designed with developers in mind, simplifying blockchain data access. Our products offer practical advantages and flexibility.
-
APIs - Explore API: Easily retrieve precise real-time and historical data for over 40 blockchains using GraphQL. Seamlessly integrate blockchain data into your applications, making data-driven decisions effortless.
-
Coinpath® - Try Coinpath: Streamline compliance and crypto investigations by tracing money movements across 40+ blockchains. Gain insights for efficient decision-making.
-
Data in Cloud - Try Demo Bucket: Access indexed blockchain data cost-effectively and at scale for your data pipeline. We currently support Ethereum, BSC, Solana, with more blockchains on the horizon, simplifying your data access.
-
Explorer - Try Explorer: Discover an intuitive platform for exploring data from 40+ blockchains. Visualize data, generate queries, and integrate effortlessly into your applications.
Bitquery empowers developers with straightforward blockchain data tools. If you have questions or need assistance, connect with us on our Telegram channel or via email at sales@bitquery.io. Stay updated on the latest in cryptocurrency by subscribing to our newsletter below.
Subscribe to our newsletter
Subscribe and never miss any updates related to our APIs, new developments & latest news etc. Our newsletter is sent once a week on Monday.