Mixing bad; pooling good.

Why am I excited about the potential of Tornado.cash when I haven’t been excited about other privacy-preserving thingamabobs?

I’ve never liked ‘mixers’ like CoinJoin or CashShuffle, because they don’t match the way I want to use my ‘spending’ money. I want to receive some money, store it someplace safe, and have it available to spend whenever I decide to spend it.

I could use a fancy mixing wallet that mixes coins in the background automagically, but I’d have to remember to run it so it can find other people to mix with. And to get a large enough ‘anonymity set’ probably means several rounds of mixing, meaning my money might be tied up in the middle of a transaction when I want to spend it. Also, every round of mixing means paying more transaction fees… which can be significant if the network is congested (fees on the ETH and BTC networks are high as I write this).

Tornado.cash is much simpler; one transaction to deposit, another to withdraw. The Ethereum ‘account balance’ model, which is usually worse for privacy than the Bitcoin ‘unspent transaction output’ model, is an advantage – the ‘anonymity set’ gets bigger every time somebody new uses a Tornado contract. If you deposit into the 1-ETH Tornado contract, your ether is pooled with over a thousand other deposits. The longer you let it sit in that shared account, the better – your deposit gets more anonymous over time as other deposits and withdrawals flow in and out.

Storing some of my money in Tornado.cash contracts does require several leaps of faith. I have to have faith that the Ethereum chain will still be around when I want to redeem my deposit. And faith that there isn’t a bug in the Tornado zero-knowledge proofs that might let somebody else withdraw my money. I have more faith today than I did a week ago – the Tornado developers recently gave up all ability to modify the contracts. But I’ll still limit the amount of money I store inside Tornado at any one time, just in case.

 