How Tornado Cash works

Tornado Cash is a coin mixer that you can use to anonymize your Ethereum transactions. Because of how the blockchain works, every transaction is public. If you have some ETH in your account, you cannot transfer it anonymously, because anybody can follow your transaction history on the blockchain. Coin mixers like Tornado Cash solve this privacy problem by using zero-knowledge proofs (ZKP) to break the on-chain link between the source and the destination address.

Deposit:

Users deposit the same amount of ETH to the contract.

Actual Process.

Deposit and get the private note.

_commitment: the note commitment, which is PedersenHash(nullifier + secret)

Withdraw:

The smart contract checks the hash of the secret and nullifier; if it equals the recorded hash, it returns true.

After a successful check, it sends 1 ETH back to the user.

Actual Process:

The problem in the previous illustration:

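A hash function is one-way, but in this scheme the withdrawer has to submit the secret and nullifier to the contract. Those parameters can be found on-chain, so anyone can hash them, match the result to a deposit, and deduce which user deposited the ETH.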

Zero Knowledge Proof

To solve this problem, Tornado Cash uses Zero Knowledge Proof.

Another problem arises: hackers can withdraw many times if Tornado Cash doesn’t know who is withdrawing.

zk-SNARKs prevent this:

When you send the proof, you also need to send the hash of the nullifier.

Inside the zk-SNARK, two things are checked:

  1. The hash of the secret and nullifier is recorded in Tornado Cash.
  2. The hash of the nullifier is equal to the nullifier hash.

The purpose of nullifier is to prevent double-spending.

Input data of the withdraw function:

proof is the zkSNARK proof data, and input is an array of the circuit's public inputs.
The input array consists of:

  • merkle root of all deposits in the contract
  • hash of unique deposit nullifier to prevent double spends
  • the recipient of funds
  • optional fee that goes to the transaction sender (usually a relay)

How does Tornado store the commitment hash when users deposit?

It uses a Merkle tree.

How do you prove that a commitment is in the Tornado Merkle tree?
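The two circuit checks, the nullifier-hash bookkeeping and the Merkle membership path described above can be modelled in a few lines. This is an added sketch, not Tornado Cash's contract or circuit code: SHA-256 stands in for PedersenHash and the tree hash, the tree is variable-height, `circuit_ok` runs in the clear instead of inside a zk-SNARK, and all names (`Mixer`, `new_note`, `circuit_ok`) are hypothetical.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # stand-in for PedersenHash (assumption)

def new_note():
    nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
    return nullifier, secret, H(nullifier, secret)  # last item is the commitment

def circuit_ok(root, nullifier_hash, nullifier, secret, path):
    """The statement the zk-SNARK proves, evaluated in the clear (not zero-knowledge)."""
    node = H(nullifier, secret)  # check 1: this commitment hashes up to the root
    for sibling, node_is_right in path:
        node = H(sibling, node) if node_is_right else H(node, sibling)
    return node == root and H(nullifier) == nullifier_hash  # check 2

class Mixer:
    def __init__(self):
        self.leaves, self.spent = [], set()

    def deposit(self, commitment):
        self.leaves.append(commitment)
        return len(self.leaves) - 1  # leaf index, kept in the user's note

    def _levels(self):
        level, levels = list(self.leaves), []
        while len(level) > 1:
            if len(level) % 2:
                level.append(bytes(32))  # zero padding leaf (simplification)
            levels.append(level)
            level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return levels + [level]

    def root(self):
        return self._levels()[-1][0]

    def path(self, index):
        return [(lvl[(index >> d) ^ 1], (index >> d) & 1)
                for d, lvl in enumerate(self._levels()[:-1])]

    def withdraw(self, root, nullifier_hash, witness):
        # Public inputs: root and nullifier_hash. `witness` models what the proof hides.
        if nullifier_hash in self.spent:
            return "already spent"
        if root != self.root() or not circuit_ok(root, nullifier_hash, *witness):
            return "invalid proof"
        self.spent.add(nullifier_hash)
        return "paid"
```

The contract only ever records `H(nullifier)`, which never appears among the deposited commitments, so a withdrawal cannot be matched to a leaf by comparing hashes, while a replay of the same note is rejected.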
