ak36

@ak36

Joined on Mar 23, 2023

  • Deposits are made on mainnet (L1), and the funds are directed to the Tornado Cash instance on xDai, a sidechain usually treated as a layer 2. This is done by the OmniBridge after confirmations from its validators, which typically takes about 5 minutes for 20 confirmations. While depositing, users are automatically registered on the Tornado Cash network. A shielded transaction involves no external ETH, i.e. no deposit and no withdrawal; the transfer happens entirely on L2, which makes it cheap. However, this requires both users to be registered on Tornado Cash. Shielded here means that both the recipient and the amount are kept private from an external observer. When withdrawing funds from the pool, the bridge moves the amount back to mainnet. The private inputs here are the user's balance and address. #show code with inputs and outputs. The outputs, however, land on Ethereum mainnet and are public, which is why users are advised to withdraw standard amounts so that they blend in among other transactions and preserve their privacy. Note that xDai sponsors withdrawals for 0.05 ETH. The user-facing design is elegant in that the client never has to switch networks away from mainnet. Proof generation takes place in the browser: the circuit is relatively small, about 30k constraints, and proving it with the WebAssembly prover takes roughly 5-10 seconds. This wasm file is embedded in the static UI of Tornado Cash.
  • Tornado Cash Nova is the latest version of the protocol and differs from Core in many ways. Instead of hashing two random numbers into the commitment as in Core, Nova hashes three values: amount, public key and blinding. The blinding is a random number that takes the place of the secret in the earlier version, and the commitment is the hash of those three values. The nullifier is the hash of the commitment, its Merkle path (the leaf position), and a signature over these two values made with the private key. /* Utxo structure: { amount,
  • When a user deposits funds in Tornado Cash Core, the client creates a note holding two random values, a secret and a nullifier. These are hashed together (Pedersen) to form the commitment, and only the commitment is sent along with the deposit; the smart contract appends it to a Merkle tree that is stored and built on-chain. The nullifier hash is revealed later, at withdrawal, when the contract adds it to its list of spent nullifiers. This prevents anyone, including the depositor, from withdrawing a second time with the same note. The Merkle root commits to the user's leaf, and the withdrawer does not need to prove against the very latest root: the contract keeps a history of recent roots, and the commitment stays in the tree once inserted. // computes Pedersen(nullifier + secret) template CommitmentHasher() {
  • Merkle trees are computed off-chain and their updates are then proved valid on-chain. The tree depth and the size of the inserted subtrees have to be fixed in advance so the tree can be initialized at the start; a SNARK circuit only has fixed-size loops, so insertions are proved in fixed-size batches. Each batch insertion costs about 300k gas for verifying the SNARK proof. The contract checks the old root and the new root, both given as public inputs.
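The Nova UTXO construction described in the note above (commitment = H(amount, pubkey, blinding), nullifier = H(commitment, path, signature)), as an added example that is not code from this page or from Tornado Cash. Everything here is an assumption of the demo: sha256 stands in for Nova's Poseidon hash, the tree is a plain list of commitments, and the NovaPool class checks the circuit's statements in the clear instead of verifying a SNARK. The flow also covers the deposit / shielded transfer / withdrawal split from the first note: public_amount is positive for a bridged deposit, zero for a shielded transfer, negative for a withdrawal.

```python
import hashlib
import secrets

def H(*parts):
    """Stand-in for Poseidon, Nova's circuit hash; sha256 is an assumption of this demo.
    Integers (amounts, leaf indices) are encoded as 32-byte big-endian field elements."""
    enc = [p if isinstance(p, bytes) else p.to_bytes(32, "big") for p in parts]
    return hashlib.sha256(b"".join(enc)).digest()

def keypair():
    priv = secrets.token_bytes(31)
    return priv, H(priv)                      # public key = H(private key)

class Utxo:
    def __init__(self, amount, pubkey, blinding=None):
        self.amount, self.pubkey = amount, pubkey
        self.blinding = blinding or secrets.token_bytes(31)   # takes the place of Core's secret
        self.index = None                     # leaf position once it is in the pool's tree

    def commitment(self):
        return H(self.amount, self.pubkey, self.blinding)

    def nullifier(self, priv):
        # The signature ties the owner's private key to this commitment at this position,
        # so only the owner can derive (and therefore spend) the nullifier.
        sig = H(priv, self.commitment(), self.index)
        return H(self.commitment(), self.index, sig)

class NovaPool:
    """Toy on-chain state: commitments in insertion order plus spent nullifiers.
    The SNARK verifier is replaced by checking the circuit's statements in the clear."""
    def __init__(self):
        self.leaves = []
        self.spent = set()

    def _insert(self, utxo):
        utxo.index = len(self.leaves)
        self.leaves.append(utxo.commitment())
        return utxo.index

    def transact(self, priv, inputs, outputs, public_amount=0):
        """public_amount > 0: deposit (ETH arrives via the bridge); < 0: withdrawal;
        0: shielded transfer, where only new commitments and nullifiers become public."""
        for u in inputs:
            if u.pubkey != H(priv):
                raise ValueError("not the owner of an input")
            if u.index is None or self.leaves[u.index] != u.commitment():
                raise ValueError("input commitment not in the tree")
        if sum(u.amount for u in inputs) + public_amount != sum(u.amount for u in outputs):
            raise ValueError("value not conserved")
        nullifiers = [u.nullifier(priv) for u in inputs]
        if len(set(nullifiers)) != len(nullifiers) or any(n in self.spent for n in nullifiers):
            raise ValueError("double spend")
        self.spent.update(nullifiers)
        return [self._insert(u) for u in outputs]

def nova_flow():
    """Deposit -> shielded transfer -> replay and theft attempts -> withdrawal (toy amounts)."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    pool = NovaPool()
    a = Utxo(100, alice_pub)
    pool.transact(alice_priv, [], [a], public_amount=100)          # bridged deposit
    to_bob, change = Utxo(30, bob_pub), Utxo(70, alice_pub)
    pool.transact(alice_priv, [a], [to_bob, change])                # shielded transfer, no external ETH
    try:
        pool.transact(alice_priv, [a], [Utxo(100, alice_pub)])      # spend the same UTXO again
        replayed = True
    except ValueError:
        replayed = False
    try:
        pool.transact(bob_priv, [change], [Utxo(70, bob_pub)])      # Bob tries to spend Alice's change
        stolen = True
    except ValueError:
        stolen = False
    pool.transact(bob_priv, [to_bob], [], public_amount=-30)        # Bob withdraws to L1
    return replayed, stolen, len(pool.leaves), len(pool.spent)
```

In the shielded transfer only two new commitments and one nullifier touch the chain; neither the 30/70 split nor Bob's key can be read from them, which is the privacy property the note calls "shielded".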
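The Core deposit/withdraw cycle (note, commitment, nullifier hash, root history) and the off-chain batched tree update with old and new root as public inputs, both from the notes above, in one added example that is not code from this page or from Tornado Cash. Assumptions of the demo: sha256 replaces Pedersen, the tree depth is 4 and the batch size 4 instead of the real parameters, ROOT_HISTORY is an arbitrary value, and the TornadoPool class and the batch_update_proof / verify_batch_update pair recompute in the clear what the respective circuits would prove.

```python
import hashlib
import secrets

DEPTH = 4            # toy tree with 2**4 = 16 leaves (Tornado Cash Core uses depth 20)
ROOT_HISTORY = 5     # how many recent roots the pool still accepts (assumed for this demo)
BATCH_DEPTH = 2      # 2**2 = 4 leaves per off-chain batch; fixed because circuits have fixed-size loops
ZERO = b"\x00" * 32

def H(*parts):
    """Stand-in for the circuit hash (Pedersen in Core); sha256 is an assumption of this demo."""
    return hashlib.sha256(b"".join(parts)).digest()

def _hash_up(level):
    return [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def root_of(leaves, depth):
    """Root of a full binary tree of 2**depth leaves, empty slots filled with ZERO."""
    level = list(leaves) + [ZERO] * (2 ** depth - len(leaves))
    for _ in range(depth):
        level = _hash_up(level)
    return level[0]

def merkle_path(leaves, depth, index):
    """Sibling hashes from leaf `index` up to the root: the prover's private input."""
    level = list(leaves) + [ZERO] * (2 ** depth - len(leaves))
    siblings = []
    for _ in range(depth):
        siblings.append(level[index ^ 1])
        level, index = _hash_up(level), index // 2
    return siblings

def root_from_path(leaf, index, siblings):
    """Recompute the root from a leaf and its path; the membership check the circuit performs."""
    node = leaf
    for sib in siblings:
        node = H(node, sib) if index % 2 == 0 else H(sib, node)
        index //= 2
    return node

# Core note: two client-side random values. Only the commitment goes on chain at deposit time.
def make_note():
    return {"nullifier": secrets.token_bytes(31), "secret": secrets.token_bytes(31)}

def commitment(note):
    return H(note["nullifier"], note["secret"])

def nullifier_hash(note):
    return H(note["nullifier"])

class TornadoPool:
    """Toy on-chain state: leaves, recent-root history, spent nullifier hashes.
    The SNARK verifier is replaced by checking the same statements in the clear."""
    def __init__(self):
        self.leaves = []
        self.roots = [root_of(self.leaves, DEPTH)]
        self.spent = set()

    def deposit(self, commit):
        self.leaves.append(commit)
        self.roots = (self.roots + [root_of(self.leaves, DEPTH)])[-ROOT_HISTORY:]
        return len(self.leaves) - 1          # leaf index the withdrawer will need

    def withdraw(self, root, nh, note, index, siblings):
        if root not in self.roots:
            raise ValueError("root not in recent history")
        if nh in self.spent:
            raise ValueError("nullifier already spent")
        # The two statements the withdraw circuit proves about the private note.
        if nullifier_hash(note) != nh or root_from_path(commitment(note), index, siblings) != root:
            raise ValueError("invalid proof")
        self.spent.add(nh)
        return True

def core_roundtrip():
    """Deposit, a later deposit by someone else, withdraw against the older root, then replay."""
    pool = TornadoPool()
    note = make_note()
    idx = pool.deposit(commitment(note))
    root_then = pool.roots[-1]
    path_then = merkle_path(pool.leaves, DEPTH, idx)
    pool.deposit(commitment(make_note()))    # root moves on, but root_then stays in history
    ok = pool.withdraw(root_then, nullifier_hash(note), note, idx, path_then)
    try:
        pool.withdraw(root_then, nullifier_hash(note), note, idx, path_then)
        replayed = True
    except ValueError:
        replayed = False
    return ok, replayed

# Off-chain batch insertion, proved on-chain with (old_root, new_root) as public inputs.
def batch_update_proof(leaves, batch_no, new_leaves):
    """Prover side: the batch fills the empty subtree slot `batch_no`; the path above it is private."""
    assert len(new_leaves) == 2 ** BATCH_DEPTH and len(leaves) == batch_no * 2 ** BATCH_DEPTH
    old_root = root_of(leaves, DEPTH)
    siblings = merkle_path(leaves, DEPTH, len(leaves))[BATCH_DEPTH:]   # unchanged by the insert
    new_root = root_of(leaves + list(new_leaves), DEPTH)
    return old_root, new_root, siblings

def verify_batch_update(old_root, new_root, batch_no, new_leaves, siblings):
    """Verifier side: one path must explain old_root with an empty slot and new_root with it filled."""
    empty = root_of([], BATCH_DEPTH)
    filled = root_of(new_leaves, BATCH_DEPTH)
    return (root_from_path(empty, batch_no, siblings) == old_root
            and root_from_path(filled, batch_no, siblings) == new_root)
```

The withdrawer in core_roundtrip proves against a root that is no longer current, which the root history accepts; the second withdrawal fails on the spent nullifier hash, not on the proof. In the batch update the contract never sees the leaves' positions inside the tree, only the two roots, and the fixed BATCH_DEPTH is what lets the circuit have fixed-size loops.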