Try   HackMD

Tornado Cash Core

tags: Tornado Cash
  1. When users deposit funds in Tornado Cash, the contract creates a note that includes a commitment and a nullifier hash.
  2. First it generates two random numbers - secret and nullifier. These are hashed together to form a commitment.
  3. The nullifier hash and the commitment is sent along with the deposit.
  4. Then the smart contract takes the commitment hash and adds it to the merkle tree that is stored and built on-chain.
  5. The nullifier hash is then broadcast to the Tornado Cash network, where it is added to a list of spent nullifiers. This prevents anyone else from withdrawing funds using the same note.

The merkle root contains the users node. The contract doesn't need to have the latest version of the tree as the user will be present as a node once inserted.























// computes Pedersen(nullifier + secret)
template CommitmentHasher() {
    signal input nullifier;
    signal input secret;
    signal output commitment;
    signal output nullifierHash;

    component commitmentHasher = Pedersen(496);
    component nullifierHasher = Pedersen(248);
    component nullifierBits = Num2Bits(248);
    component secretBits = Num2Bits(248);
    nullifierBits.in <== nullifier;
    secretBits.in <== secret;
    for (var i = 0; i < 248; i++) {
        nullifierHasher.in[i] <== nullifierBits.out[i];
        commitmentHasher.in[i] <== nullifierBits.out[i];
        commitmentHasher.in[i + 248] <== secretBits.out[i];
    }

    commitment <== commitmentHasher.out[0];
    nullifierHash <== nullifierHasher.out[0];
}

When a user wants to withdraw funds from the contract, they must first prove ownership of a note. To do this, they reveal the commitment and the nullifier hash.

The snark prover submitted by the user contains root, a public input root and private inputs: secret, nullifier, pathElements and pathIndices.

The Proof computes two hashes. A commitment hash of the secret and the nullifier. Second a hash of just the nullifier, called nullifier hash. For an external observer, these two hashes seem uncorrelated

The contract checks that the root is one of the last 100? merkle roots and whether the nullifier hash is unique.

It verifies the nullifier hash against a list of previously spent nullifiers. If the nullifier hash is found in the list, the transaction is rejected as a double spend attempt.

If the nullifier hash is not found in the list, the transaction is added to the blockchain the contract releases the funds to the withdrawer. This mechanism of using nullifier to prevent double spend was first adopted by Zcash.







































// Verifies that commitment that corresponds to given secret and nullifier is included in the merkle tree of deposits
template Withdraw(levels) {
    signal input root;
    signal input nullifierHash;
    signal input recipient; // not taking part in any computations
    signal input relayer;  // not taking part in any computations
    signal input fee;      // not taking part in any computations
    signal input refund;   // not taking part in any computations
    signal private input nullifier;
    signal private input secret;
    signal private input pathElements[levels];
    signal private input pathIndices[levels];

    component hasher = CommitmentHasher();
    hasher.nullifier <== nullifier;
    hasher.secret <== secret;
    hasher.nullifierHash === nullifierHash;

    component tree = MerkleTreeChecker(levels);
    tree.leaf <== hasher.commitment;
    tree.root <== root;
    for (var i = 0; i < levels; i++) {
        tree.pathElements[i] <== pathElements[i];
        tree.pathIndices[i] <== pathIndices[i];
    }

    // Add hidden signals to make sure that tampering with recipient or fee will invalidate the snark proof
    // Most likely it is not required, but it's better to stay on the safe side and it only takes 2 constraints
    // Squares are used to prevent optimizer from removing those constraints
    signal recipientSquare;
    signal feeSquare;
    signal relayerSquare;
    signal refundSquare;
    recipientSquare <== recipient * recipient;
    feeSquare <== fee * fee;
    relayerSquare <== relayer * relayer;
    refundSquare <== refund * refund;
}
Last changed by 
ak36
0
324

Read more

Tornado Nova Cash Demo

Deposit are done from mainnet, L1 and the funds are directed to tornado cash instance on xdai, a layer 2 Blockchain. This is done by omnibridge after confirmations from the nodes, which typically takes 5 minutes for 20 validations. While depositing, users are automatically registered on the Tornado cash network. In a shielded transaction, no external eth involved i.e. no deposits and no withdrawals. This transfer is done on L2, which makes them cheap. However, this requires both the users to be registered on Tornado cash. Note that shielded here means that both the recipient and the amount are kept private from an external observer. While withdrawing funds from tornado pool, the bridge funds the amount back into mainnet. The private inputs here are the balance and address of the user. #show code with inputs and outputs. However, the outputs being on the ethereum mainnet are public. This is why users are advised to withdraw standard amounts to help them blend among other transactions and thus preserve their privacy. Note xdai sponsors withdrawal for 0.05 eth. The user design is elegant in the sense that the client never has to change network from the mainnet. The proof generation takes place in the browser. Tornado cash has a relatively smaller circuit with 30k constraints which takes about 5-10 seconds to compile using Web Assembly. This wasm file is embedded in the static UI of the Tornado cash smart contract.

Apr 17, 2023
Tornado Cash Nova

Tornado cash nova is the latest version of the protocol and is different from core in many ways. Instead of hashing two random numbers in the commitment as in the Core version. The Nova upgrade uses three numbers: amount, public key and blinding. The blinding is a random number used instead of the secret in the previous version. The commitment is now computed by the hash of the three values mentioned above. Whereas the nullifier is the hash of commitment,the corresponding merkle path, and a signature of these two values with the private key. /* Utxo structure: { amount,

Mar 27, 2023
Tornado Cash Trees

Merkle trees are computed offchain and then prove validity on chain The length of the subtrees should be specified before in order to initialize the tree at the start. Moreover, a snark proof for example always requires fixed-sized loops similar to fixed-sized chunks. Each insertion cost 300k gwei for checking the snark proof. The Contracts will check the old root and new root, both as public input.

Mar 26, 2023
Read more from ak36
Published on HackMD