| Authors | Semenov, Roman; Storm, Alexey; Pertsev, Alexey |
|---|---|
| Year | 2019 |
| Project | Tornado Cash |
| License | MIT |
| Official Source | https://tornado.cash/Tornado.cash_whitepaper_v1.4.pdf |
This page is an educational summary and analysis of an official whitepaper or technical paper, written for reference purposes. It is not a verbatim reproduction. CryptoGloss does not claim authorship of the original work. All intellectual property rights remain with the original author(s). The official document is linked above.
“Tornado Cash: Ethereum Privacy Solution” is the whitepaper by Roman Semenov, Alexey Storm, and Alexey Pertsev of the Tornado Cash team, published in 2019 as the initial protocol specification. Tornado Cash is a decentralized, non-custodial private transaction protocol on Ethereum: users deposit fixed amounts of ETH (or ERC-20 tokens) and can later withdraw to a fresh address, with the link between deposit and withdrawal broken by a zk-SNARK proof.
Tornado Cash became the primary Ethereum privacy tool, handling billions in volume. In August 2022, the US Treasury’s OFAC sanctioned Tornado Cash smart contract addresses — a landmark regulatory action against immutable smart contract code itself.
> PDF hosting: The Tornado Cash whitepaper is at tornado.cash/Tornado.cash_whitepaper_v1.4.pdf. The smart contracts are at github.com/tornadocash.
Publication and Context
By 2019, Ethereum had no native privacy. Every ETH transaction is publicly visible: from which address to which address, when, exactly how much. For users who received salary in ETH, paid for personal services, or simply wanted financial privacy, this was deeply problematic.
Tornado Cash drew directly on the academic work of the Zcash/Zerocash team: using zk-SNARKs to prove that a withdrawal is authorized by someone who made a valid deposit, without revealing which deposit. The key difference from Zcash: Tornado Cash is an Ethereum smart contract, not a separate blockchain.
Core Design: Commitment-Nullifier Scheme
The Tornado Cash privacy protocol uses a classic cryptographic commitment scheme:
Deposit:
- User generates two random 31-byte values: a nullifier and a secret
- Computes a commitment: C = hash(nullifier || secret)
- Deposits exactly 1 ETH (or 10 ETH, 100 ETH — fixed denominations) along with C into the contract
- C is inserted into a Merkle tree maintained by the contract
- User stores their (nullifier, secret) offline — this is their “withdrawal ticket”
Withdrawal:
- User generates a zk-SNARK proof showing that:
  - they know a (nullifier, secret) pair such that hash(nullifier || secret) is a leaf in the contract’s Merkle tree
  - the Merkle path from that leaf to a recent root is valid
  - the nullifier hash H(nullifier) they publish was derived from that same nullifier
- User sends the proof together with its public inputs to the contract: the Merkle root, the nullifier hash, the recipient address, and (if a relayer is used) the relayer address and fee
- The contract checks that the root is one it has recently published (it keeps a short history of roots, so a proof is not invalidated by deposits mined just before the withdrawal), that the nullifier hash has not already been recorded as spent, and that the SNARK verifies (constant cost, a few pairing operations, independent of the tree size)
- The contract records the nullifier hash as “spent”
- The contract sends the pool’s denomination (1 ETH in the 1 ETH pool) to the recipient address bound into the proof
Privacy guarantee: The SNARK proof reveals nothing about which commitment in the Merkle tree is being spent, only that the prover knows the preimage of some leaf. Double spending is prevented by the nullifier hash, which is unique per note but cannot be matched to a commitment without the secret. Because the recipient, relayer and fee are public inputs to the proof, a proof is valid only for the exact withdrawal it was generated for: an observer who sees it in the mempool cannot resubmit it with a different recipient.
Fixed Denomination Design
Tornado Cash uses fixed denominations (e.g., 0.1 ETH, 1 ETH, 10 ETH, 100 ETH pools) rather than arbitrary amounts. This prevents amount-based linking:
- A 0.1 ETH deposit is indistinguishable in the pool from any other 0.1 ETH deposit
- The larger the pool (anonymity set), the stronger the privacy
Variable amounts (as in AZTEC-style confidential transactions) would require more complex proofs and would fragment users into smaller anonymity sets, since only deposits of the same amount are indistinguishable from one another.
Anonymity Set and Timing
Tornado Cash’s privacy strength depends on the anonymity set size: the number of deposits that could plausibly be the source of a given withdrawal, that is, every deposit into the pool made before the withdrawal that has not already been attributed to an earlier withdrawal:
- Small anonymity set (few deposits): high probability the specific deposit can be identified by timing correlation
- Large anonymity set (many deposits): strong privacy
Practical limitation: A user who deposits and immediately withdraws, before anyone else has deposited, has an anonymity set of one: the withdrawal can only have come from that deposit. Users must wait for many other deposits (and withdrawals) to accumulate between their deposit and withdrawal to gain meaningful privacy, and a withdrawal that resolves to a single deposit also shrinks the sets of every later withdrawal, because that deposit is no longer a candidate for them.
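The candidate-set reasoning above can be made mechanical. The following Python is an added example, not part of the whitepaper or of the Tornado Cash tooling: it replays a constructed deposit/withdraw trace (not real chain data) and, for each withdrawal, computes the deposits that could be its source using only the two facts the contract enforces. A withdrawal that follows a lone deposit is linked outright, and that link removes the deposit from the candidate sets of later withdrawals. The event shape and the addresses are assumptions of the example.

```python
"""Anonymity-set estimate for a fixed-denomination pool from its event log
(added example, not project tooling). Uses only two facts the contract enforces:
a withdrawal can spend only a deposit made before it, and each deposit is spent
at most once (the nullifier check). Events are (block, kind, address) tuples;
on chain they would be read from the pool's Deposit and Withdrawal events."""

# Constructed trace (not real chain data). Same-block ties sort deposits first.
TRACE = [
    (100, "deposit", "0xA1"),
    (101, "withdraw", "0xW1"),   # only one deposit exists: linkable to 0xA1
    (200, "deposit", "0xB2"),
    (201, "deposit", "0xC3"),
    (202, "deposit", "0xD4"),
    (300, "withdraw", "0xW2"),   # could be B2, C3 or D4 (A1 is already linked)
    (301, "withdraw", "0xW3"),   # same three: W2 was not resolved, nothing removed
]

def candidate_sets(events):
    """For each withdrawal, in order, the set of deposits that could be its source.
    A withdrawal with a single candidate is treated as linked, and that deposit
    is removed from the candidate sets of every later withdrawal."""
    deposits, linked, out = [], set(), []
    for block, kind, address in sorted(events):
        if kind == "deposit":
            deposits.append((block, address))
        elif kind == "withdraw":
            cands = frozenset(d for d in deposits if d not in linked)
            if len(cands) == 1:
                linked |= cands
            out.append(((block, address), cands))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return out

def weak_withdrawals(events, min_set=10):
    """Withdrawals whose candidate set is smaller than min_set, smallest first."""
    return sorted((len(c), w, c) for w, c in candidate_sets(events) if len(c) < min_set)

def report(events, min_set=10):
    lines = []
    for n, (block, address), cands in weak_withdrawals(events, min_set):
        srcs = ", ".join(a for _, a in sorted(cands))
        lines.append(f"block {block} withdraw to {address}: {n} candidate(s): {srcs}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(TRACE)))
```

The threshold min_set is a policy choice, not a protocol constant; a real analysis would also fold in timing proximity and gas-funding addresses, which this example deliberately leaves out.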
Relayers
A withdrawal transaction must pay gas, but the fresh recipient address holds no ETH, and funding it from the depositor’s address would re-link the two addresses. Tornado Cash addresses this with a relayer network:
- Third-party relayers submit withdrawal transactions on behalf of users
- The user’s SNARK proof commits to the relayer’s address and a fee (e.g., 0.1 ETH) as public inputs, so the relayer can neither raise the fee nor redirect the payout
- The contract pays the denomination minus the fee to the recipient and the fee to the relayer; the relayer pays gas from its own funds, so the fresh withdrawal address never needs to be pre-funded
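The deposit and withdrawal flow from the Core Design section and the relayer fee split above, as one added example in Python (not the project’s contracts or circuits). It assumes SHA-256 in place of the Pedersen and MiMC hashes, a depth-4 tree instead of depth 20, and replaces the zk-SNARK with a proof tuple that hands the verifier the witness in the clear together with a hash of the public inputs. That keeps the contract-side checks (known root, unspent nullifier hash, proof bound to recipient, relayer and fee) faithful while obviously giving up the privacy the real proof provides. Names such as Pool, Note and bind are this example’s own.

```python
"""Toy Tornado Cash pool (added example, not the project's code). SHA-256 stands in
for the Pedersen/MiMC hashes, and the zk-SNARK is replaced by a proof tuple that
carries the witness in the clear plus a hash binding the public inputs. A real
pool sees only the SNARK and those public inputs; the checks in Pool.withdraw are
the same ones the contract performs. Addresses are bytes, amounts are wei."""
import hashlib
import os
from collections import Counter
from dataclasses import dataclass, field

DEPTH = 4           # real pools use depth 20; 4 keeps the toy tree small
ROOT_HISTORY = 100  # how many recent roots a withdrawal may still reference

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

# ZERO[k] is the root of an empty subtree of height k, so an empty tree has a root
ZERO = [H(b"tornado")]
for _ in range(DEPTH):
    ZERO.append(H(ZERO[-1], ZERO[-1]))

class MerkleTree:
    def __init__(self):
        self.leaves, self.roots = [], [ZERO[DEPTH]]
    def _levels(self):
        nodes = self.leaves + [ZERO[0]] * (2 ** DEPTH - len(self.leaves))
        levels = [nodes]
        for _ in range(DEPTH):
            nodes = [H(nodes[i], nodes[i + 1]) for i in range(0, len(nodes), 2)]
            levels.append(nodes)
        return levels
    def root(self):
        return self._levels()[DEPTH][0]
    def insert(self, leaf):
        if len(self.leaves) >= 2 ** DEPTH:
            raise ValueError("tree is full")
        self.leaves.append(leaf)
        self.roots = (self.roots + [self.root()])[-ROOT_HISTORY:]
        return len(self.leaves) - 1
    def path(self, index):  # (sibling, node-is-right-child) pairs, leaf to root
        levels, out = self._levels(), []
        for lvl in range(DEPTH):
            out.append((levels[lvl][index ^ 1], index & 1))
            index >>= 1
        return out

def verify_path(leaf, path, root):
    for sibling, is_right in path:
        leaf = H(sibling, leaf) if is_right else H(leaf, sibling)
    return leaf == root

@dataclass
class Note:  # the (nullifier, secret) withdrawal ticket kept offline
    nullifier: bytes = field(default_factory=lambda: os.urandom(31))
    secret: bytes = field(default_factory=lambda: os.urandom(31))
    def commitment(self):
        return H(self.nullifier, self.secret)
    def nullifier_hash(self):
        return H(self.nullifier)

def bind(root, nh, recipient, relayer, fee):  # hash of the public inputs
    return H(root, nh, recipient, relayer, fee.to_bytes(32, "big"))

def prove(tree, note, recipient, relayer, fee):
    """Prover: find own commitment among the deposits, build the Merkle path,
    bind the public inputs so the proof is valid only for this exact withdrawal."""
    root, index = tree.root(), tree.leaves.index(note.commitment())
    proof = (note.nullifier, note.secret, tree.path(index),
             bind(root, note.nullifier_hash(), recipient, relayer, fee))
    return proof, root

def verify_proof(proof, root, nh, recipient, relayer, fee):
    """The statement the SNARK proves, checked here with the witness in the clear."""
    nullifier, secret, path, tag = proof
    return (tag == bind(root, nh, recipient, relayer, fee)
            and nh == H(nullifier)
            and verify_path(H(nullifier, secret), path, root))

@dataclass
class Pool:
    denomination: int
    tree: MerkleTree = field(default_factory=MerkleTree)
    spent: set = field(default_factory=set)
    balances: Counter = field(default_factory=Counter)  # stand-in for chain balances
    def deposit(self, sender, commitment):
        if self.balances[sender] < self.denomination:
            raise ValueError("insufficient balance")
        self.balances[sender] -= self.denomination
        return self.tree.insert(commitment)
    def withdraw(self, proof, root, nh, recipient, relayer, fee):
        if fee > self.denomination:
            raise ValueError("fee exceeds denomination")
        if nh in self.spent:
            raise ValueError("note already spent")      # double spend
        if root not in self.tree.roots:
            raise ValueError("unknown or stale root")   # proof against a foreign tree
        if not verify_proof(proof, root, nh, recipient, relayer, fee):
            raise ValueError("invalid withdraw proof")  # bad witness or replayed proof
        self.spent.add(nh)
        self.balances[recipient] += self.denomination - fee
        self.balances[relayer] += fee  # relayer paid gas; the recipient needed no ETH
```

Running prove once and then letting another deposit land before withdraw is submitted exercises the root history: the older root is still accepted. Changing the recipient or the fee after proving makes verify_proof fail, which is the property that stops a relayer or mempool observer from hijacking a pending withdrawal; submitting the same proof twice fails on the spent-nullifier check.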
Governance and Tornado Cash Nova
The TORN token launched in December 2020 for protocol governance. Holders vote on relayer whitelisting, fee modification, and supported token additions.
Tornado Cash Nova (2021) is an upgraded version supporting arbitrary amounts and cross-chain privacy using Gnosis Chain (xDai) as an intermediate layer — addressing the fixed-denomination limitation.
The OFAC Sanction
On August 8, 2022, the US Treasury OFAC sanctioned Tornado Cash:
- Added Tornado Cash address contracts (immutable smart contracts) to the SDN list
- US persons are prohibited from transacting with the listed contract addresses
- Several US-based frontends and RPC providers immediately blocked access
Alexey Pertsev, Tornado Cash’s lead developer, was arrested in Amsterdam on August 10, 2022 and was sentenced in May 2024 to 5 years and 4 months in prison in the Netherlands for money laundering facilitation.
The sanctions sparked widespread debate about the legality of sanctioning immutable neutral code and developer liability for how software is used.
Reality Check
Tornado Cash was used for legitimate privacy purposes (journalists, activists, salary recipients) but also by major hackers: North Korea’s Lazarus Group laundered an estimated $455M+ through Tornado Cash (per US Treasury allegations). The mix of legitimate and illicit use reflected the dual-use nature of privacy tools.
Legacy
Tornado Cash demonstrated that practical zk-SNARK-based privacy was deployable on Ethereum. Its design influenced subsequent privacy protocols and privacy-preserving DeFi tools. The sanctions and prosecution represent a significant test of legal frameworks for immutable smart contracts and open-source software.
Research
- Semenov, R., Storm, A., & Pertsev, A. (2019). Tornado Cash: Ethereum Privacy Solution. tornado.cash.
— Primary source. The commitment-nullifier scheme (Section 2) and SNARK proof construction (Section 3) are the core.
- Ari, E., et al. (2022). Tornado Cash: A Legal and Technical Analysis. Stanford Center for Internet and Society.
— Analysis of the OFAC sanctions’ legal basis and implications.
- Bünz, B. (2020). Zero Knowledge Proofs for Technology Lawyers.
— Accessible explanation of the SNARK mechanics underlying Tornado Cash.