An innovation of anti-crime via zk-snark


  • Tornado is a great product that provides asset privacy for users. However, it is also a completely anonymous tool that makes everyone invisible: honest users are mixed in with hackers and criminals who use Tornado for crime.

  • How can Tornado be made regulatable without sacrificing any anonymity? Is there a way to create a new coin-shielding protocol that keeps hackers out but still serves those who really need privacy?

Technical Scheme

Asymmetric Encryption

  • Consider the role of the nullifier: it is a value mapped to the deposit's position in the Merkle tree, and it must be used in the withdrawal.

  • Create a public key and a private key for asymmetric encryption; we can call them the regulatory keys. Use the public key to encrypt the nullifier into a nullifier-cipher, which must be supplied as an argument of the deposit transaction.

  • A zk-SNARK can force users to encrypt the nullifier correctly. So there should be a circuit specifically for the asymmetric encryption at the deposit stage, in which the nullifier-cipher is a public input and the nullifier is a witness variable.

  • Besides, depositors should encrypt the nullifier together with random padding, i.e. nullifier_cipher = ENC(nullifier | padding). Then no one but the depositor can convert a nullifier back into its nullifier-cipher.

  • Only those who own the private key can decrypt the nullifier-cipher to get the nullifier and establish the relationship between the deposit and the withdrawal.
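Why the random padding matters, as an added example that is not part of the original proposal: with a deterministic ENC, anyone holding the public key can re-encrypt a nullifier once it is known and match it to a deposit, while the private-key holder can still link padded ciphers. It assumes the nullifier becomes visible at withdrawal; toy textbook RSA stands in for ENC, and the key size, bit widths and function names are constructed for illustration.

```python
import secrets

# Toy textbook-RSA "regulatory key" built from two known Mersenne primes.
# Constructed for illustration only; far too small and unpadded for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the key owner
PAD_BITS = 128                      # assumed padding width

def enc_unpadded(nullifier: int) -> int:
    """Deterministic: the same nullifier always yields the same cipher."""
    return pow(nullifier, E, N)

def enc_padded(nullifier: int) -> int:
    """nullifier_cipher = ENC(nullifier | padding) with fresh random padding."""
    padding = secrets.randbits(PAD_BITS)
    return pow((nullifier << PAD_BITS) | padding, E, N)

def regulator_decrypt(cipher: int) -> int:
    """The private-key holder recovers the nullifier and drops the padding."""
    return pow(cipher, D, N) >> PAD_BITS

def observer_link(revealed_nullifier: int, deposit_ciphers: list[int]) -> list[int]:
    """Public-key-only check: re-encrypt the nullifier and compare.
    Against padded ciphers the observer would also have to guess the padding."""
    guess = enc_unpadded(revealed_nullifier)
    return [i for i, c in enumerate(deposit_ciphers) if c == guess]

def demo() -> dict:
    nullifiers = [secrets.randbits(64) for _ in range(4)]  # constructed deposits
    unpadded = [enc_unpadded(n) for n in nullifiers]
    padded = [enc_padded(n) for n in nullifiers]
    revealed = nullifiers[2]                               # seen at withdrawal
    return {
        "observer_unpadded": observer_link(revealed, unpadded),
        "observer_padded": observer_link(revealed, padded),
        "regulator": [i for i, c in enumerate(padded)
                      if regulator_decrypt(c) == revealed],
    }

if __name__ == "__main__":
    print(demo())
```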

Who owns the private key

  • The private key is the only way to reveal the relationship between deposits and withdrawals. To avoid abuse, it must be stored securely and in a decentralized way.

  • An effective way is to generate and store the private key in an enclave of a privacy contract, such as Phala Network, NuCypher, etc. The enclave should implement the following functions:

    • Generate the regulatory private key inside the enclave and export the public key.

    • Decrypt ciphers with the private key.

    • Decryption is controlled by a multi-sig signer.