Tornado Cash is a decentralized, non-custodial protocol designed to provide transaction privacy on Ethereum and other EVM-compatible chains. It offers a cryptographic mechanism to break the direct deterministic link between deposit and withdrawal addresses. This repository is the central place for the protocol specification, cryptographic design notes, audit-friendly documentation, and research resources to support community development, security review, and academic study.
We build and maintain this project guided by three fundamental principles:
-
Financial Privacy Rights
We affirm that individuals have a legitimate right to financial privacy on public ledgers. Privacy protects people against undue surveillance, profiling, and the potential exploitation of transaction history. -
Open Source Transparency
All protocol specifications, explanatory implementations (non-operational), and cryptographic descriptions are public and auditable. Transparency enables peer review, reproducible security analyses, and community trust. -
Decentralization & Immutability
The architecture is intended to avoid central points of control. Protocol guarantees such as censorship resistance and immutability are core design objectives.
Tornado Cash-style privacy constructions use Zero-Knowledge Proofs (ZKPs) to unlink deposits from withdrawals while preventing double-withdrawals.
High-level flow (conceptual):
-
Deposit (Commitment Registration)
- A user generates two secret values (commonly called nullifier and secret), computes a commitment and submits it with a fixed denomination to a deposit registry.
- The commitment is appended to a Merkle tree stored in the registry contract/state; the sender address is not recorded in a way that links to later withdrawals.
-
Mixing (Anonymity Set Growth)
- Funds corresponding to commitments are pooled in fixed denominations. As more participants deposit, the anonymity set increases, improving unlinkability between deposits and withdrawals.
-
Withdrawal (Zero-Knowledge Proof)
- The user proves, via a zk-SNARK, that they know a commitment present in the Merkle tree and that the corresponding nullifier has not been used before — without revealing which leaf belongs to them.
- Upon successful verification, the registry marks the nullifier as used and releases the funds to a recipient address provided by the prover.
This conceptual model prioritizes privacy while ensuring soundness properties like no double withdrawal.
| Technology | Role |
|---|---|
| Ethereum / EVM Chains | Primary execution environment for smart contracts and on-chain registry. |
| Solidity (for smart contracts) | Language used for illustrative/non-operational contract specifications and interface definitions. |
| zk-SNARKs / ZK Proof Systems | Core cryptographic primitive enabling succinct proofs of set membership and nullifier uniqueness. |
| Merkle Trees | Efficient data structure for managing deposit commitments and providing membership proofs. |
| IPFS / ENS | Decentralized hosting and naming for front-end and documentation (research artifacts). |
Privacy technologies sit at the intersection of ethical utility and regulatory scrutiny. They can protect vulnerable users and activists, but they may also be misused for illicit purposes. This repository is committed to responsible, lawful research and to encouraging users to comply with applicable laws.
- We do not provide operational deployment code.
- Contributors should understand relevant legal frameworks and consider the ethical implications of their work.
- Use of privacy tools must adhere to local laws and regulations.
We welcome contributions focused on safety, correctness, and academic advancement:
- Documentation & Specifications — Improve protocol descriptions, threat models, and formal definitions.
- Security Audits & Reviews — Submit audit reports, formal verification notes, and responsible disclosure of vulnerabilities.
- Research & Analysis — Publish analyses of anonymity sets, attack vectors, zk-proof optimizations, and privacy metrics.
- Educational Content — Tutorials, diagrams, and worked examples that explain ZKPs, Merkle proofs, and privacy tradeoffs in approachable ways.
Process: For major proposals, open an Issue to discuss scope and security implications prior to substantial PRs.
- Tornado Cash: a reference manual for developers
- RareSkills ZK Book | Ultimate Zero Knowledge Proof Tutorial
- How Tornado Cash Works (Line by Line for Devs)
- Breaking Down Tornado Cash
- Provide threat model and attacker capabilities for every research artifact.
- Include reproducible test vectors and verification scripts that do not enable a production mixing deployment.
- Prefer formal proofs or clear definitions for security properties (soundness, completeness, unlinkability).
- Document assumptions (trusted setup, CRS, trusted ceremony) explicitly.
This repository uses an open, research-friendly license for documentation and non-operational artifacts. It explicitly prohibits use of repository materials to construct or deploy operational money-mixing services intended to obfuscate illicit activity.