Ethereum co-founder Vitalik Buterin has published a research paper examining privacy pool systems as a tool for more private financial transactions, in which users can prove dissociation from illicit funds using zero-knowledge proofs.
The document initially discusses one of the most popular privacy-enhancing protocols, Tornado Cash, which allows users to deposit and withdraw cryptocurrencies without creating an identifiable link between the two addresses. Recently, United States authorities filed criminal charges against its founders, alleging extensive use by bad actors.
“The critical issue with Tornado Cash was essentially that legitimate users had limited options to dissociate from the criminal activity the protocol attracted,” reads the paper co-authored by Jacob Illum, Matthias Nadler, Fabian Schar and Ameen Soleimani.
The analysis then elaborates on an extension of Tornado Cash’s approach that would enable users to publicly prove the source of funds on-chain by allowing membership proofs — “I prove that my withdrawal comes from one of these deposits” — and exclusion proofs — “I prove that my withdrawal does not come from one of these deposits.”
According to the authors, the concept could let honest protocol users separate themselves from dishonest ones, potentially enabling on-chain financial compliance in the future:
“The core idea of the proposal is to allow users to publish a zero-knowledge proof, demonstrating that their funds (do not) originate from known (un-)lawful sources, without publicly revealing their entire transaction graph. This is achieved by proving membership in custom association sets that satisfy certain properties, required by regulation or social consensus.”
With Privacy Pools, users can exclude themselves from anonymity sets that include addresses linked to illegal activity by using zero-knowledge proofs — a method of proving that a statement is true without disclosing the data behind it.
The underlying idea presented in the document asserts that instead of simply using zero-knowledge to prove that a “withdrawal is linked to some previously-made deposit, a user proves membership in a more restrictive association set.”
The association set can include all previously made deposits, only the user’s own deposits, or anything in between. As a public input, the user specifies the set by providing its Merkle root. “For simplicity, we do not directly prove that the association set actually is a subset of the…
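The association-set mechanism described above, as an added illustration that is not code from the paper or the article: an association set is a list of deposit commitments, its Merkle root is the public input, and a withdrawal carries a membership proof against that root. This example assumes SHA-256 in place of the paper's circuit-friendly hash and checks the Merkle path in the clear, whereas Privacy Pools would wrap that check in a zero-knowledge proof so the verifier never learns which leaf was used; the sample deposits and the flagged one are constructed.

```python
import hashlib

def leaf_hash(commitment: bytes) -> bytes:
    # Domain-separated leaf hash (SHA-256 stands in for the paper's ZK-friendly hash).
    return hashlib.sha256(b"\x00" + commitment).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(commitments):
    """Return levels bottom-up: levels[0] are leaves, levels[-1] == [root].
    Pads to a power of two with a constructed placeholder leaf."""
    level = [leaf_hash(c) for c in commitments]
    while len(level) & (len(level) - 1):
        level.append(leaf_hash(b"\x00" * 32))
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_proof(levels, index):
    """Sibling path for the leaf at index: list of (sibling_hash, sibling_is_right)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((level[sib], sib > index))
        index //= 2
    return path

def verify_membership(root, commitment, path):
    """What the ZK circuit would prove: this commitment hashes up to the public root."""
    node = leaf_hash(commitment)
    for sib, sib_is_right in path:
        node = node_hash(node, sib) if sib_is_right else node_hash(sib, node)
    return node == root

def is_subset(association_set, all_deposits):
    # Off-chain sanity check the paper leaves to the set provider / social consensus.
    return set(association_set) <= set(all_deposits)

# Constructed sample: five pool deposits; the association set drops the flagged one.
ALL_DEPOSITS = [b"dep-%d" % i for i in range(5)]
FLAGGED = {b"dep-3"}
ASSOCIATION_SET = [c for c in ALL_DEPOSITS if c not in FLAGGED]

def prove_and_verify(commitment):
    """Prover side knows the full set; verifier side sees only root, commitment and path."""
    if commitment not in ASSOCIATION_SET:
        return False  # no honest proof exists for a deposit outside the set
    levels = build_tree(ASSOCIATION_SET)
    path = merkle_proof(levels, ASSOCIATION_SET.index(commitment))
    return verify_membership(levels[-1][0], commitment, path)
```

A withdrawal from the flagged deposit cannot produce a valid path against the association-set root, and a path built for one root does not verify against another (for example the root of all deposits).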