An incomplete guide to stealth addresses (vitalik.eth.limo)
89 points by tolani_somoye on Jan 21, 2023 | hide | past | favorite | 50 comments



Stealth addresses are a super simple bit of crypto and also pretty easy to implement.

When Peter Todd wrote a paper describing the technique for Bitcoin in Jan 2014 I wrote the first implementation. [1, 2]

At the time I wanted to call them re-usable addresses, because the published address by the person wanting to receive funds is truly and privately re-usable. This is super useful for writing static addresses in places (like GitHub pages or on business cards) which don’t implicitly divulge the full transaction history for that address. So for example taking donations for your open source project without having to show a public record of all those donations.

The trade-off of not having to provide a server for generating one-time addresses is that the receiver has to scan the whole blockchain and perform a bit of work to check if each one might actually be for them.

Anything you do to reduce this scanning burden also reduces the privacy of the scheme, necessarily.

So although the usability of the paying semantics is fantastic, the usability of receiving requires network and computation. Typical PIR trade-off.

However, one thing I really love is that on the receiving side you can have just one private key which will allow you to discover all sent funds. Under the hood on the blockchain no addresses are actually being reused.

So you have to scan for your funds, but they will all be there with just one key to keep secure and one public address that can be “paid-to” without being able to actually lookup any transactions that were actually sent to that address.

I don’t know if they ever standardized an address form to use this scheme in Bitcoin but in my opinion it is a really fantastic way to use a public blockchain.

At the time, I tried and failed to write the receiver-side scanning code into bitcoind because I didn’t know enough C++.

[1] - https://www.mail-archive.com/bitcoin-development@lists.sourc...

[2] - https://gist.github.com/jspilman/8396495
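The scheme the comment above describes, as an added example that is not the commenter's 2014 implementation nor Peter Todd's proposal: Bob publishes a single public key, every sender derives a fresh one-time address from it plus an ephemeral key, and Bob scans the chain with his single private key to recover both the outputs and their spending keys. The curve (secp256k1), the hash (SHA-256 of the compressed shared point), the use of the compressed public key as the "address", the single-key variant without a separate view key, and all key values and names are assumptions made for this illustration; the curve arithmetic is written out so the block runs with the standard library only.

```python
"""Added example: ECDH-based stealth addresses over secp256k1.

Bob publishes one public key M = m*G. Each sender picks a fresh ephemeral
key r, publishes R = r*G next to the payment, and pays to P = M + H(r*M)*G.
Only Bob, holding m, can recompute H(m*R) = H(r*M), so only Bob can
(a) recognise the output while scanning and (b) derive the one-time
spending key m + H(m*R). Nobody else can link P back to M.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the real curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def scalar_mult(k, point):
    """Double-and-add (not constant time; fine for an illustration)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding; used here as the on-chain 'address'."""
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")


def decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)   # valid because P % 4 == 3
    return (x, y if (y & 1) == (data[0] & 1) else P - y)


def shared_scalar(point):
    """H(shared point), reduced into the scalar group (assumed hash choice)."""
    return int.from_bytes(hashlib.sha256(compress(point)).digest(), "big") % N


def keypair(priv=None):
    priv = priv if priv is not None else secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def sender_pay(recipient_pub, ephemeral_priv=None):
    """Sender side: returns (published ephemeral pubkey R, one-time address)."""
    r, R = keypair(ephemeral_priv)
    tweak = shared_scalar(scalar_mult(r, recipient_pub))
    one_time = point_add(recipient_pub, scalar_mult(tweak, G))
    return compress(R), compress(one_time)


def receiver_scan(priv, outputs):
    """Receiver side: one ECDH and one point addition per candidate output.

    This is the per-output work the comment refers to. Returns
    [(address, one_time_spending_key)] for the outputs that are ours.
    """
    pub = scalar_mult(priv, G)
    ours = []
    for R_bytes, address in outputs:
        tweak = shared_scalar(scalar_mult(priv, decompress(R_bytes)))
        if compress(point_add(pub, scalar_mult(tweak, G))) == address:
            ours.append((address, (priv + tweak) % N))
    return ours


def demo():
    """Constructed scenario: Bob publishes one key, two senders pay him, one
    unrelated output sits on the chain, and Eve scans with her own key."""
    bob_priv, bob_pub = keypair(0xB0B)        # constructed test keys
    eve_priv, _ = keypair(0xE7E)
    carol_priv, carol_pub = keypair(0xCA201)
    chain = [
        sender_pay(bob_pub, 0xA11CE),         # Alice -> Bob
        sender_pay(carol_pub, 0xDA7E),        # Dave -> Carol (not Bob's)
        sender_pay(bob_pub, 0xF2A4C),         # Frank -> Bob, same published key
    ]
    bob_found = receiver_scan(bob_priv, chain)
    eve_found = receiver_scan(eve_priv, chain)
    # Every recovered spending key really controls the matched address.
    keys_valid = all(compress(scalar_mult(k, G)) == addr for addr, k in bob_found)
    distinct = len({addr for addr, _ in bob_found}) == len(bob_found)
    return {"bob": len(bob_found), "eve": len(eve_found),
            "keys_valid": keys_valid, "distinct": distinct}


if __name__ == "__main__":
    print(demo())
```

Two payments to the same published key land at two unrelated on-chain addresses, and Eve's scan over the same outputs matches nothing, which is the privacy property; the cost is that Bob must run one scalar multiplication per output on the chain, which is the scanning burden the comment describes. Production schemes split `priv` into a viewing key for scanning and a spending key so the scanner need not hold spending authority.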


This reminds me of how Bitmessage works. You'd not know if a message was for you without trying to decrypt it, so you just attempt to decrypt every message. They reduced the burden by using "streams" where your address might be on "stream 7" and everyone could tell a message was for stream 7 but not who for on that stream. So you'd only have to decrypt everything on the stream your address is on. The more users there are on a stream, the more anonymous it is, but the more network and CPU work it is.


Penumbra has a scheme for trustless 3rd party scanning that they use for private addresses that you might be interested in. It uses a "Fuzzy Message Detection" cryptographic protocol that is analogous to a Bloom filter, so you can delegate the scanning to a full node and ask for a stream of transactions, which includes all the transactions you care about plus some other false positives. https://protocol.penumbra.zone/main/crypto/fmd.html


This is already doable with most wallets today. Most wallets enable you to create 2^64 addresses from the same seed phrase. These are hardened and can't be linked together by just creating them.

So if Alice wants to send Bob an NFT, Bob creates a new address (recoverable with the same seed phrase) and Alice sends it there. Bob can then fund the wallet with tornado cash to use the NFT.

It's a stupidly complex way to achieve privacy and Tornado Cash is illegal. That's why we need private-by-default chains like Aztec & Aleo.


Tornado cash is illegal for US citizens. Not illegal for anyone else. And a lawsuit against the overreach of the Treasury department will likely make it legal again.


What exactly is the "overreach" argument? In terms of statutory authority, the Treasury hasn't done anything particularly unusual in adding a known money-laundering vehicle to the OFAC list.


All tornado notes generate a proof that you can use to show where it came from. It’s the same as monero, another privacy coin which is not illegal.

There is a long list of issues here but tornado is just a program. The users of that program can use it for good or bad. They sanctioned the creators and Tornado is still chugging along. It’s equivalent to banning cryptography because money launderers encrypt their messages.

Here is a good summary of the argument against Treasury by Coin Center

https://www.coincenter.org/coin-center-is-suing-ofac-over-it...


None of this amounts to an "overreach" argument. Again: statutorily, where has the Treasury Department mis-stepped?

You'll note that all kinds of entities, including full banks, are on the OFAC list[1]. This doesn't amount to a blanket ban on banking, and "it's just a bank, there are others" is not an argument that anyone finds convincing.

[1]: https://sanctionssearch.ofac.treas.gov/


Pretty straightforward — Treasury said we couldn't use a particular computer program rather than interact with a particular entity, and that's outside their authority.


I think you are misunderstanding the Treasury's position. You are free to run the code on your own computer on a VM for a made-up blockchain however many times you want, no problem. You can even run a permissioned version of it yourself, where you and your 40 permissioned friends mix their transactions for privacy, and everyone knows (through, let's say, off-chain trust) that none of them are committing crimes; I personally don't think that would be a problem either. However, if you are running the same code on a public blockchain and mixing your transactions with literal criminals [0], well, that is a crime now.

"Running a computer program" is too vague, and legality of it depends on the context.

[0] since everything on this Blockchain is public, you can easily see proceeds of cybercrime coming into tornado. It's not really a point of contention.


> You can even run a permissioned version of it yourself, where you and your 40 permissioned friends mix their transactions for privacy, and everyone knows (through, let's say, off chain trust) that none of them are committing crimes,

Even if you 100% knew that all of the money was legal, mixing is money transmission according to the government, which means you need to register in every state you operate, register with the federal government, and have a compliance program, or you will get up to 5 years in prison. Hawaladars/various ethnic equivalents, especially post 9/11, have learned the rules on money transmission the hard way, even when they literally "know their customers" in a much more real way than banks do. Here's an example from where I'm from: https://apnews.com/article/yemen-us-news-ap-top-news-mi-stat... - fortunately these guys were spared prison though.


I think there are procedural issues, not statutory ones. Procedure can undermine the statutory one; in this case there is a requirement for an entity to be able to argue on its own behalf to be removed from the sanctions list, and this is not possible with the Tornado Cash contract addresses.

There is also the issue of determining how it is a Foreign Asset to begin with. Is it based on the developer they identified? They have to prove that it was not deployed by an American, which probably cannot be proven by the nodes (maybe records of an API could do it, but not when running your own nodes).


This is an interesting point, but is it uniformly true? The OFAC list also includes aircraft and boats, which presumably can't argue on their own behalf.


The owner and organization can argue.

Tornado Cash autonomous contracts cannot. They need to establish proof of who or what organization deployed it. I believe they skipped this step for incompetence or for needing it clarified in court.


The previously linked article makes 4 arguments but this is the one I find most compelling:

even Treasury’s own regulations and past executive orders limit the applicability of sanction controls to transactions with persons, entities, or their property. The Tornado Cash sanction was made without statutory and also without regulatory authority. It was made contrary to law.


I've read that post a couple of times, and even wrote a response to it[1]!

TL;DR: The Treasury Department doesn't care that Tornado Cash is "just" a computer program, because a computer program is an instrument made and operated by human beings. Even an autonomous program does not escape this, for the same reason that you can't escape a murder charge by throwing a bomb into the air and claiming gravity as a defense.

[1]: https://blog.yossarian.net/2022/09/14/Tornado-Cash-and-bulle...


I genuinely don’t see any link between a bomb going off and a privacy protocol used to move financial assets.

The government is not allowed to put a camera in my house and watch me 24/7. Sure, I might be committing crimes inside my house. But unless the government can convince a judge that they suspect me of committing crimes that justify such a camera, they cannot install said camera.

Similarly, merely using a technique to obfuscate the origin of my own money is not enough to claim I am a criminal. I can do similar with gold coins and paper cash, and in high dollar amounts.

Eventually I’ll want to use my financial assets to purchase something, and at that point the receiver should ask me where I got my money (if legally required to) and with Tornado Cash I can fully explain the origin of my legal funds.

Acting like Tornado itself is enabling crime is absurd.


> I genuinely don’t see any link between a bomb going off and a privacy protocol used to move financial assets.

The link is explained in the post: in both instances, a human is the prime mover. No court in the world draws a distinction between "Joe kills Bob" and "Joe builds a Bob-killing robot that kills Bob." Similarly, no court in the world is likely to draw a distinction between "North Korea launders money" and "North Korea uses an autonomous program to launder money." It simply isn't relevant.

> Similarly, merely using a technique to obfuscate the origin of my own money is not enough to claim I am a criminal. I can do similar with gold coins and paper cash, and in high dollar amounts.

To be clear: if you attempt to obfuscate your cash transactions by structuring them beneath the limits that trigger CTR reporting, you're committing a crime. You can have reasonable opinions about whether that ought to be a crime, but it is absolutely not legal in the current regulatory scheme to intentionally avoid your reporting requirements.

> Acting like Tornado itself is enabling crime is absurd.

We have a precise, material example of Tornado enabling a specific crime. That crime is the reason it's on the OFAC list, and it's stated in clear, precise language on the Treasury's site. Again: you can claim that Tornado is an instrument, and anything can be used to commit crime, but it is a matter of fact that Tornado was both used to commit crimes and made committing those crimes easier than they otherwise would have been (by sidestepping financial regulatory frameworks).


I philosophically disagree that something known to be used for a crime, or known to make crimes easier, ipso facto means that thing should be banned. I see a lot of benefits to society with privacy solutions like Tornado Cash. I also like paper cash, gold coins, and guns for that matter, all of which have been documented to be used in crimes and all of which are legal.

I believe the law requires presumption of innocence. We shall see what the judge says. I think your arguments are unconvincing and actually, when analyzed, see them as dangerous and given to statist authoritarian tendencies.


We are not in meaningful disagreement about these things: the question is not whether the government is justified in banning anything that can be used to do crime (which is everything), but whether the government is justified in banning something that has an efficient cause in crime. That's what Tornado Cash is, and no amount of hemming and hawing around other potential uses meaningfully changes this.


Correct - we are debating the merits and demerits of Tornado Cash for society. My position is it’s helpful and all negatives already have laws that solve them.

Furthermore once the software is no longer gray, it could be embedded via API in many other entities to enable privacy, just as encryption was once taboo and now is everywhere. It’s only the gray nature of this privacy solution that prevents its normalization.


The discussion you are participating in does not make any philosophical claims, but just states how the law works. A libertarian disagreeing with this on a philosophical level is not just obvious, it's also uninteresting.


I linked to several legal arguments as to why the person I’m speaking to is wrong. They are not a lawyer as their blog states. And my philosophical arguments go to the heart of the law, which is how much authority Treasury claims they have vs. what their actual authority is as written.

I don’t even know what your comment adds to the discussion, it is very boring and also uninteresting and perhaps you should exit this thread before you degrade it further.


Bitcoin from silk road was seized as proceeds of crime. Those btc were actually used in crime. Government later cleaned those coins and auctioned them off.

In this curious land of the free, government can take criminal proceeds and clean and resell it while also claiming the freedom-taxpayers may not express themselves with others in computer code.

I expect Tornado Cash will be found to have the same protections as PGP in the 90s.


Regurgitating anti-encryption talking points to justify regulating other people's wallets. I guess it's only natural to oppose financial privacy when your economic policies depend on having the right to other people's money.


I'm very pro-encryption. I'm not convinced that sanctions against Tornado Cash pose a serious risk to E2EE or other civically important (necessary!) applications of encryption.


I don't need to justify my right to privacy to prevent you from violating it. Come up with a better defence than the redistribution of consequences; this is not the EU.


Okay! Take it up with the Treasury Department then, not me. I'm just your local Internet Commentariat Bureau delegate.


That seems different though, since Bob needs to give out a new address for each transfer.

With stealth addresses, once Bob published his public address, multiple senders can transfer to Bob without further interaction by Bob.


Secret Network https://scrt.network/


It relies on trusted hardware (SGX) that's been shown to be insecure many times. Please don't trust your freedom to SGX.


Or Monero.


The EVM can actually check digital signatures, hashes, lamport signatures etc.

The problem is that once Bob actually spends something from this address, everyone knows that Bob controls the address. Because if Alice can calculate an address for Bob, so can anyone else.


Sounds like Monero/Zcash being appropriated by Ethereum.

If appropriated is too harsh, how about integrated instead?


Monero uses ring signatures, which as far as I know haven't gotten much traction on Ethereum so far, since gas payments undermine their privacy.

Zcash uses zksnarks, which have advanced considerably since Zcash launched. Ethereum's zkrollups use more recent types of zksnarks.

Stealth addresses "using elliptic curve cryptography were originally introduced in the context of Bitcoin by Peter Todd in 2014," according to Vitalik's post.


Read Vitalik's article, not sure how to feel about it yet.



Money laundering is a crime that (ab)uses privacy. But privacy is not in itself a crime.


Given the uses for crypto in practice, it's a safe bet that the majority of use will be for illegal activities.


>Given the uses for crypto in practice, it's a safe bet that the majority of use will be for illegal activities.

For the moment, that appears to be a good bet.

I'm not aware of any current practical use case for cryptocurrency, that government-backed currencies don't provide, other than purchasing illegal goods and services.

That said, government-backed currencies are also used for doing so as well, except cash transactions require physical proximity while cryptocurrencies do not.


Sending money is a pretty clear use case. Ukraine received a bunch of international crypto donations last year, for example.

Your lack of imagination doesn't mean something is just for "illegal activities".


Ukraine uses (used) normal funding markets and is accessible via standard transfer avenues. Not sure why crypto is needed - certainly the billions being transferred to Ukraine are not in crypto.


I explicitly said[0]:

"I'm not aware of any current practical use case for cryptocurrency, that government-backed currencies don't provide"

"that government-backed currencies don't provide." That's the important part which you ignored.

Sending money using established, government-backed currencies/ecosystems that you're not trying to hide from the government (for legal stuff, generally) is currently (note the adverb here) more secure and less risky than using cryptocurrencies to do so.

Is it poor reading comprehension on your part, did you just not like what I said and so ignored it, or are you unable to process information if it contradicts your trained-in prejudices?

[0] https://news.ycombinator.com/item?id=34470711

Edit: Fixed prose to say what I wanted to say, not the opposite.


>Ukraine received a bunch of international crypto donations last year, for example.

While cryptocurrency was used to donate to Ukraine, a bank transfer or Western Union would have done the trick too -- since no one (except maybe the Russians) would consider such donations criminally actionable.

Which was my point. Sure, foreign remittances, sending money to friends/family and other mechanisms allowing money to be transmitted around the world is certainly a use case for cryptocurrency.

The rub is that for the vast majority of legal transactions (i.e., those that won't raise government hackles), cryptocurrency is currently riskier and less reliable than using a government-backed currency.

That's not a dig at cryptocurrencies. Rather, it's an assessment of the current financial ecosystem. Cryptocurrencies have lots of potential but, like most immature technologies, it's not quite ready for prime time.

As such, the vast majority of folks who choose to use cryptocurrencies as a medium of exchange are those who either don't want their transactions detected by the government (the vast majority of which are those things that raise government hackles) and/or those who are risk tolerant.

Which is why cryptocurrencies are mostly used as a medium of exchange on the fringes of society/legality.

As the technology matures, you'll see cryptocurrencies become more and more mainstream -- even government-backed currencies. Because, in the end, cryptocurrencies are just another form of money.

For now, the primary use case for cryptocurrencies as a medium of exchange is avoidance of government knowledge/involvement. Eventually that will change, but I'll probably be dead[0] before that happens.

[0] If I'm still alive in 2050, I'll be surprised.

Edit: Clarified my estimate for when cryptocurrencies will be pretty mainstream.


> Ukraine received a bunch of international crypto donations last year, for example.

That they can surely use, right, right? Because all that crypto can be easily used for buying stuff, right? right?

In reality it looks like those donations were laundered through an offshore exchange. Someone will always find ways to profit from war.


According to Ukrainian officials, yes, some of their military suppliers did in fact accept crypto directly, and it was quicker and easier than using the banking system.

https://www.coindesk.com/policy/2022/03/07/ukraine-is-buying...


Arms dealers are pragmatists.


I actually think there are plenty of legitimate uses of cryptocurrency, and that it is being used in those ways today.

But the Ukraine example is a strange one to me, only because I'm unclear on the legality of funding the war efforts of another country.


>I actually think there are plenty of legitimate uses of cryptocurrency, and that it is being used in those ways today.

Absolutely. I never said anything that contradicts that statement.

Rather, I pointed out that the majority of those legitimate use cases are currently better served with the global financial system. And as such, the current, practical* use cases for cryptocurrency are as a medium of exchange for goods and services that governments frown upon.

I make no judgement as to whether that's good or bad, just that it is.

I'll remind you that I said currently, not forever, not it's just a scam, not everyone who touches cryptocurrency is a criminal and most certainly not there are no legitimate uses for cryptocurrency; just that currently the most compelling use case for cryptocurrency is as a medium of exchange for "illegal" goods and services.

Most (not all, I'm not being categorical here) other use cases are currently better served via the global financial ecosystem based on government-backed currencies.


Equating the desire for privacy with criminality says more about you than the object of your contempt.


Of course it does. That’s a large chunk of the model.

