How Umbra and Tornado can help protect payment privacy

On Twitter I recently shared an announcement blog post about Umbra, a new stealth address implementation written in Solidity for Ethereum-compatible blockchains (currently running on the Ropsten test network).

NuCypher cryptography engineer and generally rad person @__tux replied:

If the Payee withdraws from “stealth addresses” (these aren’t stealth addresses) to a mixer, it’s relatively trivial to learn the Payee’s “stealth addresses”.

The Payer should, instead, deposit into a mixer where the Payee is only capable of withdrawing. Umbra doesn’t do this.

This wouldn’t fix everything though. There’s a lot of ways to deanonymize payments between these steps, like when withdrawing from a mixer.

I started writing out an answer on Twitter and realized it got way too long, so I decided to move my reply over to a blog post.

To the comment “these aren’t stealth addresses”, I do think Umbra enables stealth addresses.

Some background info

Stealth addresses are a category of cryptocurrency technology that enables Payees to publish a static, re-usable address that Payers can then use to generate unique, one-time addresses. This can make it harder, or nearly impossible, for observers who only know the static “stealth address” to know when the Payee has received payments, who is paying them, and what the amounts of the payments are. I will let the Umbra blog post explain technically how it implements this functionality.

The post-withdrawal problem I highlight in my thread arises from the fact that once the Payee has received a bunch of payments to their one-time addresses, they have to do something with those funds. Most likely, the Payee will want to consolidate those funds somehow, so they can make larger payments with them.

This consolidation is where linkages between the one-time addresses occur, and it becomes possible for, at a minimum, previous Payers to learn the amounts and sources of other possible payments to the stealth address. (I say “possible” because they do not know with 100% certainty that those payments were sent via Umbra; they just know that the funds are controlled by a common party. This is also known as the “mystery shopper payments” vulnerability.)

A mixer like Tornado can help here by allowing the Payee to consolidate funds a little at a time in different addresses, deposit the funds into a mixer, and later withdraw to a common address that is de-linked from the pre-mix addresses. Instead of 100% of the funds being linked together in a common consolidation address (as would occur if no mixer is used) only some of the funds are linked pre-mix. After funds are withdrawn from the mixer, there’s no way to conclusively link the pre-mix addresses to the post-mix address.

An example
Imagine Alice has received four Umbra payments of 0.051 ETH at one-time addresses A1, A2, A3, and A4. She consolidates A1 + A2 into address C1, and A3 + A4 into C2. The addresses that were consolidated together are now linked, but C1 and C2 are still unlinked.

The reason for consolidating pre-mix is because Tornado only supports specific denominations of ETH in each pool, so she needs to combine enough ETH to meet the denomination threshold she wants to mix into (0.1 ETH being the smallest ETH Tornado pool currently). If the Umbra payments are by themselves large enough to go into a Tornado pool, then no consolidation is needed pre-mix and even more privacy is possible.

Alice deposits the funds from C1 into Tornado, waits some time, then also deposits the funds from C2 into Tornado. C1 and C2 are still not linked together.

After a couple of weeks, she withdraws her Tornado funds to withdrawal address W1, which has no links to either her Umbra address or to her one-time addresses. Tornado has successfully helped her privately consolidate 0.2 ETH from C1 and C2 into a single new address.

Of course, as tux points out, there are ways that Alice can de-anonymize herself post-mix. Maybe she sends some funds from one of her pre-mix addresses to W1. Or maybe she sends some other funds from W1 to an address publicly linked to her. Post-mix behavior is as important for maintaining privacy as pre-mix behavior. This is the main reason why privacy on transparent blockchains is so fragile, and why I advocate for fully shielded, end-to-end encrypted transactions as the ideal standard for on-chain payment privacy.
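The consolidation and mixing steps above, as an added example that is not code from this post, Umbra or Tornado: a toy transfer graph in Python in which an observer applies the post’s common-party heuristic (funds moving between two non-mixer addresses are treated as one controller’s) with union-find, while mixer deposits and withdrawals are never linked. The address names A1..A4, C1, C2, W1 and the amounts come from the example; the dust transfer in the post-mix mistake case and the no-mixer consolidation address C are constructed for comparison.

```python
from collections import defaultdict

MIXER = "Tornado"  # a mixer contract: deposits and withdrawals are never linked


class Ledger:
    """Constructed toy transfer graph (not Umbra's or Tornado's code)."""

    def __init__(self):
        self.transfers = []  # (src, dst, amount_eth)

    def transfer(self, src, dst, amount):
        self.transfers.append((src, dst, amount))

    def clusters(self):
        """Observer heuristic from the post: funds moving between two non-mixer
        addresses are assumed to be controlled by one party.  Union-find over
        those edges; a mixer edge registers the address but never links it."""
        parent = {}

        def find(a):
            parent.setdefault(a, a)
            while parent[a] != a:
                parent[a] = parent[parent[a]]  # path halving
                a = parent[a]
            return a

        for src, dst, _ in self.transfers:
            if MIXER in (src, dst):
                find(src if dst == MIXER else dst)
                continue
            parent[find(src)] = find(dst)
        groups = defaultdict(set)
        for a in list(parent):
            groups[find(a)].add(a)
        return [frozenset(g) for g in groups.values()]

    def linked(self, a, b):
        return any(a in g and b in g for g in self.clusters())

    def payer_view(self, known):
        """What a Payer who knows `known` belongs to the Payee can infer:
        every other address the heuristic puts under the same controller."""
        group = next((g for g in self.clusters() if known in g), frozenset())
        return set(group) - {known}


def alice_scenario(use_mixer=True, post_mix_mistake=False):
    """Alice holds four 0.051 ETH Umbra payments at A1..A4 (constructed)."""
    led = Ledger()
    led.transfer("A1", "C1", 0.051)
    led.transfer("A2", "C1", 0.051)  # A1 and A2 are now linked through C1
    led.transfer("A3", "C2", 0.051)
    led.transfer("A4", "C2", 0.051)  # A3 and A4 are linked through C2
    if not use_mixer:
        led.transfer("C1", "C", 0.102)  # plain consolidation: everything links
        led.transfer("C2", "C", 0.102)
        return led
    led.transfer("C1", MIXER, 0.1)  # two deposits into the 0.1 ETH pool
    led.transfer("C2", MIXER, 0.1)
    led.transfer(MIXER, "W1", 0.1)  # withdrawals to a fresh address
    led.transfer(MIXER, "W1", 0.1)
    if post_mix_mistake:
        led.transfer("C1", "W1", 0.002)  # leftover dust sent pre-mix -> post-mix
    return led


if __name__ == "__main__":
    for name, led in [("no mixer", alice_scenario(use_mixer=False)),
                      ("mixer", alice_scenario()),
                      ("mixer + mistake", alice_scenario(post_mix_mistake=True))]:
        print(name, sorted(sorted(g) for g in led.clusters()))
```

Running it prints three clusterings: every address under one party without the mixer, two pairs plus an unlinked W1 with it, and W1 pulled back into the A1/A2/C1 cluster by the single post-mix dust transfer.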

Email is probably the most popular decentralized messaging protocol, and I expect it to be around for a while. Add yourself to my email contacts if you would like to stay in touch!

Tornado review

Last December I published “The State of the Art in Cryptocurrency Privacy”, based on a lightning talk I gave at an Aragon One offsite giving an overview of the latest and greatest cryptocurrency privacy techniques at the time. I was disappointed to report that the privacy story for Ethereum, the blockchain used by Aragon, was not good:


I quoted geth core developer Peter Szilagyi, who said in his Devcon4 talk: “Privacy on ethereum is bad, really, really bad.” And I asked the question: zk-SNARKs when?

Well friends, less than eight months after publishing that blog post, I’m happy to provide a positive update: zk-SNARKs now.

Enter Tornado

A few weeks ago a tweet crossed my feed and grabbed my attention:

I was intrigued. The clean, minimalist interface seemed to have the important elements expected. But as it was a work in progress, I would have to wait to try it out. Then, a few weeks later, the Tornado touched down:

You can now mix ETH with zk-SNARK-based privacy at

The announcement blog post has some additional information about the app. My own caveats and feedback follow. Tornado also mentions some of the following points in their blog post and in the app itself, but it’s worth mentioning them again here to drive the points home. Stay safe and remember this is beta software.

How to protect yourself when using Tornado

  • Don’t use the same IP address to withdraw as you used to deposit*
    • Worst is to use your personal IP address. Better is to use a VPN and switch servers. Best is to use Tor and reset the circuit.
  • Don’t use the same Ethereum address to withdraw as you used to deposit*
    • Use a new, unused address instead.
  • Don’t use Infura or another centralized node provider with your wallet*
    • Always connect your wallet to your own full node, or else your deposit and withdrawal addresses will be trivially tied together by the node provider and anyone who gains access to their data.
  • Don’t make a withdrawal via wallet and pay gas with an account connected to your deposit address.*
    • Save yourself the trouble and potential privacy leak, use the Tornado Relayer.
  • Don’t lose your note or you’ll lose all your money
    • Save the note in your password manager (you are using a password manager, right?)

* Doing things that damage your own privacy also damages the privacy of all other Tornado users by shrinking the anonymity set. Seriously, don’t do these things.

Some feedback and suggestions for the Tornado devs

  • The app looks great. Seems intuitive enough. The essentials are there. Great job with everything so far. That said, I think more can and should be done to prevent users from damaging their privacy and the privacy of others.
  • Consider using aragonPM to beef up security on your dapp deployments. (Read how we use it at Aragon here.)
  • If it must be web-based, consider running exclusively as a Tor hidden service (better for anonymity and security).
  • Ditch Infura. Run your own node (and auto-delete logs). Although Infura shouldn’t be getting any useful data from your users if they’re using Tornado properly, it’s better to not even give them the opportunity.
  • Reject entering the same withdrawal address as a previously used deposit address. Users should know better, but sometimes they need saving from themselves.
  • Open up the higher deposit amounts. At 0.1 ETH deposit amount, total fees to deposit and withdraw added up to 3.734% of the mixed amount when I paid the standard gas price.
  • User privacy is compromised by allowing users to connect with a centralized node provider like Infura on both sides of the mix (e.g. if their wallet uses an Infura backend for both the deposit address and the withdrawal address). I’m not really sure how to solve this. But it makes for an easy foot-gun scenario, so worth thinking about how to fix this, or at least warn users about it. Worth looking at how Wasabi deals with this.
  • Since there are other Ethereum providers than MetaMask (for example I use Frame as my daily driver) I suggest using “Ethereum provider” in place of “MetaMask” in the app copy to keep it generic. Or “Ethereum signer”, or “Ethereum wallet”… whatever more generic term makes the most sense to you. (We use “Ethereum provider” throughout the Aragon client.)

Remaining questions

  • Is there any advantage to using one’s own wallet vs Relayer for withdrawal? Might be easiest / safest to just remove the “wallet” option.
    • Answer: “It is there to make sure that users can withdraw their funds even if relayer is down.” (source)
  • How were the parameters for the zk-SNARK generated?
    • Answer: “For this beta version the setup was done on a single build machine, so you kinda have to trust that we didn’t save toxic waste… Currently there is no way to make a trusted setup for Ethereum BN256 curve, as soon as Gnosis and Matter finish working on it (soon) we will redeploy the mixer with a proper multiparty trusted setup.” (source)
  • When desktop app with local node + Frame support? 😀

Link: r/ethereum discussion

A better app store

What would a new and improved app store look like? The Aragon App Center is in development so I’m excited to think about how we can improve on existing app store designs.

There are three new features I’d love to see:

Decentralized publishing

Today only one person is required to push the “publish” button, and this creates a central point of failure. What if multiple devs and community members had to sign off before a new app update was pushed? This could prevent problems like devs going on power trips or burning out and giving their publishing rights away to hackers. With a decentralized package manager it would be possible to require multiple sign-offs before a new app update is published. This update could then be cryptographically verified to be published by the correct author (see the next section).

Trusted publisher profiles

When I look at an app download page in an app store, how do I really know it’s being published by who I think it is? I might look at how many people downloaded it, or go to the download page straight from the publisher’s website (the address of which I got from another trusted source, etc). What if there was a way to trust the download page no matter how I arrived at it?

With trusted publisher profiles, that becomes possible. Publishers could publish proofs to their profile showing that they control certain website domains, social media accounts, and crypto keys. They can sign app install files using these keys so that I can trust that the file came from the right publisher. Various solutions like this exist but they aren’t adopted consistently and no app store that I’ve seen has been able to blend the freedom of decentralization with the security of trusted publisher profiles.

Cryptocurrency payments

I want to pay for good software. But I don’t want the app store to know who I am and I don’t want to worry about whether it can actually secure my credit card data. Besides, credit cards are an ill-suited medium for the <$0.99 payments I imagine for software installs and updates. It might not seem like much, but multiplied by thousands or millions of users and a developer (or team) that puts out consistent and consistently good app updates could make a good living off these small payments alone, not to mention any in-app monetization mechanisms.

I want to pay for good software and I want it to be fast, cheap, and private. Cryptocurrency is a great fit for this.

The State of the Art in Cryptocurrency Privacy

An abridged overview of production systems.

At a recent offsite with the Aragon One team, I presented a lightning talk about state-of-the-art systems for privately buying, selling, and using cryptocurrency.

A PDF of the slides is published here. The slides are pretty self-explanatory, so I’m sharing as-is. If there are any questions or feedback about the content, I’m happy to discuss in the comment section.



New year, new job 2018 edition

I have some exciting – if somewhat belated – news to share. As you could probably tell from the title of this post, I have a new job. In November I accepted an offer to join the Aragon team as their new Community Lead!


Aragon is a project that I have been following since I first met the co-founder Luis Cuende at a Blockstack meetup in San Francisco. I was excited when they released the alpha version of their testnet client in early 2017 and blown away when they went on to raise $25 million later that year in the fourth-largest crowdfund and the second-largest token sale at the time.

After leaving Abra in July 2017, I took a few months off to explore the cryptocurrency space and see what other opportunities were out there. I considered several offers but kept my options open. The market had changed significantly since my last job search less than a year earlier. One significant change was that there were many projects outside of the Bay Area hiring for remote positions. Aragon was one of those projects.

I reconnected with the Aragon team while I was attending the Crypto-Economic Security Conference in Berkeley, CA. Zooko Wilcox, CEO of Zcash, knew I was looking for a job and had generously offered me one of the tickets his company was given for sponsoring the sold-out event. I accepted the ticket and went to the event, looking forward to meeting new crypto people in the Bay Area and watching interesting talks by the presenters.

I was surprised and delighted to meet María Gómez, Strategy and Operations Lead at Aragon, in person at the event (we’d previously met online while I was working at Abra). María asked what I was doing at the time. I told her I was looking for a new full-time gig, something in a marketing or community role. She told me that Aragon was hiring a Community Lead to replace their then-Community Lead Tatu Kärki, who was transitioning into a Communications Lead role. The rest, as they say, is history.

Within a few weeks, I had gone through several rounds of interviews and flew to Finland to do a trial week with Luis and Tatu. We worked on several community projects throughout the week, and on what would have been Thanksgiving day in the US, they offered me something to be extra thankful for: an opportunity to join the Aragon team as their new Community Lead. I gladly accepted, and have been dutifully serving the Aragon community ever since. Join us!

P.S. Aragon is hiring!

New job FAQ

Congrats on the new job! What does Aragon do?

Thanks! Aragon is building a platform that makes it easy to create and participate in Decentralized Autonomous Organizations, or “DAOs” for short. In the future, the Aragon project itself will be run as a DAO on the Ethereum blockchain. The Aragon DAO will be governed by holders of Aragon Network Tokens (ANT), an ERC-20 token that was sold in mid-2017 to raise the funds needed to develop the Aragon software.

Is $ANT a good buy?

Maybe! DYOR.

What’s it like being part of an Ethereum project?

Although I’ve been following the Ethereum project since its inception in 2013, I haven’t been closely involved since the very early days. After leaving Abra I took some time to explore all the projects that have formed in the ecosystem in the intervening time. Many of the smart contract applications that first got me excited about Ethereum have begun to come to fruition, including p2p prediction markets, asset exchanges, gambling platforms, and, my personal favorite, DAOs. This, along with the amazing team that Luis and Jorge have assembled, is what led me to join Aragon.

Now is a very exciting time to be involved in the open-source cryptocurrency community. There’s no shortage of funding for extremely ambitious projects, including important blockchain research and development work. It seems like the only limitation right now is the supply of engineering talent and the imagination necessary to build the p2p future so many of us envision. I’m excited to help Aragon overcome these limitations in our own community and share what we create with the broader p2p ecosystem.

Are you still working with Bitseed?

Yes! I think 2018 will be a big year for Bitseed. We have started shipping orders for Bitseed 3, the next-generation version of our plug-and-play bitcoin full nodes. And we’ll also soon be relaunching our developer community so that devs who are interested in helping us improve Bitseed have an easy way to get involved and work together.

The kind of projects I’m really excited to work on with the Bitseed community include adding support for Layer 2 protocols such as Blockstack and the Lightning Network. Then Bitseed owners could have a node that not only secures their bitcoin transactions, but can also resolve decentralized domain names for them or even earn bitcoin by providing liquidity to the Lightning Network. Future work could even include using the node as a decentralized storage device or a crypto-incentivized mesh router. The possibilities are endless.

If you’re interested in helping us with any of these projects, please get in touch.

So what’s next for John Light?

Bitseed 3 ships this month, the Bitseed developer community relaunches shortly after, and Aragon goes live on Ethereum mainnet sometime in Q1/Q2 2018. I’ll probably be traveling a lot for Aragon community events this year, so if there are any cool crypto events you think I should be at let me know in the comments below or ping me on Twitter or @light in the Aragon Chat.


What appcoin startups have in common with Midwest logging companies

Logging companies in the 19th century Midwest had a problem. In the remote forests where they set up shop, cash was hard to come by. Still, workers needed to be paid so they could buy food and other basic necessities. So the logging companies came up with a solution to the cash shortage: they would print their own currency.

This private currency, known as “scrip”, was denominated like U.S. currency and redeemable for goods and services exclusively at company-run stores. If a worker who received scrip in lieu of cash wanted to spend their paycheck elsewhere, the scrip would often trade at a steep 10 percent to 25 percent discount. Exchanging scrip for cash would result in additional exchange fees. And so most business was done at the company store.

Company scrip for the Network Age

Fast-forward 125 years and private currencies are once again being used by cash-strapped companies to keep operations running smoothly. Only this time, the companies are high-tech software startups instead of Midwest logging companies, and the currencies they are issuing aren’t simply a stand-in for cash. Private currencies have become a core part of new business models emerging around digital networks.

Often referred to as “appcoins”, these new private currencies are being used by issuers to simultaneously fund their businesses and bootstrap networks around their products. Unlike the company scrip of the past, appcoins are neither denominated in another currency nor redeemable for a fixed quantity of goods. Instead, the issuer designs their product in such a way that users have to dispose of some quantity of the appcoin to receive the value offered by the product. As a result, demand for the product results in demand for the appcoin, creating a virtuous cycle of adoption and price discovery.

The power of incentives

For early adopters of the appcoin, this virtuous cycle can result in a significant financial return, similar to the way that an early investor in a company can earn significant returns if the company is later successful and the value of their equity increases substantially. For example, if an early adopter of a product receives appcoins when there are only 1,000 users and the appcoin is valued at 100 satoshis each, and several years later the product has over 100,000 users and the price of the appcoin has increased to 10,000 satoshis each, this results in a 10,000 percent “return” for the early adopter.

The potential for financial return creates an incentive for people to adopt an appcoin product early on, even when the “cost” to doing so may be higher than using a more established alternative (for example, using a new social network app when there aren’t as many people to connect with as on other, more established apps). This incentive helps bootstrap the network, giving the app a fighting chance in the face of well-funded incumbents and speeding up the time-to-critical-mass that gives the network value and makes the app “sticky” for end users (or so the theory goes).

The future of appcoins

I have written before about why I am skeptical of appcoins. Disintermediation and centralization remain my top concerns. But given that there is no sign of the appcoin trend slowing down, with even “mainstream” apps with millions of existing users announcing plans to release an appcoin, it is worth thinking about what it would take for appcoin issuers to address these concerns and succeed with this model.

Appcoin issuers could reduce the likelihood of disintermediation by ensuring that there is as little friction as possible when exchanging currencies to use their app, while simultaneously doing all they can to increase the value of using the appcoin. And to minimize the risk that centralization has on the long-term value of their appcoin, issuers could create a succession plan to cede control of development to a more decentralized open source community.

The long-term future of appcoins is unknown. They could overcome these and other challenges and become a powerful tool for building products and bootstrapping networks. Or, they could disappear as dramatically as they appeared, destined to be a footnote in the pages of history like the company scrip that came before.
