How Umbra and Tornado can help protect payment privacy

On Twitter I recently shared an announcement blog post about Umbra, a new stealth address implementation written in Solidity for Ethereum-compatible blockchains (currently running on the Ropsten test network).

NuCypher cryptography engineer and generally rad person @__tux replied:

If the Payee withdraws from “stealth addresses” (these aren’t stealth addresses) to a mixer, it’s relatively trivial to learn the Payee’s “stealth addresses”.

The Payer should, instead, deposit into a mixer where they Payee is only capable of withdrawing. Umbra doesn’t do this.

This wouldn’t fix everything though. There’s a lot of ways to deanonymize payments between these steps, like when withdrawing from a mixer.

I started writing out an answer on Twitter and realized it got way too long, so I decided to move my reply over to a blog post.

To the comment “these aren’t stealth addresses”, I do think Umbra enables stealth addresses.

Some background info

Stealth addresses are a category of cryptocurrency technology that enables Payees to publish a static, re-usable address that Payers can then use to generate unique, one-time addresses. This can make it harder/ nearly impossible for observers who only know the static “stealth address” to know when the Payee has received payments, who is paying them, and what the amounts of the payments are. I will let the Umbra blog post explain technically how it implements this functionality.

The post-withdrawal problem I highlight in my thread arises from the fact that once the Payee has received a bunch of payments to their one-time addresses, they have to do something with those funds. Most likely, the Payee will want to consolidate those funds somehow, so they can make larger payments with them.

This consolidation is where linkages between the one-time addresses occurs and it becomes possible for, at a minimum, previous Payers to learn the amounts and sources of other possible payments to the stealth address. (I say “possible” because they do not know 100% those payments were sent via Umbra, they just know that the funds are controlled by a common party; this is also known as the “mystery shopper payments” vulnerability).

A mixer like Tornado can help here by allowing the Payee to consolidate funds a little at a time in different addresses, deposit the funds into a mixer, and later withdraw to a common address that is de-linked from the pre-mix addresses. Instead of 100% of the funds being linked together in a common consolidation address (as would occur if no mixer is used) only some of the funds are linked pre-mix. After funds are withdrawn from the mixer, there’s no way to conclusively link the pre-mix addresses to the post-mix address.

An example
Imagine Alice has received four Umbra payments of 0.051 ETH at one-time addresses A1, A2, A3, and A4. She consolidates A1 + A2 into address C1, and A3 + A4 into C2. The addresses that were consolidated together are now linked, but C1 and C2 are still unlinked.

The reason for consolidating pre-mix is because Tornado only supports specific denominations of ETH in each pool, so she needs to combine enough ETH to meet the denomination threshold she wants to mix into (0.1 ETH being the smallest ETH Tornado pool currently). If the Umbra payments are by themselves large enough to go into a Tornado pool, then no consolidation is needed pre-mix and even more privacy is possible.

Alice deposits the funds from C1 into Tornado, waits some time, then also deposits the funds from C2 into Tornado. C1 and C2 are still not linked together.

After a couple of weeks, she withdraws her Tornado funds to withdrawal address W1, which has no links to either her Umbra address or to her one-time addresses. Tornado has successfully helped her privately consolidate 0.2 ETH from C1 and C2 into a single new address.

Of course, as tux points out, there are ways that Alice can de-anonymize herself post-mix. Maybe she sends some funds from one of her pre-mix addresses to W1. Or maybe she sends some other funds from W1 to an address publicly linked to her. Post-mix behavior is as important for maintaining privacy as pre-mix behavior. This is the main reason why privacy on transparent blockchains is so fragile, and why I advocate for fully shielded, end-to-end encrypted transactions as the ideal standard for on-chain payment privacy.

Email is probably the most popular decentralized messaging protocol, and I expect it to be around for a while. Add yourself to my email contacts if you would like to stay in touch!

The dark side of the decentralized web

On a recent Bloom Network community call introducing the decentralized web, a couple of people asked about the potentially harmful uses of the technology. We didn’t have much time to get into it on the call, but there are valid concerns here that I think warrant further discussion.

The issue at hand

To summarize the concerns, it makes sense to first give a brief introduction to decentralized web technologies and explain why they’re important and different from the web most of the world uses today.

The basic goal of the decentralized web is to remove centralized points of weakness on the web, making the web more secure, private, resilient, and censorship-resistant. For example:

  • Domain names in the traditional web are controlled by a corporation called ICANN, who can revoke the names from users whenever they want. Yes there are technically conditions that must be met before the name can be seized, but ICANN itself defines these conditions so… anyways if they (or your government) don’t like what you’re publishing on your website, they can make your site harder to find by taking away the domain name. Blockchain name systems are a decentralized web technology that provides an alternative to the ICANN-owned domain name system and gives end users true ownership of their domain names.
  • TLS/SSL Certificates in the traditional web are issued by organizations called Certificate Authorities. There are hundreds of Certificate Authorities and your browser will trust a certificate issued for a website by any one of them. This power has been abused to man-in-the-middle entire countries, likely in an attempt to spy on political dissidents. Decentralized public key infrastructure is a decentralized web technology that provides an alternative to Certificate Authorities, where users can issue their own certificates and cryptographically link them to their domain name using a blockchain name system.
  • File hosting in the traditional web is provided by organizations that host digital files on centralized servers. While these web hosts do their best to keep the files available using backups and data redundancy, they can still experience issues that lead to catastrophic losses. Distributed file and data storage systems are decentralized web technologies that decentralize the job performed by file hosts. Files (or pieces of files) are stored on computers operated by multiple hosts instead of relying on a single web host to make the files available. This makes it less likely for data to get lost and permanently taken offline if one or multiple hosts go down.
  • Electronic payments over the traditional web have historically relied on centralized intermediaries such as payment processors and banks. These middlemen have abused their privileged positions of power to attack their own customers for political reasons, or for no good reason at all. Cryptocurrency is a decentralized web technology that makes it possible to send payments online without an intermediary, so payments can be sent by anyone, to anyone, anytime and anywhere – a simple yet powerful concept.

While all of these decentralized web technologies help provide strong protections for normal web users against security vulnerabilities, privacy intrusions, and censorship, because these technologies are freely available, they also provide these protections to bad people too. The main concern that people have brought up about decentralized web technologies is that they believe these technologies make it harder to catch bad people or stop them from using the internet to do crime.

Before addressing the concern, first a brief trip down memory lane…

The Four Horsemen of the Infocalypse

To provide some more context, it’s worth pointing out that concerns about bad people using the internet to do bad things are as old as the internet itself. Back in the early 1990s, during the first Crypto War (which cryptographers won, btw), such concerns were brought up as a reason for backdooring encryption or otherwise breaking the security of the internet so often that Timothy May came up with a name for them: The Four Horsemen of the Infocalypse. So these concerns are not new or unique to the decentralized web.

Still, how do we (people developing and promoting decentralized web technologies) respond to these concerns? Here’s how I think about it:

The positives outweigh the negatives

Ok so the concerns aren’t new. But that doesn’t mean they’re not valid, right? Only that we’re still grappling with them, almost thirty years later.

Indeed. As technologists, it is certainly important to think about the ethics of the technology we are developing. Is this technology a net benefit for the world? Does the technology do more harm than good? From personal firearms and nuclear weapons to smartphones and the internet, humans have constantly grappled with the question of whether the positives of the technologies we develop outweigh the negatives.

As someone who helps develop decentralized web technology and promotes its usage, I personally believe that the positives far outweigh the negatives. The benefits that billions of people could gain from a more secure, more private, more resilient and censorship-resistant web to me far outweighs the bad that a relatively small number of people could do with the technology.

Striking at the root of evil

That brings the discussion to the actual concern being raised: bad people doing bad things online. Ok, so there’s this technology that can be used to publish harmful content online in a way that could be hard to censor or track back to the source. What do we do about that? Well, we cannot un-invent the technology. It’s out there, it’s open source software published in public repositories that anyone can use now. So how do we deal with online-based crime in a world where information can now be strongly encrypted and permanently published to the internet?

To answer this question, I would first interrogate further: why is there crime to begin with? Why do people do the bad things that they do? How do their victims end up in situations where they are victimized? What can we do to stop crime before it happens? Trying to answer these questions exposes deep societal problems that are out of scope for this blog post, but suffice to say that when it comes to criminals using software to commit crimes, there’s a lot the government itself could do to fix their own policies that create crime in the world (drug prohibition, supporting terrorists, sex work criminalization, as just a few examples) before we even think about how open source software comes into the equation.

Now let’s assume that governments and everyone else have done just about everything possible to reduce crime caused by or enabled by bad policies and bad personal habits. There will still be a small minority of people who are just born to do bad things, and they will probably use the internet and decentralized web technologies to do some of those bad things. How do we deal with that?

I think that, just as it’s difficult to erase something off the internet today, it will continue to be difficult to erase something off the internet in the future. Decentralized web technology doesn’t necessarily create a new capability here, it just makes that level of resilience more accessible to more people. Similarly, end-to-end encryption has been widely available since the release of PGP in the early 90s, and today is made easier to use by end-to-end encrypted messaging apps such as Signal. Again, decentralized web technology doesn’t introduce new encryption capabilities here, but rather can help make secure end-to-end encryption more easily usable with DPKI and more private by removing messaging intermediaries.

So to answer the question “how do we deal with bad people who do bad things using decentralized web technologies” we could ask law enforcement, military, and other people in the security industry how they deal with the crime on the internet today. Many tactics they use will probably still be relevant. They may have to shift tactics or develop new tactics. And, yes, in some cases (such as deleting links to illegal content stored on the bitcoin blockchain) they won’t be able to do anything about it at all, except to track and find the source of the content and cut the problem out at the root to prevent further harm.

My computer, my business

“But, but,” the concerned people protest, “couldn’t we just force developers to make it possible for law enforcement to break decentralized web technologies in limited circumstances?”

This request for a “golden key” or “backdoor” is another old zombie policy proposal that just won’t die, and the answer is, was, and always will be: no.

Quoting a tweet I sent recently:

think of my computer as an extension of my brain. you can’t force a company to give you access to the contents of my brain. you shouldn’t expect to be able to force a company to give you access to the contents of my computer, either.

Under the U.S. Constitution, people have a right to privacy and the right to remain silent. These rights exist to protect innocent people from having their private life unfairly intruded on by the government. We also have a right to free speech, a right that an increasingly large number of people are finding hard to exercise on the internet, with unaccountable corporations acting as the final arbiter of what speech is allowed and what is not.

Decentralized web protocols provide a technological means of protecting these rights. Remember that not everyone in the government is acting with the best of intentions. It’s important that these rights be protected by the Constitution, but in case the government fails to respect our rights (it wouldn’t be the first time), or in cases where such rights are weak or nonexistent, it’s also important that we have these technological means of protecting our rights.

Besides, even if we did put backdoors in decentralized web software, bad people would just create versions of the software that do not have a backdoor, so they could continue their bad activities unconcerned about unwanted guests intruding on their business. It’s better that we have secure software that protects everybody, rather than expect innocent people to use software with backdoor vulnerabilities on the delusional hope that it would make it easier to catch and stop criminals. All a backdoor in the decentralized web would really accomplish would be to make innocent people less safe online while criminals continue their business using software without backdoors.

Making the best of it

Decentralized web technologies such as cryptocurrency, blockchain name systems, DPKI, and distributed file and storage systems are exciting new tools that can help improve on existing shortcomings with the web, including security and resilience problems. They can also help protect our rights to privacy and free speech. Yes, like every other tool ever invented, it is also possible to use these tools for bad as well. We will have to adapt and accept that some problems that are created by these new technologies cannot be completely eliminated, only mitigated. We have accepted this trade-off for countless other technologies in human history, including for the internet itself, and I think it’s reasonable to accept this trade-off for the decentralized web as well.

There’s so much good that the decentralized web makes possible. Let’s make the best of this new reality and use these technologies to improve our world, to liberate ourselves and others and improve our digital lives.

P.S. One final point: although it is possible for other people to use the decentralized web to host objectionable content, remember that as a user of this technology you are in no way obligated to help host that content! You can delete any data off your computer that you do not want to host. Part of the benefit of the decentralized web is that you are in control. Such content filtering can even be automated, so if you are running a file hosting node for example any objectionable material can automatically be rejected as soon as it’s detected on your computer. It’s like avoiding the bad part of town – you can just not go there!


Email is probably the most popular decentralized messaging protocol, and I expect it to be around for a while. Add yourself to my email contacts if you would like to stay in touch!

Liberty and responsibility in the time of pandemic

(Image source)

We are now over a month into nationwide lockdowns (or in some cases “cargo cult lockdowns”, as Balaji Srinivasan calls them) here in the United States due to the SARS-CoV-2 (aka “coronavirus”) pandemic. While I agree with physical distancing in response to the pandemic – I put out the idea that people “stay home for the next month” back in early March before lockdowns in the U.S. started – I share some concerns that liberty-minded folks have raised about the use of lockdown policies by the government. I’m writing this post to think through these concerns and comment on some of the opposition to the lockdowns that I’ve seen spring up since the lockdowns began, particularly in my home state of New Hampshire.

At risk of generalizing, I want to first try and group together the forms of lockdown opposition that I’ll be commenting on so that it’s clear what I’m referring to. There are two main groups, with some overlap in practice:

  • “The lockdown is wrong for health reasons”. This group opposes the lockdown because they don’t believe that there is any health risk to most or all people to re-opening and resuming life as it was before the lockdown.
  • “The lockdown is wrong for political reasons”. This group opposes the lockdown because they don’t believe the government should have the power to order private businesses to close or otherwise restrict their business practices in response to the pandemic.

“The lockdown is wrong for health reasons”

I won’t comment much on this argument except to say that I do not agree with this group’s assessment of the situation at this time. We have already seen at least one new outbreak following the relaxing of distancing in Seoul, South Korea. I do think people living and working in sufficiently distanced environments (such as rural or desert areas) may be an exception, especially if other precautions are taken such as mask wearing. But for the vast majority of Americans living and working in urban and suburban areas, or other tight quarters, I think it’s too soon to resume life as it was before the lockdowns began. According to a recent ABC News/Ipsos poll, most Americans agree.

“The lockdown is wrong for political reasons”

This argument I have mixed feelings about.

On the one hand, in principle, I agree that, as a response to the pandemic, the government should not be able to force businesses (under the threat of death) to close shop or otherwise heavily restrict how they serve their customers (such as in states like New Hampshire where restaurants can now only do takeout or delivery, if they stay open at all). Businesses and their customers should be free to make their own risk assessment and decide whether or not to mingle in close quarters, and accept any negative consequences as they come.

Perhaps in a world where people didn’t rely on governments to force a pandemic response onto everyone, a voluntary system for implementing widespread physical distancing and other necessary measures to fight a pandemic would emerge. In such a world, businesses might have pandemic clauses included in their liability insurance policies requiring them to implement some sane measures to help slow the spread of novel viruses or else risk losing their insurance coverage. Customers might voluntarily choose to shop exclusively by delivery or takeout, or only visit grocery stores that implement distancing measures. Hospitals might refuse to treat coronavirus patients who are known to have violated distancing and other health requirements, to prevent healthcare resources from being exhausted by people who are reckless during a pandemic. I’m not saying it would be perfect (the current response hardly is either) only that there are alternatives to government-enforced lockdown that could still keep most people safe.

On the other hand, we don’t live in that world. In the world we live in, governments have either monopolized the pandemic response role or crowded out alternatives in the healthcare, insurance, and regulatory industries. Laws have been passed giving governments sweeping emergency powers to react to sudden disasters such as pandemics. And nearly all of society is set up to rely on governments to use those powers responsibly, with few to no fallback options available if governments fail in their response. Hospitals have limited resources to treat waves of pandemic patients, relying on the government to supplement with additional supplies and convince the public to effectively distance to keep case counts within the available treatment capacity.

In the real world that we actually currently live in, rewinding back to early March, before lockdowns started in the U.S., how would liberty-minded people opposed to government-imposed lockdown propose that people in urban and suburban areas respond to the pandemic? Would they really take the chance that people voluntarily adhere to distancing measures and not get them sick or overwhelm the health system?

Evidence already shows that, in our current political reality, voluntary measures wouldn’t work very well: while the U.S. got its first confirmed coronavirus case in February, and countries around the world were instituting distancing policies as early as January, people in the U.S. largely ignored the pandemic until states began issuing stay-at-home orders in late March. Similarly, although all scientific evidence and common sense says that wearing a mask is one of the best ways to slow the spread of the virus in confined spaces, Americans did not start wearing masks en masse until the government told them to.

So now we’re over a month into nationwide lockdowns, and many people are itching to get “back to normal”. With no coronavirus vaccine expected for up to 18 months or longer, people are understandably concerned about the economic impacts that the lockdowns will have if we must maintain these conditions for that long. But when the alternative is a return to constant fear of infection and overwhelmed hospitals, resulting in the worst of both worlds as people both retreat back to distancing and suffer the risks created by those who don’t, lifting the lockdowns and reversing distancing guidelines seems to me irresponsible.

Again, yes, in principle, governments should not have the authority to forcibly close businesses. But we do not currently live in a world where voluntary-yet-effective protocols for responding to an emerging pandemic exist. To leave the social response to chance in the current political reality is to guarantee mass death. Much as I would love to live in a stateless society with appreciation for free markets and personal responsibility baked in at the core of people’s value systems, such that most people would do the right thing in a pandemic without being forced to, that is evidently not the society we live in. And so we must do the best we can with what we’ve got, which today means using the established protocols that governments have adopted to enforce distancing and suppress the spread of the virus.

What comes next

Personally, I will continue physical distancing and wear a mask whenever I go out until there’s a vaccine and it seems like most people have gotten vaccinated. I will begrudgingly tolerate reasonable lockdown policies as long as governments are humane about it until testing coverage improves and we’re able to confirm that there are no new cases of community spread in my area, under the condition that people be prepared to lockdown again if new cases appear. I generally believe that governments should find non-violent ways to enforce the lockdown in all but the most egregious cases where people are genuinely putting the health of others at risk and a forceful intervention is the only means available to prevent harm (and even then, the use of force should be proportional to what’s needed to neutralize the threat, not over-the-top Rambo-cop types of responses). On that, I’m relieved to see that so far the New Hampshire state and local governments seem to be taking a reasonable and measured approach to their pandemic response and lockdown enforcement.

I also support measures to ease the economic burden of these lockdown policies, such as the suspension of rents and debt service, for those put out of work, for the duration of the lockdown and for at least a few months after as people re-adjust to re-opening. It wouldn’t be fair to tell people they can’t earn income while at the same time requiring them to continue paying these bills. Combined with unemployment insurance, stimulus payments (paid for via tax cuts), personal savings, and charity, I think the vast majority of people who lose their income due to the business closures should be able to cover their basic needs long enough to make it through the pandemic.

Politically speaking, I think Americans are overdue for a rude awakening regarding the system of statism that we have lived under our entire lives. As if it weren’t obvious enough before the pandemic that the State is a cancer on society and statism-as-religion must be tossed into the dustbin of history, serious government abuses and failures during the pandemic response should be eye opening. And governments have not only exacerbated the pandemic with their interventionist policies, they practically gave birth to it; as Kevin Carson argues, it is our globalized economy, architected by corporations and subsidized by governments, that created the environment that made it possible for the virus to spread so widely and so quickly in the first place. We should absolutely be skeptical and resistant to government power grabs during this turbulent time, but we should also think about how we can transcend the imaginary “need” for government going forward.

Sensible distancing requirements are necessary to keep the healthcare system functioning and prevent avoidable deaths for now. But we should not accept that government-enforced lockdowns are the only – or even the best – defense against a pandemic of this scale should we ever face one again.  We should endeavor to build and rely on stateless systems for managing the response to emerging biological threats, from coordinated physical distancing to income safety nets to healthcare supply reserves to vaccine development to testing, tracing, and isolation programs and everything else we need. It’s clear that we cannot rely on the government to carry out these necessary tasks properly, and by allowing governments to monopolize the role of “pandemic response coordinator” and crowd out alternative solutions we allow our society to be less resilient to this kind of disaster than we otherwise could be.

Rather than simply protest and complain about the current government response, let’s imagine how we could do better and build the alternative. Then, god forbid, next time there’s a pandemic maybe we won’t end up the collective victims of a systematically broken and incompetent institution of government.


The difference between XCAT and Drivechain

In response to a series of tweets about the Zcash XCAT (cross-chain atomic transaction) project and Drivechain, mineZcash asks on Twitter:

Genuinely curious how drivechains differ from cross chain atomic swaps. ELI5 anywhere?

This is not an ELI5, more like “ELI am familiar with blockchains and cryptocurrencies but not familiar enough with the specifics of XCAT or Drivechain to be able to compare the two.”

I’ll try to break it down here at that level.

The Zcash XCAT project can be used to atomically swap ZEC for BTC. This means that if two traders, one holding ZEC on the Zcash blockchain and the other holding BTC on the bitcoin blockchain, commit to a swap of BTC and ZEC, the swap of the two assets will either complete successfully or not at all; a trader cannot get stuck without either the BTC or ZEC.

A BTC holder might perform this cross-chain atomic swap for ZEC if they want to store, send, and receive value in a fully shielded form on the Zcash blockchain, where currently ZEC is the only asset supported and the only asset that miners accept as payment for transaction fees.

A Zcash-like Drivechain is a type of sidechain that is merge-mined with bitcoin. It has the main features of the Zcash blockchain that make it special vs bitcoin (namely, shielded transactions), and features a two-way peg mechanism linked to the bitcoin blockchain (the “mainchain”).

The two-way peg works like this: someone who wants to peg-in from the mainchain to the Drivechain will send their BTC to a deposit address on the mainchain along with a message specifying their Drivechain address. Drivechain full nodes will see that transaction on the mainchain and mint an equal amount of pegged tokens on the Drivechain (let’s call this token “DC-BTC”) and assign the DC-BTC to the specified Drivechain address.

When someone wants to redeem their DC-BTC and “peg-out” BTC back to the mainchain, they perform a similar process in reverse. They will send a “withdrawal transaction” that destroys DC-BTC and specifies a mainchain withdrawal address to which the BTC should be redeemed. After some period of time, a transaction that transfers the specified amount of BTC from the Drivechain deposit address to the withdrawal address is confirmed on the mainchain, and the redemption is complete.

Now that we know what XCAT and Drivechain are we can see how they are different:

  • XCAT is a method for atomically swapping tokens that exist on different blockchains. Blockchains do not need to know anything about each other for the cross-chain atomic swap mechanism to work.
  • Drivechain is a way to lock tokens on a mainchain (e.g. bitcoin) in a special address, mint a pegged amount of tokens on a second “sidechain” that is merge-mined with the mainchain, and destroy the pegged tokens in exchange for a specific amount of the corresponding mainchain token. The mainchain and the Drivechain do need to know some information about each other in order for the two-way peg mechanism to work.

The cross-chain atomic swap mechanism implemented in XCAT can in theory be used to swap Drivechain and mainchain tokens, or tokens on different Drivechains, or any other tokens that exist on different XCAT-compatible blockchains. In short, cross-chain atomic swaps are complimentary to Drivechain, rather than a replacement for it.

I hope this explanation helps folks understand the differences between these technologies and why each are important.

More about Drivechain:

More about XCAT:

Email is probably the most popular decentralized messaging protocol, and I expect it to be around for a while. Add yourself to my email contacts if you would like to stay in touch!

Creating local marketplaces with OpenBazaar

OpenBazaar is a global online marketplace for anything and everything. Unlike centralized marketplaces such as Amazon, Alibaba, Craigslist, eBay, Mercado Libre, and nearly every other online marketplace you can think of, OpenBazaar is a decentralized marketplace. Being decentralized means that there is no single company or web host that controls OpenBazaar. It also means that there is no single company or web host that can be targeted to shutdown OpenBazaar. This has some interesting benefits for buyers and sellers who choose to use OpenBazaar.


One benefit – perhaps the most important – is that there is ultimate freedom regarding what people can buy and sell on OpenBazaar. While centralized marketplaces are forced by law to have policies that restrict the types of items that people can buy and sell, and will often take down listings to enforce these policies, OpenBazaar has no such policies. In fact, OpenBazaar fundamentally can’t have such policies; even if the developers of OpenBazaar tried to build such policies into their software, the policies could easily be circumvented by end-users because the code that runs OpenBazaar is open source and freely modifiable. So in theory and in practice, users can create listings to buy or sell anything they want and the only way that their listings can be taken down is if their internet goes down or the computer they use to run the OpenBazaar software is turned off. And even then, there is a possibility that the listings stay online. OpenBazaar is very resilient against censorship and downtime.

Another benefit is that OpenBazaar users have a lot of creativity regarding how they use the marketplace to promote and discover products. Listings on OpenBazaar can be given tags such as “books” or “gardening” so that they show up in searches for these types of items. If users add the “Local pickup” shipping option and also put their location as a tag on their listings, for example tagging with a zip code and the name of their city or state, then it makes it easy for people in their area to find their listings, contact them, and plan to meet up for a local sale.

This turns OpenBazaar into an unstoppable alternative to popular local-focused marketplaces such as Backpage and Craigslist.

Here is an example of what such a local marketplace listing could look like with the appropriate tags:


With this, anyone looking for the book “An Agorist Primer” by the author Samuel Edward Konkin III in the Beverly Hills, California area could easily find it and meet up with the seller to buy the book in person with cash.

Although this use of OpenBazaar is not currently officially supported, OpenBazaar developers could develop this concept further and give users the ability to search for similar listings within a certain distance from their location, such as all zip codes or cities within 10 miles. This way users would only need to enter their location and a search term to pull up all similar listings near them and connect with their local buyers or sellers.

There are some products or services that may be legal in various jurisdictions but are still suppressed by centralized marketplaces for one reason or another. With the previously mentioned benefits of OpenBazaar in mind, here are a few ideas for local marketplaces for otherwise suppressed goods and services that could thrive on OpenBazaar if users add these tags and their location tags to related listings:

#bookfair – a local marketplace for buyers and sellers of books and comics

#glassmarket – a local marketplace for buyers and sellers of functional glass art

#localcoins – a local marketplace for buyers and sellers of digital currencies

#gunshow – a local marketplace for buyers and sellers of firearms, ammo, and accessories

#redlight – a local marketplace for buyers and sellers of sexual products and services

#silkroad – a local marketplace for buyers and sellers of cannabis and entheogens

… and many, many more local marketplaces like these are possible. Give it a try and let me know what you think about this idea in the comment section below.

P.S. OpenBazaar is not the only decentralized marketplace out there. Check out the full list I maintain of other decentralized marketplaces that you can try this out with. You are also welcome to add any decentralized marketplaces to the list that you think are missing by creating an issue or sending a pull request.

Tornado review

Last December I published “The State of the Art in Cryptocurrency Privacy“, based on a lightning talk I gave at an Aragon One offsite providing an overview of the latest and greatest cryptocurrency privacy techniques at the time. I was disappointed to report at the time that the privacy story for Ethereum, the blockchain used by Aragon, was not good:

the state of the art in cryptocurrency privacy(18)

I quoted geth core developer Peter Szilagyi, who said in his Devcon4 talk: “Privacy on ethereum is bad, really, really bad.” And I asked the question: zk-SNARKs when?

Well friends, less than eight months after publishing that blog post, I’m happy to provide a positive update: zk-SNARKs now.

Enter Tornado

A few weeks ago a tweet crossed my feed and grabbed my attention:

I was intrigued. The clean, minimalist interface seemed to have the important elements expected. But as it was a work in progress, I would have to wait to try it out. Then, a few weeks later, the Tornado touched down:

You can now mix ETH with zk-SNARK-based privacy at

The announcement blog post has some additional information about the app. My own caveats and feedback follows. Tornado also mentions some of the following points in their blog post and in the app itself, but it’s worth mentioning again here to drive the points home. Stay safe and remember this is beta software.

How to protect yourself when using Tornado

  • Don’t use the same IP address to withdraw as you used to deposit*
    • Worst is to use your personal IP address. Better is to use a VPN and switch servers. Best is to use Tor and reset the circuit.
  • Don’t use the same Ethereum address to withdraw as you used to deposit*
    • Use a new, unused address instead.
  • Don’t use Infura or another centralized node provider with your wallet*
    • Always connect your wallet to your own full node, or else your deposit and withdrawal addresses will be trivially tied together by the node provider and anyone who gains access to their data.
  • Don’t make a withdrawal via wallet and pay gas with an account connected to your deposit address.*
    • Save yourself the trouble and potential privacy leak, use the Tornado Relayer.
  • Don’t lose your note or you’ll lose all your money
    • Save the note in your password manager (you are using a password manager, right?)

* Doing things that damage your own privacy also damages the privacy of all other Tornado users by shrinking the anonymity set. Seriously, don’t do these things.

Some feedback/ suggestions for the Tornado devs

  • The app looks great. Seems intuitive enough. The essentials are there. Great job with everything so far. That said I think more can and should be done to prevent users from damaging their privacy and the privacy of others.
  • Consider using aragonPM to beef up security on your dapp deployments. (Read how we use it at Aragon here.)
  • If it must be web-based, consider running exclusively as a Tor hidden service (better for anonymity and security).
  • Ditch Infura. Run your own node (and auto-delete logs). Although Infura shouldn’t be getting any useful data from your users if they’re using Tornado properly, it’s better to not even give them the opportunity.
  • Reject entering the same withdrawal address as a previously used deposit address. Users should know better, but sometimes they need saving from themselves.
  • Open up the higher deposit amounts. At 0.1 ETH deposit amount, total fees to deposit and withdraw added up to 3.734% of the mixed amount when I paid the standard gas price.
  • User privacy is compromised by allowing users to connect with a centralized node provider like Infura on both sides of the mix (e.g. if their wallet uses an Infura backend for both the deposit address and the withdrawal address). I’m not really sure how to solve this. But it makes for an easy foot-gun scenario, so worth thinking about how to fix this, or at least warn users about it. Worth looking at how Wasabi deals with this.
  • Since there are other Ethereum providers than MetaMask (for example I use Frame as my daily driver) I suggest using “Ethereum provider” in place of “MetaMask” in the app copy to keep it generic. Or “Ethereum signer”, or “Ethereum wallet”… whatever more generic term makes the most sense to you. (We use “Ethereum provider” throughout the Aragon client.)

Remaining questions

  • Is there any advantage to using one’s own wallet vs Relayer for withdrawal? Might be easiest / safest to just remove the “wallet” option.
    • Answer: “It is there to make sure that users can withdraw their funds even if relayer is down.” (source)
  • How were the parameters for the zk-SNARK generated?
    • Answer: “For this beta version the setup was done on a single build machine, so you kinda have to trust that we didn’t save toxic waste… Currently there is no way to make a trusted setup for Ethereum BN256 curve, as soon as Gnosis and Matter finish working on it (soon) we will redeploy the mixer with a proper multiparty trusted setup.” (source)
  • When desktop app with local node + Frame support? 😀

Link: r/ethereum discussion

Email is probably the most popular decentralized messaging protocol. Add yourself to my email contacts if you would like to stay in touch!


A better app store

What would a new and improved app store look like? The Aragon App Center is in development so I’m excited to think about how we can improve on existing app store designs.

There are three new features I’d love to see:

Decentralized publishing

Today only one person is required to push the “publish” button, and this creates a central point of failure. What if multiple devs and community members had to sign off before a new app update was pushed? This could prevent problems like devs going on power trips or burning out and giving their publishing rights away to hackers. With a decentralized package manager it would be possible to require multiple sign-offs before a new app update is published. This update could then be cryptographically verified to be published by the correct author (see the next section).

Trusted publisher profiles

When I look at an app download page in an app store, how do I really know it’s being published by who I think it is? I might look at how many people downloaded it, or go to the download page straight from the publisher’s website (the address of which I got from another trusted source, etc). What if there was a way to trust the download page no matter how I arrived at it?

With trusted publisher profiles, that becomes possible. Publishers could publish proofs to their profile showing that they control certain website domains, social media accounts, and crypto keys. They can sign app install files using these keys so that I can trust that the file came from the right publisher. Various solutions like this exist but they aren’t adopted consistently and no app store that I’ve seen has been able to blend the freedom of decentralization with the security of trusted publisher profiles.

Cryptocurrency payments

I want to pay for good software. But I don’t want the app store to know who I am and I don’t want to worry about whether it can actually secure my credit card data. Besides, credit cards are an ill-suited medium for the <$0.99 payments I imagine for software installs and updates. It might not seem like much, but multiplied by thousands or millions of users and a developer (or team) that puts out consistent and consistently good app updates could make a good living off these small payments alone, not to mention any in-app monetization mechanisms.

I want to pay for good software and I want it to be fast, cheap, and private. Cryptocurrency is a great fit for this.