Tornado Cash - How it Works | DeFi + Zero Knowledge Proof
- Published: Aug 26, 2021
- This video explains how Tornado Cash uses zk-SNARK to protect privacy.
Deposit 0:45
Why does everyone deposit the same amount of ETH? 1:52
Wrong way to withdraw 2:46
Correct way to withdraw - zero knowledge proof 4:04
Nullifier? 5:17
How is deposit hash (commitment) stored? 6:58
How to build a Merkle tree 7:19
Merkle tree in Tornado Cash 7:53
How to insert commitment into Merkle tree of Tornado Cash 8:32
How to prove commitment is in the Merkle tree 10:18
Tools used by Tornado Cash (Circom, snarkjs) 11:51
tornado.cash/
github.com/tornadocash/tornad...
#Solidity #SmartContract #TornadoCash #ZeroKnowledgeProof #Ethereum #スマートコントラクト
Follow
/ programmersmart
/ discord
t.me/smartcontractprogrammer
smartcontractprogrammer.com - Science
just wanted to say your videos have been super helpful. please keep creating them. thank you!
This explanation was excellent! Thank you.
Great video! Keep on going man!
Nice work as always. Your channel will blow up as DeFi continues to see more adoption. Keep it up 👍🏾
you're a gem, taz. thank you
AMAZING SIMPLE EXPLANATION
I've been waiting for a video on how it works!
You are a G ! Respect !!!
Love the diagrammatic analysis, makes it simpler
Beautifully explained
Thank you for your video, it's really helpful
Hi! First off, I want to say that your channel is a gold mine for blockchain programming! Keep up the good work!
I have one question related to this vid: Does a (successful) withdrawal action change the Merkle tree?
no, only deposits
@smartcontractprogrammer Thanks, I was thinking so after a quick look over the source code, but wasn't sure.
Great video!
Excellent explanation.
Really amazing video I became a fan in 1 day....please please can you make a fully detailed video about flash loan arbitrage using AAVE or DYDX please....
Lots of love from India
Really great video! I just have one question, if we ask tornado for the c2 hash in order to provide the hashes to zk-snark, wouldn't it know that we are looking for the c3 hash and therefore revealing our identity? Or is there something I'm missing?
All commitments are logged
github.com/tornadocash/tornado-core/blob/master/contracts/Tornado.sol#L69
So the merkle tree can be built offchain without querying the contract
Awesome question
This is incredible!
But you mentioned that the withdrawer needs the proof and the nullifier to take out funds and the contract uses the nullifier to make sure double spend does not happen.
But as the withdrawer is providing the nullifier, can’t this be used to identify the depositor? I.e. as she knew the nullifier and sent the proof - we can just compare nullifiers and identify them?
nullifier hash is provided into the smart contract.
nullifier is part of the zero knowledge proof.
no knowledge is leaked.
😍 awesome follow up video !! Visual was super helpful ~~ although my mind is still spinning in tornado trying to think about it !! By the way, 🦁 is protesting ~
Leo the Lion asked Charlie the Cat to deposit for him
@smartcontractprogrammer 🤣🤣
@salem232 LOL you are the stable member of his great videos!
@startat3098 😎 I have OG membership
@salem232 Plus one!
The US government: tHiS maTh iS ilLegal!
Thanks for the video, it's been 2 years and it still rocks!
I have a question, why Merkle tree? can't a simple map store the "coin" hash and a simple index to be used instead of passing the root?
If I remember correctly, I think the point of using a merkle tree is that it can be used with zero knowledge proof so that no one except the sender knows which merkle leaf they are spending
Thanks for the video! I would love to watch you program a clone of tornado cash, and see in code this explanation work!! Do you think you can do it? Cheers
ps: could we make a tornado cash smart contract in other chains, like avalanche and fantom, or even on layer 2 like Polygon??
Mind blowing
It was soooo goodie
Hey Taz can you clarify, the merkle root is a public parameter? And the rest of the hashes are private? Or are only the initial hashes of the secret and nullifier public only? But if all the initial hashes are public anyone can find out the hash of the merkle root, right?
merkle root is public
github.com/tornadocash/tornado-core/blob/master/contracts/MerkleTreeWithHistory.sol#L31
hashes (commitments) used to construct the merkle tree are public
> But if all the initial hashes are public anyone can find out the hash of the merkle root, right?
yes
proving that your hash is in the merkle tree is zero knowledge
@smartcontractprogrammer Thanks, that makes more sense
@smartcontractprogrammer Hi, I still don't get the point. If hashes are public, anyone can see hashes of c2 and c3 (example from video) and construct the merkle root.
@ Same question here, how do I actually prove that my hash is in the merkle tree?
@ there is a bug there in my opinion, at the lowest level you don't store a c0, c1 etc you store h(c0), h(c1) etc... this is how it works
Rocket 🚀 🚀 🚀
The best tool for scammers, hackers, and robbers! :D
Cars are very useful to these types of people as well. Along with cellphones, computers, guns, costumes, boats, mail, email etc. The list goes on and on. Yet nobody ever suggests we get rid of these things, except for guns. I think the motivation to get rid of guns is the same one trying to ban crypto and privacy block chains.
How to hide the connections between the tx that deposited and one that withdrew w.r.t. tx fee? Both need fee which needs to come from *somewhere*. This fee source can be used to link deposits and withdrawals.
submit transaction to relayers
I don't understand one thing, the whole Merkle tree with all of the leaves' hashes is public, so anybody can generate proof for any leaf hash. C3 hash is also public so I can take, c2, z1, z2 and generate the proof. That doesn't prove that I know the secret and nullifier for c3.
How does the tornado cash algorithm know that I actually know the secrets and nullifier for that c3 leaf?
Yeah, I also don't understand this
@mattdaf1sh195 Same here
there is a bug there in my opinion, at the lowest level you don't store a c0, c1 etc you store h(c0), h(c1) etc... this is how it works
It's one year later though here is the answer. Since hashes are not reversible even if you know c3 you cannot figure out the seed and thus the secret and nullifier.
And to generate the proof you need that exact secret and nullifier.
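The points made in the replies above (the commitments and Merkle root are public, the contract is given only the nullifier hash, and the proof needs the exact secret and nullifier), as an added Python sketch that is not from the video or the Tornado Cash code base. Assumptions: SHA-256 stands in for the project's circuit hashes, the zk-SNARK is replaced by checking its statement in the clear, and `Pool`, `demo` and the sample notes are constructed for illustration.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the circuit-friendly hashes of the real system.
    return hashlib.sha256(b"".join(parts)).digest()

def commitment(nullifier: bytes, secret: bytes) -> bytes:
    return H(nullifier, secret)          # the public leaf logged at deposit

def build_levels(leaves):
    # Leaf count must be a power of two in this sketch.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def merkle_path(levels, index):
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])    # sibling at this level
        index >>= 1
    return path

def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index >>= 1
    return node

class Pool:
    """Hypothetical stand-in for the contract: stores spent nullifier hashes only."""
    def __init__(self):
        self.spent = set()

    def withdraw(self, root, nullifier_hash, nullifier, secret, index, path):
        # Public inputs: root, nullifier_hash. The rest would be private SNARK
        # witnesses; here the statement the proof attests to is checked in the clear.
        if nullifier_hash in self.spent:
            return False                 # double spend
        leaf = commitment(nullifier, secret)
        ok = H(nullifier) == nullifier_hash and root_from_path(leaf, index, path) == root
        if ok:
            self.spent.add(nullifier_hash)
        return ok

def demo():
    notes = [(bytes([i]) * 31, bytes([i + 100]) * 31) for i in range(4)]  # constructed
    levels = build_levels([commitment(n, s) for n, s in notes])
    root, path, pool = levels[-1][0], merkle_path(levels, 3), Pool()
    n, s = notes[3]
    outsider = pool.withdraw(root, H(b"guess"), b"guess", b"guess", 3, path)
    return outsider, pool.withdraw(root, H(n), n, s, 3, path), pool.withdraw(root, H(n), n, s, 3, path)
```

Anyone can recompute the root from the public leaf and its path, but the withdrawal statement also requires the preimage of that leaf, and the stored nullifier hash rejects a second withdrawal of the same note.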
At the end you said without revealing c3, we are able to prove. But we had to pass c3 and the other hashes right?
I don't remember but I think yes. You need to pass your hash and the Merkle proof that includes your hash
great video
this video is a gem. zk-snark videos please!
how can you generate the root hash, if you only have your own hash?
you don't have any of the other hashes, that's where I'm lost
EDIT: oh ok figured it out
hey I'm doing a show on tornado cash today - I'd love to have you on - I'll be showing this video on stream
Sorry I can't make it
And I’m not getting what you mean with wrong way to withdraw. There is only 1 way, pasting the key that is given at the time of deposit, at least that’s all I saw
wrong way to implement a withdraw, a withdraw that doesn't protect privacy
@smartcontractprogrammer but there is only 1 way to withdraw, which is using the key note, that’s it.
would love to listen more about the zk smart contract creation..
How long should you wait to withdraw?
depends on activity of smart contract
@smartcontractprogrammer English please
@BlackSkyMusicTV that is English
This is only for ETH. How about Bitcoin?
bitcoin doesn't support complex smart contracts, so no
Now they banned it. Sad
Will we ever see the next episode now that tornado has been sanctioned by the US government?
WTF did I just watch???😅😅😅
This is the old dial up internet system. VPN for crypto wallet is coming soon please.
Have you done the video about zk-SNARKs?
no
Nice work. Looking forward to future videos on zk-snarks