Privacy Pools are a novel smart contract-based privacy-enhancing protocol would enhance the privacy of user’s transactions while also separating criminal activity from innocent funds in different sets.^[2]

Overview

Ethereum and other blockchains today are public by default because the visibility allows users to securely transact in a peer-to-peer fashion at a global scale. However, this feature is also a bug that hinders many potential real-world use cases.

Financial transactions cannot just be secure on the blockchain. They must also be private for regulatory, compliance, and commercial reasons. A business running on-chain payroll would risk exposing the salaries of all their employees to anyone with a block explorer.

Privacy pools are a new concept that allows users to deposit cryptocurrency into a shared pool while keeping ownership of the currency private. The pool uses cryptographically hidden records to track ownership, and users can withdraw without any connection to previous deposits. Privacy pools also allow users to demonstrate the legitimacy of their transactions without revealing specifics.

Privacy pools are a proposal by Ethereum founder Vitalik Buterin alongside members of the Ethereum community as well as researchers from blockchain analytics firm Chainalysis that offer a compelling solution to this problem. While imperfect, privacy pools are a promising first step in demonstrating that user privacy and regulatory compliance don't have to be mutually exclusive concepts.^[3]

The core idea of the proposal for Privacy Pools is to allow users to publish a zero-knowledge proof, demonstrating that their funds originate from known lawful sources, without publicly revealing their entire transaction graph.^[1]

Background

There have been many solutions proposed to enable on-chain privacy, from dedicated privacy blockchains such as Monero and ZCash to clever, “moon-math” smart contracts that cryptographically break the link between a deposit address and a withdrawal address. The more deposits into the smart contract’s “anonymity set”, the more ambiguous (hence private) a withdrawal would be.

Tornado Cash was one such protocol on Ethereum. Tornado Cash was so good at this that it drew the attention of OFAC (US Office of Foreign Assets Control) and the smart contract was placed on the SDN blacklist (Specially Designated Nationals and Blocked Persons List), normally reserved for dictators and terrorists. The Tornado Cash smart contract and its developers became criminalized overnight, even though much of the anonymization activity was legitimate transactions of users simply desiring robust financial privacy. Clearly there is a tension between legitimate user privacy and regulatory oversight/compliance. This tension was only exacerbated by the fact that nation states could not stop the activity but could only create the naughty list.^[4][5]

In the paper “Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium,” Buterin acknowledged that Tornado Cash was a good solution to privacy issues, but that it had limited options to dissociate from criminal activity on the network.

How Privacy Pool work

Privacy Pools aim to protect the privacy of transactions while separating criminal activities from lawful funds by organizing them into isolated sets or categories, allowing users to prove to regulators that their funds are not mixed with illicit funds.

This is accomplished through the use of techniques like zero-knowledge proofs to demonstrate the legitimacy of the transactions and the absence of involvement with criminal activities. Zero-knowledge proofs are cryptographic techniques that allow one party (the prover) to demonstrate knowledge of a specific piece of information to another party (the verifier) without revealing any details about the information itself.

When users want to take their money out of the Privacy Pool, they can choose to create a zero-knowledge proof. This proof does two things: First, it confirms that the user’s transaction is legitimate and does not involve a blockchain address associated with criminal activity. Second — and more importantly for users — it keeps their identities private.^[6]

Privacy pools that make use of zero-knowledge technology could theoretically solve part of this issue since they would give users privacy around transaction data while also distinguishing it from any criminal activity. By pooling honest transactions together, users could prove that their transactions come from one of the honest deposits.

Privacy Pool operates similarly to Tornado Cash by mixing multiple user transactions to obscure their true origins. However, when users choose to withdraw funds, they have the option to generate a zero-knowledge proof.^[7]

Criticism

• Vulnerability to private key transfers
  Even with rigorous KYC procedures, the system cannot inherently prevent a verified user from simply handing over their private keys – and thus their KYC-approved identity – to someone else. This loophole means that while a wallet might appear compliant, there's no absolute guarantee that the person transacting is the one who initially passed the KYC process.^[3]
• Innocent-until-proven-guilty
  Others criticized the notion of privacy pools on a more fundamental, philosophical level. For example, Zooko Wilcox, founder of Zcash, one of the earliest and most prominent blockchain networks that uses zero-knowledge proofs for private transactions, believes the strongest possible privacy guarantees for individuals come from systems that look as close to "cash" as possible. His criticism of privacy pools focuses on the fact the construction is expressly the opposite of the “innocent-until-proven-guilty” principle upon which U.S. and European legal systems are based.^[3]