Pay Less for Your Privacy: Towards Cost-Effective On-Chain Mixers

Authors Zhipeng Wang, Marko Cirkovic, Duc V. Le, William Knottenbelt, Christian Cachin

Thumbnail PDF


  • Filesize: 1.28 MB
  • 25 pages

Document Identifiers

Author Details

Zhipeng Wang
  • Imperial College London, UK
Marko Cirkovic
  • University of Bern, Switzerland
Duc V. Le
  • Visa Research, Sunnyvale, CA, USA
William Knottenbelt
  • Imperial College London, UK
Christian Cachin
  • University of Bern, Switzerland


The authors thank anonymous reviewers for helpful feedback.

Cite AsGet BibTex

Zhipeng Wang, Marko Cirkovic, Duc V. Le, William Knottenbelt, and Christian Cachin. Pay Less for Your Privacy: Towards Cost-Effective On-Chain Mixers. In 5th Conference on Advances in Financial Technologies (AFT 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 282, pp. 16:1-16:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)


On-chain mixers, such as Tornado Cash (TC), have become a popular privacy solution for many non-privacy-preserving blockchain users. These mixers enable users to deposit a fixed amount of coins and withdraw them to another address, while effectively reducing the linkability between these addresses and securely obscuring their transaction history. However, the high cost of interacting with existing on-chain mixer smart contracts prohibits standard users from using the mixer, mainly due to the use of computationally expensive cryptographic primitives. For instance, the deposit cost of TC on Ethereum is approximately 1.1M gas (i.e., 66 USD in June 2023), which is 53× higher than issuing a base transfer transaction. In this work, we introduce the Merkle Pyramid Builder approach, to incrementally build the Merkle tree in an on-chain mixer and update the tree per batch of deposits, which can therefore decrease the overall cost of using the mixer. Our evaluation results highlight the effectiveness of this approach, showcasing a significant reduction of up to 7× in the amortized cost of depositing compared to state-of-the-art on-chain mixers. Importantly, these improvements are achieved without compromising users' privacy. Furthermore, we propose the utilization of verifiable computations to shift the responsibility of Merkle tree updates from on-chain smart contracts to off-chain clients, which can further reduce deposit costs. Additionally, our analysis demonstrates that our designs ensure fairness by distributing Merkle tree update costs among clients over time.

Subject Classification

ACM Subject Classification
  • Security and privacy → Pseudonymity, anonymity and untraceability
  • Privacy
  • Blockchain
  • Mixers
  • Merkle Tree


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Cyclone. Available at: URL:
  2. Ganache. Available at: URL:
  3. Jubjub. Available at: URL:
  4. Tornado cash. Available at:, before August 8th, 2022.
  5. Available at: URL:
  6. Available at: URL:
  7. Martin Albrecht, Lorenzo Grassi, Christian Rechberger, Arnab Roy, and Tyge Tiessen. Mimc: Efficient encryption and cryptographic hashing with minimal multiplicative complexity. In Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, pages 191-219. Springer, 2016. Google Scholar
  8. Karim Baghery, Markulf Kohlweiss, Janno Siim, and Mikhail Volkhov. Another look at extraction and randomization of groth’s zk-snark. In Financial Cryptography and Data Security: 25th International Conference, FC 2021, Virtual Event, March 1-5, 2021, Revised Selected Papers, Part I 25, pages 457-475. Springer, 2021. Google Scholar
  9. Jordi Baylina, Kobi Gurkan, Roman Semenov, Alexey Pertsev, adria0, Ehud Ben-Reuven, arnaucube, Eduard S., and Marta Bellés. circomlib, 2020. Available at: URL:
  10. Jordi Baylina, Kobi Gurkan, Roman Semenov, Alexey Pertsev, adria0, Ehud Ben-Reuven, arnaucube, Eduard S., and Marta Bellés. snarkjs, 2020. Available at: URL:
  11. Josh Benaloh and Michael De Mare. One-way accumulators: A decentralized alternative to digital signatures. In Advances in Cryptology—EUROCRYPT’93: Workshop on the Theory and Application of Cryptographic Techniques Lofthus, Norway, May 23-27, 1993 Proceedings 12, pages 274-285. Springer, 1994. Google Scholar
  12. Dan Boneh, Benedikt Bünz, and Ben Fisch. Batching techniques for accumulators with applications to iops and stateless blockchains. In Advances in Cryptology-CRYPTO 2019: 39th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2019, Proceedings, Part I 39, pages 561-586. Springer, 2019. Google Scholar
  13. Dan Boneh and Victor Shoup. A graduate course in applied cryptography. Draft 0.6, 2023. Google Scholar
  14. Chainalysis. Understanding tornado cash, its sanctions implications, and key compliance questions, 2022. Available at: URL:
  15. Dmitry Ermilov, Maxim Panov, and Yury Yanovich. Automatic bitcoin address clustering. In 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), pages 461-466. IEEE, 2017. Google Scholar
  16. Davide Frey, Mathieu Gestin, and Michel Raynal. The synchronization power (consensus number) of access-control objects: The case of allowlist and denylist. arXiv preprint arXiv:2302.06344, 2023. Google Scholar
  17. Rosario Gennaro, Craig Gentry, and Bryan Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In Advances in Cryptology-CRYPTO 2010: 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings 30, pages 465-482. Springer, 2010. Google Scholar
  18. Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, and Markus Schofnegger. Poseidon: A new hash function for zero-knowledge proof systems. In USENIX Security Symposium, volume 2021, 2021. Google Scholar
  19. Jens Groth. On the size of pairing-based non-interactive arguments. In Advances in Cryptology-EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35, pages 305-326. Springer, 2016. Google Scholar
  20. Joe Hurd. Verification of the miller-rabin probabilistic primality test. The Journal of Logic and Algebraic Programming, 56(1-2):3-21, 2003. Google Scholar
  21. Aggelos Kiayias, Markulf Kohlweiss, and Amirreza Sarencheh. Peredi: Privacy-enhanced, regulated and distributed central bank digital currencies. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 1739-1752, 2022. Google Scholar
  22. Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In 2016 IEEE Symposium on Security and Privacy (SP), pages 839-858. IEEE, 2016. Google Scholar
  23. Duc V Le and Arthur Gervais. Amr: Autonomous coin mixer with privacy preserving reward distribution. ACM Conference on Advances in Financial Technologies (AFT’21), 2021. Google Scholar
  24. Greg Maxwell. Coinjoin: Bitcoin privacy for the real world. In Post on Bitcoin forum, 2013. Google Scholar
  25. Sarah Meiklejohn and Rebekah Mercer. Möbius: Trustless tumbling for transaction privacy. Proceedings on Privacy Enhancing Technologies, 2018(2):105-121, 2018. Google Scholar
  26. Silvio Micali, Michael O. Rabin, and Joe Kilian. Zero-knowledge sets. In 44th Symposium on Foundations of Computer Science (FOCS 2003), 11-14 October 2003, Cambridge, MA, USA, Proceedings, pages 80-91. IEEE Computer Society, 2003. URL:
  27. Ian Miers, Christina Garman, Matthew Green, and Aviel D Rubin. Zerocoin: Anonymous distributed e-cash from bitcoin. In 2013 IEEE Symposium on Security and Privacy (SP), pages 397-411. IEEE, 2013. Google Scholar
  28. Malte Möser, Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, et al. An empirical analysis of traceability in the monero blockchain. Proceedings on Privacy Enhancing Technologies, 2018(3):143-163, 2018. Google Scholar
  29. Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008. Available at: URL:
  30. Leonid Reyzin and Sophia Yakoubov. Efficient asynchronous accumulators for distributed pki. In Security and Cryptography for Networks: 10th International Conference, SCN 2016, Amalfi, Italy, August 31-September 2, 2016, Proceedings 10, pages 292-309. Springer, 2016. Google Scholar
  31. Phillip Rogaway and Thomas Shrimpton. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In International workshop on fast software encryption, pages 371-388. Springer, 2004. Google Scholar
  32. Eli Ben Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy (SP), pages 459-474. IEEE, 2014. Google Scholar
  33. Peter Todd. Merkle mountain ranges, 2018. Available at: URL:
  34. Alin Tomescu, Adithya Bhat, Benny Applebaum, Ittai Abraham, Guy Gueta, Benny Pinkas, and Avishay Yanai. Utt: Decentralized ecash with accountable privacy. Cryptology ePrint Archive, Paper 2022/452, 2022. URL:
  35. TornadoCash. governance proposal, 2020. Available at: URL:
  36. U.S. DEPARTMENT OF THE TREASURY. U.s. treasury sanctions notorious virtual currency mixer tornado cash, 2022. Available at: URL:
  37. Friedhelm Victor. Address clustering heuristics for ethereum. In Financial Cryptography and Data Security: 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10-14, 2020 Revised Selected Papers 24, pages 617-633. Springer, 2020. Google Scholar
  38. Zhipeng Wang, Stefanos Chaliasos, Kaihua Qin, Liyi Zhou, Lifeng Gao, Pascal Berrang, Benjamin Livshits, and Arthur Gervais. On how zero-knowledge proof blockchain mixers improve, and worsen user privacy. In Proceedings of the ACM Web Conference 2023, pages 2022-2032, 2023. Google Scholar
  39. Zhipeng Wang, Marko Cirkovic, Duc V. Le, William Knottenbelt, and Christian Cachin. Pay less for your privacy: Towards cost-effective on-chain mixers. Cryptology ePrint Archive, Paper 2023/1222, 2023. URL:
  40. Zhipeng Wang, Xihan Xiong, and William J. Knottenbelt. Blockchain transaction censorship: (in)secure and (in)efficient? Cryptology ePrint Archive, Paper 2023/786, 2023. URL:
  41. Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper, 2014. URL:
  42. Lei Wu, Yufeng Hu, Yajin Zhou, Haoyu Wang, Xiapu Luo, Zhi Wang, Fan Zhang, and Kui Ren. Towards understanding and demystifying bitcoin mixing services. In Proceedings of the Web Conference 2021, pages 33-44, 2021. Google Scholar
  43. Karl Wüst, Kari Kostiainen, Noah Delius, and Srdjan Capkun. Platypus: a central bank digital currency with unlinkable transactions and privacy-preserving regulation. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 2947-2960, 2022. Google Scholar
  44. Haaroon Yousaf, George Kappos, and Sarah Meiklejohn. Tracing transactions across cryptocurrency ledgers. In 28th USENIX Security Symposium (USENIX Security 19), pages 837-850, 2019. Google Scholar
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail