Summary
Privacy tech makes “public blockchains” usable for sensitive activity by hiding who did what, with whom, and how much—without trusting another centralized intermediary to keep secrets.
So What
(1) Defense for traders: public order flow leaks intent (MEV extraction on ETH = hundreds of millions to billions; “private order flow” exists largely to reduce this).[1][2] (2) Commercial ops: payroll, treasury ops, supplier payments, and customer billing don’t work if a counterparty can infer margins, runway, and compensation from a block explorer.[3] (3) Personal safety + coercion resistance: public balances create targeting risk (phishing, extortion, physical threats) and make donations/affiliations doxxable.[4] (4) New mechanism design: sealed-bid auctions, private governance, hidden collateral/positions (fewer targeted liquidations). “Private” DeFi strategies become feasible.[5]
History
(1) “Bitcoin privacy” = pseudonymity: addresses aren’t names, but flows are linkable forever - “Bitcoin’s original sin” 😀 (2) Gen 1 privacy coins (2014–2016): Zcash & Monero made privacy a base-layer property; they persist because they optimize sovereignty (strong guarantees, fewer ways for users to screw up) over composability.[6][7] Context: Silk Road was a major use case. (3) Gen 2 mixers (2019–2025): Tornado Cash showed privacy can be added onto ETH. (4) Gen 3 private DeFi access (2021–): RAILGUN kept users inside major ecosystems while shielding flows and enabling DeFi calls from a private balance.[9] (5) Gen 4 programmable private execution (2020s): Aztec aims for “privacy as a computation layer” = private app logic + state + intent, not just a transaction.[10][11] [Question]: In TradFi we seek freedom because the base is closed/centralized. In crypto the base is open, so we seek protection, but not protection that depends on one gatekeeper. Is privacy that protection? It makes individuals harder to control without handing control to a single “protector.”
Key Innovation
(1) Untraceable payments: Ring signatures + one-time addresses hide sender/receiver (Monero foundation) — CryptoNote v2.0 — Nicolas van Saberhagen (2013).
(2) Hidden amounts: Pedersen commitments hide values while validating “inputs = outputs” — Ring Confidential Transactions — Shen Noether, Adam Mackenzie (2016).
(3) Efficient range proofs: Bulletproofs shrank range proofs (~10KB → <1KB) with no trusted setup — Bulletproofs — Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, Gregory Maxwell (2017).
(4) ZK-based privacy: Unlinkable e-cash → shielded notes + nullifiers (Zcash blueprint) — Zerocoin — Ian Miers, Christina Garman, Matthew Green, Aviel Rubin (2013); Zerocash — Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, Madars Virza (2014).
(5) Practical verifiable computation: QAP-based SNARKs made arbitrary computation verification feasible — Pinocchio — Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova (2013).
(6) Tiny proofs, cheap verification: Groth16 became the workhorse (small proofs, fast verify; per-circuit trusted setup) — On the Size of Pairing-Based Non-interactive Arguments (“Groth16”) — Jens Groth (2016).
(7) On-chain SNARK verification: Ethereum BN254 precompiles made pairing-based SNARK verification gas-feasible — EIP-196 + EIP-197 — Vitalik Buterin et al. (2017).
(8) Mixer contract pattern: Fixed-denomination pools + Merkle commitments + zk withdrawal with nullifiers (Ethereum mixer blueprint) — Tornado Cash Privacy Solution — Alexey Pertsev, Roman Semenov, Roman Storm (2019).
(9) Universal SNARKs + lookup acceleration: Reusable setup + KZG commitments + lookup tables made real-world circuits practical — PLONK — Ariel Gabizon, Zac Williamson, Oana Ciobotaru (2019); KZG — Aniket Kate, Gregory Zaverucha, Ian Goldberg (2010); plookup — Ariel Gabizon, Zac Williamson (2020).
(10) Trustless recursion: Recursive proof composition without trusted setup — Halo — Sean Bowe, Jack Grigg, Daira Hopwood (2019).
(11) Developer Experience: ZK languages/tooling made “write constraints” accessible to app engineers — Noir (Aztec ecosystem tooling; docs/specs).
Deep Dive
Deep Dive - details are in Dustin Lau’s slides, Privacy Preservation on Ethereum.pptx.[0]
| Project | Analogy, tech, history, core contributors, use cases |
|---|---|
| Zcash (ZEC) | 🚇 LIKE a Tunnel Network with an Optional Skybridge: you can use the hidden tunnel (shielded) or the visible bridge (transparent); privacy is strongest when the tunnel has many users. Tech: (1) Shielded pool (note/UTXO-like): value becomes encrypted “notes”; spends reveal only a nullifier to prevent double-spend. (2) zk-SNARK proofs: prove “this spend is valid” without revealing sender/receiver/amount. (3) Sapling → Orchard/NU5: major upgrades improved proving efficiency and, with NU5/Orchard, deployed a proving system that removed the need for new per-circuit trusted setups and simplified addresses for UX.[7][16][17] History: (1) Mainnet 2016. (2) Sapling activated Oct 28, 2018 (major performance/UX jump). (3) NU5 activated May 31, 2022 (Orchard shielded pool; major cryptographic/UX milestone). (4) Zcash Foundation formed in 2017 to support ecosystem development alongside ECC.[16][17][18] Core Contributors: (1) Zooko Wilcox-O’Hearn (creator; ECC): long-time cypherpunk builder; led ECC; stepped down as CEO in Dec 2023.[19][20] (2) Sean Bowe (ECC cryptography): central contributor to Sapling-era engineering and later cryptographic direction; widely associated with bringing recursive proof ideas into practical deployments and driving performance/UX feasibility.[21][22] (3) Zcash Foundation + grants: institutional counterweight and funding pathways that keep the protocol from being “one-company run.”[18] Use cases + adoption: (1) Selective disclosure/auditability: compatible with “prove privately, reveal optionally” workflows (e.g., view keys) that some institutions prefer. (2) Trade-off: opt-in privacy can reduce the anonymity set if most users stay transparent; Zcash’s value proposition is strongest when shielded usage is the default in wallets and exchanges.[7][16] |
| Monero (XMR) | LIKE a Tunnel Network: you’re seen entering and exiting, but the route and companions inside the tunnel are hidden; the tunnel works because everyone uses it (no transparent mode). Tech: (1) Stealth addresses (Single-Use PO Boxes 📬): receiver publishes a public address; sender derives a one-time destination so observers can’t link “many payments to one person.” (2) Ring signatures: each spend is signed among decoys; verifiers know one input is real but not which. (3) Confidential amounts (RingCT + Bulletproofs): amounts are committed and range-proven so validators can check conservation without learning values.[6] History: (1) Launched April 2014 (BitMonero → Monero). (2) RingCT enabled (hiding amounts) in 2017. (3) Bulletproofs upgrade reduced proof/tx overhead in 2018. (4) RandomX PoW upgrade in 2019 to reduce ASIC advantage. (5) Tail emission started end-May 2022 (fixed block reward) to keep incentives after main emission.[6][12][13] Core Contributors: (1) CryptoNote / “Nicolas van Saberhagen” (pseudonym): authored the CryptoNote lineage that influenced Monero’s privacy design; identity remains unknown.[6] (2) Riccardo “fluffypony” Spagni: long-time public-facing maintainer; stepped down from the lead maintainer role in late 2019 (Monero remains community-run, not company-led).[14][15] (3) Core-team/community model: Monero development is intentionally decentralized; governance is informal and funding often community-driven. Use cases + traction (what it’s “best at”): (1) Default private payments + fungibility: “all private” reduces user error and makes the asset harder to taint-by-history. (2) Sovereignty trade-off: minimal composability (no DeFi-by-design), plus ongoing exchange/regulatory friction risk.[6] |
| Tornado Cash (Ethereum mixers) | 🏦 LIKE a Shared Vault: deposit into a common vault; later withdraw the same denomination to a new identity; the vault breaks the deposit↔withdrawal link if the crowd is big. Tech: (1) Commitment + Merkle tree: a deposit stores a commitment on-chain. (2) zk-SNARK withdrawal: prove you own some commitment in the tree and haven’t withdrawn it before (nullifier), without revealing which one. (3) Relayers: pay gas to avoid linking the withdrawal to a funded EOA.[23] History: (1) Sanctioned by OFAC Aug 2022; major legal shock for “code as infrastructure.”[24] (2) Fifth Circuit ruled OFAC exceeded its authority as applied to immutable smart contracts (Nov 2024).[25] (3) U.S. Treasury/OFAC delisted Tornado Cash on Mar 21, 2025.[8] Core Contributors: (1) Roman Storm / Roman Semenov / Alexey Pertsev (publicly reported as co-founders/developers): became focal points for “developer liability” and intermediary questions.[26] (2) Key lesson (for Privacy 101): even “immutable contracts” can have social/legal chokepoints (frontends, devs, relayers, governance), and privacy tooling sits on a spectrum from infrastructure to service.[25][26] Use cases + adoption: (1) One job done extremely well: unlink deposits/withdrawals for supported assets/denominations. (2) Trade-off: does not make DeFi activity private end-to-end; users typically re-expose themselves when they leave the vault and interact elsewhere. |
| RAILGUN | 🏙️ LIKE an Underground City: you enter a private zone and can trade/lend inside it; the outside mostly sees entry/exit and the city interacting with DeFi, not you. Tech: (1) Shielded balances as encrypted notes: deposits become private notes tracked via commitments/nullifiers. (2) Private DeFi calls (“adapter” pattern): the system can execute interactions with DeFi protocols while keeping the user’s balance/history shielded, so you don’t have to “go public” just to swap or farm.[9] (3) Proofs-of-innocence direction: optional ZK proofs can show funds are not from a specified bad set without revealing the whole history (a compliance-oriented primitive).[27][28] History: (1) Launched 2021; expanded across multiple EVM chains over time.[9] (2) “Privacy + compliance” narratives hardened after the 2022 sanctions era; RAILGUN explicitly invested in tooling like proofs-of-innocence to reduce blanket deplatforming risk. Core Contributors: (1) Core team is not consistently public/fully doxxed → treat founder identity claims as uncertain; what matters is the audit trail + open implementation surface.[Unclear from source] (2) Security/audits: published audits exist for RAILGUN components; use these as the primary trust anchor rather than personality-based trust.[29] (3) Ecosystem contributors: relayer operators + integrators (wallets/frontends) are critical because metadata privacy is often an integration problem, not just a proof problem. Use cases + traction: (1) Trader value: hide accumulation/distribution patterns; reduce copy-trading/strategy leakage; route complex multi-step DeFi privately. (2) Trade-off: L1 gas + proving overhead can make privacy “expensive at peak,” and metadata leaks remain possible if users bridge in/out poorly. |
| Aztec (programmable private execution) | 👤 LIKE an Anonymous Carrier Network: you post an intent; indistinguishable couriers/solvers/provers fulfill it, so observers can’t easily link the economic activity back to you. Tech: (1) Private smart contracts: the aim is not just “private transfers,” but “private app logic” (hidden state, hidden inputs, selective reveals). (2) ZK proving stack: Aztec helped pioneer PLONK-style systems; Noir is built to make writing ZK apps tractable for non-cryptographers.[10][11] (3) Rollup model: batch many private transactions into proofs posted to Ethereum (privacy + scalability are coupled through proof aggregation).[10] History: (1) Aztec’s PLONK-era work (2019) influenced the broader ZK ecosystem.[11] (2) Aztec Connect (the privacy-to-DeFi bridge era) was sunset as the project refocused on a more general private execution platform.[30] Core Contributors: (1) Zac Williamson (co-founder): key PLONK-era author/contributor and protocol architect; background includes engineering in traditional finance contexts.[11][31] (2) Ariel Gabizon: co-author of PLONK and long-time ZK researcher/engineer; moved across ZK projects as the field shifted from “private payments” to “private computation.”[11][31] (3) Noir contributors: the “DX layer” (language/tooling) is strategically as important as cryptography—Aztec’s bet is that developer tooling determines whether privacy becomes mainstream.[10] Use cases + adoption: (1) Private markets: sealed-bid auctions, dark-pool-like settlement, private lending/positions, private governance. (2) Trade-off: any rollup-style system inherits sequencing/prover market structure risks; privacy doesn’t remove centralization questions—it changes where they live. |
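The commitment + Merkle tree + nullifier pattern shared by the Zcash shielded pool and the Tornado Cash rows above, as an added example written for these notes (not code from either project). It is a Python model in which the zk-SNARK is replaced by a plain check of the relation the withdrawal circuit proves (commitment = H(nullifier || secret), nullifierHash = H(nullifier), commitment sits under a known root), so the witness is visible and nothing is hidden; what it demonstrates is why the nullifier hash stops a second withdrawal, why the contract keeps a history of roots, and why the recipient is bound as a public input. Tree depth, the use of SHA-256 instead of a SNARK-friendly hash, and the note layout are assumptions made for illustration.

```python
"""Toy model of the fixed-denomination mixer pattern: commitment + Merkle tree +
nullifier.  Constructed for these notes; not Tornado Cash or Zcash code.  The
zk-SNARK is replaced by a plain check of the relation the withdrawal circuit
proves, so the witness is visible: this shows the membership and double-spend
mechanics, not the hiding property a real proof adds."""
import hashlib
import secrets

TREE_DEPTH = 4            # 16 leaves here; production pools use ~20 levels
ZERO_LEAF = bytes(32)     # filler for unused slots

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def make_note():
    """Depositor's secret note; the commitment H(nullifier || secret) is what goes on-chain."""
    nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
    return nullifier, secret, h(nullifier, secret)

class MerkleTree:
    def __init__(self, depth):
        self.depth, self.leaves = depth, []

    def insert(self, leaf):
        if len(self.leaves) >= 2 ** self.depth:
            raise ValueError("tree full")
        self.leaves.append(leaf)
        return len(self.leaves) - 1

    def _levels(self):
        level = self.leaves + [ZERO_LEAF] * (2 ** self.depth - len(self.leaves))
        levels = [level]
        while len(level) > 1:
            level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self):
        return self._levels()[-1][0]

    def path(self, index):
        """Sibling hashes from leaf to root: the private Merkle witness."""
        return [lvl[(index >> d) ^ 1] for d, lvl in enumerate(self._levels()[:-1])]

def root_from_path(leaf, index, siblings):
    node = leaf
    for d, sib in enumerate(siblings):
        node = h(node, sib) if (index >> d) & 1 == 0 else h(sib, node)
    return node

def withdraw_relation(public, witness):
    """The statement a real circuit proves in zero knowledge.
    public  = (root, nullifier_hash, recipient); witness = (nullifier, secret, index, siblings).
    recipient is not constrained, but binding it as a public input ties the proof to one payee."""
    root, nullifier_hash, _recipient = public
    nullifier, secret, index, siblings = witness
    return (h(nullifier) == nullifier_hash
            and root_from_path(h(nullifier, secret), index, siblings) == root)

class MixerPool:
    """Contract-side state: one denomination, a history of roots, spent nullifier hashes."""
    def __init__(self, denomination):
        self.denomination = denomination
        self.tree = MerkleTree(TREE_DEPTH)
        self.known_roots = [self.tree.root()]
        self.spent, self.payouts, self.balance = set(), [], 0

    def deposit(self, commitment, amount):
        if amount != self.denomination:
            raise ValueError("pool accepts exactly one denomination")
        index = self.tree.insert(commitment)
        self.known_roots.append(self.tree.root())   # proofs built against older roots stay valid
        self.balance += amount
        return index

    def withdraw(self, public, witness):
        root, nullifier_hash, recipient = public
        if root not in self.known_roots:            # proof must refer to a root this pool produced
            return False
        if nullifier_hash in self.spent:            # double-spend check
            return False
        if not withdraw_relation(public, witness):  # stand-in for SNARK verification
            return False
        self.spent.add(nullifier_hash)
        self.balance -= self.denomination
        self.payouts.append((recipient, self.denomination))
        return True

def demo():
    pool = MixerPool(denomination=1)
    alice, bob = make_note(), make_note()
    a_idx = pool.deposit(alice[2], 1)
    b_idx = pool.deposit(bob[2], 1)
    root = pool.tree.root()
    public = (root, h(alice[0]), b"fresh-address-1")
    witness = (alice[0], alice[1], a_idx, pool.tree.path(a_idx))
    first = pool.withdraw(public, witness)
    replay = pool.withdraw(public, witness)              # same nullifier hash: rejected
    forged = pool.withdraw((root, h(bob[0]), b"thief"),   # Bob's nullifier, wrong secret
                           (bob[0], alice[1], b_idx, pool.tree.path(b_idx)))
    return first, replay, forged, pool.balance
```

In the real contract the `withdraw_relation` check is done by a SNARK verifier over public inputs only, so the chain sees the root, the nullifier hash and the recipient but never the leaf index or the note; that is the whole point of the nullifier: it is a deterministic function of the secret note, so a second withdrawal of the same note necessarily repeats it, while revealing nothing about which commitment it belongs to.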
List of Projects (non-exhaustive): (1) Aleo — ZK app platform for private-by-default programs (Leo tooling) (2) Anoma — intent-centric architecture for privacy-preserving, solver-mediated execution (3) Aztec — programmable private execution layer (ZK rollup + Noir) (4) Beam — MimbleWimble chain + confidential assets (5) Circom — ZK circuit language/tooling used widely for SNARK apps (6) Elusiv — Solana privacy system (shielded/private transfers approach) (7) Firo — privacy coin using modern anonymity-set protocols (Lelantus family) (8) Grin — MimbleWimble payments chain (confidential transactions) (9) HOPR — mixnet-style private routing for metadata privacy (10) Iron Fish — L1 private payments using zk proofs (shielded transactions) (11) Light Protocol — Solana privacy primitives (shielded-style constructs / ZK programs) (12) MACI — ZK anti-collusion voting (private, manipulation-resistant governance) (13) Manta Network — zkAddress / privacy primitives + ecosystem (Polkadot/EVM context) (14) Miden — programmable privacy network
(15) Monero — privacy-by-default cash (ring sigs + stealth addrs + RingCT) (16) Namada — MASP multi-asset shielded pool for IBC/Cosmos assets (17) Noir — ZK-friendly language/tooling (Aztec ecosystem) for private logic (18) Nym — mixnet network privacy layer (metadata protection) (19) Oasis OPL — privacy layer for EVM apps (confidential compute services) (20) Oasis Sapphire — confidential EVM runtime using TEEs (private smart contracts) (21) Penumbra — multi-asset shielded pool + private DEX (Cosmos/IBC) (22) Privacy Pools (0xbow) — “compliant” mixer design using association sets/screening (23) RAILGUN — shielded balances + private DeFi interactions on EVM (ZK proofs + adapters) (24) Secret Network — TEE-based private smart contracts (Cosmos) (25) Semaphore — ZK anonymous signaling / group membership (identity privacy primitive) (26) snarkJS — JavaScript SNARK tooling used to build/verify proofs (27) Threshold — threshold cryptography/MPC infrastructure (privacy-adjacent) (28) Tornado Cash — Ethereum mixer (Merkle commitments + zk withdrawals + relayers) (29) World ID — proof-of-personhood with selective disclosure (privacy-adjacent identity) (30) Zcash — zk-SNARK shielded pool + view keys (selective disclosure) (31) zkBob — zk-based private stable transfers / payments app (32) zkEmail — prove claims about emails with ZK (private attestations) (33) zkTLS — prove claims about HTTPS/TLS sessions with ZK (private web attestations)
References
[0] Dustin Lau Privacy Slides: Privacy Preservation on Ethereum.pptx
[1] Ji & Grimmelmann, “Regulatory Implications of MEV Mitigations” (2025), citing measured MEV totals around the Merge. 
[2] ESMA, “Report on Trends, Risks and Vulnerabilities” (2025) discussing MEV and measured revenues. 
[3] Nasdaq commentary on off-exchange/dark trading share and market-structure context (2024). 
[4] General privacy risk framing for public ledgers (Zcash Learn; Monero intro pages). 
[5] Aztec documentation / explainers on private computation and developer tooling (Noir). 
[6] Monero official resources: tail emission, maintainer transition; plus community history context. 
[7] Zcash official materials on creators, upgrades, and protocol milestones. 
[8] U.S. Treasury / OFAC “Tornado Cash Delisting” (Mar 21, 2025). 
[9] RAILGUN documentation and ecosystem descriptions (protocol + privacy DeFi approach). 
[10] Aztec Network official materials on rollup privacy vision and architecture. 
[11] PLONK paper (Gabizon, Williamson, Ciobotaru), IACR ePrint 2019/953.
[12] Monero Bulletproofs / upgrade coverage (Monero community + historical reporting).
[13] RandomX upgrade reporting + Monero core/team note. 
[14] Monero maintainer step-down announcement (official). 
[15] Contemporary coverage of maintainer transition (2019). 
[16] ECC + Zcash upgrade pages for Sapling/NU5 facts. 
[17] Zcash protocol specification PDFs referencing Sapling activation details. 
[18] Zcash Foundation and “Who created Zcash” pages (ecosystem structure). 
[19] ECC CEO transition reporting (Dec 2023). 
[20] ECC transparency report noting leadership change (Mar 2024). 
[21] ECC blog on Sapling (Sean Bowe author). 
[22] ECC blog look-back on NU5/Halo framing. 
[23] Tornado Cash mechanics explainers (general technical coverage). 
[24] OFAC designation coverage (Aug 2022). 
[25] Reuters + legal analysis on Fifth Circuit decision (Nov 2024). 
[26] Reuters on delisting + developer prosecutions background. 
[27] RAILGUN “Proofs of Innocence” explanation (protocol docs / technical description).
[28] Coverage discussing RAILGUN + compliance framing and relayer/multisig realities.
[29] RAILGUN audit report (published). 
[30] Aztec Connect sunset announcement / context. 
[31] PLONK authorship + Aztec leadership context (paper + public profiles).
Session Notes
Why privacy is resurging: (i) Tech: ZK proof systems got faster + easier to use (better provers, recursion/aggregation, parallelism/HW acceleration) → cheaper/faster proofs → better UX (faster client proving, less on-chain data, fast verification). (ii) Social: norm shift → “privacy = default safety” (like HTTPS/TLS for the web). (iii) Market: MEV/front-running/strategy leakage = “privacy tax” → demand for shielded execution.
Core tension: (i) Blockchains: public verifiability (anyone can check the rules were followed). (ii) Goal: verifiable correctness without revealing sensitive data → publish “checkable crumbs” (commitments/nullifiers) + a proof; when that proof is zero-knowledge, it convinces without leaking the hidden details.
Practical privacy buckets: (i) Hide-in-crowd: “which person did this?” (blend into an anonymity set) (ii) Confidentiality + verifiability: hide amounts/participants/state, still enforce rules via a zero-knowledge proof (ZKP) (iii) Selective disclosure: reveal-to-some via view keys / auditing keys.
Use cases beyond “payments”: (i) Private aggregation: compute stats / compliance metrics without exposing raw user data (ii) Proof of innocence / membership: “I’m NOT on list X”, “I satisfy policy Y” without revealing the underlying personal details.
View keys / auditability: (i) Zcash: viewing keys let someone see activity (incoming, and in some setups outgoing) without being able to spend; outgoing-view features also help with wallet recovery/audits. (ii) Monero: sharing a view key typically lets others see incoming; outgoing visibility is limited / not consistently supported. (iii) Why it matters: full privacy breaks accounting, custody ops, and “show me what happened” workflows → selective disclosure is the escape hatch.
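The view-key point in (ii) above, the stealth-address mechanics from the Monero row of the Deep Dive, and the Pedersen “inputs = outputs” check from Key Innovation (2), in one added Python example written for these notes (not Monero’s code, which uses ed25519 and adds ring signatures and range proofs on top). It uses secp256k1 in pure Python as the group; the second generator H, its label, and every key and amount value are constructed for the demo. The balance check shows a verifier confirming conservation without seeing any amount; the stealth part shows that the view key a recognizes an incoming output while only the spend key b yields the one-time private key for it.

```python
"""Pedersen commitments + balance check, and stealth addresses + view keys,
on secp256k1 in pure Python.  Constructed for these notes; not Monero's code
(Monero uses ed25519 and adds ring signatures and range proofs)."""
import hashlib
import secrets

P = 2**256 - 2**32 - 977                                               # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (scalars live mod N)."""
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_to_scalar(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hash_to_point(label):
    """Try-and-increment: a point whose log_G nobody knows (nothing up my sleeve)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs, ctr = (x**3 + 7) % P, ctr + 1
        y = pow(rhs, (P + 1) // 4, P)          # P ≡ 3 mod 4: sqrt is one exponentiation
        if y * y % P == rhs: return (x, y)

H = hash_to_point(b"pedersen-generator-H")     # constructed second generator for amounts

# --- Pedersen commitments: C = v*H + r*G --------------------------------------
def commit(value, blind):
    return add(mul(value, H), mul(blind, G))

def sum_points(pts):
    acc = None
    for pt in pts: acc = add(acc, pt)
    return acc

def blinds_that_cancel(input_blinds, n_outputs):
    """Sender picks output blinds so sum(r_out) == sum(r_in) mod N (last one is forced)."""
    blinds = [secrets.randbelow(N) for _ in range(n_outputs - 1)]
    return blinds + [(sum(input_blinds) - sum(blinds)) % N]

def balance_holds(in_commits, out_commits, fee):
    """Verifier: sum(C_in) - sum(C_out) - fee*H == 0, i.e. sum(v_in) == sum(v_out) + fee,
    without learning any v.  A value wrapping mod N ("negative") would also pass here;
    that is the gap range proofs (Bulletproofs) close."""
    rhs = add(sum_points(out_commits), mul(fee, H))
    return add(sum_points(in_commits), neg(rhs)) is None

# --- Stealth addresses: receiver publishes A = a*G (view), B = b*G (spend) ----
def keygen():
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return a, b, mul(a, G), mul(b, G)

def send(A, B, r):
    """Sender: tx pubkey R = r*G and one-time destination P_out = H(r*A)*G + B."""
    return mul(r, G), add(mul(hash_to_scalar(encode(mul(r, A))), G), B)

def scan(a, B, R, P_out):
    """View-key holder recomputes H(a*R)*G + B: recognises the output, cannot spend it."""
    return add(mul(hash_to_scalar(encode(mul(a, R))), G), B) == P_out

def spend_key(a, b, R):
    """Only with the spend key b: x = H(a*R) + b satisfies x*G == P_out."""
    return (hash_to_scalar(encode(mul(a, R))) + b) % N

def demo():
    in_vals, in_blinds = [10, 5], [secrets.randbelow(N), secrets.randbelow(N)]
    out_vals, fee = [12, 2], 1                 # 10 + 5 == 12 + 2 + 1
    out_blinds = blinds_that_cancel(in_blinds, len(out_vals))
    ins = [commit(v, r) for v, r in zip(in_vals, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_vals, out_blinds)]
    inflated = [commit(12, out_blinds[0]), commit(3, out_blinds[1])]   # tries to mint 1
    a, b, A, B = keygen()
    a2, _, _, B2 = keygen()                    # unrelated wallet
    R, P_out = send(A, B, secrets.randbelow(N - 1) + 1)
    return (balance_holds(ins, outs, fee), not balance_holds(ins, inflated, fee),
            scan(a, B, R, P_out), not scan(a2, B2, R, P_out),
            mul(spend_key(a, b, R), G) == P_out)
```

`scan` is exactly what handing out a view key enables: an auditor holding a and the public B can list every output addressed to the wallet, but deriving the one-time private key in `spend_key` needs b, so the auditor cannot move funds. The same split is why full privacy still leaves an escape hatch for accounting and custody workflows.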
Misconception: (i) The difference between “proofs without privacy” and “proofs with privacy” is not that the witness is encrypted. (ii) Zero-knowledge is a property of a proof: a ZKP already hides the witness from verifiers; privacy comes from keeping sensitive tx/state details out of what’s publicly revealed (use commitments/nullifiers + recipient ciphertexts), then proving validity with a zero-knowledge proof.
Hard problem: (i) shared private state. (ii) DeFi apps often need shared state updates (AMM price, orderbook, lending utilization). (iii) If state is fully private, many users can’t easily “read → compute → write” the same shared variable at the same time → contention + weaker composability; this needs special designs (private/public splits, TEEs, MPC/FHE hybrids, etc.).