Privacy Pools vs Tornado Cash — The New Compliance-Friendly Architecture

The architectural shift began with a 2023 paper, "Blockchain Privacy and Regulatory Compliance: Towards a Practical Equilibrium," authored by Vitalik Buterin, Jacob Illum, Matthias Nadler, Fabian Schär, and Ameen Soleimani. The paper is the operational blueprint for the protocols that followed.

The core observation: regulators and compliance officers do not, in most cases, need to know everything about every transaction. They need to know that the funds in front of them are not from a small set of explicitly prohibited sources — sanctioned addresses, theft proceeds, terrorism financing. They are willing to accept proof-of-negative as sufficient compliance evidence.

Zero-knowledge cryptography can produce proof-of-negative. A user can prove, mathematically, that their funds belong to an "association set" that excludes the flagged addresses, without revealing which specific funds in the set are theirs. The compliance officer accepts the proof. The user retains privacy. The flagged addresses cannot use the protocol because they cannot produce the proof.

The paper formalized this as "association sets" — defined subsets of all wallets that a privacy protocol can serve. Association Set Providers (ASPs) curate the sets according to their policy. Different ASPs serve different policies: a conservative ASP excludes all addresses with any flagged history; a moderate ASP excludes only directly sanctioned addresses; an aggressive ASP serves anyone.

A user choosing which ASP to use is choosing the compliance posture they are willing to attest to. A compliance officer receiving the funds checks the ASP attestation and decides whether it meets the officer's risk tolerance.

Privacy Pools, launched on Ethereum mainnet on March 31, 2025 by 0xbow, is the direct implementation of the 2023 paper. Vitalik Buterin was among the first depositors.

The Privacy Pools architecture has three components:

1. **The pool contract.** A smart contract that accepts deposits and lets users withdraw to fresh addresses after proving membership in a specified Association Set. 2. **The Association Set Providers (ASPs).** Independent third parties that maintain lists of "good" wallets. Users specify which ASP they will prove inclusion in. The pool accepts the proof if the ASP's list is published in a verifiable form. 3. **The user's wallet client.** Generates the zero-knowledge proof at withdrawal time, proving the deposit was made from an address in the specified ASP's set, without revealing which deposit.

The user experience is similar to Tornado Cash from the outside — deposit, wait, withdraw to a fresh address — but the withdrawing wallet now arrives with an attached attestation: "this withdrawal proved membership in ASP-X's set, which excludes addresses Y, Z, ..." A compliance officer who trusts ASP-X can accept the withdrawal without further investigation. A compliance officer who does not trust ASP-X can require additional documentation.

By March 2026, Privacy Pools expanded into a multi-asset model. Sky's USDS stablecoin was the first non-ETH asset added. The system became, in practice, a settlement layer for compliance-friendly privacy across stablecoins.

Railgun took a different architectural path to the same destination. Railgun is a privacy system at the smart-contract layer, not the protocol layer — it provides shielded balances on Ethereum, Polygon, BNB Chain, and Arbitrum.

The compliance attestation mechanism Railgun uses is called **Private Proofs of Innocence**, integrated via Chainway. When a user shields funds in Railgun, they can generate a proof, retained off-chain, that the funds came from an address with no flagged on-chain history at the time of shielding. The proof is verifiable by any third party who receives the funds later; the user can present it on demand.

Railgun's cumulative volume crossed $4.5 billion in early 2026, up roughly 100 percent year-over-year. Daily average shielding transactions hit a record 326. The growth was led by self-custody users who wanted privacy for legitimate financial reasons — protection from on-chain stalking, asset-protection planning, professional discretion — and who were willing to retain a proof to demonstrate their funds were clean.

Aztec took yet another path: a full privacy-preserving Layer 2 with native private smart contracts.

The Ignition Chain mainnet launched November 20, 2025, triggered when the validator queue reached 500 sequencers. Subsequent private-smart-contract phases on the Ethereum L2 are in iterative rollout through 2026 per Aztec Labs' published roadmap. Aztec's privacy model is composable: protocols built on Aztec can offer shielded balances and shielded execution as default, with attestation hooks for downstream compliance.

The Aztec team has been explicit that the early mainnet phase carries technical risk. Their public communication includes the line "deposit only what you can afford to lose" — an unusually direct disclosure that the protocol is still in iteration. Audits are ongoing.

The point of Aztec for this piece is not that it is the dominant privacy protocol in 2026 — it is not. The point is that its existence pushes the privacy stack one layer deeper. Privacy Pools and Railgun handle privacy at the asset layer. Aztec handles it at the execution layer. The two stacks compose: a user could shield in Privacy Pools, transact privately on Aztec, and exit with a clean attestation.

Sanctuary's screening model — and the equivalent models at Chainalysis, TRM Labs, and Elliptic — were built when Tornado Cash was the dominant primitive. The model assumes that mixer interactions are inherently high-risk because the protocol design makes attestation impossible.

That assumption is now contestable. A withdrawal from Privacy Pools with an attached ASP-X attestation is not categorically equivalent to a Tornado Cash withdrawal. The Privacy Pools withdrawal carries a verifiable claim that the funds are not from a flagged set. The Tornado withdrawal carries no such claim.

Compliance vendors are working through how to score this. The current Sanctuary approach is to distinguish three categories:

1. **Unattestable privacy** (Tornado-class, eXch-class, THORChain anonymous routing). Score elevated to High or Critical depending on hop history. Pre-2026 default behavior. 2. **Attestable privacy with weak ASP** (Privacy Pools with low-credibility ASPs, Railgun without Private Proof of Innocence). Score elevated to Medium. The user opted into a privacy primitive but the attestation strength is low. 3. **Attestable privacy with strong ASP** (Privacy Pools with a credible ASP like 0xbow's own set, Railgun with a current Private Proof of Innocence). Score not categorically elevated. Treated equivalently to a non-mixer transaction with similar hop history.

The category model accommodates compliance-friendly privacy. The unattestable category still exists and still scores high. The shift is that the new architecture now produces transactions that should not score high, and the screening engine has to recognize the difference.

The harder question is which ASPs to treat as credible. Privacy Pools' default ASP (0xbow's own) is the largest and most-used. A future ecosystem of competing ASPs — some operated by compliance vendors themselves, some by trade bodies, some by regulators — is foreseeable. The credibility map will evolve.

If you are an individual or institution that wants privacy and is not engaged in criminal activity, the new architecture is a real upgrade.

You can shield funds in Privacy Pools or Railgun and retain a verifiable attestation that the funds came from a non-flagged source. If a counterparty asks "where did these funds come from?" you can present the attestation without revealing your identity or transaction history. The attestation is portable and re-verifiable.

You can transact privately on Aztec for any subset of your activity. The exit back to public Ethereum carries an attestation hook if you want one.

You can choose ASPs and proof-systems that match your risk tolerance. Conservative ASPs give you stronger attestations but exclude more counterparties; aggressive ASPs include more counterparties but produce weaker attestations.

The catch — and there is one — is that the attestation is the new compliance artifact. In a regime where every privacy withdrawal carries a proof, a privacy withdrawal without a proof becomes notable by its absence. The user who refuses to use the new architecture, and instead routes funds through unattested primitives, increasingly looks like the user who has something to hide.

The new architecture is, by intent, a compromise design. It is not an argument for unrestricted privacy; it is an argument that privacy and compliance can coexist if the protocol architecture is built to support both.

Coin Center has been pushing this framing in its 2026 policy priorities. The European AMLR's July 2027 effective date, with its mixer-related prohibitions, is the largest near-term regulatory hurdle for the new architecture. EU member-state regulators will need to decide whether Privacy Pools, Railgun, and Aztec count as "anonymity-enhancing services" under AMLR Article 79 — which would ban CASPs from interacting with them — or whether the attestation architecture makes them categorically different.

The argument for distinction is structural. Article 79 was written with Tornado Cash in mind. Privacy Pools is not Tornado Cash. The architecture produces attestation, not just privacy. If the AMLR rule is applied to the architectural class rather than the specific protocols, the rule will catch Privacy Pools. If the rule is applied to the attestation-vs-no-attestation distinction, it will catch only the older primitives.

The regulator's choice will define the privacy stack of the 2027–2030 period. Coin Center, EFF, and the Privacy Pools team are all working to push the distinction line in their direction. The outcome is not yet settled.

Privacy is not the same as anonymity in 2026. Privacy with an attestation is a different compliance category than privacy without one.

For users: choose attestable privacy protocols if you want both privacy and clean counterparty relationships. For compliance vendors: build the attestation distinction into the screening model. For regulators: define the distinction in rule rather than in case-by-case enforcement, so the industry can build to a clear target.

The architecture has changed. The screening should change with it.