Since, as others have noted, Zcash nodes already receive transactions privately by dint of downloading everything, probably the highest impact use of Tor for Zcash would be to broadcast transations privately, because that isn’t private right now. So it sounds like Arti would be extremely helpful for fixing this by adding anonymous broadcast functionality into full nodes and light wallets.
I’m planning to recommend light wallets take the same approach—download everything to acheive transaction receipt privacy—so I want to play devil’s advocate and push back a little bit on Tor’s overall utility to light wallets.
As I explain in that post, fetching transactions over Tor doesn’t plug some of the important information leaks that are visible to network eavesdroppers, even ones who are only local to the wallets they are spying on. Wallets’ actions (downloading blocks, broadcasting transactions, fetching memos) are probably still visible through bandwidth side-channels, so eavesdroppers like an ISP or a country monitoring its inbound/outbound traffic can probably still figure out the graph of who’s paying who.
Even from a compromised lightwalletd perspective, Tor doesn’t plug the privacy leaks. Once transparent addresses are implemented, the wallet will be asking lightwalletd for its UTXOs by disclosing its transparent address. Even if all of the wallet’s actions happen over fresh Tor circuits, by matching up transaction fetches with UTXO fetches by timing, the adversary can still learn a lot about the transaction graph (modulo things we might do to minimize that leakage, like gating it behind a button click).
These are two reasons are why I don’t consider Tor to be as helpful for light wallet privacy specifically. Thinking longer term, and realizing that Zcash is an anonymous communication network, to scale Zcash we will need an ACN that’s as scalable as we want Zcash to be and has privacy properties as strong as we want Zcash’s to be (for example, do we care about global passive adversaries?). With that in mind, perhaps we should instead be funding mixnet R&D to replace Tor where we’re currently using it.
(Note that Arti is quoted as requiring two years to complete, and by that time I imagine Zcash will have implemented zk rollups and will be in the market looking for an ACN that’s secure against global passive adversaries. But in the shorter 3-6 month term quoted for a minimal safely usable version, I still see a strong need for Tor to broadcast transactions.)
Even with these caveats, it sounds like there’s enough existing use of Tor and user demand for Tor that Arti would be worth funding—and I love the concept—let’s just be careful that we don’t think of Tor as a magic bullet and end up bolting it onto things under mistaken beliefs about how well it will plug the privacy leaks, and let’s make sure it’s not taking away from mixnet R&D that we will need as Zcash scales.