Comment on page
Details on RAILGUN zk-SNARKS
RAILGUN heavily leverages Zero-Knowledge Proofs (ZKPs). ZKPs allow for advanced logic and contract interactions without any information leakage and are a revolutionary tool for privacy preservation.
Zero-Knowledge proofs are methods whereby one party, the prover, can mathematically satisfy another party, the verifier, the veracity, or truth of information without revealing the originating details of the information. This is achieved by the prover passing components of mathematical problems that relate to the truth of the information being proved onto the verifier multiple times. These interactions occur until the verifier is satisfied that it is statistically impossible for the information to not be true or is being faked by the prover, all without revealing the contents of the verified information.
zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge”. Put simply, a zk-SNARK is a form of ZKP that does not require direct interaction between the prover and verifier. Rather, they achieve their non-interactivity through the prover simulating the interactions between prover and verifier, and the verifier simply needs to check that the simulation was performed correctly. These proofs rely on computational assumptions that cannot be cracked or will take millions of years to crack with currently available computational power.
For zk-SNARKs to be “succinct”, the proof size and verification cost must be small, logarithmic, or lower. Elliptic curves allow for smaller key generation and therefore more succinct ZK proof outputs. Elliptic Curve Cryptography use points on an elliptic curve graph to generate public and private keys from mathematical equations between the points on the curve. They form the basis of the RAILGUN privacy system as zk-SNARKs allow a smart contract to act as a verifier. The verifiers in RAILGUN’s privacy system are the smart contracts themselves. This breakthrough was powered by EIP 197 and EIP 198 which together enables RAILGUN to generate zk-SNARK circuits on-chain. These zk-SNARK circuits are created on the client side and can then be submitted for confirmation on-chain.
zk-SNARKs can prove the veracity of any form of information, such as valid unspent token balances or, in other terms, who has the right to spend what asset on a blockchain without revealing details about the person originating the transaction.
Within RAILGUN, zk-SNARKs take the form of arithmetic circuits. Arithmetic circuits are like Boolean circuits or even hardware circuits in computers/electronics. Like all other circuits, they contain wires and gates. Wires transmit information and gates are conditions that must be met for information to move through all the way until it reaches an output. In an arithmetic circuit like the ones used in RAILGUN, the gates are mathematical operations like addition or multiplication. In the context of RAILGUN’s zk-SNARKs, circuits are how verifiers can reach mathematical certainty that provers are providing true information.
For RAILGUN’s privacy system, zk-SNARK circuits prove the validity of a transaction senders address and balances by checking they have a corresponding note on the Merkle Tree.
Example arithmetic circuit to prove the output using the mathematic gates and inputs a, b, and c
The advanced cryptography contained in RAILGUN’s privacy system uses multiple circuits to enable complex transaction types. Each circuit is differentiated by the number of inputs and outputs and together they form the cryptographic basis for RAILGUN.
Multiple circuits are needed to account for different transaction types as circuits require the number of signals (that is inputs and outputs) to be instantiated at the setup phase. For example, a transaction that sends DAI to 2 different 0zk addresses might require a circuit with 1 input to 2 outputs. Extending this idea, a transaction that sends DAI comprised of 7 UTXO balances to 2 0zk address would require a 7 to 2 circuit. Inputs in these scenarios are equivalent to UTXOs and outputs would be recipients.
Currently, there are 54 circuits, each with different numbers inputs (UTXOs) and outputs (UTXO destinations). Circuits can be chained together to handle all possible combinations of UTXOs and outputs and the system will automatically route a transaction through the most gas & cost efficient combination.
RAILGUN also supports multiple inputs to singular outputs, such as 5 to 1. These circuits are used for multi-sends, where users send more than 1 token type in the same transaction to a singular recipient. They are also useful for swaps where the price of the token has changed, leaving some leftover change in the original swap token or for paying a Relayer fee in a token other than the one being sent, e.g., if WETH is sent as a Relayer fee to send DAI.
RAILGUN’s circuit design is flexible in terms of supporting not just ERC-20 tokens and RAILGUN can Shield ERC-721 and ERC-1155 NFTs. For example, with RAILGUN’s circuits and smart contracts, users could potentially provide liquidity on Uniswap v3 privately and shield their LP NFT privately as well. This kind of composability is only possible with the flexibility of RAILGUN’s privacy system and is a result of it being designed from the ground up for real world DeFi use cases.