RAILGUN wallets (and by extension 0zk addresses/keys) can be created by any wallet infrastructure linked to the RAILGUN SDK. The first such wallet is the Railway Wallet, developed by a partner project of RAILGUN.
Users have access to 2 kinds of keys in their RAILGUN wallets:
Spending Key – The key that allows users to cryptographically prove they own their assets and send transactions. Spending Keys are analogous to a regular cryptocurrency wallet private key, only with a private 0zk address.
Viewing Key – A key that allows only viewing of all transactions (including private ones) sent by a particular address. Users can define the beginning and ending block between which the Viewing Key can observe, so that its visibility is scoped. This is useful for auditability purposes; for example, a user can define the beginning and end of a tax year for their Viewing Key by block number.
Both the public Viewing Key and Spending Key are encoded in the 0zk address, which is why private addresses on RAILGUN are longer than standard 0x addresses. The key generation method is identical to how most other crypto keys are generated. Private keys are, of course, not revealed publicly at any stage in wallet generation, nor are they shared with any components of the RAILGUN system such as provers, verifiers, or Relayers.
Spending Keys are generated along the Baby Jubjub elliptic curve, which is a zk-SNARK-friendly elliptic curve, and follow the BIP-32 standard. Zk-SNARK proof verification on a blockchain requires the embedding of an elliptic curve inside a zk-SNARK circuit to enable succinctness and to fit within a block gas limit. Baby Jubjub enables efficient cryptographic functions to be built on-chain.
Viewing Keys are implemented on Edwards-curve Digital Signature Algorithm (EdDSA) curves, specifically Ed25519. Viewing Keys enable the holder to decrypt the encoded transaction information but not send transactions. They merely scan the RAILGUN smart contract events to reveal what has been sent to users and what transactions users have sent. A different key derivation scheme is used for viewing keys as Ed25519 is more efficient if no zk-SNARK circuits need to be used.
NOTE: Once a Viewing Key is generated, it is irrevocable, meaning that whoever holds the key can see private transactions forever. An upcoming update will allow Viewing Keys to be scoped by block number, i.e. only display transactions from Block Number X to Block Number Y.
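The split between a Spending Key and a disclosable Viewing Key can be illustrated with hardened BIP-32-style derivation of two independent branches from one seed. This is an added example, not RAILGUN SDK code: the labels, paths and seed are constructed placeholders, and a single HMAC-SHA512 scheme stands in for both branches even though RAILGUN uses a different derivation scheme for Viewing Keys.

```python
import hashlib
import hmac

HARDENED = 0x80000000  # BIP-32: indexes >= 2**31 are hardened

# Constructed placeholders, not RAILGUN's real labels or paths.
SPENDING = (b"example spending seed", "m/0'/0'")
VIEWING = (b"example viewing seed", "m/1'/0'")
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed test seed


def _split(digest: bytes) -> tuple[bytes, bytes]:
    return digest[:32], digest[32:]  # (key material, chain code)


def derive(seed: bytes, label: bytes, path: str) -> bytes:
    """Walk a hardened-only path and return 32 bytes of private key material."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    key, chain = _split(hmac.new(label, seed, hashlib.sha512).digest())
    for part in parts[1:]:
        if not part.endswith("'"):
            # With non-hardened derivation, a leaked child private key plus the
            # parent public key recovers the parent private key; refuse it.
            raise ValueError("only hardened segments are allowed")
        index = int(part[:-1]) + HARDENED
        # The parent private key is an HMAC input, so a child key reveals
        # nothing about its parent or about sibling branches.
        data = b"\x00" + key + index.to_bytes(4, "big")
        key, chain = _split(hmac.new(chain, data, hashlib.sha512).digest())
    return key  # a curve library would turn this into a valid scalar


def wallet_keys(seed: bytes) -> dict[str, bytes]:
    """Derive independent spending and viewing key material from one seed."""
    return {
        "spending": derive(seed, *SPENDING),
        "viewing": derive(seed, *VIEWING),
    }


if __name__ == "__main__":
    for name, key in wallet_keys(SEED).items():
        print(name, key.hex())
```

Handing the `viewing` value to an auditor exposes no input from which `spending` can be computed, which is why the irrevocability in the note above concerns visibility rather than control of funds.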