Wallets and Keys
RAILGUN wallets (and by extension 0zk addresses/keys) can be created by any wallet infrastructure linked to the RAILGUN SDK. The first such wallet is the Railway Wallet, developed by a partner project of RAILGUN.
The RAILGUN SDK follows the BIP-32 standard for key derivation from a seed, which allows for hierarchical deterministic wallets along an elliptic curve. To learn more about key derivation standards:
- BIP-39 explains how mnemonic seed phrases work; start there, since BIP-32 derives keys from the randomness a seed phrase represents.
- BIP-32 describes the method for taking that randomness and deriving keys from it.
- SLIP-44 defines the standard paths along which wallets derive to obtain the key for a particular coin.
Users have access to 2 kinds of keys in their RAILGUN wallets:
Spending Key – The key that allows users to cryptographically prove they own their tokens and send interactions. Spending Keys are analogous to a regular cryptocurrency wallet private key, only with a private 0zk address.
Viewing Key – A key that exclusively allows viewing of all interactions (including private ones) sent by a particular address. Users can define the beginning and ending block for which the Viewing Key can observe in a scoped way. This is useful for auditability purposes, for example, a user can define the beginning and end of a tax year for their Viewing Key by block number.
Both the public Viewing Key and the public Spending Key are encoded in the 0zk address, which is why private addresses on RAILGUN are longer than standard 0x addresses. The key generation method is identical to how most other crypto keys are generated. Private keys are, of course, not revealed publicly at any stage of wallet generation, nor are they shared with any component of the RAILGUN system such as provers, verifiers, or Broadcasters.
Spending Keys
Spending Keys are generated along the Baby Jubjub elliptic curve, a zk-SNARK-friendly curve, and follow the BIP-32 standard. Zk-SNARK proof verification on a blockchain requires embedding an elliptic curve inside a zk-SNARK circuit to achieve succinctness and to fit within a block gas limit. Baby Jubjub enables efficient cryptographic functions to be built on-chain.
Viewing Keys
Viewing Keys are implemented on Edwards-curve Digital Signature Algorithm (EdDSA) curves, specifically Ed25519. Viewing Keys enable the holder to decrypt the encoded interaction information but not send interactions. They merely scan the RAILGUN smart contract events to reveal what has been sent to users and what interactions users have sent. A different key derivation scheme is used for viewing keys as Ed25519 is more efficient if no zk-SNARK circuits need to be used.
NOTE: Once a Viewing Key is generated, it is irrevocable, meaning that whoever holds the key can see private interactions forever. An upcoming update will allow Viewing Keys to be scoped by block number, i.e. only display interactions from Block Number X to Block Number Y.