Zerokit RLN Module

This module provides APIs to manage, compute and verify RLN zkSNARK proofs and RLN primitives.

Pre-requisites

Install dependencies and clone repo

sh make installdeps git clone https://github.com/vacp2p/zerokit.git cd zerokit/rln

Build and Test

To build and test, run the following commands within the module folder bash cargo make build cargo make test

Compile ZK circuits

The rln (https://github.com/privacy-scaling-explorations/rln) repository, which contains the RLN circuit implementation is a submodule of zerokit RLN.

To compile the RLN circuit

``` sh

Update submodules

git submodule update --init --recursive

Install rln dependencies

cd vendor/rln/ && npm install

Build circuits

./scripts/build-circuits.sh rln

Copy over assets

cp build/zkeyFiles/rln-final.zkey ../../resources/treeheight15 cp build/zkeyFiles/rln.wasm ../../resources/treeheight15 ```

Note that the above code snippet will compile a RLN circuit with a Merkle tree of height equal 15 based on the default value set in vendor/rln/circuit/rln.circom.

In order to compile a RLN circuit with Merkle tree height N, it suffices to change vendor/rln/circuit/rln.circom to

``` pragma circom 2.0.0;

include "./rln-base.circom";

component main {public [x, epoch, rln_identifier ]} = RLN(N); ```

However, if N is too big, this might require a bigger Powers of Tau ceremony than the one hardcoded in ./scripts/build-circuits.sh, which is 2^14. In such case we refer to the official Circom documentation for instructions on how to run an appropriate Powers of Tau ceremony and Phase 2 in order to compile the desired circuit.

Currently, the rln module comes with three pre-compiled RLN circuits having Merkle tree of height 15, 19 and 20, respectively.

Getting started

Add RLN as dependency

We start by adding zerokit RLN to our Cargo.toml

toml [dependencies] rln = { git = "https://github.com/vacp2p/zerokit" }

Create a RLN object

First, we need to create a RLN object for a chosen input Merkle tree size.

Note that we need to pass to RLN object constructor the path where the circuit (rln.wasm, built for the input tree size), the corresponding proving key (rln_final.zkey) and verification key (verification_key.json, optional) are found.

In the following we will use cursors as readers/writers for interfacing with RLN public APIs.

```rust use rln::protocol::; use rln::public::; use std::io::Cursor;

// We set the RLN parameters: // - the tree height; // - the circuit resource folder (requires a trailing "/"). let treeheight = 20; let resources = Cursor::new("../zerokit/rln/resources/treeheight_20/");

// We create a new RLN instance let mut rln = RLN::new(tree_height, resources); ```

Generate an identity keypair

We generate an identity keypair

```rust // We generate an identity pair let mut buffer = Cursor::new(Vec::::new()); rln.key_gen(&mut buffer).unwrap();

// We deserialize the keygen output to obtain // the identiysecret and idcommitment let (identitysecrethash, idcommitment) = deserializeidentitypair(buffer.intoinner()); ```

Add ID commitment to the RLN Merkle tree

```rust // We define the tree index where idcommitment will be added let idindex = 10;

// We serialize idcommitment and pass it to setleaf let mut buffer = Cursor::new(serializefieldelement(idcommitment)); rln.setleaf(id_index, &mut buffer).unwrap(); ```

Note that when tree leaves are not explicitly set by the user (in this example, all those with index less and greater than 10), their values is set to an hardcoded default (all-0 bytes in current implementation).

Set epoch

The epoch, sometimes referred to as external nullifier, is used to identify messages received in a certain time frame. It usually corresponds to the current UNIX time but can also be set to a random value or generated by a seed, provided that it corresponds to a field element.

rust // We generate epoch from a date seed and we ensure is // mapped to a field element by hashing-to-field its content let epoch = hash_to_field(b"Today at noon, this year");

Set signal

The signal is the message for which we are computing a RLN proof.

rust // We set our signal let signal = b"RLN is awesome";

Generate a RLN proof

We prepare the input to the proof generation routine.

Input buffer is serialized as [ identity_key | id_index | epoch | signal_len | signal ].

rust // We prepare input to the proof generation routine let proof_input = prepare_prove_input(identity_secret_hash, id_index, epoch, signal);

We are now ready to generate a RLN ZK proof along with the public outputs of the ZK circuit evaluation.

```rust

// We generate a RLN proof for proofinput let mut inbuffer = Cursor::new(proofinput); let mut outbuffer = Cursor::new(Vec::::new()); rln.generaterlnproof(&mut inbuffer, &mut outbuffer) .unwrap();

// We get the public outputs returned by the circuit evaluation let proofdata = outbuffer.into_inner(); ```

The byte vector proof_data is serialized as [ zk-proof | tree_root | epoch | share_x | share_y | nullifier | rln_identifier ].

Verify a RLN proof

We prepare the input to the proof verification routine.

Input buffer is serialized as [proof_data | signal_len | signal ], where proof_data is (computed as) the output obtained by generate_rln_proof.

```rust // We prepare input to the proof verification routine let verifydata = prepareverifyinput(proofdata, signal);

// We verify the zk-proof against the provided proof values let mut inbuffer = Cursor::new(verifydata); let verified = rln.verify(&mut in_buffer).unwrap(); ```

We check if the proof verification was successful: rust // We ensure the proof is valid assert!(verified);

Get involved!

Zerokit RLN public and FFI APIs allow interaction with many more features than what briefly showcased above.

We invite you to check our API documentation by running rust cargo doc --no-deps and look at unit tests to have an hint on how to interface and use them.