Waku and ZK #112

@alrevuelta

Description

Sharing some notes about the usage of zero-knowledge and zkVMs in waku + some possible improvements to RLN:

  • For context. The main and only (so far) zero-knowledge use case in Waku is RLN. It's a rather simple mechanism that proves that a given leaf is part of a tree represented by root r without revealing the leaf or the path. It comes with other nice features such as slashing, possible when a user exceeds the rate limit. Each message reveals a Shamir secret share, so exceeding the limit allows anyone in the network to reconstruct the private key of the sender.
  • Currently, RLN is a simple circuit (v1 and v2) written in Circom. That's used in zerokit, where it's exposed via FFIs so that it can be used in nwaku. RLN uses zkSNARKs with Groth16 as the proving system, which allows very small, constant-sized proofs + quick proving (150 ms on a laptop) and verification.
  • As it is, the current development of "zk features" in Waku has a bit of a process. It requires knowledge of a domain-specific language (Circom) + integrating it into a Rust library (zerokit) + integrating it in nwaku. However, in the last few years the usage of zkVMs (zero-knowledge virtual machines) has emerged and is replacing some of the circuit-based zero-knowledge. A zkVM allows any provable logic to be expressed in almost any programming language (e.g. Rust or other LLVM-compiled languages), removing the need for a domain-specific language like Circom. This could facilitate the introduction of new zk features, since devs won't need to learn a DSL and any "normal" code can be proved.
  • However, it is yet unclear whether:
    • The performance of zkVMs is ok for Waku. Depending on the tool (SP1, Risc0, etc.) and the proving system, proof sizes and proving/verification times vary. A critical requirement for Waku is that proving and verification shall be done on desktop (and at some point on mobile?) in << 1 s.
    • We need more zk features beyond RLN.

In an attempt to explore this path, I developed an incomplete prototype implementing RLN using SP1: rln-sp1. I'm still unsure whether SP1 offers the privacy properties Waku requires, but note how RLN logic can be expressed with "normal" Rust code. Note also that proving times are far from usable for Waku (proving times are a few seconds), but no optimizations have been made. SP1 offers some optimized libraries for, e.g., signature verification that are not being used.
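The slashing mechanism described in the first bullet, as an added illustration that is not part of this issue, of zerokit, or of rln-sp1: each RLN v1 message publishes one point on the line y = a1·x + sk, where a1 is derived from the secret key and the epoch and x from the message, so two messages in the same epoch determine the line and anyone can read off the intercept sk. The code below models exactly that algebra in plain Rust. It assumes a small Mersenne prime field (2^61 - 1) in place of the BN254 scalar field and a toy polynomial hash in place of Poseidon, so the constants are illustrative only; the share/recover logic is the part that carries over.

```rust
// Added example: toy model of RLN's Shamir-share slashing (not zerokit/RLN code).
// Assumptions: field modulus P = 2^61 - 1 instead of the real circuit field, and
// hash_to_field is a toy polynomial hash standing in for Poseidon.

const P: u128 = (1u128 << 61) - 1; // prime; operands stay < 2^61 so products fit in u128

fn add(a: u128, b: u128) -> u128 { (a + b) % P }
fn sub(a: u128, b: u128) -> u128 { (a + P - (b % P)) % P }
fn mul(a: u128, b: u128) -> u128 { ((a % P) * (b % P)) % P }

// Square-and-multiply exponentiation mod P.
fn pow(mut base: u128, mut exp: u128) -> u128 {
    let mut acc = 1u128;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

// Multiplicative inverse via Fermat's little theorem; caller guarantees a != 0.
fn inv(a: u128) -> u128 { pow(a, P - 2) }

// Toy hash to a field element (stand-in for Poseidon). Each byte step is an
// affine map mod P, so distinct inputs of equal layout give distinct outputs.
fn hash_to_field(parts: &[&[u8]]) -> u128 {
    let mut h: u128 = 0x1234_5678_9abc_def1 % P;
    for part in parts {
        for &b in *part {
            h = add(mul(h, 257), b as u128 + 1);
        }
        h = add(mul(h, 65_537), 7); // separate the parts
    }
    h
}

/// What one RLN v1 message makes public: the point (x, y) and a nullifier that
/// links all of this key's messages within the epoch without revealing the key.
#[derive(Debug, Clone, PartialEq)]
pub struct Share {
    pub x: u128,
    pub y: u128,
    pub nullifier: u128,
}

/// Line slope a1 = H(sk, epoch); point x = H(message), y = a1 * x + sk.
pub fn rln_share(sk: u128, epoch: u64, message: &[u8]) -> Share {
    let sk = sk % P;
    let a1 = hash_to_field(&[sk.to_le_bytes().as_slice(), epoch.to_le_bytes().as_slice()]);
    let x = hash_to_field(&[message]);
    let y = add(mul(a1, x), sk);
    let nullifier = hash_to_field(&[a1.to_le_bytes().as_slice()]);
    Share { x, y, nullifier }
}

/// Anyone holding two shares with the same nullifier (same key, same epoch) and
/// distinct x recovers the slope and then the intercept, which is sk.
/// Returns None when the shares do not come from the same epoch/key or when
/// the two points coincide (a duplicate message reveals nothing new).
pub fn recover_secret(s1: &Share, s2: &Share) -> Option<u128> {
    if s1.nullifier != s2.nullifier || s1.x == s2.x {
        return None;
    }
    let a1 = mul(sub(s1.y, s2.y), inv(sub(s1.x, s2.x)));
    Some(sub(s1.y, mul(a1, s1.x)))
}

fn main() {
    let sk: u128 = 123_456_789; // constructed toy secret key
    let first = rln_share(sk, 42, b"first message in epoch 42");
    let second = rln_share(sk, 42, b"second message in epoch 42");
    println!("recovered key: {:?}", recover_secret(&first, &second));
    let next_epoch = rln_share(sk, 43, b"one message in epoch 43");
    println!("across epochs: {:?}", recover_secret(&first, &next_epoch));
}
```

The nullifier is what makes detection cheap: a relayer only needs to see two shares with the same nullifier in one epoch to know the limit was exceeded, and the recovery itself is two field operations. Raising the rate limit to k messages per epoch, as RLN v2 does, means moving from a line to a degree-k polynomial, so k+1 shares are needed before the intercept leaks.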
