What is ZKLC and How Does it Work?
ZKLC stands for Zero-Knowledge Light Clients. ZK Light Clients allow us to prove the validity of a transaction by constructing a zk-proof of its validity, which can then be cheaply verified by anyone. Verifiers no longer have to run full consensus.
Let’s dive deeper into how we can construct zk-proofs of transaction validity.
Checking the validity of a transaction can be done via full block verification or light client verification. Both techniques essentially involve verifying a large number of digital signatures. On Rust-based chains, ED25519 is the most popular digital signature scheme.
Hence, we need an approach that constructs a single zk-snark proof for a large batch of ED25519 signatures.
Our approach involves two steps:
- Construct a snark proof of a single ED25519 signature.
- Combine a batch of ED25519 snark proofs into a single snark proof.
Let’s understand each step in detail.
Step 1: Construct a Snark Proof of a Single ED25519 Signature
We first implement the ED25519 signature scheme as R1CS constraints using circom. R1CS is essentially a polynomial representation of the mathematics behind ED25519. However, this has a problem: all arithmetic in circom and zk-snarks is performed on numbers below the prime p = 21888242871839275222246405745257275088548364400416034343698204186575808495617, because the altbn128 curve uses this prime.
But the mathematics of ED25519 requires operations on numbers larger than this. To solve the problem, we represent all numbers in base 2⁵¹, so that every value always stays below p. We choose 2⁵¹ as the base because it lets us exploit certain mathematical properties of the prime used by ED25519 (q = 2²⁵⁵-19). Finally, we use the snarkJS library to construct the zk-proof.
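The following Python script is an added illustration of the base-2⁵¹ trick; it is not Electron Labs' circom code. It emulates the limb representation with ordinary integers: a 255-bit number is split into five 51-bit limbs, two such numbers are multiplied schoolbook-style, and the property 2²⁵⁵ ≡ 19 (mod q) is used to fold the high limb products back down. The point it makes is that every intermediate value stays far below the altbn128 prime p, whereas a direct product of two 255-bit numbers would not. The function and constant names are our own choices.

```python
# Added example (not the circom implementation from the post): emulate
# base-2^51 limb arithmetic for the Ed25519 field in plain Python.
P_BN = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # altbn128 prime
Q = 2**255 - 19          # Ed25519 field prime
LIMB_BITS = 51
NUM_LIMBS = 5            # 5 * 51 = 255 bits
MASK = (1 << LIMB_BITS) - 1


def to_limbs(x):
    """Split 0 <= x < 2^255 into five little-endian 51-bit limbs."""
    assert 0 <= x < (1 << 255), "input must fit in 255 bits"
    return [(x >> (LIMB_BITS * i)) & MASK for i in range(NUM_LIMBS)]


def from_limbs(limbs):
    """Inverse of to_limbs; the limbs do not have to be normalised."""
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))


def normalise(acc):
    """Propagate carries until every limb is below 2^51.
    A carry out of the top limb is a multiple of 2^255, and
    2^255 == 19 (mod q), so it is folded into limb 0 as 19 * carry."""
    while True:
        carry = 0
        for k in range(NUM_LIMBS):
            acc[k] += carry
            carry = acc[k] >> LIMB_BITS
            acc[k] &= MASK
        if carry == 0:
            return acc
        acc[0] += 19 * carry


def mul_mod_q(a, b):
    """Multiply two 5-limb numbers modulo q using only small intermediates.
    Returns (limbs, largest_intermediate). The result is below 2^255 and
    congruent to a*b mod q (a final subtraction of q may still be needed)."""
    acc = [0] * NUM_LIMBS
    for i in range(NUM_LIMBS):
        for j in range(NUM_LIMBS):
            k = i + j
            if k < NUM_LIMBS:
                acc[k] += a[i] * b[j]
            else:
                # weight 2^(51*k) = 2^255 * 2^(51*(k-5)) == 19 * 2^(51*(k-5)) (mod q)
                acc[k - NUM_LIMBS] += 19 * a[i] * b[j]
    largest = max(acc)       # largest value a constraint would ever have to hold
    return normalise(acc), largest


if __name__ == "__main__":
    x, y = Q - 1, Q - 2      # constructed inputs near the top of the field
    limbs, largest = mul_mod_q(to_limbs(x), to_limbs(y))
    print("naive product exceeds p:", x * y > P_BN)
    print("limb result correct:", from_limbs(limbs) % Q == (x * y) % Q)
    print("largest intermediate has", largest.bit_length(), "bits; p has", P_BN.bit_length())
```

Each limb product is at most 2¹⁰² and at most five of them (some scaled by 19) are summed per position, so no intermediate exceeds roughly 2¹⁰⁹, comfortably inside a 254-bit field. In a real circuit the limbs additionally need range constraints proving they are below 2⁵¹, since the field itself does not enforce that.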
Check out our GitHub repo to see the implementation.
Step 2: Recursively Combine Many Snark Proofs into One Proof
We must now combine multiple snark proofs into a single proof, which attests to the validity of all the others. How do we do that?
Say we have two proofs, proof1 and proof2. We can construct a third proof, proof3, which proves that proof1 and proof2 are valid. The circom circuit takes proof1 and proof2 as input signals and runs a circom implementation of the proof verification algorithm (on curve altbn128).
We can extend this to many proofs by building a Merkle-tree-like structure, in which proofs are successively combined in pairs until a single proof remains.
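The tree-shaped combination described above, as an added Python sketch (not Electron Labs' circuits): each signature proof is a leaf, pairs are combined level by level, and an odd leftover at any level is carried up unchanged rather than padded. The `combine` step is a constructed placeholder (a hash of its two inputs) standing in for the circom verifier circuit, so the script shows the shape and cost of the recursion, not a real SNARK.

```python
# Added example (not the post's circuits): pairwise recursive aggregation of
# many per-signature proofs into one root proof.
import hashlib
import math


def leaf_proof(sig_bytes):
    """Placeholder for the Step 1 proof of one signature (constructed)."""
    return hashlib.sha256(b"leaf|" + sig_bytes).digest()


def combine(proof_a, proof_b):
    """Placeholder for the circuit that takes two proofs as input signals and
    outputs one proof attesting that both verify (constructed, a plain hash)."""
    return hashlib.sha256(b"node|" + proof_a + b"|" + proof_b).digest()


def aggregate(leaf_proofs):
    """Reduce a list of proofs to one root proof, Merkle-tree style.
    Returns (root, combine_calls, depth): the root is the only proof a
    verifier has to check, combine_calls is the prover's recursive work,
    and depth is how many sequential rounds the recursion takes."""
    if not leaf_proofs:
        raise ValueError("need at least one proof")
    level = list(leaf_proofs)
    calls = 0
    depth = 0
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            nxt.append(combine(level[i], level[i + 1]))
            calls += 1
        if len(level) % 2 == 1:
            nxt.append(level[-1])   # odd proof is carried up as-is
        level = nxt
        depth += 1
    return level[0], calls, depth


if __name__ == "__main__":
    # Constructed stand-ins for six signatures from one block.
    sigs = [b"sig%d" % i for i in range(6)]
    root, calls, depth = aggregate([leaf_proof(s) for s in sigs])
    print("root:", root.hex())
    print("recursive verifications:", calls, "depth:", depth,
          "expected depth:", math.ceil(math.log2(len(sigs))))
```

For n leaf proofs the prover performs n - 1 recursive verifications in ceil(log2 n) rounds, while the verifier checks exactly one proof regardless of n; that asymmetry is what makes the batched cross-chain proofs cheap to check.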
This technique is adapted from recursive snark technology by Mina Protocol and plonky2 by Polygon Zero.
Zero-knowledge-based light clients have many applications. They allow transaction validity to be proven very cheaply anywhere, for example in smart contracts on any blockchain or in cloud applications.
At Electron Labs, we are using them to build ultra-cheap cross-chain bridges. Many cross-chain transactions can be batched into a single snark proof. This makes cross-chain transaction costs very low, nearly on par with normal blockchain transactions.
We are currently building ZKLC light clients for the NEAR and Tendermint blockchains. In the future, we plan to extend this technology to create proofs of an entire blockchain itself, which will have tremendous applications.