How Light Protocol Works
Co-authored by Swen Schäferjohann and Jorrit Palfner
Last week we wrote about our vision for Light Protocol and why we think Light Protocol might be able to scale privacy to one billion crypto users.
Today’s post provides a high-level explanation of how Light Protocol works and it’s written with crypto-savvy non-devs in mind. We’ll also touch on some things like ecosystem infrastructure and our roadmap.
To understand how Light Protocol works at its core, let’s consider the most basic use case: funding an anonymous address.
To fund an anonymous address you shield tokens to a liquidity pool, then wait for an arbitrary amount of time and eventually unshield the tokens to a new address. During that process the Light program breaks any on-chain link between sender and recipient address.
To facilitate this user flow Light uses liquidity pools on Solana (one for every asset) and relayers which are similar to miners.
Let’s break it down:
Shield
First, you shield a number of tokens in the liquidity pool. The receipt for your shield is a cryptographic note similar to a UTXO (unspent transaction output) in Bitcoin.
When you shield into the liquidity pool, the program stores your note in two places:
- The note is stored in your personal encrypted on-chain storage so that only your own wallet’s private key can decrypt the notes. This is a pure UX feature that allows you to manage your private funds with your regular wallet.
- A hash of your note is stored inside the liquidity pool. The pool is actually nothing but a big collection of note hashes, with each hash proving ownership of a shield in the pool. This will be important for the unshielding process.
Unshielding
Using your note, you can unshield tokens from the liquidity pool to a fresh recipient address.
For an unshielding your application creates a zero-knowledge proof from one or several notes, the amount to be unshielded and the recipient address. The zero-knowledge proof (ZKP) proves that you own a specific amount of tokens in the pool without revealing any information about yourself or the amount.
The Light program verifies the ZKP on Solana and, if successful, sends the unshield amount to the recipient address.
It is possible to unshield a fraction of a shield or several shields in one transaction. If you unshield a fraction you get a new note for the change that remains private in the liquidity pool.
The new address is private in the sense that nobody can identify you as the owner of the address since it is not connected to your prior transaction history.
In practice however, there are three more factors that influence your effective privacy:
1) First, keep in mind that the recipient address is just a regular address. So the amount you unshield to it as well as any subsequent transactions from or to it will again be visible on the blockchain.
2) Second, while there’s no direct on-chain link between the sender and recipient address, your effective privacy is based on how many other shields are in the pool at the same time. For example, if you were the only one shielding into the pool and then went on to unshield with a different address, it would be clear that the sender address is in cahoots with the recipient address.
A very simplified calculation would approximate this: If there are two active shields at the time of your unshielding the chance that the funds you unshield originate from one of the shields is 1/2. With three shields it’s 1/3, and so on. In practice, there are some other factors like time and similarity between shields. But those are negligible for the purpose of demonstration.
3) Third, to guarantee full on-chain anonymity of your unshielding one more step is needed: the unshielding has to be requested via a relayer. This step is necessary because someone needs to pay for the unshielding with a transaction on Solana. You should not send this transaction yourself (i.e. from your regular wallet) because then your wallet would be linked to the recipient address. In that case, it would be clear that you did the unshielding.
That’s where relayers come in. Relayers are service providers who initiate the unshielding for you in return for a small fee. Your application simply sends an unshield request to a relayer. The relayer receives the ZKP, unshield amount and recipient address from your application. Note that the relayer cannot manipulate these values, since the unshield amount and recipient address are included in the ZKP; if the relayer tries to tamper with any of the parameters, the transaction will fail. Therefore you do not need to trust the relayer. (For complete anonymity your application should talk to the relayer via Tor, or similar.)
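The tamper check described above, as an added Python example that is not Light Protocol's code: a hash-based one-time (Lamport) signature stands in for the zero-knowledge proof, so amount and recipient are bound to the proof, but unlike a real ZKP the spent note is revealed. The note layout, the spent-note set, and names such as Pool, note_hash, FRESH_ADDR and RELAYER_ADDR are assumptions made for illustration.

```python
import hashlib, secrets

def H(*parts: bytes) -> bytes:  # SHA-256 over length-prefixed parts
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def bits(digest: bytes) -> list:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen(seed: bytes):  # Lamport one-time key pair; sk plays the private note
    sk = [[H(seed, bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def note_hash(pk, amount: int) -> bytes:
    # Value the pool stores at shield time (hypothetical layout).
    return H(b"".join(k for pair in pk for k in pair), amount.to_bytes(8, "big"))

def public_inputs(amount: int, recipient: str) -> bytes:
    return H(amount.to_bytes(8, "big"), recipient.encode())

def prove(sk, amount: int, recipient: str) -> list:
    # Stand-in for the ZKP: reveal one secret per bit of the public inputs.
    return [sk[i][b] for i, b in enumerate(bits(public_inputs(amount, recipient)))]

class Pool:
    def __init__(self):
        self.note_hashes, self.spent = set(), set()  # spent set is an assumption
    def unshield(self, req: dict) -> bool:
        # Program-side check; True means funds would go to req["recipient"].
        nh = note_hash(req["pk"], req["amount"])
        want = bits(public_inputs(req["amount"], req["recipient"]))
        ok = (nh in self.note_hashes and nh not in self.spent
              and all(H(s) == req["pk"][i][b]
                      for i, (s, b) in enumerate(zip(req["proof"], want))))
        if ok:
            self.spent.add(nh)
        return ok

def relay_demo():
    pool = Pool()
    sk, pk = keygen(secrets.token_bytes(32))
    pool.note_hashes.add(note_hash(pk, 5))  # shield 5 tokens
    req = dict(pk=pk, amount=5, recipient="FRESH_ADDR", proof=prove(sk, 5, "FRESH_ADDR"))
    redirected = dict(req, recipient="RELAYER_ADDR")  # relayer swaps the recipient
    inflated = dict(req, amount=50)                   # relayer changes the amount
    return pool.unshield(redirected), pool.unshield(inflated), pool.unshield(req)
```

Both altered requests are rejected and only the request exactly as the user built it is accepted, which is why the relayer needs no trust for the correctness of the payout.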
That’s a lot to keep in mind to really maintain privacy. Luckily, it’s our mission at Light Protocol to provide great user experiences for privacy. So in the future you can expect features that take care of most of those things under the hood; the first focus of ours will be:
- Optimizing liquidity (the number of active shields at any given time)
The more other shieldings are in the pool, the faster your shielding reaches decent levels of privacy.
On a different note, there will be some other features too, including:
- Compliance tool
After a successful unshielding you can use the notes you just spent to generate a compliance proof. This proof re-establishes the link to the origin of your funds for anyone you show it to.
- Shielded transactions
In between the shield and unshield transactions you can do private internal transactions within Light’s liquidity pools. Such internal transactions are completely private and conceal both the amount and the recipient. These transactions are very similar to shielded Zcash transactions. They can be used, e.g., to unify UTXOs to save storage or simply to send a transaction to another address within the liquidity pool.
So this is how Light Protocol enables privacy. Let’s talk about some other things regarding Light: Light Ecosystem Infrastructure and our roadmap.
Light Ecosystem Infrastructure
- Relayers — similar to miners. They receive unshield requests from users and submit these as transactions to the blockchain. In turn, relayers are rewarded with fees.
- Relayer list — A list of all registered relayers is saved on Solana. Relayers will be sampled from this list with priority based on a metric including uptime, successful relayed transactions and current load.
- Liquidity pools — Every asset will have a liquidity pool. These pools allow private aka shielded transactions within the liquidity pool.
- Liquidity pool list — The user interface or API retrieves the list of liquidity pools from Solana. New pools can be created and added to the liquidity pool list.
Roadmap
Implemented
- PoC Devnet launch
Upcoming
- V1 Devnet launch
- V1 audit
- V1 + Light Shield Mainnet launch
- SDK Devnet launch
- Integrations & partnerships
V1 spec
Light Protocol V1 will launch on Mainnet together with Light Shield. Light Shield is a graphical user interface that enables end users to fund wallets anonymously.
The Mainnet launch will be incremental, which means functionality of the protocol will at first be limited to a single SOL liquidity pool and permissioned relayers.
Future versions will have features and updates with the grand goal of optimizing for liquidity and user experience for both developers and end-users alike.