RLN Workshop

Intro

• @oskarth / oskarth.com
• vac.dev - Privacy & Communication

Agenda

1. Intro and overview
2. RLN (construct + code)
3. RLNP2P (construct + code)
4. Conclusion, next steps etc

Motivating problem(s)

• How to we prevent spam in an anon p2p network?
• Rate limiting in a privacy-preserving manner?
• Can we build a decentralized captcha?

RLN

• Rate Limiting Nullifier
• Anonymous rate limiting mechanism
• Based on zkSNARKs
• Anonymity: can’t link message to publisher

History

RLN: Flow

• Register
• Signal
• Verification and slashing

RLN: Registration

• Users register with a membership group to be able to signal
• Can happen with central server, or to a smart contract
• Identity commitment stored in Merkle tree
• Merkle proof to prove membership
• Financial (e.g. ETH) or social stake (e.g. InterRep)

RLN: Signaling

• Registered members can signal once for a given period, external nullifier/epoch
• User can store membership tree locally or get from somewhere
• ZKP is generated to prove membership
• Signal hash is keccak256 hash of content
• Mental model: voting booth, can only vote once

RLN: Verification and slashing

• Verification to ensure ZKP and other parameters are correct
• Slashing: If user double signals, secret credentials revealed

Proof generation - ZK circuit input

// private
signal input identity_secret;
signal input path_elements[n_levels][1];
signal input identity_path_index[n_levels];

// public
signal input x; // signal_hash
signal input epoch;
signal input rln_identifier;

Circuit output

signal output y;
signal output root;
signal output nullifier;

Calculating output

a_0 = identity_secret
a_1 = poseidonHash([a0, external_nullifier])

y = a_0 + x * a_1

internal_nullifier = poseidonHash([a_1, rln_identifier])

Shamir's secret sharing

y1 = a_0 + x1 * a_1
y2 = a_0 + x2 * a_1

(RLN SSS)

RLN illustration (by Tyler)

Sending output message

`
{
  signal: signal, # full signal
  proof: zk_proof,
  internal_nullifier: internal_nullifier,
  x: x, # signal hash
  y: y,
  rln_identifier: rln_identifier,
  
  // application specific
  root: merkle_proof.root,
  external_nullifier: external_nullifier
}

Metadata stored

• Slashing can happen in different ways
• Store metadata per external nullifier, example:

{
    [external_nullifier]: {
        [internal_nullifier]: {
            x_shares: [],
            y_shares: []
        }
    }
}

Verification checks

• external nullifier correctness
• non-duplicate message check
• zk proof verification
• double signal verification

Briefly on various implementations

• Initially: Circom based implementation (slow few years ago, only JS)
• Then: Bellman-based native Rust implementation by Onur (kilic)
• Two different implementations, not ideal from re-use, compatibility, audit etc POV
• Current RLN spec Circom based

Libraries

• rlnjs (JS)
• Zerokit (Rust)
• (js-rln (JS wrapper around Zerokit))
• (No longer used: kilic/rln (Rust))

Zerokit: Circom + Rust with ark-circom

• Goal: get best of both Circom/Solidity/JS and Rust/ZK ecosystem
• Enable people to leverage Circom-based constructs from non-JS environments
• Use Circom circuits via ark-circom, Rust for scaffolding, expose C and WASM API

Demo: RLN

• rlnjs tests
• Zerokit (Rust)
• rln circuits

RLNP2P

• RLN applied in a p2p setting
• Each node keeps track of state and validates messages
• Decentralized, sybil-resistant and privacy-preserving communication channel

Examples

• Waku RLN Relay
• Applies to libp2p GossipSub
• Dandellion++/Tor hybrids
• zkchat: Using RLN on application layer
• RLN+Interrep leveraging web2 reputation

Waku RLN Relay

• Most mature that exists today
• Similar principles can be applied to other topologies
• First to give background, understand p2p messaging context

What is Waku?

• Set of modular protocols for p2p communication
• Focus on privacy, security and running anywhere
• Spiritual successor to Whisper

Waku protocols interactions

Gossiping

graph graphname{
        g [color=Red, penwidth=3.0]
        a [color=Red, penwidth=3.0]
        h [color=Red, penwidth=3.0]
        d [color=Red, penwidth=3.0]
        b [color=Red, penwidth=3.0]
        edge [color=Blue, style=dashed]
        rankdir=LR;
        a -- c;
        e -- a;
        f -- a;
		b -- c;
        f -- e;
        e -- d;
        e -- g;
        h -- f;
        i -- b;
        i -- c;
        a -- i;
        edge [color=Red, style=solid, penwidth=3.0]
        a -- b;
        g -- a;
        a -- d;
        h -- a;
	}

a relays messages to a subset of peers

Waku network

From 30/ADAPTIVE-NODES

Dealing with network spam

• Phone number verification centralized and not private
• PoW in Whisper doesn't work for heterogenerous devices
• Peer scoring open to sybil attacks
• Idea: Use RLN for private economic spam potection using zkSNARKs
• RLN Relay: Relay p2p protocol (GossipSub) + RLN

RLN Relay overview

RLN Relay: Registration

RLN Relay: Routing

Demo: RLNP2P

• Shows messages sent through RLN Relay
• rln-js Waku ex
• js/go/nim p2p chat
• RLN contract

Extra 1: nrln

• Can generalize Shamir's secret sharing to be N messages in M period
• Not currently priority, but circuits exists

Extra 2: RLN+Interrep

• Use social stake instead of financial stake
• Leverage web2 reputation to get sybil-resistance
• Allow for zero-cost entry, people w/o crypto assets
• https://github.com/vacp2p/research/issues/147

Conclusion

• Gone over problem
• RLN construct and code
• RLNP2P construct and code

Links

• RLN docs
• RLNP2P

Q&A

Thanks! Questions?