# Off Chain Privacy Stack for Railgun Railgun solves on chain privacy. Off chain privacy is the natural next layer, and it splits into two parts: the network side (who you are) and the query side (what you're asking for).  This document walks through both, [Nox Mixnet](https://hisoka.io/blog/introducing-nox/) for the network side, Raven (a PIR framework) for the query side, and highlights the off chain queries in a Railgun client that actually leak user patterns. ## Two Layers of Off Chain Privacy Interacting with a blockchain privately requires hiding two separate things: who you are, and what you're asking for. They leak through different channels and need different fixes. | Layer | What leaks | Solution | |-------|-----------|----------| | Network layer | Your IP, request timing, submission patterns | [Nox Mixnet](https://hisoka.io/blog/introducing-nox/) | | Query layer | What data you're requesting | Raven (PIR) | Either layer alone is not enough: - **Network privacy without query privacy** means the provider knows what you asked for, just not who you are. What you asked for is usually enough to identify you anyway, since shielded-pool queries are tied to specific notes. - **Query privacy without network privacy** means the provider can't see what you want, but they know your IP and can correlate timing with on chain activity. Both have to be solved together. ### Network layer: Nox For the network layer we have [Nox](https://hisoka.io/blog/introducing-nox/), a Sphinx mixnet co-designed with an anonymous transaction relay for EVM chains. Encrypted packets pass through three mix nodes before an exit relay submits the transaction on chain, so: - No IP link back to the user - No mempool timing signal - No gas payment trail ### Query layer: Raven For the query layer we have Raven, a production multi-PIR system for fetching smart contract state and other EVM state privately. It sits where an RPC provider would sit in a wallet's data path, with one difference: every query is encrypted before it leaves the client, and the operator computes over the full dataset without ever decrypting the request. - Every query encrypted end to end - Operator sees that a query happened, never which entry was fetched - Same data as RPC - Same interface as RPC ## Why it matters Railgun is already the strongest shielded pool on EVM. The on chain anonymity story is solved. What remains is the off chain side, and it is the last piece between Railgun today and end to end private usage. Vitalik makes the same point in his [maximally simple L1 privacy roadmap](https://ethereum-magicians.org/t/a-maximally-simple-l1-privacy-roadmap/23459/46)): wallets should route to different RPC providers, optionally through PIR. He frames PIR as the eventual replacement for TEE based solutions, once the tech is production ready. hisoka stack to close that gap exists today. Nox covers the network side, Raven covers the query side, both are trustless. The rest of this document shows where they fit in a Railgun client. ## Raven ### What PIR Actually Does PIR stands for [Private Information Retrieval](https://en.wikipedia.org/wiki/Private_information_retrieval). The client encrypts a query under a scheme that lets the server compute over the full dataset without ever decrypting the request. The server returns an encrypted answer. The client decrypts it locally. The operator sees that a query happened and how big the dataset is, never which index or key was looked up. Common variants: 1. **Index PIR**: lookup by position 2. **Keyword PIR**: lookup by arbitrary key 3. **Batched PIR**: multiple queries in one round trip ### How Raven Is Built Raven uses the sidecar approach proposed in the [sharded PIR design for Ethereum state](https://ethresear.ch/t/sharded-pir-design-for-the-ethereum-state/24552). Under the hood it runs a multi-PIR pipeline that combines [InsPIRe](https://eprint.iacr.org/2025/1352) and [iSimplePIR](https://eprint.iacr.org/2026/030.pdf). The pipeline lets the system absorb fresh blockchain updates without adding query latency on the client side, which is what makes it practical for live state instead of static datasets. Raven is fully trustless: - Anyone can run a Raven server. - Every query is encrypted end to end. - The operator never sees what was asked for, and neither does anyone watching the wire. ### How Raven Fits Railgun A Railgun client today has two specific privacy leaks on the query side. **1. Merkle tree sync** - The Railgun contract holds multiple merkle trees, each up to 2^16 (65,536) leaves. - To compute a proof for a partial commitment, the wallet downloads these trees in full and builds the proof locally. - Fetching only the leaf the user needs would tell the RPC provider which leaf the user cares about, so the wallet is forced into the full download. - This works for a desktop wallet but breaks down for web apps and browser extensions: every session pulls and re-syncs hundreds of thousands of leaves across multiple trees against an RPC provider, and background sync creates a poor UX. - Privacy forces the heavy path. **2. POI list fetching** - When the wallet checks POI status, it sends its own commitment list to the POI node. - The operator now sees the full set of commitments that belong to one user. - Future spends from those commitments can be linked back to the same wallet. - This is the most direct fingerprint of a Railgun user in the stack today. Raven removes both: - The merkle tree and POI status table load into Raven once. - The client queries Raven for the specific leaf or commitment it needs. - Every query is encrypted; the operator never sees which entry was fetched. - The wallet stops downloading full trees, the web app stops syncing them, and the POI node stops learning which commitments belong to which user. This also unlocks something bigger. As of [Railway Wallet v5.24.4](https://github.com/Railway-Wallet/Railway-Wallet/releases/tag/v5.24.4), mobile apps are no longer shipped due to app store policies, and desktop is the only supported client. Web apps and browser extensions are the natural next distribution paths, and they are exactly the environments where full-tree sync hurts most. Raven turns those environments from painful to viable. The core Raven deployment for Railgun holds two datasets: 1. **POI status by blinded commitment** what `POIsPerList` returns today. The wallet sends a single blinded commitment, the operator returns its status without seeing which one was asked. 2. **Merkle proofs for owned commitments** what `MerkleProofs` returns today. The wallet fetches the leaf and path it needs to prove ownership of a note, without the operator learning which note. These are the two queries that fingerprint a Railgun user most directly. Closing them is the floor under off-chain privacy. Everything else `rootHistory`, `tokenIDMapping`, validation calls, price feeds, sanctions screening is a refinement on top. > [!NOTE] Raven is not yet open-source. The codebase will be released publicly in the 2/3 days, and the **first integration demo will be Railgun**. Additional demos are in progress for the broader zk ecosystem, including Semaphore and Zcash, with the goal of giving every shielded protocol a drop-in PIR layer for off-chain queries. ## Nox - Mixnet for Ethereum ### What a Mixnet Does A mixnet hides who is talking to whom by routing each message through several relays and breaking the timing link between input and output. Each hop strips one layer of encryption, holds the packet for a random interval, and forwards it alongside cover traffic. By the time a packet exits the network, no observer (including the operators of the relays themselves) can tie it back to its sender. Tor is the closest thing most people have used, but Tor is an onion router, not a mixnet. It forwards immediately to keep latency low, which preserves the timing patterns that defeat anonymity in practice. Mixnets accept a small latency cost in exchange for actual unlinkability. ### How Nox Is Built Nox is a Sphinx mixnet co-designed with an anonymous transaction relay for EVM. Three things make it specifically suited for blockchain use: - **ZK gas payment.** A single-use proof pays the relay fee from a shielded note, bound to the exact transaction. The exit node submits and collects payment without ever learning who paid. - **Anonymous replies via SURB.** Reads come back through pre-built return envelopes, so responses route home without revealing the requester. - **Cover traffic at constant volume.** All packets are 32 KB and structurally identical. Quiet periods don't leak. End-to-end latency at production delay settings is around 300 ms. Ethereum block time is 12 seconds, so the budget is comfortable. ### How Nox Fits Railgun A Railgun transaction today exposes the user on the network side at three points: - The RPC provider sees the IP that submitted the call. - The mempool sees the timing of the broadcast and can correlate it with the user's other network activity. - The relay (or wallet) pays gas from an address that links the transaction back to a public identity. Nox closes all three: - Encrypted packets pass through three mix nodes before an exit relay submits the transaction on chain. - Gas is paid through the ZK circuit from a shielded note. - The submitter sees a transaction; nobody sees a user. Reads route through the same network. Balance checks, contract calls, and event scans go out via the mixnet and come back through SURBs. The RPC operator sees the exit node, never the user. ### Client SDK Nox ships with a [client SDK ](https://docs.hisoka.io/)that routes traffic through the mixnet without changing the application above it. The same SDK handles: - Any HTTPS request - EVM transactions - Smart contract calls - RPC queries - ZK proof submissions A Railgun client integrating Nox does not have to reshape its data path. Existing RPC and POI calls go through the SDK, which mixes them through the network and returns the response on the same interface. ### Where Nox Stands Today > [!NOTE] Nox is [open sourced](https://github.com/hisoka-io/nox) and live on Arbitrum Sepolia. Mainnet deployment is planned within the next 1–2 weeks. The public map at [map.hisoka.io](http://map.hisoka.io) has been **running for over 20 days with zero downtime**, and the network has processed more than **11 million packets to date.** A live demo is available at [demo.nox.hisoka.io](https://demo.nox.hisoka.io/) an RPC explorer where every HTTPS request the page makes is routed through the Nox mixnet. It is the SDK described above, running against the public network, on real traffic. We are also in active conversation with the [Private Reads team at the Ethereum Foundation](https://privreads.ethereum.foundation/) on benchmarking Nox and on how the mixnet layer fits into the broader on-chain privacy stack. Private Reads is the EF workstream focused on PIR for Ethereum state and anonymized routing for wallets and dApps, which is the same two-layer problem this document is built around.