Nightfall

  • Engineering review
  • Truffle box

Nightfall comprises 6 contracts...

  • ERC20 (aka coins)
  • ERC721 (unique items)
  • 2 shield contracts (one for ERC20 / ERC721 respectively)
    • F_Token_Shield
    • NF_Token_Shield
  • GM17_v0 - verifier (returns true if the proof is valid, and false otherwise)
  • PKD.sol - Public Key Directory (Alice can look up Bob in this...e.g. his public key, which is separate from the Ethereum key)

ERC20 shields are a little more complex

Shield contract has 2 data structures (merkle tree)

Each shield contract has 3 functions you can call...

  • Mint - takes an ERC20 and hides it
  • Transfer - sending it from Alice to Bob (under zero knowledge)
  • Burn - lets you take a hidden token and turn it back into a normal ERC20

Type of ZK-Proofs

Imagine we

Pre-image of the hash (as the original body of work)... Take a document and generate a hash...typically the only way you could prove the validity of the hash is by passing the document along.

"I assert that I know the document that I ... " You then receive the document and generate the hash and "believe" that the originator has the pre-image

Alternative: Instead of giving you the pre-image, I generate a ZK proof...I give you that proof instead. You have a verifier algo...you run the proof through the verifier algo and now believe that the originator has the pre-image

Example - Proof that the first word in the document is "the"

Z - think of it as a hidden version of an ERC20 token

  • Alpha - Value of the coin
  • PK - Need to prove knowledge of the secret / private key...you do this by generating a hash of the private key
  • Sigma - Random number / 216 bits long (long enough)

H is a concat of all of the above...this then represents a "commitment"

Minting commitments

Alice has paid for a commit Z of value Alpha... Outside world know

Transfer

  • Much more like a Bitcoin UTXO transfer (send a tx and you get change)
  • Salts can't be the same

Using hashes in the Merkle tree + the path, Alice is able to prove knowledge

Nullifier

A nullifier is Alice's secret key + the secret salt...this prevents her double-spending. She's then going to take those commitments she had earlier and destroy them. She's going to prove to the smart contract that she's done that.

These commitments are never removed from the Merkle tree, it just keeps growing forever and ever.

Sends anonymously to the blockchain...5 things (commitments, nullifiers, etc). Don't know who has sent what to whom...so perfect hiding.
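
A toy model of the commitment and nullifier bookkeeping from the Transfer and Nullifier notes above, added here as an example and not taken from Nightfall's code. SHA-256, the 16-byte value encoding, the single-input transfer and the names `ToyShield`, `commitment`, `nullifier` and `demo` are assumptions; the checks that a ZK proof would attest to on-chain are run in the clear.

```python
import hashlib
import secrets

SALT_BYTES = 27  # 216 bits, the salt length given in the notes

def h(*parts: bytes) -> bytes:
    # Hash of the concatenated parts; SHA-256 is an assumption of this example.
    return hashlib.sha256(b"".join(parts)).digest()

def public_key(sk: bytes) -> bytes:
    return h(sk)  # PK: hash of the private key

def commitment(alpha: int, pk: bytes, sigma: bytes) -> bytes:
    return h(alpha.to_bytes(16, "big"), pk, sigma)  # Z = H(alpha | PK | sigma)

def nullifier(sk: bytes, sigma: bytes) -> bytes:
    return h(sk, sigma)  # secret key + the spent commitment's salt

class ToyShield:  # hypothetical stand-in for the shield contract's state
    def __init__(self):
        self.commitments = []    # append-only, never pruned
        self.nullifiers = set()  # one entry per spent commitment

    def mint(self, z: bytes) -> None:
        self.commitments.append(z)

    def transfer(self, alpha, sk, sigma, outputs) -> bool:
        # On-chain a zk proof attests to all of this without revealing the inputs.
        z = commitment(alpha, public_key(sk), sigma)
        n = nullifier(sk, sigma)
        if z not in self.commitments or n in self.nullifiers:
            return False  # unknown commitment, or a double-spend
        values = [v for v, _, _ in outputs]
        if any(v < 0 for v in values) or sum(values) != alpha:
            return False  # payment + change must equal the input value
        self.nullifiers.add(n)
        self.commitments.extend(commitment(*o) for o in outputs)
        return True

def demo():
    alice_sk, bob_sk = secrets.token_bytes(32), secrets.token_bytes(32)
    sigma = secrets.token_bytes(SALT_BYTES)
    shield = ToyShield()
    shield.mint(commitment(10, public_key(alice_sk), sigma))
    outs = [(7, public_key(bob_sk), secrets.token_bytes(SALT_BYTES)),
            (3, public_key(alice_sk), secrets.token_bytes(SALT_BYTES))]
    first = shield.transfer(10, alice_sk, sigma, outs)
    second = shield.transfer(10, alice_sk, sigma, outs)  # replay attempt
    return first, second, len(shield.commitments), len(shield.nullifiers)
```

The replayed transfer recomputes the same nullifier and is rejected, while the spent commitment stays in the list alongside the two new ones.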

Burn

Rather than sending to someone, you just nullify. Same as a transfer...

Zokrates container

NFTs

Very similar to ERC20...except for the transfer (given you can't subdivide). One input, one output, one nullifier.

Questions

  • Real world readiness...
  • Ideal use of the box
  • What would "success" look like over the next few weeks?
  • Could you transfer to a contract (versus an EOA)?

Random Notes

Nightfall - template shield contract ("guarding application state") / List holder or "totality"

Nightfall with existing tokens such as DAI (point the shield contracts at the right contracts)