Suyash Bagad
h=H(
)
f1
f2
f3
f4
f5
f6
f7
f8
f1
f2
f3
f4
f5
f6
f7
f8
H(f1)
H(f2)
H(f3)
H(f4)
H(f5)
H(f6)
H(f7)
H(f8)
H(f1)
H(f2)
H(f3)
H(f4)
H(f5)
H(f6)
H(f7)
H(f8)
H′(H(f1),H(f2))
H′(H(f3),H(f4))
H′(H(f5),H(f6))
H′(H(f7),H(f8))
h11
h21
h31
h41
h12
h22
h13
H′(h11,h21)
H′(h31,h41)
H′(h12,h22)
H(f1)
H(f2)
H(f3)
H(f4)
H(f5)
H(f6)
H(f7)
H(f8)
h11
h21
h31
h41
h12
h22
h13
H(f1)
H(f2)
H(f3)
H(f4)
H(f5)
H(f6)
H(f7)
H(f8)
h11
h21
h31
h41
h12
h22
h13
H(f1)
H(f2)
H(f3)
H(f4)
H(f5)
H(f6)
H(f7)
H(f8)
h11
h21
h31
h41
h12
h22
h13
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
(ii) Send N ETH to contract C which adds C1 to the Merkle tree
h13
C1
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
(ii) Send N ETH to contract C which adds C1 to the Merkle tree
h13
C1
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
(ii) Send N ETH to contract C which adds C1 to the Merkle tree
h23
h13
C1
C2
H(0)
H(0)
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
(ii) Send N ETH to contract C which adds C1 to the Merkle tree
h33
h13
h23
C1
C2
C3
C4
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
(ii) Send N ETH to contract C which adds C1 to the Merkle tree
h53
h13
h23
h33
h43
(i) Select a withdrawal address A
(ii) Select a root R among the stored ones and compute opening O(l) w.r.t R
(iii) Compute nullifier hash h=H(k)
(iv) Compute a proof using Groth16 proof system s.t. :
(v) The contract verifies the proof and uniqueness of the nullifier hash.
If that succeeds, the contract transfers N ETH to A.
C1
C2
C3
C4
H(0)
H(0)
H(0)
H(0)
h11
h21
h31
h41
h12
h22
h53
Anonymity | ||
Non-custodial | ||
Variable amounts | ||
Shielded payments | ||
ZK Rollup | ||
Proof system |
† Concerns with Tornado.cash: https://lightco.in/2019/08/07/tornado-review/
Groth16
PLONK
‡ Theoretically, ZK Rollups with Groth16 is possible. Loopring uses Groth16 with ZK Rollups.
†
‡