docs/src/runtime/zk-token-proof.md
The native Solana ZK Token proof program verifies a number of zero-knowledge proofs that are tailored to work with Pedersen commitments and ElGamal encryption over the elliptic curve curve25519. The program was originally designed to verify the zero-knowledge proofs that are required for the SPL Token 2022 program. However, the zero-knowledge proofs in the proof program can be used in more general contexts outside of SPL Token 2022 as well.
Program id: ZkTokenProof1111111111111111111111111111111
The ZK Token proof program verifies zero-knowledge proofs for Pedersen commitments and ElGamal encryption, which are common cryptographic primitives that are incorporated in many existing cryptographic protocols.
ElGamal encryption is a popular instantiation of a public-key encryption scheme. An ElGamal keypair consists of an ElGamal public key and an ElGamal secret key. Messages can be encrypted under a public key to produce a ciphertext. A ciphertext can then be decrypted using a corresponding ElGamal secret key. The variant that is used in the proof program is the twisted ElGamal encryption over the elliptic curve curve25519.
The Pedersen commitment scheme is a popular instantiation of a cryptographic commitment scheme. A commitment scheme allows a user to wrap a message into a commitment with the purpose of revealing the committed message later on. Like a ciphertext, the resulting commitment does not reveal any information about the message it contains. At the same time, the commitment is binding in that the user cannot change the original value that is contained in a commitment.
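
How the two primitives above fit together, as an added sketch that is not code from the Solana repository: a twisted ElGamal ciphertext is a Pedersen commitment plus a decryption handle. It assumes a small constructed multiplicative group (P, Q, G, H) in place of curve25519 so that it runs without dependencies, and all function names are illustrative.

```rust
// Toy group standing in for curve25519: the order-Q subgroup of Z_P^*, written
// multiplicatively. All parameters are constructed and far too small to be secure.
const P: u64 = 2039; // safe prime, P = 2*Q + 1
const Q: u64 = 1019; // prime order of the subgroup
const G: u64 = 4; // generator that carries the message
const H: u64 = 9; // generator that carries the randomness

fn pow_mod(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut acc = 1;
    b %= m;
    while e > 0 {
        if e & 1 == 1 {
            acc = acc * b % m;
        }
        b = b * b % m;
        e >>= 1;
    }
    acc
}

// Pedersen commitment to x with opening r: G^x * H^r (x*G + r*H in curve notation).
fn commit(x: u64, r: u64) -> u64 {
    pow_mod(G, x, P) * pow_mod(H, r, P) % P
}

// Twisted ElGamal public key for secret s: H^(1/s), with the inverse taken mod Q.
fn pubkey(s: u64) -> u64 {
    pow_mod(H, pow_mod(s, Q - 2, Q), P)
}

// Ciphertext = (Pedersen commitment to x, decryption handle pk^r).
fn encrypt(pk: u64, x: u64, r: u64) -> (u64, u64) {
    (commit(x, r), pow_mod(pk, r, P))
}

// handle^s equals H^r, so dividing it out of the commitment leaves G^x. The
// message is then found by search, so it must come from a small range.
fn decrypt(s: u64, ct: (u64, u64), max: u64) -> Option<u64> {
    let h_r = pow_mod(ct.1, s, P);
    let g_x = ct.0 * pow_mod(h_r, P - 2, P) % P;
    (0..=max).find(|&x| pow_mod(G, x, P) == g_x)
}

fn main() {
    let (s, r) = (77, 345);
    let ct = encrypt(pubkey(s), 42, r);
    println!("ciphertext {:?} decrypts to {:?}", ct, decrypt(s, ct, 1000));
    println!("commitment part equals commit(42, r): {}", ct.0 == commit(42, r));
}
```

In a group this small the discrete logarithm of H with respect to G is trivial to compute, so the binding property holds only at real parameter sizes.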
Interested readers can refer to the following resources for a more in-depth treatment of Pedersen commitment and the (twisted) ElGamal encryption schemes.
The ZK Token proof program contains proof verification instructions for various
zero-knowledge proofs for working with the Pedersen commitment and ElGamal
encryption schemes. For example, the VerifyRangeProofU64 instruction verifies
a zero-knowledge proof certifying that a Pedersen commitment contains an
unsigned 64-bit number as the message. The VerifyPubkeyValidity instruction
verifies a zero-knowledge proof certifying that an ElGamal public key is a
properly formed public key.
The proof data associated with each of the ZK Token proof instructions are logically divided into two parts:
VerifyRangeProofU64 instruction data is the Pedersen commitment that holds an unsigned 64-bit number. The context component for a VerifyPubkeyValidity instruction data is the ElGamal public key that is properly formed.
The ZK Token proof program processes a proof instruction in two steps:
The simplest way to use a proof instruction is to execute it without producing a context state account. In this case, the proof instruction can be included as part of a larger Solana transaction that contains instructions of other Solana programs. Programs should directly access the context data from the proof instruction data and use it in their program logic.
Alternatively, a proof instruction can be executed to produce a context state account. In this case, the context data associated with a proof instruction persists even after the transaction containing the proof instruction is finished with its execution. The creation of context state accounts can be useful in settings where ZK proofs are required from PDAs or when proof data is too large to fit inside a single transaction.
The ZK Token proof program supports the following list of zero-knowledge proofs.
VerifyPubkeyValidity:
VerifyZeroBalance:
VerifyCiphertextCommitmentEquality:
VerifyCiphertextCiphertextEquality: