This is very cool and really impressive! Nice work, both on a conceptual level and on getting everything to actually work :)
If anyone is curious, here are a couple pointers to related work on problems similar to this.
First, the ideas used here are vaguely related to the way that ZCash works under the hood. The ideas in ZCash come from a sequence of three academic papers: ZeroCoin, PinocchioCoin, and Zerocash:
- ZeroCoin: http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf
- PinocchioCoin: https://www.microsoft.com/en-us/research/wp-content/uploads/...
- Zerocash: https://eprint.iacr.org/2014/349
More directly related in terms of application, but quite different in mechanism: the Handshake airdrop in early 2020 could be claimed anonymously. This was slightly tricky because the idea was to retrofit to existing RSA keys. We (full disclosure, I worked on this project) called the resulting protocol a "GooSig":
- GooSigs: https://eprint.iacr.org/2020/676
Section 3 of that paper gives a way of anonymously airdropping to existing ECDSA or EdDSA keys without using a SNARK. The setup may not be quite the same as in the case being discussed above, though. Notably, it requires sending a short message to the recipient before they can claim their funds. But the message can be encrypted to an existing key of theirs and posted publicly, so this probably isn't much of a limitation in many practical cases.
Those papers are some of the densest ones, so maybe as a starter I would recommend Vitalik’s blog posts on ZK[1].
If folks are interested in a complexity-theoretic introduction to ZK proofs, incidentally, in the interest of being self-recommending, I authored one myself; I’d be curious to hear thoughts on it :)[2]
Yeah, those papers are very dense. You might want to try reading Zerocoin[0] first; it was the starting point of all the zero-knowledge proofs for private payments on a blockchain. Then another academic paper, PinocchioCoin, had a proposal for zkSNARKs. And Zerocash built the zkSNARK + Merkle tree + serial number (later called a nullifier) approach.
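To make the "Merkle tree + serial number/nullifier" bookkeeping concrete, here is a small added example (mine, not from the thread or from the Zerocash code): each coin is a commitment H(sn || r) in a Merkle tree, spending reveals sn, and the ledger's nullifier set rejects a second spend. The zkSNARK is the one piece not modelled: the spender hands over r and the auth path in the clear (an assumption for illustration), so this shows the double-spend logic but gives no anonymity.

```python
import hashlib
from typing import List, Tuple

Path = List[Tuple[bytes, bool]]  # (sibling hash, sibling_is_left), leaf to root

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def commit(serial: bytes, rand: bytes) -> bytes:
    """Coin commitment cm = H(sn || r); the random r hides sn until spend time."""
    return h(serial, rand)

def merkle_root_and_paths(leaves: List[bytes]) -> Tuple[bytes, List[Path]]:
    """Binary Merkle tree over the commitments; an odd level duplicates its last node."""
    level, idx = list(leaves), list(range(len(leaves)))
    paths: List[Path] = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for leaf, pos in enumerate(idx):
            sib = pos ^ 1
            paths[leaf].append((level[sib], sib < pos))
            idx[leaf] = pos // 2
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths

def verify_path(leaf: bytes, path: Path, root: bytes) -> bool:
    node = leaf
    for sib, sib_is_left in path:
        node = h(sib, node) if sib_is_left else h(node, sib)
    return node == root

class Ledger:
    """Public state: the Merkle root of all minted commitments plus the revealed nullifiers."""
    def __init__(self, commitments: List[bytes]):
        self.root, self.paths = merkle_root_and_paths(commitments)
        self.nullifiers = set()

    def spend(self, serial: bytes, rand: bytes, path: Path) -> str:
        # Stand-in for the zkSNARK (assumption, not Zerocash): r and the path are revealed,
        # so membership is checked directly; a real proof shows the same statement in ZK.
        if not verify_path(commit(serial, rand), path, self.root):
            return "reject: not in tree"
        if serial in self.nullifiers:  # the nullifier set is what blocks double spends
            return "reject: double spend"
        self.nullifiers.add(serial)    # only sn is recorded; which commitment it came from stays off the ledger
        return "accept"
```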