The "privacy" that the crypto world pursues often cannot be regulated or made compliant, and is sometimes actively suppressed by governments. How can the on-chain privacy of crypto users be protected while remaining legal and compliant? This article is based on a piece by lawyer Chuyan, organized and translated by Foresight News.

In November 2024, the U.S. Fifth Circuit Court ruled that the sanctions imposed by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) against the mixer Tornado Cash violated the International Emergency Economic Powers Act (IEEPA). The court held that Tornado Cash's smart contracts are decentralized, self-executing code that no one controls and that cannot be owned; they are therefore not property, should not have been placed on OFAC's sanctions list, and OFAC exceeded its statutory authority in sanctioning them. Although the Fifth Circuit's ruling in the Tornado Cash case is seen as a victory for the crypto industry, it must be acknowledged that North Korean hackers and coin-theft criminal organizations have indeed used Tornado Cash to launder funds and evade sanctions and enforcement. So is it possible to protect the on-chain privacy of crypto users while remaining legal and compliant? Today we look at how the mixing protocol Railgun protects users' on-chain privacy while complying with regulations.

The execution model of the Railgun protocol

Railgun is a smart-contract-based privacy protocol that provides private on-chain payments through zero-knowledge proofs and Merkle trees, and uses a "proof of innocence" mechanism to ensure that funds flowing into the protocol are clean and compliant. This approach strikes a balance between private on-chain payments and regulatory compliance. DCG Group, the parent company of Grayscale, has invested $10 million in the Railgun protocol token (RAIL), donated over $7 million in stablecoins to the Railgun DAO, and allocated resources through its subsidiary Foundry Labs to ensure the back-end capacity of the Railgun protocol under load.

Execution mechanism

1. Token privacy (shielding)

Users use Railway Wallet to shield the tokens in their 0x address into a Railgun 0zk address. After a one-hour waiting period, the token balance in the 0zk address can be used for transfers and other private interactions between 0zk addresses on the privacy layer; transfers between 0zk addresses are instantaneous. Railway Wallet supports shielding ERC-20 tokens as well as ERC-721 and ERC-1155 NFTs.

2. Interaction with the underlying chain through Broadcasters to preserve transaction privacy

Once tokens are shielded, users perform on-chain interactions through Broadcasters in the Railgun protocol. Broadcasters are public 0x addresses that pay gas on the underlying blockchain on behalf of protocol users and submit the on-chain interaction. Throughout the interaction, therefore, users do not need to spend ETH/MATIC/BNB as gas. In theory, any 0x address can serve as a Broadcaster, and users choose Broadcasters based on gas price and availability. Broadcasters do not control the tokens in users' addresses; they merely relay the interaction data and cannot see details such as the sending address, amount, receiving address, or token type, which preserves transaction privacy and security. Broadcasters may collect a total gas fee of 10% for the process.

3. Privacy release (unshielding) after completing on-chain interactions

After designating a Broadcaster to complete private transactions on their behalf, users can enter any 0x address and initiate an unshielding interaction to withdraw their remaining tokens from the Railgun protocol. For both shielding and unshielding operations, the Railgun smart contract charges a fee of 0.25%, which is sent to the Railgun DAO treasury address; this protocol revenue is distributed to protocol governors and stakers.

Railgun uses zero-knowledge proofs to ensure on-chain privacy

A zero-knowledge proof (ZKP) is a cryptographic technique that lets a prover convince a verifier that a statement is true without revealing the underlying details. In the Railgun protocol, users can prove their right to spend tokens without disclosing the token type or amount, while Broadcasters and liquidity pools anonymize the sending and receiving addresses. By analogy, Railgun users are the senders of letters, the ZKP verifies the letter's content, the Railgun smart contract is the sealed envelope, and Broadcasters are the postmen. From the public chain, only the fact that a letter was sent is visible; its content, sender, and recipient cannot be determined.

Railgun uses Merkle trees to prevent double spending and ensure transaction security

A Merkle tree, also called a hash tree, is commonly used to verify the integrity of on-chain transaction data: each block header contains the Merkle root of the block's transactions, which makes it possible to check whether any transaction in the block has been tampered with. After FTX misappropriated user assets, most mainstream centralized exchanges adopted Merkle-tree proofs to verify that user assets are held in custody and have not been misappropriated. Once a user shields an address through the Railgun protocol, the tokens are added to the privacy pool. Token balances in the Railgun privacy pool are tracked through a UTXO log similar to Bitcoin's; the Railgun UTXO list forms a Merkle tree that is used to verify balance state during transactions. All tokens in the Railgun protocol share one Merkle tree, and every shielding operation updates the tree's state, producing a new Merkle root and leaf. This guarantees that a user holds sufficient tokens when sending a private transaction, preventing double spending and ensuring transaction security.

How the Railgun protocol achieves regulatory compliance

Tornado Cash was sanctioned mainly because the North Korean hacker organization Lazarus Group and coin-laundering criminal groups used it for mixing to evade tracking and investigation by regulatory enforcement agencies such as the FBI.

Proof of Innocence

As mentioned in the execution mechanism above, there is a one-hour waiting period when users shield from their 0x addresses. During this period, Railgun conducts on-chain anti-money-laundering checks on the tokens in the user's address to ensure that the funds do not originate from high-risk crime or sanctioned addresses. Railgun's on-chain anti-money-laundering differs from that of centralized exchanges...
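To make the UTXO-and-Merkle-tree mechanism described in the section above concrete, here is an added Python model of a shared commitment tree with a nullifier set. It is illustrative code written for this article, not Railgun's own implementation: Railgun's actual note format, hash function, and circuits differ, and the zero-knowledge proof is replaced here by a `spend()` function that sees the note in the clear (in the real protocol the contract only sees a proof, a root, and a nullifier). SHA-256, the `Note` fields, the nullifier derivation, and all sample notes are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

ZERO = b"\x00" * 32  # value of an empty (unused) leaf


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (assumption: stands in for the circuit hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    """One UTXO ('note') in the pool. Constructed, simplified field set."""
    owner: str     # stands in for a 0zk owner key
    token: str
    amount: int
    salt: bytes    # random per note, so equal amounts give different commitments

    def commitment(self) -> bytes:
        # The leaf stored on-chain: owner, token and amount are hidden behind the hash
        return H(self.owner.encode(), self.token.encode(),
                 self.amount.to_bytes(32, "big"), self.salt)

    def nullifier(self) -> bytes:
        # Revealed when the note is spent; the same note always yields the same
        # nullifier, so a second spend of it is detected (hypothetical derivation)
        return H(b"nullifier", self.salt, self.owner.encode())


@dataclass
class CommitmentTree:
    """Append-only Merkle tree of note commitments plus the set of spent nullifiers."""
    depth: int = 4
    leaves: list = field(default_factory=list)
    nullifiers: set = field(default_factory=set)

    def _levels(self) -> list:
        # Level 0 is the zero-padded leaf layer; the last level holds only the root
        nodes = self.leaves + [ZERO] * (2 ** self.depth - len(self.leaves))
        levels = [nodes]
        for _ in range(self.depth):
            nodes = [H(nodes[i], nodes[i + 1]) for i in range(0, len(nodes), 2)]
            levels.append(nodes)
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def append(self, commitment: bytes) -> int:
        """Add a leaf (a shield or a transfer output); every append changes the root."""
        if len(self.leaves) >= 2 ** self.depth:
            raise ValueError("tree full")
        self.leaves.append(commitment)
        return len(self.leaves) - 1

    def proof(self, index: int) -> list:
        """Sibling path from leaf to root: [(sibling_hash, leaf_is_right_child), ...]."""
        path = []
        for level in self._levels()[:-1]:
            path.append((level[index ^ 1], bool(index & 1)))
            index //= 2
        return path

    @staticmethod
    def verify(root: bytes, leaf: bytes, path: list) -> bool:
        node = leaf
        for sibling, is_right in path:
            node = H(sibling, node) if is_right else H(node, sibling)
        return node == root

    def spend(self, note: Note, path: list, outputs: list) -> bool:
        """Consume `note` and create `outputs`. Returns False, changing nothing, if invalid."""
        if not self.verify(self.root(), note.commitment(), path):
            return False  # the note is not in the pool
        if any(o.token != note.token for o in outputs) or \
                sum(o.amount for o in outputs) > note.amount:
            return False  # a spend may neither create value nor change token
        nf = note.nullifier()
        if nf in self.nullifiers:
            return False  # double spend: this note was already consumed
        self.nullifiers.add(nf)
        for o in outputs:
            self.append(o.commitment())
        return True


def demo() -> dict:
    """Shield one note, transfer it privately, then replay the same spend."""
    tree = CommitmentTree(depth=4)
    alice = Note("alice", "USDC", 100, b"\x01" * 32)   # constructed sample note
    idx = tree.append(alice.commitment())
    root_before = tree.root()
    path = tree.proof(idx)
    bob = Note("bob", "USDC", 60, b"\x02" * 32)
    change = Note("alice", "USDC", 40, b"\x03" * 32)
    first = tree.spend(alice, path, [bob, change])      # valid: one input, two outputs
    second = tree.spend(alice, tree.proof(idx), [bob])  # replay: rejected by the nullifier set
    return {"first": first, "second": second,
            "root_changed": root_before != tree.root(), "leaves": len(tree.leaves)}
```

The two points the text makes show up directly: the root changes on every append, and the commitment of a spent note stays in the tree (so its inclusion proof still verifies) but its nullifier blocks any second spend. In the real protocol the membership check, the amount-conservation check and the nullifier computation all happen inside the zero-knowledge circuit, so the chain learns the nullifier and the new commitments but not which leaf was consumed.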