Zero-Knowledge Proofs

Every shielded operation requires a valid Groth16 zero-knowledge proof verified on-chain. These proofs cryptographically guarantee the validity of hidden transactions without revealing any private data.

Verified

Total proofs verified

System

Groth16

Sapling circuits

Circuits

Spend, Output, Convert

Curve

BLS12-381

Pairing-friendly curve

PROOF CIRCUITS

Spend Circuit

Proves that the spender owns a note in the commitment tree without revealing which note, and reveals a nullifier to prevent double-spending.

Public inputs:anchor, nullifier, rk

Private inputs:note, path, ak, nsk

Output Circuit

Proves that a new note commitment was correctly constructed for the recipient without revealing the note contents (value, address, randomness).

Public inputs:cv, cm, epk

Private inputs:note, rcm, esk

Convert Circuit

Enables multi-asset conversions within the shielded pool (e.g., staking rewards, asset swaps) while maintaining privacy.

Public inputs:anchor, cv

Private inputs:note, path, convert

ON-CHAIN VERIFICATION PIPELINE

User Generates Proof

Client-side proof generation using Sapling parameters (~5-10s)

Transaction Submitted

Proof bytes included in MASP transaction message

CGo/FFI Bridge

Go validator calls Rust MASP library via FFI bridge

Groth16 Verification

Pairing check on BLS12-381 elliptic curve (~2ms)

State Update

Nullifiers revealed, new commitments appended to Merkle tree

SECURITY PROPERTIES

Completeness — Valid proofs always verify
Soundness — Invalid proofs cannot be constructed
Zero-Knowledge — Proofs reveal nothing about private inputs
Trusted Setup — Uses Zcash Powers of Tau ceremony parameters
Double-Spend Prevention — Nullifier uniqueness enforced on-chain

IMPLEMENTATION DETAILS

MASP Librarylibhyve_masp (Rust)

BridgeCGo FFI

Proof Size~192 bytes (Groth16)

Verification Time~2ms per proof

Gas Cost2-5x standard transfer

WASM SupportBrowser proving available