Skip to main content
This document explains the core protocol mechanics: how notes work, what commitments and nullifiers are, how the Merkle tree stores state, and what happens step-by-step during deposits, transfers, and withdrawals. Prerequisites: Familiarity with EVM smart contracts, hash functions, and Merkle trees. Basic understanding of what a zero-knowledge proof does (proves a statement without revealing the witness).

The UTXO Model

Privacy Boost uses a UTXO (Unspent Transaction Output) model. Instead of maintaining account balances, the system tracks individual notes, each representing a specific amount of a specific token owned by a specific user. Think of it like cash. You don’t have a “balance of $47,” you have a $20 bill, a $20 bill, a $5 bill, and two $1 bills. To pay someone $15, you hand over the $20 and get $5 back as change. In Privacy Boost:
  • Spending a note publishes a nullifier (marks it as consumed)
  • Receiving creates new notes (adds commitments to the Merkle tree)
  • A transfer consumes input notes and creates output notes, with the ZK circuit enforcing that inputs = outputs + fees

Notes and Commitments

What’s Inside a Note

A note contains three fields:
FieldDescription
NPK (Note Public Key)Unique per-note key derived from the owner’s identity + randomness
Token IDWhich ERC-20 token (compact ID from the TokenRegistry)
ValueAmount of tokens
The NPK is derived from the owner’s Master Public Key (MPK) and a per-note random value: 
MPK = Poseidon2(accountId, nullifyingKey)
NPK = Poseidon2(MPK, noteRnd)
All Poseidon2 hashes in the protocol use domain separators to prevent cross-context collisions; the Glossary lists the specific values. The per-note randomness ensures that even if the same user receives the same token and amount twice, the resulting commitments are different.

Commitments

A commitment is the Poseidon2 hash of a note’s contents: 
Commitment = Poseidon2(NPK, tokenId, value)
This is what gets stored onchain as a Merkle tree leaf. It reveals nothing about the note’s contents; an observer sees only a 256-bit hash. The 128-bit randomness in NPK makes brute-force inversion computationally infeasible.

Nullifiers

A nullifier is a one-time-use tag that marks a specific note as spent. It prevents double-spending without revealing which note was consumed.

How Nullifiers Work

Each nullifier is derived from the user’s secret nullifying key and the note’s position in the Merkle tree: 
Nullifier = Poseidon2(nullifyingKey, leafIndex)
The tree number is encoded in the hash domain to prevent cross-tree collisions. An observer sees commitments going in and nullifiers coming out, but can’t link them: the nullifier depends on a secret key and a leaf index, while the commitment depends on NPK, token, and amount. There’s no algebraic relationship between the two. The contract enforces uniqueness: each nullifier can only be recorded once, preventing double-spending.

How Ownership Is Proven

To spend a note, you prove three things inside the ZK circuit:
  1. You know the note’s secrets: The circuit verifies your private fields hash to the correct commitment.
  2. Your auth key is registered: You sign with your EdDSA auth key, and the circuit proves it exists in the AuthRegistry.
  3. The note exists: The circuit verifies a Merkle proof for your commitment.
All three checks happen in zero knowledge: the contract sees only the proof result, the nullifiers, and the new output commitments. It never learns which note was spent, who signed, or what the amounts were.

Merkle Trees

Fixed-Depth Incremental Merkle Tree

All note commitments are stored in an append-only, fixed-depth binary Merkle tree using Poseidon2 hashing. Each tree has a fixed depth of 24 (~16.7M leaves); empty subtrees are filled with precomputed zero hashes, so an append only recomputes the hashes along one path to the root. Leaves are never modified or deleted.

Multi-Tree Architecture

When the active tree fills up, a new tree is created (rollover). Input notes can reference commitments in any historical tree, so old notes remain spendable indefinitely. Each tree maintains a ring buffer of recent roots, allowing proofs to reference slightly stale roots. This accommodates the delay between proof construction and onchain submission.

Tree Transitions in Circuits

When new notes are created, the ZK circuit proves that the tree state transition is valid, and the contract just verifies the proof and updates the stored root. This means the contract never has to compute Poseidon2 hashes onchain for leaf insertions.

Transaction Lifecycle

Transaction lifecycle swimlane: deposit, transfer, and forced withdrawal flows across User/SDK, TEE Server, and Smart Contract

Deposit (Public → Shielded)

Deposits are a 2-step process:
  1. User locks tokens: The user computes note commitments, encrypts the metadata using the dual-path ECDH scheme, and submits everything to the contract. The contract transfers the ERC-20 tokens and stores the pending deposit with replay protection.
  2. TEE processes the batch: The TEE detects pending deposits, generates a Groth16 proof verifying that commitments are correctly computed and the tree state transition is valid, then submits it onchain.
Cancellation: If the TEE doesn’t process a deposit within the cancel delay period, the depositor can reclaim their tokens.

Transfer (Shielded → Shielded)

Transfers move value between shielded notes. Sender identity, recipient identity, token type, and amounts are all hidden from onchain observers.
  1. User prepares: Select input notes to spend, construct output notes for the recipient (and change for yourself), sign with your EdDSA auth key, and encrypt the output metadata using dual-path ECDH
  2. User submits to TEE: The TEE verifies the signature and ciphertext integrity, then batches the transfer into an epoch
  3. TEE submits epoch: The TEE generates a Groth16 proof covering signature validity, note existence, nullifier correctness, value conservation, and tree state transition, then submits it onchain
  4. Contract verifies: Checks the proof, marks nullifiers as spent, updates the tree root
How the recipient discovers the transfer: The TEE decrypts the output ciphertexts and indexes the new notes. The recipient queries their balance from the TEE indexer. For manual recovery, the recipient can also decrypt the onchain ciphertext independently using their viewing key.

Withdrawal (Shielded → Public)

Withdrawals use the same mechanism as transfers. The difference: instead of creating an output note, the contract sends ERC-20 tokens to a public address. Withdrawals are batched alongside transfers in the same epoch.

Forced Withdrawal (Emergency Exit)

Forced withdrawal is the self-custody escape hatch: exit the shielded pool without any TEE involvement.
  1. Reconstruct your notes: Scan onchain events and decrypt metadata with your viewing key
  2. Generate a ZK proof locally: Prove you own the notes and derive correct nullifiers (this runs on consumer hardware)
  3. Submit to the contract: The contract verifies the proof and starts a configurable delay period
  4. Execute after the delay: The contract transfers your tokens
Why the delay? It gives the account owner time to cancel unauthorized requests (e.g., from a compromised device) and allows the TEE to process any racing normal transactions.

Epoch Batching

Multiple user transactions are aggregated into a single epoch, one Groth16 proof covering the entire batch. This is a key design choice for throughput:
  • A single Groth16 proof verifies the entire epoch, so the fixed cost of proof verification is amortized across every transaction in the batch
  • The larger the batch, the lower the proof-verification overhead per transaction
  • At Base’s gas target, this enables 300+ sustained TPS; at the gas limit, 1,800+ TPS
Epochs are submitted when the batch reaches the configured size. Transfers are not instant; they settle when the epoch is submitted onchain. To bridge the gap between submission and on-chain settlement, the TEE exposes a preconfirmed state. Once a transfer is committed to an upcoming epoch, the TEE reserves its input nullifiers cluster-wide and materializes the output note in the indexer overlay. The SDK reports this state through the transaction status field and surfaces it as phase: 'spendable' so applications can chain the next private action (another transfer or a withdrawal) without waiting for the epoch to land. Preconfirmation is a soft confirmation: a reorg can still force the TEE to re-batch or fail the request, so clients keep polling until completed. Shields and unshields also pass through preconfirmed, but neither produces a spendable output, so that state is progress UI only. See Transaction Lifecycle for the full state machine. To prevent key-rotation attacks during an epoch, an epoch proof must reference a sufficiently fresh AuthRegistry root. When a root is replaced, the AuthRegistry records the block at which it was superseded, and the pool accepts an auth root only if it is current or still within a configured staleness window.

Fee Model

  • Deposits are fee-free
  • Transfers and withdrawals charge configurable fees (in basis points)
  • The ZK circuit enforces conservation: inputs = outputs + fees
  • Forced withdrawal fees are deducted at execution time

Earn: Private DeFi

Earn lets users put shielded funds to work in external DeFi and generate yield without publicly revealing their wallet identity. All DeFi activity is linked to Privacy Boost rather than to any individual user. The high-level flow:
  • Supply: move assets from your shielded balance into an approved vault and hold the resulting position privately.
  • Redeem: redeem that position back into assets in your shielded balance.
  • Asynchronous redeem: for vaults that settle redemptions over time, request a redemption and claim the assets once the vault fulfills it.
Privacy Boost supports both standard ERC-4626 vaults and asynchronous ERC-7540 vaults, and only vaults approved by the operator can be used. What stays private. Your wallet identity is never revealed. The action at the vault itself is visible onchain (the vault, the token, and the amount), the same way a public withdrawal is, but it cannot be tied to your Privacy Boost account. Self-custody is preserved. Earn positions sit in the same shielded pool as the rest of your funds, with the same exit guarantees. Token swaps and other DeFi actions are not supported yet (see Coming Soon).

Smart Contracts

ContractRole
PrivacyBoostCore shielded pool: Merkle trees, nullifier registry, deposits, epochs, forced withdrawals
AuthRegistryBinds account IDs to EdDSA signing keys. Supports multi-device, rotation, and revocation. Maintains its own Poseidon2 Merkle tree; epoch proofs reference a recent (non-superseded) auth root within a staleness window.
TokenRegistryMaps compact token IDs to ERC-20 addresses (append-only)
AuditGatewayAuditor registry and onchain audit logging (see Auditability)
Groth16 VerifiersProof verification for each circuit type (Epoch, Deposit, ForcedWithdraw)
All core contracts are deployed behind upgrade proxies.

Coming Soon

More privacy-preserving capabilities are in development, each designed to preserve the same privacy and self-custody guarantees:
  • Portal deposit addresses: give each user a reusable public deposit address, similar to a centralized-exchange deposit address, that can be funded by others and displayed on a profile or invoice. Incoming tokens are automatically credited to the owner’s shielded balance, and observers see the address but never which account is credited.
  • Claimable transfers: send shielded funds to a wallet address, even if the recipient has not joined Privacy Boost yet. The recipient can claim the funds by proving ownership of that address, and the sender can reclaim unclaimed funds after a set deadline.
  • DeFi swaps: swap between tokens from a shielded balance without publicly exposing the user’s wallet identity, extending Earn beyond yield vaults.

Next Steps