Privacy Wallet · Technical Docs

Circuit design

Circuit constraints

Detailed logic enforced by the zero-knowledge circuit to ensure every transaction is valid and secure.

Merkle membership

For every spent note, the circuit verifies that the note's commitment exists in the Merkle tree at the specified index. It reconstructs the root from the leaf and sibling path, asserting equality with the public merkleRoot.

Nullifier integrity

The circuit enforces that the nullifier is derived correctly from the user's secret key and the note's spend nonce. This binds the spending authority to the note owner without revealing their identity.

nullifier === VoidHash(receiverViewPriv, inSpendNonce[i])

Value conservation

The sum of all inputs plus any external deposit must equal the sum of all outputs plus the public withdrawal. This prevents inflation.

Σ inBalance[i] + extAmountIn === Σ outAmount[j] + publicAmount

Output commitments

For every new note created, the circuit checks that the output commitment is correctly formed from the output amount and nonce. This ensures recipients receive valid, spendable notes.

outputCommitment[j] === VoidHash(outAmount[j], outNoteNonce[j])
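
The four constraints above, modelled as a plain-Python witness checker that reports which constraint a tampered transaction violates. This is an added example, not the project's circuit code. Assumptions: SHA-256 stands in for VoidHash (which the page names but does not define), arithmetic uses ordinary integers rather than field elements, the helper names and the public/private split of the dictionary keys are hypothetical, and each input commitment is taken as given because the page does not state how it relates to inBalance.

```python
import hashlib

def void_hash(*vals):
    # Assumption: SHA-256 over 32-byte big-endian integers stands in for
    # VoidHash, which the page names but does not define.
    data = b"".join(v.to_bytes(32, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def merkle_root(leaf, index, siblings):
    # Bit k of index says whether the node is the right child at level k.
    node = leaf
    for k, sib in enumerate(siblings):
        node = void_hash(sib, node) if (index >> k) & 1 else void_hash(node, sib)
    return node

def failed_constraints(pub, wit):
    """Return the names of violated constraints; an empty list means valid."""
    bad = []
    for i, n in enumerate(wit["inputs"]):
        if merkle_root(n["commitment"], n["index"], n["siblings"]) != pub["merkleRoot"]:
            bad.append(f"merkle[{i}]")
        if pub["nullifier"][i] != void_hash(wit["receiverViewPriv"], n["inSpendNonce"]):
            bad.append(f"nullifier[{i}]")
    total_in = sum(n["inBalance"] for n in wit["inputs"]) + pub["extAmountIn"]
    total_out = sum(o["outAmount"] for o in wit["outputs"]) + pub["publicAmount"]
    if total_in != total_out:
        bad.append("value")
    for j, o in enumerate(wit["outputs"]):
        if pub["outputCommitment"][j] != void_hash(o["outAmount"], o["outNoteNonce"]):
            bad.append(f"output[{j}]")
    return bad

def sample():
    # Constructed data: a depth-2 tree; the spent note sits at index 2.
    leaves = [void_hash(k, k) for k in range(4)]
    h01 = void_hash(leaves[0], leaves[1])
    note = {"commitment": leaves[2], "index": 2, "siblings": [leaves[3], h01],
            "inSpendNonce": 7, "inBalance": 70}
    outs = [{"outAmount": 60, "outNoteNonce": 11}, {"outAmount": 15, "outNoteNonce": 12}]
    wit = {"receiverViewPriv": 1234, "inputs": [note], "outputs": outs}
    pub = {"merkleRoot": void_hash(h01, void_hash(leaves[2], leaves[3])),
           "nullifier": [void_hash(1234, 7)], "extAmountIn": 30, "publicAmount": 25,
           "outputCommitment": [void_hash(o["outAmount"], o["outNoteNonce"]) for o in outs]}
    return pub, wit

if __name__ == "__main__":
    pub, wit = sample()
    print(failed_constraints(pub, wit))        # untampered transaction
    wit["outputs"][0]["outAmount"] += 1        # tamper with one output amount
    print(failed_constraints(pub, wit))
```

Changing a single output amount trips two checks at once, because the amount feeds both the balance equation and the output commitment.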