Privacy Wallet · Technical Docs

Security model

Privacy guarantees

Privacy comes from mixing many users' notes in a single Merkle tree and proving correctness with ZK proofs.

Summary

This section outlines what privacy you can and cannot expect from the protocol, covering unlinkability, confidentiality, and anonymity sets.

Transaction unlinkability

Deposits and withdrawals are mixed with many others in the Merkle tree. Because the mapping between inputs and outputs is known only inside the circuit, external observers can at best infer probabilistic links based on timing or amounts, not exact connections.

Amount confidentiality

Individual note values are hidden in commitments and ciphertext. Outside the circuit, observers only see aggregate changes in the pool balance and public withdrawal amounts.

Sender anonymity

The tree holds notes from many users. Since notes are simply commitments, there is nothing on-chain that labels a specific leaf as belonging to a particular user.

Recipient privacy

The circuit commits to the recipient address, but this address is not tied back to any specific deposit. The only public link is between the pool and the final recipient in the Execute phase.

Temporal unlinkability

Because the root history permits the use of slightly older roots, users can delay proof generation and execution. This reduces timing-based correlation between when funds are deposited and when they are withdrawn.
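The root-history behaviour described above, as an added example that is not the project's own code: a pool keeps a bounded window of recent roots, so a proof built against an older root is still accepted after later deposits, until that root is evicted. `Pool`, `ROOT_HISTORY_SIZE`, the tree depth and the use of SHA-256 are assumptions made for illustration; the page does not state the real parameters.

```python
from __future__ import annotations

import hashlib
from collections import deque

ROOT_HISTORY_SIZE = 4  # assumed window size; the real value is not given on the page


def _h(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()


def merkle_root(leaves: list[bytes], depth: int = 4) -> bytes:
    """Root of a fixed-depth tree; unused slots are padded with zero leaves."""
    level = leaves + [b"\x00" * 32] * (2 ** depth - len(leaves))
    while len(level) > 1:
        level = [_h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class Pool:
    """Holds note commitments plus a bounded history of recent roots."""

    def __init__(self) -> None:
        self.leaves: list[bytes] = []
        self.roots: deque[bytes] = deque(maxlen=ROOT_HISTORY_SIZE)
        self.roots.append(merkle_root(self.leaves))

    def deposit(self, commitment: bytes) -> bytes:
        self.leaves.append(commitment)
        root = merkle_root(self.leaves)
        self.roots.append(root)  # the oldest root drops out once the window is full
        return root

    def is_known_root(self, root: bytes) -> bool:
        return root in self.roots


def demo() -> tuple[bool, bool, int]:
    pool = Pool()
    # Constructed commitments; real ones hide the note's value and owner.
    proof_root = pool.deposit(hashlib.sha256(b"note-0").digest())
    for i in range(1, 4):
        pool.deposit(hashlib.sha256(f"note-{i}".encode()).digest())
    still_ok = pool.is_known_root(proof_root)     # 3 later deposits: inside the window
    set_size = len(pool.leaves)                   # leaves in the tree at execution time
    pool.deposit(hashlib.sha256(b"note-4").digest())
    expired = not pool.is_known_root(proof_root)  # 4 later deposits: root evicted
    return still_ok, expired, set_size
```

The window is bounded, so a delayed proof has to be executed before its root is evicted, otherwise it must be regenerated against a newer root.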