Analysis
The two-phase withdrawal architecture maintains strong privacy guarantees at every step of the process, breaking the link between the depositor and the final recipient.
Privacy properties
Input–output unlinkability
The mapping from input notes to output notes and public withdrawal is fully hidden by the circuit.
Recipient privacy
Recipients are not linked back to specific deposits, only to the final payout from the pool.
Amount confidentiality
Exact note values are hidden in commitments and ciphertext; only publicAmount is revealed.
Relayer isolation
Relayers learn payout and fee amounts, but not the composition of internal notes or the original depositor.