Zero-Knowledge Proof System

This document provides an in-depth technical explanation of StyxPay's zero-knowledge proof implementation for transaction privacy and settlement.

Overview

StyxPay employs zero-knowledge proofs (specifically ZK-SNARKs) to enable private, verifiable transactions on Solana while maintaining regulatory compliance and auditability.

Key Properties

Privacy: Transaction amounts and parties remain confidential
Verifiability: Proofs can be verified without revealing underlying data
Succinctness: Proofs are small (~200 bytes) and fast to verify (~5ms)
Non-interactivity: No back-and-forth communication required

ZK-SNARK Stack

┌─────────────────────────────────────┐
│   Application Layer (StyxPay)      │
├─────────────────────────────────────┤
│   Circuit Layer (R1CS)              │
├─────────────────────────────────────┤
│   Proving System (Groth16)          │
├─────────────────────────────────────┤
│   Elliptic Curve (BN254/BLS12-381)  │
├─────────────────────────────────────┤
│   Solana Blockchain (Settlement)    │
└─────────────────────────────────────┘

ZK-SNARK Implementation

Proving System: Groth16

We use Groth16 for its optimal proof size and verification time.

Characteristics:

Proof Size: 128 bytes (2 G₁ points + 1 G₂ point)
Verification Time: ~2-5ms
Proving Time: ~50-200ms (depends on circuit size)
Setup: Requires trusted setup ceremony

Trade-offs:

✅ Smallest proof size
✅ Fastest verification
❌ Circuit-specific trusted setup
❌ Not updatable

Elliptic Curve: BN254

BN254 (also known as BN128) provides 128-bit security level.

Parameters:

Prime field: p = 21888242871839275222246405745257275088696311157297823662689037894645226208583
Curve equation: y² = x³ + 3
Embedding degree: k = 12
Security level: 128 bits

Point Representations:

// G₁ point (base field)
struct G1Point {
    x: Fr,  // 256 bits
    y: Fr,  // 256 bits
}

// G₂ point (extension field)
struct G2Point {
    x: (Fr, Fr),  // 512 bits
    y: (Fr, Fr),  // 512 bits
}

Transaction Settlement Flow

Phase 1: Transaction Initiation

User → Authorization Request → StyxPay Backend

Data Structure:

struct TransactionRequest {
    pub merchant_id: PublicKey,        // 32 bytes
    pub amount: u64,                   // 8 bytes
    pub currency: CurrencyType,        // 1 byte
    pub timestamp: i64,                // 8 bytes
    pub nonce: [u8; 32],              // 32 bytes (prevents replay)
    pub metadata_hash: [u8; 32],      // 32 bytes
}

Phase 2: Authorization Check

Backend validates against user's authorization policy:

fn check_authorization(
    request: &TransactionRequest,
    policy: &AuthorizationPolicy,
    user_state: &UserState,
) -> Result<bool, AuthError> {
    // 1. Check daily limit
    if user_state.daily_spent + request.amount > policy.daily_limit {
        return Err(AuthError::DailyLimitExceeded);
    }

    // 2. Check merchant whitelist
    if policy.whitelist_enabled {
        if !policy.allowed_merchants.contains(&request.merchant_id) {
            return Err(AuthError::MerchantNotAllowed);
        }
    }

    // 3. Verify signature
    verify_signature(&request, &user_state.public_key)?;

    Ok(true)
}

Phase 3: ZK Proof Generation

Generate proof that transaction is valid without revealing details.

Public Inputs:

struct PublicInputs {
    pub nullifier: [u8; 32],          // Prevents double-spending
    pub commitment: [u8; 32],         // Commitment to transaction
    pub merkle_root: [u8; 32],        // Root of account tree
    pub policy_hash: [u8; 32],        // Hash of authorization policy
}

Private Inputs (witness):

struct PrivateInputs {
    pub amount: u64,
    pub sender_balance: u64,
    pub receiver_address: PublicKey,
    pub sender_secret: [u8; 32],
    pub merkle_path: Vec<[u8; 32]>,   // Path to prove account existence
    pub salt: [u8; 32],
}

Proof Generation Code:

use bellman::{groth16, Circuit, ConstraintSystem, SynthesisError};
use bls12_381::Bls12;

pub fn generate_transaction_proof(
    public: PublicInputs,
    private: PrivateInputs,
    params: &groth16::Parameters<Bls12>,
) -> Result<groth16::Proof<Bls12>, SynthesisError> {
    let circuit = TransactionCircuit {
        public_inputs: Some(public),
        private_inputs: Some(private),
    };

    // Generate random proving key
    let mut rng = rand::thread_rng();

    // Create proof
    let proof = groth16::create_random_proof(circuit, params, &mut rng)?;

    Ok(proof)
}

Phase 4: On-Chain Verification

Submit proof to Solana program for verification.

Solana Program Instruction:

use anchor_lang::prelude::*;

#[program]
pub mod styxpay_settlement {
    use super::*;

    pub fn verify_and_settle(
        ctx: Context<VerifyAndSettle>,
        proof: Vec<u8>,
        public_inputs: Vec<u8>,
    ) -> Result<()> {
        // 1. Deserialize proof
        let groth16_proof = deserialize_proof(&proof)?;

        // 2. Deserialize public inputs
        let inputs = deserialize_public_inputs(&public_inputs)?;

        // 3. Verify ZK proof
        require!(
            verify_groth16_proof(&groth16_proof, &inputs, &ctx.accounts.vk),
            ErrorCode::InvalidProof
        );

        // 4. Check nullifier hasn't been used
        require!(
            !ctx.accounts.nullifier_set.contains(&inputs.nullifier),
            ErrorCode::NullifierAlreadyUsed
        );

        // 5. Update state
        ctx.accounts.nullifier_set.insert(inputs.nullifier);
        ctx.accounts.merkle_root.update(inputs.commitment);

        // 6. Execute settlement
        settle_transaction(ctx, inputs)?;

        Ok(())
    }
}

Phase 5: Settlement Execution

fn settle_transaction(
    ctx: Context<VerifyAndSettle>,
    inputs: PublicInputs,
) -> Result<()> {
    // Compute encrypted amount from commitment
    let encrypted_amount = decrypt_with_homomorphic_encryption(
        &inputs.commitment,
        &ctx.accounts.settlement_key,
    )?;

    // Transfer tokens
    let cpi_accounts = Transfer {
        from: ctx.accounts.vault.to_account_info(),
        to: ctx.accounts.recipient.to_account_info(),
        authority: ctx.accounts.vault_authority.to_account_info(),
    };

    let cpi_program = ctx.accounts.token_program.to_account_info();
    let cpi_ctx = CpiContext::new(cpi_program, cpi_accounts);

    token::transfer(cpi_ctx, encrypted_amount)?;

    // Emit event (encrypted)
    emit!(TransactionSettled {
        nullifier: inputs.nullifier,
        commitment: inputs.commitment,
        timestamp: Clock::get()?.unix_timestamp,
    });

    Ok(())
}

Cryptographic Primitives

1. Pedersen Commitments

Used to commit to transaction amounts.

Definition:

C = amount · G + blinding_factor · H

Where:

G and H are elliptic curve points
amount is the secret value
blinding_factor is random field element

Implementation:

use curve25519_dalek::ristretto::RistrettoPoint;
use curve25519_dalek::scalar::Scalar;

pub fn pedersen_commit(
    amount: u64,
    blinding_factor: &Scalar,
) -> RistrettoPoint {
    let g = RistrettoPoint::generator();
    let h = RistrettoPoint::hash_from_bytes(b"StyxPay_H_Point");

    let amount_scalar = Scalar::from(amount);

    g * amount_scalar + h * blinding_factor
}

Properties:

✅ Hiding: Cannot deduce amount from C
✅ Binding: Cannot find different amount' that produces same C
✅ Homomorphic: C₁ + C₂ = (a₁ + a₂)·G + (r₁ + r₂)·H

2. Poseidon Hash Function

ZK-friendly hash function optimized for proving.

Specification:

Poseidon-128 with:
- t = 3 (state size)
- R_F = 8 (full rounds)
- R_P = 57 (partial rounds)
- Field: BN254 scalar field

Implementation:

pub fn poseidon_hash(inputs: &[Fr]) -> Fr {
    let mut state = [Fr::zero(); 3];

    // Absorb inputs
    for (i, input) in inputs.iter().enumerate() {
        state[i % 3] = state[i % 3] + input;
        if (i + 1) % 3 == 0 {
            state = permute(state);
        }
    }

    // Final permutation
    state = permute(state);

    state[0]
}

fn permute(state: [Fr; 3]) -> [Fr; 3] {
    let mut s = state;

    // Full rounds
    for round in 0..4 {
        s = add_round_constants(s, round);
        s = apply_s_box(s, true);
        s = apply_mds_matrix(s);
    }

    // Partial rounds
    for round in 4..61 {
        s = add_round_constants(s, round);
        s = apply_s_box(s, false);
        s = apply_mds_matrix(s);
    }

    // Full rounds
    for round in 61..65 {
        s = add_round_constants(s, round);
        s = apply_s_box(s, true);
        s = apply_mds_matrix(s);
    }

    s
}

Advantages:

10x fewer constraints than SHA-256 in circuits
~50 constraints per Poseidon hash
Constant-time execution

3. Nullifiers

Prevent double-spending without revealing transaction ID.

Generation:

pub fn generate_nullifier(
    secret: &[u8; 32],
    transaction_hash: &[u8; 32],
) -> [u8; 32] {
    let input = [secret, transaction_hash].concat();
    let hash = poseidon_hash_bytes(&input);
    hash.to_bytes()
}

Properties:

Each transaction produces unique nullifier
Cannot link nullifier to transaction without secret
Can verify nullifier hasn't been used before

4. Merkle Trees

Prove account existence without revealing entire state.

Tree Structure:

                    Root
                   /    \
                  /      \
               H₁₂        H₃₄
              /  \        /  \
            H₁   H₂     H₃   H₄
           / \   / \   / \   / \
          A₁ A₂ A₃ A₄ A₅ A₆ A₇ A₈

Implementation:

pub struct SparseMerkleTree {
    depth: usize,
    root: [u8; 32],
    nodes: HashMap<[u8; 32], ([u8; 32], [u8; 32])>,
}

impl SparseMerkleTree {
    pub fn insert(&mut self, index: u64, leaf: [u8; 32]) {
        let path = self.index_to_path(index);
        let mut current = leaf;

        for (i, direction) in path.iter().enumerate().rev() {
            let sibling = self.get_sibling(i, *direction);

            current = if *direction {
                poseidon_hash_bytes(&[sibling, current].concat())
            } else {
                poseidon_hash_bytes(&[current, sibling].concat())
            };

            self.nodes.insert(current,
                if *direction { (sibling, current) }
                else { (current, sibling) }
            );
        }

        self.root = current;
    }

    pub fn prove(&self, index: u64) -> MerkleProof {
        let path = self.index_to_path(index);
        let mut siblings = Vec::new();

        for (i, direction) in path.iter().enumerate() {
            siblings.push(self.get_sibling(i, *direction));
        }

        MerkleProof {
            leaf_index: index,
            siblings,
            path,
        }
    }

    pub fn verify(
        proof: &MerkleProof,
        leaf: [u8; 32],
        root: [u8; 32],
    ) -> bool {
        let mut current = leaf;

        for (sibling, direction) in proof.siblings.iter()
            .zip(proof.path.iter()) {
            current = if *direction {
                poseidon_hash_bytes(&[*sibling, current].concat())
            } else {
                poseidon_hash_bytes(&[current, *sibling].concat())
            };
        }

        current == root
    }
}

Circuit Design

R1CS (Rank-1 Constraint System)

All computations in ZK-SNARKs are expressed as quadratic constraints:

A · B = C

Where A, B, C are linear combinations of variables.

Transaction Circuit

Circuit Constraints:

Balance Check:

fn constrain_balance<CS: ConstraintSystem<Fr>>(
    cs: &mut CS,
    sender_balance: LinearCombination<Fr>,
    amount: LinearCombination<Fr>,
    new_balance: LinearCombination<Fr>,
) {
    // sender_balance - amount = new_balance
    cs.enforce(
        || "balance_check",
        |lc| lc + sender_balance - amount,
        |lc| lc + CS::one(),
        |lc| lc + new_balance,
    );

    // new_balance >= 0 (range proof)
    range_proof(cs, new_balance, 64);
}

Commitment Consistency:

fn constrain_commitment<CS: ConstraintSystem<Fr>>(
    cs: &mut CS,
    amount: LinearCombination<Fr>,
    blinding: LinearCombination<Fr>,
    commitment: LinearCombination<Fr>,
) {
    // commitment = amount · G + blinding · H
    let g = cs.alloc_input(|| "G", || Ok(G_POINT))?;
    let h = cs.alloc_input(|| "H", || Ok(H_POINT))?;

    // amount_point = amount · G
    let amount_point = scalar_mult(cs, amount, g)?;

    // blinding_point = blinding · H
    let blinding_point = scalar_mult(cs, blinding, h)?;

    // commitment = amount_point + blinding_point
    point_add(cs, amount_point, blinding_point, commitment)?;
}

Merkle Proof Verification:

fn constrain_merkle_proof<CS: ConstraintSystem<Fr>>(
    cs: &mut CS,
    leaf: LinearCombination<Fr>,
    path: &[LinearCombination<Fr>],
    directions: &[bool],
    root: LinearCombination<Fr>,
) {
    let mut current = leaf;

    for (sibling, direction) in path.iter().zip(directions.iter()) {
        let (left, right) = if *direction {
            (sibling.clone(), current)
        } else {
            (current, sibling.clone())
        };

        // current = hash(left, right)
        current = poseidon_hash_gadget(cs, &[left, right])?;
    }

    // Final hash must equal root
    cs.enforce(
        || "merkle_root_check",
        |lc| lc + current,
        |lc| lc + CS::one(),
        |lc| lc + root,
    );
}

Nullifier Uniqueness:

fn constrain_nullifier<CS: ConstraintSystem<Fr>>(
    cs: &mut CS,
    secret: LinearCombination<Fr>,
    tx_hash: LinearCombination<Fr>,
    nullifier: LinearCombination<Fr>,
) {
    // nullifier = hash(secret, tx_hash)
    let computed = poseidon_hash_gadget(cs, &[secret, tx_hash])?;

    cs.enforce(
        || "nullifier_check",
        |lc| lc + computed,
        |lc| lc + CS::one(),
        |lc| lc + nullifier,
    );
}

Range Proofs:

fn range_proof<CS: ConstraintSystem<Fr>>(
    cs: &mut CS,
    value: LinearCombination<Fr>,
    num_bits: usize,
) {
    let bits = value.into_bits_le(cs, num_bits)?;

    // Ensure each bit is 0 or 1
    for (i, bit) in bits.iter().enumerate() {
        cs.enforce(
            || format!("bit_{}_boolean", i),
            |lc| lc + bit,
            |lc| lc + CS::one() - bit,
            |lc| lc,
        );
    }

    // Reconstruct value from bits
    let mut reconstructed = LinearCombination::zero();
    let mut coeff = Fr::one();

    for bit in bits {
        reconstructed = reconstructed + (coeff, bit);
        coeff = coeff.double();
    }

    cs.enforce(
        || "range_proof_reconstruction",
        |lc| lc + reconstructed,
        |lc| lc + CS::one(),
        |lc| lc + value,
    );
}

Complete Circuit

use bellman::{Circuit, ConstraintSystem, SynthesisError};

pub struct TransactionCircuit {
    // Public inputs
    pub nullifier: Option<[u8; 32]>,
    pub commitment: Option<[u8; 32]>,
    pub merkle_root: Option<[u8; 32]>,
    pub policy_hash: Option<[u8; 32]>,

    // Private inputs (witness)
    pub amount: Option<u64>,
    pub sender_balance: Option<u64>,
    pub receiver_address: Option<PublicKey>,
    pub sender_secret: Option<[u8; 32]>,
    pub merkle_path: Option<Vec<[u8; 32]>>,
    pub blinding_factor: Option<Fr>,
}

impl Circuit<Fr> for TransactionCircuit {
    fn synthesize<CS: ConstraintSystem<Fr>>(
        self,
        cs: &mut CS,
    ) -> Result<(), SynthesisError> {
        // Allocate public inputs
        let nullifier = cs.alloc_input(
            || "nullifier",
            || self.nullifier.ok_or(SynthesisError::AssignmentMissing)
                .map(|n| Fr::from_bytes(&n).unwrap())
        )?;

        let commitment = cs.alloc_input(
            || "commitment",
            || self.commitment.ok_or(SynthesisError::AssignmentMissing)
                .map(|c| Fr::from_bytes(&c).unwrap())
        )?;

        let merkle_root = cs.alloc_input(
            || "merkle_root",
            || self.merkle_root.ok_or(SynthesisError::AssignmentMissing)
                .map(|r| Fr::from_bytes(&r).unwrap())
        )?;

        // Allocate private inputs (witness)
        let amount = cs.alloc(
            || "amount",
            || self.amount.ok_or(SynthesisError::AssignmentMissing)
                .map(Fr::from)
        )?;

        let sender_balance = cs.alloc(
            || "sender_balance",
            || self.sender_balance.ok_or(SynthesisError::AssignmentMissing)
                .map(Fr::from)
        )?;

        let sender_secret = cs.alloc(
            || "sender_secret",
            || self.sender_secret.ok_or(SynthesisError::AssignmentMissing)
                .map(|s| Fr::from_bytes(&s).unwrap())
        )?;

        // Constraint 1: Balance is sufficient
        constrain_balance(cs, sender_balance, amount)?;

        // Constraint 2: Commitment is well-formed
        constrain_commitment(cs, amount, self.blinding_factor, commitment)?;

        // Constraint 3: Merkle proof is valid
        constrain_merkle_proof(
            cs,
            sender_secret,
            &self.merkle_path.unwrap(),
            merkle_root,
        )?;

        // Constraint 4: Nullifier is correctly computed
        let tx_hash = poseidon_hash_gadget(cs, &[
            amount,
            commitment,
            cs.alloc(|| "receiver", || Ok(self.receiver_address.unwrap().into()))?,
        ])?;

        constrain_nullifier(cs, sender_secret, tx_hash, nullifier)?;

        // Constraint 5: Amount is in valid range (64 bits)
        range_proof(cs, amount, 64)?;

        Ok(())
    }
}

Circuit Complexity

Constraint Count:

Balance check: 2 constraints
Commitment: 150 constraints (elliptic curve ops)
Merkle proof (depth 20): 1,000 constraints (50 × 20)
Nullifier: 50 constraints
Range proof: 64 constraints
Total: ~1,266 constraints

Performance:

Proving time: ~50ms
Verification time: ~2ms
Proof size: 128 bytes
Public input size: 128 bytes

Proof Generation

Setup Phase (One-Time)

use bellman::groth16::{
    generate_random_parameters,
    prepare_verifying_key,
};

pub fn setup_ceremony() -> (
    Parameters<Bls12>,
    PreparedVerifyingKey<Bls12>,
) {
    let mut rng = OsRng;

    // Create dummy circuit for setup
    let circuit = TransactionCircuit {
        nullifier: None,
        commitment: None,
        merkle_root: None,
        policy_hash: None,
        amount: None,
        sender_balance: None,
        receiver_address: None,
        sender_secret: None,
        merkle_path: None,
        blinding_factor: None,
    };

    // Generate parameters
    let params = generate_random_parameters::<Bls12, _, _>(
        circuit,
        &mut rng,
    ).unwrap();

    // Prepare verifying key
    let pvk = prepare_verifying_key(&params.vk);

    (params, pvk)
}

Proving Phase

use bellman::groth16::create_random_proof;

pub fn prove_transaction(
    params: &Parameters<Bls12>,
    public_inputs: PublicInputs,
    private_inputs: PrivateInputs,
) -> Result<Proof<Bls12>, ProofError> {
    let mut rng = OsRng;

    // Create circuit with actual values
    let circuit = TransactionCircuit {
        nullifier: Some(public_inputs.nullifier),
        commitment: Some(public_inputs.commitment),
        merkle_root: Some(public_inputs.merkle_root),
        policy_hash: Some(public_inputs.policy_hash),
        amount: Some(private_inputs.amount),
        sender_balance: Some(private_inputs.sender_balance),
        receiver_address: Some(private_inputs.receiver_address),
        sender_secret: Some(private_inputs.sender_secret),
        merkle_path: Some(private_inputs.merkle_path),
        blinding_factor: Some(private_inputs.blinding_factor),
    };

    // Generate proof
    let proof = create_random_proof(circuit, params, &mut rng)?;

    Ok(proof)
}

Proof Serialization

pub fn serialize_proof(proof: &Proof<Bls12>) -> Vec<u8> {
    let mut buffer = Vec::new();

    // Serialize A (G₁ point)
    proof.a.write(&mut buffer).unwrap();

    // Serialize B (G₂ point)
    proof.b.write(&mut buffer).unwrap();

    // Serialize C (G₁ point)
    proof.c.write(&mut buffer).unwrap();

    buffer
}

pub fn deserialize_proof(bytes: &[u8]) -> Result<Proof<Bls12>, DeserializationError> {
    let mut cursor = std::io::Cursor::new(bytes);

    let a = G1Affine::read(&mut cursor)?;
    let b = G2Affine::read(&mut cursor)?;
    let c = G1Affine::read(&mut cursor)?;

    Ok(Proof { a, b, c })
}

Verification Process

Off-Chain Verification

use bellman::groth16::verify_proof;

pub fn verify_transaction_proof(
    pvk: &PreparedVerifyingKey<Bls12>,
    proof: &Proof<Bls12>,
    public_inputs: &PublicInputs,
) -> Result<bool, VerificationError> {
    // Convert public inputs to field elements
    let inputs = vec![
        Fr::from_bytes(&public_inputs.nullifier).unwrap(),
        Fr::from_bytes(&public_inputs.commitment).unwrap(),
        Fr::from_bytes(&public_inputs.merkle_root).unwrap(),
        Fr::from_bytes(&public_inputs.policy_hash).unwrap(),
    ];

    // Verify proof
    let valid = verify_proof(pvk, proof, &inputs)?;

    Ok(valid)
}

On-Chain Verification (Solana)

use anchor_lang::prelude::*;

#[program]
pub mod zkproof_verifier {
    use super::*;

    pub fn verify_groth16(
        ctx: Context<VerifyProof>,
        proof: [u8; 128],
        public_inputs: [u8; 128],
    ) -> Result<()> {
        // Load verifying key from account
        let vk = &ctx.accounts.verifying_key;

        // Parse proof
        let proof_a = parse_g1_point(&proof[0..64])?;
        let proof_b = parse_g2_point(&proof[64..96])?;
        let proof_c = parse_g1_point(&proof[96..128])?;

        // Parse public inputs
        let inputs = parse_public_inputs(&public_inputs)?;

        // Compute verification equation
        // e(A, B) = e(α, β) · e(L, γ) · e(C, δ)
        let lhs = pairing(&proof_a, &proof_b);

        let rhs = pairing(&vk.alpha, &vk.beta)
            .mul(&pairing(&compute_l(&inputs, &vk.gamma_abc), &vk.gamma))
            .mul(&pairing(&proof_c, &vk.delta));

        require!(lhs == rhs, ErrorCode::InvalidProof);

        Ok(())
    }
}

fn compute_l(
    inputs: &[Fr],
    gamma_abc: &[G1Affine],
) -> G1Affine {
    let mut acc = gamma_abc[0];

    for (input, base) in inputs.iter().zip(gamma_abc.iter().skip(1)) {
        acc = acc.add(&base.mul(input));
    }

    acc
}

Optimized Pairing Check

use ark_ec::pairing::Pairing;
use ark_bn254::Bn254;

pub fn verify_proof_optimized(
    proof: &Proof,
    public_inputs: &[Fr],
    vk: &VerifyingKey,
) -> bool {
    // Compute linear combination of public inputs
    let l = multi_scalar_mul(
        &vk.gamma_abc_g1[1..],
        public_inputs,
    ).add(&vk.gamma_abc_g1[0]);

    // Single pairing check using batch verification
    // e(A, B) · e(-α, β) · e(-L, γ) · e(-C, δ) = 1
    let result = Bn254::multi_pairing(
        &[proof.a, vk.alpha.neg(), l.neg(), proof.c.neg()],
        &[proof.b, vk.beta, vk.gamma, vk.delta],
    );

    result.is_one()
}

Privacy Guarantees

Information Leaked

Public Information:

Nullifier (unlinkable to transaction)
Commitment (hiding transaction amount)
Merkle root (reveals total number of accounts, not balances)
Policy hash (reveals which policy, not its contents)

Private Information (never revealed):

Transaction amount
Sender identity
Receiver identity
Account balances
Merkle path (account position in tree)

Security Assumptions

Discrete Logarithm Problem: Cannot solve x in g^x = h
Decisional Diffie-Hellman: Cannot distinguish (g^a, g^b, g^ab) from (g^a, g^b, g^c)
Trusted Setup Security: Toxic waste properly destroyed
Collision Resistance: Poseidon hash is collision-resistant

Attack Resistance

Replay Attacks:

Prevented by nullifier tracking
Each nullifier can only be used once
Stored in Solana account state

Double Spending:

Prevented by nullifier uniqueness
Cannot create two transactions with same secret
Merkle root prevents unauthorized balance modifications

Linkability Attacks:

Transactions cannot be linked to same user
Nullifiers are pseudorandom
Commitments hide amounts

Timing Attacks:

Constant-time arithmetic operations
No branching based on secret data
Side-channel resistant implementation

Performance Benchmarks

Proof Generation

Circuit constraints: 1,266
Proving time: 52.3ms
Peak memory: 145 MB
CPU cores: 1

Proof Verification

Verification time: 2.1ms
Gas cost (Solana): ~50,000 CU
Throughput: 476 tx/sec (single core)

On-Chain Storage

Proof size: 128 bytes
Public inputs: 128 bytes
Nullifier: 32 bytes
Total per tx: 288 bytes

Scalability

Transactions per second (TPS):
- Single prover: 19 TPS
- 8-core prover: 140 TPS
- 64-core prover: 950 TPS

Solana verification:
- Single validator: 476 TPS
- Parallel verification: 5,000+ TPS

Future Improvements

1. Plonk/Halo2 Migration

Benefits:

Universal trusted setup
Updatable circuits
Better recursion support

Trade-offs:

Larger proof size (~400 bytes)
Slower verification (~5-10ms)

2. Recursive Proofs

Prove multiple transactions in one proof:

Proof₁ + Proof₂ + ... + Proofₙ → Single Recursive Proof

Benefits:

Constant verification time
Batch settlement
Lower gas costs

3. Bulletproofs for Range Proofs

Replace range proof constraints with Bulletproofs:

Benefits:

No trusted setup
Logarithmic proof size
Better for large ranges

4. zkEVM Integration

Run StyxPay logic in zkEVM:

Benefits:

Smart contract programmability
Easier auditability
Ethereum compatibility

Last Updated: January 2026 Version: 1.0.0 Authors: StyxPay Security Team

PreviousFrontend Architecture NextTransaction Settlement

Last updated 22 hours ago

Good evening

Table of Contents

Overview

Key Properties

ZK-SNARK Stack

ZK-SNARK Implementation

Proving System: Groth16

Elliptic Curve: BN254

Transaction Settlement Flow

Phase 1: Transaction Initiation

Phase 2: Authorization Check

Phase 3: ZK Proof Generation

Phase 4: On-Chain Verification

Phase 5: Settlement Execution

Cryptographic Primitives

1. Pedersen Commitments

2. Poseidon Hash Function

3. Nullifiers

4. Merkle Trees

Circuit Design

R1CS (Rank-1 Constraint System)

Transaction Circuit

Complete Circuit

Circuit Complexity

Proof Generation

Setup Phase (One-Time)

Proving Phase

Proof Serialization

Verification Process

Off-Chain Verification

On-Chain Verification (Solana)

Optimized Pairing Check

Privacy Guarantees

Information Leaked

Security Assumptions

Attack Resistance

Performance Benchmarks

Proof Generation

Proof Verification

On-Chain Storage

Scalability

Future Improvements

1. Plonk/Halo2 Migration

2. Recursive Proofs

3. Bulletproofs for Range Proofs

4. zkEVM Integration

Related Documentation