ZK Proof Pipeline
Rivellum uses zero-knowledge proofs for execution validity and optional transaction privacy.
ZK Backends
Rivellum supports three ZK proof systems:
| Backend | Type | Properties |
|---|---|---|
| Winterfell | STARKs | Transparent setup, post-quantum, larger proofs |
| Plonky2 | Recursive SNARKs | Fast recursion, smaller proofs, requires trusted setup |
| Halo2 | SNARKs | No trusted setup, good balance of proof size and verification time |
Proof Circuits
1. Balance Circuit
Proves an account holds sufficient balance without revealing the exact amount.
2. Transfer Circuit
Proves a value transfer is valid (sender has funds, amounts balance) without exposing transaction details.
3. Nullifier Circuit
Proves a nullifier has not been previously used, preventing double-spends in private transactions.
4. Merkle Inclusion Circuit
Proves a state entry exists in the Sparse Merkle Tree using Poseidon hashes over BN254.
5. Batch Validity Circuit
Proves an entire batch of intents was executed correctly — aggregating individual proofs via recursive composition.
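The statement the Merkle Inclusion Circuit attests to can be checked in the clear, which is useful when testing a prover or auditing a root. The following is an added example, not Rivellum code. It assumes SHA-256 as a stand-in for Poseidon over BN254, a tree depth of 16, integer leaf indices, and a constructed leaf encoding.

```python
import hashlib

DEPTH = 16  # assumed depth for this demo; the page does not state one

def h(left: bytes, right: bytes) -> bytes:
    # SHA-256 stand-in for the Poseidon-over-BN254 node hash; 0x01 tags inner nodes
    return hashlib.sha256(b"\x01" + left + right).digest()

def leaf_hash(value: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + value).digest()  # 0x00 tags leaves

# EMPTY[d] is the root of an all-empty subtree of height d
EMPTY = [b"\x00" * 32]
for _ in range(DEPTH):
    EMPTY.append(h(EMPTY[-1], EMPTY[-1]))

class SparseMerkleTree:
    def __init__(self):
        self.nodes = {}  # (height, index) -> hash; empty subtrees are not stored

    def _get(self, height: int, index: int) -> bytes:
        return self.nodes.get((height, index), EMPTY[height])

    def root(self) -> bytes:
        return self._get(DEPTH, 0)

    def update(self, index: int, value: bytes) -> None:
        node = leaf_hash(value)
        for height in range(DEPTH):
            self.nodes[(height, index)] = node
            sibling = self._get(height, index ^ 1)
            node = h(node, sibling) if index & 1 == 0 else h(sibling, node)
            index >>= 1
        self.nodes[(DEPTH, 0)] = node

    def prove(self, index: int) -> list:
        # Sibling hashes from the leaf level up to just below the root
        return [self._get(ht, (index >> ht) ^ 1) for ht in range(DEPTH)]

def verify(root: bytes, index: int, leaf: bytes, proof: list) -> bool:
    # Recompute the path; reject malformed proofs before hashing anything
    if len(proof) != DEPTH or not 0 <= index < 2 ** DEPTH:
        return False
    node = leaf
    for sibling in proof:
        node = h(node, sibling) if index & 1 == 0 else h(sibling, node)
        index >>= 1
    return node == root
```

Inclusion is `verify(root, i, leaf_hash(value), proof)`; absence of an entry is the same call with `EMPTY[0]` as the leaf. A proof only verifies against the root it was generated for, so a verifier must pin the root it trusts.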
Proof Lifecycle
1. Intent execution produces an execution trace
2. Trace is hashed (BLAKE3) and stored as a content-addressed blob
3. PoUW job is created referencing the trace
4. Prover claims job, downloads trace, generates ZK proof
5. Prover submits proof to the node
6. Node verifies proof on-chain
7. Proof is attached to the batch for inclusion in consensus
Recursive Composition
For batch-level proofs, individual intent proofs are composed recursively:
Intent Proof A ─┐
Intent Proof B ─┼──→ Recursive Aggregation ──→ Batch Proof
Intent Proof C ─┘
This allows a single compact proof to attest to the validity of an entire batch.
Privacy Mode
When submitting with --private or using encrypted envelopes, the ZK pipeline provides:
- Confidential amounts: Balance and transfer amounts are hidden
- Sender privacy: Sender identity is hidden behind a commitment
- Nullifier-based spend tracking: Prevents double-spending without revealing which note was spent
Privacy API Endpoints
| Endpoint | Description |
|---|---|
| GET /v1/zk/balance | Query shielded balance (requires viewing key) |
| GET /v1/zk/history | Shielded transaction history |
| GET /v1/zk/nullifier/:id | Check nullifier status |
| GET /v1/zk/status | ZK subsystem status |
| GET /v1/zk/commitment-root | Current commitment tree root |
| GET /v1/zk/disclosure/:id | Selective disclosure for compliance |
PoUW Integration
ZK proof generation is the "useful work" in Proof-of-Useful-Work. See PoUW Setup for how provers participate in the proof market.
For the overall architecture, see Architecture Overview.