p15.docs

Privacy model

Blind Mode hides the amount with a note model, not with on-chain confidential balances. The tokens themselves are plain SPL tokens moved with ordinary transfer_checked. The privacy comes from what sits on top: Noir circuits, Groth16 proofs, and a shared pool.

This is a deliberate choice. An earlier design used Token-2022 Confidential Transfers and ZK ElGamal. That path is disabled. Plain SPL plus notes is simpler to reason about, works with legacy mints like wrapped SOL and USDC, and keeps the proving story in one place.

Notes and the shared pool

A note is a private claim on a balance held inside a shared pool. The pool is a program that owns one token account per mint. Depositing moves real tokens into the pool and records a commitment; spending proves you own a note without revealing which one; withdrawing moves tokens back out.

Each note commits to five fields with a Poseidon hash:

code
commitment = Poseidon5(amount, asset, owner, blind, secret)
  • amount is the value of the note.
  • asset is the mint, folded into a field element, so a note is tied to one token.
  • owner binds the note to a key only the holder controls.
  • blind and secret are randomness that make the commitment hiding and keep notes unlinkable.

Because every note carries an asset, the same pool holds many tokens at once. A transfer circuit asserts that the input and both outputs share one asset, so a transfer never silently changes which token you hold.

What the proof establishes

Spending a note produces a Groth16 proof, verified on chain by a dedicated verifier program, that asserts the spend is well formed: the input note exists, the spender owns it, the output commitments are correctly constructed, and value is conserved. The verifier checks the proof; it never sees the amount, the owner, or which note moved.

The amount stays private because it only ever appears inside the proof. Two new output notes come out of a spend, which is what lets value split and recombine without exposing the figures.

No custody, gated withdrawal

The pool is non-custodial. Funds leave only through withdraw, and only when the caller signs as the note's owner, the commitment recomputes, and a live spend marker is present. The asset is computed on chain from the mint, not trusted from the client, so a withdrawal cannot lie about which token it is taking.

This same note machinery powers private swaps: withdraw a note of asset A, route the swap, and deposit the output as a private note of asset B, with both legs recoverable by scanning. See the Private swap guide for the flow, and Stealth & announce for how recipients discover their notes.