Threat model

Honest privacy means being clear about its edges. This page states what a blind transfer hides, what it does not, and the design choices that follow.

What is hidden

  • The amount. Values live inside notes and proofs. An observer sees a ciphertext and a verified proof, never a number.
  • The recipient. Funds land at a fresh one-time address derived from the recipient's meta-address. Two payments to the same person look unrelated, and neither links back to a known wallet.
  • The link between transfers. Notes split and recombine through a shared pool, so the amounts that enter do not line up with the amounts that leave, and one blind transfer cannot be tied to the one that funded it.

What is not hidden

  • That a transfer happened. A blind transfer is a real transaction. On an explorer it reads as a Protocol15 transfer. The fact of activity, its timing, and its fees are public.
  • The two crossings. Making funds private and withdrawing back to public are public moments by construction, and the interface marks them as such. Amounts and timing at these boundaries are visible, so treat them as the points where metadata can leak.
  • Network-level metadata. Protocol15 does not hide your IP address or which RPC endpoint you talk to. If that is part of your model, add the usual transport-level protections yourself, such as routing through Tor or running your own node; the protocol does not provide them.

Design consequences

  • Payments are final. Delivery is non-revocable: only the recipient can release a one-time output, and the sender cannot produce the key to claw it back. A payment to a dead or wrong meta-address is lost, so verify a meta-address out of band before sending to it. Unlinkable and trustless delivery costs reversibility, and the protocol pays that cost on purpose.
  • No privileged shortcut. The release path cannot be bypassed by a privileged party or a re-authorization trick: ownership is structural, derived from the recipient's key, so a forged signer fails by construction rather than by a check that could be skipped.
  • Auditability is opt-in, not a backdoor. Nobody can open your activity without a disclosure or viewing key you choose to issue, and both are scoped to one epoch. See Auditability.
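The script below is an added example written for this page; it is not Protocol15's code, and the page does not say which construction the protocol uses. It shows, in running code, the properties the two lists above claim: a one-time address derived from a meta-address so that two payments to the same recipient are unlinkable, a release key that only the spend-key holder can form (the sender, who knows everything it sent, cannot), and a viewing key that lets a third party detect an output without being able to spend it. It uses a dual-key stealth-address construction in the CryptoNote style over secp256k1 with a hash-derived shared scalar; the scheme, the hash domain tag and every function name are assumptions made for illustration.

```python
"""Illustrative dual-key stealth addresses (assumed construction, not Protocol15's)."""
import hashlib
import secrets

# secp256k1 curve constants, used here only as a convenient prime-order group.
PRIME = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (a = 0, so the doubling slope is 3x^2 / 2y)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return INF  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    acc = INF
    k %= ORDER
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def shared_scalar(point):
    """Hash a shared curve point to a scalar. The domain tag is an assumption."""
    data = b"stealth-demo-v0|" + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def recipient_keygen():
    """Recipient holds (view, spend); the published meta-address is (A, B) = (view*G, spend*G)."""
    view = secrets.randbelow(ORDER - 1) + 1
    spend = secrets.randbelow(ORDER - 1) + 1
    return (view, spend), (ec_mul(view, G), ec_mul(spend, G))


def send(meta_address):
    """Sender derives a fresh one-time output P = H(r*A)*G + B and publishes (R, P).
    A fresh r each time is what makes two payments to the same meta-address unlinkable."""
    A, B = meta_address
    r = secrets.randbelow(ORDER - 1) + 1
    R = ec_mul(r, G)
    s = shared_scalar(ec_mul(r, A))
    return R, ec_add(ec_mul(s, G), B)


def scan(view, B, R, P):
    """Detection needs only the viewing key: recompute s = H(view*R) and test s*G + B == P.
    Returns s on a match, else None. This is all a viewing-key holder can do with an output."""
    s = shared_scalar(ec_mul(view, R))
    return s if ec_add(ec_mul(s, G), B) == P else None


def release_key(view, spend, B, R, P):
    """Spending needs the spend key as well: p = s + spend, with p*G == P.
    The sender knows r, A and B but not spend, so it cannot form p and claw the output back."""
    s = scan(view, B, R, P)
    return None if s is None else (s + spend) % ORDER


if __name__ == "__main__":
    keys, meta = recipient_keygen()
    (R1, P1), (R2, P2) = send(meta), send(meta)
    print("two payments, unlinkable outputs:", P1 != P2)
    other_keys, _ = recipient_keygen()
    print("stranger's viewing key sees nothing:", scan(other_keys[0], meta[1], R1, P1) is None)
    p = release_key(keys[0], keys[1], meta[1], R1, P1)
    print("recipient's release key opens P1:", ec_mul(p, G) == P1)
```

Handing someone the view scalar is the analogue of issuing a viewing key: they can run scan over the chain and see which outputs are yours, and nothing more. The spend scalar never leaves the recipient, which is why no re-authorization path can release the output for anyone else.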

Anonymity set

Unlinkability is only as strong as the crowd you hide in. A shared pool with few participants, or a transfer with an unusual amount or timing, narrows the set an observer has to consider; an amount nobody else uses, or a withdrawal that follows its deposit by a single block, can narrow it to one candidate. Privacy here is a protocol property and a usage discipline at the same time: use common denominations, and do not cross the boundary in a hurry.