
zkEVM & Groth16 Proofs

DarkNet Protocol uses Groth16 zk-SNARKs on the BN254 pairing curve, with circuits authored in Noir. This page specifies the proving system, the shielded transaction flow, and the zkEVM compatibility layer.

Groth16 Proving System

Proofs are triples π = (A, B, C) ∈ G1 × G2 × G1 verified by the pairing equation:

$$e(A, B) = e(\alpha, \beta) \cdot e\!\left(\sum_{i=0}^{\ell} a_i \,\frac{\beta\, u_i(\tau) + \alpha\, v_i(\tau) + w_i(\tau)}{\gamma},\ \gamma\right) \cdot e(C, \delta)$$

~192-byte Proofs

Smallest of any major zk-SNARK. Directly minimises on-chain verification gas.

3 Pairings, Constant Cost

Verification cost is independent of circuit size — essential for L1-posted validity proofs.

Battle-Tested

Implementations and tooling: snarkjs, SnarkPack, bellman, Barretenberg. Deployed in Zcash, Tornado Cash, Hermez, Polygon zkEVM.

Trusted Setup Ceremony

Groth16 requires a circuit-specific Structured Reference String (SRS) produced by a multi-party computation in which at least one participant is honest. DarkNet will conduct a Powers-of-Tau ceremony with a minimum of 50 independent, geographically distributed participants, following the precedent of Zcash Sapling and Hermez. Powers of Tau covers the circuit-independent phase 1; Groth16 additionally needs a circuit-specific phase 2 contribution for each circuit, which must be repeated whenever that circuit changes. Ceremony transcripts will be published for independent verification.

Circuit Language: Noir

Circuits are authored in Noir, a Rust-inspired DSL that compiles to ACIR and targets Groth16 via Barretenberg. Noir's type system reduces the under-constrained-circuit bugs that have historically caused critical Circom vulnerabilities. Circom with snarkjs remains a validated fallback where Noir tooling is insufficient.

Shielded Transaction Flow

1. Note Creation

On deposit, the protocol creates a note:

note = Commit(v, ρ, r) = PedersenHash(v ‖ ρ ‖ r)

where v is value, ρ a nullifier seed, and r a blinding factor. The commitment is appended to a Merkle tree of depth 32 in contract storage.

2. Spend Authorization

To spend, the owner proves knowledge of the preimage without revealing it. The spend circuit consumes:

  • Private: note preimage (v, ρ, r), spending key sk with pk = PRF(sk), Merkle opening (c₁, …, c₃₂).
  • Public: nullifier η = PRF_sk(ρ), new output commitments, Groth16 proof π.

3. On-Chain Verification

The verifier contract checks three conditions:

  1. π is valid against the circuit's verifying key.
  2. The Merkle root used matches a recent root in the commitment-tree history window.
  3. The nullifier η has not been previously recorded (prevents double-spend).

The verifier never learns the input note, the spending key, or the transfer amount.

4. L2 → L1 Settlement

Transaction proofs are batched into validity proofs periodically submitted to Ethereum L1. L1 verification uses the same constant-cost Groth16 procedure, so DarkNet inherits L1 security without re-execution.
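The following is an added toy model of steps 1 to 3 above (note commitment, spend relation, and the verifier's three checks); it is example code, not DarkNet Protocol's implementation. It assumes SHA-256 as a stand-in for the Pedersen hash and the PRF, a depth-4 tree instead of depth 32, a 2-root history window, and represents the Groth16 pairing check by a boolean flag, since the point is the ledger logic around the proof, not the proof itself.

```python
import hashlib

DEPTH, HISTORY = 4, 2   # toy tree depth (32 in the spec); recent roots the verifier accepts
def H(*parts: bytes) -> bytes: return hashlib.sha256(b"".join(parts)).digest()
def commit(v: int, rho: bytes, r: bytes) -> bytes:   # note = Commit(v, rho, r), SHA-256 as Pedersen stand-in
    return H(v.to_bytes(32, "big"), rho, r)
def nullifier(sk: bytes, rho: bytes) -> bytes:       # eta = PRF_sk(rho), keyed hash as PRF stand-in
    return H(sk, rho)

def merkle_root(leaf: bytes, index: int, path: list) -> bytes:
    # Recompute the root from a leaf and its sibling path (the Merkle opening c1..c_DEPTH).
    node = leaf
    for level, sibling in enumerate(path):
        node = H(sibling, node) if (index >> level) & 1 else H(node, sibling)
    return node

class CommitmentTree:   # append-only, fixed depth; unused slots hold the zero leaf
    def __init__(self):
        self.leaves = []
    def append(self, c: bytes) -> int:
        self.leaves.append(c); return len(self.leaves) - 1
    def levels(self) -> list:   # levels[0] = padded leaves ... levels[DEPTH] = [root]
        lv = [self.leaves + [b"\x00" * 32] * (2 ** DEPTH - len(self.leaves))]
        while len(lv[-1]) > 1:
            n = lv[-1]; lv.append([H(n[i], n[i + 1]) for i in range(0, len(n), 2)])
        return lv
    def root(self) -> bytes: return self.levels()[-1][0]
    def opening(self, index: int) -> list:   # sibling of the path node at each level
        return [lv[(index >> d) ^ 1] for d, lv in enumerate(self.levels()[:-1])]

def spend_relation(v, rho, r, sk, index, path, root, eta) -> bool:
    # The statement the spend proof attests to. The on-chain verifier never sees v, rho, r
    # or sk; it is evaluated in the clear here only to show what the circuit constrains.
    return merkle_root(commit(v, rho, r), index, path) == root and nullifier(sk, rho) == eta

class ShieldedPool:   # verifier-side state: commitment tree, root window, nullifier set
    def __init__(self):
        self.tree, self.spent = CommitmentTree(), set()
        self.roots = [self.tree.root()]
    def deposit(self, note: bytes) -> int:
        idx = self.tree.append(note)
        self.roots = (self.roots + [self.tree.root()])[-HISTORY:]
        return idx
    def spend(self, proof_valid: bool, root: bytes, eta: bytes, outputs: list) -> str:
        if not proof_valid: return "invalid proof"       # check 1: Groth16 pairing check (stand-in flag)
        if root not in self.roots: return "stale root"   # check 2: root inside the history window
        if eta in self.spent: return "double spend"      # check 3: nullifier not yet recorded
        self.spent.add(eta)
        for c in outputs: self.deposit(c)                # new output commitments join the tree
        return "ok"
```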

zkEVM Compatibility Layer

DarkNet deploys on either the Polygon CDK or the zkSync ZK Stack, extended with a shielding layer. The zkEVM execution model is modified in two ways:

Dual State Root

A public trie (for unshielded assets and contract code) alongside a private note-commitment tree (for shielded assets). Transitions between them require a valid zk-SNARK shield / unshield proof.

Private Contract Execution

Contracts may operate on shielded inputs and produce shielded outputs. Contract code is publicly auditable; inputs and outputs of any given invocation are not.

EVM bytecode compatibility is preserved: Solidity contracts written for Ethereum deploy on DarkNet without modification, with optional shielding wrappers for privacy-sensitive flows.