ZK-XGen-AI — Privacy Infrastructure Platform

🖥️

Best Viewed on Desktop

The technical documentation and app previews are optimized for desktop viewing.

⚡

ZK Circuits

Nine Circom circuits spanning the full protocol evolution — from basic deposit to V9 relayer binding and V11 partial withdrawals.

ℹ️ Open Source

All circuit source code is published below. Click any circuit card to view the full Circom source. Constraint estimates are from the circuit comments — exact counts after compilation may vary slightly.

Core Circuits (Deployed)

withdraw_dual_v9_relayer.circomdeployed

Main withdrawal circuit. Dual nullifier, Poseidon₄ commitment, Merkle proof (20 levels), passphrase verification, relayer binding anti-frontrun.

Constraints

~3,800

Signals

5 public + 8 private

association_set_membership.circomdeployed

Proof of Innocence — proves commitment ∈ ASP clean set via Merkle proof, without revealing which commitment. Based on Buterin et al. 2023.

Constraints

~3,000

Signals

2 public + 40 private

partial_withdraw_v1.circomdeployed

V11 partial withdrawal. Amount cryptographically bound to leaf via Poseidon₂(commitment, amount). Change commitment for remainder. Full dual nullifier anti-coercion preserved.

Constraints

~4,500

Signals

8 public + 14 private

selective_disclosure_v1.circomdeployed

Dual Merkle proof (pool + ASP). Configurable range checks on amount and timestamp. Audit nonce binding prevents replay. Optional checks via trivial ranges.

Constraints

~6,800

Signals

7 public + 44 private

Helpers & Evolution

deposit.circombase

Basic deposit: Poseidon₂(secret, nullifier) → commitment + nullifierHash.

Constraints

~400

Signals

0 public + 2 private

selector.circomhelper

Arithmetic primitives: Selector (mux), OR, AND gates. No branching — mathematical indistinguishability.

Constraints

~3 each

Signals

—

withdraw_dual.circomv1

First dual-logic: panic_bit OR ia_inference → coercion detection. Poseidon₂ commitment.

Constraints

~3,200

Signals

2 public + 7 private

withdraw_sentinel.circomv9

V9 with passphrase + biometry. NOT(estrés) AND frase_correcta. Poseidon₄ commitment.

Constraints

~3,500

Signals

2 public + 8 private

withdraw_dual_v9.circomv9

V9 refined: direct acceso_real = biometria_normal * frase_correcta. Uses CommitmentHasherV9 template.

Constraints

~3,600

Signals

2 public + 8 private

Source Code

Circuit Evolution

V1deposit.circom — Poseidon₂(secret, nullifier)
│
V2withdraw_dual.circom — Add dual nullifier + panic_bit OR ia_inference
│
V9withdraw_sentinel.circom — Add passphrase hash → Poseidon₄ commitment
│
V9withdraw_dual_v9.circom — Simplify: acceso_real = biometria_normal * frase_correcta
│
V9Rwithdraw_dual_v9_relayer.circom — Add relayer + fee binding (DEPLOYED)
├── association_set_membership.circom (Proof of Innocence)
├── partial_withdraw_v1.circom (V11: amount-bound leaves)
└── selective_disclosure_v1.circom (V11: dual Merkle + range proofs)

Compilation Pipeline

circuit build pipelinebash

# 1. Compile circuit → R1CS + WASM
circom withdraw_dual_v9_relayer.circom --r1cs --wasm --sym -o build/

# 2. Trusted setup — Phase 1 (Powers of Tau)
snarkjs powersoftau new bn128 16 pot16_0000.ptau
snarkjs powersoftau contribute pot16_0000.ptau pot16_0001.ptau --name="ZK-Sentinel Ceremony"

# 3. Phase 2 — Circuit-specific
snarkjs groth16 setup build/withdraw_dual.r1cs pot16_final.ptau withdraw_0000.zkey
snarkjs zkey contribute withdraw_0000.zkey withdraw_final.zkey

# 4. Export verification key + Solidity verifier
snarkjs zkey export verificationkey withdraw_final.zkey vkey.json
snarkjs zkey export solidityverifier withdraw_final.zkey Verifier.sol

# NOTE: vkey is embedded in Verifier.sol at compile time
# The .zkey file is NOT used at runtime by the contract
# Flow: r1cs → zkey → Verifier.sol (vkey embedded)

⚠️ Important: vkey and .zkey clarification

The verification key (vkey) is embedded directly into the Solidity Verifier contract at compilation time. The .zkey file is used only during proof generation (client-side) and is NOT required at runtime by the on-chain verifier. This means the contract is self-contained for verification.