ZK-XGen-AI — Privacy Infrastructure Platform

🖥️

Best Viewed on Desktop

The technical documentation and app previews are optimized for desktop viewing.

👁️

Shadow Passphrase

The canary phrase — a deliberate decoy trigger that formalizes peace of mind as a cryptographic parameter (Paper §5.4).

🚨 The $5 Wrench Attack (Paper §1.1)

Over 189+ documented physical attacks on cryptocurrency holders with estimated losses exceeding $84M. The attack chain: KYC leak → identity correlation → target selection → physical coercion → theft. No encryption algorithm protects assets when an adversary applies physical force (XKCD #538). YoY growth: +292% (2018-2020), +89% (2021-2023).

Why Existing Anti-Coercion Fails (Paper §1.2)

Proposed mechanisms like decoy wallets and panic passwords share a fundamental vulnerability: their logic is visible on-chain. A sophisticated attacker can read the contract source, identify duress branches, demand both passwords, and verify which branch executed.

Listing 1 — Detectable anti-coercion logic (VULNERABLE)Solidity

// This code is PUBLICLY VISIBLE on Etherscan
function withdraw(bytes32 _password) external {
    if (keccak256(_password) == duressHash) {
        // Decoy branch — ATTACKER CAN SEE THIS EXISTS
        transferDecoy(msg.sender);
    } else if (keccak256(_password) == realHash) {
        // Real branch — ATTACKER CAN DEMAND BOTH
        transferReal(msg.sender);
    }
}

✅ ZK-Sentinel's Paradigm Shift (Paper §1.3)

Move the decision logic inside the zero-knowledge circuit. In a ZK circuit, private inputs and internal computations are mathematically impossible to observe — the verifier learns nothing beyond the validity of the statement. The contract sees only: valid proof + nullifier + recipient. No branches, no duress flags, no detectable logic.

Formal Construction (Paper §5)

Definitions 5-7 — Dual Nullifier + Shadow PassphraseMath

── Definition 5: Dual-Nullifier Generation ────────────────
Given secret s ∈ F_p and Poseidon hash H:
  N_real  = H(s, 0)
  N_decoy = H(s, 1)

Lemma 1 (Nullifier Independence): N_real and N_decoy are
computationally independent. Given one, computing the other
requires knowledge of s. (Poseidon PRF under Sponge assumption)

── Commitment Structure ───────────────────────────────────
  C = H(s, N_real, N_decoy, H_frase)
  → inserted into on-chain Merkle tree

── Definition 6: Arithmetic Selector ──────────────────────
  a = ia_inference × frase_correcta

  N_output = a · H(N_real) + (1 − a) · H(N_decoy)

Lemma 2: Expression expands to N_output = H(N_decoy) + a · (H(N_real) − H(N_decoy))
→ exactly 2 R1CS constraints regardless of a ∈ {0,1}
→ same gas, same proof size, same verification time

── Definition 7: Shadow Passphrase (Canary Phrase) ────────
A secondary phrase that deliberately triggers decoy mode
without generating any observable indicator.

  frase_correcta = frase_real × (1 − frase_shadow)

Where:
  frase_real   = (frase_hash == frase_esperada)
  frase_shadow = (frase_hash == frase_shadow_hash)

"Canary" — sings (activates protection) before danger materializes.

Extended Truth Table (Paper Table 5)

Real Phrase	Shadow Phrase	IA Inference	a	Result	On-Chain
1	0	1	1	REAL: Normal operation	Valid TX ✓
1	0	0	0	DECOY: AI detects coercion	Valid TX ✓
0	1	X	0	DECOY: Shadow Passphrase (canary)	Valid TX ✓
0	0	X	0	DECOY: Incorrect phrase	Valid TX ✓

Defense in depth: real funds released ONLY when both conditions satisfied. Any single indicator of duress activates decoy mode.

🟢 Normal Withdrawal (a = 1)

Phrase: Real passphrase ✓
IA: Normal biometrics ✓
Nullifier: H(N_real, secret)
Result: Full deposit withdrawn

🟠 Coerced Withdrawal (a = 0)

Phrase: Shadow/wrong OR stress
IA: Stress detected OR phrase wrong
Nullifier: H(N_decoy, secret)
Result: Decoy pool withdrawal

Circuit Implementation (Real Code)

withdraw_dual_v9_relayer.circom — dual nullifier logicCircom

// COMMITMENT: Poseidon₄(secret, η_real, η_decoy, H_frase)
component commitmentHasher = Poseidon(4);
commitmentHasher.inputs[0] <== secret;
commitmentHasher.inputs[1] <== nullifier_real;
commitmentHasher.inputs[2] <== nullifier_decoy;
commitmentHasher.inputs[3] <== frase_hash_stored;

// PASSPHRASE VERIFICATION
component fraseHasher = Poseidon(1);
fraseHasher.inputs[0] <== frase_input;
component fraseComparator = IsEqual();
fraseComparator.in[0] <== fraseHasher.out;
fraseComparator.in[1] <== frase_hash_stored;
signal frase_correcta;
frase_correcta <== fraseComparator.out;  // 1 si coincide, 0 si no

// DUAL LOGIC — acceso_real = ia_inference AND frase_correcta
// ia_inference: 1 = normal, 0 = estrés (from ZKML model)
signal acceso_real;
acceso_real <== ia_inference * frase_correcta;
ia_inference * (1 - ia_inference) === 0;  // binary constraint

// NULLIFIER HASHES — both computed, one selected
component nullifierRealHasher = Poseidon(2);
nullifierRealHasher.inputs[0] <== nullifier_real;
nullifierRealHasher.inputs[1] <== secret;
signal nullifier_hash_real;
nullifier_hash_real <== nullifierRealHasher.out;

component nullifierDecoyHasher = Poseidon(2);
nullifierDecoyHasher.inputs[0] <== nullifier_decoy;
nullifierDecoyHasher.inputs[1] <== secret;
signal nullifier_hash_decoy;
nullifier_hash_decoy <== nullifierDecoyHasher.out;

// ARITHMETIC SELECTOR — no branching, proof reveals nothing
signal selectedNullifier;
selectedNullifier <== acceso_real * (nullifier_hash_real - nullifier_hash_decoy)
                    + nullifier_hash_decoy;

// On-chain: both nullifiers are valid → indistinguishable
nullifierHash === selectedNullifier;

Formal Proof of Indistinguishability (Paper §9.1)

Theorem 2 — Dual-Logic Indistinguishability (sequence of games)Proof

Theorem 2: Given only public outputs (root, nullifierHash, recipient,
relayer, fee, π), no PPT adversary can determine the value of private
selector a with probability significantly greater than 1/2.

Proof via sequence of games:

Game 0: Real protocol execution.
  Adversary observes (root, N_out, recipient, relayer, fee, π)

Game 1: Replace Poseidon hash outputs with truly random values.
  |Pr[A wins G1] − Pr[A wins G0]| ≤ negl(λ)
  (by PRF security of Poseidon under Sponge assumption)

Game 2: Replace Groth16 proof π with simulated proof π*.
  |Pr[A wins G2] − Pr[A wins G1]| ≤ negl(λ)
  (by zero-knowledge property of Groth16)

In Game 2, adversary's view:
  • root:     independent of a
  • N_out:    random value (by Game 1)
  • recipient, relayer, fee:  chosen by user, independent of a
  • π*:       simulated, no witness information

All components independent of a ⟹ Pr[A guesses a] = 1/2  □

Corollary 1 (Coercion Resistance): Under coercion, decoy nullifier
produces valid funds. Attacker CANNOT determine:
  (1) Whether user has additional real funds
  (2) Whether coercion resistance was activated
  (3) What triggered the decoy path

ℹ️ Peace of Mind as a Cryptographic Parameter (Definition 8)

ZK-Sentinel formalizes cryptographic peace of mind Ψ(P): the verifiable guarantee that (1) there exists an escape action A_escape the user can execute under coercion, (2) A_escape is computationally indistinguishable from normal action A_real, and (3) the user can verify (1) and (2) before depositing funds. The Shadow Passphrase satisfies all three: A_escape = entering the canary phrase; indistinguishability guaranteed by arithmetic selector (same circuit, same gas, same proof structure); verifiability via Circom source inspection. Protocol's indistinguishability follows from Poseidon's PRF security under the Sponge assumption (Theorem 2, proven via sequence of games).