Veil Logo

Veil Protocol

The infrastructure layer for building, managing, and monetizing private AI agents using zero-knowledge proofs and on-chain identity.

1.Executive Summary

Production Ready • Mainnet Deployable

The First Production-Grade Privacy Protocol
on Solana

Veil enables confidential transactions with industry-standard Groth16 zkSNARKs. Built for AI agents, institutional DeFi, and MEV-resistant trading — delivering cryptographic privacy without compromising Solana's performance.

Phase 3 Complete
80+ Tests Passing
Multi-asset Coming Q1 2026

Technical Performance

~7,000
R1CS
Constraints
Optimized circuit
<1s
on-chain
Verification
~200k CU cost
80+
coverage
Tests Passing
Production ready
5-10s
client
Proof Time
Native Rust core

Core Capabilities

Production-grade

Zero-Knowledge Privacy

Groth16 zkSNARKs provide cryptographic guarantees that transaction amounts, sender, and recipient remain completely hidden.

High-speed

Solana Performance

Sub-second on-chain verification with ~200k CU. Built for high-throughput DeFi applications and AI agent automation.

Battle-tested

Enterprise Security

Circuit-safe nullifiers, PDA-based double-spend prevention, 30-root history buffer for front-running protection.

Network ready

IP Privacy Layer

Relayer infrastructure breaks IP-to-transaction link. Self-host ready with 0.3% default fee for anonymous submission.

Ready to Build with Veil?

Production SDK available now. Multi-asset support, cross-chain bridging, and AI agents coming in 2025.

Technical DetailsView on GitHub

2.Background & Market Opportunity

The Privacy Crisis

Blockchain's transparency creates a fundamental privacy crisis. Every transaction is permanently visible, enabling sophisticated surveillance, MEV extraction, and competitive disadvantages for honest users.

Transparency Paradox

Public ledgers expose every transaction detail—amounts, counterparties, and behavior patterns—creating an impossible choice between trustlessness and privacy.

Critical blocker for institutional adoption

MEV Exploitation

Automated bots extract billions in value by front-running visible transactions. Traders and users systematically lose to sophisticated adversaries.

$7B+ extracted annually across chains

Fragmented Solutions

Existing privacy protocols sacrifice performance for privacy (slow proofs), centralization for speed (trusted operators), or user experience for security (complex UX).

No production-ready solution at scale

The Veil Solution

Veil provides a shielded pool architecture on Solana, enabling confidential transactions with production-grade cryptography and Solana-native performance.

Zero-Knowledge Proofs
Groth16 zkSNARKs
Circuit Efficiency
~7,000 constraints
Verification Cost
~200k CU (<$0.0002)
Network Privacy
Relayer infrastructure
1

Shield

Deposit assets into privacy pool with Pedersen commitments

2

Transfer

Send privately using zkSNARK proofs (5-10s generation)

3

Unshield

Withdraw to public addresses when needed

3.Cryptographic Primitives

Pedersen Commitments

C = amount·G + blinding·H

Cryptographic binding to amounts on BN254 G1 curve with perfect hiding properties. Commitments are 32 bytes, information-theoretically secure against amount extraction.

Curve
BN254 G1
Security
~128-bit
Size
32 bytes

Poseidon Hash Function

t=3, RF=8, RP=57, S-box: x⁵

zkSNARK-optimized hash function using sponge construction. Reduces circuit constraints by 100x vs SHA-256 (~200 vs ~20,000 constraints per hash).

Constraints
~200/hash
Field
BN254 Fr
Rounds
65 total

ECDH Note Encryption

ChaCha20-Poly1305 AEAD

Elliptic curve Diffie-Hellman on BN254 for key exchange, ChaCha20-Poly1305 for authenticated encryption. Recipients discover notes via trial decryption.

Encryption
ChaCha20
MAC
Poly1305
Size
96 bytes

Circuit-Safe Nullifiers

Two-step Poseidon derivation

Prevents secret leakage in zkSNARK circuits via spending_key intermediate. Nullifiers stored as PDAs with Anchor init constraint for double-spend prevention.

Derivation
2-step Poseidon
Storage
PDA-based
Constraints
~400 total

Groth16 zkSNARKs

BN254 curve, ~7,000 R1CS

Industry-standard zero-knowledge proof system. 256-byte proofs verify in <1s on-chain (~200k CU). Public inputs: merkle_root, nullifier, new_commitment (96 bytes).

Proof Size
256 bytes
Gen Time
5-10s
Verify Time
<1s

Merkle State Tree

Depth 20, Poseidon-based

Binary Merkle tree with ~1M leaf capacity. Filled subtrees optimization reduces proof size. 30-root history buffer protects against front-running attacks.

Depth
20 levels
Capacity
~1M leaves
Root History
30 roots

Circuit Constraint Breakdown (~7,000 total)

Merkle Proof (20 levels)
~4,000 constraints • 57%
Input/Output Commitments
~1,000 constraints • 14%
Nullifier Derivation
~400 constraints • 6%
Spending Key
~400 constraints • 6%
Validation Logic
~1,200 constraints • 17%

4.System Architecture

Four-Layer Design

1/4

Python SDK

Application Layer

High-level VeilClient API with async/sync methods. Manages secrets, coordinates proof generation, and submits transactions via RPC or relayers.

shield_async()
private_transfer_async()
unshield_async()
Context managers
Error handling
2/4

Rust Core

Cryptography Engine

Compiled shared library via PyO3 bindings. Generates Groth16 proofs (~7k constraints) at native speed in 5-10 seconds with optimized arkworks primitives.

generate_commitment()
generate_nullifier()
generate_proof()
verify_proof()
poseidon_hash()
3/4

Relayer Network

Privacy Infrastructure

Optional IP privacy layer via third-party relayers. Breaks IP-to-transaction link with 0.3% default fee. Self-host ready, marketplace coming Q1 2025.

IP privacy
Fee estimation
Relayer selection
Self-hosting
0.3% default fee
4/4

Solana Program

On-Chain Verifier

Anchor-based smart contract. Verifies Groth16 proofs (~200k CU), prevents double-spends via nullifier PDAs, maintains Merkle state with 30-root history.

Groth16 verification
Nullifier PDAs
Merkle tree
Shield/Transfer/Unshield
Fee collection

Transaction Flow

User
Python SDK
Transaction parameters
Python SDK
Rust Core
Proof generation request
Rust Core
Python SDK
256-byte Groth16 proof
Python SDK
Relayer (optional)
Signed transaction
Relayer
Solana Program
Proof + public inputs
Solana Program
User
Transaction confirmed

6.Core Features & Capabilities

Production

Groth16 Proof System

Industry-Standard zkSNARKs

BN254 curve for succinct non-interactive arguments of knowledge. 256-byte proofs (proof_a: 64, proof_b: 128, proof_c: 64) verify in <1s on-chain.

Proof Size
256 bytes
Public Inputs
96 bytes
Security
~128-bit
Optimized

~7,000 R1CS Constraints

Highly Optimized Circuit

Efficient constraint allocation: 57% Merkle proof, 14% commitments, 17% validation, 12% nullifiers. Enables 5-10s client-side proof generation.

Generation
5-10s
Memory
2-4 GB
Verification
<1s
Private

Merkle Membership Proofs

Privacy-Preserving State

Depth-20 binary tree (~1M capacity) proves fund existence without revealing which leaf is spent. Poseidon-based for circuit efficiency.

Depth
20 levels
Capacity
~1M leaves
Constraints
~4,000
Secure

Value Conservation

Mathematical Enforcement

Circuit enforces input_amount = output_amount with zero deviation. Any manipulation causes proof verification to fail cryptographically.

Enforcement
Circuit-level
Precision
Exact
Attacks
0 possible
Hardened

Circuit-Safe Nullifiers

No Secret Leakage

Two-step derivation (secret → spending_key → nullifier) prevents exposure in zkSNARK constraints. Reduces circuit complexity by ~500 constraints.

Steps
2-stage
Constraints
~400 total
Storage
PDA-based
Active

Front-Running Protection

30-Root History Buffer

Proofs remain valid for ~1 minute (30 tree updates) even if Merkle root changes. Prevents transaction invalidation from concurrent activity.

Buffer Size
30 roots
Validity
~1 minute
Protection
Built-in

7.Performance & Benchmarks

Operation Benchmarks

Proof Generation

Client Time5-10s
On-Chain TimeN/A
CostFree (client)

Native Rust core with arkworks, 2-4 GB RAM

Proof Verification

Client Time<10ms
On-Chain Time<1s
Cost~200k CU

BN254 pairing check, groth16-solana crate

Shield Transaction

Client Time<100ms
On-Chain Time~1s
Cost~50k CU

Commitment insertion + Merkle update

Private Transfer

Client Time5-10s (proof)
On-Chain Time~3s
Cost~200k CU

Includes zkSNARK verification + state update

Unshield Transaction

Client Time5-10s (proof)
On-Chain Time~3s
Cost~150k CU

Proof verification + withdrawal execution

Note Encryption

Client Time<1ms
On-Chain TimeN/A
CostFree (client)

ECDH + ChaCha20-Poly1305, 96-byte output

Competitive Comparison

MetricVeil (Solana)Tornado (Ethereum)Aztec (Ethereum)
Proof Size256 bytes ~384 bytes~2 KB
Verification Cost~200k CU ~600k gas~900k gas
Proof Time5-10s ~15s~30s
Constraints~7,000 ~11,000~28,000

* Benchmarks as of December 2024. Tornado/Aztec on Ethereum L1. Gas costs converted to approximate CU equivalents.

5.Security Model & Threat Analysis

Threat Mitigations

Double Spending

CriticalMitigated

Deterministic nullifier PDAs with Anchor init constraint. Once a nullifier is spent, the PDA exists permanently, preventing reuse.

Amount Manipulation

CriticalMitigated

zkSNARK circuit enforces value conservation: input_amount = output_amount + fee. Any deviation causes proof verification to fail.

Fake Membership

CriticalMitigated

Merkle proof verifies commitment exists in on-chain tree. 20-level path proves membership in ~1M leaf pool with ~4k constraints.

Front-Running

HighMitigated

30-root history buffer allows proofs anchored to recent roots (up to ~1 minute old). Transactions remain valid despite concurrent state changes.

Secret Leakage (Circuit)

CriticalMitigated

Two-step nullifier derivation prevents secret exposure in zkSNARK constraints. Spending key intermediate isolates secret from circuit logic.

Note Interception

HighMitigated

ECDH key exchange + ChaCha20-Poly1305 AEAD encryption. Only recipient can decrypt 96-byte note with their private key via trial decryption.

Security Assumptions

Discrete Log Problem (DLP)

BN254 curve security (~128-bit)

Industry standard

Trusted Setup

Groth16 requires setup ceremony (Phase 4)

MPC planned Q1 2025

Solana Security

Relies on validator consensus

Mainnet proven

Random Number Generation

OsRng for secret/blinding generation

OS-level entropy

8.Roadmap

Production Status: Mainnet Ready

Live

Phase 3 complete with production-grade Groth16 zkSNARKs (~7,000 constraints), relayer infrastructure, and 80+ tests passing. Now focusing on multi-asset support, advanced privacy features, and cross-chain interoperability.

Phase 1-2: Foundation & MVP

Q4 2025

Objective: Core cryptographic primitives and functional proof-of-concept.

Cryptographic Foundation

BN254 curve, Poseidon hashing, Pedersen commitments

Merkle Tree Implementation

Depth-20 tree with filled subtrees optimization

Basic Privacy Operations

Shield, transfer, and unshield functionality

Solana Program Development

Anchor-based smart contract infrastructure

Phase 3: Production Groth16MAINNET READY

Q4 2025

Objective: Production-grade zkSNARK implementation with enterprise features.

Groth16 Circuit (~7k constraints)

Highly optimized zkSNARK circuit with ~200k CU on-chain verification

Circuit-Safe Nullifiers

Two-step Poseidon derivation preventing secret leakage

ECDH Note Encryption

ChaCha20-Poly1305 with 96-byte encrypted notes for recipient discovery

Relayer Infrastructure

IP privacy layer with 0.3% default fee, self-host ready

Production SDK

Python SDK with Rust core, async/sync APIs, 80+ tests passing

Security Hardening

Front-running protection, PDA-based nullifiers, 30-root history

Phase 4: Multi-Asset & Scalability

Q1 2026

Objective: Expand protocol to support all Solana tokens with enhanced performance.

SPL Token Support

Private transfers for any SPL token with unified liquidity pools

Batch Proof Generation

Aggregate multiple operations into single proof for 50% cost reduction

Trusted Setup Ceremony

Multi-party computation with 100+ participants for production keys

Public Relayer Network

Decentralized relayer marketplace with reputation system

📋

Mobile SDK

React Native bindings for iOS/Android with optimized proof generation

Phase 5: Advanced Privacy Features

Q1 2026

Objective: Next-generation privacy primitives and institutional-grade features.

📋

Stealth Addresses

One-time addresses for enhanced recipient privacy and unlinkability

📋

Viewing Keys

Selective disclosure for compliance and auditing without compromising privacy

📋

Shielded Pools v2

Multi-denomination pools with improved anonymity sets (10x larger)

📋

Zero-Knowledge Compliance

Prove regulatory compliance without revealing transaction details

📋

Developer Tools

Privacy-as-a-Service APIs, GraphQL indexer, transaction explorer

Phase 6: Cross-Chain & Interoperability

Q2 2026

Objective: Bridge privacy across ecosystems with cross-chain private transfers.

💡

Wormhole Integration

Cross-chain private bridging to Ethereum, Polygon, and other EVM chains

💡

Unified Privacy Layer

Single SDK for private transactions across multiple blockchains

💡

Private DeFi Composability

Integrate with Jupiter, Orca, and major DeFi protocols

💡

Institutional Custody

Multi-sig support and hardware wallet integration for enterprises

Phase 7: AI & Automation

Q2 2026

Objective: Privacy-preserving AI agents and automated trading strategies.

💡

AI Agent Framework

Pre-built privacy agents for trading, payments, and DeFi automation

💡

MEV Protection Suite

Private order flow with encrypted mempool and shielded trading

💡

Zero-Knowledge Machine Learning

On-chain ML inference without revealing model or data

💡

Privacy-First Analytics

Aggregate statistics and insights without individual transaction exposure

Completed
In Progress
Upcoming

Disclaimer

The Veil Protocol is currently in alpha. The information provided in this whitepaper is for informational purposes only and does not constitute financial advice. Features and specifications are subject to change.