What is ZK Privacy EB?

ZK Privacy EB (Encrypted Balances) is a privacy layer for stablecoins that hides transaction amounts while maintaining regulatory compliance. Unlike UTXO-based privacy systems, EB provides instant balance checks with zero scanning.

Why EB?

Problem with UTXO	EB Solution
Scan thousands of notes to find yours	One RPC call + local decrypt
Note fragmentation requires consolidation	Single encrypted balance per user
Complex wallet sync (minutes to hours)	Instant - just read your balance slot
All-or-nothing privacy	Three layers: choose your level

Three Privacy Layers

+---------------------------------------------------------------+
|  L1: PUBLIC ERC-20                                            |
|    Standard balanceOf(). Full transparency.                   |
+---------------------------------------------------------------+
|  L2: ENCRYPTED BALANCES                             [DEFAULT] |
|    Amounts hidden. Addresses visible.                         |
|    encryptedBalances[compressedBPK] = ElGamal Encrypted Balance                |
|    ~87k gas per transfer (Jacobian optimized)                |
+---------------------------------------------------------------+
|  L3: ANONYMOUS STAKING                                        |
|    Individual stake commitments + aggregated burns.           |
|    Uses nullifier IMT - no link between stake/unstake.        |
|    ~450k gas (up to 8 commits). Full graph privacy.           |
+---------------------------------------------------------------+

Key Concepts

Concept	What It Is
BPK (Balance Public Key)	Your Grumpkin public key. Share it to receive encrypted transfers.
Compressed BPK	32-byte reversible encoding of BPK. Used as storage key.
ElGamal Ciphertext	`(R, C)` where `R = rG` and `C = mG + r*BPK`. Additively homomorphic.
ZK Proof	Proves balance ownership and sufficient funds without revealing amounts.
Stake Commitment	`hash(amount, blinding, secret)`. Inserted into Merkle tree for L3.
Nullifier	Prevents double-spending in L3. Derived from stake secret.

Operations at a Glance

Operation	Layer	What It Does	Gas
`shield()`	L1->L2	Convert public tokens to encrypted balance	~87k
`transfer()`	L2->L2	Private transfer (ZK proof, amounts hidden)	~370k
`unshield()`	L2->L1	Convert encrypted balance to public tokens	~320k
`stake()`	L2->L3	Create anonymous stake commitment	~400k
`unstake()`	L3->L2	Burn stake to any BPK (breaks link)	~450k

Wallet Integration

EB supports two key derivation modes - use whichever fits your UX:

Linked Mode (Recommended)

Derive EB keys from any existing EVM wallet. One wallet, one identity.

import { keysFromSignature } from '@zk-privacy/eb-sdk';

const signature = await walletClient.signMessage({
  message: `zkPrivacy spending key for ${address}`,
});

const keys = keysFromSignature(signature);

Why this is powerful:

No new seed phrase to backup
EVM wallet IS your EB wallet
Works with any signing wallet (MetaMask, Ledger, WalletConnect, Coinbase)
Deterministic: same signature = same keys

Standalone Mode

Generate a separate EB identity with its own mnemonic:

import { generateMnemonic, keysFromMnemonic } from '@zk-privacy/eb-sdk';

const mnemonic = generateMnemonic();
const keys = keysFromMnemonic(mnemonic);

When to use:

Maximum separation between EVM and EB identities
Hardware wallet with custom EB app
Institutional setups

Browser-Based Proving

All ZK proofs are generated client-side in the browser:

import { createClient, keysFromSignature } from '@zk-privacy/eb-sdk';

const client = await createClient({ chainId: 8453 });

const signature = await walletClient.signMessage({
  message: `zkPrivacy spending key for ${address}`,
});
const keys = keysFromSignature(signature);

const wallet = client.wallet({ 
  spendingKey: keys.spendingKey, 
  account,
});

await wallet.USD.shield({ amount: 1000_000000n });
await wallet.USD.transfer({ to: recipientBPK, amount: 500_000000n });

Sub-second proving. Your secrets never leave your device.

Compliance Model

EB is designed for regulated stablecoins (MiCA, etc.):

What	Visible?	Notes
L2 sender/recipient	Yes	BPK visible on-chain (not EVM address)
L2 amounts	No	ElGamal encrypted
L3 addresses	No	Anonymity set
L3 amounts	No	Hidden in stake commitments
UKRC decryption	Optional	m-of-n guardians for legal orders

No single party - not even us - can decrypt. Only threshold guardian cooperation under legal order.

Next Steps

Ready to build? Follow the Quick Start guide.

Why EB?​

Three Privacy Layers​

Key Concepts​

Operations at a Glance​

Wallet Integration​

Linked Mode (Recommended)​

Standalone Mode​

Browser-Based Proving​

Compliance Model​

Next Steps​