stealthPRIVATE · ACTIVE BLOCK 30,847,291
TPS 412 NULLIFIER SET GROWING — UTC
STEALTH /privacy
Document
stealthPRIVATE / Deep Reference
Proof System
Halo 2 · Orchard
Bridge
2-of-3 P2SH Multisig
Updated
April 2026
Privacy Layer · Dedicated Sidechain

Shielded by Design.

stealthPRIVATE is a fully dedicated private sidechain where sender, receiver, and amount are hidden by mathematics, not by policy. No transparent fallback. No opt-in privacy. Every transaction inside the sidechain operates under zk-SNARK guarantees — always.

zk-SNARKs Halo 2 / Orchard Feeless Pool-based No Explorer
Value crosses the bridge. What emerges on the private side is a commitment, not a trace.
Architecture
Sidechain
Dedicated · no transparent fallback
Proof System
Halo 2
Orchard · no new trusted setup
Bridge Security
2 / 3
P2SH multisig quorum
Privacy Set
Pool
Mint-burn · no per-user linkage
Explorer
None
No rich list · no tx lookup
§01 · THESIS

Shielded by default.
Not bolted on.

Design principle · Not a toggle
Most zk-SNARK chains — Zcash included — bolt privacy onto a transparent UTXO chain as an optional feature. Most transactions remain visible; shielded users are the minority, and the minority is itself legible. stealthPRIVATE inverts that. It is a dedicated private sidechain, fully integrated with stealthCORE. There is no transparent fallback, no opt-in privacy. The entire chain operates under zk-SNARK guarantees — always.
§02 · ARCHITECTURE

The Core-to-Private bridge.

CBridgeDeposit · 2-of-3 P2SH

A deposit is recorded on stealthCORE as a CBridgeDeposit. It locks XST transparently into a multisig address and instructs stealthPRIVATE to mint an equivalent shielded note. The record is minimal by design — only what is needed for custody and withdrawal is persisted.

CBridgeDeposit

Record · On-chain
  • core_txid Core-chain transaction that locked the XST
  • amount XST value locked into the multisig address
  • p2sh_address Pay-to-Script-Hash address holding the locked XST
  • staker_keys Three staker public keys · 2-of-3 quorum governs spend
  • spent Boolean · flipped when the deposit UTXO is consumed by a withdrawal
What is deliberately absent: no sender address, no receiver XSS address. The XSS address is used only at the moment of minting to create the shielded note — it is never persisted. This is intentional. The record cannot be used to link deposit to receiver, ever.

Flow · Core → Private → Core

  1. Lock on stealthCORE
    User sends XST to the 2-of-3 multisig P2SH address. This lock is transparently visible on Core.
  2. Record CBridgeDeposit
    Core-chain txid, amount, P2SH address, staker keys, and spent flag are written as the deposit record.
  3. Mint shielded note
    An equivalent shielded note is minted to the recipient XSS address on stealthPRIVATE. nTotalMinted is incremented.
  4. Transact freely inside stealthPRIVATE
    Shielded-to-shielded transfers — split, merge, relay — all fully private. Zero on-chain sender, receiver, or amount.
  5. Burn on withdrawal
    The spender burns a note on stealthPRIVATE. nTotalBurned is incremented. The destination XST address is a free parameter.
  6. Unlock on stealthCORE
    The 2-of-3 staker quorum signs a transaction that unlocks XST from the P2SH address to the withdrawal destination. The consumed deposit UTXO is marked spent.
§03 · POOL

A pool, not a pairing.

nTotalMinted · nTotalBurned
netSupply=nTotalMintednTotalBurned

Deposits and withdrawals do not pair per-user. The bridge tracks two counters only — nTotalMinted and nTotalBurned — and enforces a single invariant: the shielded pool must always net to a non-negative, Core-collateralised supply. Every user's withdrawal consumes some unspent deposit UTXO. Which one is immaterial and unlinkable to the withdrawer.

nTotalMinted
Incremented on every deposit. The lifetime total of shielded supply ever created.
nTotalBurned
Incremented on every withdrawal. The lifetime total of shielded supply ever destroyed.
netSupply
Current shielded supply. Always matches XST locked in the multisig on Core.
anonymity set
All historical depositors. Grows monotonically with nTotalMinted.

Worked example · 100 small deposits, one large exit

Step 01
User sends 100 deposits of 1,000 XST each — 100,000 XST total — to the bridge. nTotalMinted += 100,000.
Step 02
100 shielded notes of 1,000 XSS land in the user's shielded wallet. They can now split, merge, and relay these notes inside stealthPRIVATE — no on-chain trace.
Step 03
User issues one withdrawal of 50,000 XSS back to Core — to any XST address they name. The destination does not have to be theirs; it does not have to match any deposit.
Step 04
50,000 XSS is burned from the shielded wallet. nTotalBurned += 50,000. The bridge selects an unspent deposit UTXO (or combination) that covers the request and releases 50,000 XST from the multisig.
Result
100 → 1 transformation. Deposit amounts, timings, and addresses do not match the withdrawal. The bridge sees a pool rebalance. The chain sees no link.
§04 · SHIELDED

What moves inside the private pool.

Notes · Nullifiers · Halo 2

Funds exist as encrypted notes. Spending proves ownership without naming it.

A shielded note is a cryptographic commitment stored on-chain. It binds an amount and an owner — but reveals neither. The chain cannot tell you what a note is worth or who holds it, only that a valid note was created.

To spend a note, the owner publishes a nullifier — a one-way derivative of the note that marks it consumed, without revealing which note it was — and a Halo 2 zk-SNARK proof attesting that the note existed, was not previously nullified, and that the output balances check out.

A global nullifier set prevents double-spending. Observers see that a nullifier appeared; they cannot tell which note produced it. Sender, receiver, and amount are not obfuscated — they are mathematically absent from the public record.

Spend bundle · composition

  • spend action Consumes an existing shielded note. Emits the note's nullifier; proves ownership in zero-knowledge.
  • output action Creates a new shielded note encrypted to the recipient's viewing key.
  • change output A second output action — back to the sender — when spend value exceeds transfer value. Identical on-chain shape to any output.
  • Halo 2 proof Succinct zero-knowledge proof binding all actions. Constant size. Verifies in milliseconds. No trusted setup.

Inside stealthPRIVATE, value moves freely: B → C, C → D, split, merge, relay. Every step is shielded end-to-end. Only the size of the nullifier set and the size of the note commitment tree grow — neither reveals anything about who moved what, or when.

§05 · DISCLOSURE

Selective transparency, on the sender's terms.

Planned · OVK-derived
Planned · not yet implemented

Prove a single payment happened — without unveiling anything else.

Payment Disclosure is a planned feature that lets a sender selectively prove a single shielded payment to a third party, using their Outgoing Viewing Key (OVK).

The disclosure reveals only what is needed for the recipient party to verify: the receiver address, the amount, and the memo — for one specific note. Nothing about the sender's wallet state, balance, other transactions, or history leaks.

This preserves the global privacy property while giving senders a surgical tool for the narrow cases where proof-of-payment is useful — audit, refund, dispute, or merchant verification.

Use cases

  • Merchant verify Buyer proves a specific invoice was paid, without exposing wallet or other activity.
  • Dispute resolve Attach a disclosure to a support ticket — proof-of-payment for one note, nothing more.
  • Audit / compliance Regulated parties disclose selected transactions on request — without wholesale chain analysis.
  • Refund processing Identify the original shielded payment for a refund flow, without breaking the counterparty's privacy.
§06 · VISIBILITY

No rich list. No transaction explorer.

By design · Not a roadmap item

The stealthPRIVATE sidechain has no rich list, no visible transactions, and no searchable explorer — by design. The rich list RPC (getrichlist) only tracks transparent addresses on stealthCORE. Shielded transactions cannot be viewed, searched, or listed. Not "not yet"; not "for now" — not ever. The explorer does not and cannot exist for the shielded chain.

Hidden · always

What the chain does not show

  • Senders — shielded spends name no address.
  • Receivers — shielded outputs name no address.
  • Amounts — neither transfer nor change value is visible.
  • Balances — there is no per-address ledger to enumerate.
  • Rich list — nothing to rank. No ordering exists.
  • Transaction history — shielded txs are not indexable by participant.
Visible · aggregate only

What remains public

  • Block height — the chain's tip.
  • Net supply — nTotalMinted − nTotalBurned.
  • Note commitment tree size — a monotone counter.
  • Nullifier count — total spends ever.
  • Bridge deposits — visible on Core, not linkable to shielded activity.
  • Consensus state — block validity, tip hash, protocol params.
§07 · ZK vs. RINGS

Why zk-SNARKs are a different class of privacy.

Mathematical proof · not statistical obfuscation

Ring signatures hide you in a crowd. zk-SNARKs prove a transaction is valid without disclosing anything.

Both schemes were designed to protect transaction privacy on public blockchains. They achieve this through radically different mechanisms — with dramatically different security properties.

Ring signatures provide plausible deniability: one signer in a group, statistically hidden. zk-SNARKs provide cryptographic certainty: a mathematical proof that nothing was revealed. One is obfuscation. The other is proof.

The distinction is not academic. It determines whether privacy strengthens, holds, or degrades as chain data accumulates.

01 · What each scheme actually is

Ring Signatures

Obfuscation through decoys

A transaction is signed by one member of a predefined group — the "ring." The signer selects n − 1 other public keys as decoys. An observer cannot definitively tell which member signed.

The privacy is statistical, not mathematical. The set of candidate signers — decoys included — is publicly visible on-chain. Every ring member, real and fake, is recorded forever. Monero is the canonical user of this scheme.

zk-SNARKs

Proof without disclosure

A zero-knowledge succinct non-interactive argument of knowledge. The prover generates a proof encoding the entire validity of a transaction — inputs, outputs, balances — without revealing any value.

No decoys. No candidate set. No statistical model to attack. The privacy is encoded in the mathematics of the proof itself — and it does not weaken as chain data accumulates.

02 · The traceability problem in ring signatures

Because every ring member is visible on-chain, each address will eventually appear in another ring, in another transaction, either as real spender or as decoy. This creates a graph of probabilistic relationships that chain-analysis firms actively exploit. Privacy is not static; it degrades.

Attack 01

Zero-decoy tracing

Early Monero transactions used ring size 1 (no decoys). These transactions are trivially traceable. Any output that passed through that era of the chain carries a permanent on-chain record of its travel path — even if its current transactions use larger rings.

Attack 02

Chain-reaction analysis

When a ring member is confirmed as a spend (e.g., via a zero-decoy transaction), it can be eliminated from every other ring it appears in. Each elimination narrows other rings — cascading to unmask senders across chain history.

Attack 03

Timing & output correlation

Outputs have ages. Newly created outputs rarely appear as decoys in the same transaction that creates them. Statistical models of "typical" selection assign higher probabilities to certain ring members — narrowing plausible deniability below claimed levels.

03 · Proof size, verification, scalability
Rings · Size

Scales linearly with ring size

More privacy = larger transactions

Each additional decoy adds data. A ring-16 transaction is roughly 16× the size of a trivial one. As chains mandate larger rings for stronger privacy, throughput suffers and storage grows proportionally.

zk-SNARKs · Size

Constant, regardless of complexity

Maximum privacy = minimum footprint

A zk-SNARK proof is a few hundred bytes — regardless of what it proves. Hiding sender, receiver, and amount produces the same compact proof as hiding only one. The "succinct" is in the name.

Rings · Verify

Grows with ring size

Privacy adds verification overhead

Verifying a ring signature checks the relationship across all n members. A ring-16 transaction verifies roughly 16× slower than a trivial one. On high-throughput chains, the overhead compounds.

zk-SNARKs · Verify

Constant-time, extremely fast

Privacy adds negligible verification cost

zk-SNARK verification is O(1) — same time regardless of the size or complexity of the underlying statement. This is compatible with high-throughput chains that must validate thousands of transactions per second.

04 · Privacy completeness — what each scheme actually hides
Eight-row comparison · privacy property by scheme
Privacy property Ring Signatures zk-SNARKs
Sender identity hidden Probabilistic Provably complete
Receiver identity hidden Partial (stealth addresses) Provably complete
Transaction amount hidden Only with RingCT add-on Native & complete
Resistant to chain analysis Degrades over time Permanent guarantee
On-chain decoy records Yes — all visible None
Proof size Scales with ring size Constant (~200 bytes)
Verification overhead Scales with ring size Constant time
Privacy guarantee type Heuristic / statistical Cryptographic / mathematical
05 · The trusted setup question

The legitimate trade-off

zk-SNARKs need a setup ceremony

Early zk-SNARK constructions required a trusted setup to generate cryptographic parameters. If the ceremony's "toxic waste" is not destroyed, an attacker could forge proofs — a genuine and important consideration.

Modern practice addresses this with multi-party computation (MPC) ceremonies. Hundreds or thousands of independent participants contribute randomness. The ceremony is only compromised if every single participant is — an essentially impossible condition at scale.

Stealth's choice · Halo 2

No trusted setup at all

stealthPRIVATE uses Halo 2 / Orchard — a proof system that eliminates the trusted setup requirement entirely. There is no ceremony, no toxic waste, no multi-party trust assumption to preserve.

Ring signatures also require no setup — but that advantage is paid for with a fundamentally statistical privacy model. Halo 2 gives you both: no setup, and mathematical proof.

"Ring signatures say: 'it could have been anyone in this group.' zk-SNARKs say: 'I can prove everything is valid without telling you anything at all.' One is obfuscation. The other is mathematics."
Stealth R&D LLC
§08 · SPECIFICATIONS

Privacy layer · canonical parameters.

Source of record
Architecture Dedicated sidechain stealthPRIVATE runs alongside stealthCORE. Fully shielded by default — no transparent pool, no opt-in.
Proof system Halo 2 / Orchard Zero-knowledge succinct non-interactive arguments of knowledge. No trusted setup.
Bridge record CBridgeDeposit Stores core_txid, amount, p2sh_address, staker_keys, spent. Does not store sender or receiver XSS address.
Custody model 2-of-3 P2SH multisig Three staker public keys govern unlock; any two constitute a valid quorum for withdrawal.
Privacy set Pool · mint-burn nTotalMintednTotalBurned = net supply. Anonymity set is every historical depositor.
Spend bundle spend · output · change · proof One spend action, one output action, one optional change output, one Halo 2 proof. Constant-size, O(1) verification.
Note model Commitment + nullifier Notes are on-chain commitments. Nullifiers prevent double-spending with zero disclosure of which note was consumed.
Payment Disclosure Planned · OVK-based Sender-originated proof of a single payment: recipient, amount, and memo only. Selective transparency; does not leak wallet state.
Explorer visibility None — by design Public data: block height, net supply, note commitment tree size, nullifier count. No rich list. No transaction explorer.
Fees Feeless Inherits Stealth's feework model. No per-transaction fees inside the shielded pool.
SPEC · v0 Full specification → back to landing