Vision
26 Jun
## min read

Can blockchains and zero-knowledge help humanity survive? 47 real-world use cases

Worldwide, the average person’s daily screen time is 6 hours and 58 minutes. This is approximately 41% of waking time. Does it mean that a modern human is 41% digital?

Share
Written by
Lisa A.
Edited by

Are we becoming cyborgs in 2024?

Many thanks to Elias, Palla, Mahima, Hannes, and Rafal for review. Separate thanks to João Montenegro for an awesome discussion.

Worldwide, the average person’s daily screen time is 6 hours and 58 minutes. This is approximately 41% of waking time. Does it mean that a modern human is 41% digital?

Let’s think.

  • Personal relations are becoming digital (17% of marriages and 20% of relationships begin online) as well as business and consumer relations (81% of consumers prefer communicating in a messenger).
  • Society is becoming “cashless”: only 9% of Americans pay with cash, and in some countries it accounts for only 1% (e.g. Norway, Honk Kong, Sweden, etc.).
  • 71% of smartphone owners sleep with or next to their mobile phones.
  • Google search engine acts almost like humanity's hive-mind.
  • “Information and communications technologies are more widespread than electricity.” – Shoshana Zuboff.

One thing can be said for sure: our everyday life is a blend of the physical and digital worlds and this trend won’t reverse. Furthermore, the share of digital reality is going to grow.

Humanity has rich experience (approx. 300,000 years) living in physical reality.

Within this time we’ve learnt some useful skills. For example:

  • How to build reliable constructions such as houses, bridges, roller coasters, and military offices.
  • How to treat our bodies in such a way that they serve us as long as possible.
  • How to build meaningful relations that last for years and make us feel good, loved, and needed.

With digital reality, our experience is approximately 4,878x shorter (assuming 1983 being the internet’s year of birth). So, it seems we are still at the beginning of the learning curve of living in digital reality.

What part of ourselves is digital? Let’s think.

  • Most of our documents, files, and data (e.g. financial and health) are digital and stored on smartphones or laptops.
  • Most of our communications and social interactions are digital: through emails, social media, video calls, etc.
  • Most of our work is done digitally: collaborative work using Google services and GitHub, web services (e.g. Figma), storing and managing files in the cloud (e.g. Dropbox).
  • Most of our memorable moments and things that make us feel good are stored digitally: pictures from birthdays and weddings, screenshotted messages from those we love and hate, playlists we’ve been collecting for years, movie ratings, etc.
  • Authentications and passwords for all services and accounts we use.

What exactly does “digital” mean in all these cases? In most cases, it means stored in cloud services or on a company server. That is saying that 99.9% of our digital “us” is outside of our control.

Google won’t close tomorrow, will it?

Humans like to be optimistic. Google won’t close tomorrow, right? It just doesn’t make any sense. Humanity pays it so much money. Humanity gives it all its data.

Okay, thinking rationally, let’s assume that Google’s best option is to exist forever. But what about our Google accounts? What about the digital “us”? What about data authenticity? What about the part of our life that happens digitally every day? Will it exist tomorrow?

Let’s for a second move from that optimistic perspective to a more realistic one:

  • Whether we have access to our money or not depends on whether the bank allows us or not.
  • Whether we can access our iPhone or not depends on whether Apple allows us or not.
  • Whether we can access our data backup on iCloud depends on whether Apple allows us or not.
  • Whether we can leave a comment on a forum or social media depends on whether we meet the criteria of being a “good user” or not.

So, the first “layer” is: in order to have access to our digital life, we need to meet the criteria of being a “good customer” every day. Every single day. Doesn’t sound nice, but not a big deal, right?

Source

At the end of the day, we are good humans, we have nothing to hide, we trust our governments and these pretty multibillion corporations. They are nice guys. Is there anything else to worry about?

Hmm, let us think what happens if…

  • Artificial general intelligence (AGI) kidnaps the internet and floods it with bots?
  • Company servers are destroyed because of war or natural disasters?
  • Governmental databases break down, destroying all information about citizens and pushing the world into anarchy?
  • Autopilot transports and machinery get programmed for self-destruction on Wednesday 9:00 Eastern Time?
  • Banking system gets lost or corrupted, so we lose all our money because it is just a digital entry on a centralized server?

We still can stick to an optimistic mindset and say: okay, the probability of this happening is very low. Let’s wait until one such incident happens (e.g. nuclear war) and then we should start worrying. Today we still can access banking apps, scroll Instagram, and order a poke bowl. Why do we need to worry now?

There are several reasons to think about it today:

  1. We can’t think about saving the world after the world has been destroyed because the world won’t exist anymore.
  2. Saving the world might take time. A couple of seconds might not be enough. And if the world is going to be destroyed, no one will kindly tell us 20 years in advance.
  3. We still can eat poke while trying to save the world. There is no contradiction therein.

Now let’s be more precise. While appealing to “saving the world”, by “the world”, we mean “the digital world”, a part of our life and identity that exists purely online or in a hybrid state of offline and online (e.g. medical devices implanted into human bodies having software components). By “saving”, we mean making it robust. That is to say neither governments, corporations, AGI, nor bots can kidnap, destroy, control, or limit a digital part of us.

We must make the internet more robust

Comparing our physical reality to digital reality, if in the former we developed robust materials such as carbon, metal, glass, and ultra-high molecular weight polyethylene fiber, in the latter we are still building twig huts.

The good news is that today we are already equipped well enough to start making the internet more robust. Three components that will allow us to resist factors such as AGI or dictatorships are blockchains, privacy incorporated into blockchains, and cryptography. Why these three?

To have control of our digital “us”, we need four components:

  • Permissionlessness
  • Immutability
  • Verifiability
  • Privacy

Let’s abstract from the wording “the internet”. Instead, let’s use the word “cyberspace”, meaning “everything digital” including the internet, computer networks, and whatnot.

By permissionlessness, we mean that cyberspace is equal for any human on Earth. Create an account, deploy code, own a digital object, talk to another human in cyberspace – whatever is possible there for one human is possible for everyone.

By immutability, we mean that humans have control over their life in cyberspace and if they make an action in cyberspace (e.g. open an account, issue an ID, or deploy code), no one can undo it. One should note that immutability might work as a double-edged sword, as if being immutable means nothing can ever be forgotten. Thus, we should be very conscious while building of what exactly we are making immutable and how it might manifest as a negative externality one day.

By verifiability, we mean something like an objective source of truth. If human 54835934 tells human 82849934 that “this statement” is true, human 82849934 has a tool to objectively verify its truthfulness.

By privacy, we mean control over what is disclosed, when, and to whom. How sincere are we claiming “we have nothing to hide”? Even if we don’t mind “someone” having access to all our correspondence, medical data, pictures and videos (including those hot nudes), food delivery, e-commerce, and porn browser history… What if we take it one step further, right to brain-computer interfaces (BCI)? If someone (whether governments, corporations, AGI or another party with exceptionally good intentions) now has access to all our thoughts and body chemistry, do we still have nothing to hide?

These four properties allow us to ensure that our digital “us” will last at least as long as our physical “us” (or maybe even longer, but that is a topic for another article).

Blockchains and cryptography

No technology in isolation is a magic pill. However, combining the right technologies and applying them in the right cases allow us to come closer to inventing a magic pill.

Let’s first clarify what technologies we have in our “survival kit” and what properties of theirs we are interested in.

Blockchain provides permissionlessness and immutability

Blockchain is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a network.

In this definition, the key property is “shared”. The question is how exactly it is shared or who are the participants of the network. To be shared “for real”, we want the blockchain to have thousands or even millions of nodes that are independent of each other. As of the 15th of April 2024, Ethereum has 5,912 nodes in the network where by nodes we mean different independent parties running infrastructure (one node might run many validators). And even though some of them are run by institutions, Ethereum can be fairly called a shared and immutable ledger. That is to say, Ethereum is good enough to be the base of the robust internet.

Cryptography provides verifiability

Cryptography’s history is almost as long as humanity’s history. But with the advent of the digital era, some specific kinds of cryptography that fit the needs of computers and the internet started evolving at an insane pace.

The history of zero-knowledge cryptography started in 1989, although it wasn’t obvious it would be a perfect complement for blockchains (even though the idea of blockchains was proposed earlier).

A zero-knowledge protocol consists of two parties, a Prover and a Verifier, where the Prover can prove to the Verifier that a certain huge statement is true while conveying only a tiny bit of information. This property is called “succinctness” and is a key component of cyberspace, where individuals need to coordinate with each other all the time and the communication has to be as lightweight as possible.

Privacy-preserving blockchains provide privacy

Privacy-preserving blockchains allow individuals to choose what information to disclose, when, to whom, and in what form. This is another crucial element of cyberspace, as disclosing one bit of data while preserving private other bits of data is a must-have mechanism for efficient coordination.

For example, in the case of elections, an individual wants to tell the tally that (i) they are eligible to vote, (ii) they have voted, (iii) they voted only once, but they don’t want to disclose any details about their vote or their identity.

One should note that privacy on the application layer (e.g. private identity or transfers) can’t be added to a transparent blockchain purely by means of cryptography. Privacy should be incorporated into blockchain design at the level of smart contract anatomy and state management.

Now that we’ve looked at what components we need to build robust cyberspace, let’s explore specific cases we need to fix and decide if we really can fix them with these tools.

47 use cases and 75 examples for blockchains, privacy, and zero-knowledge

In the second part of this article, we will explore 47 use cases and 75 examples of how blockchains, privacy, and verifiability can disrupt, heal, expand, and modify the world around us, addressing its problems, weaknesses, points of failure, and fragilities.

But before we dive into the full list, let’s cover three quick examples as an introductory illustration:

  1. Programmable identity: Today, when someone needs to confirm their identity, age, citizenship, or residential address, they provide a passport, ID, or other formal documents. With zero-knowledge proofs, one can manage all their documents client-side and provide proofs of specific properties upon request, without requiring documents.

One should note that for this use case we strictly need privacy-preserving composable blockchain (e.g. Aztec).

  1. Combining several data sets and a model without datasets and model disclosure between parties.
  1. Smart home that processes all data client-side (i.e. inside of smart home) without sharing its inhabitants’ data with anyone (even Google!).

Now we have some intuition behind how zero-knowledge proofs and privacy-preserving blockchains can create an alternative to the current reality, with several of the cases we’ve mentioned involving fixing data privacy and individual sovereignty issues and unlocking new forms of collaboration and coordination. Finally we are ready to dive into the longlist of blockchain, privacy, and verifiability use cases, where these three factors become the real game changers for the world and humanity’s future.

Most of the ideas described below were borrowed from brilliant minds, either from their public presentations or personal talks. Credit to Barry, Steven, Zac, freeatnet.eth, Jessica, Henry, Tarun, and Joe for being brilliant minds.

We will also categorize all use cases into categories:

  1. Efficient coordination – allows small numbers of individuals coordinating efficiently to compete with much larger agents.
  2. Verifiable computation – “truth objectivity” allows individuals to be sure that something is true without relying on honesty of institutions or other individuals.
  3. Data immutability and robustness – makes the cyberspace environment more long-lasting, reliable, and independent of institutions and individual agents.
  4. Improved world economic efficiency – allows individuals and institutions to utilize the resources at their disposal in a more economically efficient manner.
  5. Privacy – just privacy.

In the table below, we categorize a number of solutions to specific problems we will probably meet within the next decades while the digital share of the world is expanding and rooting deeper and deeper into our reality. We classify them according to whether they require blockchain, privacy, verifiability (provided by zero-knowledge), or a specific combination of these three. In most cases, blockchain serves as a coordination layer, privacy is engaged in all cases where participants can’t go with 100% transparency of all data, and zero-knowledge adds verifiability.

Under blockchain, we assume a decentralized one where nodes are run by thousands of diverse, independent parties. This decentralization makes the network credibly neutral and provides strong security guarantees. Today, Ethereum fits this criteria more than anything else. Layers 2 on top of Ethereum inherit its security property, however, their credible neutrality depends on design details such as approach to block building and upgrade mechanism.

Under privacy, we mean that whatever we want to stay private should be fully processed client-side on the user's device and should not be exposed to any other parties.

We also consider combining blockchain, privacy, and zero-knowledge with other existing technologies such as:

  • MPC and 2PC – enables multiple parties (or two parties in 2PC case) – each holding their own private/secret data – to compute the value of a public function using that private data while keeping their own piece of data secret.
  • TEE – a secure area of a main processor that prevents unauthorized entities from outside the TEE from reading data, and prevents code in the TEE from being replaced or modified by unauthorized entities.
  • Any existing cryptographic primitive such as an ECDSA signature (an example of a public key cryptography encryption algorithm).

Why can't we use these technologies separately and why do we need to combine them with zero knowledge and blockchain? Because we don’t just want to trust those using them that they are acting in good faith; we want to be able to verify that they are acting in good faith.

Efficient coordination

Use case Blockchain Privacy Verifiability
Proof of eligibility (for participation, access, etc.) Example 1: Access to the building (e.g. office).
Example 2: Access to military data regarding ongoing war where if this data is leaked it will lead to numbers of deaths.
Optional Need Need
Proof of innocence
Example: Compliance (proof of not interacting with agents meeting specific criteria, e.g. North Korean hackers).
Need Need Need
A mechanism ensuring collective agreement for making crucial decisions
Example 1: Minimum threshold for pushing the nuclear button where the voting members represent all parties that should be represented in a fair manner (MPC+ZK).
Example 2: Minimum threshold to approve decisions of the board of directors with huge financial impact.
Need Need Need
Prevention from malicious cooperation such as bribery or voting system “tampering” Example 1: Voting mechanism where it is impossible to prove that one has voted for a specific candidate.Example 2: Voters can independently verify that their vote was fairly recorded in the election tally. Need Need Need
“Programmable” trust: verification of specific properties of individuals (e.g. belonging to specific groups, visiting specific events, etc.) that allows the building of “safe spaces”
Example: If one studied at the same university and is a member of the same charity organization, it increases the probability that we share similar values and my default trust in this person can rationally be higher than in those who don’t meet these properties.
Need Need Need
“Temperature check” before making decisions/actions with extremely high general costs or the cost of being among the first.
Example: A government member can check how many other government members are ready to oppose the current ruling coalition and start to act only if they are sure they will have sufficient supporters (MPC+ZK).
Need Need Need
Check the alignment or expectations regarding a specific question in a neutral way as (i) participants don’t need to disclose sensitive information to each other and (ii) no one needs to express their preferences first, so there is no time priority.
Example 1: Negotiation of salary between the employer and employee where no single party needs to reveal their preference first, allowing the second party to adjust their preferences based on the disclosed information.
Example 2: Negotiation of the type of relationship that works best of all for all participants, such as “Should friends start romantic relationships”? (2PC+ZK or MPC+ZK depending on the number of participants).
Need Need Need
Private DAOs as a type of a legal entity
Example: Programmable organization with task-based system where compensation payments fully depend on executed milestones.
Need Need Need
Neutral personal data regulation
Example: Instead of governments enforcing the laws and standards around personal data (e.g. the EU’s GDPR), these standards are designed and regulated by a neutral third party while its execution is verifiable.
Need Need Need
Fair incentives mechanisms
Example: Corporations commit to a specific max level of negative externality regarding the greenhouse effect. If the max level is exceeded even by a tiny amount, the agent is “slashed”. By slashed we might mean monetary or other types of slashing (e.g. “reputational slashing” through public reporting for a worldwide audience).
Need Need Need
Blended experience between offline and online domains
Example: Pokémon Go, where blockchain serves as a coordination layer for a number of players.
Need Need Need

Verifiable computations / truth objectivity

Use case Blockchain Privacy zk
Ensuring that an autonomous automatic system will work exactly in the way it is expected to work (i.e. according to the designed algorithm)Example: Self-driving cars, autopilot planes, and self-navigating rockets can execute only the algorithm they committed to. Optional Optional Need
Executing the algorithm while keeping it a secret, i.e. executing any algorithm that should be executed by an external party while the algorithm owner would prefer not to disclose the underlying mechanism (either for commercial or personal motivations)
Example: Dating matching algorithm (2PC/MPC+ZK).
Optional Need Need
Content authenticity: verifying specific criteria of content (pictures, videos, etc.) such as no-edits, produced by a human, time and place of production, etc.
Example: Distinguishing between deepfakes and authentic sources.
Optional Optional Need
Ensuring that some technology was used in a proper way
Example 1: Ensuring that FHE encryption for cloud data storage was done correctly.Example 2: Zk-snark wrapped up around an NFC signature from a chip's public key to prove that one owns a valid signature without revealing the raw signature itself.
Optional Need Need
Direct data verification from a web2 service
Example: Verifying one’s Twitter username to be used in an external (non-twitter) service.
Optional Need Need
Optimizing subjective manual processes by converting them into objective non-manualExample: Today, to confirm a bank transfer over a specific threshold, one needs to confirm this transfer manually through the bank call center. This manual process can be eliminated by using zero-knowledge proof to pass the bank’s security check. Optional Optional Need
Converting post-factum verification/check into preliminary
Example: In the modern blockchain world, compliance and KYC information is supplied post-factum, after the transaction was executed when it might be too late to address it. Using zero-knowledge, the transaction can be valid only if the counterparties proved that they meet a specific criteria (e.g. possess some kyc token provided by some kyc provider). Hence, any fraud attempts can be handled in time.
Need Need Need
Proof of ML models’ integrity
Example 1: The model owner proves that the result of the ML model running is fair without revealing any information about the model itself.Example 2: Proving that the submitted model was executed on the committed data without revealing data. Combining both examples, the model owner publicly commits to a model, and generates a zk-proof that the committed model was applied to the user’s submitted input, yielding the claimed result.Example 3: In case of LLM making decisions on its own (e.g. shouting military goals), proving how LLM made the decision when the information is fragmented and different parties have access to different fragments. One should be able to see how the data was put together and be able to question it without revealing all data to one specific party.
Optional Need Need
Proof of treating all participants in the same wayExample: Proof of no price discrimination. Need Need Need
Verifiability in supply chains
Example 1: Proving the origin and authenticity of goods and materials.
Example 2: Proving that materials meet compliance standards of supply chains within modern economies without revealing sensitive corporate information such as the identities of their suppliers and customers.
Need Need Need
Verified rating services
Example: Employer review (e.g. Glassdoor) where all the reviewers (i) stay anonymous, (ii) provide proofs of being eligible to review specific company/role.
Need Need Need
Proof of a mistake in a decision made by big data machine
Example 1: If one’s transaction was identified as a fraud but it is not, one can generate verifiable proof that the transaction is legitimate.
Example 2: If one was marked as an individual affiliated with a specific person (e.g. a terrorist) when one is not, one can generate verifiable proof that there are no connections/interactions with this party.
Optional Optional Need
List of attested events (created client-side) based on the data stream
Example 1: Using zk email as a data stream, based on the parking bill from a government authority, to generate a proof that the email owner has a car and lives in a specific city.
Example 2: Based on the shipment delivery updates delivered through zk email, generate a proof of order delivery.
Optional Need Need

Data immutability and robustness

Use case Blockchain Privacy zk
Robustness of interoperability Example: Guaranteed access configurations to Twitter API. That is to say Twitter can’t withdraw or modify this API version and thus break the operations of those using it. Need Need Need
Games/virtual worlds ownershipExample: Games’ immutability protects gamers from game studios’ “dictatorship”, enforcing the ownership over game assets and rules, which is meaningful for professional gamers who spend a huge chunk of their lives playing. Need Need Optional
Immutability for ownership guarantee
Example 1: Impossibility of suspending social media accounts by automated algorithms (especially those with large audiences, e.g. creators) without proof of violation.
Example 2: Impossibility of freezing ad accounts in social media by automated algorithms without proof of violation.
Optional Need Need
Signed internet history that is recoverable in case of web2 internet servers destruction (e.g. putting every internet website as a rollup)
Example 1: Proving data authenticity in case of “sybil attacks”. Example 2: Resisting AI DDOS attack.
Example 3: Impossibility of malicious power’s actions because of data immutability (e.g. revocation of citizenship).
Example 4: Preserving core digital infrastructure in case of internet shutdown/firewalling/censoring (e.g. in case of revolution or war in countries with oppressive regimes).
Need Need Need
A “car” transferring sealed data between various web2 and web3 services (as an alternative to current API mechanism). This allows (i) avoid trusting APIs (e.g. Facebook), (ii) get the data in the format one needs, (iii) data authenticity is verifiable.Example 1: Web2 and web3 oracles.
Example 2: Services built on top of existing services such as “who unfollowed me” on top of Instagram.
Example 3: Cross-chain verification.
Need Need Need
Physical and digital property ownership history
Example: Verifiable ownership history of rare antiques or pieces of art.
Need Need Need
Eliminating the risks of personal database leaks: because of client-side personal data processing, there is no need for collecting and storing huge personal data databases that can be leaked or hacked Need Need Need

Efficiency

Use case Blockchain Privacy zk
Creating global settlement layer of the world’s assets: digitizing real-world assets (e.g. property, pieces of art, IP, etc) to be able to use them in the digital world
Example: Use physical assets as collateral for digital lending.
Need Dearly need Need
Improving efficiency of decentralized services so that they are able to compete with centralized ones
Example: For democracies (which require a lot of multiparty coordination) to be able to compete with the authoritarian regimes that are highly centralized and coordinated.
Need Need Need
Neutral databases of authorized attestations
Example: Proof of holding a certificate issued by the International Culinary Institute that can be verified by anyone without additional requests to the institution that issued it.
Need Need Need
DeFi as an alternative to traditional financial institutions to (i) provide banking services for underbanked parts of the world, (ii) provide humans with censorship resistance and immutability where institutions can’t limit access to assets and number of allowed actions. One should note that even though we have been talking about DeFi for quite a while, the DeFi we have today is fully transparent. That is to say, if one borrows money, everyone can see it, all payments (e.g. salaries), savings, and assets are easily observable. To make DeFi the real alternative to traditional financial institutions, we need privacy-preserving composable blockchains, otherwise it’s a toy example.
Example 1: Buying stablecoins in countries where people are not allowed to buy foreign currency.
Example 2: Immutable private transactions or private compliant transactions.
Example 3: Providing basic banking services in countries with low GDP and weak institutions that can’t provide their population with access to banking.
Example 4: Broker-dealer network for securities trading services.
Need Deadly need Need
By reducing the amount of data that needs to be transmitted and processed, ZKPs can also significantly reduce the energy demands of IoT devices, improving efficiency and reducing costs. Optional Optional Need
Programmable spending based on the on-chain income
Example: Recurring monthly debt payment as the first spending from the salary.
Need Need Optional

To glimpse how all these use cases are possible through combining zero-knowledge and privacy-preserving blockchains, one should note that even though these technologies are absolutely awesome, they are still not magic pills. We need developers, engineers, and architects to combine them in smart ways. That is to say that the real magic pills are the developers, engineers, and architects capable of doing this and caring about our common future as much as the Aztec team does.

The components (i.e. blockchain, privacy, and verifiability) have been clear at a theoretical level for years. But even when they started to be implemented, most implementations were not really feasible for real-world usage and were hard to combine with each other. This was a serious issue, as web3 applications should be competitive with the existing web2 stuff we already use.

Aztec Labs addressed this issue and has been developing Noir, an open-source, domain-specific language that makes it easy for developers to write programs with arbitrary programmable logic, zero-knowledge proofs, and composable privacy. The program logic can vary from simple “I know X such that X < Y” to complex RSA signature verification. If you’re curious about Noir, check the talk “Learn Noir in an afternoon” by José Pedro Sousa.

Privacy-preserving blockchain and zero-knowledge in spacetech and defense

For those who are still skeptical about these 47 use cases above as too cypherpunk-ish, the next section talks about the need for privacy-preserving blockchains and zero-knowledge cryptography in a very specific domain for solving very specific problems.

Blockchains and zero-knowledge in space

Today, operating in near-Earth space is a part of everyday life: countries, industries, and businesses rely on the day-to-day operation of satellites and the complex infrastructure created in Earth’s orbit. That is to say, a number of parties (some of them are obviously hostile towards each other) manage a number of programmable “nodes” with sensitive data. That sounds exactly like a coordination problem that privacy-preserving blockchains and zero-knowledge are able to handle!

  • Case 1: satellite coordination
    Most large countries have their satellites flying in space for some specific missions. That reminds one of car or plane traffic, but instead there are a number of satellites going from point A to point B. The goal is to manage this traffic in a way that there are no collisions or accidents. The coordination problem is that space is everyone’s – that is, the model of plane traffic doesn’t work.

Instead, satellite owners have to coordinate with each other (and as a consequence trust each other) to negotiate space management. This requires pretty deep data disclosure and trust that other parties have good intentions.

We can utilize zero-knowledge to provide proof of correct code execution, meaning that the satellite will perform exactly what its owner promises. For example, it can generate “proof of route”, which is a crucial component of space coordination as one additional zero in the code can send the satellite spinning forever or force it to change its trajectory and crash into other satellites. Privacy-preserving blockchain can be used as a coordination layer to deploy protocols for specific use cases.

  • Case 2: operating over hostile areas
    Sometimes satellites need to fly over the area of the countries with whom they are “not friends”. While flying over these areas, enemy representatives might be interested in hacking the satellite, intervening in its operating activity, and data forgery. For example, providing AI-generated images instead of authentic ones. To mitigate this risk, we can use zero-knowledge to provide proof of data authenticity or proof of metadata.

  • Case 3: planetary defense
    Planetary defense is the effort to monitor and protect Earth from asteroids, comets, and other objects in space. Life on Earth has been drastically altered by asteroid impacts before. For example, once a planet-shaking strike led to the extinction of the non-avian dinosaurs.
    Planetary defense combines comet and asteroid detection, trajectory assessment, tracking over time, and developing tools for possible collision prevention (includes slamming a spacecraft into the target, pulling it using gravity, and nuclear explosions).
    Planetary defense is operated by NASA, the European Space Agency, and other organizations, all representing different countries and dealing with sensitive data collection and secret technologies (e.g. satellite engineering mechanisms).
    ZKPs and privacy-preserving blockchains can be a coordination layer to process data collected by different parties without exposing it to others.  

Blockchains and zero-knowledge for LLMs on battlefields, enterprise, and everyone’s daily lives

LLMs are (today, already, obviously) very valuable, are shaping an absolutely different economy, and will have a huge impact on daily humans’ lives, geopolitical balance, and enterprise operations.

One of the issues with LLMs is that they can’t tell you how they reached their conclusions. However, some of these conclusions change the world and impact millions, if not billions, of people, being used for business, for countries, for battlefields. Take for example the case of using LLMs to detect targets on a battlefield. The model tells the commander “This is the target”, but it doesn’t provide any proof that this target was detected correctly. In this case, the cost of wrong detection is at least a life, maybe a dozen lives, or several hundred thousand lives.

Zero-knowledge proofs can be a “neutral arbiter” providing the proof of what data the model was trained on, what data the model used to make a conclusion, how this data was put together, what the underlying algorithm is, etc. Furthermore, it can be done without revealing any specific information about either the data or the model.

One should note that today we are not talking about whether or not we should use LLMs for specific use cases. The reality is they are already used everywhere, by all major corporations, countries, and their governments. But what we still are able to do while LLMs start flooding our world is make the model owners accountable for their models – that is to say enforce some formal LLM compliance.

Similar to private data processing and collection today, some legislation for AI regulation will be set up as well. However, mere legislation is not enough; standards should be transparent and equal for everyone, and they should be followed.

Can a trusted third party who is believable, shares pro-democratic values, and is neutral enforce legislation compliance? In a domain such as AI, where at stakes are at the very least huge amounts of money (if not shaping the geopolitical landscape of the world for years to come), there are no neutral parties – everyone has their own interests and skin in the game.

In LLMs we don’t have custodial relations to the data, we can’t prove how the decision was made. But at the same time, we need to know how the data was put together and be able to question it. That is, for example, an absolute necessity for the presumption of innocence. ZKPs as a source of truth and privacy-preserving blockchains as a coordination layer can solve this issue to enforce AI standards compliance.

Conclusion

We are just at the very beginning. Privacy-preserving blockchains and zero-knowledge cryptography are needed in spacetech, agrotech, medtech, biotech, AI/ML, military technology, social networks, retail, robotics, big data, IoT, media and entertainment, edtech, fintech, logistics, neurotech, etc.

The 47 use cases mentioned above are kind of obvious today, but the real landscape of ZKPs and blockchain usage in 20 years will be much wider, deeper, and more diverse. Some of them can be predicted today, while some of them are almost impossible to imagine (unless you’re a true visionary).

One thing is absolutely clear, however: world verifiability is an absolutely required property while our world merges offline and online universes deeper and deeper. ZKPs as a “source of truth” and privacy-preserving blockchains as a coordination layer are a very promising duo to make the world verifiable.

It will take us time. The right moment to start was yesterday. But today is also a good day: for those ready to act together with Aztec – fill in the form.

Sources:

  • An article “Planetary defense: Protecting Earth from space-based threats” by Vicky Stein.
  • A talk “on The Global Tech Race” by Alex Karp.
  • A talk “Charting Taiwan DID as a Showcase & Experiment” by Noah Yeh.
  • A talk “State of ZK ECDSA” by Gauthier.
  • A talk 2PC is for Lovers by Barry Whitehat.
Read more
Aztec Network
Aztec Network
15 Oct
xx min read

Your Private Money Yearns for a Private Economy

Watch this: Alice sends Zcash. Bob receives USDC on Aztec. Nobody, not even the system facilitating it, knows who Alice or Bob are.

And Bob can now do something with that money. Privately.

This is the connection between private money and a private economy where that money can actually be used.

Zcash has already achieved something monumental: truly private money. It’s the store of value that Bitcoin promised (but made transparent). Like, digital gold that actually stays hidden.

But here's the thing about gold - you don't buy coffee with gold bars. You need an economy where that value can flow, work, and grow. Privately.

Money Under the Mattress

While other projects are trying to bolt privacy onto existing chains as an afterthought, Zcash is one of the oldest privacy projects in Web3. It's achieved what dozens of projects are still chasing: a truly private store of value.

Total Shielded ZEC Value (USD): Sep 16 - Oct 14 | Source: zkp.baby/

This is critical infrastructure for freedom. The ability to store value privately is a fundamental right, a hedge against surveillance, and a given when using cash. We need a system that provides the same level of privacy guarantees as cash. Right now, there's over $1.1 billion sitting in Zcash's shielded pool, private wealth that's perfectly secure but essentially frozen.

Why frozen? Because the moment that shielded $ZEC tries to do anything beyond basic transfers: earn yield, get swapped for stablecoins, enter a liquidity pool, it must expose itself. The privacy in this format is destroyed.

This isn't Zcash's failure. They built exactly what they set out to build: the world's best private store of value. The failure is that the rest of crypto hasn't built where that value can actually work.

The Privacy Landscape Has an Imbalance

What happens when you want to do more than just send money? What happens when you want privacy after you transfer your money?

Private Digital Money (i.e., “Transfer Privacy,” largely solved by Zcash):

  • Zcash: est. 2016
  • Everyone else: building variants of digital money at the transaction or identity level
    • Monero
    • Ethereum privacy pools
    • 0xbow
    • Payy
    • Every privacy stablecoin project
    • Every confidential L2
    • Every privacy project you've ever heard of

Private World Computer (i.e., After-the-Transfer Privacy):

  • Aztec

Everyone else is competing to build better ways to hide money. Zcash has already built the private store of value, and Aztec has built the only way to use hidden money.

The Locked Liquidity Problem

Here's the trillion-dollar question: What good is private money if you can't use it?

Right now, Zcash's shielded pool contains billions in value. This is money in high-security vaults. But unlike gold in vaults that can be collateralized, borrowed against, or deployed, this private value just sits there.

Every $ZEC holder faces two impossible choices:

  1. Keep it shielded and forfeit all utility
  2. Unshield it to use it and forfeit all privacy

Our demo breaks this false sense of choice. For the first time, shielded value can move to a place where it remains private AND becomes useful.

The Private World Computer

Here's how you can identify whether you’re dealing with a private world computer, or just private digital money:

Without a private world computer (every other privacy solution):

  • Receive salary privately → Can't invest it
  • Store savings privately → Can't earn yield
  • Send money privately → Recipient can't use it privately

With a private world computer (only Aztec):

  • Receive salary privately → Invest it privately
  • Store savings privately → Earn APY privately
  • Send payment privately → Recipient spends it privately

This is basic financial common sense. Your money should grow. It should work. It should be useful.

The technical reality is that this requires private smart contracts. Aztec is building the only way to interact privately with smart contracts. These smart contracts themselves can remain completely hidden. Your private money can finally do what money is supposed to do: work for you.

What We Actually Built

Our demo proves these two worlds can connect:

  1. The Vault: Zcash
  2. The Engine: Aztec (where private money becomes useful)

We built the bridge between storing privately and doing privately.

The technical innovation - "partial notes" - are like temporary lockboxes that self-destruct after one use. Money can be put privately into these lockboxes, and a key can be privately handed to someone to unlock it. No one knows who put the money in, where the key came from, or who uses the key. You can read more about how they work here. But what matters isn't the mechanism. 

What matters is that Alice's Zcash can become Bob's working capital on Aztec without anyone knowing about either of them.

As a result, Bob receives USDC that he can:

  • Earn yield on
  • Trade with
  • Pay suppliers with
  • Build a business on
  • All privately

Why This Required Starting from Scratch (and 8 years of building)

You can't bolt privacy onto existing systems. You can't take Ethereum and make it private. You can't take a transparent smart contract platform and add privacy as a feature.

Aztec had to be built from the ground up as a private world computer because after-the-transfer privacy requires rethinking everything:

  • How state is managed
  • How contracts execute
  • How proofs are generated
  • How transactions are ordered

This is why there's only one name building fully private smart contracts. From the beginning, Aztec has been inspired by the work Zcash has done to create a private store of value. That’s what led to the vision for a private world computer.

Everyone else is iterating on the same transfer privacy problem. Aztec solves a fundamentally different problem.

The Obvious Future

Once you see it, you can't unsee it: Privacy without utility is only the first step.

Every privacy project will eventually need what Aztec built. Because their users will eventually ask: "Okay, my money is private... now what?"

  • Zcash users will want their $ZEC to earn yield
  • Privacy pool users will want to do more than just mix
  • Private stablecoin users will want to actually… use their stablecoins

This demo that connects Zcash to Aztec is the first connection between the old world (private transfers) and the new world (private everything else).

What This Means

For Zcash Holders: Your shielded $ZEC can finally do something without being exposed.

For Developers: Stop trying to build better mattresses to hide money under. Start building useful applications on the only platform that keeps them private. 

For the Industry: The privacy wars are over. There's transfer privacy (solved by Zcash) and after-the-transfer privacy (just Aztec).

What’s Next? 

This demo is live. The code is open source. The bridge between private money and useful private money exists.

But this is just the beginning. Every privacy project needs this bridge. Every private payment network needs somewhere for those payments to actually be used.

We're not competing with transfer privacy. We're continuing it.

Your private money yearns for the private economy.

Welcome to after-the-transfer privacy. Welcome to Aztec.

Aztec Network
Aztec Network
8 Oct
xx min read

Aztec: The Private World Computer

Privacy has emerged as a major driver for the crypto industry in 2025. We’ve seen the explosion of Zcash, the Ethereum Foundation’s refocusing of PSE, and the launch of Aztec’s testnet with over 24,000 validators powering the network. Many apps have also emerged to bring private transactions to Ethereum and Solana in various ways, and exciting technologies like ZKPassport that privately bring identity on-chain using Noir have become some of the most talked about developments for ushering in the next big movements to the space. 

Underpinning all of these developments is the emerging consensus that without privacy, blockchains will struggle to gain real-world adoption. 

Without privacy, institutions can’t bring assets on-chain in a compliant way or conduct complex swaps and trades without revealing their strategies. Without privacy, DeFi remains dominated and controlled by advanced traders who can see all upcoming transactions and manipulate the market. Without privacy, regular people will not want to move their lives on-chain for the entire world to see every detail about their every move. 

While there's been lots of talk about privacy, few can define it. In this piece we’ll outline the three pillars of privacy and gives you a framework for evaluating the privacy claims of any project. 

The Three Pillars of Privacy 

True privacy rests on three essential pillars: transaction privacy, identity privacy, and computational privacy. It is only when we have all three pillars that we see the emergence of a private world computer. 

Transaction: What is being sent?

Transaction privacy means that both inputs and outputs are not viewable by anyone other than the intended participants. Inputs include any asset, value, message, or function calldata that is being sent. Outputs include any state changes or transaction effects, or any transaction metadata caused by the transaction. Transaction privacy is often primarily achieved using a UTXO model (like Zcash or Aztec’s private state tree). If a project has only the option for this pillar, it can be said to be confidential, but not private. 

Identity: Who is involved?

Identity privacy means that the identities of those involved are not viewable by anyone other than the intended participants. This includes addresses or accounts and any information about the identity of the participants, such as tx.origin, msg.sender, or linking one’s private account to public accounts. Identity privacy can be achieved in several ways, including client-side proof generation that keeps all user info on the users’ devices. If a project has only the option for this pillar, it can be said to be anonymous, but not private. 

Computation: What happened? 

Computation privacy means that any activity that happens is not viewable by anyone other than the intended participants. This includes the contract code itself, function execution, contract address, and full callstack privacy. Additionally, any metadata generated by the transaction is able to be appropriately obfuscated (such as transaction effects, events are appropriately padded, inclusion block number are in appropriate sets). Callstack privacy includes which contracts you call, what functions in those contracts you’ve called, what the results of those functions were, any subsequent functions that will be called after, and what the inputs to the function were. A project must have the option for this pillar to do anything privately other than basic transactions. 

From private money to a private world computer 

Bitcoin ushered in a new paradigm of digital money. As a permissionless, peer-to-peer currency and store of value, it changed the way value could be sent around the world and who could participate. Ethereum expanded this vision to bring us the world computer, a decentralized, general-purpose blockchain with programmable smart contracts. 

Given the limitations of running a transparent blockchain that exposes all user activity, accounts, and assets, it was clear that adding the option to preserve privacy would unlock many benefits (and more closely resemble real cash). But this was a very challenging problem. Zcash was one of the first to extend Bitcoin’s functionality with optional privacy, unlocking a new privacy-preserving UTXO model for transacting privately. As we’ll see below, many of the current privacy-focused projects are working on similar kinds of private digital money for Ethereum or other chains. 

Now, Aztec is bringing us the final missing piece: a private world computer.

A private world computer is fully decentralized, programmable, and permissionless like Ethereum and has optional privacy at every level. In other words, Aztec is extending all the functionality of Ethereum with optional transaction, identity, and computational privacy. This is the only approach that enables fully compliant, decentralized applications to be built that preserve user privacy, a new design space that we see as ushering in the next Renaissance for the space. 

Where are we now? 

Private digital money

Private digital money emerges when you have the first two privacy pillars covered - transactions and identity - but you don’t have the third - computation. Almost all projects today that claim some level of privacy are working on private digital money. This includes everything from privacy pools on Ethereum and L2s to newly emerging payment L1s like Tempo and Arc that are developing various degrees of transaction privacy 

When it comes to digital money, privacy exists on a spectrum. If your identity is hidden but your transactions are visible, that's what we call anonymous. If your transactions are hidden but your identity is known, that's confidential. And when both your identity and transactions are protected, that's true privacy. Projects are working on many different approaches to implement this, from PSE to Payy using Noir, the zkDSL built to make it intuitive to build zk applications using familiar Rust-like syntax. 

The Private World Computer 

Private digital money is designed to make payments private, but any interaction with more complex smart contracts than a straightforward payment transaction is fully exposed. 

What if we also want to build decentralized private apps using smart contracts (usually multiple that talk to each other)? For this, you need all three privacy pillars: transaction, identity, and compute. 

If you have these three pillars covered and you have decentralization, you have built a private world computer. Without decentralization, you are vulnerable to censorship, privileged backdoors and inevitable centralized control that can compromise privacy guarantees. 

Aztec: the Private World Computer 

What exactly is a private world computer? A private world computer extends all the functionality of Ethereum with optional privacy at every level, so developers can easily control which aspects they want public or private and users can selectively disclose information. With Aztec, developers can build apps with optional transaction, identity, and compute privacy on a fully decentralized network. Below, we’ll break down the main components of a private world computer.

Private Smart Contracts 

A private world computer is powered by private smart contracts. Private smart contracts have fully optional privacy and also enable seamless public and private function interaction. 

Private smart contracts simply extend the functionality of regular smart contracts with added privacy. 

As a developer, you can easily designate which functions you want to keep private and which you want to make public. For example, a voting app might allow users to privately cast votes and publicly display the result. Private smart contracts can also interact privately with other smart contracts, without needing to make it public which contracts have interacted. 

Aztec’s Three Pillars of Privacy

Transaction: Aztec supports the optionality for fully private inputs, including messages, state, and function calldata. Private state is updated via a private UTXO state tree.

Identity: Using client-side proofs and function execution, Aztec can optionally keep all user info private, including tx.origin and msg.sender for transactions. 

Computation: The contract code itself, function execution, and call stack can all be kept private. This includes which contracts you call, what functions in those contracts you’ve called, what the results of those functions were, and what the inputs to the function were. 

Decentralization

A decentralized network must be made up of a permissionless network of operators who run the network and decide on upgrades. Aztec is run by a decentralized network of node operators who propose and attest to transactions. Rollup proofs on Aztec are also run by a decentralized prover network that can permissionlessly submit proofs and participate in block rewards. Finally, the Aztec network is governed by the sequencers, who propose, signal, vote, and execute network upgrades.

What Can You Build with a Private World Computer?

Private DeFi

A private world computer enables the creation of DeFi applications where accounts, transactions, order books, and swaps remain private. Users can protect their trading strategies and positions from public view, preventing front-running and maintaining competitive advantages. Additionally, users can bridge privately into cross-chain DeFi applications, allowing them to participate in DeFi across multiple blockchains while keeping their identity private despite being on an existing transparent blockchain.

Private Dark Pools

This technology makes it possible to bring institutional trading activity on-chain while maintaining the privacy that traditional finance requires. Institutions can privately trade with other institutions globally, without having to touch public markets, enjoying the benefits of blockchain technology such as fast settlement and reduced counterparty risk, without exposing their trading intentions or volumes to the broader market.

Private RWAs & Stablecoins

Organizations can bring client accounts and assets on-chain while maintaining full compliance. This infrastructure protects on-chain asset trading and settlement strategies, ensuring that sophisticated financial operations remain private. A private world computer also supports private stablecoin issuance and redemption, allowing financial institutions to manage digital currency operations without revealing sensitive business information.

Compliant Apps

Users have granular control over their privacy settings, allowing them to fine-tune privacy levels for their on-chain identity according to their specific needs. The system enables selective disclosure of on-chain activity, meaning users can choose to reveal certain transactions or holdings to regulators, auditors, or business partners while keeping other information private, meeting compliance requirements.

Let’s build

The shift from transparent blockchains to privacy-preserving infrastructure is the foundation for bringing the next billion users on-chain. Whether you're a developer building the future of private DeFi, an institution exploring compliant on-chain solutions, or simply someone who believes privacy is a fundamental right, now is the time to get involved.

Follow Aztec on X to stay updated on the latest developments in private smart contracts and decentralized privacy technology. Ready to contribute to the network? Run a node and help power the private world computer. 

The next Renaissance is here, and it’s being powered by the private world computer.

Aztec Network
Aztec Network
24 Sep
xx min read

Testnet Retro - 2.0.3 Network Upgrade

Special thanks to Santiago Palladino, Phil Windle, Alex Gherghisan, and Mitch Tracy for technical updates and review.

On September 17th, 2025, a new network upgrade was deployed, making Aztec more secure and flexible for home stakers. This upgrade, shipped with all the features needed for a fully decentralized network launch, includes a completely redesigned slashing system that allows inactive or malicious operators to be removed, and does not penalize home stakers for short outages. 

With over 23,000 operators running validators across 6 continents (in a variety of conditions), it is critical not to penalize nodes that temporarily drop due to internet connectivity issues. This is because users of the network are also found across the globe, some of whom might have older phones. A significant effort was put into shipping a low-memory proving mode that allows older mobile devices to send transactions and use privacy-preserving apps. 

The network was successfully deployed, and all active validators on the old testnet were added to the queue of the new testnet. This manual migration was only necessary because major upgrades to the governance contracts had gone in since the last testnet was deployed. The new testnet started producing blocks after the queue started to be “flushed,” moving validators into the rollup. Because the network is fully decentralized, the initial flush could have been called by anyone. The network produced ~2k blocks before an invalid block made it to the chain and temporarily stalled block production. Block production is now restored and the network is healthy. This post explains what caused the issue and provides an update on the current status of the network. 

Note: if you are a network operator, you must upgrade to version 2.0.3 and restart your node to participate in the latest testnet. If you want to run a node, it’s easy to get started.

What’s included in the upgrade? 

This upgrade was a team-wide effort that optimized performance and implemented all the mechanisms needed to launch Aztec as a fully decentralized network from day 1. 

Feature highlights include: 

  • Improved node stability: The Aztec node software is now far more stable. Users will see far fewer crashes and increased performance in terms of attestations and blocks produced. This translates into a far better experience using testnet, as transactions get included much faster.
  • Boneh–Lynn–Shacham (BLS) keys: When a validator registers on the rollup, they also provide keys that allow BLS signature aggregation. This unlocks future optimizations where signatures can be combined via p2p communication, then verified on Ethereum, while proving that the signatures come from block proposers.
  • Low-memory proving mode: The client-side proving requirements have dropped dramatically from 3.7GB to 1.3GB through a new low-memory proving mode, enabling older mobile devices to send Aztec transactions and use apps like zkPassport. 
  • AVM performance: The Aztec Virtual Machine (AVM) performance has seen major improvements with constraint coverage jumping from 0% to approximately 90-95%, providing far more secure AVM proving and more realistic proving performance numbers from provers. 
  • Flexible key management: The system now supports flexible key management through keystores, multi-EOA support, and remote signers, eliminating the need to pass private keys through environment variables and representing a significant step toward institutional readiness. 
  • Redesigned slashing: Slashing has been redesigned to provide much better consensus guarantees. Further, the new configuration allows nodes not to penalize home stakers for short outages, such as 20-minute interruptions. 
  • Slashing Vetoer: The Slasher contract now has an explicit vetoer: an address that can prevent slashing. At Mainnet, the initial vetoer will be operated by an independent group of security researchers who will also provide security assessments on upgrades. This acts as a failsafe in the event that nodes are erroneously trying to slash other nodes due to a bug.

With these updates in place, we’re ready to test a feature-complete network. 

What happened after deployment? 

As mentioned above, block production started when someone called the flush function and a minimum number of operators from the queue were let into the validator set. 

Shortly thereafter, while testing the network, a member of the Aztec Labs team spun up a “bad” sequencer that produced an invalid block proposal. Specifically, one of the state trees in the proposal was tampered with. 

Initial block production 

The expectation was that this would be detected immediately and the block rejected. Instead, a bug was discovered in the validator code where the invalid block proposal wasn't checked thoroughly enough. In effect, the proposal got enough attestations, so it was posted to the rollup. Due to extra checks in the nodes, when the nodes pulled the invalid block from Ethereum, they detected the tampered tree and refused to sync it. This is a good outcome as it prevented the attack. Additionally, prover nodes refused to prove the epoch containing the invalid block. This allowed the rollup to prune the entire bad epoch away. After the prune, the invalid state was reset to the last known good block.

Block production stalled

The prune revealed another, smaller bug, where, after a failed block sync, a prune does not get processed correctly, requiring a node restart to clear up. This led to a 90-minute outage from the moment the block proposal was posted until the testnet recovered. The time was equally split between waiting for pruning to happen and for the nodes to restart in order to process the prune.

The Fix

Validators were correctly re-executing all transactions in the block proposals and verifying that the world state root matched the one in the block proposal, but they failed to check that intermediate tree roots, which are included in the proposal and posted to the rollup contract on L1, were also correct. The attack tweaked one of these intermediate roots while proposing a correct world state root, so it went unnoticed by the attestors. 

As mentioned above, even though the block made it through the initial attestation and was posted to L1, the invalid block was caught by the validators, and the entire epoch was never proven as provers refused to generate a proof for the inconsistent state. 

A fix was pushed that resolved this issue and ensured that invalid block proposals would be caught and rejected. A second fix was pushed that ensures inconsistent state is removed from the uncommitted cache of the world state.

Block production restored

What’s Next

Block production is currently running smoothly, and the network health has been restored. 

Operators who had previously upgraded to version 2.0.3 will need to restart their nodes. Any operator who has not upgraded to 2.0.3 should do so immediately. 

Attestation and Block Production rate on the new rollup

Slashing has also been functioning as expected. Below you can see the slashing signals for each round. A single signal can contain votes for multiple validators, but a validator's attester needs to receive 65 votes to be slashed.

Votes on slashing signals

Join us this Thursday, September 25, 2025, at 4 PM CET on the Discord Town Hall to hear more about the 2.0.3 upgrade. To stay up to date with the latest updates for network operators, join the Aztec Discord and follow Aztec on X.

Noir
Noir
18 Sep
xx min read

Just write “if”: Why Payy left Halo2 for Noir

The TL;DR:

Payy, a privacy-focused payment network, just rewrote its entire ZK architecture from Halo2 to Noir while keeping its network live, funds safe, and users happy. 

Code that took months to write now takes weeks (with MVPs built in as little as 30 minutes). Payy’s codebase shrank from thousands of lines to 250, and now their entire engineering team can actually work on its privacy infra. 

This is the story of how they transformed their ZK ecosystem from one bottlenecked by a single developer to a system their entire team can modify and maintain.

Starting with Halo2

Eighteen months ago, Payy faced a deceptively simple requirement: build a privacy-preserving payment network that actually works on phones. That requires client-side proving.

"Anyone who tells you they can give you privacy without the proof being on the phone is lying to you," Calum Moore - Payy's Technical Lead - states bluntly.

To make a private, mobile network work, they needed:

  • Mobile proof generation with sub-second performance
  • Minimal proof sizes for transmission over weak mobile signals
  • Low memory footprint for on-device proving
  • Ethereum verifier for on-chain settlement

To start, the team evaluated available ZK stacks through their zkbench framework:

STARKs (e.g., RISC Zero): Memory requirements made them a non-starter on mobile. Large proof sizes are unsuitable for mobile data transmission.

Circom with Groth16: Required trusted setup ceremonies for each circuit update. It had “abstracted a bit too early” and, as a result, is not high-level enough to develop comfortably, but not low-level enough for controls and optimizations, said Calum.

Halo2: Selected based on existing production deployments (ZCash, Scroll), small proof sizes, and an existing Ethereum verifier. As Calum admitted with the wisdom of hindsight: “Back a year and a half ago, there weren’t any other real options.”

Bus factor = 1 😳

Halo2 delivered on its promises: Payy successfully launched its network. But cracks started showing almost immediately.

First, they had to write their own chips from scratch. Then came the real fun: if statements.

"With Halo2, I'm building a chip, I'm passing this chip in... It's basically a container chip, so you'd set the value to zero or one depending on which way you want it to go. And, you'd zero out the previous value if you didn't want it to make a difference to the calculation," Calum explained, “when I’m writing in Noir, I just write ‘if’. "

With Halo2, writing an if statement (programming 101) required building custom chip infra. 

Binary decomposition, another fundamental operation for rollups, meant more custom chips. The Halo2 implementation quickly grew to thousands of lines of incomprehensible code.

And only Calum could touch any of it.

The Bottleneck

"It became this black box that no one could touch, no one could reason about, no one could verify," he recalls. "Obviously, we had it audited, and we were confident in that. But any changes could only be done by me, could only be verified by me or an auditor."

In engineering terms, this is called a bus factor of one: if Calum got hit by a bus (or took a vacation to Argentina), Payy's entire proving system would be frozen. "Those circuits are open source," Calum notes wryly, "but who's gonna be able to read the Halo2 circuits? Nobody."

Evaluating Noir: One day, in Argentina…

During a launch event in Argentina, "I was like, oh, I'll check out Noir again. See how it's going," Calum remembers. He'd been tracking Noir's progress for months, occasionally testing it out, waiting for it to be reliable.

"I wrote basically our entire client-side proof in about half an hour in Noir. And it probably took me - I don't know, three weeks to write that proof originally in Halo2."

Calum recreated Payy's client-side proof in Noir in 30 minutes. And when he tested the proving speed, without any optimization, they were seeing 2x speed improvements.

"I kind of internally… didn't want to tell my cofounder Sid that I'd already made my decision to move to Noir," Calum admits. "I hadn't broken it to him yet because it's hard to justify rewriting your proof system when you have a deployed network with a bunch of money already on the network and a bunch of users."

Rebuilding (Ship of Theseus-ing) Payy

Convincing a team to rewrite the core of a live financial network takes some evidence. The technical evaluation of Noir revealed improvements across every metric:

Proof Generation Time: Sub-0.5 second proof generation on iPhones. "We're obsessive about performance," Calum notes (they’re confident they can push it even further).

Code Complexity: Their entire ZK implementation compressed from thousands of lines of Halo2 to just 250 lines of Noir code. "With rollups, the logic isn't complex—it's more about the preciseness of the logic," Calum explains.

Composability: In Halo2, proof aggregation required hardwiring specific verifiers for each proof type. Noir offers a general-purpose verifier that accepts any proof of consistent size.

"We can have 100 different proving systems, which are hyper-efficient for the kind of application that we're doing," Calum explains. "Have them all aggregated by the same aggregation proof, and reason about whatever needs to be."

Migration Time

Initially, the goal was to "completely mirror our Halo2 proofs": no new features. This conservative approach meant they could verify correctness while maintaining a live network.

The migration preserved Payy's production architecture:

  • Rust core (According to Calum, "Writing a financial application in JavaScript is borderline irresponsible")
  • Three-proof system: client-side proof plus two aggregators  
  • Sparse Merkle tree with Poseidon hashing for state management

When things are transparent, they’re secure

"If you have your proofs in Noir, any person who understands even a little bit about logic or computers can go in and say, 'okay, I can kinda see what's happening here'," Calum notes.

The audit process completely transformed. With Halo2: "The auditors that are available to audit Halo2 are few and far between."

With Noir: "You could have an auditor that had no Noir experience do at least a 95% job."

Why? Most audit issues are logic errors, not ZK-specific bugs. When auditors can read your code, they find real problems instead of getting lost in implementation details.

Code Comparison

Halo2: Binary decomposition

  • Write a custom chip for binary decomposition
  • Implement constraint system manually
  • Handle grid placement and cell references
  • Manage witness generation separately
  • Debug at the circuit level when something goes wrong

Payy’s previous 383 line implementation of binary decomposition can be viewed here (pkg/zk-circuits/src/chips/binary_decomposition.rs).

Payy’s previous binary decomposition implementation

Meanwhile, binary decomposition is handled in Noir with the following single line.

pub fn to_le_bits<let N: u32>(self: Self) -> [u1; N]

(Source)

What's Next

With Noir's composable proof system, Payy can now build specialized provers for different operations, each optimized for its specific task.

"If statements are horrendous in SNARKs because you pay the cost of the if statement regardless of its run," Calum explains. But with Noir's approach, "you can split your application logic into separate proofs, and run whichever proof is for the specific application you're looking for."

Instead of one monolithic proof trying to handle every case, you can have specialized proofs, each perfect for its purpose.

The Bottom Line

"I fell a little bit in love with Halo2," Calum admits, "maybe it's Stockholm syndrome where you're like, you know, it's a love-hate relationship, and it's really hard. But at the same time, when you get a breakthrough with it, you're like, yes, I feel really good because I'm basically writing assembly-level ZK proofs."

“But now? I just write ‘if’.”

Technical Note: While "migrating from Halo2 to Noir" is shorthand that works for this article, technically Halo2 is an integrated proving system where circuits must be written directly in Rust using its constraint APIs, while Noir is a high-level language that compiles to an intermediate representation and can use various proving backends. Payy specifically moved from writing circuits in Halo2's low-level constraint system to writing them in Noir's high-level language, with Barretenberg (UltraHonk) as their proving backend.

Both tools ultimately enable developers to write circuits and generate proofs, but Noir's modular architecture separates circuit logic from the proving system - which is what made Payy's circuits so much more accessible to their entire team, and now allows them to swap out their proving system with minimal effort as proving systems improve.

Payy's code is open source and available for developers looking to learn from their implementation.