Menu
Comparing privacy on Aztec, Canton, Starkware, Tempo, and zkSync
Privacy has become a baseline requirement for L1s and L2s who care about bringing real-world users onchain. Users don't want their activity broadcast to competitors or the general public, but applications operating at scale also need some form of auditability, whether for regulators, compliance requirements, or tax reporting. Selective disclosure resolves that tension: privacy by default, with the ability to prove specific facts when required. What separates these networks is not whether they offer that switch, but who gets to hold it.
Aztec, Canton, Starknet, Tempo, and zkSync all offer some form of privacy with selective disclosure, but under the hood they make fundamentally different architectural decisions about who can see your data and who can turn your privacy off. Those decisions determine whether your privacy stays under your own control or sits behind a switch that someone else operates.
Three questions reveal where these networks actually diverge:
The answers determine whether your privacy off-switch is held by a policy, by an operator's good behavior, or by you alone through a cryptographic proof. As you'll see in this post, there are legitimate reasons to use each one with different tradeoffs. Aztec is the only network, however, where that switch stays in the user's hands, answering all three questions without putting a permissioned set of operators or a standing viewing key in control of your privacy. That gives developers the flexibility to build apps that comply with applicable laws while still keeping full privacy under the user's control.
This article will compare the privacy approaches of Aztec, Canton, Starknet, Tempo, and zkSync to give developers insight into the privacy tradeoffs of each network.
Here’s how each network handles the selective disclosure privacy off-switch, and who has control over your privacy:
Each of these networks offers privacy with selective disclosure, but each rests on a different network design with its own tradeoffs. We have ordered them by who holds your privacy off-switch, starting with designs where a third party controls access to your data and ending with designs where that control stays with you. At the top, the switch sits behind a policy promise and an honest operator, and further down it is replaced by proofs that the user generates and controls.
Canton keeps data private by controlling viewing permissions for the various actors on its network. A transaction splits into per-participant views, so each party receives only the sub-transactions that name it, and the parts it is not entitled to never reach it. The sequencer and mediator move those views without reading them, which is real privacy against those roles.
However, the data is still read in plaintext by the participant nodes that host the relevant parties, and in the common regulated-asset pattern where the issuer is a signatory on its own token, the issuer's node sees every transfer. The harder gap is verification, because no third party can reconstruct the global ledger, so correctness rests on the confirming nodes staying honest and their keys staying safe. In practice the off-switch sits with those nodes rather than with you, since you cannot see when your data is read and cannot stop it.
Tempo is designed for payments and uses validity proofs to verify that each zone is executing correctly, while still giving the zone operator full plaintext visibility into every transaction within that zone. Privacy comes from Tempo Zones, which are parallel execution environments connected to the Tempo mainnet.
By design, the zone operator has visibility into all transactions within the zone, while users see only their own and the public sees only a proof that the zone is valid. Token issuers set compliance controls, allowlists, blocklists, and freezes, enforced across zones. The mainnet checks each zone's validity, so execution is verified, while the operator still reads every transaction in plaintext and holds the off-switch over what is revealed. Your privacy is from the public, not from the operator.
zkSync Prividium adds the verifiability piece that Canton lacks. Every batch produces a validity proof settled to Ethereum, so a compromised operator cannot forge state or mint tokens from nothing without also forging a proof, which it cannot do. The tradeoff is that the operator processes every transaction in plaintext and decides who sees what, which means the off-switch stays with the operator and your privacy is from the outside world rather than from the operator itself.
This tradeoff has legitimate uses in high-trust institutional environments. If Bank of America, JPMorgan, and Wells Fargo are transacting on a shared network, a zone where BofA's infrastructure processes BofA-originated transactions satisfies internal control requirements while still delivering genuine ZK privacy from the other banks and the rest of the world. Where this model breaks down is in lower-trust environments where giving an operator full plaintext access and the switch that comes with it holds back product design possibilities.
Starknet's STRK20 breaks from relying on an operator for privacy. It shields ERC-20 balances and transfers in a privacy pool, and every private transaction carries a zero-knowledge proof generated client-side, so no operator sees your plaintext in order to build it.
Disclosure is where STRK20 diverges from Aztec. To join the Starknet Privacy Pool, you register an encrypted viewing key onchain, and it sits there for the life of your participation. On a regulatory request, a designated auditing entity can decrypt that key and trace your complete transaction history, forwards and backwards. StarkWare calls this ‘not a backdoor’ but a carefully scoped access mechanism, and the safeguard is a policy promise that the auditor decrypts only when required. The privacy is cryptographic, but the off-switch is a standing key that someone else holds and can flip whether or not you are watching.
On Aztec your private state lives as encrypted private data that only you can decrypt. The contract developer can choose what state is public and what is private, and whether your encrypted private data is emitted onchain as a private log or shared off-chain instead.
Your transactions get proven client-side on your own device, so no sequencer or operator sees your unencrypted private data. Those proofs settle to Ethereum, which gives the same integrity anchor marketed by Prividium, with every transaction verified and no forged state, but without a single operator who reads your data. The base protocol decentralizes sequencing, proving, and governance, so there is no operator to choose and trust in the first place.
Disclosure is your choice too: you decide who learns your private data, and whether they learn it in encrypted or decrypted form. To grant discovery without readability, you share an app-specific tagging secret that lets an auditor find your data in encrypted form without being able to decrypt and read it. This is enough to prove things calculated from that data, such as a tax basis or a profit and loss figure. Granting permission to actually read the data works differently. There's no per-contract read key you can hand out, because decryption uses your master viewing key, which would unlock all your data across every contract. So instead of sharing a key, you share the data itself, plus a proof that your plaintext is what encrypts to the on-chain ciphertext.
Aztec has true selective disclosure in that you can selectively share it, and nothing else you don’t need to. This is app specific, meaning that private data discoverability access on one app does not grant access on another. Most importantly, the off-switch stays in your hands, and you never need to trust the network to handle access to any of your private data and activity.
This is not just conceptual: here is a working proof-of-concept of this model on Aztec. PrivPNL takes you from private DEX trades through a tagging-key disclosure to a browser-generated ZK proof of your PnL. The auditor verifies a proof while the prover only has to reveal the amount they owe, and your portfolio stays private.
Canton keeps the switch with the participant nodes that read your data in plaintext, so disclosure rests on those nodes staying honest rather than on anything you control. Tempo similarly gives the off-switch to a zone-based node operator, but allows you to verify the correctness of transactions using validity proofs. Prividium hardens that promise with a proof settled to Ethereum, a real improvement, but the operator still reads every transaction and still decides who sees what. This can work well for large institutions, but small to medium sized enterprises are left with the same privacy as their current banks unless they run their own Prividium nodes. STRK20 moves the switch into a standing viewing key and asks you to trust that a designated auditor reaches for it only when needed. In each of these models the real question is not whether your privacy can be switched off, but who gets to do the switching, and whether you would even know it happened.
Aztec takes the operator and the standing key out of the question entirely. You keep the data, you generate the proof, and you disclose the result, one fact at a time and only when you choose to. The off-switch never leaves your hands, and no operator, auditor, or node can reach it on your behalf. This is one of the benefits of a network that offers fully programmable, privacy-preserving smart contracts that put you in control.
Selective disclosure is how privacy survives contact with a regulator, and the model you pick decides who can open your history when you are not looking. On Aztec, that answer is no one but you.
Dive into the technical details: Try a live demo of selective disclosure on Aztec and read the technical article on how it was built.
Integrate with Aztec: Reach out if you are interested in integrating privacy into your project.
Aztec is built on one idea: smart contracts on Ethereum where developers choose what is public and what is private. That doesn't just mean shielded transactions. It means who acts (identity), what they transact (state), and how they execute (computation) can all be private. Aztec makes end-to-end privacy possible; even the contracts themselves can be private.
But privacy also has to be practical. Aztec integrates private and public execution in the same contract, so apps can seamlessly weave together private and public state. Every account is a smart contract, letting users grant granular, revocable access for selective disclosure, which is useful for compliance, tax reporting, or agent permissions.
Finally, Aztec is a decentralized L2, with 3,500+ sequencers participating in the network today. That permissionlessness is what makes Aztec a credible foundation for a global privacy layer.
In this article we’re going to explore the Aztec stack and how we make programmable privacy a reality. We’ll answer questions like ‘what can you do on Aztec?’, ‘how does it all work?’, and ‘what are the core layers of the system that makes it all possible?’
The four layers of the Aztec stack, all live today on the Alpha network:
Aztec smart contracts are written in Noir, a programming language with Rust-like syntax optimized for writing private programs. Noir is an open-source project developed by Aztec and is now the industry-leading language for writing private apps using zero-knowledge proofs. Let’s dive into what Noir is, and why we use it as the building block for writing smart contracts.
Writing zk programs is extremely difficult without a background in cryptography. When developing Noir, our first goal was to create a highly optimized and easy-to-write zk Domain Specific Language (zkDSL) where developers don’t need to know any of the underlying mathematics. As a result, Noir handles all the cryptographic complexities, and will automatically convert your code into fancy zk circuits.
Noir compiles down to the Abstract Circuit Intermediate Representation (ACIR), an adaptable intermediary language that makes it easy to plug in a variety of popular proving backends. These proving backends, such as Aztec’s Barretenberg proving system, take the compiled zero-knowledge circuits and generate proofs attesting to the validity of the program’s execution, all without revealing any private inputs. From authorization systems that keep a password on the user's device, to complex onchain state channels with recursive proofs to verify offchain state; Noir and a proving backend handle everything from compilation to cryptography for you.
In addition to simplifying the developer experience, we also wanted to make it intuitive to specify which elements you want to keep private and which you want to make public. With Noir, privacy is baked in as a default, so all variables and functions are automatically kept completely private, and executed on the user’s device.
If you want to make any part of your code public, you can do so by simply adding a pub attribute.
Noir on its own is great for writing programs that need to execute stateless functions, such as proving that you reside in a specific country based on passport data, or that you hold a certain number of tokens without revealing how many. Projects are already starting to build with Noir outside of Aztec on Base, Scroll, Starknet, and other chains. However, if you are looking to write privacy-preserving apps that store private state data onchain, it’s helpful to utilize a smart contract library that deliberately handles those complexities for you. That’s exactly what we’ve built at Aztec and what we’ll explore in the next section.
Aztec smart contracts leverage Noir to create apps with onchain private and public state. This section covers how smart contracts work on Aztec and how you deploy and interact with your contracts.
An Aztec smart contract is a set of public and private functions written in Noir, deployed on the Aztec Network. They are written using the Aztec.nr framework which handles all the cryptography under the hood for managing private and public state and interacting with other contracts on the network.
To build useful applications, developers need to be able to incorporate both private and public components into their contracts. For example, an onchain voting contract might want to keep the information of the voter private and prevent someone from voting twice, but publicly display how many votes have been cast, and the outcome.
Because contracts are written in Noir, this functionality is as easy as adding a ‘private’ annotation above your function. The following function will be executed privately on the user device, allowing a user to cast a vote without revealing their address:
The output of this private, local execution will be sent to the network, where the correctness of execution is verified and public function calls are executed. The following function is designed to be executed publicly, adding a vote to the total tally without revealing where it came from.
To seamlessly weave together private and public components that can easily interact with onchain state, Aztec smart contracts utilize the Aztec.nr framework to execute private functions on the user’s device and bundle the proofs for these transactions together with the public functions that will be executed by the Aztec Virtual Machine (AVM).
This framework adds the functionality needed to build onchain, privacy-preserving apps, including defining contracts, accessing private or public context, and interacting with the Aztec Network. Similar to how a vanilla Noir program would compile down into zk circuits, Aztec smart contracts are compiled into zk circuits for private functions or AVM bytecode for public functions, and stored in the Aztec contract tree.
Aztec accounts are also written as smart contracts, implementing what is known as account abstraction. Account abstraction allows application developers to create programmable accounts to dramatically improve user experience, including social recovery, sponsored transactions, and multi-factor authentication. It also makes compliance practical, allowing for granular access controls on accounts.
The Aztec Network is the only decentralized L2 on Ethereum. There are currently over 3,500 sequencers running the alpha network. View the live block explorer for the alpha network.
In order for a network to fully protect users and their data, it must guarantee three levels of privacy:
When you write Aztec smart contracts, everything listed above is taken care of for you. As discussed in the previous two sections, you can easily opt into privacy protections at a granular level by weaving together public and private functions.
To understand how all of these components fit together, let’s examine how a transaction is executed on the Aztec Network.
When a user interacts with your application, private functions are executed client-side on the user’s device: a phone, a personal computer, etc. This happens in a private execution environment (PXE) that is able to create highly-efficient zk proofs even on browsers and mobile devices. Any private state updates are added to the state of the network in an append-only database (UTXO tree). Because the proof is generated client-side, no information can be leaked about the inputs, outputs, accounts, or even the functions that were executed.
On the other hand, public transactions are bundled together with the private client-side proofs and sent off to the Aztec Network, powered by a decentralized network of independent community-run sequencers. Sequencers check the validity of private execution proofs, execute any public functions and update the public state, propose blocks, and publish state updates (“diffs”) to Ethereum L1. Sequencers also coordinate with a decentralized network of provers who compute the final proof for every Aztec “epoch” - defined as a contiguous sequence of 32 L2 blocks - and publish it to Ethereum. Any public functions executed by sequencers update an account-based database similar to Ethereum.
Sequencer and prover roles are fully permissionless. Anyone can spin up the required hardware and join the sequencer set or run provers and start bidding to produce proofs of Aztec epochs.
Aztec delivers on a simple but powerful idea: smart contracts on Ethereum where you choose what's public and what's private across identity, data, and compute. The four layers we've walked through are what make that possible.
Noir gives developers a Rust-like language for writing zero-knowledge programs without a cryptography background, with privacy as the default. Aztec smart contracts build on Noir through the Aztec.nr framework, letting you weave private and public functions into a single contract and use account abstraction to unlock granular access controls for compliance, tax reporting, and selective disclosure. The Aztec Network is the only decentralized L2 on Ethereum, with over 3,500 sequencers powering end-to-end programmable privacy across data, identity, and compute. And it all settles to Ethereum, inheriting L1's economic security.
The result is the first practical platform for privacy on Ethereum, and a credible candidate to become the global settlement layer of the future.
Now it's your turn to build. Head to docs.aztec.network to ship your first privacy-preserving app.
Follow Aztec on X for updates on the current state of the network.
Last week, PSE published an insightful and comprehensive user-research piece on private transfers on Ethereum. They interviewed 38 teams in the space and asked what's broken, what's missing, what builders wish they had. The list reads like a wishlist of features every privacy app on L1 is currently trying to engineer towards. It's the kind of rigorous, builder-grounded research the privacy ecosystem has needed.
We read the list. It's the list we've been building against for years.
Aztec solves all of these problems. Every requested feature already lives on Aztec. The proving system, the private contract language, the decentralized network, the privacy wallet architecture, the key model, the snark-friendliness: all of Aztec was built against this list before it was a list.
What follows is a walkthrough. For each of PSE's top technical findings, here's the feature builders are asking for, and how it works on Aztec today.
Ethereum Problem: Proof generation is too slow on user devices, especially mobile. Elliptic-curve pairing operations are a specific bottleneck. Server-side proving is a censorship and privacy leak vector. Sub-second proving was the stated threshold.
Aztec solution: Proving on Aztec runs locally in the PXE (Private eXecution Environment, pronounced "pixie"), so no data ever leaves the user's device. Chonk, our client-side zk proving system, is ruthlessly optimised for fast recursive proving on low-memory devices like phones, native and in-browser. Years of optimization have already gone in, and we're still finding more. It’s best in class and we haven’t even merged-in GPU acceleration yet!
The slow pairing checks that PSE's interviewees called out as a bottleneck aren’t a problem with Aztec; pairings are simply batched together and deferred away from the user's device, handled by the more powerful network instead, without leaking any information. With such a powerful local prover, there’s little need to outsource proving to an untrusted party.
Ethereum Problem: Verifying a ZK proof on Ethereum is prohibitively expensive. A Groth16 proof for a private transfer costs several hundred thousand L1 gas. A Halo2 (KZG Plonk) proof can cost approximately one million gas
Aztec solution: Aztec amortises L1 verification gas across all transactions in the rollup. At current network throughput, that cost is split across roughly 2,000 users per proof. Later this year, it’s slated to be split across ~20,000. Rollup costs are also partially subsidised by Aztec block rewards.
Net result: hundreds of L1 gas per user instead of millions. Plus cheap L2 gas. The user pays pennies for an Aztec transaction.
Ethereum Problem: Wrapping and unwrapping tokens leaks privacy and breaks composability. Smart contracts can't easily interact with encrypted balances. Private state is isolated; contract state is normally shared.
Aztec solution: Private state is not isolated on Aztec. The private state of one contract can be composed with that of another. This can unlock new privacy-preserving DeFi patterns directly on Aztec.
A single private transaction can call a stack of private functions across multiple contracts, with private inputs, private state transitions, and privacy over which functions were even executed and how many. Observers see that a transaction landed. They do not see what happened inside it. Stew on that for a second: a call stack of nested private functions across contracts written by different developers, each causing state transitions, all completely private.
Aztec also runs public functions, similar to Ethereum, inside the same smart contract, so you can build existing DeFi primitives on Aztec.
For Ethereum DeFi specifically, Aztec has a tidy L1-to-L2 messaging layer. Private balances can be unshielded to interact with L1 protocols and shielded back, without leaking who did the interaction and without leaky public gas payments. And for private DeFi primitives that need genuinely shared private state (state nobody knows the value of, but which anyone can mutate), people have built Aztec contracts that compose conventional Aztec private state with co-snark or FHE sidecars.
Private and public state are peers inside a single Aztec smart contract. Builders mix and match.
Ethereum Problem: Entry and exit points are the dominant privacy leak, not the protocol itself. Depositing and quickly withdrawing makes identity analysis trivial.
Aztec solution: The main fix is to stop crossing the boundary so often. (Or even if you do cross the boundary, Aztec has leakage protections).
Imagine if thousands of private smart contracts lived on the same network and could call each other without leaking which contracts were called, which arguments were passed, or what was returned. Imagine they all shared one global note tree and one global nullifier tree. That's Aztec. Once funds are inside, users don't need to keep crossing the private/public boundary to do useful things: Aztec is its own rich environment for composable, private execution of smart contracts.
Even when a private function does need to call a public function – be it an L1 DeFi contract, or a native public function within Aztec – the developer controls the information they reveal; not the protocol. The call can even be "incognito" to hide msg_sender. A single environment for many private apps to thrive also means re-usable tooling for builders.
Ethereum Problem: Privacy features (per-dapp addresses, private transfers) aren't natively integrated into major wallets. Reliance on dapp-specific UIs damages UX.
Aztec solution: Ethereum wallets weren't built for any of this, and they don't need to be: the chain underneath them has no private state to protect. Aztec wallets are an entirely new category of software.
Aztec wallets are able to manage all these new privacy-centric concepts:
Aztec wallets are in active development, and this is an area where we expect many teams to build different wallets that are customized to various user needs. An early wallet is already baked into the protocol for developers to start using today.
Ethereum Problem: Encrypted tokens and many privacy protocols depend on external networks for encryption, decryption, or relaying. Threshold-decryption committees and TEE hardware vendors are added trust assumptions on top of the chain itself.
Aztec solution: Aztec's private and public execution environments are not reliant on external networks. Aztec is its own decentralised network: ~4,000 validators stake on it, block proposers are randomly selected, a random committee attests, and a decentralised set of provers proves the rollup's execution. Validity is ultimately backed by cryptographic proofs settled on Ethereum.
External networks (co-snark networks, TEEs, MPC or FHE sidecars) become an opt-in choice for the specific case of private shared state. The trust tradeoffs there are something the contract developer signs up for explicitly, not a tax every user pays on every transaction by default.
Ethereum Problem: Keccak is inefficient to prove inside ZK circuits. There is no native support for a ZK-friendly hash like Poseidon.
Aztec solution: Poseidon2 is enshrined across the entire Aztec protocol, for rapid proving of every tx. Every Aztec state tree, the proving system, the innards of the protocol; everywhere. Reading and writing state inside a circuit is as cheap as it gets.
Keccak, SHA, and Blake hashes are still available through optimised Noir libraries when contracts need them for L1 interoperability. The default is ZK-friendly; the L1-friendly hashes are there when you reach for them.
Ethereum Problem: Syncing private state (scanning for incoming notes and events) is a client-side bottleneck. Users wait for scans to complete before seeing their balance. Tachyon-style oblivious sync was cited as a path forward.
Aztec solution: Brute-force syncing of private state is rarely needed. Most real-world use cases involve a sender and recipient who can establish a shared secret offchain first.
From that shared secret, both parties can derive a sequence of random-looking “tags”. Each encrypted note log is prepended with the next tag in the sequence. The recipient already knows the next tag, so they know exactly what to query. Note discovery happens in seconds, not minutes. The scheme slots cleanly into PIR or mixnet approaches for extra privacy on the query itself, and smart contracts that don't trust senders to use the correct tag can just constrain it inside the circuit.
That’s not to say that Aztec requires interactivity between all senders and recipients. For genuinely non-interactive use cases (recipient can't talk to the sender before the transfer), Aztec enables devs to customize both their log emission and their note-discovery logic however they like. (Aztec also has ways to speed up the brute-force scanning approach from "scan the whole chain" to "scan a tiny subset of non-interactive handshake txs"
Ethereum Problem: Shielded pools are fragmented across dapps and chains, reducing the effective privacy set for all users. Each new privacy protocol must bootstrap its own.
Aztec solution: There is one global note tree and one global nullifier tree on Aztec, shared by every smart contract on the network. Every private app contributes to and draws from the same privacy set. No per-app bootstrap. No walled gardens.
Private payments, private swaps, lending, payroll, treasury, identity attestations: all of them land in the same global commitment set, by construction.
Ethereum Problem: Ethereum developer tooling lacks support for private transfers and private state. Standards for private tokens, compliance, and wallet interactions are missing. Many privacy teams are small, with short runway and expensive audits.
Aztec solution: Aztec ships the full toolchain for private contracts: Noir for writing private logic, the Aztec smart contract framework with macros that hide the protocol mess so devs can focus on app logic, the PXE for keys / state / syncing / proof generation, a JS SDK, a local node for testing, a CLI, and a real, live, decentralised L2.
The mental overhead of building a privacy protocol on Aztec collapses to "just write the app logic." Here is an example of a complete private transfer function on Aztec:
#[authorize_once("from", "authwit_nonce")]
#[external("private")]
fn transfer_in_private(from: AztecAddress, to: AztecAddress, amount: u128, authwit_nonce: Field) {
self.storage.balances.at(from).sub(amount).deliver(MessageDelivery.ONCHAIN_CONSTRAINED);
self.storage.balances.at(to).add(amount).deliver(MessageDelivery.ONCHAIN_CONSTRAINED);
}
Look at how simple that is.
A two-line function body.
Two lines.
Aztec takes care of the rest.
Behind those #[...] macros, the framework handles: caller authorisation, note syncing, fetching notes from the user's private db, Merkle membership proofs against the global note tree, safe nullifier creation (without leaking master secrets to the circuit), randomness for new notes, encrypted ciphertext generation, log tagging for fast recipient discovery, and public-input population. The PXE handles key management, private state, and proof generation. The smart contract itself contains its own message-processing logic for log discovery, decryption, and storage on the recipient side.
If you want whitelists, blacklists, association sets, custom tx authorisation, viewing-key hierarchies, temporary view access, selective disclosure to specific counterparties, just import a Noir library. Want something more adventurous than private payments? Same toolchain.
PSE's findings are not ten unrelated bugs. They're the same problem refracted ten ways: privacy retrofitted onto a chain that was not designed for it yields bad tradeoffs.
Aztec was designed against this list before it was a list. One global note tree and one global nullifier tree. Private and public state inside the same contract. Compose calls between private contracts without leaking anything. Fast client-side proving on phones via Chonk. Snark-friendliness everywhere. Rollup-amortised L1 gas costs, fractions of a cent per user. Native account abstraction with private fee paymasters. No painfully slow private state syncing: a tagging-based note discovery scheme that runs in seconds. An entirely new category of wallet that treats privacy as a first-class concern. Simple, high-level smart contract syntax that collapses a basic private token transfer function into two lines.
There were 10 privacy features Ethereum devs wanted, all of them live on Aztec. The infrastructure is in place. Build the thing.
Aztec is the blockchain that solved the privacy problem. Start at docs.aztec.network or read the architecture deep-dive on The Best of Both Worlds: How Aztec Blends Private and Public State.
Alpha is live: a fully feature-complete, privacy-first network. The infrastructure is in place, privacy is native to the protocol, and developers can now build truly private applications.
Nine years ago, we set out to redesign blockchain for privacy. The goal: create a system institutions can adopt while giving users true control of their digital lives. Privacy band-aids are coming to Ethereum (someday), but it’s clear we need privacy now, and there’s an arms race underway to build it. Privacy is complex, it’s not a feature you can bolt-on as an afterthought. It demands a ground-up approach, deep tech stack integration, and complete decentralization.
In November 2025, the Aztec Ignition Chain went live as the first decentralized L2 on Ethereum, it’s the coordination layer that the execution layer sits on top of. The network is not operated by the Aztec Labs or the Aztec Foundation, it’s run by the community, making it the true backbone of Aztec.
With the infrastructure in place and a unanimous community vote, the network enters Alpha.
Alpha is the first Layer 2 with a full execution environment for private smart contracts. All accounts, transactions, and the execution itself can be completely private. Developers can now choose what they want public and what they want to keep private while building with the three privacy pillars we have in place across data, identity, and compute.
These privacy pillars, which can be used individually or combined, break down into three core layers:
Alpha is feature complete–meaning this is the only full-stack solution for adding privacy to your business or application. You build, and Aztec handles the cryptography under the hood.
It’s Composable. Private-preserving contracts are not isolated; they can talk to each other and seamlessly blend both private and public state across contracts. Privacy can be preserved across contract calls for full callstack privacy.
No backdoor access. Aztec is the only decentralized L2, and is launching as a fully decentralized rollup with a Layer 1 escape hatch.
It’s Compliant. Companies are missing out on the benefits of blockchains because transparent chains expose user data, while private networks protect it, but still offer fully customizable controls. Now they can build compliant apps that move value around the world instantly.
Developers can explore our privacy primitives across data, identity, and compute and start building with them using the documentation here. Note that this is an early version of the network with known vulnerabilities, see this post for details. While this is the first iteration of the network, there will be several upgrades that secure and harden the network on our path to Beta. If you’d like to learn more about how you can integrate privacy into your project, reach out here.
To hear directly from our Cofounders, join our live from Cannes Q&A on Tuesday, March 31st at 9:30 am ET. Follow us on X to get the latest updates from the Aztec Network.
On Wednesday 17 March 2026 our team discovered a new vulnerability in the Aztec Network. Following the analysis, the vulnerability has been confirmed as a critical vulnerability in accordance with our vulnerability matrix.
The vulnerability affects the proving system as a whole, and is not mitigated via public re-execution by the committee of validators. Exploitation can lead to severe disruption of the protocol and theft of user funds.
In accordance with our policy, fixes for the network will be packaged and distributed with the “v5” release of the network, currently planned for July 2026.
The actual bug and corresponding patch will not be publicly disclosed until “v5.”
Aztec applications and portals bridging assets from Layer 1s should warn users about the security guarantees of Alpha, in particular, reminding users not to put in funds they are not willing to lose. Portals or applications may add additional security measures or training wheels specific to their application or use case.
We will shortly establish a bug tracker to show the number and severity of bugs known to us in v4. The tracker will be updated as audits and security researchers discover issues. Each new alpha release will get its own tracker. This will allow developers and users to judge for themselves how they are willing to use the network, and we will use the tracker as a primary determinant for whether the network is ready for a "Beta" label.
We have identified a vulnerability in barretenberg allowing inclusion of incorrect proofs in the Aztec Network mempool, and ask all nodes to upgrade to versions v.4.1.2 or later.
We’d like to thank Consensys Diligence & TU Vienna for a recent discovery of a separate vulnerability in barretenberg categorized as medium for the network and critical for Noir:
We have published a fixed version of barretenberg.
We’d also like to thank Plainshift AI for discovery, reproduction, and reporting of one more vulnerability in the Aztec Network and their ongoing work to help secure the network.
Privacy has become a baseline requirement for L1s and L2s who care about bringing real-world users onchain. Users don't want their activity broadcast to competitors or the general public, but applications operating at scale also need some form of auditability, whether for regulators, compliance requirements, or tax reporting. Selective disclosure resolves that tension: privacy by default, with the ability to prove specific facts when required. What separates these networks is not whether they offer that switch, but who gets to hold it.
Aztec, Canton, Starknet, Tempo, and zkSync all offer some form of privacy with selective disclosure, but under the hood they make fundamentally different architectural decisions about who can see your data and who can turn your privacy off. Those decisions determine whether your privacy stays under your own control or sits behind a switch that someone else operates.
Three questions reveal where these networks actually diverge:
The answers determine whether your privacy off-switch is held by a policy, by an operator's good behavior, or by you alone through a cryptographic proof. As you'll see in this post, there are legitimate reasons to use each one with different tradeoffs. Aztec is the only network, however, where that switch stays in the user's hands, answering all three questions without putting a permissioned set of operators or a standing viewing key in control of your privacy. That gives developers the flexibility to build apps that comply with applicable laws while still keeping full privacy under the user's control.
This article will compare the privacy approaches of Aztec, Canton, Starknet, Tempo, and zkSync to give developers insight into the privacy tradeoffs of each network.
Here’s how each network handles the selective disclosure privacy off-switch, and who has control over your privacy:
Each of these networks offers privacy with selective disclosure, but each rests on a different network design with its own tradeoffs. We have ordered them by who holds your privacy off-switch, starting with designs where a third party controls access to your data and ending with designs where that control stays with you. At the top, the switch sits behind a policy promise and an honest operator, and further down it is replaced by proofs that the user generates and controls.
Canton keeps data private by controlling viewing permissions for the various actors on its network. A transaction splits into per-participant views, so each party receives only the sub-transactions that name it, and the parts it is not entitled to never reach it. The sequencer and mediator move those views without reading them, which is real privacy against those roles.
However, the data is still read in plaintext by the participant nodes that host the relevant parties, and in the common regulated-asset pattern where the issuer is a signatory on its own token, the issuer's node sees every transfer. The harder gap is verification, because no third party can reconstruct the global ledger, so correctness rests on the confirming nodes staying honest and their keys staying safe. In practice the off-switch sits with those nodes rather than with you, since you cannot see when your data is read and cannot stop it.
Tempo is designed for payments and uses validity proofs to verify that each zone is executing correctly, while still giving the zone operator full plaintext visibility into every transaction within that zone. Privacy comes from Tempo Zones, which are parallel execution environments connected to the Tempo mainnet.
By design, the zone operator has visibility into all transactions within the zone, while users see only their own and the public sees only a proof that the zone is valid. Token issuers set compliance controls, allowlists, blocklists, and freezes, enforced across zones. The mainnet checks each zone's validity, so execution is verified, while the operator still reads every transaction in plaintext and holds the off-switch over what is revealed. Your privacy is from the public, not from the operator.
zkSync Prividium adds the verifiability piece that Canton lacks. Every batch produces a validity proof settled to Ethereum, so a compromised operator cannot forge state or mint tokens from nothing without also forging a proof, which it cannot do. The tradeoff is that the operator processes every transaction in plaintext and decides who sees what, which means the off-switch stays with the operator and your privacy is from the outside world rather than from the operator itself.
This tradeoff has legitimate uses in high-trust institutional environments. If Bank of America, JPMorgan, and Wells Fargo are transacting on a shared network, a zone where BofA's infrastructure processes BofA-originated transactions satisfies internal control requirements while still delivering genuine ZK privacy from the other banks and the rest of the world. Where this model breaks down is in lower-trust environments where giving an operator full plaintext access and the switch that comes with it holds back product design possibilities.
Starknet's STRK20 breaks from relying on an operator for privacy. It shields ERC-20 balances and transfers in a privacy pool, and every private transaction carries a zero-knowledge proof generated client-side, so no operator sees your plaintext in order to build it.
Disclosure is where STRK20 diverges from Aztec. To join the Starknet Privacy Pool, you register an encrypted viewing key onchain, and it sits there for the life of your participation. On a regulatory request, a designated auditing entity can decrypt that key and trace your complete transaction history, forwards and backwards. StarkWare calls this ‘not a backdoor’ but a carefully scoped access mechanism, and the safeguard is a policy promise that the auditor decrypts only when required. The privacy is cryptographic, but the off-switch is a standing key that someone else holds and can flip whether or not you are watching.
On Aztec your private state lives as encrypted private data that only you can decrypt. The contract developer can choose what state is public and what is private, and whether your encrypted private data is emitted onchain as a private log or shared off-chain instead.
Your transactions get proven client-side on your own device, so no sequencer or operator sees your unencrypted private data. Those proofs settle to Ethereum, which gives the same integrity anchor marketed by Prividium, with every transaction verified and no forged state, but without a single operator who reads your data. The base protocol decentralizes sequencing, proving, and governance, so there is no operator to choose and trust in the first place.
Disclosure is your choice too: you decide who learns your private data, and whether they learn it in encrypted or decrypted form. To grant discovery without readability, you share an app-specific tagging secret that lets an auditor find your data in encrypted form without being able to decrypt and read it. This is enough to prove things calculated from that data, such as a tax basis or a profit and loss figure. Granting permission to actually read the data works differently. There's no per-contract read key you can hand out, because decryption uses your master viewing key, which would unlock all your data across every contract. So instead of sharing a key, you share the data itself, plus a proof that your plaintext is what encrypts to the on-chain ciphertext.
Aztec has true selective disclosure in that you can selectively share it, and nothing else you don’t need to. This is app specific, meaning that private data discoverability access on one app does not grant access on another. Most importantly, the off-switch stays in your hands, and you never need to trust the network to handle access to any of your private data and activity.
This is not just conceptual: here is a working proof-of-concept of this model on Aztec. PrivPNL takes you from private DEX trades through a tagging-key disclosure to a browser-generated ZK proof of your PnL. The auditor verifies a proof while the prover only has to reveal the amount they owe, and your portfolio stays private.
Canton keeps the switch with the participant nodes that read your data in plaintext, so disclosure rests on those nodes staying honest rather than on anything you control. Tempo similarly gives the off-switch to a zone-based node operator, but allows you to verify the correctness of transactions using validity proofs. Prividium hardens that promise with a proof settled to Ethereum, a real improvement, but the operator still reads every transaction and still decides who sees what. This can work well for large institutions, but small to medium sized enterprises are left with the same privacy as their current banks unless they run their own Prividium nodes. STRK20 moves the switch into a standing viewing key and asks you to trust that a designated auditor reaches for it only when needed. In each of these models the real question is not whether your privacy can be switched off, but who gets to do the switching, and whether you would even know it happened.
Aztec takes the operator and the standing key out of the question entirely. You keep the data, you generate the proof, and you disclose the result, one fact at a time and only when you choose to. The off-switch never leaves your hands, and no operator, auditor, or node can reach it on your behalf. This is one of the benefits of a network that offers fully programmable, privacy-preserving smart contracts that put you in control.
Selective disclosure is how privacy survives contact with a regulator, and the model you pick decides who can open your history when you are not looking. On Aztec, that answer is no one but you.
Dive into the technical details: Try a live demo of selective disclosure on Aztec and read the technical article on how it was built.
Integrate with Aztec: Reach out if you are interested in integrating privacy into your project.
Alpha is live: a fully feature-complete, privacy-first network. The infrastructure is in place, privacy is native to the protocol, and developers can now build truly private applications.
Nine years ago, we set out to redesign blockchain for privacy. The goal: create a system institutions can adopt while giving users true control of their digital lives. Privacy band-aids are coming to Ethereum (someday), but it’s clear we need privacy now, and there’s an arms race underway to build it. Privacy is complex, it’s not a feature you can bolt-on as an afterthought. It demands a ground-up approach, deep tech stack integration, and complete decentralization.
In November 2025, the Aztec Ignition Chain went live as the first decentralized L2 on Ethereum, it’s the coordination layer that the execution layer sits on top of. The network is not operated by the Aztec Labs or the Aztec Foundation, it’s run by the community, making it the true backbone of Aztec.
With the infrastructure in place and a unanimous community vote, the network enters Alpha.
Alpha is the first Layer 2 with a full execution environment for private smart contracts. All accounts, transactions, and the execution itself can be completely private. Developers can now choose what they want public and what they want to keep private while building with the three privacy pillars we have in place across data, identity, and compute.
These privacy pillars, which can be used individually or combined, break down into three core layers:
Alpha is feature complete–meaning this is the only full-stack solution for adding privacy to your business or application. You build, and Aztec handles the cryptography under the hood.
It’s Composable. Private-preserving contracts are not isolated; they can talk to each other and seamlessly blend both private and public state across contracts. Privacy can be preserved across contract calls for full callstack privacy.
No backdoor access. Aztec is the only decentralized L2, and is launching as a fully decentralized rollup with a Layer 1 escape hatch.
It’s Compliant. Companies are missing out on the benefits of blockchains because transparent chains expose user data, while private networks protect it, but still offer fully customizable controls. Now they can build compliant apps that move value around the world instantly.
Developers can explore our privacy primitives across data, identity, and compute and start building with them using the documentation here. Note that this is an early version of the network with known vulnerabilities, see this post for details. While this is the first iteration of the network, there will be several upgrades that secure and harden the network on our path to Beta. If you’d like to learn more about how you can integrate privacy into your project, reach out here.
To hear directly from our Cofounders, join our live from Cannes Q&A on Tuesday, March 31st at 9:30 am ET. Follow us on X to get the latest updates from the Aztec Network.
The Ignition Chain launched late last year, as the first fully decentralized L2 on Ethereum– a huge milestone for decentralized networks. The team has reinvented what true programmable privacy means, building the execution model from the ground up— combining the programmability of Ethereum with the privacy of Zcash in a single execution environment.
Since then, the network has been running with zero downtime with 3,500+ sequencers and 50+ provers across five continents. With the infrastructure now in place, the network is fully in the hands of the community, and the culmination of the past 8 years of work is now converging.
Major upgrades have landed across four tracks: the execution layer, the proving system, the programming language, Noir, and the decentralization stack. Together, these milestones deliver on Aztec’s original promise, a system where developers can write fully programmable smart contracts with customizable privacy.
The infrastructure is in place. The code is ready. And we’re ready to ship.
The execution layer delivers on Aztec's core promise: fully programmable, privacy-preserving smart contracts on Ethereum.
A complete dual state model is now in place–with both private and public state. Private functions execute client-side in the Private Execution Environment (PXE), running directly in the user's browser and generating zero-knowledge proofs locally, so that private data never leaves the original device. Public functions execute on the Aztec Virtual Machine (AVM) on the network side.
Aztec.js is now live, giving developers a full SDK for managing accounts and interacting with contracts. Native account abstraction has been implemented, meaning every account is a smart contract with customizable authentication rules. Note discovery has been solved through a tagging mechanism, allowing recipients to efficiently query for relevant notes without downloading and decrypting everything on the network.
Contract standards are underway, with the Wonderland team delivering AIP-20 for tokens and AIP-721 for NFTs, along with escrow contracts and logic libraries, providing the production-ready building blocks for the Alpha Network.
The proving system is what makes Aztec's privacy guarantees real, and it has deep roots.
In 2019, Aztec's cofounder Zac Williamson and Chief Scientist Ariel Gabizon introduced PLONK, which became one of the most widely used proving systems in zero-knowledge cryptography. Since then, Aztec's cryptographic backend, Barretenberg, has evolved through multiple generations, each facilitating faster, lighter, and more efficient proving than the last. The latest innovation, CHONK (Client-side Highly Optimized ploNK), is purpose-built for proving on phones and browsers and is what powers proof generation for the Alpha Network.
CHONK is a major leap forward for the user experience, dramatically reducing the memory and time required to generate proofs on consumer devices. It leverages best-in-class circuit primitives, a HyperNova-style folding scheme for efficiently processing chains of private function calls, and Goblin, a hyper-efficient purpose-built recursion acceleration scheme. The result is that private transactions can be proven on the devices people actually use, not just powerful servers.
This matters because privacy on Aztec means proofs are generated on the user's own device, keeping private data private. If proving is too slow or too resource-intensive, privacy becomes impractical. CHONK makes it practical.
Decentralization is what makes Aztec's privacy guarantees credible. Without it, a central operator could censor transactions, introduce backdoors, or compromise user privacy at will.
Aztec addressed this by hardcoding decentralized sequencing, proving, and governance directly into the base protocol. The Ignition Chain has proven the stability of this consensus layer, maintaining zero downtime with over 3,500 sequencers and 50+ provers running across five continents. Aztec Labs and the Aztec Foundation run no sequencers and do not participate in governance.
Noir 1.0 is nearing completion, bringing a stable, production-grade language within reach. Aztec's own protocol circuits have been entirely rewritten in Noir, meaning the language is already battle-tested at the deepest layer of the stack.
Internal and external audits of the compiler and toolchain are progressing in parallel, and security tooling including fuzzers and bytecode parsers is nearly finished. A stable, audited language means application teams can build on Alpha with confidence that the foundation beneath them won't shift.
The code for Alpha Network, a functionally complete and raw version of the network, is ready.
The Alpha Network brings fully programmable, privacy-preserving smart contracts to Ethereum for the first time. It's the culmination of years of parallel work across the four tracks in the Aztec Roadmap. Together, they enable efficient client-side proofs that power customizable smart contracts, letting users choose exactly what stays private and what goes public.
No other project in the space is close to shipping this.
The code is written. The network is running. All the pieces are in place. The governance proposal is now live on the forum and open for discussion. Read through it, ask questions, poke holes, and help shape the path forward.
Once the community is aligned, the proposal moves to a vote. This is how a decentralized network upgrades. Not by a team pushing a button, but by the people running it.
Programmable privacy will unlock a renaissance in onchain adoption. Real-world applications are coming and institutions are paying attention. Alpha represents the culmination of eight years of intense work to deliver privacy on Ethereum.
Now it needs to be battle-tested in the wild.
View the updated product roadmap here and join us on Thursday, March 5th, at 3 pm UTC on X to hear more about the most recent updates to our product roadmap.
Privacy has emerged as a major driver for the crypto industry in 2025. We’ve seen the explosion of Zcash, the Ethereum Foundation’s refocusing of PSE, and the launch of Aztec’s testnet with over 24,000 validators powering the network. Many apps have also emerged to bring private transactions to Ethereum and Solana in various ways, and exciting technologies like ZKPassport that privately bring identity on-chain using Noir have become some of the most talked about developments for ushering in the next big movements to the space.
Underpinning all of these developments is the emerging consensus that without privacy, blockchains will struggle to gain real-world adoption.
Without privacy, institutions can’t bring assets on-chain in a compliant way or conduct complex swaps and trades without revealing their strategies. Without privacy, DeFi remains dominated and controlled by advanced traders who can see all upcoming transactions and manipulate the market. Without privacy, regular people will not want to move their lives on-chain for the entire world to see every detail about their every move.
While there's been lots of talk about privacy, few can define it. In this piece we’ll outline the three pillars of privacy and gives you a framework for evaluating the privacy claims of any project.
True privacy rests on three essential pillars: transaction privacy, identity privacy, and computational privacy. It is only when we have all three pillars that we see the emergence of a private world computer.
Transaction privacy means that both inputs and outputs are not viewable by anyone other than the intended participants. Inputs include any asset, value, message, or function calldata that is being sent. Outputs include any state changes or transaction effects, or any transaction metadata caused by the transaction. Transaction privacy is often primarily achieved using a UTXO model (like Zcash or Aztec’s private state tree). If a project has only the option for this pillar, it can be said to be confidential, but not private.
Identity privacy means that the identities of those involved are not viewable by anyone other than the intended participants. This includes addresses or accounts and any information about the identity of the participants, such as tx.origin, msg.sender, or linking one’s private account to public accounts. Identity privacy can be achieved in several ways, including client-side proof generation that keeps all user info on the users’ devices. If a project has only the option for this pillar, it can be said to be anonymous, but not private.
Computation privacy means that any activity that happens is not viewable by anyone other than the intended participants. This includes the contract code itself, function execution, contract address, and full callstack privacy. Additionally, any metadata generated by the transaction is able to be appropriately obfuscated (such as transaction effects, events are appropriately padded, inclusion block number are in appropriate sets). Callstack privacy includes which contracts you call, what functions in those contracts you’ve called, what the results of those functions were, any subsequent functions that will be called after, and what the inputs to the function were. A project must have the option for this pillar to do anything privately other than basic transactions.
Bitcoin ushered in a new paradigm of digital money. As a permissionless, peer-to-peer currency and store of value, it changed the way value could be sent around the world and who could participate. Ethereum expanded this vision to bring us the world computer, a decentralized, general-purpose blockchain with programmable smart contracts.
Given the limitations of running a transparent blockchain that exposes all user activity, accounts, and assets, it was clear that adding the option to preserve privacy would unlock many benefits (and more closely resemble real cash). But this was a very challenging problem. Zcash was one of the first to extend Bitcoin’s functionality with optional privacy, unlocking a new privacy-preserving UTXO model for transacting privately. As we’ll see below, many of the current privacy-focused projects are working on similar kinds of private digital money for Ethereum or other chains.
Now, Aztec is bringing us the final missing piece: a private world computer.
A private world computer is fully decentralized, programmable, and permissionless like Ethereum and has optional privacy at every level. In other words, Aztec is extending all the functionality of Ethereum with optional transaction, identity, and computational privacy. This is the only approach that enables fully compliant, decentralized applications to be built that preserve user privacy, a new design space that we see as ushering in the next Renaissance for the space.
Private digital money emerges when you have the first two privacy pillars covered - transactions and identity - but you don’t have the third - computation. Almost all projects today that claim some level of privacy are working on private digital money. This includes everything from privacy pools on Ethereum and L2s to newly emerging payment L1s like Tempo and Arc that are developing various degrees of transaction privacy
When it comes to digital money, privacy exists on a spectrum. If your identity is hidden but your transactions are visible, that's what we call anonymous. If your transactions are hidden but your identity is known, that's confidential. And when both your identity and transactions are protected, that's true privacy. Projects are working on many different approaches to implement this, from PSE to Payy using Noir, the zkDSL built to make it intuitive to build zk applications using familiar Rust-like syntax.
Private digital money is designed to make payments private, but any interaction with more complex smart contracts than a straightforward payment transaction is fully exposed.
What if we also want to build decentralized private apps using smart contracts (usually multiple that talk to each other)? For this, you need all three privacy pillars: transaction, identity, and compute.
If you have these three pillars covered and you have decentralization, you have built a private world computer. Without decentralization, you are vulnerable to censorship, privileged backdoors and inevitable centralized control that can compromise privacy guarantees.
What exactly is a private world computer? A private world computer extends all the functionality of Ethereum with optional privacy at every level, so developers can easily control which aspects they want public or private and users can selectively disclose information. With Aztec, developers can build apps with optional transaction, identity, and compute privacy on a fully decentralized network. Below, we’ll break down the main components of a private world computer.
A private world computer is powered by private smart contracts. Private smart contracts have fully optional privacy and also enable seamless public and private function interaction.
Private smart contracts simply extend the functionality of regular smart contracts with added privacy.
As a developer, you can easily designate which functions you want to keep private and which you want to make public. For example, a voting app might allow users to privately cast votes and publicly display the result. Private smart contracts can also interact privately with other smart contracts, without needing to make it public which contracts have interacted.
Transaction: Aztec supports the optionality for fully private inputs, including messages, state, and function calldata. Private state is updated via a private UTXO state tree.
Identity: Using client-side proofs and function execution, Aztec can optionally keep all user info private, including tx.origin and msg.sender for transactions.
Computation: The contract code itself, function execution, and call stack can all be kept private. This includes which contracts you call, what functions in those contracts you’ve called, what the results of those functions were, and what the inputs to the function were.
A decentralized network must be made up of a permissionless network of operators who run the network and decide on upgrades. Aztec is run by a decentralized network of node operators who propose and attest to transactions. Rollup proofs on Aztec are also run by a decentralized prover network that can permissionlessly submit proofs and participate in block rewards. Finally, the Aztec network is governed by the sequencers, who propose, signal, vote, and execute network upgrades.
A private world computer enables the creation of DeFi applications where accounts, transactions, order books, and swaps remain private. Users can protect their trading strategies and positions from public view, preventing front-running and maintaining competitive advantages. Additionally, users can bridge privately into cross-chain DeFi applications, allowing them to participate in DeFi across multiple blockchains while keeping their identity private despite being on an existing transparent blockchain.
This technology makes it possible to bring institutional trading activity on-chain while maintaining the privacy that traditional finance requires. Institutions can privately trade with other institutions globally, without having to touch public markets, enjoying the benefits of blockchain technology such as fast settlement and reduced counterparty risk, without exposing their trading intentions or volumes to the broader market.
Organizations can bring client accounts and assets on-chain while maintaining full compliance. This infrastructure protects on-chain asset trading and settlement strategies, ensuring that sophisticated financial operations remain private. A private world computer also supports private stablecoin issuance and redemption, allowing financial institutions to manage digital currency operations without revealing sensitive business information.
Users have granular control over their privacy settings, allowing them to fine-tune privacy levels for their on-chain identity according to their specific needs. The system enables selective disclosure of on-chain activity, meaning users can choose to reveal certain transactions or holdings to regulators, auditors, or business partners while keeping other information private, meeting compliance requirements.
The shift from transparent blockchains to privacy-preserving infrastructure is the foundation for bringing the next billion users on-chain. Whether you're a developer building the future of private DeFi, an institution exploring compliant on-chain solutions, or simply someone who believes privacy is a fundamental right, now is the time to get involved.
Follow Aztec on X to stay updated on the latest developments in private smart contracts and decentralized privacy technology. Ready to contribute to the network? Run a node and help power the private world computer.
The next Renaissance is here, and it’s being powered by the private world computer.
The following is written by Zac Williamson, with inspiration and advice from Arnaud Schenk.
My fellow companions, my decentralized brothers and sisters. I wish to tell you a story, about complicated people and their struggles to resolve the wreckage of their contradictions. It is a story of humanity.
We are at a unique point in history and stand at the threshold of two worlds. One world is a propagation of our present, a status quo antebellum with all of its associated joys and sorrows.
There is another door, one hidden from view except for those with the sight to see it. You and I are here because we see a unique vision of the future, one of high technology and high ideals, that advance human beings from their status as a commodity resource in a globalized world, to free actors imbued with autonomy and purpose, who bow to no one.
I want to articulate this vision and examine the forces that drive us. Despite our successes and dedication it is clear that our current achievements fall short of our aspirations. We must reconcile this.
Bitcoin is not yet a credible threat to traditional currencies. Paying for goods and services with cryptocurrency is a niche luxury for the technologically well-connected. Decentralized autonomous organizations (DAOs) are yet to govern anything that is not a cryptocurrency project. A notable exception was ConstitutionDAO, which immediately failed in its goals due to the intrinsic limitations of trustless blockchain networks.
There are missing pieces in the technological armaments we have fashioned. I want to show you the missing pieces. I want to go back to the roots: what are the systems and frameworks we want to disrupt? Which properties do blockchain networks need for us to forge a conspiracy against the present, and fight for our vision of the future?
Reaching back into prehistory, humanity has been waging a war against itself – a war that pits the freedom and autonomy of individuals against the safety and control of institutions.
We want to be free. We want to be safe. This is the eternal contradiction.
To acquire safety we bind ourselves to institutions. Within these institutions, control factions form. They metastasize and act to entrench their power and influence by monopolizing human agency. This triggers inevitable conflict and revolt, which acts to reset the equilibrium.
How best we can resolve the contradiction between freedom and safety is a function of social organization, the quality of which is gated behind technological innovation.
Blockchain is one such technology. To identify what we need, we must identify the weaknesses of the institutions we seek to undermine, and tailor our strengths against them.
Control factions have a fatal weakness: they reject competence.
Competent people threaten individuals within entrenched power structures. A competent subordinate is a threat to your power and privileges. This is the so-called “dictator trap”, but the mechanics at play extend to all power structures, from the boards of mega-corporations to the local residents association. But it’s not a dictator trap, it is an institution trap.
Power craves legibility and predictability and will act on these desires by exerting control – limiting agency and freedom of action.
We want to undermine institutional control, and redistribute control down to smaller units of organization.
Blockchain technology enables such radical new forms of social organization that fall outside the frameworks of traditional institutions.
We possess a keystone technology that enables mass peer-to-peer coordination, initially of cryptocurrency assets but this can be generalized to anything with perceived value that can be given a digital fingerprint.
Blockchain networks have radically different incentive mechanisms to traditional modes of social organization.
Because blockchains are coordination engines. They enable individuals to coordinate on how to deploy their collective resources. This type of mass-coordination of personal resources is unique and will subtly act to profoundly re-distribute the existing power structures of the present.
Why? Blockchains weaken the fundamental value propositions of vertically integrated companies that extract a profit from information asymmetries. Individuals whose skills serve large institutions can more easily decide for themselves how best to apply their skills, without the need for the institution’s support frameworks. As a coordination engine, blockchain networks can efficiently combine the skills and capital required to execute grand ideas, as well as provide a digital market for resulting products.
A global marketplace of programmable money is one with profound information transparency. The ability of independent groups to analyze the market enables great efficiency and reduces information asymmetries. Though, does not delete them entirely.
In short, blockchain networks are pro-competency. They allow individuals to decide for themselves how their skills can best be utilized and deployed, instead of having that decided for them by a control faction. Competent people add value to the network and in doing so, provide another composable brick that others can use in their constructions. The raw incentives create a positive-sum game.
What are the missing pieces?
The great difficulty in realizing our vision is the limited ability of current blockchains to reach into the real world.
We are not our online avatars. We exist in a physical space and we have physical needs that must be satisfied. We are bound to networks of obligation and responsibility that societies depend upon to maintain social order. We cannot live in an NFT.
The real world matters. Without a way of linking real-world identities to blockchains, the grand cypherpunk vision for blockchain can never be fully realized – only a neutered form of primitive electronic sovereignty.
The new information networks we are building lack a key ingredient: composable privacy.
By using novel cryptography, we can turn blockchains into encrypted ledgers where transactions hide their execution from observers. Identities can be encrypted, but still used to prove statements about the user, and without involving an additional institutional third party. e.g. “I have a U.S. passport”, “I have a digital driving license”, “I have a Twitter account with over 1,000 followers”, “I signed in with a Google account”.
The effect of this is to build trust infrastructure that allows human beings to iteratively build trust between themselves and to do so rapidly and at scale.
Programmable private blockchains stand to usher in a revolution in how distributed systems can be used. Without strong identity guarantees, the only workable governance mechanisms for distributed on-chain organizations are autocracy and plutocracy.
However, if past actions can be uniquely tied to a cryptocurrency account, it is possible to identify key stakeholders and to give them an accelerated role in governance. That enables a much more democratic architecture of governance systems.
Privacy technology is required to turn blockchains into the coordination engines they were always destined to be.
The future we are building does not outright destroy existing systems of control – it breaks them apart and replicates these systems on a smaller scale. Lower barriers to entry lead to greater competition and market fragmentation and act to limit the ability of distributed organizations to consolidate power.
Because coordination engines are pro-competency.
There is a phrase I think we will hear much of over the coming years: privacy for the user, transparency for the protocol.
The capabilities of private programmable blockchains and the outcomes they enable are not commonly understood. A private blockchain is not one where all information and data are intrinsically hidden. They are hybrid systems where public and private data coexist. Application designers and users can choose which data is hidden.
Efficient markets require data transparency. Data relating to identity requires data confidentiality. The solution is applications where information that relates to assets is public, and information relating to users (e.g. who owns said assets) is private.
To create a privacy-preserving ecosystem it must be possible for confidential, transparent, and hybrid applications to directly interact with one another. Privacy is not an aftermarket add-on to be bolted onto a few select applications. Full composability is essential to develop a rich ecosystem.
Composability enables trust-building networks by allowing individuals to put core aspects of themselves on-chain, disclosing it only selectively and enabling distributed protocols to use these capabilities in a composable permissionless manner, without leaking information. Who are you? What have you done? What do you want to do? With privacy, we can disclose this information to smart contracts and hide it from people. These will form core primitives of our new information networks.
I have spent the last 6 years building exactly this, through building Aztec. Crafting the missing ingredient, privacy, via cutting-edge cryptography, zero-knowledge proofs, and raw engineering.
Networks have values that are independent of their creators. Networks live or die on the quality of their network effects. This incentive gives network participants a shared motivation to expand the network. The more nodes that exist, the greater the value individual nodes can extract from the network. The manner in which the network changes itself to act on these motivations defines its intrinsic values.
What are the intrinsic values of permissionless programmable privacy networks like Aztec? We can derive these from the fundamental value proposition – to expose a rich ecosystem of composable, confidential applications, and to do this as a permissionless, decentralized network. This enables individuals and small groups to compete in industries dominated by large players leveraging large information asymmetries.
Such networks are, at their very core, pro-competency. If you have something useful to add to the network, you can. If you want to use existing network components in your product, go right ahead. No need to ask for permission from the network.
From this starting point we can anticipate the cycles of action and reaction that will drive networks like Aztec to adopt the following values over their lives:
Blockchain networks grow by harnessing the industry and enterprise of as many human souls as they can get their hands on.
Without mechanisms of coercion to fall back on, the network must ensure a positive-sum game for network participants who add value. These also happen to be values that I believe I strongly hold. This is not a coincidence. I started in web3 seven years ago building a marketplace for corporate debt on Ethereum and by degrees ended up building a distributed programmable privacy network on Ethereum. This was not due to some grand design but, I think, the cumulative effects of seven years of following my impulses. To find a place of belonging.
This feeling is something you may share – that the frameworks and systems produced by our societies offer none of us a true sense of belonging and purpose. But here, amongst our companions, we have found belonging through building a shared vision of a radical new world.
There is a long road to walk to realize the ambitions of the new information networks. The technology is barely capable and challenging to build. The architecture is novel and challenging to design. Convincing people to build on radical foundations to bootstrap a market is challenging. Building competitive infrastructure and tooling is challenging.
The challenge is irrelevant. We cannot become a generation scorned by our descendants for squandering the opportunity of a lifetime.
We will build and deploy the new information networks and by degrees will learn how to use them to chip away at the inequities of the status quo, and the social order that upholds it.
Equipped with such armaments and driven by our ideals, we will pull our ideas into reality. Together, we will forge our digital Eden.
Kev Wedderburn is the father, architect, and team lead of Noir, a universal zero knowledge circuit writing language funded by Aztec Labs.
We're excited to bring you this interview and profile of the man and mystery behind the DSL creating a step-function change in the accessibility of ZK programs.
Alyssa: Hey Kev! Thanks so much for your time, I’d love to give readers a snapshot of your journey into web3 and Aztec Labs, as well as your focus on the Noir team.
Kev: Sure! Let’s jump in.
Alyssa: Can you start by sharing your web2 background?
Kev: Yes. I started out as a front-end developer, then moved into app development.
I built a social media site for books. Then, a janky music-sharing app that would check your playlist, then check my playlist, then if our playlists overlapped enough, it would recommend each of us songs on each other's playlist (this was before Spotify became Spotify I think).
Alyssa: How’d app development lead you to going full-time web3?
Kev: While transitioning to crypto, I made a tax app that scanned your bitcoin QR code and told you how much tax you owed.
From there, I started doing tutorial videos focused on smart contracts. I wanted to do one for a particular blockchain, and it turned out that they didn’t have a well-functioning wallet. So that’s actually what led to my entry into the web3 space. I didn’t end up finishing that tutorial, I just went on to build the wallet myself.
Alyssa: And this work led to your first formal web3 role?
Kev: Eventually, yes. While I was working on an improved wallet, I noticed the node that the original wallet was interacting with wasn’t that great either. So once the new wallet was finished, I moved on to creating a node in Golang (the wallet was also originally built in Golang).
After I finished the node, I got recruited by a privacy-focused project. And they asked me to build a node for their privacy network.
Once I dug deeper, it turned out they didn’t have a proving system. So then I started learning cryptography to implement a type of ZK proof called bulletproofs — state of the art at the time.
Alyssa: And you’ve primarily worked on privacy within web3 ever since, is that right?
Kev: Yes, I worked for several other privacy blockchains prior to Aztec, such as Monero. At Monero, I pivoted from implementing Bulletproofs to Plonk for increased proving speed, but noticed it was very challenging to program on top of Plonk.
The Plonk constraint system and proving system both have nice properties, but the UX was really bad. So Kobi Gurkan from Geometry Research, and Barry Whitehat from the Ethereum Foundation asked if I wanted to make a compiler — I guess they saw that I was pretty active within Plonk and cryptography in general.
Alyssa: Had you built one before?
Kev: At the time, I didn’t know much about compilers at all, so it was exciting to figure out what the compiler I’d build would look like, what other compilers were doing, and how to make a compiler with the safety guarantees needed for zero knowledge proofs.
That was the beginning of what we now call Noir, and I’ve been at Aztec since.
Alyssa: Wow, okay, so you’ve been with the Noir project since the beginning of Noir’s existence?
Kev: Yeah, exactly.
Alyssa: Amazing, congrats on all the progress you and the team have made. And what about getting into web3 in the first place? Was it through engineering, or your own interest in cryptocurrency? How did that look?
Kev: I first looked at Bitcoin in university, but was deterred by the codebase being challenging to read. But I wanted to learn Bitcoin and teach people about it. Back then, everything was a bit scammy. I even created a Bitcoin book…
Alyssa: Going back to Noir, how do you feel about the experience of learning the language you helped build? Is it intuitive for developers?
Kev: I can tend to over-criticize the things I do. But Noir’s in a solid place. There’s not much to really compare it to….there are other zkDSLs, but they give different guarantees for the most part. For example, Noir provides devs with a high-level language that aims not to sacrifice performance and safety, while Circom gives devs very little safety but allows them to do anything. There are pros and cons to both of these approaches.
The more control you give to a developer, the more powerful things they can do, but they can also easily make mistakes because the compiler is no longer holding your hand or stopping you from doing something potentially dangerous.
But yes, Noir is in a good place for developers to use. There’s still a lot we want to put into the language to make it comparable to common programming languages in terms of UX. But we’re well on our way.
Alyssa: And what about just being on the Aztec Labs team in general, and maybe even the Noir team within Aztec Labs? What’s that like? What do you enjoy about it?
Kev: The Aztec team is cross-functional and fluid, meaning that even though you’re on the Noir team, or the tooling team, or the engineering team, you can touch other parts of the stack. So that’s great about being at Aztec.
The fun thing about the Noir team in particular is that there are so many challenges we have yet to solve. We’ve solved quite a lot of them, but there’s still a lot we’re excited to work on like continuing to improve the UX, as I mentioned.
Alyssa: Love that answer as I know there’s a job opening on the Noir team, so someone joining can have exposure beyond understanding their specific role.
Kev: In fact, we encourage that, if you’re on tooling and you want to create something and the compiler just doesn’t seem to be fit to do what you want, feel free to start some print or tasks to modify the compiler. We’re always open to new ideas.
Alyssa: Really cool, that’s great. And what about beyond web3, any general interests or hobbies?
Kev: Generally speaking, I really like maths. I also used to sing and play guitar for quite a while, and I exercise a lot these days.
Alyssa: Thanks again for the chat, great learning a bit more about your work, Kev!
Kev: Thank you!
We think Noir has the best syntax, most modularity, and best ecosystem of any ZK language. But don't take our word for it.
Get started with Noir at noir-lang.org.
Today Aztec Labs is proud to announce that Aztec’s core circuits have been rewritten in Noir.
Aztec’s core circuits were previously written in C++. The circuits spanning private execution, public execution, and proof recursion are now in Noir. We didn’t undertake this decision lightly, but we made the call based on a single fact:
It was always our goal to achieve Aztec-Noir alignment, unifying our cryptography stack and making our code safer, simpler, and easier to audit.
We’re there now, in the era of unabashed Noir maximalism.
💻 You can find the open Noir circuit repos here.
The Noir circuits are merged and passing Aztec’s stringent protocol test suite–huge achievement for Noir as a language.
Writing your code in a domain-specific language (DSL) does not make it safer than writing it in a library.This may not be apparent – a DSL is just a language made for a specific problem. One could create a DSL that makes writing circuits easier, but does not improve on performance. One could even create one that makes writing circuits harder, but it’s very performant. Noir makes writing circuits easier and safer than our cpp library with little sacrifice to performance.
As a startup you want to be able to write code fast, but also safely. If you take too long to ship, you may just die. If you write code that is unsafe or brittle, you may lose the trust of your target audience.
We could say that all developers need to do better. Skill issue. However, this approach doesn’t scale beyond. Developers love to write smart, elegant, clever code, i.e. code that’s subject to bugs. In Noir, you need to opt into writing unsafe code.
So what’s wrong with using Barretenberg as a C++ library?
Nothing.
In fact, a library inherits a lot of adoption from its host language; a Solidity library can be picked up quickly by Solidity developers, for example.
Aztec’s constraint system library is written in C++, and while this allows developers to do anything they want, it also allows developers to do anything they want.
Developers need to be aware of quirks with C++ whenever they use Barretenberg. This can lead to subtle bugs due to the inherent compounding of quirks specific to C++ and quirks specific to the library. In other words, more gotchas or footguns.
Library writers also need to be careful because in some places they are reasoning about constraints. In other places, they are reasoning about unconstrained code or non-constraint system code.
The overarching problem here is that in order to write safe circuits, you need to be able to write C++ code and also be a good circuit writer. These are two different skill sets that Noir reduces to one because Noir is specifically designed as a circuit writing language.
In March, a team of cryptography engineers developed Aztec’s core cryptography circuits under the guidance of Aztec Labs CEO Zac Williamson. Developing in C++ required significant onboarding and technical overhead, including:
In the meantime, the Noir team has built a comprehensive toolchain that makes ZK development significantly smoother:
In addition to developer tooling like performance profiling, syntax highlighting, and auto-formatting.
With Noir, we built the fast and safe DevEx we wanted for ourselves, resulting in a full rewrite of all Aztec core circuits from C++ to Noir in less than a month of three engineers’ time.
Here’s a side-by-side code snippet comparison of our private kernelbase rollup circuit in C++ and Noir, highlighting the legibility and simplicity of Noir.
C++:
Noir:
Finally, Aztec Labs gets to more fully participate in Noir’s vibrant ecosystem.
The community continues to develop new tooling that improves code analysis. Developers building in the Noir ecosystem and discovering bugs continuously battle-test the compiler. And Aztec is now fully aligned with the many developers building applications and protocols on Noir.
We too would like to share in the fruits of the Noir community.
Noir maximalism is open-source maximalism.
While Noir is still Beta software and isn’t fully production-ready until it is audited, the language is progressing towards an implementation freeze by the first half of 2024, and a completed audit by the back half of the year.
🏗️ Start building with Noir at noir-lang.org.
In addition to basic optimizations required for the kernel circuit to run on low-powered mobile devices, we intend on integrating Noir with the arsenal of novel cryptography in our development pipeline:
Building Aztec in Noir has been a long time coming.
As a result of adapting our core circuits to Noir, testing a wide array of features, and having Noir code pass extensive test suites, we have dramatically more confidence in its stability.
The collaborative approach between our internal Aztec and Noir teams demonstrates a commitment to advancing the capabilities of zero-knowledge proof technologies in an integrated fashion.
Improving Noir now improves Aztec.
The truth of the matter is: you cannot escape potentially dangerous code.
You can still write unsafe code in Noir.
You can only move the responsibility of writing dangerous code to folks who are least likely to make a mistake. And with Noir, you make it Aztec Labs engineers’ responsibility to write compiler code and optimizations. And with our stack, we make it the cryptographers’ responsibility to write absolutely unhinged cryptographic proving systems.
You are free to rebuild all of this yourself in C++. But Noir makes it so you don’t need to.
Where we cannot help you is unsafe business logic. If your application was meant to choose a random number between 1 and 10 and it instead chooses a random number between 0 and 1, then that’s on you.
But that’s as it should be! That’s the sort of code that you should be responsible for, and Noir aims to make it such that that’s the only thing you are responsible for.
If that sounds good to you, you might consider making the switch, as we have.
⭐ Get started with Noir today at noir-lang.org.
Today we’re releasing NoirJS– a Javascript package for Noir developers who want to build real applications that generate zero knowledge proofs in the browser.
Web development within the Noir ecosystem has historically been, uhm, complex. Practically, that meant Noir developers couldn’t really build applications that ran in the browser. And we want people to build applications with our software!
A browser is an application used to access the World Wide Web and interact with Internet applications. It turns out most people like using browsers.
Before today, Noir didn’t really let you build applications that could run in-browser. Instead, developers were forced to run applications locally in a CLI.
In simple terms, that meant Noir couldn’t actually support real applications.
But now Noir does support applications with NoirJS.
The goals of NoirJS are simple:
Noir is a zero knowledge circuit-writing language that works with multiple crypto proving back-ends. That means the front-end (the language) remains the same but Noir can be modularized to support the latest and greatest in zero knowledge proving research.
We do this through the ACIR (abstract circuit intermediate representation). Learn more about the ACIR here.
NoirJS lets developers build around the core concept of client-side compute: the ability to harness user hardware–phones, laptops, tablets–through the browser in order to compute proofs of execution.
And client-side compute in turn allows for fully private and trustless blockchain systems.
…sound familiar??
That’s the core philosophy of Aztec–giving developers the tools to develop programs with private data and compute while remaining fully trustless.
In English: do blockchain things without anyone knowing! Cool, right?
And for developers’ convenience, NoirJS is packaged with Barretenberg–the same Plonkish backend used by Aztec Labs in the Aztec rollup. No need to go shopping for a proving system unless you like, really want to.
NoirJS does a lot of other things, too! Developers were previously burdened by the need to manage multiple components like `bb.js`, `acvm`, `noirc_abi`, and future components like `noir_wasm`.
But managing component libraries and balancing version compatibility is not our idea of fun.
To install NoirJS you simply run `npm i @noir-lang/noir_js` in your Javascript directory
Install your proving backend of choice (ahem, probably Barretenberg), and you’re good to go.
NoirJS handles all Noir dependencies, exposing them through one clean interface, allowing you to focus on building rather than fiddling with packages.
Here are some other advantages:
Immediate Access: Browser-based applications don’t require additional software, making it easier for developers to reach a wider audience.
Improved User Experience: By enabling Noir functionality in the browser, users can interact with applications in real-time. That means fast apps.
Enhanced Security: Operating in the browser allows for client-side cryptography, offering an additional layer of security for applications that require cryptographic proofs.
Developer Flexibility: NoirJS enables developers to build rich, client-side applications with cryptographic functions, providing a broader toolkit for web development.
Community Building: Browser-based Noir enables rapid prototyping and sharing among the developer community. This is especially useful for teams who focus on in-browser applications and use-cases.
In-Browser Tooling: NoirJS fits seamlessly with in-browser IDEs like VSCode for web, allowing for a streamlined development process in which Noir programs can be compiled and proven directly in the browser.
So to summarize, by bringing Noir to the browser, we’re:
Siiick.
Less development pain means more time for building new applications. Here are some use-cases we’re excited to see:
NoirJS lets you build real Noir applications that run in the browser. It also makes your life easy breezy beautiful CoverGirl.
If you don’t know what Noir is, read this announcement, scan these docs, and watch this video.
If you do know what Noir is, install NoirJS right now. Right now. Right now.
And if you end up building something cool, come ask us for money.
