Full privacy overview

Goal

Private by default:

Hide sender/receiver, amounts, transaction graph
Privacy against the sequencer (not just against L1 observers)
Decentralized ordering + recoverability
Hide smart-contract state + private execution

Architecture in one picture

Clients execute → prover layer → encrypted mempool → decentralized sequencer ordering → decrypt-after-ordering (obfuscated data) → batch proof → Solana verifies + stores roots (not only store roots in L1 also L2) → users scan encrypted outputs

Solana is the finality + verifier + root anchor, not the execution engine. (Note: we can still think about the where we want the finality at)

On-chain Solana program responsibilities

Keep it minimal (fast/cheap):

Store:

state_root (Merkle root of all private state)
nullifier_root (or accumulator commitment)
batch_index
batch_commitment_hash (commitment to DA data)

Verify on SubmitBatch:

old_root == current_root
committee approval (M-of-N sequencer signatures over batch header)
ZK proof verifies old_root -> new_root and correct nullifier update
update roots + batch commitment

That’s it. No plaintext state ever.

Off-chain state model (what you actually prove)

Use Zcash-style notes (UTXO commitments) for best privacy and simplest circuits:

Commitments: C = Commit(note) for new notes/state objects
Nullifiers: N = PRF(sk, note) for spent notes (unlinkable)
Encrypted outputs: ciphertexts addressed to receiver viewing keys
Private app state: also committed into the same state tree (or separate subtree)

Global truth is only the root(s) on Solana. (Note: maybe user can also just look at the sequencers state so we can have faster updates on the user side)

How users learn state updates (wallet logic)

Users do NOT get “pushed” balances.

They:

watch finalized batches (roots anchored on Solana)
fetch batch data from DA (or sequencer caches)
scan encrypted_outputs[]
decrypt what belongs to them (notes / state diffs)
mark spends by checking if their nullifiers appear
maintain local wallet state (unspent notes + app state)

This keeps privacy and avoids storing global state.

“Full privacy against the sequencer”

You need encrypted mempool + decrypt-after-ordering.

Minimal viable (MVP)

TX object is already “opaque”: {proof, nullifiers, commitments, encrypted_outputs}
sequencer still sees those objects, but not addresses/amounts/state (because they’re not present)

Real full privacy (target, decentralized order sequencing)

Users submit ciphertexts to the mempool:
- cipher = Encrypt(PK_committee, tx_object)
Sequencers order ciphertexts blindly
Order is committed (signed hash of ciphertext list)
Only then the committee performs threshold decryption to reveal tx objects
Prover builds batch + proof

This prevents:

content-based censorship
MEV/front-running on private actions
early linkage via tx contents

You still add:

relayers + batching windows to reduce IP/timing correlation.

Decentralization plan (without drowning)

Don’t try to ship everything at once.

Phase 1 (ship a working private rollup)

Shielded notes + nullifiers + encrypted outputs
Single sequencer, permissionless prover
DA via committed hash + replicated storage
Solana verifies batch proofs + updates roots

Phase 2 (decentralize ordering)

Sequencer committee (rotating leader)
M-of-N signatures required to submit batch
Decentralized prover layer

encrypted mempool with threshold encryption
decrypt-after-ordering
relayers + batching windows

Data availability (DA) so users can always recover

Never rely on “sequencer database only.”

You need:

a DA store for batch blobs (encrypted outputs + commitments + nullifiers + ordering)
on Solana: store batch_hash + pointer/reference

For maximum safety: publish DA on Solana accounts (expensive).
For maximum throughput: external DA + strong replication + hash anchored on Solana.

Sequencers are caches/CDNs, not the source of truth.

Performance choices for “fastest”

Batch aggressively (one proof per batch)
Use a proof system with cheap verification on Solana
Keep on-chain verification minimal (roots + verifier + committee signatures)
Avoid on-chain storage of blobs unless needed; anchor hashes + pointers

Build checklist (what to implement)

Note format + commitment scheme
Nullifier scheme + anti-double-spend logic
State tree + inclusion proofs
Client proving pipeline (private execution) or prover layer
Batch prover (aggregates txs → new roots + batch proof)
Solana program: verify proof + update roots
DA publishing + batch hash anchoring
Wallet scanner (decrypt outputs, track nullifiers)
Committee sequencing (M-of-N approvals)
Encrypted mempool (threshold) + relayers + batching

One-sentence summary

Fastest full-privacy Solana rollup = client-side private execution (with prover layer) + ZK validity proof batches + Solana root verification + decentralized sequencer committee + encrypted mempool (decrypt-after-ordering) + DA anchored by batch commitments + wallets that scan/decrypt outputs and track nullifiers.

Goal​

Architecture in one picture​

On-chain Solana program responsibilities​

Off-chain state model (what you actually prove)​

How users learn state updates (wallet logic)​

“Full privacy against the sequencer”​

Minimal viable (MVP)​

Real full privacy (target, decentralized order sequencing)​

Decentralization plan (without drowning)​

Phase 1 (ship a working private rollup)​

Phase 2 (decentralize ordering)​

Phase 3 (true “sequencer-blind” privacy)​

Data availability (DA) so users can always recover​

Performance choices for “fastest”​

Build checklist (what to implement)​

One-sentence summary​