Protocol Overview
Lateo uses a UTXO-based privacy model where each deposit creates a cryptographic commitment, and each withdrawal consumes commitments by revealing nullifiers. Zero-knowledge proofs ensure all operations are valid without revealing the link between deposits and withdrawals.
Core Invariant
For every transact() call:
`sum(input_amounts) + ext_amount = sum(output_amounts)`
Here ext_amount is the signed public amount entering or leaving the pool: positive for a deposit, negative for a withdrawal, zero for an internal transfer. This balance conservation is enforced by the ZK circuit. The on-chain contract cannot check the individual amounts (they are hidden inside the commitments), but a valid proof guarantees that the equation holds for the hidden values.
UTXO Model
Unlike account-based systems, Lateo uses a note-based (UTXO) model:
- Deposit creates a new note (commitment in the Merkle tree)
- Withdrawal destroys notes (publishes nullifiers) and optionally creates a change note
- Transfer destroys and creates notes (balance stays in pool)
Each note contains: (amount, ownerPubKey, blinding) — all hidden inside the commitment hash.
On-Chain State
The pool contract maintains:
| State | Storage | Purpose |
|---|---|---|
| Merkle tree (10 levels) | Persistent | Stores every commitment ever inserted; 10 levels give a capacity of 2^10 = 1,024 leaves |
| Root ring buffer (90 entries) | Persistent | The 90 most recent roots accepted for proof verification; a proof built against an older root that has been evicted from the buffer is rejected |
| Nullifier set | Persistent | All spent nullifiers (prevents double-spend) |
| Next leaf index | Persistent | Current insertion point in the tree |
| ASP contract references | Persistent | Links to membership and non-membership contracts |
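The invariant, the note (UTXO) flow and the on-chain state described above, as an added Python model that is not Lateo's code. SHA-256 stands in for poseidon2, and the Groth16 proof is replaced by `circuit_check()`, which evaluates the balance equation in the clear on values the real circuit keeps hidden. The note layout (amount, ownerPubKey, blinding), the 10-level tree and the 90-entry root buffer are taken from the page; the nullifier derivation, the `transact()` argument list and all sample values are assumptions for illustration.

```python
# Toy model of the Lateo pool state (added example, not project code). SHA-256 stands
# in for poseidon2, and circuit_check() evaluates the balance invariant in the clear on
# values the real Groth16 circuit hides; note layout and nullifier derivation are assumed.
import hashlib
from dataclasses import dataclass

TREE_LEVELS = 10   # page: 10-level Merkle tree, so at most 2**10 = 1024 leaves
ROOT_HISTORY = 90  # page: ring buffer of the 90 most recent roots

def H(*parts: int) -> int:
    """Stand-in for poseidon2: hash fixed-width integers to a 256-bit integer."""
    data = b"".join(p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass(frozen=True)
class Note:
    amount: int
    owner_pubkey: int
    blinding: int

    def commitment(self) -> int:
        return H(self.amount, self.owner_pubkey, self.blinding)  # hides all three

def nullifier(note: Note, leaf_index: int, owner_secret: int) -> int:
    """Assumed derivation: re-spends of a leaf collide without revealing the leaf."""
    return H(note.commitment(), leaf_index, owner_secret)

def circuit_check(inputs, outputs, ext_amount: int) -> bool:
    """What the ZK circuit enforces: sum(in) + ext_amount = sum(out) with every
    output non-negative, since a negative 'change' note would otherwise balance
    the equation while minting value. Membership/ownership proofs are omitted."""
    ins, outs = sum(n.amount for n in inputs), sum(n.amount for n in outputs)
    return all(n.amount >= 0 for n in outputs) and ins + ext_amount == outs

class MerkleTree:
    """Append-only tree; empty subtrees hash to precomputed zero values."""
    def __init__(self, levels: int):
        self.levels, self.leaves, self.zeros = levels, [], [0]
        for _ in range(levels):
            self.zeros.append(H(self.zeros[-1], self.zeros[-1]))

    def insert(self, leaf: int) -> int:
        if len(self.leaves) >= 1 << self.levels:
            raise ValueError("tree full")
        self.leaves.append(leaf)
        return len(self.leaves) - 1  # leaf index of the new commitment

    def root(self) -> int:
        layer = list(self.leaves)
        for lvl in range(self.levels):
            if len(layer) % 2:
                layer.append(self.zeros[lvl])
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        return layer[0] if layer else self.zeros[self.levels]

class Pool:
    """On-chain state: tree, root ring buffer, nullifier set; next leaf index = len(tree.leaves)."""
    def __init__(self, levels=TREE_LEVELS, history=ROOT_HISTORY):
        self.tree, self.history = MerkleTree(levels), history
        self.roots, self.nullifiers = [self.tree.root()], set()

    def transact(self, root, nullifiers, out_commitments, ext_amount, proof_ok):
        # Only public inputs reach the contract; amounts and owners stay hidden.
        if root not in self.roots:
            raise ValueError("unknown or stale root")
        if len(set(nullifiers)) < len(nullifiers) or self.nullifiers & set(nullifiers):
            raise ValueError("double spend")
        if not proof_ok:
            raise ValueError("invalid proof")
        self.nullifiers.update(nullifiers)
        indices = [self.tree.insert(c) for c in out_commitments]
        self.roots.append(self.tree.root())
        if len(self.roots) > self.history:
            self.roots.pop(0)  # oldest root falls out of the acceptance window
        return indices

def run_scenario() -> dict:
    """Deposit, withdraw with change, then the two rejections the state exists for."""
    pool, pk, sk, out = Pool(), 0xA11CE, 0x5EC, {}
    n1 = Note(100, pk, blinding=11)  # deposit: no inputs, one output, ext = +100
    [idx] = pool.transact(pool.roots[-1], [], [n1.commitment()], 100, circuit_check([], [n1], 100))
    change = Note(70, pk, blinding=22)  # withdraw 30, keep 70 as change: ext = -30
    nf = nullifier(n1, idx, sk)
    [cidx] = pool.transact(pool.roots[-1], [nf], [change.commitment()], -30,
                           circuit_check([n1], [change], -30))
    out["spent_nullifiers"] = len(pool.nullifiers)
    try:  # replaying the same nullifier is exactly what the nullifier set stops
        pool.transact(pool.roots[-1], [nf], [], -100, True)
        out["double_spend_rejected"] = False
    except ValueError as e:
        out["double_spend_rejected"] = str(e) == "double spend"
    old_root = pool.roots[-1]  # ROOT_HISTORY further insertions evict this root
    for i in range(ROOT_HISTORY):
        d = Note(1, pk, 1000 + i)
        pool.transact(pool.roots[-1], [], [d.commitment()], 1, circuit_check([], [d], 1))
    try:  # a proof built against the evicted root fails: submit within the window
        pool.transact(old_root, [nullifier(change, cidx, sk)], [], -70, circuit_check([change], [], -70))
        out["stale_root_rejected"] = False
    except ValueError as e:
        out["stale_root_rejected"] = str(e) == "unknown or stale root"
    return out
```

`run_scenario()` walks a deposit (ext_amount = +100), a withdrawal with a change note (ext_amount = -30), a replay of the already-published nullifier, and a spend whose proof was built against a root that 90 later insertions have pushed out of the ring buffer. The two rejections are the practical consequences of the state table: the nullifier set is what makes a note single-use, and the bounded root history means a client must build and submit its proof before that many further commitments land, or rebuild it against a fresh root. The contract side never touches `Note` values; it sees only roots, nullifiers, commitments, ext_amount and the proof result.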
Protocol 25 Primitives Used
| Host Function | Usage in Lateo |
|---|---|
| `bn254_g1_add` | Groth16 proof verification: accumulating the public-input linear combination over the verification key's IC points |
| `bn254_g1_mul` | Groth16 proof verification: scalar multiplication of IC points by the public inputs |
| `bn254_pairing_check` | Groth16 proof verification: the final pairing equation |
| `poseidon2` | Commitment hashing, nullifier derivation, Merkle tree hashing |