ZeraLabs logo

Pre-migration documentation. This site reflects the pre-migration state of the protocol. It’s mostly current, but a few edges may not match ZERA at launch. We’re finalizing the new, detailed ZERA docs now. Thanks for your patience.

How Zero‑Knowledge Cash Works

A Plain‑Language Walk‑Through

The goal is to let any device (even one that stays offline for long periods) create, move and verify private balances without ever leaking amounts or letting attackers forge money.

To make this work, we need just three moving pieces: a shared starting point, offline balance updates, and simple verification rules.

The Three Core Components

1. Shared Starting Point
A tamper‑proof genesis that every device can recreate and verify.
2. Offline Updates
Each device updates its own balances epoch‑by‑epoch while offline.
3. Simple Verification
Rules that let two devices meet, exchange proofs and instantly agree on honesty.

Why This Defeats Perfect Rollback Attacks

The Perfect Rollback Problem

Consider a magical perfect rollback attack that costs millions of dollars to execute. An attacker with nation‑state resources could theoretically:

  • Extract private keys from secure elements using $1M+ lab equipment
  • Perfectly rollback a device to a previous state
  • Replay transactions to double‑spend funds
  • Escape detection through perfect timing
How Zero‑Knowledge Cash Defeats This
Offline Client Detection
Even offline clients can detect rollbacks by checking the epoch chain. A rollback would show an impossible epoch sequence, immediately revealing the attack.
Cross‑Party Verification
Multiple parties in a transaction verify the same epoch state. Any discrepancy indicates a rollback attempt.
Economic Reality Check
  • Cost per successful rollback: $171M (equipment + expertise + time)
  • Success rate: < 0.7% per attempt
  • Scaling limitation: Each device requires individual lab work
  • Detection window: 24–72 hours maximum
Security Guarantee
The system ensures that even honest offline clients can detect perfect rollback attacks. This provides 10,000x stronger security than traditional banking systems, making it suitable for high‑value financial applications where security exceeds even current banking standards.

6. Putting It All Together

  1. Perpetual genesis ceremony creates an unending randomness beacon where anyone can join anytime.
  2. Each wallet keeps its balance as a single point and hops it forward every epoch with the public beta.
  3. Payments are homomorphic updates plus small range proofs and nullifiers.
  4. Offline checking is possible because the link proofs are stand‑alone and rely only on the deterministic beta sequence.
  5. Online nodes catch any cheating or double‑spending with three algebra checks and a RocksDB of nullifiers.

That is the entire protocol in plain words — no heavy algebra, no hidden trust, and every step maps directly to code you can write with curve25519-dalek, merlin, RocksDB and a drand HTTP client.

5. Where the Merkle Tree and DAG Show Up

Merkle Tree
Inside each block (or local log entry) the node collects all new commitments and nullifiers into a Merkle tree. The Merkle root becomes the block hash so devices that only care about their own notes can store just the path.
DAG of Blocks
Validators run HotStuff‑style BFT. Blocks form a Directed Acyclic Graph until a super‑majority signs a quorum certificate; then the branch is final. The DAG structure never touches the math of commitments, so it can be upgraded without changing the money layer.

4. Catching Cheats When Everyone Comes Back Online

Sooner or later every wallet will reconnect to an online node. At that point it broadcasts:

  • Its whole commitment chain since the last sync.
  • All nullifiers it created.
  • The range proofs of each outgoing transfer.
  1. The link proofs form an unbroken chain that uses the public beta values.
  2. Every nullifier is unique in the global RocksDB.
  3. The sum of incoming commitments equals the sum of outgoing commitments plus the last balance.

If any of those fail, the cheating wallet's last good commitment is frozen and future spends using its nullifiers are rejected. Honest offline wallets are unharmed.

3. Making and Accepting a Payment

Preparing a Transfer

  1. Sender chooses a new random blinding r_out.
  2. Computes an output commitment using Pedersen: C_out = G * amount + H * r_out
  3. Computes an update delta: Delta = C_out - (G * amount)
  4. Creates a short zero‑knowledge range proof that amount is positive and smaller than the currency cap.
  5. Packages C_out, Delta, the range proof and a one‑time nullifier (a unique hash that prevents double‑spending).
How Pedersen Commitments Enable Privacy
The magic of Pedersen commitments is that you can prove the transaction is valid (no money created/destroyed) without revealing the amounts. The receiver gets a new commitment that hides their balance, while the network can verify the mathematical relationships hold true.

Verifying and Accepting

The receiver (online or offline) checks:

  1. The sender's chain of link proofs back to the last common slot.
  2. The range proof shows the amount is valid.
  3. The nullifier is not already in the receiver's nullifier set.
  4. Algebra check: C_sender_new = C_sender_old - Delta.

If everything passes the receiver adds C_out to its own wallet, stamps the nullifier into its RocksDB and moves on.

2. How a Device Keeps Its Money While Offline

The Idea of a Pedersen Commitment

A balance is never stored as "42 coins". Instead the wallet stores a single curve point using a Pedersen commitment:

C = G * value + H * blinding
  • value is the amount (like 42 coins)
  • blinding is a fresh random number that hides the amount
  • G and H are the base points from the genesis ceremony

Only the owner knows the value and blinding numbers, so outsiders see C as just a random point. This is called perfect hiding — no one can figure out the amount from the commitment.

Why Pedersen Commitments?
Pedersen commitments have a special property: you can add them together mathematically while keeping the amounts hidden. This allows the system to verify that money isn't being created or destroyed without revealing any amounts.

Marching Through Epochs

Time is cut into equal‑length slots (say, one hour). Every slot has a public random number beta that comes from the drand randomness beacon. An offline device cannot fetch drand, so it uses the beacon value that was stamped in the published seed file plus a simple, deterministic function of the slot number.

To roll its balance from slot i to slot i + 1 the device recomputes:

C_next = C_current + H * beta

Note what that does:

  • The amount part G * value never changes.
  • The blinding part advances by H * beta.

So the commitment looks fresh each epoch, but any honest device that sees the full chain of points can check that every jump matches the public beta sequence — if any point is tampered with the chain breaks.

Proof That the Chain is Unbroken

When two devices meet, each shows (a) its current commitment and (b) a link proof: a short Schnorr signature that proves "I know the same hidden amount in the current point and in the previous point". Chaining those proofs back to the genesis point convinces the peer that no slot was forged or skipped.

1. The Perpetual Genesis Ceremony

The Unending Randomness Beacon

Instead of a one‑time ceremony, the system uses a perpetual randomness beacon that runs continuously. Time is divided into equal‑length epochs (like hours), and each epoch gets its own unpredictable random number from a public beacon (like the drand network).

How Anyone Can Join at Any Time

Anyone who wants to issue or hold the cash can join at any time, not just at the beginning. Each new participant contributes their own randomness during a "contribution window" in each epoch:

  1. Public randomness beacon – Each epoch gets a random number from a trusted beacon (like drand)
  2. User contributions – Anyone can add their own randomness during a contribution window
  3. Homomorphic mixing – All the randomness is combined mathematically to create the epoch's final random seed
  4. New base points – The seed creates fresh cryptographic base points for that epoch
  5. Ledger checkpoint – Everything is recorded permanently in the blockchain

This creates an infinite, self‑healing randomness pipeline where new participants can join anytime, and every later state remains a hard‑to‑predict descendant of the very first seed. No one needs to trust any authority — the math itself provides the proof.

Key Concepts to Explore

What Is Zero-Knowledge Cash?

A simple explanation of privacy‑preserving money

Learn more
The Privacy Problem

Why traditional cryptocurrencies reveal everything

Learn more
Real-World Applications

Where and how ZKC can be used

Learn more
Glossary & Reference

Definitions and explanations of technical terms

Learn more