zkCoins

Private Bitcoin transactions via Shielded CSV

The paper behind zkCoins.

zkCoins implements Shielded CSV — a privacy protocol for Bitcoin that reveals nothing on-chain beyond a 64-byte nullifier. No token. No own chain. Settled on Bitcoin.

Whitepaper · ePrint 2025/068

Shielded CSV: Private and Efficient Client-Side Validation

A privacy-preserving variant of Client-Side Validation, settled directly on Bitcoin.

Authors: Jonas Nick (Blockstream) · Liam Eagen (Alpen Labs) · Robin Linus (ZeroSync)
Published: January 2025
Reference: eprint.iacr.org/2025/068

Client-Side Validation (CSV) decouples transaction validation from Bitcoin consensus by moving it to the recipient. Shielded CSV improves on prior CSV designs by hiding the transaction history entirely: each transfer leaks only a 64-byte nullifier to the chain, with the rest verified client-side via succinct zero-knowledge proofs. The protocol is compatible with Bitcoin as-is — no soft fork, no hard fork — and targets roughly an order of magnitude more transactions per second than the base layer alone.

Read the paper ↗ Abstract on ePrint ↗

What Shielded CSV Changes

On-chain footprint

64 bytes per transfer.A nullifier — derived from the transaction, indistinguishable from random data — replaces the full transaction payload.

Privacy

No leaked transaction graph.Unlike RGB or Taproot Assets, the history is hidden under a zk-SNARK-style proof; recipients verify validity without seeing the lineage.

Compatibility

Bitcoin as-is.No soft fork, no hard fork. CSV protocols coexist on the chain by using it only for ordering and double-spend prevention.

Throughput

~100 transactions per second.Shrinking the on-chain footprint from ~560 WU to ~64 WU lifts Bitcoin's effective capacity by roughly an order of magnitude.

Roadmap to mainnet

Phase 01
Foundation
Q2 2026 Active

The proving stack and the wallet-server boundary. Everything downstream depends on this.
- Zero-knowledge circuit migration.Move the state-transition circuit onto a recursion-native proving system with a Bitcoin-friendly hash.
- Server-side proving on commodity hardware.Single-host Apple Silicon target — no GPU farms, no cloud proving service. The wallet holds only the private key.
- Wallet boundary via BIP-340 Schnorr.The wallet signs a SHA256 digest of the server-computed state. No in-browser zero-knowledge.
- End-to-end roundtrip on signet.Create account, mint, send, receive — the full user loop runs on a public Bitcoin testnet.
Phase 02
Pre-mainnet hardening
Q3 2026 Next

Close the protocol gaps between "works on signet" and "safe with real Bitcoin".
- Hiding recipient commitments.Eliminate the residual link between sender, recipient and coin identifier.
- Reorg-safe nullifier accumulation.Gracefully degrade when the canonical chain reorganises rather than getting stuck.
- Per-coin freshness proofs.Recipients verify a coin's age locally without trusting any third party.
- Paper-derived security test suite.The full set of formal properties from the Shielded CSV paper, encoded as failing-witness tests.
Phase 03
Trustless BTC bridge
Q4 2026 Planned

Mint and burn against native BTC without trusting the issuer. The biggest user-facing trust gap closes here.
- BitVM2 / Clementine-style bridge.1-of-N honesty trust model. The same construction running on Citrea mainnet.
- Recursive Bitcoin light client.A succinct proof that a deposit landed at depth ≥ 6 in the canonical chain.
- Plonky2 → Groth16 wrapping.Bridge our recursion-friendly proofs into a verifier that Bitcoin script can check.
- Federation scaling: N=3 → N=100.Start with a single-operator federation; grow to one hundred independent members, where one honest key deletion is enough.
- Signet integration run.Full peg-in / peg-out roundtrip including a deliberately malicious operator scenario.
Phase 04
Lightning atomic swap
Q1 2027 Planned

Move value between Lightning and zkCoins atomically — no provider trust, no custodial bridge.
- HTLC on the inscription funding transaction.Atomicity lives on Bitcoin layer 1, not on the private coin layer. Standard primitives, no soft fork.
- Symmetric LN ↔ zkCoins flows.Buy with Lightning sats and sell back to Lightning sats, both directions trustless.
- Provider-fronted liquidity.Anyone can run a swap provider; the protocol enforces honesty, not the operator.
- Privacy-preserving swap pattern.A swap provider learns the LN side, never the zkCoins-internal graph.
Phase 05
Long-term positioning
2027 + Horizon

Replace the bridge technologies of today with the bridge technologies of tomorrow — without changing the protocol.
- Next-generation proving system.Port to a smaller field with a faster hash once the upstream stack stabilises. Algorithmic structure stays.
- Bridge construction upgrade.Drop-in successors to BitVM2 (Glock, Mosaic) cut on-chain dispute cost by two orders of magnitude. Circuit contract unchanged.
- Federation diversity.Recruit independent organisations as federation members until one-honest-deletion is a meaningful assumption.
- Production trusted setup.A 30–60 contributor ceremony replaces the single-contributor parameter set used for testing.

Note. Dates indicate target windows for the engineering work, not a guaranteed mainnet date. zkCoins runs in a closed test environment until pre-mainnet hardening completes; no real Bitcoin is at risk before then.