Glossary

Terms and definitions

Tokens

UPD (Universal Private Dollar)

A stablecoin pegged 1:1 to USD, over-collateralized with stETH. UPD can be used both publicly (standard ERC-20) and privately (via UPP).

sUPD (Staked UPD)

A yield-bearing token representing staked UPD. sUPD is a share-based vault token that increases in value over time as the vault earns yield.

Privacy System

UPP (Universal Private Pool)

The privacy layer that enables private transactions for ERC-20 tokens. UPP uses zero-knowledge proofs to hide transaction details while maintaining compliance through the ASP layer.

Shield

The operation of depositing public tokens into the private pool. Shielding creates a private note that represents your balance.

Unshield

The operation of withdrawing from the private pool back to public tokens. Unshielding reveals the amount and recipient address.

Note

A private unit of value in UPP. Notes are like encrypted "coins" that represent a specific amount, token, and origin. Notes are consumed when spent and new notes are created.

Commitment

A cryptographic hash of a note's contents: Poseidon(amount, blinding, origin, token). Commitments are stored on-chain and hide the note details.

Nullifier

A unique identifier computed when a note is spent. Nullifiers prevent double-spending by tracking which notes have been used.

Blinding Factor

A random value included in a note's commitment that ensures two notes with the same amount/origin/token have different commitments.

Keys

Spending Key

A private key that authorizes spending notes. Without the spending key, notes cannot be transferred or withdrawn.

Viewing Key

A private key that allows decrypting and viewing notes but not spending them. Viewing keys can be shared for auditing without risking funds.

Master Viewing Key (MVK)

The root viewing key from which per-transaction viewing keys are derived. The MVK can decrypt all notes for an account.

Decryption Viewing Key (DVK)

A per-note viewing key that can decrypt only a specific note. DVKs are derived from the MVK and note index.

Stealth Address

A reusable address that allows senders to create unique one-time addresses for each payment. Stealth addresses prevent payment linkability.

Stealth Meta-Address

The public identifier containing spending and viewing public keys. Encoded in bech32m format with prefix 0zk.

Compliance

ASP (Association Set Provider)

An entity that maintains a list of compliant addresses. ASPs publish Merkle roots on-chain, and users prove their funds' origin is in the ASP's allowlist.

Origin

The address that originally deposited funds into the pool. Origin is used for compliance checking and can only be changed via merge.

Ragequit

A special withdrawal path that bypasses ASP checks when the recipient equals the origin. Ensures original depositors can always recover their funds.

Merge

The operation of combining two notes into one. Merge is the only way to change a note's origin: the merger becomes the new origin.

Restricted Transfer

A transfer where the origin is not in any ASP allowlist. Restricted notes can only be sent back to their origin address.

Cryptography

BabyJubJub

An elliptic curve optimized for ZK circuits. UPP uses BabyJubJub for all key operations.

Poseidon

A hash function designed for ZK circuits. Used for commitments, nullifiers, and Merkle trees.

Groth16

A zero-knowledge proof system used by UPP. Groth16 produces small, fast-to-verify proofs but requires a trusted setup.

LeanIMT

Lean Incremental Merkle Tree: the data structure used to store note commitments. Optimized for gas efficiency and ZK circuits.

ECDH (Elliptic Curve Diffie-Hellman)

A key agreement protocol used to derive shared secrets between sender and recipient for note encryption.

AES-GCM

The encryption algorithm used for note data. Provides both confidentiality and authentication.

Operations

Transfer

A private payment within the pool. Consumes one note and creates two new notes (recipient + change).

Merge

Combines two notes into one. The merger becomes the new origin.

Shield

Deposit public tokens into the pool.

Unshield

Withdraw from the pool to a public address.

Infrastructure

Merkle Tree

A hash-based data structure that allows efficient membership proofs. UPP uses Merkle trees for both note commitments (state tree) and ASP allowlists.

Merkle Root

The top hash of a Merkle tree. Publishing the root allows verification of membership without revealing all entries.

Merkle Proof

A path of hashes proving that a leaf is part of a Merkle tree with a given root.

Root History

A circular buffer of recent Merkle roots. Allows transactions to use slightly outdated roots for timing flexibility.

Indexer

Software that scans the blockchain for encrypted notes and decrypts those belonging to a user. Required for wallet functionality.
