paraloomParaloom-core ships two primitives. Private payments — SOL bridges into a shielded pool, transfers move privately, withdrawals settle back unlinkably. Private compute (alpha) — submit a WASM job, get a BFT-validated result without exposing inputs or outputs. Both ride the same validator cohort and the same on-chain anchor.
You move SOL into the paraloom shielded pool through an Anchor program on Solana mainnet. Locally, your wallet generates a Poseidon commitment that hides the amount and your identity. The on-chain transaction proves you own the funds; the commitment binds them privately.
→ Groth16 proof, ~4s on a modern laptop. The Solana tx is normal — anyone can see it; nobody can tell what was committed.
Inside the pool, transfers consume one or more existing commitments and create new ones. Values are constrained to a u64 range in-circuit, by bit-decomposition — nothing can be forged via field overflow. Each spent note emits a nullifier so it cannot be spent twice.
→ Nullifier set is fsync‑backed RocksDB. Sender→receiver graph never reaches the chain.
Validators verify each Groth16 proof in roughly ten milliseconds — verify-only, no proving cost. A configurable BFT threshold (default 7-of-10) must agree on each block. Equivocation and persistent unavailability are slashable.
→ Reputation gating; small home machines can participate without GPUs.
A withdrawal proof shows that an output commitment was created legitimately, without revealing which deposit it came from. The on-chain Anchor program enforces a one-slot expiration to prevent replay. The output address is unlinkable to any input.
→ Receiver gets a normal Solana balance. The pool root advances; no graph leaks.
You hand the network a WebAssembly binary plus its inputs. Under --private mode, inputs are encrypted with AES-256-GCM. The coordinator scores validators by uptime and reputation, then distributes the job across a cohort. No single node sees the full picture.
→ Wasmtime sandbox; strict memory, time, and syscall limits per job.
Each validator in the cohort runs the program in an isolated sandbox and emits a result hash. At least 7 of 10 (configurable) must produce identical output to commit. Byzantine faults are detected by hash divergence and recorded as slashing evidence.
→ Same BFT cohort that validates withdrawals also validates compute results.
A zero-knowledge proof certifies the computation was executed correctly without revealing inputs, outputs, or who requested it. Under private mode, the result is encrypted and bound by an ownership proof so only the requester can decrypt.
→ Alpha: output-note plumbing pending; private compute is not yet production-ready.
The same validator cohort that signs withdrawals also agrees on compute results. Validators are verify-only — they do not produce proofs; they check them. A Groth16 proof verifies in roughly ten milliseconds on a single CPU core, which is small enough that home PCs and single-board computers can carry the load.
| Default threshold | 7 of 10 | configurable per network |
|---|---|---|
| Verification time | ~10 ms / proof | single CPU core |
| Slashing evidence | equivocation · unavailability | recorded in-protocol |
| Coordinator HA | active / passive failover | < 30s RTO |
Validators find each other through a Kademlia DHT seeded by on-chain registered multiaddrs. Heartbeats and ping probes distinguish slow peers from offline ones; gossipsub propagates consensus messages with bounded codec reads and a tightened size cap.
| Discovery | Kademlia DHT | bootstrap-refreshed routing |
|---|---|---|
| Liveness | libp2p ping | slow / offline distinction |
| Gossip | gossipsub | bounded codec reads, size-capped |
| Bootstrap | on-chain registry | multiaddrs from validator program |
| Coordinator HA | active / passive failover | < 30s RTO scenario test |
The protocol described above is implemented in roughly 33K lines of Rust, with 407 tests passing on every commit. MIT licensed, every release signed, MPC ceremony in the open.