Stark-RQ Hidden Runtime V1
TKT-P3-60 adds the smallest real witness-hiding proving runtime slice currently integrated for the fixed confidential-transfer statement.
What this runtime now proves:
- hidden source-note ownership field binding
- hidden source-note inclusion for the fixed one-note pre-state profile
- hidden source-nullifier relation
- hidden receiver note hash relation
- hidden receiver-owner-commitment relation
- hidden receiver-value-commitment relation
- hidden receiver-nonce relation
- hidden sender-change carried value-commitment relation
- hidden sender-change carried nonce relation
- hidden committed-value conservation under the frozen fixed-statement fee policy
- hidden transition consistency from the frozen pre-transition commitments represented by stateIn32 to the frozen post-transition commitments represented by stateOut32, bound to the same outputFingerprint32 public anchor
Hidden witness values consumed by the sidecar:
- sourceEncodedNoteLeaf
- receiverEncodedNoteLeaf
- sourceNoteId32
- senderPub33
- receiverScanPub33
- receiverSpendPub33
- hidden source committed value term
- hidden receiver committed value term
- hidden sender-change committed value term
- hidden fee-policy committed value term
Verifier-visible inputs for this runtime slice:
- sourceNoteHash32
- shardId32
- stateIn32
- stateOut32
- outputFingerprint32
- expected source owner commitment
- expected sender-change value commitment
- expected sender-change nonce
- expected pre-state note root
- expected receiver note hash
- expected receiver owner commitment
- expected receiver value commitment
- expected receiver nonce
- expected source nullifier
- proof artifact bytes only
What stays host-side and unchanged:
- transcript binding
- OFm2/v2 recomputation
- tokenized continuation shell checks
- malformed carrier rejection
- public binding recomputation already assigned to host
Important truthfulness note:
- this runtime slice is witness-hiding at the artifact boundary because hidden witness values are not serialized into the proof artifact
- this runtime slice currently realizes source-note ownership as hidden spent-leaf preimage binding to the source leaf ownerCommitment32 field under the fixed canonical one-note pre-state profile
- this runtime slice currently realizes receiver-side construction as one coherent hidden receiver note witness: owner commitment, value commitment, and nonce are all checked against the same receiver note leaf and note hash context
- this runtime slice currently realizes sender-change construction as one coherent carried change-note bundle under the same fixed confidential-transfer witness context: the carried change note is the hidden source leaf in the canonical profile, so sender-change value and nonce are checked against that same hidden source leaf already bound to sourceNoteHash32
- this runtime slice now realizes committed-value conservation as a hidden arithmetic layer over committed-value witness terms under the frozen fixed-statement fee policy; it does not depend on public BCH output-value interpretations or host-side shell facts
- this runtime slice now realizes transition consistency under witness hiding by proving that the same already-proven source/receiver/change/conservation facts compose to the same frozen post-transition commitments represented by stateOut32, starting from the same frozen pre-transition commitments represented by stateIn32, and bound to the same outputFingerprint32 public anchor
- the runtime does not satisfy transition consistency by re-proving host-side shell-validity facts: transcript binding, OFm2/v2 recomputation, tokenized continuation shell checks, malformed-carrier rejection, and other frozen host responsibilities remain outside this sidecar
- this runtime slice is not yet the final backend family or trust model
- the current sidecar uses a deterministic development Groth16 setup cache so the project can gain real hidden-witness proving capability without widening the frozen verifier boundary
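A serialization-boundary regression check for the first point in this note, as an added example that is not part of the project's code: it scans proof artifact bytes for any run of a hidden witness value in raw, byte-reversed, or hex-encoded form. The function names, the 8-byte window, and all sample bytes are assumptions constructed for illustration. A pass shows only that witness bytes were not serialized into the artifact, not that the proof system itself is zero-knowledge.

```javascript
// Added example (not project code). Field names are from the page; function
// names and all sample bytes are constructed for illustration.
const MIN_WINDOW = 8; // shortest run of witness bytes reported as a leak (assumption)
// Constant runs (e.g. zero padding) carry no secret and would cause false hits.
const isPadding = (w) => w.every((b) => b === w[0]);
// Returns one { field, encoding, witnessOffset, artifactOffset } per leaked form.
function findWitnessLeaks(artifact, hiddenWitness, minWindow = MIN_WINDOW) {
  const leaks = [];
  for (const [field, value] of Object.entries(hiddenWitness)) {
    const hex = value.toString("hex");
    const forms = {
      raw: [value, minWindow],
      reversed: [Buffer.from(value).reverse(), minWindow],
      hexLower: [Buffer.from(hex, "ascii"), 2 * minWindow],
      hexUpper: [Buffer.from(hex.toUpperCase(), "ascii"), 2 * minWindow],
    };
    for (const [encoding, [bytes, want]] of Object.entries(forms)) {
      const win = Math.min(want, bytes.length);
      for (let off = 0; off + win <= bytes.length; off++) {
        const window = bytes.subarray(off, off + win);
        if (isPadding(window)) continue;
        const at = artifact.indexOf(window);
        if (at === -1) continue;
        leaks.push({ field, encoding, witnessOffset: off, artifactOffset: at });
        break; // first hit per form is enough to fail the check
      }
    }
  }
  return leaks;
}

// Constructed sample data. Witness bytes live in 0x80-0xff and filler in
// 0x00-0x2f, so the clean case is deterministic rather than merely unlikely.
const witnessBytes = (len, k) =>
  Buffer.from(Array.from({ length: len }, (_, i) => 0x80 + 32 * k + ((i * 7) % 32)));
const filler = (len, seed) =>
  Buffer.from(Array.from({ length: len }, (_, i) => (i * 5 + seed) % 48));
const hiddenWitness = {
  sourceNoteId32: witnessBytes(32, 0),
  senderPub33: witnessBytes(33, 1),
  receiverScanPub33: witnessBytes(33, 2),
  receiverSpendPub33: witnessBytes(33, 3),
};
const cleanArtifact = filler(1080, 1); // 1080 = proofBlobBytes reported on the page
const leakyArtifact = Buffer.concat([ // simulates a debug field left in the blob
  filler(500, 1), hiddenWitness.senderPub33, filler(547, 2),
]);
console.log(findWitnessLeaks(cleanArtifact, hiddenWitness)); // []
console.log(findWitnessLeaks(leakyArtifact, hiddenWitness));
```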
What remains blocked for TKT-P3-59:
- final backend-family / trust-model selection
Why this still unblocks progress:
- the repo now contains a real witness-hiding proving runtime path over hidden identity-bearing witness values
- backendId 2 is now truthfully backed by integrated runtime machinery for the completed hidden fixed-statement relation rather than integrity-only placeholders
Current measurement note:
- proofBytes stayed at 192
- proofBlobBytes stayed at 1080
- publicInputs moved from 22 to 28
- proveMs moved from 144974.515 in the committed-value-conservation baseline to 296200.109 after adding transition consistency
- verifyMs moved from 97.649 to 215.09
Interpretation:
- compact direct-path carriage still holds
- proving cost is still the main pressure to monitor
- adding transition consistency completed the hidden fixed-statement relation without regressing carriage, but it did materially steepen the proving-time curve; that is the first clear signal that iteration cost may now justify a reassessment before normalizing further runtime growth
Bounded Validation Policy (Runtime-Backed Scaffold)
This runtime-backed SRQ3 path is retained as a comparison scaffold, and its validation is now explicitly split into fast-path iteration checks and slow merge-grade checks.
Fast-path iteration checks:
- yarn workspace @bch-stealth/zk-backend-mock test:runtime-baseline:fast
- intended for local iteration and CI smoke coverage
- runs hidden-runtime assertions plus a quick backend precondition check
- uses short timeouts to avoid unbounded waits
Slow merge-grade checks:
- yarn workspace @bch-stealth/zk-backend-mock test:runtime-baseline:slow
- intended for stabilization branch validation before merge
- runs hidden-runtime, real-backend, and runtime-backed SRQ3 suites with a hard timeout budget (--test-timeout=900000)
- timeout expiry is treated as a result to classify (iteration-cost pressure or harness/runtime issue), not as a command to rerun indefinitely
Generated artifact refresh:
- yarn workspace @bch-stealth/zk-backend-mock runtime-baseline:update
- refreshes runtime-backed baseline proof fixtures and benchmark snapshots from current source
- by default preserves prior timing fields to keep generated artifacts reproducible across reruns
- set BCH_STEALTH_REFRESH_RUNTIME_BASELINE_TIMINGS=1 when an explicit timing refresh is desired