Encrypted UTXO Ledger with Globally Verifiable Supply Integrity
1. Design Overview
The ANCORA confidential ledger solves the privacy-auditability paradox by implementing:
Individual transaction amounts and balances are fully encrypted and private
Global total supply and conservation rules are publicly verifiable via zero-knowledge proofs
No third party can inspect individual user balances, but all users can verify no unauthorized token creation has occurred
This architecture delivers full financial privacy for users while eliminating the inflation risk and unverifiable supply that plague existing privacy-focused cryptocurrencies.
2. Confidential UTXO Model
ANCORA uses an encrypted UTXO (Unspent Transaction Output) model rather than a traditional account model. Each UTXO contains:
A Pedersen commitment hiding the token amount
A stealth address hiding the owner identity
A unique nullifier for double-spend protection
An owner proof for spending authorization
No plaintext amount or owner address is ever stored on-chain.
2.1 Pedersen Commitment Construction
For amount v and blinding factor r:
Where G and H are independent generator points with no known discrete logarithm relationship. Pedersen commitments are perfectly hiding and computationally binding.
2.2 Nullifier Construction
Each UTXO has a unique nullifier derived from the owner secret key and UTXO identifier:
When a UTXO is spent, its nullifier is published on-chain and marked as spent, preventing double-spending without revealing which UTXO was spent.
3. Global Supply Commitment Tree
The network maintains a public Merkle tree called the Supply Commitment Tree (SCT) that tracks aggregate supply state while preserving individual privacy.
3.1 Tree Structure
Leaf nodes: Aggregate commitment of all UTXOs created in each block
Intermediate nodes: Hash of child node commitments
Root node: Global aggregate commitment of all existing UTXOs
The root of the SCT is included in every block header and is publicly verifiable by all nodes.
3.2 Supply Conservation Invariant
The fundamental invariant enforced by the protocol at all times:
This invariant is proven for every transaction via an individual zk-STARK balance proof, and aggregated for the entire block via the block Supply Proof.
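The following is an added worked example, written for this page and not ANCORA's own code, showing the Pedersen commitments of 2.1 and the conservation check that the balance proof of 3.2 enforces. It uses the multiplicative-group form of the commitment (g^v * h^r mod p) with constructed toy parameters generated at import time, instead of the elliptic-curve points the design describes; the homomorphic property that lets a verifier check inputs against outputs plus fee without seeing any amount is the same in both forms.

```python
import hashlib
import secrets
from math import prod
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; BASES are sufficient witnesses for n < 3.3e24."""
    if n < 41:
        return n in BASES
    if any(n % p == 0 for p in BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True

def safe_prime_from(start: int) -> int:
    """Smallest p = 2q + 1 with q >= start and both q and p prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime_from(2**63)   # constructed toy group; far too small for real use
Q = (P - 1) // 2             # prime order of the quadratic-residue subgroup
G = 4                        # 2^2, a generator of that subgroup
H = pow(int.from_bytes(hashlib.sha256(b"ANCORA toy H").digest(), "big"), 2, P)  # log_G(H) unknown

def commit(v: int, r: int) -> int:
    """Pedersen commitment to amount v under blinding factor r."""
    return pow(G, v, P) * pow(H, r, P) % P

def conserves_supply(inputs: list, outputs: list, fee: int) -> bool:
    """Verifier-side check on commitments alone: true iff sum(v_in) == sum(v_out) + fee."""
    return prod(inputs) % P == pow(G, fee, P) * prod(outputs) % P   # public fee, no blinding

def demo() -> tuple:
    """Spend UTXOs of 60 and 45 into 70 and 30 with fee 5, then try to mint one extra token."""
    r_in = [secrets.randbelow(Q), secrets.randbelow(Q)]
    r_out = [secrets.randbelow(Q)]
    r_out.append((sum(r_in) - sum(r_out)) % Q)   # last blinding balances the others
    inputs = [commit(60, r_in[0]), commit(45, r_in[1])]
    honest = [commit(70, r_out[0]), commit(30, r_out[1])]
    inflated = [commit(70, r_out[0]), commit(31, r_out[1])]
    return conserves_supply(inputs, honest, 5), conserves_supply(inputs, inflated, 5)
```

This check alone does not keep amounts in a valid range, because exponents wrap modulo Q, so the per-transaction balance proof must also carry range constraints on every output. The toy group generated here must be replaced by a production-size group before any of this is meaningful security-wise.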
4. Zero-Knowledge Supply Proof
Every block includes an aggregated zk-STARK proof called the Supply Proof that mathematically demonstrates:
All transactions in the block satisfy the supply conservation invariant
No new tokens were created outside the defined vesting schedule
No double-spending occurred in the block
The new SCT root is correctly computed
4.1 Proof Circuit Definition
The Supply Proof circuit verifies:
4.2 Verification
All full nodes verify the Supply Proof before accepting a block. Proof verification is O(1) and requires no trusted setup.
5. Supply Auditability
Any network participant can independently verify the complete supply history by:
Replaying all blocks from genesis
Verifying each block's Supply Proof
Aggregating all vesting releases and fee burns
Comparing computed total supply against the SCT root
This audit can be performed without accessing any individual user's transaction details or balance information.
6. Security Guarantees
Privacy Guarantee: No information about individual transaction amounts, balances, or identities is leaked via the ledger or supply proof.
Soundness Guarantee: It is computationally infeasible to produce a valid Supply Proof for a block that violates supply conservation rules.
Completeness Guarantee: All valid state transitions will produce a valid Supply Proof.
Post-Quantum Security: zk-STARK proofs are inherently quantum-resistant, with no vulnerability to Shor's algorithm.