Vision
Where paraloom is going — privacy as Solana infrastructure, not a wrapped product.
Paraloom is built on one observation: on-chain transparency is a feature for verifiability and a bug for everything else. Every balance, every trade, every counterparty is visible to anyone with an RPC endpoint and a query. For most use cases that doesn't matter. For an increasing number — institutional flow, fair launches, payroll, anything where front-running is profitable — it's a structural blocker.
Privacy is a primitive, not a wrapper around an existing app. The right shape for it is a Layer 2 that anchors trust-critical state on Solana but moves transfers privately off-chain.
What's already real
| Component | Status |
|---|---|
| Groth16 zk-SNARKs over BLS12-381 | working |
| Poseidon hash, Pedersen commitments, sparse merkle tree | working |
| In-circuit u64 range proofs | working (#60) |
| Replay-protected withdrawals (expiration_slot) | working (#61) |
| 7-of-10 BFT cohort with reputation gating + slashing | working (#62) |
| Solana Anchor program (merkle root + nullifier PDAs + validator stake) | working |
| libp2p (Kademlia + gossipsub + ping) with on-chain peer discovery | working |
| Coordinator HA with under-30s failover | working |
| Signed multi-platform releases + SBOM + GHCR | working (#70) |
| BGM17 phase-2 MPC ceremony tooling | working — execution pending |
| Private WASM compute with Pedersen + ownership proof | alpha |
This is paraloom-core v0.5.0-rc2 today: 33K LOC of Rust, 407 tests passing, ~10 ms proof verification per validator.
What's next, and in what order
Near-term (gating mainnet)
The minimum bar before paraloom can be called mainnet-ready:
- MPC ceremony executed end-to-end. Devnet uses locally-generated proving keys; mainnet keys must come from a real multi-party ceremony with a verifiable transcript. Tooling exists (`paraloom-ceremony-contribute`, `verify`, `finalize`); coordinated execution is the work that remains. Tracked in #64.
- External audit of the privacy circuits, the Anchor program, and the BFT cohort path. Particularly the bits that touch user funds: range proofs, nullifier PDA flow, slashing logic.
- Compute layer output-notes integrated with the shielded pool, so private compute results re-enter the privacy pool as commitments rather than landing only at the requester. Today's compute is alpha specifically because of this gap.
Mid-term (developer ergonomics)
The crate surface works but is rough — there's no SDK yet. The plan:
- `paraloom-sdk` — typed clients in Rust and TypeScript wrapping the bridge, wallet, and compute APIs. Bake `expiration_slot` defaults, note storage, and randomness handling in by default.
- WASM-friendly proof system bindings for browsers and mobile.
- A WebSocket subscription layer for `DepositEvent`/`WithdrawEvent` to replace the current polling listener.
The bar here is not "many features" but "small, well-typed, hard to misuse."
Longer-term (research + ecosystem)
These are the open questions, not commitments:
- Compute correctness proofs. Today's compute relies on BFT result agreement. A verifier circuit (zk-WASM-shaped) would let a single verifier check the result without running it — at very different cost.
- Cross-chain anchors. The same proof / nullifier discipline can settle on more than one chain. Solana is paraloom's first home, not its only one.
- Composability with public Solana DeFi. Private positions need to interact with public liquidity in a privacy-preserving way. This is the harder application-layer work; `paraloom-core` provides the primitives.
The earlier vision draft listed two specific applications (Privacy Swap, Privacy Launch) as if they were on the near-term roadmap. They are possible applications of the privacy layer, not commitments. The infrastructure is what we're building; what's built on top of it is downstream.
What paraloom is not
A few clarifications, because the privacy space is full of vague claims:
- Not a mixer. Mixers obfuscate by routing funds through a shared pool; the privacy that buys is statistical and degrades under timing and amount correlation. Paraloom uses zk-SNARKs, so the link between a deposit and the withdrawal that spends it is removed cryptographically, not heuristically. What stays visible is the on-chain footprint itself (that a deposit or withdrawal landed, and when), never the link between them.
- Not a sidechain. State that matters (merkle root, nullifiers, validator stake, slashing) lives on Solana. Off-chain BFT is for verification throughput, not for trust.
- Not a custodial service. Validators verify; they don't hold user funds. The bridge vault is a Solana PDA, not a multisig owned by paraloom.
- Not a token-first project. There is no token. The economics that fund the network are validator stake, fees from withdrawals, and (post-mainnet) compute fees.
Trust model
The minimum trust users need to extend:
| Component | Trust assumption |
|---|---|
| Solana | as much as you trust Solana |
| Anchor program | published source, reviewed, deployed at a fixed program ID |
| MPC ceremony | one honest participant suffices; transcript is publicly verifiable |
| BFT cohort | at most 3 of 10 simultaneously malicious; on-chain slashing creates economic penalty |
| Coordinator (HA) | doesn't need to be trusted for safety; only for liveness — failover < 30 s if primary dies |
Where this differs from a fully trustless design: the withdrawal threshold is a parameter (7-of-10 by default), so liveness depends on the cohort. Safety does not: the on-chain program re-verifies every withdrawal proof itself, so even a 10-of-10 malicious cohort cannot get an invalid proof accepted. The cohort can delay or refuse a withdrawal; it cannot forge one.
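The acceptance rule that paragraph describes, written out as an added Rust model for this page (it is not the Anchor program's code; the type and field names `Withdrawal`, `PoolState`, `Verdict` and `try_withdraw` are assumptions, and the hash-based `toy_prove`/`toy_verify` stand in for Groth16 over BLS12-381 only so the program's checks can be exercised offline). The order of checks is the point: expiration, anchored root, nullifier PDA and proof verification are all decided by the program before the cohort vote is counted, and the vote only counts distinct registered validators, so a unanimous but dishonest cohort gets a rejection, while an honest proof that the cohort stalls on stays pending rather than failing.

```rust
// Added model of the withdrawal acceptance rule; not paraloom's Anchor program.
// Type/field names are assumptions for this example, and `toy_prove`/`toy_verify`
// stand in for Groth16 over BLS12-381 without any of its security.
use std::collections::hash_map::DefaultHasher;
use std::collections::{HashSet, VecDeque};
use std::hash::{Hash, Hasher};

/// Public inputs of one withdrawal as the on-chain program sees them.
#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct Withdrawal { pub merkle_root: u64, pub nullifier: u64, pub recipient: u64, pub amount: u64, pub expiration_slot: u64 }

/// Opaque proof; only the verifier can say whether it binds a `Withdrawal`.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Proof(pub u64);

/// Toy prover: the "proof" is a hash of the public inputs under a domain tag, so a
/// proof made for one withdrawal fails for any edited copy of it. A real proof also
/// binds the private witness (note, Merkle path, spending key).
pub fn toy_prove(w: &Withdrawal) -> Proof {
    let mut h = DefaultHasher::new();
    "paraloom-toy-proof-v0".hash(&mut h);
    w.hash(&mut h);
    Proof(h.finish())
}
pub fn toy_verify(p: &Proof, w: &Withdrawal) -> bool { *p == toy_prove(w) }

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted,
    Rejected(&'static str),
    Pending { votes: usize, threshold: usize }, // valid proof, cohort has not reached threshold
}

pub struct PoolState {
    recent_roots: VecDeque<u64>, // Merkle roots the program has anchored
    spent: HashSet<u64>,         // nullifiers whose PDA already exists
    cohort: HashSet<u32>,        // registered validator ids
    threshold: usize,            // 7 of 10 by default
}

impl PoolState {
    pub fn new(cohort: &[u32], threshold: usize, roots: &[u64]) -> Self {
        PoolState { recent_roots: roots.iter().copied().collect(), spent: HashSet::new(),
                    cohort: cohort.iter().copied().collect(), threshold }
    }

    /// Every safety check is the program's own; the cohort vote is only the final
    /// liveness condition, which is why it can delay or refuse but never forge.
    pub fn try_withdraw(&mut self, w: &Withdrawal, proof: &Proof, votes: &[u32], current_slot: u64,
                        verify: impl Fn(&Proof, &Withdrawal) -> bool) -> Verdict {
        if current_slot > w.expiration_slot {
            return Verdict::Rejected("expiration_slot passed"); // stale or replayed request
        }
        if !self.recent_roots.contains(&w.merkle_root) {
            return Verdict::Rejected("unknown merkle root");
        }
        if self.spent.contains(&w.nullifier) {
            return Verdict::Rejected("nullifier already spent"); // double spend
        }
        if !verify(proof, w) {
            return Verdict::Rejected("proof does not verify"); // decided before any vote is counted
        }
        // Only distinct, registered validators count: duplicated or unknown signers add nothing.
        let distinct: HashSet<u32> = votes.iter().copied().filter(|v| self.cohort.contains(v)).collect();
        if distinct.len() < self.threshold {
            return Verdict::Pending { votes: distinct.len(), threshold: self.threshold };
        }
        self.spent.insert(w.nullifier);
        Verdict::Accepted
    }
}

/// Walks the cases the trust model promises and returns the verdicts in order.
pub fn demo() -> Vec<Verdict> {
    let cohort: Vec<u32> = (1..=10).collect();
    let mut pool = PoolState::new(&cohort, 7, &[0xA11CE]);
    let w = Withdrawal { merkle_root: 0xA11CE, nullifier: 42, recipient: 7, amount: 1_000, expiration_slot: 500 };
    let p = toy_prove(&w);
    let w2 = Withdrawal { nullifier: 44, ..w.clone() };
    let p2 = toy_prove(&w2);
    let forged = Withdrawal { nullifier: 43, amount: 1_000_000, ..w.clone() }; // presented with `p`, made for `w`
    vec![
        pool.try_withdraw(&w, &p, &[1, 2, 3, 4, 5, 6, 7], 100, toy_verify),   // honest path
        pool.try_withdraw(&w, &p, &[1, 2, 3, 4, 5, 6, 7], 101, toy_verify),   // replay of the same withdrawal
        pool.try_withdraw(&forged, &p, &cohort, 102, toy_verify),             // 10-of-10 cohort, invalid proof
        pool.try_withdraw(&w2, &p2, &[1, 2, 3, 4, 5, 6], 103, toy_verify),    // cohort one vote short
        pool.try_withdraw(&w2, &p2, &[1, 1, 1, 1, 2, 3, 4], 104, toy_verify), // seven signatures, four signers
        pool.try_withdraw(&w2, &p2, &[1, 2, 3, 4, 5, 6, 7], 501, toy_verify), // valid proof past its slot
    ]
}

fn main() {
    for v in demo() { println!("{v:?}"); }
}
```

Two details worth carrying into a review of the real program: the proof must be verified before the threshold is consulted (otherwise a stalled cohort and a forged proof are indistinguishable to a caller), and the vote count must deduplicate by validator identity, since seven signatures from one key are one vote.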
How to participate
| You are | Your move |
|---|---|
| A validator | Run a node on devnet. Reputation accrues now; mainnet stake will use the same registry. |
| A protocol auditor | Read Architecture and Privacy layer; start at the Anchor program and the withdrawal circuit. |
| A user | Wait for mainnet. Devnet is real but uses devnet-only proving keys; don't move real funds yet. |
| A builder | Watch paraloom-sdk — that's the surface you'll integrate against. Until then, Developer guide covers the CLI + Rust paths. |
| A ceremony participant | Ceremony. One honest contribution is all the protocol needs; more is better. |
The end state
A privacy primitive that's boring infrastructure — one that any Solana app can adopt without rebuilding consensus, without trusting a custodian, without paying a 10× privacy premium. The most ambitious thing paraloom can be is something nobody talks about because it just works.