Private payments where the proof is post-quantum and the promises are honest.

A shielded payment hides the amount and the recipient and proves it’s valid without revealing anything else — using zk-STARK proofs with no elliptic curves and no trusted setup.

01

The Two Rails

What “shielded” means here

Stealth has two rails: transparent (XST, public — what settles payments today) and shielded (XSS), where a coin is a note whose only public footprint is a commitment that reveals nothing.

You move value by spending notes and creating new ones. Each spend publishes a one-time nullifier that prevents double-spending — without ever linking back to the note it came from.

Transparent · XST

Public by design

The settlement rail in use today. Balances and transfers are visible on-chain — the right default for open, auditable payments.
Footprint · fully public
Shielded · XSS

A note, not an entry

The only public footprint is a commitment that reveals nothing. A one-time nullifier blocks double-spends and never links back to the note.
Links to note · never
02

The Proof

One zk-STARK, no trusted setup

Every shielded transfer carries one zk-STARK binding membership, nullifiers, new commitments, and value-in = value-out. STARK security rests entirely on hashes (via FRI) — no elliptic curves — so the guarantee that supply can’t be inflated and notes can’t be forged is post-quantum by construction.

Rests on

Hashes · FRI

No elliptic curves, no trusted setup. Soundness inherits the same Grover-only, survivable exposure as every other hash in the stack.
Elliptic curves · none
Guarantee

Post-quantum by construction

Supply can’t be inflated and notes can’t be forged — bound in a single proof per transfer, with no trusted ceremony to compromise.
Trusted setup · none
03

Selective Disclosure

Prove one payment, reveal nothing else

The sender can prove one specific payment — its recipient, amount, and memo — and that it really happened, without exposing any other note or any history.

It’s sender-cooperative: it proves a payment, it can’t compel a reveal — exactly what a receipt or an audit needs. This is also what makes a private x402 payment possible.

Mode · cooperative

Proves, never compels

A sender-side proof of one payment. It can produce a receipt; it cannot be used to force a reveal against the holder’s will.
Other notes · untouched
Use · receipts & audit

Exactly what an audit needs

Disclose a single recipient, amount, and memo — and prove it happened — with no history exposed. The basis for a private x402 payment.
Exposes · one payment
04

Getting In And Out

The bridge, and its trust model

Value enters and leaves the shielded pool through a federated custody bridge — an m-of-n committee. The shielded transfers are trustless cryptography; the peg in and out rests on a threshold of operators behaving.

That’s a real trust assumption, and we say so. Anti-redirect bindings and reserve checks make custody fail-safe — they reduce what the committee can do, they don’t remove the committee. We’d rather you read it here than discover it in the source.
Transfers

Trustless cryptography

Movement inside the shielded pool needs no one’s permission and no operator — it’s pure zk-STARK-verified math.
Model · trustless
Peg in/out

Federated m-of-n

Crossing the boundary rests on an operator threshold. Reserve checks and anti-redirect bindings keep custody fail-safe.
Custody · fail-safe
05

Quantum Posture

Soundness now, confidentiality next

Validity and soundness are post-quantum today (STARKs). The confidentiality transport — note delivery — is classical key agreement until a post-quantum KEM replaces it, isolated behind one module for exactly that reason.

We never collapse the two: the proof is post-quantum; the encryption that hides the contents isn’t yet.

The full quantum map →
Soundness

Post-quantum

Validity proofs rest on STARKs — supply integrity and note unforgeability are quantum-safe today, not someday.
Status · done
Confidentiality

Classical → KEM

Note delivery uses classical key agreement, isolated in one module so a post-quantum KEM can drop in without touching the proof.
Collapsed claim · never
06

Where It’s Headed

Prove it · encrypt it · sign it

A private payment leans on three pieces of cryptography — proving a transaction is valid, encrypting who paid whom, and signing to authorize it. A quantum computer threatens each one on a different timeline, so we migrate in order of exposure: the proofs are already quantum-safe, the encryption is next, and the public-rail signatures come last.

01 · Prove

Soundness

zk-STARK proofs rest on hashes, not elliptic curves — so the layer that proves a transaction valid is already quantum-safe. Everything else builds on it.
Status · done
02 · Encrypt

Confidentiality

Shielded notes are delivered with classical encryption today. Swap it for a post-quantum KEM so a future quantum attacker still can’t see the amount or the recipient.
Status · next
03 · Sign

Transparent migration

The public XST rail still signs with ECDSA — the elliptic-curve crypto Shor breaks first. Move it to post-quantum signatures. Last, because it touches every live key.
Status · after

Pay in private.

Shielded amounts, shielded recipients, post-quantum proofs. Never touch a private key.