| title | Vendor: EY |
|---|---|
| status | production |
A production-ready Zero-Knowledge rollup for private token transfers with enterprise compliance features. Nightfall v4 implements a ZK rollup that provides immediate finality and supports ERC20, ERC721, ERC1155, and ERC3525 tokens with X509 certificate-based access control.
- Private Stablecoin Shielded Payments
- Privacy L2s
- Regulatory Disclosure Keys Proofs
- Private ISO20022
- General-purpose privacy L2s (focused on enterprise transfers)
- Public DeFi composability (limited composability by design)
- Low-resource deployment environments (requires significant compute)
Client-Proposer model with separate containerized roles. Clients generate UltraPlonk proofs for private transactions and submit to Proposers who create Layer 2 blocks with rollup proofs. X509 certificate validation gates all network access. Uses commitment-nullifier privacy model (UTXO-style) with MongoDB storage for metadata and Merkle tree state. Supports webhook integration for asynchronous processing.
- Certificate-gated private transfers with immediate ZK rollup finality
- Selective disclosure for regulatory compliance and audit trails
- Enterprise treasury operations with confidential payment flows
Target segments include multinational corporations, financial institutions
- UltraPlonk proof system with no per-circuit trusted setup
- supporting ERC20/721/1155/3525 standards
- RESTful APIs for deposit, transfer, withdraw operations with X-Request-ID tracking
- Integration with LocalWallet and AzureWallet for enterprise key management
- Sophisticated chain reorganization handling and immediate finality from ZK rollup architecture.
- Production-ready with mature ZK technology and enterprise compliance features
- Advanced cryptography using UltraPlonk proofs eliminating trusted setup requirements
- Built-in X509 certificate validation and selective disclosure for regulatory compliance
- Immediate finality from pure ZK rollup architecture (no optimistic challenge periods)
- Extremely high compute requirements (144 cores, 750GB RAM) limit proposer decentralization
- Complex infrastructure requirements may limit deployment scenarios
- Limited composability compared to general-purpose privacy L2s
Starlight is an open-source transpiler that converts standard Solidity smart contracts into zero-knowledge applications (zApps). Developers annotate Solidity code with privacy decorators (a superset called "Zolidity"), and the compiler generates ZK circuits, on-chain verifier contracts, and JavaScript orchestration code; enabling private business logic on public Ethereum without requiring deep cryptographic expertise.
- Shielded ERC-20 Transfers: enables building shielding-type circuits from Solidity, not a drop-in shielded pool
- Private Shared State (co-SNARKs): two-party shared secret commitments via
sharedSecretdecorator - L1 ZK Commitment Pool: generated contracts deploy commitment pools with nullifier tracking on L1
- Private transaction rollups: Starlight privatises business logic at the contract level but does not provide network-level transaction privacy or a private execution environment (see Nightfall v4 or Aztec)
- Production-grade ZK infrastructure: output zApps use Groth16 with known malleability caveats; no security audit has been completed; a trusted setup is required per circuit
- Regulatory disclosure infrastructure: no built-in viewing keys, selective disclosure, or compliance hooks; institutions must layer these separately (see pattern-regulatory-disclosure-keys-proofs.md)
- Full Solidity feature parity: not all Solidity syntax transpiles; complex control flow, certain if-statement patterns, and loops may not be supported
Developers write .zol files (Solidity + decorators: secret, known/unknown, encrypt, sharedSecret, re-initialisable) and run zappify. The transpiler parses the decorated AST via solc, then generates:
- ZoKrates circuits: (
.zok) for zero-knowledge proof generation (Groth16) - Solidity verifier contracts: (
.sol) for on-chain proof verification and commitment management
Secret state lives on-chain as cryptographic hash commitments; pre-image data stays local with the owner. Nullifiers prevent double-spending; Merkle trees provide membership proofs.
- Single-party private state: secret variables owned by one party; on-chain commitments hide values from all others
- Two-party shared secrets:
sharedSecretdecorator enables bilateral state (e.g. atomic swaps) where both parties share a derived key - No native selective disclosure: Starlight does not provide viewing keys or regulator access mechanisms at the compiler level
- B2B contract management: multi-party business agreements where logic must be shared but commercial terms remain confidential (procurement, supply-chain)
- Inventory and payment management: large-scale asset tracking with privacy from competitors, combined with Nightfall for token transfers
- Prototyping and education: lowest-friction path to demonstrating ZK-private business logic for organisations evaluating privacy on Ethereum
- Target segment: organisations migrating complex B2B agreements from private EDI systems to public Ethereum; Solidity-proficient teams wanting to explore ZK without circuit expertise
- Proof system: Groth16 (via ZoKrates); requires per-circuit trusted setup
- Circuit language: ZoKrates DSL (generated, not hand-written)
- State model: Cryptographic hash commitments; nullifiers for spend tracking; Merkle tree for membership proofs
- Low barrier to entry: Solidity developers add privacy via decorators without learning circuit DSLs; contrast with Noir/Circom which require new languages
- End-to-end code generation: single
zappifycommand produces circuits, contracts, and orchestration; reduces manual wiring errors - Public domain: no licensing constraints; enterprises can fork and customise freely
- No security audit: EY explicitly warns against use for material-value transactions; the project is labelled "experimental prototype still under development"
- Trusted setup per circuit: each generated circuit requires a separate Groth16 trusted setup ceremony; business logic changes require new ceremonies and state migration with no documented upgrade path
- JavaScript integer precision: uint256 values silently lose precision if not handled with BigInt; for 18-decimal tokens this caps correct handling at ~9,007 tokens
- Limited Solidity coverage: not all Solidity syntax transpiles; complex conditionals, loops, and certain patterns are unsupported (see STATUS.md)
- No native regulatory disclosure: no built-in viewing keys, selective disclosure, or compliance screening hooks; institutions must build or source these separately