Cloak: Non-Custodial Private Spending
for Payment Cards

Cryptocurrencies promise pseudonymous value transfer, yet nearly all consumer spending funnels through custodial on-ramps that undo the anonymity set the moment a wallet is linked to a legal identity. Privacy-preserving mixers such as Tornado Cash [1] and shielded-pool constructions in Zcash [2] address the on-chain-to-on-chain case, but neither bridges to the merchant layer where the overwhelming majority of economic activity occurs.

We present Cloak, a protocol that combines a shielded commitment pool with a permissionless relayer network and a conventional card-issuing program (BIN sponsor). A user's on-chain deposit is cryptographically decoupled from the subsequent card-authorization event via a zero-knowledge proof of membership in the commitment set. The result is a Visa-branded debit card whose balance is backed by crypto deposits, yet whose transaction graph is disconnected from the depositor's wallet.

Our contributions are threefold: (i) a formal construction for note-based commitments and nullifiers suitable for a high- -throughput payment rail; (ii) a concrete Groth16 [3] instantiation with 94,712 R1CS constraints and a prover running in approximately 1.1 seconds on commodity hardware; (iii) a practical deployment pattern that integrates with the ISO-8583 authorization flow of the Visa Direct network without requiring custody of user funds.

2.1 Commitment schemes

A non-interactive commitment $Com(m,r)\to C$ is hiding if $C$ reveals no computationally-bounded information about $m$, and binding if no adversary can produce a distinct$(m^{\prime },r^{\prime })$ opening to the same $C$. Cloak instantiates$Com$ as a Poseidon hash [4] over a BN254 base field, which offers SNARK-friendly arithmetization at ~40 constraints per absorption.

2.2 Shielded pool protocols

Zcash's Sapling protocol [2] popularized the note / nullifier construction: a deposit appends a commitment to an append-only Merkle tree; a spend proves (a) membership of a commitment in the tree and (b) knowledge of a trapdoor that derives a unique nullifier, marking the note as spent. Cloak adopts this structure verbatim, substituting Solana's account model for Sapling's UTXO set and reducing Merkle depth to 32 to bound verifier cost.

2.3 Card issuance and BIN sponsorship

Modern payment cards are issued by a principal member of the Visa or Mastercard network — typically a regulated financial institution — under a program manager agreement that delegates operational control to a non-bank entity[5]. The program manager supplies the cardholder experience; the sponsor retains KYC/AML responsibility under its own license. This separation is what permits Cloak to issue cards without itself holding a money transmitter license.

2.4 Related systems

Let $F$ be the BN254 scalar field and $H:F^n\to F$ a Poseidon permutation instantiated at $(t=3,R_F=8,R_P=57)$. A note is the tuple

where $sk\in F$ is the note private key,$\rho \in F$ is a fresh randomness,$v\in {\mathbb{Z}}_{\ge 0}$ is the amount bounded by $2^{40}$, and $\tau$ identifies the asset. The commitment is

and the nullifier is

3.1 Deposit

On deposit, the depositor transfers $v$ units of asset $\tau$ to the pool's program-derived address and publishes $C$. The pool contract verifies the transfer, appends $C$ to its Merkle tree $\mathcal{T}$ of depth 32, and emits the updated root $\mathcal{R}$. No additional proof is required at deposit: the hiding of$C$ alone is sufficient, because the depositor is the only party to see $v$ off-chain and the pool constraint permits any transfer amount whose Poseidon image matches.

3.2 Spend

To spend, the holder of $\mathcal{N}$ produces a Groth16 proof $\pi$ over the statement

where $\mathbf{p}$ is the authenticated path,$C^{\prime }$ is the fresh change commitment, and$f$ is the relayer fee. The tuple$(\mathcal{R},\eta ,C^{\prime },f,h,\pi )$ — where$h$ binds off-chain data — constitutes a spend packet.

3.3 Relayer transport

A spend packet is forwarded through $N\ge 3$ relayers using a Sphinx-like [7] onion format. Each hop strips one layer of routing metadata, re-shuffles its batch, and forwards to the next. At the final hop, the packet is validated by the pool contract: $\eta$ is inserted into the nullifier set, $C^{\prime }$ into$\mathcal{T}$, and the issuer is instructed to credit a card.

  user                         pool              issuer
   │                            │                   │
   │──deposit(v, C)────────────▶│                   │
   │                            ├─── \mathcal{R}─┐  │
   │                            │                │  │
   │                            │                │  │
   │──sign(I), build \pi──┐     │                │  │
   │                      │     │                │  │
   │                      ▼     │                │  │
   │                ┌─relayer─┐ │                │  │
   │                │ hop 1   │ │                │  │
   │                │ hop 2   │ │                │  │
   │                │ hop 3   ├─┤                │  │
   │                └──┬──────┘ │                │  │
   │                   │        │                │  │
   │                   └──verify(\pi), set \eta──┘  │
   │                                          │     │
   │                                          ├────▶│ credit card
   │                                          │     │
              

Proof sketch. Suppose $\eta =H(sk,C)=H(s{k}^{\prime },C^{\prime })$ with$(sk,C)\ne (s{k}^{\prime },C^{\prime })$. Then $H$ admits a collision with non-negligible probability, contradicting the cryptographic assumption on Poseidon. The pool contract rejects any spend whose nullifier is already in the set, so at most one proof per note is accepted.

Proof sketch. The nullifier and fresh commitment are uniformly distributed in $F$ conditional on their pre-images being hidden (commitments are hiding; nullifiers are pseudorandom outputs of Poseidon). Groth16 proofs on identical statement templates are zero-knowledge by construction [3]. Hence the joint distribution reveals at most the public inputs, which are equal by assumption.

4.1 Out-of-scope attacks

We do not defend against (a) compromise of the user's signing device, (b) compelled disclosure of records by the BIN sponsor under lawful process, (c) side-channel correlation by merchants at the authorization layer, or (d) total relayer collusion across all hops. Section 6 discusses mitigations for (c) and (d).

We implement the pool as an Anchor program on Solana mainnet-beta, the spend circuit in circom 2.1.9 [8], and the relayer reference client in Rust. Benchmarks use an Apple M1 (3.2 GHz) for the prover and a stock Solana validator for verifier cost.

The dominant user-perceived cost is the mobile prover at ~4.8 seconds. We have explored GPU-backed remote proving [9] but rejected it as incompatible with our non-custodial model: the prover holds the witness$sk$. Future work on improved mobile MSM implementations should reduce prover time below 2 s.

6.1 Anonymity set dynamics

Pool entropy is not constant. At launch, with ~1,200 notes, the information-theoretic anonymity set is bounded at roughly ${\log }_{2}1200\approx 10.2$ bits. Past 10^5 notes the set exceeds 16 bits, sufficient for casual adversaries but below the level required to resist well-resourced state actors [10]. The client SDK introduces deliberate timing jitter and denomination normalization to reduce effective linkage below the theoretical maximum.

6.2 Compliance architecture

Our BIN sponsor operates the card program under a prepaid stored-value license exempt from per-transaction KYC below $2,500 per card and $10,000 aggregate per holder per year under FinCEN guidance for general-use prepaid cards [11]. Spends above these thresholds transition the sponsor into a money-services-business regime, at which point the cardholder's identity is collected by the sponsor — not by Cloak. We view this as a deliberate privacy boundary rather than a limitation; users seeking greater limits accept a weaker guarantee.

6.3 Relayer incentives

We deliberately avoid a staking / slashing economic layer. Slashable stake creates an incentive for a relayer to prove misbehavior of a peer, which requires deanonymizing the underlying transaction. Instead, relayers earn a fixed percentage of spend volume; reputation is observable (uptime, latency) and client-enforced via path selection. This design follows the arguments of Le et al. [12] on incentive incompatibility in privacy markets.

Cloak demonstrates that the privacy guarantees of a shielded commitment pool can extend through a regulated payment rail without user-side KYC and without custody of funds, at a user-experience cost of roughly two seconds of proving latency. Ongoing work centers on (i) recursive proof composition to reduce verifier cost on Solana, (ii) Mastercard program onboarding to diversify card-network risk, and (iii) cross-chain pool aggregation using IBC-style commitments.

All circuits, contracts, and relayer code are open-source under MIT (circuits, Solana program, web client) and AGPL-3.0 (Rust relayer). Audit reports and trusted-setup transcripts are published at $github.com/cloakfi$.