Back to Posts
PROTOCOL

Under the Hood: How ZK Gifts Actually Work | Protocol

2026-02-168 min read
Under the Hood: How ZK Gifts Actually Work | Protocol

Only Math is Trustless

In the Ecosystem series, we talked about what you can do with Lambda. In the Protocol series, we talk about how it works.

We didn't just fork a privacy concept. We built a specific architecture optimized for Monad's parallel execution environment. Here is the stack.

1. The Commitment (Poseidon)

When you "wrap" a gift, you aren't just sending tokens to a contract. You are creating a Cryptographic Commitment.

We use the Poseidon Hash function. Why?

  • Standard SHA-256: Expensive for Zero-Knowledge circuits (thousands of constraints).
  • Poseidon: Built specifically for zk-SNARKs (arithmetic friendly). It costs ~8x less gas to verify inside a circuit.

Your gift commitment looks like this:

Commitment = Poseidon(Secret, Salt, Amount)

The contract stores this hash. It knows something exists, but it doesn't know the Secret or the Amount.

2. The Curve (Baby JubJub)

To claim a gift, you need to sign a message saying "Send this to my address." But standard Ethereum signatures (ECDSA on secp256k1) are heavy for ZK.

We use Baby JubJub, a twisted Edwards curve that fits perfectly inside the BN254 field.

  • Efficiency: Allows us to verify signatures inside the ZK proof with minimal constraints.
  • Security: Provides ~128-bit security, standard for modern cryptography.

3. The Proof (Groth16)

When you claim, your browser generates a ZK-SNARK using Groth16. Groth16 is the "Smallest" proving system.

  • Proof Size: Constant 256 bytes (tiny!).
  • Verification: ~280k Gas on Monad.

This is critical. If we used heavier systems (like PLONK or Halo2), verification might cost too much gas for a $20 gift. Groth16 keeps Lambda affordable.

The "UTXO" Model

Lambda doesn't work like an account (Balance = X). It works like Bitcoin (Unspent Transaction Outputs). When you claim a gift:

  1. You prove you know the Secret for Commitment A.
  2. You "spend" Commitment A (Nullifying it).
  3. You create Commitment B (The Change) if you didn't claim the full amount.

This Commitment Chaining ensures that even if you receive a 1000 $LAMB gift but only cash out 10 $LAMB, the remaining 990 $LAMB stays hidden in a fresh, unlinkable commitment.

Why This Stack?

We chose Poseidon + Baby JubJub + Groth16 for one reason: Efficiency. Privacy shouldn't cost $50 in gas. On Monad, with this architecture, it costs pennies.

Next Up: The Invisible Courier - How Relayers make gasless claims possible.

You might also like

Recommended Reads

The Relayer Network: How Gasless Privacy Works | Protocol
LOCKED
2026-02-185 min read

The Relayer Network: How Gasless Privacy Works | Protocol

ACCESS DENIED
Curvance x Lambda: Unlocking Private Liquidity | Ecosystem
ECOSYSTEM
2026-02-124 min read

Curvance x Lambda: Unlocking Private Liquidity | Ecosystem

READ INTEL
Ambient x Lambda: Bootstrapping Liquidity | Ecosystem
ECOSYSTEM
2026-02-124 min read

Ambient x Lambda: Bootstrapping Liquidity | Ecosystem

READ INTEL
Kuru x Lambda: Accumulating $LAMB on the Order Book | Ecosystem
ECOSYSTEM
2026-02-105 min read

Kuru x Lambda: Accumulating $LAMB on the Order Book | Ecosystem

READ INTEL
Silent Accumulation: How to Trade Like a Ghost | Lambda Academy
ACADEMY
2026-02-047 min read

Silent Accumulation: How to Trade Like a Ghost | Lambda Academy

READ INTEL