Veil Protocol

Confidential Transactions on Sui

Whitepaper v1.0 - March 2026

Abstract

Veil Protocol is a privacy-preserving transaction layer built natively on Sui using the Move programming language. It combines zero-knowledge proofs (Groth16 over BN254), Poseidon hash commitments, Merkle tree accumulators, and stealth addresses to provide a system where transaction amounts are hidden, senders are indistinguishable, and recipients are unlinkable to their public identities.

The native $VEIL token (210M fixed supply) is distributed entirely through a fair launch mechanism. No pre-mine, no VC allocation, no insider deals. Every token is earned through protocol usage, creating natural alignment between early adopters and long-term protocol health.

1. Problem Statement

Public blockchains like Sui provide transparency by default. While transparency is valuable for protocol verification, it creates serious privacy vulnerabilities for users.

Balance Exposure

Every wallet's holdings are publicly visible. This exposes individuals to targeted attacks and gives competitors real-time insight into treasury movements.

Transaction Graph

The sender, recipient, and amount of every transaction are recorded permanently. Chain analysis can reconstruct complete financial histories and relationship maps.

Front-Running

Visible pending transactions enable value extraction through sandwich attacks, front-running, and other MEV strategies that cost DeFi users significantly.

Privacy is not a feature. It is a fundamental property of sound money and functional financial infrastructure. Sui's ecosystem currently has no production-grade privacy solution. Veil fills this gap.

2. Design Principles

Privacy by default

Once assets enter the privacy pool, they are fully shielded. No opt-in required for individual transactions.

Minimal trust assumptions

All privacy guarantees are enforced cryptographically on-chain. No trusted setup ceremonies, no reliance on honest validators, no centralised mixer.

Composability

Built as native Move modules that integrate with Sui's object model. Other protocols can compose with Veil's privacy primitives.

Efficiency

Off-chain ZK proof generation keeps on-chain verification lightweight. Groth16 proofs are compact and fast to verify.

Conservative cryptography

Every cryptographic primitive is peer-reviewed, formally analysed, and battle-tested: Poseidon (2019), Groth16 (2016), BN254 (widely deployed), Merkle trees (foundational).

3. Protocol Architecture

3.1 Commitment Scheme - Poseidon Hash

Every private note in Veil is represented as a Poseidon hash commitment: C = Poseidon(value, secret, blinding). The value is hidden behind the commitment, and only the owner (who knows the secret and blinding factor) can open it.

Poseidon is a ZK-friendly hash function designed for arithmetic circuits. It operates over the BN254 scalar field and is approximately 50x cheaper inside ZK circuits compared to SHA-256, making it ideal for on-chain proof verification.

3.2 Merkle Tree Accumulator

All commitments are stored in an on-chain Merkle tree using Poseidon hashing at each level. When a user shields SUI, their commitment is inserted as a new leaf. The Merkle root is updated and stored on-chain, providing a compact digest of all existing notes.

To spend a note, the user provides a ZK proof that their commitment exists somewhere in the tree (using a Merkle path) without revealing which leaf. This is the core privacy mechanism: the spender proves membership in the set of all valid notes without identifying their specific note.

3.3 Nullifiers - Double-Spend Prevention

Each note has a unique nullifier derived deterministically from its secret: N = Poseidon(secret, leafIndex). When a note is spent, the nullifier is published on-chain and recorded in a global registry. If the same nullifier appears twice, the second transaction is rejected.

Critically, nullifiers are unlinkable to commitments. An observer sees a nullifier being published and a new commitment being created, but cannot determine which existing commitment was consumed.

3.4 ZK-SNARK Proofs - Groth16

Veil uses Groth16 zero-knowledge proofs over the BN254 curve for all privacy-critical operations. The proving system generates compact proofs (3 group elements, ~128 bytes) that are verified on-chain using Sui's native sui::groth16::verify_groth16_proof function.

ZK Circuit Types

●Shield circuit - proves commitment matches deposited value

●Spend circuit - proves Merkle membership + correct nullifier + value conservation

●Transfer circuit - proves input consumption + output creation without revealing amounts

●Insert circuit - proves correct Merkle tree update after leaf insertion

3.5 Stealth Addresses & ECDH Note Discovery

Recipients register a StealthMeta on-chain containing their BLS12-381 view and spend public keys. These keys are deterministically derived from the wallet's signature, so the same wallet always produces the same keys on any device. When a user first connects, their StealthMeta is automatically registered on-chain as an owned object.

When sending VEIL, the sender looks up the recipient's view_pubkey from their on-chain StealthMeta. The sender generates an ephemeral keypair (r, R = r*G), computes a shared secret via ECDH: s = blake2b256(r * view_pubkey), and encrypts the note's secrets (value, secret, blinding) into a 125-byte memo stored on-chain alongside the commitment.

The recipient automatically discovers received notes during recovery by scanning all on-chain memos. For each memo, they compute the same shared secret using their view private key: s = blake2b256(viewPrivKey * R). If the checksum verifies, the note belongs to them. No manual sharing of note codes or out-of-band communication is required.

3.6 Privacy Pool

Users enter privacy by shielding: depositing transparent SUI and receiving a private note (commitment in the Merkle tree). They exit by unshielding: providing a ZK proof that they own a valid note, publishing its nullifier, and receiving transparent SUI.

The privacy pool acts as a fungibility set. The larger the pool (more active commitments and more transaction volume), the stronger the anonymity guarantees. The fair launch emission system is designed specifically to bootstrap this pool by rewarding early shielding.

3.7 Encrypted Recovery & Dual Memo System

When notes are created, an encrypted memo is stored on-chain as part of the LeafInsertedEvent. The memo format depends on who needs to read it:

Memo Formats

●Format 0x01 (16 bytes) — Self-encrypted for sender's own change notes. Uses a symmetric key derived from the wallet seed. Contains noteIndex and value; the secret and blinding are re-derived from the seed during recovery.

●Format 0x02 (125 bytes) — ECDH-encrypted for the recipient. Contains the ephemeral public key R (48 bytes) plus the full note secrets (value, secret, blinding) encrypted with the ECDH shared secret. Only the recipient with the matching view private key can decrypt it.

During recovery, the scanner tries both formats for every on-chain event. If either decryption succeeds and the resulting commitment matches, the note is added to the wallet. Nullifier status is checked on-chain to distinguish spendable notes from already-spent ones.

4. VEIL Token Economics

4.1 Fair Launch

VEIL uses a fair launch model with zero pre-mine. No tokens exist at genesis. All 210,000,000 VEIL are minted exclusively through protocol usage and predefined allocations, with 75% earned directly by users (60% privacy pool rewards + 15% LP incentives).

Total Supply

210,000,000

Fixed cap, no inflation

Pre-mine

All earned through usage

Decimals

Same as SUI

4.2 Token Allocation

Privacy Pool Rewards60%

126,000,000 VEILEarned by shielding SUI

Liquidity Incentives15%

31,500,000 VEILEarned by SUI/VEIL LP providers

Development Fund10%

21,000,000 VEIL12-month cliff, 36-month vest

Initial DEX Liquidity10%

21,000,000 VEILSeeds AMM pool at launch

Protocol Treasury5%

10,500,000 VEILGovernance-controlled

4.3 Emission Schedule

The 60% privacy pool allocation (126M VEIL) is distributed through a halving emission schedule. Users earn VEIL proportional to the amount of SUI they shield. The emission rate halves every 6 months across 4 halvings, ending permanently after 24 months.

Months 1-61:1

1 VEIL per 1 SUI shielded

Months 7-120.5:1

0.5 VEIL per 1 SUI shielded

Months 13-180.25:1

0.25 VEIL per 1 SUI shielded

Months 19-240.125:1

0.125 VEIL per 1 SUI shielded

After month 240

Emission ends permanently

Period	Rate	Description
Months 1-6	1:1	1 VEIL per 1 SUI shielded
Months 7-12	0.5:1	0.5 VEIL per 1 SUI shielded
Months 13-18	0.25:1	0.25 VEIL per 1 SUI shielded
Months 19-24	0.125:1	0.125 VEIL per 1 SUI shielded
After month 24	0	Emission ends permanently

4.4 Utility

●Transaction fees - shield and unshield operations require VEIL fee payment

●Governance - VEIL holders vote on protocol parameters: fee rates, supported assets, upgrades

●AMM liquidity - VEIL/SUI trading pair with constant-product swap pool

●Privacy pool incentive - emission rewards attract shielding volume and grow anonymity set

4.5 Fee Structure

Shield

0.1%

SUI to Private SUI

Unshield

0.2%

Private SUI to SUI

Swap

0.3%

SUI/VEIL AMM

Transfer

Gas only

Private to Private

Protocol fees are collected in VEIL on every shield and unshield operation. Fee revenue is used for: buyback and burn (40%), staking rewards (30%), development fund (20%), and treasury reserve (10%).

5. On-Chain Architecture

Veil Protocol is implemented as a suite of Move smart contracts deployed on Sui. The modular design separates concerns across 11 contracts, each handling a specific aspect of the privacy system.

pedersen

Pedersen commitments on BLS12-381 G1 for legacy compatibility

stealth

StealthMeta registration + ECDH on BLS12-381 for automatic note discovery

ring

CLSAG ring signatures with key image double-spend prevention

private_coin

Core private coin type with hidden value and stealth ownership

shield

Privacy pool bridge with fair launch emission integration

veil_token

VEIL token with 210M supply and emission tracking

veil_mint

Shielded minting gateway for VEIL tokens

veil_pool

Private VEIL token pool with ZK verification

veil_swap

Constant-product AMM for SUI/VEIL swaps

merkle

On-chain Merkle tree accumulator for note commitments

zk_verifier

Groth16 proof verification wrapper using sui::groth16

nullifier

Double-spend prevention registry using dynamic fields

private_transfer

2-in 2-out private transfers with ZK proofs

Module	Purpose
pedersen	Pedersen commitments on BLS12-381 G1 for legacy compatibility
stealth	StealthMeta registration + ECDH on BLS12-381 for automatic note discovery
ring	CLSAG ring signatures with key image double-spend prevention
private_coin	Core private coin type with hidden value and stealth ownership
shield	Privacy pool bridge with fair launch emission integration
veil_token	VEIL token with 210M supply and emission tracking
veil_mint	Shielded minting gateway for VEIL tokens
veil_pool	Private VEIL token pool with ZK verification
veil_swap	Constant-product AMM for SUI/VEIL swaps
merkle	On-chain Merkle tree accumulator for note commitments
zk_verifier	Groth16 proof verification wrapper using sui::groth16
nullifier	Double-spend prevention registry using dynamic fields
private_transfer	2-in 2-out private transfers with ZK proofs

Why Sui?

Native ZK verification

Sui's built-in groth16::verify function enables on-chain SNARK verification without external verifiers

BLS12-381 support

Native elliptic curve operations via sui::bls12381 for stealth addresses and legacy primitives

Object model

Private coins as first-class Sui objects with ownership, transfer, and lifecycle semantics

Dynamic fields

O(1) nullifier lookups and key image checks without vector scanning

Parallel execution

Non-conflicting private transactions execute in parallel for high throughput

Move safety

Linear type system prevents coin duplication or destruction outside protocol rules

6. Client SDK

The TypeScript SDK handles all off-chain operations: key management, proof generation, stealth address scanning, note encryption, and transaction construction. It is built on @noble/curves (BLS12-381), @noble/hashes (blake2b, sha256), and circomlibjs (Poseidon hashing).

●Deterministic key derivation from wallet signature: master seed, encryption key, BLS12-381 stealth keys — all recoverable on any device

●Groth16 proof generation via snarkjs WASM for shield, spend, transfer, and insert circuits

●ECDH note discovery — automatic detection of received notes using BLS12-381 key exchange, no manual sharing required

●Dual memo scanning — recovers both self-created (0x01) and received (0x02 ECDH) notes from on-chain events

●Note management with local storage, commitment deduplication, nullifier checking, and automatic UTXO selection

●StealthMeta registration — auto-registers BLS12-381 public keys on-chain so others can send you private transfers

7. Roadmap

Phase 1: Core Protocol

COMPLETEQ1-Q2 2026

✓11 Move contracts deployed to Sui testnet

✓TypeScript SDK with 29/29 crypto tests passing

✓ZK circuits: shield, spend, transfer, insert (Groth16 over BN254)

✓Stealth addresses with ECDH on BLS12-381

✓Private transfers (2-in, 2-out) with nullifier registry

✓VEIL/SUI AMM swap pool (constant-product)

✓Next.js frontend with wallet integration

✓Encrypted note recovery from on-chain events

✓ECDH-based automatic note discovery — recipients find received notes without manual sharing

✓Deterministic key derivation — same wallet recovers all keys and notes on any device

✓Dual memo system (0x01 self-encrypted + 0x02 ECDH) for universal recovery

✓Auto-registration of StealthMeta on-chain for seamless receiving

✓Nullifier-aware recovery that correctly detects spent vs spendable notes

✓E2E integration test passing on testnet

Phase 2: Hardening

IN PROGRESSQ3 2026

◦Groth16 trusted setup ceremony and verifying key deployment

◦Gas optimisation for on-chain proof verification

◦Comprehensive Move test suite (100+ test cases)

◦Stealth address scanning service for background payment detection

◦Frontend polish: transaction status tracking, error handling

◦Public testnet launch with documentation and faucet

Phase 3: Audit & Launch

PLANNEDQ4 2026

◦Independent security audit of Move contracts and ZK circuits

◦Audit remediation and formal verification of balance proofs

◦VEIL token genesis with fair launch emission on mainnet

◦DEX liquidity bootstrapping (Cetus, Turbos)

◦Wallet SDK for third-party dApp integration

◦Mainnet deployment

Phase 4: Growth

PLANNED2027

◦Multi-asset privacy (USDC, USDT on Sui)

◦Selective disclosure for compliance (view key sharing)

◦Governance framework and on-chain voting

◦Cross-chain privacy bridges

◦Second security audit

8. Risks and Mitigations

Regulatory risk

Privacy protocols face regulatory scrutiny. Mitigation: selective disclosure via view keys enables voluntary compliance. Veil provides privacy, not anonymity. Users can prove transaction details to auditors when required.

Cryptographic risk

All primitives are well-studied: Poseidon (2019), Groth16 (2016), BN254 (widely deployed in Ethereum and other systems), Merkle trees (foundational). Multiple security audits are planned before mainnet.

Adoption risk

Privacy pools require critical mass for strong anonymity. Mitigation: the fair launch emission system rewards early shielding, creating a natural incentive to bootstrap the pool. 75% of tokens go to users.

Technical risk

ZK proof generation requires client-side compute. Mitigation: Groth16 proofs are fast to generate (1-3 seconds on modern hardware) and compact to verify on-chain. WASM support enables browser-based proving.

9. Conclusion

Veil Protocol fills a critical gap in Sui's ecosystem by providing production-grade confidential transactions. By combining zero-knowledge proofs with Move's resource safety and Sui's parallel execution, Veil delivers privacy that is cryptographically enforced, composable with existing DeFi, and economically sustainable through the VEIL token's fair launch model.

The fair launch ensures alignment between protocol development and community adoption. No insiders, no pre-mine, no special allocations. Every VEIL token is earned through using the protocol, creating natural incentive alignment from day one.

Privacy is not optional infrastructure. It is foundational. Veil makes it native to Sui.

10. How to Use Veil Protocol

Getting Started

Connect your wallet

Connect any Sui-compatible wallet (Sui Wallet, Suiet, etc.) to the Veil Protocol app.

Initialize privacy keys

Click "Initialize Privacy Keys" on the Dashboard. Your wallet will ask you to sign a message — this derives your privacy keys deterministically. The same wallet always produces the same keys, so you can recover on any device.

Your stealth public keys are automatically registered on-chain as a StealthMeta object. This allows other users to send you private transfers. This only happens once per wallet.

Buying VEIL

Go to the Swap page

Navigate to the Swap page from the top navigation bar.

Enter the amount of SUI to swap

Enter how much SUI you want to convert to private VEIL. The AMM pool will show you the estimated output.

Approve the transaction

The app generates a ZK shield proof (takes a few seconds) and submits the transaction. Your wallet will ask you to approve it. Once confirmed, you'll have a private VEIL note in your wallet.

Sending VEIL Privately

Go to the Transfer page

Navigate to the Transfer page. Your private balance and available notes are shown.

Enter recipient address and amount

Paste the recipient's Sui wallet address (0x...) and enter the amount. The app automatically selects the best notes and calculates change.

Wait for proof generation

The app generates zero-knowledge proofs (15-30 seconds). These proofs verify balance conservation and note validity without revealing any details.

Approve the transaction

Your wallet asks you to approve the on-chain transaction. Once confirmed, the transfer is complete. Neither sender, recipient, nor amount is visible on-chain.

Receiving VEIL

Fully automatic

You don't need to do anything special to receive VEIL. Once you've initialized your privacy keys and your StealthMeta is registered on-chain, anyone can send you VEIL using just your wallet address. The sender encrypts the note details with your public view key using ECDH, so only you can read them.

To see received notes, go to the Recover page and click "Scan & Recover Notes". The scanner checks every on-chain event, tries to decrypt each memo with your view key, and discovers any notes addressed to you. Received notes appear alongside your own change notes.

Recovering Notes on a New Device

Connect the same wallet

Connect the same wallet (same seed phrase / private key) on your new device.

Initialize privacy keys

Click "Initialize Privacy Keys" — the same wallet signature produces the same keys.

Go to the Recover page

Navigate to Recover and click "Scan & Recover Notes". The scanner reads all on-chain events and tries both self-decryption (your change notes) and ECDH decryption (notes received from others).

Import recovered notes

Review the found notes and click Import. Spent notes are automatically detected and excluded from your spendable balance.

Contract Addresses

Package

0xfc7b8797d67b83ebf5a6858243e1fda8bdc6ed1d3faffd81f5404e5db33d0a01

Privacy Pool (SUI)

0xa1d2d1f00bc969cbc74bc85cf2c2afdb6a64448a6349ed86c3b2cb273c39f19a

VEIL Treasury

0x8ef0de34552cbcccda76ff7366136454ce0c272383a6627b1d8f9994288d092b

Swap Pool

0x3e3d32770a78de1835bb112885628f42c34fe7d0df823876ad6a5768f5693f2d

Verifying Keys

0x0908584ac7b7ca8390c2278e82bd6312e4291478f146c6c1b79565a2807f15db

All contracts deployed on Sui Testnet. Mainnet deployment pending security audit.

Veil Protocol - Built by All Too Human Limited, New Zealand

Open source (Apache 2.0) - github.com/NavtejDhillon/veil