Skip to main content

Introduction

Tornado Nova uses zero-knowledge circuits written in Circom to enable private transactions. These circuits generate zk-SNARK proofs that validate transaction correctness without revealing sensitive information like amounts, recipients, or transaction history.

Circuit Architecture

The circuit system is composed of several modular components:

Core Components

1

Transaction Circuits

Universal JoinSplit circuits that support either 2 or 16 inputs with 2 outputs. These handle the main transaction logic including commitment verification, nullifier generation, and amount invariants.
2

Merkle Proof Circuits

Cryptographic proof circuits that verify a UTXO commitment exists in the Merkle tree without revealing which specific UTXO it is.
3

Keypair Circuits

Simple hash-based keypair generation and signature schemes used for UTXO ownership proof.

UTXO Model

Tornado Nova implements a UTXO (Unspent Transaction Output) model similar to Bitcoin. Each UTXO contains: 
Utxo structure:
{
    amount,      // Value of the UTXO
    pubkey,      // Owner's public key
    blinding,    // Random number for privacy
}

Cryptographic Primitives

Commitments: Hide UTXO details while allowing verification 
commitment = hash(amount, pubKey, blinding)
Nullifiers: Prevent double-spending without revealing which UTXO was spent 
nullifier = hash(commitment, merklePath, sign(privKey, commitment, merklePath))
All hash functions use Poseidon, a ZK-friendly hash function optimized for efficient circuit representation.

Circuit Parameters

The circuits use the following key parameters:
ParameterValueDescription
Merkle Tree Levels5Supports up to 32 UTXOs (2^5)
Input Variants2 or 16Number of input UTXOs per transaction
Outputs2Number of output UTXOs per transaction
Zero Leafkeccak256("tornado") % FIELD_SIZEDefault value for empty tree positions
The zero leaf value must match between the circuit and smart contract: 21663839004416932945382355908790599225266501822907911457504978515578255421292

Privacy Guarantees

The circuits ensure:
  • Anonymity: Transactions cannot be linked to specific users
  • Confidentiality: Transaction amounts remain private
  • Unlinkability: Input and output UTXOs cannot be correlated
  • Non-interactivity: No interaction required between sender and receiver

Next Steps

Transaction Circuits

Learn about the 2 and 16 input transaction circuit variants

Merkle Proofs

Understand how Merkle proof verification works in circuits

Build docs developers (and LLMs) love

Get started for freeTalk to us