Introduction

Gyze is an open privacy layer for Robinhood Chain, validated on commodity hardware.

What is Gyze?

Robinhood Chain is an Arbitrum Orbit Layer 2 with 100 ms blocks that settles to Ethereum and carries tokenized stocks and stablecoins, 24/7. Everything on it is public: balances, positions, counterparties. Gyze adds an opt-in shielded pool on top. Assets bridge into the pool, move privately between owners, and withdraw back to a normal Robinhood Chain address.

Privacy comes from Groth16 zero-knowledge proofs over BLS12-381. Proofs are generated on the user's own device; a small BFT cohort of validators only verifies them — about ten milliseconds per proof on a single CPU core. Any laptop can carry the network.

Two primitives

  • Private payments — a shielded pool with Groth16 proofs. Range-proven u64 values, Poseidon commitments, expiry-bound withdrawals.
  • Private compute (alpha) — WASM jobs verified by the same BFT cohort. Encrypted I/O via AES-256-GCM, outputs bound to ownership proofs.

Why commodity hardware?

A Groth16 proof verifies in roughly ten milliseconds on one CPU core. Validators never generate proofs — that stays client-side — so there is no GPU requirement and no specialized hardware. Decentralization is cheap when the work is cheap.

Economic model

There is no Gyze token and withdrawal fees do not flow to a founder account. Fees are credited to the leading validator's pending_rewards and claimed on-chain. Four instructions define the whole economy:

  • register_validator — stake the bond, join the registry
  • distribute_fee — credit the epoch's fees to the leader
  • claim_rewards — withdraw earned ETH
  • slash_validator — burn bond on provable fault

What's anchored on Robinhood Chain

  • Bridge contract — merkle root of the note tree, nullifier records, replay protection
  • Validator registry — registration, stake, reputation
  • BFT checkpoints — 7-of-10 default threshold, configurable per network
  • MPC transcript — BGM17 phase-2 ceremony with a verifiable, notarized transcript

Status

v0.5.0-rc5 — pre-mainnet. External audit pending, MPC ceremony in progress. Testnet is live.
MetricValue
Lines of Rust~33,000
Tests passing407
Proof verify time~10 ms / proof
Proof size192 bytes
Default BFT threshold7 of 10
Coordinator HAactive/passive failover, <30 s RTO
SettlementRobinhood Chain (chain id 4663)
LicenseMIT

Vision

Tokenized finance should not mean surrendering financial privacy.

Robinhood Chain moves real financial life on-chain: stock tokens, stablecoin balances, around-the-clock trading in 120+ countries with self-custody. That is a huge step forward — and it makes every position, salary, and counterparty publicly linkable forever.

Gyze's position is simple: privacy should be a property of the settlement layer, not a service you rent. So the design rules are strict:

  • No new token. Fees are paid and earned in ETH.
  • No founder cut. 100% of protocol fees go to validators.
  • No special hardware. If it doesn't run on a Raspberry Pi, it doesn't ship.
  • No trust-me components. MIT source, signed reproducible builds, public MPC transcript.

The goal is not anonymity from regulators — withdrawals are expiry-bound and the pool supports viewing keys for selective disclosure. The goal is that your competitor, your employer, and strangers on an explorer cannot read your balance sheet.

Quick start

Deposit, transfer privately, withdraw — in five minutes on testnet.

1 · Install the CLI

curl -L https://get.gyze.xyz/install.sh | sh
gyze --version   # gyze 0.5.0-rc5

2 · Create a wallet

gyze wallet new --network rh-testnet
gyze faucet request        # 1 ETH every 6 hours on testnet

3 · Shield funds

Deposit moves ETH from your public Robinhood Chain address into the shielded pool. Your device generates the proof; the cohort verifies it in ~10 ms.

gyze shield deposit --amount 0.25eth
# note committed · merkle root updated · anchored on RH Chain

4 · Transfer privately

Recipients are addressed by their shielded address (gyze1…). The transfer reveals nothing on-chain: not sender, not recipient, not amount.

gyze shield send --to gyze1q8k...x2fj --amount 0.1eth

5 · Withdraw

gyze shield withdraw --amount 0.1eth --to 0xYourRHChainAddress
Tip: withdrawals are expiry-bound — the proof commits to a deadline block, so a stale withdrawal can never be replayed later.

Installation

Signed binaries, cargo, or build from source.

Install script (recommended)

curl -L https://get.gyze.xyz/install.sh | sh

Detects your platform (Linux x86_64/ARM64, macOS Intel/Apple Silicon), downloads the release binary, and verifies its SHA-256 checksum before installing to ~/.gyze/bin.

Cargo

cargo install gyze-cli

From source

git clone https://github.com/gyze-labs/gyze
cd gyzeai
cargo build --release --bin gyze

Verify the release

Every release ships with SHA-256 checksums, a CycloneDX SBOM, and Sigstore signatures:

sha256sum -c gyze-0.5.0-rc5-checksums.txt
cosign verify-blob --bundle gyze.sigstore.json gyze

Architecture

Four layers, one settlement root on Robinhood Chain.

LayerRuns whereDoes what
Client proveruser devicebuilds notes, generates Groth16 proofs
CoordinatorHA pairorders transactions, assembles blocks
Validator cohort10 nodes (7-of-10)verifies proofs, votes, checkpoints
SettlementRobinhood Chainbridge, registry, nullifiers, finality

Transaction lifecycle

  1. The user's device builds a shielded transaction and proves it (Groth16, ~1–3 s on a phone-class CPU).
  2. The coordinator sequences it into a block and broadcasts to the cohort.
  3. Each validator verifies every proof (~10 ms each) and signs a vote.
  4. At 7-of-10 signatures the block is final within Gyze; the checkpoint (new merkle root + nullifier batch) is posted to the settlement contract on Robinhood Chain.
  5. Robinhood Chain settles to Ethereum — so Gyze inherits Ethereum-grade finality at the root.

Trust model

The cohort can censor (liveness) but cannot steal or forge (safety): every state transition requires a valid proof, and the contract on Robinhood Chain rejects checkpoints that don't verify against the previous root. Worst case for users is exit-to-L2 via the escape hatch in the bridge contract.

Privacy layer

Notes, commitments, nullifiers — the standard shielded-pool construction, tuned for cheap verification.

Notes

Value in the pool lives in notes: (value: u64, owner_pk, salt). A note is published only as a Poseidon commitment, so nothing about it is readable on-chain.

Commitment tree

Commitments append to an incremental merkle tree (depth 32, Poseidon hashing). Only the root is anchored on Robinhood Chain. Spending a note proves membership against a recent root without revealing which leaf.

Nullifiers

Spending publishes a deterministic nullifier — a PRF of the note and owner key. The settlement contract stores nullifiers forever; a doubly spent note is rejected at the contract level, not by validator honesty.

Range proofs

Every output value is proven to fit in u64 via a lookup-based circuit, so balance conservation (Σ in = Σ out + fee) can't be gamed with field overflow.

Viewing keys

Each shielded address has a derivable viewing key. Share it with an accountant or auditor to grant read-only visibility into your history — selective disclosure without breaking the pool's anonymity for anyone else.

Shielded transfers

2 inputs, 3 outputs, one 192-byte proof.

Every transfer consumes up to 2 notes and creates up to 3 (recipient, change, fee). The fixed shape means one circuit, one verifying key, and uniform ~10 ms verification.

What the proof shows

  • Input notes exist in the tree (membership against a recent root)
  • The spender owns them (signature under the owner key inside the circuit)
  • Nullifiers are correctly derived
  • Values balance and each output is range-proven u64

What the chain sees

{ proof: 192 bytes, root, nullifiers[2], commitments[3], enc_notes[3] }

No sender, no recipient, no amounts.

Encrypted delivery

Output notes are encrypted to the recipient's key and gossiped with the block. Wallets trial-decrypt new blocks in the background — receiving a private payment requires no interaction and leaves no network trace pointing at the recipient.

Consensus

Small-cohort BFT with reputation-weighted leadership and provable-fault slashing.

Cohort

Blocks finalize with 7-of-10 validator signatures (threshold configurable per network). Cohort membership rotates each epoch from the on-chain registry, weighted by reputation.

Reputation

Uptime and vote participation feed a 30-day EWMA. Reputation determines leader selection probability — leaders earn the epoch's fees, so consistent uptime is the whole earnings game.

Slashing

  • Equivocation — two signed votes for conflicting blocks at the same height. Proof is two signatures; anyone can submit it.
  • Liveness fault — missing a protocol-defined participation window.

There is no discretionary slashing and no admin path to a validator's bond.

Checkpointing

Every finalized block posts a checkpoint (root, nullifier batch, signature bitmap) to the settlement contract on Robinhood Chain. The contract independently verifies the aggregate signature — a dishonest supermajority still cannot forge state the contract will accept without valid proofs.

Compute layer alpha

Private WASM jobs, verified by the same cohort that verifies payments.

Beyond payments, Gyze can run small deterministic WASM programs whose inputs and outputs are private. Think of it as a shielded job queue: submit an encrypted job, the cohort executes and attests, you decrypt the result.

  • Encrypted I/O — inputs and outputs sealed with AES-256-GCM to the submitter's key.
  • Deterministic WASM — metered, no ambient I/O, identical results across the cohort.
  • Ownership-bound outputs — results can mint shielded notes bound to an ownership proof, so a job can pay its submitter privately.
Alpha: the compute layer is testnet-only and its interfaces will change. Payments do not depend on it.

Comparison

Where Gyze sits relative to the usual options.

GyzeMixer-style poolsPrivacy L2s (generic)Plain Robinhood Chain
Hides amountsyesfixed denominationsyesno
Hides recipientyespartiallyyesno
Private transfers inside poolyesno — deposit/withdraw onlyyes
New token requirednovariesusuallyno
Validator hardwarelaptop / RPin/aprovers need GPUsn/a
Selective disclosureviewing keysnovarieseverything public
SettlementRobinhood Chain → Ethereumhost chainown bridgeEthereum

The key differences: Gyze supports transfers inside the pool (not just in/out), keeps verification cheap enough for commodity validators, and adds no token or new trust assumptions beyond its cohort — safety is enforced by the contract on Robinhood Chain.

Fees & rewards

No token. ETH in, ETH out, validators keep everything.

There is no Gyze token — and there will not be one. Fees are denominated in ETH on Robinhood Chain.

Fee schedule

ActionFeeGoes to
Deposit (shield)RH Chain gas only
Shielded transferflat, protocol-setepoch leader
Withdraw (unshield)0.1% of valueepoch leader
Compute job (alpha)metered per instructionexecuting cohort

Distribution

Fees accrue to the epoch leader's pending_rewards in the validator registry and are withdrawn with claim_rewards. Leadership rotates by reputation-weighted selection, so long-run earnings track uptime.

Bond

0.5 ETH per validator, slashable only on provable fault (see Consensus). Exiting cleanly returns the full bond after a one-epoch cooldown.

Robinhood Chain bridge

One settlement contract anchors the entire pool.

The contract

The bridge on Robinhood Chain (chain id 4663) holds pool funds and stores three things:

  • the current merkle root of the commitment tree (plus a window of recent roots)
  • the nullifier set — every spent note, forever
  • the cohort's checkpoint signatures, verified on-chain

Deposit

deposit(commitment) transfers ETH into the contract and appends the commitment. From the public side, all deposits look identical.

Withdraw

withdraw(proof, nullifier, recipient, amount, expiry) verifies the Groth16 proof directly in the contract, checks the nullifier is fresh, checks block.number ≤ expiry, and pays out. Replay is impossible: the nullifier is recorded and the expiry bounds stale proofs.

Finality chain

Gyze block  (7-of-10 BFT, ~1 s)
  → Robinhood Chain  (100 ms blocks, Arbitrum Orbit)
    → Ethereum  (settlement root)

Escape hatch

If the cohort halts, any user can exit directly against the contract with a proof against the last anchored root — no validator cooperation required.

API reference

CLI commands and the JSON-RPC surface.

CLI

CommandDescription
gyze wallet new | balance | exportkey management, shielded address derivation
gyze shield deposit | send | withdrawpool operations
gyze shield history --viewing-keydecrypt your own history (or one shared with you)
gyze validator register | run | exitvalidator lifecycle
gyze compute submit | status | resultcompute layer (alpha)
gyze faucet requesttestnet ETH

JSON-RPC (coordinator)

MethodReturns
gyze_getRootcurrent commitment-tree root
gyze_getWitness(commitment)merkle path for proving
gyze_submitTx(tx)tx hash after cohort acceptance
gyze_getBlock(height)block with encrypted notes for trial decryption
gyze_statusheight, cohort, RH Chain anchor tx

Rust crate

# Cargo.toml
gyze-core = "0.5"

The crate exposes note construction, proving, and RPC clients — everything the CLI uses.

Validator guide

Hardware, registration, and day-2 operations.

The short version lives on the Validators page: 2 cores, 4 GB RAM, 100 GB SSD, 0.5 ETH bond, four commands to go live. This page covers operations.

systemd unit

[Unit]
Description=Gyze validator
After=network-online.target

[Service]
ExecStart=%h/.gyze/bin/gyze validator run
Restart=always
RestartSec=5

[Install]
WantedBy=default.target

Key handling

  • The consensus key stays on the node; it can only sign votes.
  • The reward key (which claims ETH) should live in a separate wallet — cold if possible. Set it at registration with --reward-address.

Upgrades

Releases are backward-compatible within a minor version. Upgrade by replacing the binary and restarting — state is rebuilt from Robinhood Chain checkpoints if local state is stale.

Exiting

gyze validator exit   # bond returns after one epoch cooldown

MPC ceremony

One honest participant secures the system.

Gyze's Groth16 circuits need a one-time BGM17 phase-2 ceremony to produce proving and verifying keys. If at least one contributor destroys their randomness, the setup is sound.

Contribute

  1. Install: cargo install gyze-ceremony
  2. Run gyze-ceremony contribute on an air-gapped machine.
  3. Upload the transcript, sign it with your GitHub key, then destroy the entropy file (or the machine, if you're feeling thorough).

Verify

Every contribution appends to a hash-chained public transcript, notarized on Robinhood Chain. Anyone can check the full chain:

gyze-ceremony verify   # transcript ok · 0 gaps · anchored @ RH Chain

Full details on the ceremony page.

Networking

Gossip for blocks and notes, direct links for votes.

PortProtocolPurpose
7070/tcplibp2p (noise)block + encrypted-note gossip
7071/tcpQUICcohort voting mesh (validators only)
8545/tcpJSON-RPCcoordinator API (optional, local by default)

NAT

Outbound-only nodes work: the gossip layer supports relay and hole-punching. For best reputation scores, forward 7070 and 7071 so peers can dial you directly.

Bandwidth

Sustained usage is ~10 Mb/s: blocks are small (proofs are 192 bytes) — most traffic is encrypted note gyzetexts for trial decryption.

Coordinator HA

Active/passive failover with <30 s RTO.

The coordinator orders transactions but holds no funds and cannot forge state — it is a liveness component. It runs as an active/passive pair:

  • The active node holds a lease renewed every 5 s in the cohort's replicated state.
  • If the lease lapses, the passive node takes over; recovery time objective is under 30 seconds.
  • In-flight transactions are re-submitted by wallets automatically (submissions are idempotent by tx hash).

If both coordinators fail, validators continue checkpointing the last finalized state and users can still exit via the bridge escape hatch — coordinator loss never risks funds.

Monitoring

Prometheus metrics on :9615, ready-made Grafana dashboard.

gyze validator run --metrics 0.0.0.0:9615

Key metrics

MetricWatch for
gyze_proof_verify_msp99 creeping past ~15 ms → CPU contention
gyze_votes_missed_totalany growth → connectivity, hurts reputation
gyze_cohort_peersshould equal cohort size − 1
gyze_anchor_lag_blockscheckpoints falling behind Robinhood Chain head
gyze_reputation_ewmayour slice of future leader slots

A Grafana dashboard JSON ships in contrib/grafana/. Alert on missed votes and anchor lag first — those are the two that cost you money.

Releases & supply chain

Reproducible builds, signed artifacts, verifiable from source to binary.

  • Reproducible builds — pinned toolchain; the same commit yields byte-identical binaries.
  • SHA-256 checksums — published with every release.
  • Sigstore signatures — keyless signing tied to the CI identity of the release workflow.
  • CycloneDX SBOM — full dependency inventory per release.

Verify before you run

sha256sum -c gyze-0.5.0-rc5-checksums.txt
cosign verify-blob --bundle gyze.sigstore.json gyze
# Verified OK
Policy: nothing executable is distributed outside GitHub Releases. If you got a Gyze binary anywhere else, don't run it.

Developer guide

Integrate shielded payments via the CLI or the gyze-core crate.

Shell out to the CLI

Simplest path for any language — every command supports --json:

gyze shield send --to gyze1q8k...x2fj --amount 0.1eth --json
# {"tx":"0x91ab...","status":"final","verify_ms":9.7}

Rust

use gyze_core::{Wallet, Pool};

let wallet = Wallet::load("~/.gyze/wallet.json")?;
let pool = Pool::connect("https://rpc.gyze.xyz")?;

let tx = wallet.shielded_send(&pool, recipient, eth("0.1"))?;
tx.wait_final()?;   // 7-of-10 signed + anchored on RH Chain

Watching for payments

Subscribe to blocks and trial-decrypt with your viewing key:

for note in pool.subscribe_notes(wallet.viewing_key()) {
    println!("received {} wei", note.value);
}

Testing

gyze dev localnet spins up a 4-node cohort plus a local Robinhood Chain fork — the full stack on one machine, funded test accounts included.

Use cases

What private settlement on Robinhood Chain is actually for.

Private payroll

Pay a team in stablecoins on Robinhood Chain without publishing everyone's salary to the block explorer. Employees withdraw to their public address whenever they choose.

OTC settlement

Two parties settle a negotiated trade inside the pool — size and counterparty stay off the tape, avoiding the front-running that follows large visible transfers.

Treasury management

A company holding tokenized assets can rebalance without signalling strategy. Viewing keys give the auditor full history; the market sees nothing.

Personal privacy

Robinhood Chain gives self-custody to users in 120+ countries. Gyze makes self-custody safe to use in public: your address no longer doubles as a public statement of net worth.

Compliance-compatible disclosure

Every use case above works with selective disclosure — viewing keys and expiry-bound withdrawals mean privacy from the public, not from your own auditors or obligations.