Introduction
Gyze is an open privacy layer for Robinhood Chain, validated on commodity hardware.
What is Gyze?
Robinhood Chain is an Arbitrum Orbit Layer 2 with 100 ms blocks that settles to Ethereum
and carries tokenized stocks and stablecoins, 24/7. Everything on it is public: balances,
positions, counterparties. Gyze adds an opt-in shielded pool on top. Assets bridge into
the pool, move privately between owners, and withdraw back to a normal Robinhood Chain address.
Privacy comes from Groth16 zero-knowledge proofs over BLS12-381. Proofs are generated on
the user's own device; a small BFT cohort of validators only verifies them — about
ten milliseconds per proof on a single CPU core. Any laptop can carry the network.
Two primitives
- Private payments — a shielded pool with Groth16 proofs. Range-proven u64 values, Poseidon commitments, expiry-bound withdrawals.
- Private compute (alpha) — WASM jobs verified by the same BFT cohort. Encrypted I/O via AES-256-GCM, outputs bound to ownership proofs.
Why commodity hardware?
A Groth16 proof verifies in roughly ten milliseconds on one CPU core. Validators never
generate proofs — that stays client-side — so there is no GPU requirement and no
specialized hardware. Decentralization is cheap when the work is cheap.
Economic model
There is no Gyze token and withdrawal fees do not flow to a founder account. Fees are
credited to the leading validator's pending_rewards and claimed
on-chain. Four instructions define the whole economy:
register_validator — stake the bond, join the registry
distribute_fee — credit the epoch's fees to the leader
claim_rewards — withdraw earned ETH
slash_validator — burn bond on provable fault
What's anchored on Robinhood Chain
- Bridge contract — merkle root of the note tree, nullifier records, replay protection
- Validator registry — registration, stake, reputation
- BFT checkpoints — 7-of-10 default threshold, configurable per network
- MPC transcript — BGM17 phase-2 ceremony with a verifiable, notarized transcript
Status
v0.5.0-rc5 — pre-mainnet. External audit pending, MPC ceremony in progress. Testnet is live.
| Metric | Value |
| Lines of Rust | ~33,000 |
| Tests passing | 407 |
| Proof verify time | ~10 ms / proof |
| Proof size | 192 bytes |
| Default BFT threshold | 7 of 10 |
| Coordinator HA | active/passive failover, <30 s RTO |
| Settlement | Robinhood Chain (chain id 4663) |
| License | MIT |
Vision
Tokenized finance should not mean surrendering financial privacy.
Robinhood Chain moves real financial life on-chain: stock tokens, stablecoin balances,
around-the-clock trading in 120+ countries with self-custody. That is a huge step forward —
and it makes every position, salary, and counterparty publicly linkable forever.
Gyze's position is simple: privacy should be a property of the settlement layer, not a
service you rent. So the design rules are strict:
- No new token. Fees are paid and earned in ETH.
- No founder cut. 100% of protocol fees go to validators.
- No special hardware. If it doesn't run on a Raspberry Pi, it doesn't ship.
- No trust-me components. MIT source, signed reproducible builds, public MPC transcript.
The goal is not anonymity from regulators — withdrawals are expiry-bound and the pool
supports viewing keys for selective disclosure. The goal is that your competitor, your
employer, and strangers on an explorer cannot read your balance sheet.
Quick start
Deposit, transfer privately, withdraw — in five minutes on testnet.
1 · Install the CLI
curl -L https://get.gyze.xyz/install.sh | sh
gyze --version # gyze 0.5.0-rc5
2 · Create a wallet
gyze wallet new --network rh-testnet
gyze faucet request # 1 ETH every 6 hours on testnet
3 · Shield funds
Deposit moves ETH from your public Robinhood Chain address into the shielded pool. Your device generates the proof; the cohort verifies it in ~10 ms.
gyze shield deposit --amount 0.25eth
# note committed · merkle root updated · anchored on RH Chain
4 · Transfer privately
Recipients are addressed by their shielded address (gyze1…). The transfer reveals nothing on-chain: not sender, not recipient, not amount.
gyze shield send --to gyze1q8k...x2fj --amount 0.1eth
5 · Withdraw
gyze shield withdraw --amount 0.1eth --to 0xYourRHChainAddress
Tip: withdrawals are expiry-bound — the proof commits to a deadline block, so a stale withdrawal can never be replayed later.
Installation
Signed binaries, cargo, or build from source.
Install script (recommended)
curl -L https://get.gyze.xyz/install.sh | sh
Detects your platform (Linux x86_64/ARM64, macOS Intel/Apple Silicon), downloads the release binary, and verifies its SHA-256 checksum before installing to ~/.gyze/bin.
Cargo
cargo install gyze-cli
From source
git clone https://github.com/gyze-labs/gyze
cd gyzeai
cargo build --release --bin gyze
Verify the release
Every release ships with SHA-256 checksums, a CycloneDX SBOM, and Sigstore signatures:
sha256sum -c gyze-0.5.0-rc5-checksums.txt
cosign verify-blob --bundle gyze.sigstore.json gyze
Architecture
Four layers, one settlement root on Robinhood Chain.
| Layer | Runs where | Does what |
| Client prover | user device | builds notes, generates Groth16 proofs |
| Coordinator | HA pair | orders transactions, assembles blocks |
| Validator cohort | 10 nodes (7-of-10) | verifies proofs, votes, checkpoints |
| Settlement | Robinhood Chain | bridge, registry, nullifiers, finality |
Transaction lifecycle
- The user's device builds a shielded transaction and proves it (Groth16, ~1–3 s on a phone-class CPU).
- The coordinator sequences it into a block and broadcasts to the cohort.
- Each validator verifies every proof (~10 ms each) and signs a vote.
- At 7-of-10 signatures the block is final within Gyze; the checkpoint (new merkle root + nullifier batch) is posted to the settlement contract on Robinhood Chain.
- Robinhood Chain settles to Ethereum — so Gyze inherits Ethereum-grade finality at the root.
Trust model
The cohort can censor (liveness) but cannot steal or forge (safety): every state transition
requires a valid proof, and the contract on Robinhood Chain rejects checkpoints that don't
verify against the previous root. Worst case for users is exit-to-L2 via the escape hatch in
the bridge contract.
Privacy layer
Notes, commitments, nullifiers — the standard shielded-pool construction, tuned for cheap verification.
Notes
Value in the pool lives in notes: (value: u64, owner_pk, salt).
A note is published only as a Poseidon commitment, so nothing about it is readable on-chain.
Commitment tree
Commitments append to an incremental merkle tree (depth 32, Poseidon hashing). Only the root
is anchored on Robinhood Chain. Spending a note proves membership against a recent root
without revealing which leaf.
Nullifiers
Spending publishes a deterministic nullifier — a PRF of the note and owner key. The
settlement contract stores nullifiers forever; a doubly spent note is rejected at the
contract level, not by validator honesty.
Range proofs
Every output value is proven to fit in u64 via a lookup-based circuit, so balance
conservation (Σ in = Σ out + fee) can't be gamed with field
overflow.
Viewing keys
Each shielded address has a derivable viewing key. Share it with an accountant or auditor
to grant read-only visibility into your history — selective disclosure without breaking the
pool's anonymity for anyone else.
Shielded transfers
2 inputs, 3 outputs, one 192-byte proof.
Every transfer consumes up to 2 notes and creates up to 3 (recipient, change, fee). The fixed shape means one circuit, one verifying key, and uniform ~10 ms verification.
What the proof shows
- Input notes exist in the tree (membership against a recent root)
- The spender owns them (signature under the owner key inside the circuit)
- Nullifiers are correctly derived
- Values balance and each output is range-proven u64
What the chain sees
{ proof: 192 bytes, root, nullifiers[2], commitments[3], enc_notes[3] }
No sender, no recipient, no amounts.
Encrypted delivery
Output notes are encrypted to the recipient's key and gossiped with the block. Wallets
trial-decrypt new blocks in the background — receiving a private payment requires no
interaction and leaves no network trace pointing at the recipient.
Consensus
Small-cohort BFT with reputation-weighted leadership and provable-fault slashing.
Cohort
Blocks finalize with 7-of-10 validator signatures (threshold configurable per network).
Cohort membership rotates each epoch from the on-chain registry, weighted by reputation.
Reputation
Uptime and vote participation feed a 30-day EWMA. Reputation determines leader selection
probability — leaders earn the epoch's fees, so consistent uptime is the whole earnings game.
Slashing
- Equivocation — two signed votes for conflicting blocks at the same height. Proof is two signatures; anyone can submit it.
- Liveness fault — missing a protocol-defined participation window.
There is no discretionary slashing and no admin path to a validator's bond.
Checkpointing
Every finalized block posts a checkpoint (root, nullifier batch, signature bitmap) to the
settlement contract on Robinhood Chain. The contract independently verifies the aggregate
signature — a dishonest supermajority still cannot forge state the contract will accept
without valid proofs.
Compute layer alpha
Private WASM jobs, verified by the same cohort that verifies payments.
Beyond payments, Gyze can run small deterministic WASM programs whose inputs and outputs
are private. Think of it as a shielded job queue: submit an encrypted job, the cohort
executes and attests, you decrypt the result.
- Encrypted I/O — inputs and outputs sealed with AES-256-GCM to the submitter's key.
- Deterministic WASM — metered, no ambient I/O, identical results across the cohort.
- Ownership-bound outputs — results can mint shielded notes bound to an ownership proof, so a job can pay its submitter privately.
Alpha: the compute layer is testnet-only and its interfaces will change. Payments do not depend on it.
Comparison
Where Gyze sits relative to the usual options.
| Gyze | Mixer-style pools | Privacy L2s (generic) | Plain Robinhood Chain |
| Hides amounts | yes | fixed denominations | yes | no |
| Hides recipient | yes | partially | yes | no |
| Private transfers inside pool | yes | no — deposit/withdraw only | yes | — |
| New token required | no | varies | usually | no |
| Validator hardware | laptop / RPi | n/a | provers need GPUs | n/a |
| Selective disclosure | viewing keys | no | varies | everything public |
| Settlement | Robinhood Chain → Ethereum | host chain | own bridge | Ethereum |
The key differences: Gyze supports transfers inside the pool (not just in/out),
keeps verification cheap enough for commodity validators, and adds no token or new trust
assumptions beyond its cohort — safety is enforced by the contract on Robinhood Chain.
Fees & rewards
No token. ETH in, ETH out, validators keep everything.
There is no Gyze token — and there will not be one. Fees are denominated in ETH on Robinhood Chain.
Fee schedule
| Action | Fee | Goes to |
| Deposit (shield) | RH Chain gas only | — |
| Shielded transfer | flat, protocol-set | epoch leader |
| Withdraw (unshield) | 0.1% of value | epoch leader |
| Compute job (alpha) | metered per instruction | executing cohort |
Distribution
Fees accrue to the epoch leader's pending_rewards in the
validator registry and are withdrawn with claim_rewards.
Leadership rotates by reputation-weighted selection, so long-run earnings track uptime.
Bond
0.5 ETH per validator, slashable only on provable fault (see Consensus).
Exiting cleanly returns the full bond after a one-epoch cooldown.
Robinhood Chain bridge
One settlement contract anchors the entire pool.
The contract
The bridge on Robinhood Chain (chain id 4663) holds pool funds and stores three things:
- the current merkle root of the commitment tree (plus a window of recent roots)
- the nullifier set — every spent note, forever
- the cohort's checkpoint signatures, verified on-chain
Deposit
deposit(commitment) transfers ETH into the contract and appends
the commitment. From the public side, all deposits look identical.
Withdraw
withdraw(proof, nullifier, recipient, amount, expiry) verifies
the Groth16 proof directly in the contract, checks the nullifier is fresh, checks
block.number ≤ expiry, and pays out. Replay is impossible:
the nullifier is recorded and the expiry bounds stale proofs.
Finality chain
Gyze block (7-of-10 BFT, ~1 s)
→ Robinhood Chain (100 ms blocks, Arbitrum Orbit)
→ Ethereum (settlement root)
Escape hatch
If the cohort halts, any user can exit directly against the contract with a proof against
the last anchored root — no validator cooperation required.
API reference
CLI commands and the JSON-RPC surface.
CLI
| Command | Description |
| gyze wallet new | balance | export | key management, shielded address derivation |
| gyze shield deposit | send | withdraw | pool operations |
| gyze shield history --viewing-key | decrypt your own history (or one shared with you) |
| gyze validator register | run | exit | validator lifecycle |
| gyze compute submit | status | result | compute layer (alpha) |
| gyze faucet request | testnet ETH |
JSON-RPC (coordinator)
| Method | Returns |
| gyze_getRoot | current commitment-tree root |
| gyze_getWitness(commitment) | merkle path for proving |
| gyze_submitTx(tx) | tx hash after cohort acceptance |
| gyze_getBlock(height) | block with encrypted notes for trial decryption |
| gyze_status | height, cohort, RH Chain anchor tx |
Rust crate
# Cargo.toml
gyze-core = "0.5"
The crate exposes note construction, proving, and RPC clients — everything the CLI uses.
Validator guide
Hardware, registration, and day-2 operations.
The short version lives on the Validators page: 2 cores, 4 GB RAM, 100 GB SSD, 0.5 ETH bond, four commands to go live. This page covers operations.
systemd unit
[Unit]
Description=Gyze validator
After=network-online.target
[Service]
ExecStart=%h/.gyze/bin/gyze validator run
Restart=always
RestartSec=5
[Install]
WantedBy=default.target
Key handling
- The consensus key stays on the node; it can only sign votes.
- The reward key (which claims ETH) should live in a separate wallet — cold if possible. Set it at registration with
--reward-address.
Upgrades
Releases are backward-compatible within a minor version. Upgrade by replacing the binary and restarting — state is rebuilt from Robinhood Chain checkpoints if local state is stale.
Exiting
gyze validator exit # bond returns after one epoch cooldown
MPC ceremony
One honest participant secures the system.
Gyze's Groth16 circuits need a one-time BGM17 phase-2 ceremony to produce proving and
verifying keys. If at least one contributor destroys their randomness, the setup is sound.
Contribute
- Install:
cargo install gyze-ceremony
- Run
gyze-ceremony contribute on an air-gapped machine.
- Upload the transcript, sign it with your GitHub key, then destroy the entropy file (or the machine, if you're feeling thorough).
Verify
Every contribution appends to a hash-chained public transcript, notarized on Robinhood
Chain. Anyone can check the full chain:
gyze-ceremony verify # transcript ok · 0 gaps · anchored @ RH Chain
Full details on the ceremony page.
Networking
Gossip for blocks and notes, direct links for votes.
| Port | Protocol | Purpose |
| 7070/tcp | libp2p (noise) | block + encrypted-note gossip |
| 7071/tcp | QUIC | cohort voting mesh (validators only) |
| 8545/tcp | JSON-RPC | coordinator API (optional, local by default) |
NAT
Outbound-only nodes work: the gossip layer supports relay and hole-punching. For best
reputation scores, forward 7070 and 7071 so peers can dial you directly.
Bandwidth
Sustained usage is ~10 Mb/s: blocks are small (proofs are 192 bytes) — most traffic is encrypted note gyzetexts for trial decryption.
Coordinator HA
Active/passive failover with <30 s RTO.
The coordinator orders transactions but holds no funds and cannot forge state — it is a
liveness component. It runs as an active/passive pair:
- The active node holds a lease renewed every 5 s in the cohort's replicated state.
- If the lease lapses, the passive node takes over; recovery time objective is under 30 seconds.
- In-flight transactions are re-submitted by wallets automatically (submissions are idempotent by tx hash).
If both coordinators fail, validators continue checkpointing the last finalized state and
users can still exit via the bridge escape hatch — coordinator loss never risks funds.
Monitoring
Prometheus metrics on :9615, ready-made Grafana dashboard.
gyze validator run --metrics 0.0.0.0:9615
Key metrics
| Metric | Watch for |
| gyze_proof_verify_ms | p99 creeping past ~15 ms → CPU contention |
| gyze_votes_missed_total | any growth → connectivity, hurts reputation |
| gyze_cohort_peers | should equal cohort size − 1 |
| gyze_anchor_lag_blocks | checkpoints falling behind Robinhood Chain head |
| gyze_reputation_ewma | your slice of future leader slots |
A Grafana dashboard JSON ships in contrib/grafana/. Alert on missed votes and anchor lag first — those are the two that cost you money.
Releases & supply chain
Reproducible builds, signed artifacts, verifiable from source to binary.
- Reproducible builds — pinned toolchain; the same commit yields byte-identical binaries.
- SHA-256 checksums — published with every release.
- Sigstore signatures — keyless signing tied to the CI identity of the release workflow.
- CycloneDX SBOM — full dependency inventory per release.
Verify before you run
sha256sum -c gyze-0.5.0-rc5-checksums.txt
cosign verify-blob --bundle gyze.sigstore.json gyze
# Verified OK
Policy: nothing executable is distributed outside GitHub Releases. If you got a Gyze binary anywhere else, don't run it.
Developer guide
Integrate shielded payments via the CLI or the gyze-core crate.
Shell out to the CLI
Simplest path for any language — every command supports --json:
gyze shield send --to gyze1q8k...x2fj --amount 0.1eth --json
# {"tx":"0x91ab...","status":"final","verify_ms":9.7}
Rust
use gyze_core::{Wallet, Pool};
let wallet = Wallet::load("~/.gyze/wallet.json")?;
let pool = Pool::connect("https://rpc.gyze.xyz")?;
let tx = wallet.shielded_send(&pool, recipient, eth("0.1"))?;
tx.wait_final()?; // 7-of-10 signed + anchored on RH Chain
Watching for payments
Subscribe to blocks and trial-decrypt with your viewing key:
for note in pool.subscribe_notes(wallet.viewing_key()) {
println!("received {} wei", note.value);
}
Testing
gyze dev localnet spins up a 4-node cohort plus a local Robinhood Chain fork — the full stack on one machine, funded test accounts included.
Use cases
What private settlement on Robinhood Chain is actually for.
Private payroll
Pay a team in stablecoins on Robinhood Chain without publishing everyone's salary to the block explorer. Employees withdraw to their public address whenever they choose.
OTC settlement
Two parties settle a negotiated trade inside the pool — size and counterparty stay off the tape, avoiding the front-running that follows large visible transfers.
Treasury management
A company holding tokenized assets can rebalance without signalling strategy. Viewing keys give the auditor full history; the market sees nothing.
Personal privacy
Robinhood Chain gives self-custody to users in 120+ countries. Gyze makes self-custody safe to use in public: your address no longer doubles as a public statement of net worth.
Compliance-compatible disclosure
Every use case above works with selective disclosure — viewing keys and expiry-bound withdrawals mean privacy from the public, not from your own auditors or obligations.