null.
Reference

Public signals

The 12 public signals in order — for anyone verifying a proof.

A join-split proof commits to 12 public signals. The on-chain verifier reconstructs them positionally from the instruction (never from a separate client blob) and verifies the proof against them. Anyone verifying a proof independently must use this exact order.

#SignalTypeMeaning
0nullifier0field elementnullifier of input note 0
1nullifier1field elementnullifier of input note 1
2outCommitment0field elementcommitment of output note 0
3outCommitment1field elementcommitment of output note 1
4rootfield elementMerkle root the inputs are proven against
5publicAmountInu64value entering the pool (shield); else 0
6publicAmountOutu64value to the recipient (unshield); else 0
7feeu64relayer fee (unshield); else 0
8recipientHi16-byte limbrecipient address, bytes 0..16
9recipientLo16-byte limbrecipient address, bytes 16..32
10relayerHi16-byte limbrelayer address, bytes 0..16
11relayerLo16-byte limbrelayer address, bytes 16..32
[nullifier0, nullifier1, outCommitment0, outCommitment1,
 root, publicAmountIn, publicAmountOut, fee,
 recipientHi, recipientLo, relayerHi, relayerLo]

Notes:

  • Signals 0–3 are circuit outputs; 4–11 are circuit inputs. nPublic = 12, and the verifying key's IC has nPublic + 1 = 13 G1 points.
  • A 32-byte address exceeds the ~254-bit BN254 scalar field, so recipient and relayer are each split into two 16-byte limbs (hi = bytes 0..16, lo = bytes 16..32). Shield and transfer bind these to zero.
  • Field elements are encoded as 32-byte big-endian; the proof itself is A (G1, 64 B) ‖ B (G2, 128 B, EIP-197 order x_c1‖x_c0‖y_c1‖y_c0) ‖ C (G1, 64 B).