Reference
Public signals
The 12 public signals in order — for anyone verifying a proof.
A join-split proof commits to 12 public signals. The on-chain verifier reconstructs them positionally from the instruction (never from a separate client blob) and verifies the proof against them. Anyone verifying a proof independently must use this exact order.
| # | Signal | Type | Meaning |
|---|---|---|---|
| 0 | nullifier0 | field element | nullifier of input note 0 |
| 1 | nullifier1 | field element | nullifier of input note 1 |
| 2 | outCommitment0 | field element | commitment of output note 0 |
| 3 | outCommitment1 | field element | commitment of output note 1 |
| 4 | root | field element | Merkle root the inputs are proven against |
| 5 | publicAmountIn | u64 | value entering the pool (shield); else 0 |
| 6 | publicAmountOut | u64 | value to the recipient (unshield); else 0 |
| 7 | fee | u64 | relayer fee (unshield); else 0 |
| 8 | recipientHi | 16-byte limb | recipient address, bytes 0..16 |
| 9 | recipientLo | 16-byte limb | recipient address, bytes 16..32 |
| 10 | relayerHi | 16-byte limb | relayer address, bytes 0..16 |
| 11 | relayerLo | 16-byte limb | relayer address, bytes 16..32 |
[nullifier0, nullifier1, outCommitment0, outCommitment1,
root, publicAmountIn, publicAmountOut, fee,
recipientHi, recipientLo, relayerHi, relayerLo]Notes:
- Signals 0–3 are circuit outputs; 4–11 are circuit inputs.
nPublic = 12, and the verifying key'sIChasnPublic + 1 = 13G1 points. - A 32-byte address exceeds the ~254-bit BN254 scalar field, so
recipientandrelayerare each split into two 16-byte limbs (hi = bytes 0..16, lo = bytes 16..32). Shield and transfer bind these to zero. - Field elements are encoded as 32-byte big-endian; the proof itself is
A(G1, 64 B) ‖B(G2, 128 B, EIP-197 orderx_c1‖x_c0‖y_c1‖y_c0) ‖C(G1, 64 B).