Skip to content
SIP Protocol

Privacy Levels

Privacy Levels

Section titled “Privacy Levels”

SIP defines three privacy levels that users can select per-intent.

Overview

Section titled “Overview”
LevelPrivacyComplianceUse Case
TRANSPARENTNoneFullMaximum compatibility
SHIELDEDFullNoneMaximum privacy
COMPLIANTFull + DisclosureSelectiveInstitutional/regulatory

TRANSPARENT

Section titled “TRANSPARENT”

Standard on-chain transaction with no privacy enhancements.

const intent = await sip
  .intent()
  .input('near', 'NEAR', 100n)
  .output('ethereum', 'ETH')
  .privacy(PrivacyLevel.TRANSPARENT)
  .build()

Visibility

Section titled “Visibility”
InformationVisible To
Sender addressEveryone
Input amountEveryone
Output amountEveryone
Recipient addressEveryone

Required Proofs

Section titled “Required Proofs”

None - standard transaction signing only.

Use Cases

Section titled “Use Cases”
  • DEX integrations requiring transparency
  • Public treasury operations
  • Airdrops and distributions
  • Testing and debugging

SHIELDED

Section titled “SHIELDED”

Full privacy with cryptographic hiding of sender, amounts, and recipient.

const intent = await sip
  .intent()
  .input('ethereum', 'ETH', 1_000_000_000_000_000_000n)
  .output('zcash', 'ZEC')
  .privacy(PrivacyLevel.SHIELDED)
  .build()

Visibility

Section titled “Visibility”
InformationVisible ToHidden Via
Sender addressNobodySender commitment
Input amountNobodyPedersen commitment
Output amountSolver only (range)Commitment
Recipient addressNobodyStealth address
Min output requiredEveryonePlaintext (for quoting)

Required Proofs

Section titled “Required Proofs”
ProofPurpose
Funding ProofProve balance ≥ input
Validity ProofProve authorization
Fulfillment ProofProve correct delivery

What Solvers See

Section titled “What Solvers See”
Solver view:
├── "Someone wants to swap"
├── "Input: ??? amount of SOL (committed)"
├── "Output: at least 100 ZEC"
├── "Recipient: stealth address 0x..."
└── "Proof that sender has sufficient funds: ✓"

Guarantees

Section titled “Guarantees”
PropertyGuaranteed?Mechanism
Sender privacyYesPedersen commitment
Amount privacyYesAmount commitments
Recipient privacyYesStealth address
UnlinkabilityYesFresh blinding + stealth per tx

COMPLIANT

Section titled “COMPLIANT”

Full privacy with selective disclosure for authorized auditors.

const viewingKey = sip.generateViewingKey('/audit')


const intent = await sip
  .intent()
  .input('solana', 'SOL', 5_000_000_000n)
  .output('near', 'NEAR')
  .privacy(PrivacyLevel.COMPLIANT)
  .viewingKey(viewingKey)
  .build()

Visibility

Section titled “Visibility”
InformationPublicAuditor (with key)
Sender addressHiddenVisible
Input amountHiddenVisible
Output amountHiddenVisible
Recipient addressHiddenVisible
Audit trailHiddenFull history

Auditor Workflow

Section titled “Auditor Workflow”
  1. User creates COMPLIANT intent
  2. User designates auditor (provides viewing key hash)
  3. Transaction data encrypted with auditor’s key
  4. Encrypted blob stored with intent
  5. Auditor decrypts when needed
  6. Auditor generates ViewingProof for reports

Use Cases

Section titled “Use Cases”
  • Institutional trading
  • Tax compliance
  • Regulatory requirements
  • DAO treasury operations

Comparison Matrix

Section titled “Comparison Matrix”

Privacy

Section titled “Privacy”
AspectTRANSPARENTSHIELDEDCOMPLIANT
Sender hiddenNoYesYes (public) / No (auditor)
Amount hiddenNoYesYes (public) / No (auditor)
Recipient hiddenNoYesYes (public) / No (auditor)
Audit possibleTrivialNoYes (with key)

Performance

Section titled “Performance”
AspectTRANSPARENTSHIELDEDCOMPLIANT
Proof generationNone~2-5s~2-5s + encryption
VerificationFast~10ms~10ms
Data sizeSmallMediumMedium + encrypted blob

Use Case Fit

Section titled “Use Case Fit”
Use CaseRecommended Level
Public DEX swapTRANSPARENT
Personal privacySHIELDED
Institutional tradingCOMPLIANT
Tax reporting neededCOMPLIANT
Anonymous donationSHIELDED
Regulated exchangeCOMPLIANT

Transition Rules

Section titled “Transition Rules”
TRANSPARENT → SHIELDED ✓ (add proofs and commitments)
TRANSPARENT → COMPLIANT ✓ (add proofs + viewing key)
SHIELDED → COMPLIANT ✓ (add viewing key encryption)
SHIELDED → TRANSPARENT ✗ (cannot reveal hidden data)
COMPLIANT → SHIELDED ✗ (auditor key already shared)
COMPLIANT → TRANSPARENT ✗ (cannot reveal hidden data)

Once data is committed/hidden, it cannot be revealed without user cooperation.

SDK Usage

Section titled “SDK Usage”
import { SIP, PrivacyLevel } from '@sip-protocol/sdk'


const sip = new SIP({ network: 'testnet' })


// Transparent
const transparent = await sip.createIntent({
  privacyLevel: PrivacyLevel.TRANSPARENT,
  sender: '0x...',
  recipient: '0x...',
  inputAmount: 100n,
})


// Shielded - SDK generates commitments, stealth, proofs
const shielded = await sip.createIntent({
  privacyLevel: PrivacyLevel.SHIELDED,
  inputAmount: 100n,
})


// Compliant - SDK adds encrypted viewing data
const compliant = await sip.createIntent({
  privacyLevel: PrivacyLevel.COMPLIANT,
  inputAmount: 100n,
  auditorKeyHash: '0x...',
})

Security Considerations

Section titled “Security Considerations”

Privacy Level Selection

Section titled “Privacy Level Selection”
ConsiderationGuidance
Default levelSHIELDED (privacy by default)
Downgrade requestsReject - cannot downgrade
Level in metadataIncluded in intent_hash

Commitment Binding

Section titled “Commitment Binding”

All commitments are bound to privacy level:

commitment_hash = Poseidon(
  commitment,
  privacy_level,
  intent_id
)

This prevents commitment reuse across different privacy contexts.

Auditor Trust

Section titled “Auditor Trust”

For COMPLIANT mode:

  • User chooses auditor (not protocol)
  • Multiple auditors supported
  • Revocation possible but doesn’t hide past disclosures