Proof-Carrying Authorization
Privately authorize actions without revealing identity. A cryptographic model for composable, replay-resistant access control.
Identity is Authorization's Bottleneck
Traditional systems ask "Who are you?" to grant access. This creates central honeypots of identity and forces privacy trade-offs. Proof-Carrying Authorization (PCA) flips the model: verifiers check a Zero-Knowledge proof that a policy is satisfied, without ever learning which user satisfied it.
Core Primitives
Zero-Knowledge
Authorize transparent actions (payments, allowlist gates) while keeping the authorizer's identity completely private using zk-SNARKs.
Domain Binding
Proofs are cryptographically bound to a specific Protocol, Policy, and Context. They cannot be replayed or redirected.
Replay Resistance
Deterministic nullifiers ensure every authorization is unique, preventing double-spending without revealing the spender.
Solana Native
Designed for constrained environments. Uses Groth16 and Pinocchio for efficient on-chain verification.
The Protocol
PCA binds the proof to the action scope to ensure integrity.
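The sketch below is an added example, not code from the PCA project. It illustrates the Domain Binding and Replay Resistance primitives on the verifier side. All names are hypothetical, SHA-256 and HMAC stand in for whatever hash the real circuit uses, and the `proof_valid` flag stands in for the zk-SNARK verification itself.

```python
import hashlib
import hmac

def _field(b: bytes) -> bytes:
    # Length-prefix so (b"ab", b"c") and (b"a", b"bc") hash differently.
    return len(b).to_bytes(4, "big") + b

def scope_digest(protocol: bytes, policy: bytes, context: bytes) -> bytes:
    """Domain tag: commits to Protocol, Policy and Context together."""
    h = hashlib.sha256(b"pca-example/scope/v1")
    for part in (protocol, policy, context):
        h.update(_field(part))
    return h.digest()

def nullifier(secret: bytes, scope: bytes) -> bytes:
    """Deterministic per (secret, scope); does not expose the secret."""
    return hmac.new(secret, b"pca-example/nullifier/v1" + scope, hashlib.sha256).digest()

class Verifier:
    def __init__(self, protocol: bytes, policy: bytes):
        self.protocol, self.policy = protocol, policy
        self.seen = set()  # nullifiers already accepted

    def accept(self, context: bytes, scope: bytes, nf: bytes, proof_valid: bool) -> str:
        # 1. Recompute the scope locally; never trust the prover's copy.
        expected = scope_digest(self.protocol, self.policy, context)
        if not hmac.compare_digest(expected, scope):
            return "wrong-scope"
        # 2. proof_valid stands in for the zk-SNARK check over (scope, nf).
        if not proof_valid:
            return "bad-proof"
        # 3. Record the nullifier only after the proof verified, so invalid
        #    submissions cannot burn someone else's nullifier.
        if nf in self.seen:
            return "replay"
        self.seen.add(nf)
        return "ok"

if __name__ == "__main__":
    secret, ctx = b"\x01" * 32, b"transfer:42"  # constructed sample values
    v = Verifier(b"pay-v1", b"allowlist-A")
    s = scope_digest(b"pay-v1", b"allowlist-A", ctx)
    nf = nullifier(secret, s)
    print(v.accept(ctx, s, nf, True))  # first use of this nullifier
    print(v.accept(ctx, s, nf, True))  # same proof submitted again
    print(Verifier(b"pay-v1", b"allowlist-B").accept(ctx, s, nf, True))
```

Because the nullifier depends on the scope, the same secret yields an unrelated nullifier under a different protocol, policy or context, so authorizations cannot be linked across scopes by comparing nullifiers.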