Abstract. NOX is a cryptocurrency in which balances and transfers are private by default. It combines a shielded pool secured by zero-knowledge STARK proofs, post-quantum key encapsulation and signatures, and a Byzantine-fault-tolerant consensus with near-instant finality. Unlike earlier private currencies, NOX uses transparent, hash-based proofs that require no trusted setup and rely on no assumptions a quantum computer is known to break. All proving happens on the user's own device, so the network never learns a user's balance, counterparties, or amounts. NOX has a fixed maximum supply of 50,000,000 units.
Public blockchains made money programmable but not private: every balance and payment is exposed to the world forever. Financial privacy is a normal expectation of physical cash and bank accounts, and its absence on-chain is a real barrier to everyday use. A second problem looms further out: most deployed public-key cryptography (elliptic curves, RSA) would be broken by a sufficiently large quantum computer, putting today's signatures and encrypted data at future risk.
NOX addresses both at once. It provides strong on-chain privacy using modern zero-knowledge proofs, and it builds its confidentiality and authentication on post-quantum primitives standardized by NIST. The goal is money that is private the way cash is private, and that is designed to remain secure as cryptography evolves.
A NOX wallet holds two kinds of value. The transparent side is a conventional account model with public balances, used for on-ramps, exchange, and interoperability. The shielded side is a pool of encrypted notes whose amounts and owners are hidden. Users move value between the two by shielding (transparent → shielded) and unshielding (shielded → transparent); while shielded, value can be transferred privately between users.
The chain is an application built on a CometBFT (Tendermint-class) state machine. Consensus is Byzantine-fault-tolerant with single-slot finality: once a block commits, it is final — there is no probabilistic reorg risk as in proof-of-work. Block times are on the order of one second. The shielded pool is a Merkle commitment tree; spends are authorized by zero-knowledge proofs verified by every validator.
Wallet keys derive deterministically from a single 24-word (256-bit) recovery phrase, so one phrase reconstructs a user's transparent keys, shielded spend keys, and note-encryption keys.
A shielded note represents a hidden amount owned by a spend key. Its public commitment is stored in the Merkle tree; the note itself is known only to its owner. Each note has:
- a commitment cm = H(value, ak, npk, rho), binding the amount, an authorization tag, the public nullifier key, and a random value;
- a public nullifier key npk = H(nsk), derived from the secret spend key nsk;
- a nullifier nf = H(nsk, rho, position), published when the note is spent. The nullifier is unlinkable to the commitment for anyone but the owner, yet uniquely marks the note as spent — this is what prevents double-spending without revealing which note was consumed.

When value is sent, the sender encrypts the new note's opening to the recipient's ML-KEM key and attaches it as a memo. Recipients (and, on NOX, the depositor of a shield) scan these memos to discover notes addressed to them.
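The note relations above, worked through as an added example (not NOX's own code): H is modelled as SHA-256 over tagged, length-prefixed fields, and the commitment tree is a small binary hash tree padded to a power of two, so the hash function, encoding and tree depth are assumptions rather than the protocol's.

```python
import hashlib

# Constructed model of the note relations above (added example, not NOX's own
# code). H is modelled as SHA-256 over tagged, length-prefixed fields; NOX's
# actual hash function, field encoding and tree depth are not given here.

def H(*parts: bytes) -> bytes:
    """Hash a fixed sequence of byte strings; the first part is a domain tag."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def derive_npk(nsk: bytes) -> bytes:
    """npk = H(nsk): public nullifier key from the secret spend key."""
    return H(b"npk", nsk)

def commitment(value: int, ak: bytes, npk: bytes, rho: bytes) -> bytes:
    """cm = H(value, ak, npk, rho): the only part of a note the chain stores."""
    return H(b"cm", value.to_bytes(8, "big"), ak, npk, rho)

def nullifier(nsk: bytes, rho: bytes, position: int) -> bytes:
    """nf = H(nsk, rho, position): published at spend time; needs nsk to compute."""
    return H(b"nf", nsk, rho, position.to_bytes(8, "big"))

def merkle_path(leaves: list, position: int):
    """Root of the commitment tree plus the sibling path for one leaf.

    Leaves are padded with zero nodes to a power of two so every path has the
    same length (constructed convention)."""
    level = list(leaves)
    while len(level) & (len(level) - 1):
        level.append(b"\x00" * 32)
    siblings, idx = [], position
    while len(level) > 1:
        siblings.append(level[idx ^ 1])
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return level[0], siblings

def root_from_path(leaf: bytes, position: int, siblings: list) -> bytes:
    """Recompute the root from a leaf and its path; membership holds iff this
    equals a root (anchor) the validators already know."""
    node, idx = leaf, position
    for sib in siblings:
        node = H(b"node", node, sib) if idx % 2 == 0 else H(b"node", sib, node)
        idx //= 2
    return node
```

A spend proof shows knowledge of a (leaf, path) pair under a known anchor without revealing the position; the chain only ever sees the nullifier, which cannot be recomputed without nsk.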
NOX defines four shielded operations, each backed by a dedicated arithmetic circuit (AIR):
| Operation | Proves |
|---|---|
| shield | authorized transparent debit → new shielded note (public deposit) |
| transfer | 1 input note → 2 output notes (recipient + change), value conserved |
| transfer2 | 2 input notes → 2 outputs (a note-merge), with an in-circuit proof that the two inputs are distinct |
| unshield | 1 input note → transparent output, bound to the destination address |
Each circuit proves, in zero knowledge: membership of the spent note(s) in the tree at a known root; correct derivation of the commitment(s) and nullifier(s); value conservation (inputs = outputs + fee); and range bounds that keep values from wrapping the field. Proofs are generated at production parameters (96 FRI queries, blow-up factor 8, cubic field extension) targeting a 128-bit security level.
To bound denial-of-service from spam that is cheap to submit but expensive to verify, each shielded transaction also carries a small proof-of-work admission stamp bound to its public fields, and each block enforces a maximum number of proof verifications.
The entire wallet — key derivation, note scanning, memo decryption, transaction assembly, and STARK proof generation — runs in the browser as a single Rust module compiled to WebAssembly. Generating a private-send proof takes on the order of tens of milliseconds on a normal device. Because everything happens locally, secret keys and the witness never leave the user's machine, and no server (including the one hosting the wallet) can observe a user's activity. The wallet contacts the network only to read public data (Merkle paths, chain state) and to broadcast finished, self-verified transactions. There is no trusted setup and no prover service to trust.
Validators apply a strict, deterministic set of checks to every shielded transaction before it can change state: the referenced tree root must be a known historical anchor; the STARK proof must verify against the exact public inputs; each nullifier must be previously unspent (and, for merges, the two inputs distinct); output commitments must be new; and fees must lie within safe bounds. Checks are ordered so that a failing transaction changes nothing (validate-then-mutate). A global supply invariant is maintained and checked, ensuring value cannot be created or destroyed behind the shield.
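The validate-then-mutate ordering above, as an added example (not NOX's own code): the STARK verifier is injected as a callable so the check sequence can be exercised on its own, and the fee bounds, field layout and supply-invariant bookkeeping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the validator checks above (added example, not NOX's own
# code); the STARK verifier is injected as a callable and fee bounds are assumed.
MIN_FEE, MAX_FEE = 1, 1_000_000_000   # assumed safe fee bounds

@dataclass
class ShieldedTx:
    anchor: bytes       # Merkle root the membership proof was made against
    nullifiers: list    # one per spent input note (two for a merge)
    commitments: list   # new output note commitments
    fee: int
    proof: bytes

@dataclass
class PoolState:
    anchors: set = field(default_factory=set)      # known historical roots
    spent: set = field(default_factory=set)        # published nullifiers
    commitments: set = field(default_factory=set)  # every commitment ever added
    pool_value: int = 0                            # value behind the shield
    treasury: int = 0                              # burned fees

def validate(state, tx, verify_stark):
    """None if tx is admissible, else the first failing check. Never mutates."""
    if tx.anchor not in state.anchors:
        return "unknown anchor"
    if not verify_stark(tx.proof, tx):   # proof bound to the exact public fields
        return "proof does not verify"
    if any(nf in state.spent for nf in tx.nullifiers):
        return "nullifier already spent"
    if len(set(tx.nullifiers)) != len(tx.nullifiers):
        return "merge inputs not distinct"
    if len(set(tx.commitments)) != len(tx.commitments) \
            or any(cm in state.commitments for cm in tx.commitments):
        return "output commitment not new"
    if not MIN_FEE <= tx.fee <= MAX_FEE:
        return "fee out of bounds"

def apply_tx(state, tx, verify_stark):
    """Validate-then-mutate: state changes only once every check has passed."""
    err = validate(state, tx, verify_stark)
    if err is not None:
        return err
    before = state.pool_value + state.treasury
    state.spent.update(tx.nullifiers)
    state.commitments.update(tx.commitments)
    state.pool_value -= tx.fee   # fee leaves the pool ...
    state.treasury += tx.fee     # ... and is burned to the treasury account
    assert state.pool_value + state.treasury == before, "supply invariant broken"
```

Because every check runs before any write, a rejected transaction leaves the nullifier set, the commitment set and the pool total exactly as they were.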
NOX has a fixed maximum supply of 50,000,000 units. A genesis allocation seeds the initial network; the remainder is released through a transparent, long-horizon decaying emission schedule. Protocol fees on shielded transactions are burned to a treasury account. All supply figures — total, emitted, and cap — are queryable on-chain and shown live on the explorer. The unit is divisible to nine decimal places.
The security of the shielded pool rests on the soundness of its circuits and the correctness of the consensus rules. The design has been the subject of an independent security review of the zero-knowledge circuits and state-transition logic. Areas that receive particular scrutiny include the circuit soundness of each operation, the custom nullifier-distinctness gadget used in the merge circuit, the completeness of range checks, and the parameter choice underlying the 128-bit target.
Users should understand the honest limits of the current deployment: NOX today runs as a public testnet with play-money, on a limited validator set, and should not be used to hold real value. Privacy is strong but not magic — good operational hygiene (not reusing addresses, keeping the recovery phrase safe) still matters. The recovery phrase is the sole backup; losing it means losing access.
The protocol, wallet, explorer, and node infrastructure are live on testnet. The path to a value-bearing mainnet is deliberately conservative: