Calyx: Privacy-Preserving Multi-Token Optimistic-Rollup Protocol

TL;DR

Calyx tackles the dual challenges of privacy and scalability in Layer-2 rollups by introducing a privacy-preserving multi-token optimistic-rollup. It combines a UTXO-based L2 design with zk-SNARKs to hide sender, receiver, amount, and token type, while leveraging an efficient one-step fraud-proof and a pointer-based BLOB data structure to maintain data availability on L1 with minimal on-chain data. The protocol supports atomic multi-transaction execution, token-specific state via a Coin Tree and Nullifier Tree, and seamless joining/leaving through mint/burn bridging. Security is analyzed under Byzantine and rational adversaries, and a practical Ethereum prototype demonstrates feasible costs and performance, with an explicit pathway to CBDC extensions. Overall, Calyx offers a privacy-first, scalable, and economically sound framework for multi-token L2 payments with concrete implementation and evaluative benchmarks.

Abstract

Rollup protocols have recently received significant attention as a promising class of Layer 2 (L2) scalability solutions. By utilizing the Layer 1 (L1) blockchain solely as a bulletin board for a summary of the executed transactions and state changes, rollups enable secure off-chain execution while avoiding the complexity of other L2 mechanisms. However, to ensure data availability, current rollup protocols require the plaintext of executed transactions to be published on-chain, resulting in inherent privacy limitations. In this paper, we address this problem by introducing Calyx, the first privacy-preserving multi-token optimistic-Rollup protocol. Calyx guarantees full payment privacy for all L2 transactions, revealing no information about the sender, recipient, transferred amount, or token type. The protocol further supports atomic execution of multiple multi-token transactions and introduces a transaction fee scheme to enable broader application scenarios while ensuring the sustainable operation of the protocol. To enforce correctness, Calyx adopts an efficient one-step fraud-proof mechanism. We analyze the security and privacy guarantees of the protocol and provide an implementation and evaluation. Our results show that executing a single transaction costs approximately $0.06 (0.00002 ETH) and incurs only constant-size on-chain cost in asymptotic terms.

Figures (1)

• Figure 1: Calyx Overview. Consider three clients $U_0, U_1, U_2$ joining the protocol with three types of tokens (ETH, $T_0$, $T_1$). Then $U_0$ privately pays $U_1$ and $U_2$, while $U_2$ pays $U_0$. Transactions grouped in a bracket are executed atomically. Execution occurs after the transactions are published on-chain and no fraud-proof is submitted by a verifier within a specified time window. Finally, $U_0$ retrieves the $2$ tokens $T_1$ from $U_2$ through the contract.

Theorems & Definitions (30)

• Definition 1: Balance security
• Definition 2: Liveness
• Definition 3: L2 transaction privacy
• Definition 4: Rational security
• Theorem 1: Balance security
• Theorem 2: Liveness
• Theorem 3: L2 transaction privacy
• Theorem 4: Rational security & privacy
• Lemma 1: Correct joining
• proof