ERC-8086: Privacy Token

zero · December 23, 2025, 1:46am

tomw1808:

I am working on a similar idea for a while and just stumbled upon this ERC. I also see a need for tokens to be able to integrate a shielding logic natively. That is: on the token level instead of relying on “general purpose” solutions.

Kudos on the demo, looks very nice!

I just had a brief moment to dig into the source and the whitepaper, maybe you can help me out:

I see the interface and the merkle tree implementation, but the GitHub Repo misses somehow the circuits and resulting verifiers (?). For the reference implementation/demo: are circuits/verifier contracts intentionally out-of-repo (or generated elsewhere), and if so, what is the intended ‘canonical’ circuit family to target for interoperable wallets if any?

I was also wondering if the verifiers are based on a similar circuit design as railgun uses… ERC-8086 exposes proofType and opaque proof bytes but does the draft intend any standardization of circuit semantics (e.g., fixed input/output like 2-in-2-out), or is proofType expected to fully encapsulate circuit differences per token?

Does the ERC aim to standardize recipient key format or is wallet compatibility expected to be negotiated per implementation? Is there maybe an intended registry/discovery mechanism for supported proofType values and their public inputs, so wallets can know which prover to use for a given token?

Thanks for the thoughtful questions — they touch exactly the design boundary we’ve been very deliberate about with ERC-8086.

Our intent with ERC-8086 is to define a minimal, native privacy primitive at the token level, rather than standardizing a full privacy protocol or prescribing a concrete ZK system. This is very much a “minimal interface, maximal freedom” design.

Circuits & verifiers

The absence of circuits and generated verifier contracts in the reference repo is intentional.

ERC-8086 is not meant to canonize a specific circuit family. Doing so would effectively turn the ERC into a full product specification, which would dramatically raise the implementation bar and exclude many existing or future designs. Instead, the ERC defines what a token must expose, not how privacy is achieved internally.

Projects are free to:

generate verifiers off-repo,
use different proving systems,
upgrade circuits over time,
as long as they conform to the interface.

This also means that systems like Railgun could adopt ERC-8086 naturally, without refactoring their circuit architecture.

the circuits used in our reference implementation are planned to be open-sourced in the near future.
They are intended as a reference and starting point, not a mandatory target: anyone will be free to reuse them directly or adapt them to build their own ERC-8086–compatible implementations.

Recipient keys & wallet interoperability

look this ERC-8091: Privacy Address Format