ZK Proofs on Stellar

X-Ray (Protocol 25) introduced native host functions for zero-knowledge-friendly primitives (BN254 and Poseidon/Poseidon2), marking an important milestone in a long-term strategy to equip developers with the execution-environment infrastructure needed to build compliance-forward, privacy-preserving applications using zero-knowledge cryptography. These primitives are foundational building blocks and do not, on their own, provide end-to-end private payments without additional higher-level protocol or application logic.

For more details on X-Ray, see this blog post.

BN254

BN254 is a pairing-friendly elliptic curve defined over a 254-bit prime field, commonly used in zero-knowledge proof systems because it supports efficient bilinear pairings. These pairings enable succinct proof constructions where complex statements can be verified quickly on-chain or in constrained environments. BN254 is especially popular in blockchain ecosystems because its arithmetic and pairing operations are relatively efficient to implement and well supported by existing libraries and tooling.

While BN254 host functions provide the cryptographic operations needed for proof verification, developers must still generate proofs using higher-level systems (such as circuits written in Noir or Risc0 methods) and deploy verifier smart contracts on Stellar to implement complete zero-knowledge workflows.

BN254 host functions

• g1_add - performs point addition in G1 (point on curve)
• g1_mul - performs scalar multiplication in G1 (point on curve)
• pairing_check - performs pairing operation on a vector of G1 points and a vector of G2 points

Resources

• P25 Preview examples
• Soroban SDK BN254 documentation - types and functions
• CAP-74 proposal
• Noir Ultrahonk Soroban Verifier Contract
• Noir documentation (circuits)
• Risc0 documentation (circuits)

Poseidon

Poseidon is a cryptographic hash function specifically designed for zero-knowledge proof systems, where efficiency inside arithmetic circuits is critical. Unlike traditional hashes such as SHA-256, Poseidon is optimized to minimize the number of constraints required in zero-knowledge circuits by operating natively over finite fields used by zk-SNARKs. This makes it significantly faster and cheaper to prove and verify statements involving hashing, which is why Poseidon is widely used for commitments, Merkle trees, and nullifiers in zero-knowledge applications.

Poseidon host functions support hashing within ZK-friendly environments, but developers must still incorporate them into higher-level proof systems and pair them with Stellar verifier contracts to build end-to-end zero-knowledge application flows.

Poseidon host functions

• poseidon - computes the Poseidon hash of the input field elements
• poseidon2 - computes the Poseidon hash of the input field elements

Resources

• P25 Preview examples
• Soroban SDK Poseidon documentation
• CAP-75 proposal

note

Poseidon is currently being branched out as a separate Rust SDK for use in smart contracts.