Where Jat Fits in Solana Privacy: an Honest Map
Solana has several privacy efforts in flight, and they do not all mean the same thing by the word. Here is the map, with Jat placed on it as the shipped devnet deposit pool it actually is.
Where Solana privacy actually stands in mid-2026
Solana has several privacy efforts in flight, and they do not all mean the same thing by the word. Some hide the amount but leave the parties public. Some hide everything but route trust through an operator or an MPC committee. Some are not privacy tools at all and get filed under privacy anyway. Before claiming Jat belongs anywhere on this map, it is worth drawing the map plainly and then placing Jat on it without inflating what is shipped.
Jat is now a working devnet deposit pool. The program receives real lamports, mints a commitment leaf on its own on-chain Poseidon Merkle tree, verifies a Groth16 proof of membership and a value threshold inside the program, and pays a withdrawal trustlessly out of a vault PDA. There is no auditor key and no operator key in the design, and there is no authority that can post a root. That is the bet it makes, and the rest of this post is about whether that bet is interesting given everything else already running.
What the existing tools actually do
Token-2022 Confidential Transfers encrypts amounts and balances with zero-knowledge proofs. The sender, the recipient, and the mint stay public on chain, so the value is blurred while the relationship is in plain view. A mint can also set an optional auditor key that decrypts amounts for whoever holds it. As of mid-2026 the underlying ZK ElGamal proof program is disabled on both mainnet and devnet, switched off in June 2025 after a soundness bug in the proof verification (the sigma OR-proof / Phantom Challenge issue), and it is undergoing a further audit before it can be re-enabled. So it is not usable on any public Solana cluster today. It is real cryptographic work aimed at a narrower goal than full payment privacy.
Arcium, the successor to Elusiv after that project announced its sunset at the end of February 2024, builds confidential compute on an MPC trust model. Correctness rests on the honesty assumptions of the MPC set rather than on a per-transaction zero-knowledge proof. Its graph-hiding lives at the application layer through Umbra, and its mainnet alpha is permissioned with caps as of early 2026.
Light Protocol's ZK Compression is often filed under privacy. It is state compression, with the data public, so it does not hide amounts or parties. A separate privacy layer has been announced since the Helius acquisition but is not shipped.
Outside Solana, the relevant peers are Aztec and Railgun. Aztec runs client-side proofs on its own L2 with no operator seeing plaintext, on mainnet but still experimental. Railgun is an EVM shielded pool that hides amounts, parties, and graph through Groth16, with a user-held viewing key that can optionally be scoped to a block range, for example to a tax year, for auditable disclosure. Both are more mature than Jat by a wide margin. Neither is on Solana.
What Jat actually is, structurally
Jat is not new cryptography. The honest description is that it is a Tornado-style shielded pool plus a Semaphore-style range gate, deployed as a Solana-native program with an on-chain Poseidon tree.
Tornado Cash established the shape of a shielded pool: deposit a fixed denomination against a commitment, then later prove membership of the commitment set and spend a single-use nullifier without revealing which commitment is yours. Semaphore generalized the membership-plus-nullifier idea into group signaling with an external, context-scoped nullifier. Jat's two circuits sit inside that lineage. The deposit gate is a depth-20 Poseidon-Merkle inclusion proof with a context-scoped nullifier Poseidon(nullifier, contextHash) and a GreaterEqThan(64) range check, so a holder can prove the committed amount clears a threshold without revealing the exact value above it; the denomination tier is public, since deposits are fixed-size. The withdraw circuit proves inclusion of the same leaf and spends a global single-use nullifier Poseidon(nullifier) to claim the leaf's exact value.
So the cryptographic core is borrowed and well understood. The contribution worth claiming is narrower and more specific: a Solana-native verifier program with its own on-chain incremental Poseidon-BN254 tree, a root that is a deterministic function of deposits rather than a posted value, and a disclosure model with no auditor key and no operator key anywhere. That packaging is the bet. The math underneath it is Tornado and Semaphore lineage, and pretending otherwise would be dishonest.
The one bet: no delegated disclosure key, no posted root
In the shipped devnet design there is no operator viewing key and no auditor key. Whatever a proof hides stays hidden against everyone, because there is no privileged party who can later decide to inspect the secret, the exact value above the threshold, or the Merkle path; the denomination tier is public, since deposits are fixed-size. Token-2022 allows a mint to attach an auditor key. Arcium's confidentiality rests on the MPC set behaving. Railgun gives the user a viewing key they can hand to an auditor for a scoped block range. Jat's design has no such key for anyone, by construction.
The v2 program also closed the centralization point that the earlier version carried. The registry is now decentralized: init_tree computes the empty-subtree zeros on chain, the set_root instruction and the authority field were deleted, and the root moves only when a deposit inserts a leaf. No key can post a root. The root is a deterministic function of the deposits that actually happened.
That is the axis on which Jat is meaningfully different from most of the Solana field. Disclosure is not delegated to a key that someone else holds, and the set is not curated by a key that someone else holds.
The one axis that matters: who can decrypt what the system hides. Jat sits on the user-held end, with no auditor key and no operator key.
The value binding, and what fixed denominations buy
The most important v2 change is that the committed value is real. On deposit, the program moves real lamports into the vault and pins the leaf's value to the amount actually transferred, so the leaf is Poseidon(value, label, Poseidon(nullifier, secret)) with value equal to what moved. A holder can no longer self-assign a value to a commitment. When a later proof asserts value >= threshold, that threshold is over a real deposited amount.
Deposits are accepted only in a fixed allowed set of denominations. Same-denomination deposits are indistinguishable from each other, so when a withdrawal reveals its value, that disclosure only narrows the anonymity set to deposits of that denomination, never to a unique amount. Fixed denominations are the standard shielded-pool defense against amount correlation, and they replace the amount-correlation weakness the prior version had.
The landscape in one view
The systems below sit at very different maturity levels and goals. The table is a map of where each one stands, not a scoreboard.
| System | Maturity | Disclosure model | Amount hidden | Parties / graph hidden | Chain |
|---|---|---|---|---|---|
| Aztec | Mainnet, experimental | User-held, no standing auditor | Yes | Yes | Aztec L2 / Ethereum |
| Railgun | Mainnet (live) | User-held viewing key, optionally block-range scoped | Yes | Yes | EVM |
| Token-2022 Confidential Transfers | Disabled on mainnet and devnet since June 2025, pending re-audit | Optional mint-set auditor key decrypts amounts | Yes | No (sender/recipient/mint public) | Solana |
| Arcium | Mainnet alpha, permissioned with caps | MPC trust model | Via MPC | App-layer (Umbra) | Solana |
| Light Protocol ZK Compression | Live (compression only) | Not a privacy tool, data public | No | No | Solana |
| Jat | Devnet, full stealth + pool round-trip e2e | No auditor key, no operator key, no posted root (root derived from deposits) | Exact value above threshold hidden; denomination tier public (fixed denominations) | Yes: stealth one-time addresses, relayer-paid claims | Solana |
Where Jat fits
A Tornado-style shielded pool with a Semaphore-style range gate is a good fit for a specific job: deposit a real amount privately, later prove you belong to the committed set and that your value clears a bar, once per context, and withdraw the exact value to a bound recipient, all without revealing which deposit is yours. On Solana, this shape, a program with its own on-chain Poseidon tree and no delegated disclosure key, is uncommon among what ships today. That is the gap Jat aims at.
The flow that shipped reaches past the pool itself. A payer funds a one-time stealth address derived from a recipient's published link, with no on-chain link between the two parties, so receiving a payment someone sends you is now part of the design, not out of scope. A fee relayer pays the claim and the withdraw, so a fresh recipient address never originates a fee and the gas-and-timing linkage the early version left open is closed. The recipient routes the funds through the fixed-denomination pool and back out to a clean address, which shields the link between the deposit and the withdrawal in one round-trip, all on devnet today. The denomination tier stays public, since deposits are fixed-size.
The tree holds on the order of a million leaves at depth 20, and the privacy a withdrawal gives grows with the set of same-denomination deposits in the pool, so the practical anonymity set scales with adoption rather than with the protocol. The remaining milestones are scale and a mainnet deployment with an operator setup for the relayer and indexer where the relayer is constrained to only pay gas.
What is actually being claimed
Jat is a working devnet system built on the Tornado and Semaphore lineage: a payer funds a one-time stealth address from a published link with no on-chain link between the parties, the recipient deposits real lamports against a commitment in an on-chain Poseidon tree, proves membership and a value threshold with a Groth16 proof verified inside the program, and withdraws the exact value trustlessly to a clean address with single-use nullifiers, with a relayer paying the fees so a fresh address never has to. The value is deposit-bound, the denominations are fixed, the root is derived from deposits with no authority, and there is no auditor key or operator key in the design. The cryptography is borrowed and well studied; the packaging and the disclosure choice are the contribution. The road from here is scale and mainnet. The technical and builder posts walk the mechanism in detail from there.