Erebuzdocs

Privacy model

What is hidden, from whom, and where your users' keys live.

Erebuz gives users transactional privacy without your app having to run any cryptography itself.

What observers see

On-chain observers see value entering and leaving a shared pool, they cannot link a specific deposit to a specific withdrawal, or a sender to a recipient. Because the pool is shared across every app built on Erebuz, the anonymity set is far larger than anything a single app could build on its own.

What your app sees

Your app sees its own users' transfers, you called send(), so you know the sender, recipient and amount. Erebuz adds privacy against the outside world, not against you.

Where keys live

Your app runs its own secure enclave (TEE). The master seed and every derived key live inside it:

  • Keys never leave your infrastructure and are never held by Erebuz.
  • If Erebuz goes offline, your enclave keeps running and funds stay under your users' control.
  • Remote attestation lets you verify the enclave is running unmodified code before trusting it with a seed.

How this differs from privacy tools

Tools like Railgun or Zcash give you a privacy primitive on one chain. Erebuz is a router on top of primitives like these: it picks the right tool for each transfer, runs compliance, routes across chains, and handles gas, so neither you nor your users ever interact with the underlying protocol.

On this page