Umbra PrivacyBurning UTXOs to Encrypted Balance
Learn how to withdraw funds from Umbra's Unified Mixer Pool to an Encrypted Token Account (ETA) while maintaining full transaction privacy and anonymity.
Burning a UTXO to an encrypted balance withdraws anonymous funds from the Unified Mixer Pool directly into an Encrypted Token Account (ETA). This provides the highest level of privacy-the withdrawal amount remains hidden while the source stays anonymous.
Overview
When you burn a UTXO to an ETA, the withdrawal amount is encrypted before being credited to the destination account. External observers can see that a withdrawal occurred, but they cannot determine the amount or link it to any specific deposit.
Privacy Characteristics
| Aspect | Visibility |
|---|---|
| Withdrawal Amount | Hidden (encrypted) |
| Recipient Address | Visible (destination ETA owner) |
| Source of Funds | Anonymous (could be any UTXO) |
| Link to Deposit | Impossible to determine |
Comparison to Public Burn
| Aspect | Burn to ATA | Burn to ETA |
|---|---|---|
| Amount | Visible | Hidden |
| Recipient | Visible | Visible |
| Source | Anonymous | Anonymous |
| Overall Privacy | Good | Maximum |
Why Burn to ETA?
Burning to an ETA is the preferred option when:
| Scenario | Rationale |
|---|---|
| Maximum Privacy | Keep amount hidden end-to-end |
| Continued Confidentiality | Plan to use funds confidentially |
| Re-entering Mixer Later | ETA deposits hide amount |
| Hiding Wealth | Total holdings stay private |
The ETA → Mixer → ETA Flow
This is the gold standard for privacy:
| Stage | What's Hidden |
|---|---|
| Entry | Amount (ETA deposit) |
| In Pool | Identity (mixer anonymity) |
| Exit | Amount (ETA withdrawal) |
No information is ever exposed publicly.
Prerequisites
Same as burning to ATA, plus ETA requirements:
| Requirement | Description |
|---|---|
| Unlocking Authority | Know preimages of UTXO's unlocking address |
| Mixing Delay Passed | Sufficient time since deposit |
| UTXO Not Spent | Nullifier not in nullifier set |
| Destination Match | Must burn to the destination set at deposit |
Note: Recipient's X25519 registration is not required at burn time. If the recipient hasn't registered, funds are held securely until they register and claim. See Recipient Without X25519 Registration.
Destination Address Constraint
The destination address is fixed at deposit time. For ETA burns, this means the destination ETA must belong to the L1 address specified when the UTXO was created.
The Burn Process
Step 1: Construct the Zero-Knowledge Proof
Same proof requirements as public burn:
| Claim | What You Prove |
|---|---|
| Membership | UTXO commitment exists in Merkle tree |
| Ownership | Know all preimages of unlocking address |
| Nullifier Correctness | Nullifier correctly derived |
| Destination Match | Burn outputs to correct destination |
Step 2: MPC Involvement
Unlike public burns, ETA burns involve the Arcium MPC for encrypted balance updates:
Step 3: Encrypted Balance Update
The MPC:
- Receives the withdrawal amount
- Encrypts it using the recipient's X25519 public key
- Adds the encrypted amount to the recipient's ETA balance
All arithmetic happens in the encrypted domain.
Step 4: Amount Correctness Verification
To ensure the amount credited to the ETA exactly matches the amount burned from the UTXO, Umbra uses the Polynomial Commitment Protocol. This is a hybrid verification approach combining both Zero-Knowledge Proofs and MPC verification.
How the Protocol Works
- Commit Phase: The burn amount is encoded as a polynomial and committed using a hiding commitment scheme
- ZK Proof Generation: The spender generates a proof that the committed amount matches the UTXO value without revealing the actual amount
- MPC Evaluation: The Arcium MPC network evaluates the polynomial at a secret point, producing a share of the result
- Cross-Verification: The MPC collectively verifies that the encrypted amount being credited to the ETA corresponds to the same polynomial commitment
| Component | Role |
|---|---|
| Polynomial Commitment | Binds the hidden amount to a verifiable commitment |
| ZK Proof | Proves the committed amount matches the UTXO without revealing it |
| MPC Verification | Confirms the encrypted ETA credit matches the committed amount |
This ensures no value is created or destroyed during the burn - the exact amount leaving the mixer pool equals the exact amount entering the ETA. The polynomial commitment acts as a cryptographic bridge between the ZK domain (UTXO spending) and the MPC domain (ETA balance updates).
Step 5: On-Chain Updates
Burning to Your Own ETA
When burning to your own ETA (self-withdrawal):
| Aspect | Details |
|---|---|
| Unlocking Address | Your User Commitment |
| Destination Address | Your L1 Address |
| Who Burns | You |
| Who Sees Amount | Only you (via X25519) |
Burning to Someone Else's ETA
When using ephemeral keys, you can burn to another user's ETA:
| Aspect | Details |
|---|---|
| Who Burns | You (the sender) |
| Who Receives | Recipient (at their ETA) |
| Amount Visibility | Hidden from everyone except recipient (after they claim) |
| Recipient's Action | If registered: none. If not registered: must register X25519 and claim |
If the recipient has already registered their X25519 public key, funds appear immediately in their ETA. If not, see the next section.
Recipient Without X25519 Registration
You can still burn to an ETA even if the recipient hasn't registered their X25519 public key. The funds are held securely until the recipient registers and claims them.
How It Works
When burning to a non-registered recipient:
| Stage | Balance Visibility |
|---|---|
| Before Registration | Encrypted for MPC only - no one can see the amount, not even the recipient |
| After Registration + Claim | Encrypted for both MPC and recipient - recipient can now see their total balance |
The Claim Process
Claiming requires two separate instructions:
- Register X25519 Public Key - The recipient registers their X25519 keypair on-chain
- Claim Pending Burns - The MPC converts the balance into a form readable by the recipient
When the recipient claims:
- The MPC re-encrypts the balance so the recipient can decrypt it with their X25519 private key
- The recipient sees their total aggregated balance from all pending burns
- Individual transfer history from before registration is not available - only the total
Linker Derivation
Linkers are cryptographic identifiers used to connect UTXOs with their intended recipients and enable the MPC to correctly route funds. Importantly, different MVKs are used at creation vs. claim:
| Operation | MVK Used | Explanation |
|---|---|---|
| UTXO Creation | Sender's MVK (part of sender's User Commitment) | The sender uses their own MVK to create the linker, binding the UTXO to their identity for auditability |
| Claim | Unlocking user's MVK | The recipient derives the linker from their own MVK to prove they are the intended recipient |
This design ensures:
- Sender auditability: The sender's MVK is used during creation, creating an auditable record of who sent the funds
- Recipient verification: The unlocking user's MVK is used during claim, proving they hold the keys corresponding to the unlocking address
- Dual accountability: Both parties have cryptographic linkage to the transaction through their respective MVKs
- Privacy preservation: Neither MVK is revealed publicly - only the derived linkers are used in the protocol
Privacy During Pending State
| Information | Visibility |
|---|---|
| Individual burn amounts | Hidden from everyone (including recipient) |
| Total pending balance | Hidden from everyone (only MPC knows) |
| That burns occurred | Public (on-chain events) |
| Recipient address | Public |
Even while funds are pending, no external observer - and not even the recipient - can see the amounts. Privacy is maintained throughout.
After Claiming
| Information | Visibility |
|---|---|
| Total ETA balance | Visible to recipient (via X25519) |
| Individual transfer amounts | Not visible (aggregated into total) |
| Transfer history | Not available for pre-registration burns |
Alternative: Burn to ATA
If you prefer the recipient to see funds immediately (sacrificing amount privacy):
This makes the amount publicly visible but requires no registration from the recipient.
Technical Details
Instruction: BurnToETA
| Parameter | Description |
|---|---|
| proof | Zero-knowledge proof of UTXO ownership |
| nullifier | Derived nullifier |
| merkle_root | Merkle root being proven against |
| amount | Withdrawal amount (for MPC processing) |
| destination | Destination L1 address (ETA owner) |
On-Chain Effects
| Change | Description |
|---|---|
| Nullifier Set | Nullifier added |
| Pool Balance | Decremented |
| Destination ETA Balance | Encrypted increment |
| Destination ETA Nonce | Updated |
MPC Processing
The MPC handles the encrypted balance update by adding the encrypted withdrawal amount to the recipient's existing ETA balance. All arithmetic is performed in the encrypted domain using the recipient's X25519 key.
Privacy Analysis
What's Hidden
| Information | Hidden From |
|---|---|
| Withdrawal Amount | Everyone except recipient |
| Source UTXO | Everyone |
| Link to Deposit | Everyone |
| Recipient's New Balance | Everyone except recipient |
What's Visible
| Information | Visibility |
|---|---|
| That a burn occurred | Public |
| Recipient's L1 address | Public |
| Nullifier | Public |
| Transaction time | Public |
Privacy Advantage Over ATA Burn
With ATA burns, observers can:
- See exact withdrawal amounts
- Potentially correlate with deposit amounts
- Build statistical models of likely deposit-withdrawal pairs
With ETA burns, observers see only that a burn occurred-no amount data to correlate.
Error Conditions
| Error | Cause | Resolution |
|---|---|---|
| Invalid Proof | Proof verification failed | Check proof inputs |
| Nullifier Already Used | UTXO already spent | Cannot spend again |
| Mixing Delay Not Met | Too soon after deposit | Wait longer |
| Destination Mismatch | Wrong destination address | Use original destination |
Note: Burning to a recipient without X25519 registration is not an error - the funds are held until they register and claim.
Use Cases
Anonymous Savings
Multiple deposits from various sources, consolidated into your ETA with hidden total.
Private Payments to Registered Users
Send to someone's ETA without revealing the amount publicly:
Anonymous Revenue Collection
Businesses can receive payments through the mixer:
Competitors cannot see individual payment amounts or total revenue.
Summary
| Aspect | Details |
|---|---|
| Source | Unified Mixer Pool (UTXO) |
| Destination | Encrypted Token Account (ETA) |
| Amount Visibility | Hidden (encrypted) |
| Source Anonymity | Hidden - cannot link to any deposit |
| Proof Required | ZK proof of UTXO ownership |
| MPC Required | Yes - for encrypted balance update |
| Amount Verification | Polynomial Commitment Protocol |
| Non-Registered Recipients | Supported - funds held until they register and claim |
| Best For | Maximum privacy - hidden amounts, anonymous source |
Burning UTXOs to Public Balance
Learn how to withdraw funds from Umbra's Unified Mixer Pool to a public Associated Token Account (ATA) after the mixing delay period completes.
Unlocking Address Strategies
Choosing between registered commitments and ephemeral keys when creating UTXOs for different recipients