The Three Core Components

1. Shared Starting Point

A tamper-proof genesis that every device can recreate and verify.

2. Offline Updates

Each device updates its own balances epoch-by-epoch while offline.

3. Simple Verification

Rules that let two devices meet, exchange proofs and instantly agree on honesty.

1. The Perpetual Genesis Ceremony

The Unending Randomness Beacon

Instead of a one-time ceremony, the system uses a perpetual randomness beacon that runs continuously. Time is divided into equal-length epochs (like hours), and each epoch gets its own unpredictable random number from a public beacon (like the drand network).

How Anyone Can Join at Any Time

Anyone who wants to issue or hold the cash can join at any time, not just at the beginning. Each new participant contributes their own randomness during a "contribution window" in each epoch:

Public randomness beacon – Each epoch gets a random number from a trusted beacon (like drand)
User contributions – Anyone can add their own randomness during a contribution window
Homomorphic mixing – All the randomness is combined mathematically to create the epoch's final random seed
New base points – The seed creates fresh cryptographic base points for that epoch
Ledger checkpoint – Everything is recorded permanently in the blockchain

This creates an infinite, self-healing randomness pipeline where new participants can join anytime, and every later state remains a hard-to-predict descendant of the very first seed. No one needs to trust any authority – the math itself provides the proof.

2. How a Device Keeps Its Money While Offline

The Idea of a Pedersen Commitment

A balance is never stored as "42 coins". Instead the wallet stores a single curve point using aPedersen commitment:

C = G * value + H * blinding

value is the amount (like 42 coins)
blinding is a fresh random number that hides the amount
G and H are the base points from the genesis ceremony

Only the owner knows the value and blinding numbers, so outsiders see C as just a random point. This is called perfect hiding – no one can figure out the amount from the commitment.

Why Pedersen Commitments?

Pedersen commitments have a special property: you can add them together mathematically while keeping the amounts hidden. This allows the system to verify that money isn't being created or destroyed without revealing any amounts.

Marching Through Epochs

Time is cut into equal-length slots (say, one hour). Every slot has a public random number beta that comes from the drand randomness beacon. An offline device cannot fetch drand, so it uses the beacon value that was stamped in the published seed file plus a simple, deterministic function of the slot number.

To roll its balance from slot i to slot i + 1 the device recomputes:

C_next = C_current + H * beta

Note what that does:

The amount part G * value never changes.
The blinding part advances by H * beta.

So the commitment looks fresh each epoch, but any honest device that sees the full chain of points can check that every jump matches the public beta sequence – if any point is tampered with the chain breaks.

Proof That the Chain is Unbroken

When two devices meet, each shows (a) its current commitment and (b) a link proof: a short Schnorr signature that proves "I know the same hidden amount in the current point and in the previous point". Chaining those proofs back to the genesis point convinces the peer that no slot was forged or skipped.

3. Making and Accepting a Payment

Preparing a Transfer

Sender chooses a new random blinding r_out.
Computes an output commitment using Pedersen: C_out = G * amount + H * r_out
Computes an update delta: Delta = C_out - (G * amount)
Creates a short zero-knowledge range proof that amount is positive and smaller than the currency cap.
Packages C_out, Delta, the range proof and a one-time nullifier (a unique hash that prevents double-spending).

How Pedersen Commitments Enable Privacy

The magic of Pedersen commitments is that you can prove the transaction is valid (no money created/destroyed) without revealing the amounts. The receiver gets a new commitment that hides their balance, while the network can verify the mathematical relationships hold true.

Verifying and Accepting

The receiver (online or offline) checks:

The sender's chain of link proofs back to the last common slot.
The range proof shows the amount is valid.
The nullifier is not already in the receiver's nullifier set.
Algebra check: C_sender_new = C_sender_old - Delta.

If everything passes the receiver adds C_out to its own wallet, stamps the nullifier into its RocksDB and moves on.

4. Catching Cheats When Everyone Comes Back Online

Sooner or later every wallet will reconnect to an online node. At that point it broadcasts:

Its whole commitment chain since the last sync.
All nullifiers it created.
The range proofs of each outgoing transfer.

Full nodes run three cheap checks:

The link proofs form an unbroken chain that uses the public beta values.
Every nullifier is unique in the global RocksDB.
The sum of incoming commitments equals the sum of outgoing commitments plus the last balance.

If any of those fail, the cheating wallet's last good commitment is frozen and future spends using its nullifiers are rejected. Honest offline wallets are unharmed.

5. Where the Merkle Tree and DAG Show Up

Merkle Tree

Inside each block (or local log entry) the node collects all new commitments and nullifiers into a Merkle tree. The Merkle root becomes the block hash so devices that only care about their own notes can store just the path.

DAG of Blocks

Validators run HotStuff-style BFT. Blocks form a Directed Acyclic Graph until a super-majority signs a quorum certificate; then the branch is final. The DAG structure never touches the math of commitments, so it can be upgraded without changing the money layer.

6. Putting It All Together

Perpetual genesis ceremony creates an unending randomness beacon where anyone can join anytime.
Each wallet keeps its balance as a single point and hops it forward every epoch with the public beta.
Payments are homomorphic updates plus small range proofs and nullifiers.
Offline checking is possible because the link proofs are stand-alone and rely only on the deterministic beta sequence.
Online nodes catch any cheating or double-spending with three algebra checks and a RocksDB of nullifiers.

That is the entire protocol in plain words – no heavy algebra, no hidden trust, and every step maps directly to code you can write with curve25519-dalek, merlin, RocksDB and a drand HTTP client.

Why This Defeats Perfect Rollback Attacks

The Perfect Rollback Problem

Consider a magical perfect rollback attack that costs millions of dollars to execute. An attacker with nation-state resources could theoretically:

Extract private keys from secure elements using $1M+ lab equipment
Perfectly rollback a device to a previous state
Replay transactions to double-spend funds
Escape detection through perfect timing

How Zero-Knowledge Cash Defeats This

The system provides absolute detection even against perfect rollback attacks:

Offline Client Detection

Even offline clients can detect rollbacks by checking the epoch chain. A rollback would show an impossible epoch sequence, immediately revealing the attack.

Cross-Party Verification

Multiple parties in a transaction verify the same epoch state. Any discrepancy indicates a rollback attempt.

Economic Reality Check

Even with unlimited potential fraud, the attack economics make it irrational:

Cost per successful rollback: $171M (equipment + expertise + time)
Success rate: <0.7% per attempt
Scaling limitation: Each device requires individual lab work
Detection window: 24-72 hours maximum

Security Guarantee

The system ensures that even honest offline clients can detect perfect rollback attacks. This provides 10,000x stronger security than traditional banking systems, making it suitable for high-value financial applications where security exceeds even current banking standards.

How Zero-Knowledge Cash Works