# Circuits

Arithmetic Circuits allow for zero-knowledge (ZK) operations, and are used e.g., by our genesis contracts for these specific use-cases:

- Phoenix: to spend notes and pay for gas.
- Citadel: to use in the Self-Sovereign Identity implementation.
- Zedger: to use the Zedger transaction model and spent securities.

Developers can write their own ZK circuits as part of their smart contracts, allowing for the proving and verification of zero-knowledge proofs.

## Phoenix circuits

Circuits in Phoenix prove that the following conditions hold true:

**Membership**: Every note that is about to be spent is included in the Merkle tree of notes.**Ownership**: The sender holds the note secret key for every note that is about to be spent.**Nullification**: The nullifier is calculated correctly.**Minting**: The value commitment for the newly minted notes are computed correctly.**Balance integrity**: The sum of the values of all spent notes is equal to the sum of the values of all minted notes + the gas fee + a deposit, where a deposit refers to funds being transfered to a contract.

For additional information, you can have a look at the circuits and specifications.

## Citadel circuits

Circuits in Citadel allow for the following actions: Request Creation and Encryption:

**Stealth Address Generation:**A new stealth address is correctly generated using Diffie-Hellman.**Data Encryption:**The license stealth address and an additional key are encrypted using the derived key.**Session Initialization:**Public inputs are used to construct session data (e.g. session ID, session hash, commitmentsâ€¦).**Verification**: Pedersen commitments and hash commitment are calculated and verified.**Data Decryption:**Requested data is decrypted using the derived key.**Signature Creation:**A signature for the license is generated using the license secret key and hash.**License Data Encryption**: The signature and attribute data are encrypted with the public key of the license.**Proof Generation**: A proof of membership in a Merkle tree is created.**Proof Verification:**: Cryptographic commitments are computed and the signature of the session hash is verified.

For additional information, you can have a look at the circuits and specifications.