arxiv: 2606.10172 · v1 · pith:CEO4NW2Fnew · submitted 2026-06-08 · 💻 cs.CR

Proof of Source of Funds: Efficient On-chain Provenance of Cryptoassets

Pith reviewed 2026-06-27 15:59 UTC · model grok-4.3

classification 💻 cs.CR
keywords proof of source of funds · zero-knowledge proofs · crypto compliance · incrementally verifiable computation · transaction DAG · privacy-preserving regulation · blockchain provenance

The pith

Users generate zero-knowledge proofs that their crypto deposits come only from compliant sources, letting platforms verify in constant time without monitoring or leaks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a shift from platform-side transaction surveillance to user-generated cryptographic proofs of fund provenance. It models ledger histories as a temporal directed acyclic graph of value flows that covers both UTXO and account-based systems. Users extract a compliant sub-graph and apply incrementally verifiable computation to prove state-transition rules that block tainted funds. Platforms then perform a single constant-time check to admit the deposit. This keeps all intermediate addresses, paths, and origins hidden while meeting regulatory requirements.

Core claim

PoSoF lets a user extract a compliant sub-DAG from their transaction history and use IVC to prove that the deposited value satisfies rigorous state-transition predicates ensuring exclusive origin from compliant sources, without revealing the topology, addresses, or specific origins, while reducing on-chain verification to constant time.

What carries the argument

Incrementally Verifiable Computation (IVC) over a temporal Directed Acyclic Graph (DAG) abstraction of generalized value flows, used to prove compliant sub-histories.
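
An added example, not the paper's circuit or prototype code: a plaintext Python check of the relation that the figure captions on this page name (G′ ⊆ G, strict temporal ordering, flow solvency v_out ≤ Σ v_in, source anchoring), run on a constructed diamond topology like the one in the Figure 7 caption. The `Edge` type, `check_witness`, the node labels, heights and values are assumptions made for illustration; in PoSoF these predicates are enforced inside the zero-knowledge circuit, so the witness itself is never shown to the platform.

```python
from collections import defaultdict
from typing import NamedTuple


class Edge(NamedTuple):
    src: str    # sending node (constructed label)
    dst: str    # receiving node
    value: int  # amount moved along this edge


def check_witness(ledger, sub_dag, height, compliant, sink, deposit):
    """Check a sub-DAG witness in the clear; return the violated predicates.

    An empty list means the witness satisfies all four checks.
    """
    violations = []
    inflow, outflow = defaultdict(int), defaultdict(int)
    for e in sub_dag:
        # G' must be a sub-graph of the ledger G: no invented edges.
        if e not in ledger:
            violations.append(("not_in_ledger", e.src, e.dst))
        # Strict temporal ordering, which also rules out cycles.
        if not height[e.src] < height[e.dst]:
            violations.append(("temporal_order", e.src, e.dst))
        inflow[e.dst] += e.value
        outflow[e.src] += e.value
    # The deposit is what leaves the sink towards the platform.
    outflow[sink] += deposit
    for node in sorted(set(inflow) | set(outflow)):
        if inflow[node] == 0:
            # Source anchoring: every root of the witness is a compliant origin.
            if node not in compliant:
                violations.append(("source_anchoring", node))
        elif outflow[node] > inflow[node]:
            # Flow solvency: v_out <= sum(v_in) at every non-root node.
            violations.append(("flow_solvency", node))
    return violations


# Constructed ledger: compliant origins CA and CB and an unlisted source X
# all pay into the same hub, which then pays the user.
LEDGER = {Edge("CA", "hub", 5), Edge("CB", "hub", 3),
          Edge("X", "hub", 4), Edge("hub", "user", 6)}
HEIGHT = {"CA": 1, "CB": 2, "X": 3, "hub": 4, "user": 5}
COMPLIANT = {"CA", "CB"}
DIAMOND = [Edge("CA", "hub", 5), Edge("CB", "hub", 3), Edge("hub", "user", 6)]


def run_scenarios():
    args = (HEIGHT, COMPLIANT, "user")
    return {
        "diamond": check_witness(LEDGER, DIAMOND, *args, 6),
        "over_deposit": check_witness(LEDGER, DIAMOND, *args, 7),
        "with_tainted": check_witness(LEDGER, DIAMOND + [Edge("X", "hub", 4)], *args, 6),
        "single_path": check_witness(LEDGER, [DIAMOND[0], DIAMOND[2]], *args, 6),
        "forged_edge": check_witness(LEDGER, [Edge("CA", "hub", 9), DIAMOND[2]], *args, 6),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result or "accepted")
```

The `single_path` case shows why a capacity-balanced sub-DAG can be needed: one compliant inflow of 5 cannot cover an outflow of 6, while the two-origin diamond can.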

Load-bearing premise

Users can always extract a compliant sub-DAG from their full history and prove the required state transitions with IVC without leakage or prohibitive cost.

What would settle it

A deposit from non-compliant sources that still produces a verifying proof, or a set of compliant funds for which no valid proof can be generated in reasonable time.

Figures

Figures reproduced from arXiv: 2606.10172 by Alireza Kavousi, István András Seres, Zhipeng Wang.

Figure 1: Compliant Subgraph Extraction. (Left) The global ledger G contains a co-mingled graph of compliant and unauthorized transactions. (Right) The prover utilizes a constrained graph search to extract a compliant sub-DAG G′ ⊆ G. The nodal predicates (e.g., Flow Solvency, Strict Temporal Ordering) are natively enforced over this isolated topology by the zero-knowledge circuit.

Figure 2: Account-Based Provenance Illustration. A single identity

Figure 3: UTXO-Based Provenance Illustration. In the Bitcoin sub-DAG,

Figure 4: Prover's Sub-DAG Witness (G′). Scenario 1 isolates a single path via greedy search. Complex topologies may require capacity-balanced sub-DAGs: Scenario 2 demonstrates fractional consumption (v_out ≤ Σ v_in) absorbing surplus capacity, while Scenario 3 excludes non-compliant inflows (dashed gray) for strict Source Anchoring. Temporal acyclicity (h_i < h_{i+1}) is strictly enforced across all valid edges.

Figure 5: PoSoF-Prover microbenchmarks vs. compile-time maximum hops Lmax (active hops k = Lmax per row; Apple Silicon laptop; gnark v0.14 Groth16/BN254 harness).

6.2 Proof System with Folding-based IVC. The Groth16 prototype in §6 compiles the full linear predicate bundle into one monolithic arithmetic circuit. While optimized for a one-shot compliance check (≈ 37 s proving time), this static architecture scales poor…

Figure 6: Groth16 vs. IVC when attesting a provenance path of length

Figure 7: Toy dag_diamond topology. Two compliant origins (CA, CB) converge at an intermediate merge hub. Rather than utilizing dual independent proofs, our circuit multiplexing strategy folds this convergence into a single incrementally verifiable chain.

… to evaluate these signatures inside the SNARK curve. Verification Architecture. Finally, it is crucial to note that Bitcoin Script currently lacks the expressivity…
Original abstract

Regulatory compliance is increasingly mandatory for decentralized finance and privacy-enhancing technologies. Current approaches rely on binary inclusion/exclusion lists or retroactive graph analysis by centralized blockchain intelligence firms. This approach strips honest users of their financial privacy, leads to false positives and negatives, and forces decentralized platforms to bear the burden of on-chain transaction monitoring. In this work, we propose a paradigm shift: moving from platform-side surveillance to user-side provenance. We introduce Proof of Source of Funds (PoSoF), a novel cryptographic framework that shifts the burden to the user. Rather than the platform tracing funds, the user locally generates a zero-knowledge proof demonstrating that their deposit originates exclusively from a set of compliant sources. The platform is thus relieved of chain-analysis duties, requiring a constant-time, O(1) verification to enforce admission control. We formulate a unified temporal Directed Acyclic Graph (DAG) abstraction that formalizes both UTXO and account-based ledger histories within a generalized value-flow model. Users extract a compliant sub-DAG of their transaction history and utilize Incrementally Verifiable Computation (IVC) to prove rigorous state-transition predicates that protect against various attack vectors. Crucially, PoSoF provides verifiable cryptographic provenance; it guarantees the legitimacy of the funds without leaking the intermediate transaction topology, intermediary addresses, or the specific origins utilized. We formally define the security properties of PoSoF and evaluate an Ethereum-compatible prototype. Our benchmarks demonstrate that fully private, proactive compliance is highly practical, requiring only ~1.8 s to incrementally update a user's PoSoF per new transaction, and a constant-time ~1.5 ms (~800k gas) for final on-chain EVM verification.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes Proof of Source of Funds (PoSoF), a cryptographic framework that shifts regulatory compliance burden to users via zero-knowledge proofs. Users extract a compliant sub-DAG from their transaction history (modeled as a unified temporal DAG for UTXO and account-based ledgers) and use Incrementally Verifiable Computation (IVC) to prove state-transition predicates ensuring funds originate only from compliant sources. The platform performs constant-time O(1) verification. The work formally defines security properties and reports an Ethereum prototype with ~1.8 s incremental updates and ~1.5 ms (~800k gas) on-chain verification, claiming no leakage of topology, addresses, or origins.

Significance. If the security properties, sub-DAG extraction feasibility, and IVC performance hold, the result would be significant for privacy-preserving DeFi compliance. It offers a user-side alternative to centralized chain analysis, unifies ledger models, and demonstrates practical on-chain verification costs. The incremental IVC approach and proactive compliance paradigm address real regulatory pressures while preserving privacy, provided the zero-knowledge guarantees are rigorously established.

major comments (2)
  1. [Abstract and security definitions section] The central security claims (no leakage of topology or origins, and prevention of non-compliant mixing) rest on the existence of an always-extractable compliant sub-DAG and efficient IVC circuits for the value-flow predicates. No extraction algorithm, formal predicate definitions, or circuit construction details are supplied, making it impossible to verify that the predicates are expressible without prohibitive cost or leakage; this is load-bearing for all stated security properties.
  2. [Evaluation and benchmarks section] The reported timings (~1.8 s incremental update, ~1.5 ms verification) are presented without specifying history length, IVC recursion depth, circuit size growth, or error analysis. If circuit size scales with transaction count or extraction is non-canonical, both the zero-knowledge property and the constant-time claim become conditional; this directly affects the practicality evaluation.
minor comments (2)
  1. [Abstract] The abstract claims formal definitions of security properties but the provided text contains none; adding explicit definitions (e.g., for the sub-DAG extraction and IVC predicates) would improve clarity.
  2. [Model section] Notation for the temporal DAG and value-flow model should be introduced with a dedicated figure or table to aid readers unfamiliar with the unified UTXO/account abstraction.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments highlight areas where additional detail will strengthen the manuscript's verifiability. We respond to each major comment below and commit to revisions that address the concerns without altering the core claims.

  1. Referee: [Abstract and security definitions section] The central security claims (no leakage of topology or origins, and prevention of non-compliant mixing) rest on the existence of an always-extractable compliant sub-DAG and efficient IVC circuits for the value-flow predicates. No extraction algorithm, formal predicate definitions, or circuit construction details are supplied, making it impossible to verify that the predicates are expressible without prohibitive cost or leakage; this is load-bearing for all stated security properties.

    Authors: We acknowledge that the manuscript does not supply the extraction algorithm, formal predicate definitions, or circuit construction details. These omissions make independent verification of the security properties difficult. In the revised manuscript we will add a new subsection that presents the sub-DAG extraction algorithm, supplies formal definitions of the value-flow predicates, and outlines the IVC circuit constructions (including predicate encoding and recursion structure) at a level sufficient to assess expressibility, cost, and zero-knowledge guarantees. revision: yes

  2. Referee: [Evaluation and benchmarks section] The reported timings (~1.8 s incremental update, ~1.5 ms verification) are presented without specifying history length, IVC recursion depth, circuit size growth, or error analysis. If circuit size scales with transaction count or extraction is non-canonical, both the zero-knowledge property and the constant-time claim become conditional; this directly affects the practicality evaluation.

    Authors: The referee is correct that the evaluation section omits key experimental parameters. We will expand the benchmarks section to report the transaction-history lengths tested, IVC recursion depths, observed circuit-size growth, and any error or variability analysis. These additions will make explicit the conditions under which the reported timings hold and will clarify the scope of the constant-time verification claim. revision: yes

Circularity Check

0 steps flagged

No circularity in derivation chain

The paper introduces PoSoF as a new construction that shifts compliance to user-generated zero-knowledge proofs over a generalized DAG value-flow model, using standard IVC primitives to prove state-transition predicates. No load-bearing step reduces by definition or self-citation to its own inputs; the unified temporal DAG abstraction, security properties, and extraction of compliant sub-DAGs are presented as independent formalizations rather than tautological renamings or fitted predictions. Benchmarks are reported as empirical prototype measurements, not derived outputs. The framework is self-contained against external cryptographic assumptions without self-referential loops.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The central claim rests on standard cryptographic assumptions for ZK proofs and IVC, plus the modeling choice of a unified temporal DAG; no free parameters or invented physical entities are introduced.

axioms (2)
  • [standard math] Soundness and zero-knowledge properties of the underlying ZK and IVC primitives hold.
    Invoked when claiming that proofs guarantee legitimacy without leakage.
  • [domain assumption] A compliant sub-DAG can be extracted from any user's transaction history.
    Required for users to generate valid proofs in the generalized value-flow model.
invented entities (1)
  • PoSoF framework [no independent evidence]
    Purpose: User-side cryptographic provenance for compliant deposits.
    Newly defined protocol combining DAG abstraction and IVC; no independent evidence provided beyond the proposal itself.
