A hybrid transaction model is an architectural pattern where the execution of a transaction's logic occurs off-chain, while its outcome or final state is settled on-chain. This separation is crucial for applications that process sensitive data or complex computations that are impractical to run directly on a public blockchain. Common use cases include private voting, confidential DeFi strategies, and enterprise supply chain tracking where business logic is proprietary but auditability is required. The core challenge is ensuring the integrity of the off-chain computation so the on-chain settlement can be trusted.
LABS
Guides
How to Architect a Hybrid Public-Private Transaction Model
This guide provides a technical blueprint for building a fractional ownership system where asset metadata is public, but holder data is private. It covers state separation, privacy co-processors, and consistency mechanisms.
Chainscore © 2026
introduction
GUIDE
How to Architect a Hybrid Public-Private Transaction Model
A hybrid transaction model combines on-chain settlement with off-chain execution, enabling applications that require both public verifiability and private computation.
Architecting this model requires selecting a verification mechanism to bridge the off-chain and on-chain worlds. The three primary approaches are: Zero-Knowledge Proofs (ZKPs), where a cryptographic proof attests to correct execution without revealing inputs; Trusted Execution Environments (TEEs) like Intel SGX, which provide a secure, attestable hardware enclave; and Optimistic schemes with fraud proofs, which assume correctness but allow challenges within a dispute window. The choice depends on your threat model, performance needs, and development complexity.
A standard implementation flow involves four components: a client application, an off-chain prover/executor, a verification contract on-chain, and a state settlement contract. First, the client submits private inputs to the off-chain executor. The executor runs the business logic and generates a state transition proof (e.g., a ZK-SNARK). This proof, along with the new public state, is sent to the on-chain verifier. The smart contract verifies the proof's validity and, if correct, updates the application's public state on-chain, finalizing the transaction.
For example, consider a private auction. Bids (private inputs) are sent to an off-chain service. This service computes the winner and final price (private execution), then generates a ZK-proof demonstrating the winner was selected correctly according to the rules. Only the proof and the winner's public address (public output) are published to an Ethereum verification contract. The contract checks the proof and, upon verification, transfers the NFT to the winner and funds to the seller. The bids remain confidential, but the outcome is publicly verifiable.
Key design considerations include data availability—ensuring necessary public data is accessible for verification—and oracle integration for external data. Managing the economic incentives for off-chain operators and the cost of on-chain verification (especially for ZK-proofs) is critical. Frameworks like Aztec Network for ZK-rollups or Oasis Network for TEE-based confidential smart contracts provide foundational layers. Always start by clearly defining which data must be private, which must be public, and the required trust assumptions for your specific application.
prerequisites
ARCHITECTURE FOUNDATION
Prerequisites and System Requirements
Before building a hybrid public-private transaction model, you must establish the correct technical and conceptual foundation. This section outlines the required knowledge, tools, and infrastructure.
A hybrid public-private transaction model combines the transparency and security of a public blockchain with the privacy and control of a private ledger. The core architectural pattern involves submitting a public proof (like a zero-knowledge proof or a hash commitment) to a mainnet like Ethereum, while keeping the sensitive transaction details and execution on a private, permissioned chain or off-chain environment. This requires a deep understanding of consensus mechanisms, cryptographic primitives (especially zk-SNARKs or zk-STARKs), and interoperability protocols.
Your development environment must support both public and private chain interactions. Essential tools include a Node.js or Go runtime, the Hardhat or Foundry framework for smart contract development, and a library for zero-knowledge proofs like circom with snarkjs. You will need access to an Ethereum testnet (Goerli, Sepolia) via a provider like Alchemy or Infura, and the ability to run a private network, such as a local Ganache instance or a Hyperledger Besu node. A basic understanding of Docker is recommended for containerizing private network components.
The smart contract architecture is critical. On the public chain, you will deploy verifier contracts to validate zero-knowledge proofs and state commitment contracts (like a Merkle root store). These contracts must be gas-optimized, as their functions will be called frequently. Use libraries such as OpenZeppelin for secure contract templates. The private side requires a transaction processor that can generate valid proofs, manage private state (e.g., a database), and submit transactions to the public verifier. This component is often built as a standalone service using a framework like Express.js.
Security considerations are paramount. You must audit the entire data flow: the integrity of proof generation, the trust assumptions of the relay between chains, and the resilience of the private system. Use multi-signature wallets (like Safe) to control the public contract owners. Implement secure off-chain storage for private data, considering solutions like IPFS with encryption or a dedicated secure database. Plan for key management for the private network's validators using a tool like Hashicorp Vault.
Finally, establish a testing and monitoring framework. Write comprehensive tests for your verifier logic and the end-to-end flow using Hardhat tests or Foundry's Forge. Simulate network failures and malicious inputs. Implement monitoring for the private service's health and the public contract's events using tools like The Graph for indexing and Prometheus with Grafana for metrics. This foundation ensures your hybrid model is robust, secure, and ready for production deployment.
architecture-overview
SYSTEM ARCHITECTURE OVERVIEW
How to Architect a Hybrid Public-Private Transaction Model
A hybrid public-private transaction model combines the transparency of a public ledger with the confidentiality of private execution, enabling selective data disclosure for enterprise and DeFi applications.
A hybrid transaction model is essential for applications requiring both public verifiability and private computation. In this architecture, transaction execution and state updates occur within a private environment, often using Trusted Execution Environments (TEEs) like Intel SGX or zero-knowledge proofs (ZKPs). The resulting state changes or validity proofs are then anchored to a public blockchain, such as Ethereum or Solana, creating an immutable, verifiable record. This separation allows for confidential business logic and sensitive data handling while leveraging the public chain for final settlement and censorship resistance.
The core architectural components include a private execution layer, a public settlement layer, and a bridging/verification mechanism. The private layer, which could be a dedicated blockchain (e.g., Hyperledger Fabric) or an off-chain network, processes transactions. The public layer, typically a Layer 1, records commitments. The bridge, often a smart contract, verifies proofs from the private layer before allowing state updates on-chain. Key design decisions involve choosing the privacy technology (TEE vs. ZKP), the data availability model for the private state, and the trust assumptions for the relay or prover network.
Implementing this model requires careful state management. You must define what data is kept private, what is published publicly, and how the two states are synchronized. For example, a DeFi pool might keep individual user balances private but publish a cryptographic commitment to the total pool liquidity on-chain. A common pattern uses a Merkle tree where the root is stored on-chain, and users can provide ZK proofs of their inclusion in the tree without revealing their specific leaf data. The smart contract on the public chain only accepts state root updates accompanied by a valid proof of correct private execution.
Security considerations are paramount. With TEE-based designs, you must account for hardware vulnerabilities and side-channel attacks. With ZKP systems, the trust shifts to the correctness of the cryptographic setup and the prover's honesty. A critical challenge is ensuring data availability for the private state so that users can exit or dispute transactions if the private operators go offline. Solutions like EigenDA or Celestia can be adapted for private data publishing. Furthermore, the bridging contract is a high-value target and must be rigorously audited to prevent exploits that could mint unauthorized assets on the public chain.
Use cases for this architecture are diverse. In enterprise supply chains, companies can privately track goods and only reveal specific certificates to regulators. In private DeFi, users can trade or lend assets without exposing their portfolios to front-running bots. GameFi projects can hide in-game item stats and player actions until a match concludes. When architecting your system, start by precisely defining the privacy and transparency requirements, then select the stack—such as using Aztec Network for ZK rollups or Oasis Protocol for TEE-based paratimes—that best matches your trust model and performance needs.
key-concepts
HYBRID TRANSACTION MODELS
Core Architectural Components
A hybrid public-private transaction model combines on-chain transparency with off-chain privacy. These are the key technical components required to build one.
05
Data Availability & Calldata
For a system to be trustless, certain data must be made available so users can reconstruct state and verify proofs independently.
- In validium models (e.g., StarkEx), transaction data is kept off-chain with a committee, trading some decentralization for lower cost.
- In zk-rollup models (e.g., zkSync, StarkNet), the essential data is posted as cheap calldata on Layer 1. This allows anyone to rebuild the state and challenge invalid transitions.
- The choice between rollup and validium is a core architectural decision balancing cost, throughput, and security.
< $0.01
zkRollup Tx Cost
2,000+ TPS
StarkEx Throughput
06
Relayer Network
Relayers are permissionless actors who submit user transactions to the public blockchain, solving the problem of who pays gas fees for private actions.
- A user creates a private, signed transaction with a fee for the relayer.
- The relayer batches this transaction with others, generates the ZK proof, and submits it to the mainnet verifier contract, paying the gas.
- The relayer is compensated from the user's fee. This design ensures privacy for the sender (their identity isn't linked to the on-chain gas payment) and enables seamless user experience.
- Tornado Cash and Aztec Connect used this model.
ARCHITECTURAL LAYER
Public vs. Private State Responsibilities
A breakdown of responsibilities for managing state data in a hybrid transaction model.
| State Component | Public Layer Responsibility | Private Layer Responsibility | Coordination Mechanism |
|---|---|---|---|
Transaction Validity Proofs | Verify ZK-SNARK/STARK proofs | Generate ZK-SNARK/STARK proofs | Proof publication and verification |
Asset Ownership Ledger | Maintain public balances for shielded assets | Maintain private ownership graphs and notes | Commitment tree roots anchored on-chain |
Transaction Data | Store transaction hashes and nullifiers | Store encrypted payloads and viewing keys | State synchronization via events |
Consensus & Finality | Provide canonical ordering and settlement | Process off-chain state transitions | Dispute resolution via fraud proofs |
Access Control | Enforce smart contract logic for entry/exit | Manage participant permissions and keys | Conditional logic bridges (e.g., Aztec, Aleo) |
Data Availability | Guarantee liveness for state commitments | Host private data with specified parties | Data availability committees or encrypted mempools |
Fee Payment | Accept native gas tokens (ETH, SOL) | Accept private payments or fee abstractions | Relayer networks or paymasters |
implement-public-layer
ARCHITECTURE
Step 1: Implementing the Public State Layer
The public state layer forms the foundational, immutable record of a hybrid system, anchoring private transactions to a verifiable on-chain history.
The public state layer is the canonical, permissionless blockchain component of a hybrid model. It serves as the single source of truth for critical, non-sensitive data that requires universal verifiability. This typically includes: the root hashes of private state Merkle trees, public account balances for fee payment, smart contract addresses for the private execution environment, and cryptographic commitments to private transactions. By publishing only commitments (like zk-SNARK proofs or hash digests), the public chain validates the correctness of private computations without revealing the underlying data.
Architecturally, this layer is often implemented as a set of verifier smart contracts on a base layer like Ethereum, or as a dedicated layer-1/layer-2 chain. The core contract functions include: submitPrivateTransaction(bytes proof, bytes32 newStateRoot) to post a verified state update, verifyInclusion(bytes32 root, bytes32 leaf, bytes32[] proof) for membership proofs, and managing a registry of authorized participants. The public state's immutability provides non-repudiation and a tamper-proof audit trail, allowing any observer to cryptographically verify the entire history's integrity.
For developers, implementing this layer begins with defining the public state schema. Using Solidity on Ethereum as an example, you would deploy a contract that stores the latest publicStateRoot. A private client would then generate a zk-SNARK proof (e.g., using Circom or Halo2) demonstrating a valid state transition from root R_old to R_new. Calling the verifier contract's updateState function with this proof executes the public update. Tools like Hardhat or Foundry are essential for testing these contracts, simulating fraud proofs, and ensuring gas efficiency for the frequent verification calls.
A critical design consideration is the data availability of the public state's inputs. If the public chain only stores a commitment, where is the data needed to reconstruct the private state? Solutions include using a Data Availability Committee (DAC), leveraging EigenDA or Celestia for scalable data availability layers, or employing validity proofs that bundle necessary data. The choice impacts security assumptions and trustlessness. The system must also manage finality; a private transaction is only considered settled once its commitment is included and finalized on the public layer, preventing chain reorgs from reversing private state.
implement-private-layer
ARCHITECTURE
Step 2: Implementing the Private State Layer
This section details the technical implementation of a private state layer, enabling confidential transactions and data within a public blockchain framework.
The core of a hybrid model is a private state layer that operates alongside the public ledger. This layer manages confidential data—such as transaction amounts, user balances, or proprietary business logic—off-chain. The public blockchain acts as an immutable anchor, recording only cryptographic commitments (like hashes or zero-knowledge proofs) to this private state. This separation ensures data privacy while maintaining the security and finality guarantees of the underlying public chain, such as Ethereum or Solana.
Implementing this layer requires a state management system that can handle private data with integrity. Common approaches include using a trusted execution environment (TEE) like Intel SGX, a secure multi-party computation (MPC) network, or a dedicated privacy-focused sidechain. The choice depends on the trust model and performance requirements. For instance, Aztec Network uses zk-rollups to create a private L2, while Oasis Network utilizes TEEs called "Confidential ParaTimes" to isolate smart contract execution.
Developers interact with this layer through specialized smart contracts or SDKs. A typical flow involves: 1) generating a private key for the user's confidential account, 2) submitting encrypted transactions to the private state processor, and 3) receiving a proof of valid state transition. The system must manage key storage and access control meticulously, often employing techniques like hierarchical deterministic (HD) wallets and signature schemes such as BLS or Schnorr for efficient aggregation.
Here is a conceptual code snippet for initiating a private transaction using a hypothetical SDK. The public commitment is what gets posted on-chain.
javascriptimport { PrivateWallet } from '@hybrid-sdk/private'; // Initialize wallet with private key const privateWallet = new PrivateWallet(userPrivateKey); // Create a confidential transfer object const privateTx = await privateWallet.createTransfer({ to: recipientPublicKey, amount: '100', // This value is kept private assetId: 'ETH' }); // Get the zero-knowledge proof and public commitment const { proof, publicCommitment } = await privateTx.generateProof(); // Submit only the proof & commitment to the public smart contract await publicContract.submitTransaction(proof, publicCommitment);
The primary challenge is ensuring state consistency between the public and private layers. A robust system employs fraud proofs or validity proofs (zk-SNARKs/zk-STARKs) to allow anyone to verify that the private state transitions are correct without seeing the underlying data. Regular state root updates posted to the main chain act as checkpoints, enabling light clients to verify the integrity of the private layer. This design is critical for trust minimization.
In summary, implementing the private state layer involves selecting a confidentiality technology, building a secure off-chain execution environment, and establishing a verifiable link to the public blockchain. Successful architectures, like those used by Aleo or Polygon Nightfall, demonstrate that with careful design, it is possible to achieve scalable privacy without compromising on-chain security.
bridge-consistency
ARCHITECTURE
Step 3: Building the Consistency Bridge
This step details the core architectural pattern for synchronizing private state with public blockchains, enabling verifiable computation without exposing sensitive data.
A hybrid public-private transaction model separates logic from data visibility. The private execution layer processes sensitive business logic off-chain, while the public settlement layer records cryptographic proofs of correct execution. This architecture is foundational for enterprise applications requiring confidentiality, such as supply chain tracking or private financial agreements. The critical component linking these layers is the consistency bridge, a set of smart contracts and off-chain services that ensure the private state transitions are valid and committed to the public chain.
The bridge's primary function is to generate and verify zero-knowledge proofs (ZKPs). When a transaction is processed in the private environment, a ZKP (like a zk-SNARK or zk-STARK) is generated. This proof cryptographically attests that the transaction followed the predefined rules without revealing the inputs or intermediate states. The proof is then submitted to a verifier smart contract on the public chain (e.g., Ethereum, Polygon). The contract's verifyProof() function checks the proof against a public verification key, and if valid, records a commitment (like a state root hash) to the new private state.
Here is a simplified conceptual interface for the core bridge contract:
solidityinterface IConsistencyBridge { function submitStateUpdate( bytes32 newStateRoot, bytes calldata zkProof ) external; function verifyProof( bytes32 publicInput, bytes calldata proof ) external view returns (bool); }
The newStateRoot is a Merkle root representing the entire private state after the transaction. The public chain only stores this root, not the underlying data. Disputes or audits can be resolved by challenging a state root and requiring the private network to provide a validity proof for the specific data in question.
Implementing this requires careful design of the state commitment scheme. A Merkle tree is commonly used, where each leaf is a hashed record of a private transaction or account state. The private network must maintain this tree and generate inclusion proofs. For high throughput, consider a zkRollup-like design where batches of private transactions are proven together, amortizing the cost of public verification. Tools like Circom for circuit design and SnarkJS for proof generation are essential for this layer.
Operational challenges include managing the prover key and verifier key setup, ensuring low latency between private execution and public settlement, and handling data availability for fraud proofs if using an optimistic model. The architecture must also define permissioning for who can submit proofs, often managed via a multisig or a decentralized validator set for the private layer. This setup creates a verifiable data pipeline where public blockchain security guarantees extend to off-chain, private business processes.
privacy-tools
ARCHITECTURE GUIDE
Privacy Co-Processor and ZK Tooling
Design a transaction model that selectively reveals data using zero-knowledge proofs and off-chain computation.
01
Define the Privacy Boundary
The first step is to architect what data stays on-chain (public) and what is computed off-chain (private).
- Public State: Settlement finality, asset identifiers, and proof verification results.
- Private State: User balances, transaction amounts, and counterparty identities held off-chain.
Use a commitment scheme (like a Merkle tree) to represent the private state on-chain without revealing its contents. Each private action updates this commitment, with a ZK proof attesting to the correct state transition.
04
Design the State Synchronization Mechanism
Ensure consistency between the private off-chain state and the public on-chain commitments.
- State Roots: The co-processor network maintains the canonical private state. Periodically, a state root (the hash of the private state Merkle tree) is posted on-chain.
- Validity Proofs: Every transaction batch includes a ZK proof that the new state root is a valid transition from the previous one, given the applied transactions.
- Fraud Proofs (Optional): In optimistic models, a challenge period allows watchers to dispute invalid state transitions, falling back to a fraud proof.
This mechanism allows the L1 to trust the off-chain state without seeing it.
06
Audit the Privacy & Security Model
Formally verify the system's guarantees before mainnet deployment.
- Circuit Audits: Hire specialized firms to audit your ZK circuit logic for soundness errors, which could leak data or allow forged proofs.
- Trust Assumptions: Document and minimize trust. Does the system rely on honest majority of provers? A trusted setup?
- Data Availability: Ensure the public data needed to reconstruct state (like nullifiers) is always available on-chain to prevent censorship.
- Cryptographic Review: Audit the implementation of elliptic curve pairings, hash functions, and other primitives within the proof system.
Treat the privacy co-processor as a critical consensus component with its own slashing conditions and economic security.
HYBRID TRANSACTION ARCHITECTURE
Frequently Asked Questions
Common questions and technical clarifications for developers implementing hybrid public-private transaction models on EVM chains.
A hybrid public-private transaction model is an architectural pattern that allows a single transaction to contain both public data, visible on-chain, and private data, encrypted and stored off-chain. This is typically implemented using commit-reveal schemes or zero-knowledge proofs (ZKPs). For example, a voting dApp might post a public commitment hash on-chain while storing the encrypted vote details on a decentralized storage network like IPFS or a private mempool service. The model's core components are:
- On-chain Verifier: A smart contract that validates proofs or commitments.
- Off-chain Prover/Encryptor: A client-side or server-side service that handles private computation.
- Data Availability Layer: A system (like Celestia, EigenDA, or a private P2P network) ensuring private data can be retrieved for verification when needed.
resource-links
GUIDES
Implementation Resources and Documentation
Key tools, protocols, and reference implementations for designing a hybrid public-private transaction architecture. Each resource focuses on a concrete layer of the stack, from private execution to selective disclosure and public settlement.
04
Selective Disclosure with Commitments and Merkle Proofs
A lightweight hybrid model uses cryptographic commitments and Merkle trees instead of full zk circuits. Sensitive data stays private, while verifiers can request targeted proofs.
Typical flow:
- Commit private transaction data using hash commitments
- Aggregate commitments into a Merkle tree
- Publish the Merkle root on a public chain
- Reveal specific leaves with Merkle proofs when required
This pattern is simpler than zk-SNARKs and works well for:
- Auditability with delayed disclosure
- Compliance reporting
- Low-frequency verification use cases
Gas costs are predictable, and verification logic is simple Solidity without custom precompiles.
05
Rollup-Based Hybrid Settlement
Hybrid models increasingly rely on rollups to combine private execution with cheap public settlement. Execution happens off-chain or in an encrypted VM, while calldata or proofs are posted to L1.
Design options:
- zk-rollups with private witnesses and public proofs
- Optimistic rollups with encrypted calldata and fraud proofs
- Hybrid L2s that expose only minimal state publicly
Relevant components:
- Ethereum calldata as a data availability layer
- L2-specific provers and sequencers
- Bridges for asset movement between private and public domains
This approach scales better than L1-only designs and aligns with current Ethereum roadmap priorities.
conclusion-next-steps
ARCHITECTURAL SUMMARY
Conclusion and Next Steps
This guide has outlined the core principles for designing a hybrid public-private transaction model. The next steps involve implementing these patterns and exploring advanced optimizations.
A hybrid public-private transaction model leverages the transparency and security of public blockchains like Ethereum or Solana for final settlement, while using off-chain systems or private channels for sensitive data and computation. The key architectural patterns include: using zero-knowledge proofs (ZKPs) to validate private state transitions on-chain, employing commit-reveal schemes for delayed privacy, and utilizing trusted execution environments (TEEs) for confidential smart contract execution. This separation allows applications to maintain user privacy and scalability without sacrificing the decentralized security guarantees of the underlying L1.
For implementation, start by defining your data taxonomy. Clearly categorize which data must be on-chain (e.g., asset ownership hashes, ZK proof verifications), which can be in a verifiable off-chain system (e.g., encrypted balances in a zkRollup), and which must remain entirely private (e.g., user identity details). Tools like Aztec Network provide a framework for private smart contracts, while StarkEx and zkSync offer customizable data availability modes. For enterprise use, consider Hyperledger Besu with its privacy manager or Baseline Protocol for coordinating private business logic with public Ethereum settlement.
Testing and auditing are critical. Use local development networks like Hardhat or Anvil to simulate the hybrid flow. Rigorously test the interaction points between public and private components—these are common failure points. Engage auditors familiar with privacy-preserving cryptography to review any custom ZK circuit logic or TEE attestation mechanisms. The OpenZeppelin Defender suite can help automate and secure the management of your hybrid system's administrative tasks.
Looking forward, consider these advanced optimizations. Explore recursive proofs to aggregate multiple private transactions into a single on-chain verification, drastically reducing gas costs. Investigate multi-party computation (MPC) for scenarios where no single party should hold complete private data. Stay updated with EIP-4844 proto-danksharding on Ethereum, which will significantly reduce the cost of posting data availability commitments for L2 privacy solutions. The field is rapidly evolving, with new cryptographic primitives and L2 designs emerging regularly.
To continue your learning, engage with the following resources. Study the documentation for Aztec's Noir language for writing private circuits. Review how Tornado Cash (conceptually) implemented privacy pools, understanding both its mechanism and the regulatory challenges it faced. Participate in research forums like the EthResearch category for privacy to discuss new trade-offs between privacy, scalability, and compliance in hybrid systems.