handout

The Web3 Privacy Toolkit (2026 Edition)
Leeds Blockchain Conference — Filipe (@filipeV3nancio | fven.xyz)

This is a companion to my talk. Not a whitepaper, not a sales pitch — just the stuff you'd actually want open in a tab if you sat down to build something private this week.

1. The Core Stack

Different privacy problems need different crypto primitives. Here's where things stand:

Tech       | Good For                           | Verification | Maturity
ZK-SNARKs  | Private transfers, identity proofs | < 10ms       | Production (Noir/Circom)
TEEs (SGX) | Dark pools, MEV protection         | Native       | Hardware-dependent
FHE        | On-chain confidential compute      | ~1s+         | Early (Fhenix/Zama)

Quick take: ZK-SNARKs are the only one ready for real users today. TEEs work but you're trusting Intel. FHE is exciting but slow — keep an eye on it, don't ship on it yet.

2. What to Build With Today

A. Noir 1.0

Aztec | ZK DSL | Rust-like

Noir is to ZK circuits what Solidity was to the EVM — the thing that made it accessible. You write Rust-like code, it compiles to a ZK circuit. No cryptography PhD required.

If you want private smart contracts on Aztec's network, this is where you start.

install // github.com/aztec-protocol/noir
curl -L noirup.dev | bash

B. Railgun SDK

DeFi Privacy | L1/L2 | PPOI

The go-to for adding privacy to existing DeFi. Swaps, transfers, LP positions — all shielded. The important bit: it has Private Proof of Innocence baked in, so you can stay private and compliant after the 2025 regulatory shifts.

install
npm install @railgun-community/wallet-sdk

C. Kohaku SDK

Ethereum Foundation | Stealth Addresses | ERC-5564

The EF's official privacy toolkit. Gives you stealth addresses and ZK-compliance modules you can drop into any wallet or dApp. Three of the four core modules (Stealth, Compliance, Registry) are audited and live.

quickstart
npx kohaku-init my-private-app

3. Regulatory Quick-Ref (UK/EU 2026)

MiCA (EU)

All assets need to support View Keys or ZK-Compliance Proofs for sanctions screening. Deadline: July 2026. If your protocol can't prove a transaction isn't from a sanctioned address without revealing the sender, you have a problem.

FCA (UK)

Focused on market abuse and MEV. Using privacy tools to hide wash trading = illegal. Using them to protect against front-running = encouraged. The line is intent, not the tool.

US Safe Harbor (March 2025)

Hosting decentralised, non-custodial privacy code is protected activity. Writing Tornado Cash is fine. Running a mixer with a fee and no compliance = not fine.

4. The "HTTPS Moment"

The pitch from my talk: privacy on-chain is going through the same transition HTTPS did. It went from "sketchy" to "default". Here's the core equation if you want to reason about ZK proofs:

V(S, π, P) = 1
S = public statement ("this tx is valid")
π = the proof (the SNARK itself)
P = public input ("amount > 0, sender has balance")

Privacy happens because the witness (the secret input — who you are, how much you have) is never revealed to the verifier.

That's it. Everything else — Noir circuits, Railgun shielding, stealth addresses — is just a nicer interface for constructing that π.

Next Steps

"Privacy is not about hiding. It's about ensuring that whoever has the information doesn't have all the power."