Privacy Modes
dregg supports three verification modes with progressive privacy guarantees.
You choose the mode when authorizing an action -- the tradeoff is between
what the verifier learns and proof generation time.
Trusted Mode
Full cleartext evaluation. The verifier receives the complete token, Datalog derivation trace, and clearance result.
- Verifier learns: Everything -- the full token chain, all caveats, the derivation logic, and the conclusion.
- Use when: Both parties are in the same trust domain (same organization, same machine, internal microservices).
- Latency: ~8 microseconds (local Datalog evaluation only, no proof generation).
Selective Disclosure
The prover chooses which facts from the derivation trace to reveal. Everything else remains hidden behind a STARK proof. A Poseidon2 commitment binds the revealed facts to the proof so the prover cannot lie about what was derived.
- Verifier learns: The selected facts (e.g., "authorized for service: dns") plus a STARK proof that the full derivation is valid.
- Hidden: Unrevealed facts, delegation chain structure, intermediate authorities, token contents.
- Use when: Cross-organization interactions where partial disclosure is acceptable.
- Latency: ~200ms proof generation, ~2ms verification.
Per-Fact Disclosure Control
Each fact in the derivation trace can independently be:
- Reveal -- Show in plaintext.
- Predicate -- Prove a property (e.g., "balance >= 1000") without revealing the value.
- Committed Threshold -- Prove against a hidden threshold (neither value nor threshold visible to third parties).
- Hidden -- Nothing revealed (STARK proves existence only).
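The following is an added example, not code from dregg, that models the Reveal and Hidden choices above at the commitment layer: the prover commits to every fact in the derivation trace, opens only the facts it chooses to reveal, and the verifier checks each opening against the root commitment that the proof would be bound to. SHA-256 stands in for Poseidon2, the fact strings and trace are constructed for illustration, and the STARK itself (which proves the hidden facts form a valid derivation) is out of scope, as are the Predicate and Committed Threshold choices, which need the proof circuit rather than a plain opening.

```python
"""Per-fact disclosure over a derivation trace (illustrative model, not dregg's API)."""
import copy
import hashlib
import os
from enum import Enum

# Constructed derivation trace; the syntax is made up for this example.
TRACE = [
    "authority(root)",
    "delegates(root, org-a)",
    "delegates(org-a, agent-7)",
    "authorized(agent-7, service: dns)",
]


class Disclosure(Enum):
    REVEAL = "reveal"   # fact sent in plaintext together with its commitment opening
    HIDDEN = "hidden"   # only the commitment is sent; the proof would attest existence


def commit_fact(fact: str, salt: bytes) -> bytes:
    """Hiding, binding commitment to a single fact (SHA-256 as a stand-in for Poseidon2)."""
    return hashlib.sha256(salt + fact.encode()).digest()


def commit_trace(trace, salts):
    """Root commitment over all per-fact commitments; this is the value a proof binds to."""
    leaves = [commit_fact(f, s) for f, s in zip(trace, salts)]
    return hashlib.sha256(b"".join(leaves)).digest(), leaves


def build_presentation(trace, policy):
    """Prover side: apply the per-fact policy and return exactly what crosses the wire."""
    salts = [os.urandom(16) for _ in trace]
    root, leaves = commit_trace(trace, salts)
    entries = []
    for fact, salt, leaf, choice in zip(trace, salts, leaves, policy):
        if choice is Disclosure.REVEAL:
            entries.append({"commitment": leaf, "fact": fact, "salt": salt})
        else:
            entries.append({"commitment": leaf})  # hidden: no plaintext, no salt
    return {"root": root, "facts": entries}


def verify_presentation(pres):
    """Verifier side: every opened fact must match its commitment, and the
    commitments must match the root. Returns (ok, revealed_facts)."""
    leaves = [e["commitment"] for e in pres["facts"]]
    if hashlib.sha256(b"".join(leaves)).digest() != pres["root"]:
        return False, []
    revealed = []
    for e in pres["facts"]:
        if "fact" in e:
            if commit_fact(e["fact"], e["salt"]) != e["commitment"]:
                return False, []
            revealed.append(e["fact"])
    return True, revealed


def tamper(pres, index, new_fact):
    """Swap a revealed fact after committing, to show the binding check rejects it."""
    forged = copy.deepcopy(pres)
    forged["facts"][index]["fact"] = new_fact
    return forged


if __name__ == "__main__":
    policy = [Disclosure.HIDDEN] * 3 + [Disclosure.REVEAL]
    pres = build_presentation(TRACE, policy)
    print(verify_presentation(pres))
    print(verify_presentation(tamper(pres, 3, "authorized(agent-7, service: admin)")))
```

The salt per fact is what keeps a hidden commitment from being brute-forced over a small fact space; dropping it would let a verifier guess-and-check the hidden facts even though they are never sent.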
Fully Private
The verifier learns exactly one bit: whether authorization was granted or denied. The STARK proof covers the entire multi-step Datalog derivation without revealing any intermediate facts, chain length, or rule selections.
- Verifier learns: Allow or Deny. Nothing else.
- Hidden: All token contents, all derivation facts, chain length, identities, rule structure.
- Use when: Anonymous credential presentation, maximum privacy.
- Latency: ~500ms proof generation, ~2ms verification.
Anonymous Presentation
A variant of fully-private mode that additionally hides which federation member produced the proof. It uses per-presentation blinding (BlindedMerklePoseidon2StarkAir) so the same holder produces unlinkable proofs across sessions.
- Verifier learns: Some valid federation member authorized this request. Cannot determine which one.
- Unlinkability: Two proofs from the same agent cannot be correlated (fresh blinding each time).
Choosing a Mode
| Mode | Privacy Level | Speed | Proof Size |
|---|---|---|---|
| Trusted | None (full visibility) | ~8 us | 0 (no proof) |
| Selective | Partial (chosen facts only) | ~200 ms | ~24 KiB |
| Fully Private | Maximum (one bit) | ~500 ms | ~24 KiB |
| Anonymous | Maximum + unlinkable | ~500 ms | ~24 KiB |
Beyond Authorization Privacy
Authorization modes control what the verifier learns about your credentials.
dregg's privacy stack extends further:
- Amount privacy: Transfer amounts are Pedersen commitments. The federation verifies conservation (amounts balance) without seeing values.
- Recipient privacy: Stealth addresses derive one-time keys per transaction. Only the recipient can detect and spend incoming notes.
- Sovereign cell privacy: In sovereign mode, the federation stores only a 32-byte hash of your state. It never sees balances, capabilities, or metadata.
- Peer-to-peer privacy: Between known parties, interactions happen directly with no federation contact. Only your peer learns your new state commitment.
- Network privacy: Dandelion++ routing hides message origin. Fixed-size message padding prevents traffic analysis.
Honest limitation: Intent content is partially visible. SSE keyword tokens are enumerable by observers who know the keyword space. The executor sees sovereign state during federation-mediated multi-party interactions.
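As an added example (not dregg's code), the amount-privacy item above can be reduced to one check: with Pedersen commitments, a verifier multiplies the input commitments together, multiplies the output commitments together, and accepts only if the two products are equal, which holds exactly when the hidden amounts balance. The group below is a toy multiplicative group modulo a prime with generators chosen for illustration; a real deployment would use an elliptic-curve group, and the sender-side function and its blinding arrangement are assumptions made for this example.

```python
"""Conservation check over Pedersen commitments (illustrative, toy group parameters)."""
import hashlib
import secrets

# Toy group: Z_P^* for a large prime P. Constructed for illustration only.
P = 2**255 - 19
G = 2
# Second generator derived by hashing, so its discrete log w.r.t. G is unknown.
H = int.from_bytes(hashlib.sha256(b"pedersen-h-example").digest(), "big") % P


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = G^value * H^blinding mod P. Hides value, binds to it."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def open_transfer(input_amounts, output_amounts):
    """Sender side: commit to every amount, choosing the last output blinding so the
    blinding factors cancel. Returns (input_commitments, output_commitments)."""
    if sum(input_amounts) != sum(output_amounts):
        raise ValueError("amounts do not conserve")
    in_blind = [secrets.randbelow(P - 1) for _ in input_amounts]
    out_blind = [secrets.randbelow(P - 1) for _ in output_amounts[:-1]]
    # Exponents live mod P-1, so the final blinding balances the sum exactly.
    out_blind.append((sum(in_blind) - sum(out_blind)) % (P - 1))
    in_commits = [commit(v, r) for v, r in zip(input_amounts, in_blind)]
    out_commits = [commit(v, r) for v, r in zip(output_amounts, out_blind)]
    return in_commits, out_commits


def conservation_holds(in_commits, out_commits) -> bool:
    """Verifier side: sees only commitments. Products agree iff the hidden amounts
    sum to the same total (given the blindings cancel), by the homomorphism
    commit(a, r) * commit(b, s) == commit(a + b, r + s)."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


if __name__ == "__main__":
    ins, outs = open_transfer([10], [4, 6])
    print(conservation_holds(ins, outs))
```

Two things the check does not cover, in this toy as in any Pedersen scheme: it says nothing about whether each hidden output is non-negative (that needs a range proof on each commitment), and it relies on nobody knowing the discrete log of H with respect to G, which is why H is derived by hashing rather than chosen as a known power of G.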
For the developer API behind these modes, see Privacy API Reference and the Privacy Architecture deep dive.