Viewing keys & disclosure
Consent-based, selective disclosure — hand an auditor a viewing key to reveal your own history, and only yours.
Privacy and auditability are usually framed as opposites. Hestia makes them the same key. The
viewing key (vk) that lets you discover your own incoming notes is also the key you hand
to an auditor to disclose your history — completely, but selectively.
How notes are sealed
When anyone pays you, they encrypt the note's secret fields to your public viewing key
VK and post the ciphertext on-chain alongside the commitment:
interface NotePlaintext {
value: bigint;
token: bigint;
label: bigint;
randomness: bigint;
}
// sender side: seal the note to the recipient's VK
const blob = encryptNote(recipientVK, plaintext); // ephemeralPub ‖ ciphertextThe scheme is an ephemeral X25519 key agreement, an HKDF-SHA256 key derivation, and
ChaCha20-Poly1305 authenticated encryption. The owner field is implied — it is the
recipient's own SK — so it isn't stored in the plaintext.
How discovery works
Your SDK doesn't know in advance which ciphertexts are yours. It trial-decrypts every blob
with your viewing secret vk; the AEAD tag verifies only for notes actually sealed to you:
const plaintext = decryptNote(vk, blob); // → NotePlaintext if it's yours, else nullThis is what hestia.sync() does under the hood to rebuild your balance — see
the shielded pool.
Selective disclosure
Because every note you've ever received is sealed to your VK, anyone holding the matching
vk can reconstruct your entire history — and only yours. Hand that key to an auditor and
you've disclosed exactly your own activity: no master key, no exposure of counterparties'
balances, no access to spend.
const viewingKey = hestia.exportViewingKey(); // hex of vk — give to an auditorWith that key (and access to the public ciphertexts via the indexer), an auditor can:
- enumerate every note you received, with its
value,token, andlabel; - follow your
labels to see the lineage of your funds; and - verify it against the on-chain commitments.
What they cannot do:
- spend anything — that needs
sk, which is never part of disclosure; - see anyone else's notes — each note is sealed to its own recipient's key;
- forge or alter history — they only read what the chain already committed to.
Why this is the right shape for disclosure
| Property | Consequence |
|---|---|
| Disclosure is opt-in | You choose to export the key; nothing is revealed by default. |
| Disclosure is scoped to you | A vk only opens notes sealed to its VK. |
| Disclosure is read-only | Viewing and spending are different keys. |
| Disclosure is verifiable | Every disclosed note ties to an on-chain commitment. |
Pair this with association sets: provenance is proven publicly and in zero knowledge, while history is disclosed privately and only with your consent. That combination is what "compliant privacy" means in Hestia.
Treat the viewing key like the sensitive secret it is. It cannot move funds, but it reveals everything you've received. Export it only to a party you intend to audit you.