R+4 is the verification layer that turns R+2 receipts and R+3 audit bundles into zero-knowledge proofs — short, non-interactive cryptographic statements that prove a property holds (e.g. "this operator processed ≥10,000 actions in Q1 within published policy") without disclosing the underlying receipts, principals, payloads, or counts. Where R+2 makes every action signable and R+3 makes every period provable, R+4 makes every compliance claim federable across organisations without revealing data.
R+2 produces signed receipts; R+3 aggregates them into Merkle-rooted, signed audit bundles. Both are powerful — but both have an unavoidable privacy property: the verifier sees data. To check an R+2 receipt, you must hold the receipt. To check an R+3 bundle, you must walk the Merkle proof for each included record.
In most operational contexts this is acceptable, even desirable. But three classes of question break the model:
R+4 solves these by emitting zero-knowledge proofs over R+2 receipts and R+3 bundles. An R+4 proof is a short cryptographic object (~200 bytes) that lets a verifier check a specific, pre-committed statement about the underlying data without learning anything else. The proof is constant-size, verifiable in milliseconds, and natively anchorable to Base mainnet (or any other EVM L2) so that regulators, counterparties, and the public can verify a property holds — forever, without trusting the issuer or any intermediary.
R+4 strictly depends on R+2 and R+3. It is not a replacement for either — it is a verification layer that operates over them.
| Layer | What it produces | What the verifier sees | Use case |
|---|---|---|---|
| R+2 | Signed action receipt | The full receipt (action, timestamp, principal, payload-hash) | Per-action provenance |
| R+3 | Signed audit bundle | Bundle metadata + Merkle proofs for included records | Per-period audit export |
| R+4 | Zero-knowledge proof | Only the proven statement + a constant-size proof | Privacy-preserving cross-org compliance |
An R+4 proof references R+2 receipts (via their hashes) and R+3 bundles (via their Merkle roots). It does not transmit them. The verifier can independently confirm that the referenced R+3 bundle was signed and (optionally) on-chain anchored — without ever seeing the receipts inside it.
// Operator emits R+2 receipts continuously throughout Q1. // Operator aggregates them into a signed R+3 bundle at end of Q1. // Operator anchors R+3 Merkle root onto Base mainnet. // Operator generates an R+4 proof of the statement: // "≥ 10,000 receipts in the bundle were signed by Agent-X with // policy_id = 'pol_v3' and amount ≤ $5.00, in [2026-01-01, 2026-03-31]" // Operator publishes the R+4 proof + statement. // Regulator verifies the proof in <10 ms. Sees nothing else.
| Term | Symbol | Meaning | RFC ref |
|---|---|---|---|
| Issuer | I | The operator generating the R+4 proof. Holds the proving key. Must be in possession of the underlying R+2 receipts. | RFC 2119 |
| Verifier | V | Any party that checks the R+4 proof. Only requires the verifying key + the public statement + the proof bytes. | RFC 2119 |
| Statement | S | The public, machine-readable assertion the proof witnesses. Encoded as a structured object (see §4). | — |
| Witness | w | The private inputs (R+2 receipts, signatures, bundle preimages) used by the issuer to generate the proof. Never disclosed. | — |
| Proving key | pk | Output of the trusted setup ceremony, held by the issuer. Used to construct π given (S, w). | Groth, 2016 |
| Verifying key | vk | Output of the trusted setup, published with the circuit. Anyone holding vk + S + π can verify. | Groth, 2016 |
| Proof | π | The constant-size cryptographic object (~200 bytes on BN254). Output of Prove(pk, S, w). | Groth, 2016 |
| Federation | F | A set of independent issuers that share a common verifying key and circuit, enabling cross-issuer statement verification. | — |
| SRS | — | Structured Reference String. The trusted-setup output for SNARK systems; subdivided into (pk, vk). | BCTV14 |
RFC 2119 conformance: MUST, SHOULD, MAY apply throughout this document.
R+4 defines a small library of statement classes. Each class corresponds to a deployed circuit with a published vk. Issuers MUST emit statements that match an installed circuit; verifiers MUST reject proofs whose statement does not type-check against the circuit's published schema.
{
"r4_version": "0.1.0",
"circuit_id": "r4-threshold-count-v1",
"vk_hash": "sha256:7c92...e1f3",
"statement": {
"bundle_root": "0x9f...a4",
"period_start": "2026-01-01T00:00:00Z",
"period_end": "2026-03-31T23:59:59Z",
"threshold": 10000,
"policy_id": "pol_v3",
"amount_cap_usd": 5.00,
"issuer_id": "did:dcs:0xbDd1...0f5F"
},
"proof": "0xc2...6e"
}
| Circuit ID | Statement form | Use case | Public inputs |
|---|---|---|---|
| r4-threshold-count-v1 | "≥ N receipts in bundle B from issuer I in window [t1,t2] with policy P, amount ≤ A" | Volume + policy compliance | bundle_root, t1, t2, N, P, A, I |
| r4-sum-bound-v1 | "Total $ amount across receipts in B from I in [t1,t2] is in [L, U]" | Settlement totals | bundle_root, t1, t2, L, U, I |
| r4-set-membership-v1 | "Every receipt in B with category C has principal ∈ allowlist A (referenced by Merkle root)" | KYC / access-control compliance | bundle_root, C, A_root |
| r4-uniqueness-v1 | "No two receipts in B share the same nonce" (no replay) | Replay-attack absence | bundle_root |
| r4-policy-conformance-v1 | "Every receipt in B was signed by an agent whose policy_id field equals P" | Uniform-policy compliance | bundle_root, P |
| r4-completeness-v1 | "B contains exactly the receipts that match selector Q over the operator's signed receipt log" | No silent omissions | bundle_root, Q_hash |
New statement classes are added by publishing a circuit definition (R1CS or PLONK constraints), running a public ceremony (see §6), and registering (circuit_id, vk_hash, schema) in the DCS Labs R+4 registry at registry.r4.dcslabs.ai. Issuers MUST NOT emit statements referencing unregistered circuit IDs in production.
R+4 circuits are arithmetised R1CS (Groth16 profile) or custom-gate PLONK (PLONK profile) over a pairing-friendly curve. v0.1 standardises on BN254 for EVM compatibility (Base mainnet precompile); BLS12-381 is supported as an optional curve for higher security margins where on-chain verification is not required.
Every R+4 circuit MUST enforce the following invariants:
period_start ≤ ts ≤ period_end.// Pseudo-code; full circom source in r4-circuits/threshold-count.circom template ThresholdCount(MAX_RECEIPTS, TREE_DEPTH) { // Public inputs signal input bundle_root; signal input period_start; signal input period_end; signal input threshold; signal input policy_id; signal input amount_cap; signal input issuer_pk; // Private witness signal input receipts[MAX_RECEIPTS]; signal input merkle_paths[MAX_RECEIPTS][TREE_DEPTH]; signal input signatures[MAX_RECEIPTS]; signal input active_count; // number of receipts actually consumed // Verify each active receipt for (i = 0; i < MAX_RECEIPTS; i++) { if (i < active_count) { VerifyMerklePath(receipts[i], merkle_paths[i], bundle_root); VerifyEd25519(receipts[i], signatures[i], issuer_pk); AssertTimeWindow(receipts[i].ts, period_start, period_end); AssertPolicy(receipts[i].policy_id, policy_id); AssertAmountCap(receipts[i].amount, amount_cap); } } // Threshold check AssertGTE(active_count, threshold); }
| Operation | Constraints | Notes | Profile |
|---|---|---|---|
| Merkle path verify (depth 20) | ~6,500 | SHA-256 per level, Poseidon optional | Groth16 |
| Ed25519 sig verify | ~190,000 | Native — dominates cost | Groth16 |
| Ed25519-Poseidon variant | ~12,000 | EdDSA over BabyJubJub | Groth16 fast profile |
| Threshold proof, N=10k, MAX=10k | ~2.0B constraints | Memory-intensive; recursion recommended | Recursive Halo2 |
| Threshold proof, N=10k, MAX=10k (recursive) | ~22M (per recursion step) | Logarithmic verifier cost via folding | Halo2 / Nova |
Groth16 circuits require a per-circuit trusted setup to produce (pk, vk). The integrity of the resulting proofs depends on at least one participant in the ceremony being honest (1-of-N trust assumption). R+4 mandates a public, multi-party ceremony for every published circuit.
registry.r4.dcslabs.ai + anchored on Base mainnet for tamper-evidence.If a single party generated the SRS, they could secretly retain the trapdoor — the mathematical "trapdoor" that lets the holder forge proofs for any statement. The ceremony distributes this trust: as long as any one of the contributors destroyed their share, no party can forge proofs. With 5+ contributors and public attestation, the practical security is high.
PLONK-based R+4 circuits use a universal-and-updatable trusted setup, eliminating the per-circuit ceremony. The trade-off is somewhat larger proofs (~400-600 bytes vs ~200 for Groth16) and slightly higher verification cost. v0.1 supports both; deployments MAY choose PLONK to avoid per-circuit ceremonies entirely.
Both Groth16 and PLONK rest on the hardness of discrete log on pairing-friendly curves — they are not post-quantum-secure. R+4 v0.x targets present-day classical security. A future R+4 v1.x profile (under research at DCS Labs) will offer STARK-based proofs (post-quantum, larger proof size) for deployments with long-horizon retention requirements (typically > 15 years).
An R+4 proof object is a JSON document containing the statement, the proof bytes, and metadata required for verification. The full object MUST be canonically serialised per RFC 8785 (JSON Canonicalisation Scheme) before any hashing or signing.
{
"r4_version": "0.1.0",
"profile": "groth16-bn254",
"circuit_id": "r4-threshold-count-v1",
"vk_hash": "sha256:7c92ab...e1f3",
"statement": {
"bundle_root": "0x9f3a...a401",
"period_start": "2026-01-01T00:00:00Z",
"period_end": "2026-03-31T23:59:59Z",
"threshold": 10000,
"policy_id": "pol_v3",
"amount_cap_usd_cents": 500,
"issuer_id": "did:dcs:0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F"
},
"proof": {
"pi_a": ["0x...", "0x...", "0x..."],
"pi_b": [["0x...", "0x..."], ["0x...", "0x..."]],
"pi_c": ["0x...", "0x...", "0x..."]
},
"public_inputs": ["..."],
"issued_at": "2026-04-01T12:04:33Z",
"issuer_signature": "ed25519:0x2bd...9a",
"anchor": {
"chain": "base-mainnet",
"tx_hash": "0x4c...",
"block_number": 29371204
}
}
statement per the circuit's public-input ordering.Proofs MAY be transmitted as JCS-canonical JSON (default) or as CBOR (deterministic encoding, RFC 8949) for size-sensitive deployments. The binary proof field is hex-encoded in JSON and raw-bytes in CBOR. Verifiers MUST accept both encodings.
R+4 enables a federation: a set of independent issuers that share circuit definitions and verifying keys. Within a federation, any participant can produce an R+4 proof, and any other participant (or external verifier) can check it without bilateral key exchange.
A federation is defined by:
To verify a proof issued by an unfamiliar party, a verifier:
proof.issuer_id is in the manifest's member list.proof.circuit_id is in the manifest's accepted-circuit list.| Federation | Members | Shared circuits | What gets proved across the federation |
|---|---|---|---|
| EU AI Act compliance | Anthropic, OpenAI, DCS, Mistral, etc. | r4-policy-conformance-v1, r4-completeness-v1 | "Each vendor's Q1 logs satisfy Art. 12 logging requirements" — no customer data crosses borders |
| HIPAA hospital network | 15 US hospitals sharing AI agents | r4-set-membership-v1 (allowlist), r4-uniqueness-v1 | "Every AI inference in Q1 was authorised by a credentialled clinician" — no PHI shared with regulator |
| Inter-bank AI settlement | 4 commercial banks + 1 clearinghouse | r4-sum-bound-v1 | "Each bank's agent-to-agent settlement totals match the clearinghouse expected total" — no customer accounts revealed |
The verifier algorithm for an R+4 proof object is deterministic and runs in < 10 ms on commodity hardware for the Groth16 profile.
function verify_r4(proof_obj, registry, federation_manifest) { // 1. Schema validation if (!validate_schema(proof_obj.statement, proof_obj.circuit_id)) return { ok: false, reason: "schema_mismatch" }; // 2. Circuit registration check const circuit = registry.lookup(proof_obj.circuit_id); if (!circuit || circuit.vk_hash !== proof_obj.vk_hash) return { ok: false, reason: "unregistered_circuit" }; // 3. Federation membership (optional) if (federation_manifest) { if (!federation_manifest.members.includes(proof_obj.statement.issuer_id)) return { ok: false, reason: "non_member_issuer" }; } // 4. Public-input derivation const public_inputs = derive_public_inputs( proof_obj.statement, proof_obj.circuit_id ); if (!deep_equal(public_inputs, proof_obj.public_inputs)) return { ok: false, reason: "public_input_mismatch" }; // 5. Issuer signature (optional) if (proof_obj.issuer_signature) { if (!ed25519.verify(proof_obj, proof_obj.issuer_signature)) return { ok: false, reason: "bad_issuer_signature" }; } // 6. Anchor check (optional) if (proof_obj.anchor) { if (!chain_anchor_resolves(proof_obj.anchor, hash(proof_obj))) return { ok: false, reason: "bad_anchor" }; } // 7. The actual zero-knowledge verification const ok = groth16.verify( circuit.vk, public_inputs, proof_obj.proof ); return ok ? { ok: true, statement: proof_obj.statement } : { ok: false, reason: "snark_invalid" }; }
Groth16 over BN254 has a precompiled pairing on Ethereum and L2s including Base. An R+4 proof can be verified on-chain in approximately ~250,000 gas (well within block limits). This enables R+4 proofs to gate smart-contract execution — e.g. a settlement contract that releases funds only when an R+4 compliance proof is presented.
// Solidity sketch — full implementation in r4-verifier-contract/src/ function verifyAndExecute( bytes calldata proof, uint[7] calldata public_inputs ) external { require( groth16Verifier.verifyProof(proof, public_inputs), "R+4 proof invalid" ); // public_inputs[0] = bundle_root, [1]=period_start, ... // Now the contract knows the statement holds. _releaseFunds(public_inputs[0]); }
R+4 soundness rests on (a) the cryptographic hardness of the underlying SNARK (Groth16 over BN254 / PLONK), (b) the integrity of the trusted-setup ceremony, and (c) the correctness of the circuit implementation. A failure in any one of these undermines the entire stack. Each circuit MUST be independently audited before being added to the registry.
If all ceremony contributors retain their secret randomness, they can collude to forge proofs for any statement. R+4 mitigates this by (a) requiring ≥ 5 independent contributors, (b) requiring public attestations, (c) recommending air-gapped machines, and (d) allowing PLONK universal setup as an alternative for deployments where ceremony coordination is impractical.
A bug in the circuit — e.g. a missing range check or under-constrained signal — can allow the prover to construct proofs of statements that do not actually hold. R+4 mandates:
R+4 proofs are not inherently bound to a verification context. A proof of "Q1 2026 compliance" can be replayed indefinitely. Where freshness matters, verifiers SHOULD include the current period in the statement's public inputs, or rely on the optional issued_at field with a tight acceptance window. For settlement contracts, the on-chain anchor provides natural temporal binding.
BN254 has degraded since its parameter selection (≤ ~100 bit security against modern attacks). v0.1 deployments accept this for EVM compatibility. Long-horizon archives (proofs retained > 10 years) SHOULD use the BLS12-381 profile (~128 bit security) and migrate to STARK-based v1.x profiles when available.
R+4 proofs that reference R+3 bundles transitively rely on the R+3 signature and (where present) on-chain anchor. A compromised R+3 issuer signing key allows an attacker to commit a malicious bundle, and any R+4 proof over it will inherit the corruption. Mitigation: federation manifests SHOULD require R+3 anchors for any bundle that gets witnessed by an R+4 proof.
Properly constructed R+4 proofs reveal nothing beyond the public statement. Specifically:
The statement itself is public. Verifiers learn whatever the statement encodes — typically: the bundle_root, the period window, the threshold, the policy ID, and the issuer ID. Issuers MUST treat the statement as a public document and choose statements that do not themselves leak sensitive information.
Side-channel leakage MAY occur via timing (proof generation time), proof size (for PLONK proofs with variable-length statements), or proof issuance frequency. Federations SHOULD batch proofs and use constant-time prover implementations where side-channel resistance matters.
An R+4 proof generated from a witness that includes PII does not "transfer" the PII to the verifier — the verifier never sees it. This makes R+4 a strong primitive for cross-border AI compliance demonstrations under GDPR Art. 44-49 and DPDP §16-17 (cross-border data transfer restrictions). DCS Labs has published a draft sectoral GDPR profile mapping R+4 statement classes to specific Article-12-and-after disclosures.
| Regime | Clause | R+4 statement class that satisfies it | Notes |
|---|---|---|---|
| EU AI Act | Art. 12 (Logging) | r4-completeness-v1 | Proves the operator's R+3 bundle contains all required events without disclosing the events |
| EU AI Act | Art. 26 (Records) | r4-policy-conformance-v1 | Every recorded action conforms to declared policy |
| NIST AI RMF | GOVERN-1.4 | r4-uniqueness-v1 + r4-policy-conformance-v1 | Logging is non-replayed and policy-bound |
| India DPDP | §16-17 (Cross-border) | Any R+4 proof | Compliance evidence crosses borders without underlying personal data |
| HIPAA | §164.308(a)(1)(ii)(D) | r4-set-membership-v1 | Audit log access restricted to credentialled clinicians, provable without PHI disclosure |
| SOC 2 | CC7.2 (Monitoring) | r4-threshold-count-v1 | Monitoring volume meets policy thresholds |
| PCI-DSS | 10.5 (Audit logs) | r4-uniqueness-v1 + r4-completeness-v1 | Logs are non-replayed and complete |
| ISO 27001 | A.12.4 (Logging) | r4-completeness-v1 | Event recording is comprehensive |
Each compliance mapping above is a starting point; jurisdictional and sectoral specifics may require additional circuits. Submit a request via [email protected] for a new statement class.
End-to-end example: an operator generating an R+4 threshold-count proof over a Q1 2026 R+3 bundle, anchored on Base mainnet.
// 12,847 R+2 receipts from Agent X, signed Jan-Mar 2026, // all with policy_id = "pol_v3", all amount ≤ $5.00. // Aggregated into R+3 bundle with Merkle root 0x9f3a...a401. // R+3 bundle anchored on Base @ block 29240118.
{
"r4_version": "0.1.0",
"circuit_id": "r4-threshold-count-v1",
"statement": {
"bundle_root": "0x9f3aa1f2bc4d9e7f0a8b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3a401",
"period_start": "2026-01-01T00:00:00Z",
"period_end": "2026-03-31T23:59:59Z",
"threshold": 10000,
"policy_id": "pol_v3",
"amount_cap_usd_cents": 500,
"issuer_id": "did:dcs:0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F"
}
}
$ r4-verify proof.json --registry registry.r4.dcslabs.ai [ ok ] circuit_id : r4-threshold-count-v1 [ ok ] vk_hash : sha256:7c92ab...e1f3 (registered) [ ok ] schema validation : passed [ ok ] public input derive : matched [ ok ] issuer signature : ed25519 verified [ ok ] base anchor : tx 0x4c...8e at block 29371204 ✓ [ ok ] groth16 verify : valid (8.3 ms) Statement holds: The operator emitted ≥ 10,000 R+2 receipts in [2026-01-01, 2026-03-31] under policy "pol_v3" with amount ≤ $5.00. No further information was revealed.
The proof object is ~290 bytes including JSON wrapping. The actual SNARK proof is 192 bytes (Groth16 over BN254). Verification took 8.3 ms on commodity hardware. The same proof can be verified on Base mainnet in ~250k gas.
github.com/DCS-LabsAI/r4-standard. v0.1 reference will include: circom sources for all six v0.1 statement classes, the trusted-setup ceremony coordinator scripts, a TypeScript prover/verifier (@trdnetwork/r4-prove, @trdnetwork/r4-verify), and Solidity verifier contracts ready for deployment to Base mainnet. First publication target: Q3 2026.