zkRune is the cryptographic primitive layer for MiCA-licensed CASPs, issuers of ARTs and EMTs, and the AML / compliance tech vendors that integrate with them. Proof of reserves, travel-rule attestations, AML thresholds, and beneficial-ownership selective disclosure — without indefinite retention of identity dossiers.
Outside MiCA scope? See the full regulations matrix (AI Act, DSA, eIDAS 2.0, DORA, NIS2, UK OSA, GDPR).
Regulation (EU) 2023/1114 has been binding for CASPs since 30 December 2024. Every CASP must demonstrate reserve adequacy, travel-rule compliance, AML reporting, and beneficial-ownership screening — while GDPR Article 5(1)(c) constrains how much of that evidence can be retained as raw personal data. Most CASPs default to indefinite EDD retention. Most exchange compliance teams know it's the wrong default.
We are not a MiCA compliance platform. We are the cryptographic primitive underneath one. The licensing, KYC orchestration, sanctions feeds, and transaction monitoring remain with you (or your existing vendor stack). We replace the raw-PII retention model with proofs that travel.
EU-licensed exchanges, brokers, OTC desks, custodians (Binance EU, Bitstamp, Kraken EU, Bitvavo, Bitpanda, Coinbase EU, OKX EU)
Proof of solvency and proof of reserve without revealing per-user balances. Travel-rule attestations bound to the originating wallet via the signature-verification circuit. AML threshold checks (range-proof) that satisfy reporting thresholds without retaining the user's amount.
Stablecoin issuers (Circle, Tether EU subsidiaries, Banking Circle), tokenised deposit operators, regulated EMT issuers
Reserve attestations on a per-block cadence — the holder of the proof can verify reserves match commitments without seeing the reserve composition. Bound to on-chain anchors so attestations are non-repudiable.
Sumsub, Chainalysis, Elliptic, TRM, Notabene — AML orchestration and transaction-risk vendors
ZK as a pluggable layer in your existing screening stack. Customers retain orchestration control, you add the privacy-preserving evidence path that satisfies GDPR proportionality challenges to indefinite EDD retention.
References are to Regulation (EU) 2023/1114 and the Transfer of Funds Regulation (Regulation (EU) 2023/1113). Mapping is informational; consult your DPO and authorised national competent authority for certification-grade claims.
MiCA article
Art. 67 — Reserve of assets (ART issuers)
Issuer must maintain segregated reserves of assets backing the issued ART, with monthly audits and ongoing supervision.
zkRune circuit
balance-proof · range-proofNotes
Per-block proof that on-chain reserve wallets hold at least the circulating supply. Verifiers re-check against published commitments without seeing the asset composition.
MiCA article
Art. 70 — Reserve composition (EMT issuers)
E-money tokens must be redeemable at par by the holder; reserves held as deposits in qualifying institutions.
zkRune circuit
membership-proof · signature-verificationNotes
Cryptographic attestation from the reserve custodian, signed and verified by the issuer's smart contract. Holders verify the chain of trust without seeing depositor identities.
MiCA article
Travel Rule (TFR 2023/1113)
Originator and beneficiary identifiers must accompany crypto transfers above EUR 1,000 between CASPs.
zkRune circuit
signature-verification · credential-proofNotes
Originator CASP binds the transfer to a signed identity attestation that the beneficiary CASP verifies cryptographically. The on-chain transaction itself remains pseudonymous; identifying data lives in the attestation, not the chain.
MiCA article
Art. 60 — Authorisation conditions (CASPs)
Verification of senior-manager fitness, beneficial ownership, and PEP / sanctions screening as part of authorisation.
zkRune circuit
credential-proof · membership-proofNotes
Attestations from regulators / national authorities that a person is authorised and screened, verifiable by counterparties without exposing the underlying identity dossier.
MiCA article
AML 6AMLD enhanced due diligence
Retain EDD records for at least 5 years; reconcile to GDPR proportionality. Currently most CASPs retain raw dossiers indefinitely as a safe default.
zkRune circuit
hash-preimage · patience-proofNotes
Proof that an EDD review happened at a moment in time, bound to the reviewer and the customer hash, without retaining the raw customer record. Supervisors can re-verify the proof against the anchored commitment chain.
Audited circuits
14 production Groth16 circuits
Compiled with Circom, trusted setup completed via multi-party Phase 1 (Hermez Powers of Tau, 54 contributors) + Phase 2 (zkRune-side).
Proof generation
0.4–5 seconds in-browser
Suitable for per-transaction risk attestations issued from the customer's device. Sub-second on modern hardware for the smaller circuits (range-proof, balance-proof).
Proof size
~200 bytes
Storage-friendly for the multi-year retention obligations under MiCA and 6AMLD. Five years of daily reserve attestations is well under 500 KB per circuit.
Mainnet anchors
Solana · Base · Sui
Verification keys are immutable on three independent chains. EU supervisors can independently verify any proof against the on-chain key — no dependency on zkRune as a vendor.
Licence
MIT / Apache-2.0
Open source by default. Compatible with internal procurement reviews and the regulator's preference for auditable supply chains. No vendor lock-in.
Audit
Q3–Q4 2026 (planned)
Third-party security audit scheduled. Honest disclosure of current posture at /trust — including what we have not yet proved.
The list below is what licensed CASPs and their existing vendor stack already do. Adding zkRune to your architecture should slot under the orchestration you already trust — not replace it.
The vKeys served by the hosted verifier are the same ones anchored on Base, Solana, and Sui mainnet. Auditors, supervisors, and counterparty CASPs can independently verify any proof against the on-chain key without trusting zkRune's hosted endpoint.
We work directly with compliance leads, DPOs, and engineering teams at CASPs, ART/EMT issuers, and AML technology vendors. The fastest path is a 30-minute technical session with the OpenAPI spec and trust documentation ready to forward to your security team.
zkruneprotocol@gmail.com · @rune_zk on X · github.com/louisstein94/zkrune