Encrypted Value Commitments
Instead of storing actual balances, Papillae uses cryptographic commitments - a way to “commit” to a value without revealing it.
Commitment Scheme:
Commitment = Hash(secret, amount, randomness, tokenAddress)Properties of Commitments:
Hiding: Given a commitment, it’s computationally impossible to determine the amount it represents
Binding: Once created, the commitment cannot be opened to a different value
Homomorphic: Commitments can be mathematically combined (added/subtracted) without decryption
How It Works in Practice:
When you deposit 100 BNB:
A random secret is generated:
secret = 0x7f3e9d2a...A random blinding factor:
randomness = 0x9a1c4b8e...Commitment computed:
C = Hash(secret, 100, randomness, BNB_address)Only
Cis stored on-chain, not the amount
The blockchain only sees cryptographic hashes. Even miners, validators, and block explorers cannot determine actual values.
UTXO Model: Papillae uses an Unspent Transaction Output (UTXO) model similar to Bitcoin:
Each commitment represents an unspent output
Transactions consume input commitments and create output commitments
Spent commitments are marked by “nullifiers” (discussed below)
This model prevents double-spending while maintaining privacy
Nullifiers: One-way cryptographic tags that mark commitments as spent:
When a commitment is spent:
Its nullifier is published on-chain
The nullifier reveals nothing about the commitment or amount
Attempting to spend the same commitment again would generate the same nullifier, which the contract rejects
This prevents double-spending without revealing which commitment was spent
Last updated