No real FLOW is used. For demonstration only. · Audit in progress.

The Two Faces of On-Chain Money

Plain-language cryptography behind PrivateTip and the @claucondor/sdk stack.

~15 min · 4 tabs · Updated May 2026

The problem with public chains

2 min · Everything leaks by default

Every transaction on a public blockchain reveals at least three things: who sent it, who received it, and how much moved. That's not a bug — it's the entire point of a public ledger. But it makes blockchains genuinely bad for a surprising number of real-world use cases.

Transaction on-chain
from: 0x4f2a…d391
to: 0x9c1b…fa22
amount: 5.00 FLOW
memo: Thanks for the talk!
Fully public — amount, memo visible to all.

Think about tipping a creator. Would you tip more or less if your exact amount appeared publicly next to your wallet address forever? Most people tip less (anchoring) or skip entirely (privacy instinct). The same applies to donations, payroll, sealed bids — anything where the amount is commercially sensitive.

Where PrivateTip sits today

PrivateTip is in the confidential tier: amounts are cryptographically hidden, but sender and recipient addresses are visible on-chain. That's deliberate for v0.5: the "who tipped whom" visibility is social proof. Sender/recipient unlinking (stealth addresses) is on the roadmap.

The Pedersen commitment

3 min · A sealed envelope anyone can verify

The core primitive is a Pedersen commitment. Take an amount and some random noise (a blinding factor), mix them mathematically in a one-way direction, and publish the result. The result proves you're committed to a specific amount, without revealing what that amount is.

C = a·G + b·H

[Interactive figure: the commitment point C moving on the BabyJubJub curve, with generators G and H.]

Same amount, different blinding → completely different point. This is perfect hiding.

Here G and H are fixed points on the BabyJubJub curve — generators chosen such that nobody knows the discrete logarithm relationship between them ("nothing-up-my-sleeve" parameters).

The homomorphic property

Adding two commitments gives a valid commitment to the sum: C₁ + C₂ = (a₁+a₂)·G + (b₁+b₂)·H. This is what makes an account model work: every incoming tip updates the commitment homomorphically, and the owner can always prove their total without revealing it.
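The hiding and homomorphic properties above, and the reason nobody may know the discrete log between G and H, as an added example (not PrivateTip or @claucondor/sdk code). It assumes the BabyJubJub parameters and Base8 point published in circomlib for G; H is derived from a known, constructed scalar purely so the loss of binding can be shown, which is exactly what production parameters must rule out.

```python
# Added example: Pedersen commitments on BabyJubJub (not PrivateTip / SDK code).
# Curve constants are the ones published in circomlib; G is its Base8 point.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696  # twisted Edwards form: A*x^2 + y^2 = 1 + D*x^2*y^2
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041
G = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)
O = (0, 1)  # identity element

def add(p, q):
    """Complete twisted Edwards addition (also used for doubling)."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, p):
    """Double-and-add scalar multiplication for k >= 0 (not constant time)."""
    r = O
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

# ASSUMPTION, demo only: H = h*G for a known, constructed scalar h.
# Real parameters must derive H so that nobody knows h.
DEMO_H_DLOG = 0xC0FFEE
H = mul(DEMO_H_DLOG, G)

def commit(amount, blinding):
    """C = a*G + b*H, scalars reduced modulo the subgroup order L."""
    return add(mul(amount % L, G), mul(blinding % L, H))

def verify_opening(c, amount, blinding):
    return c == commit(amount, blinding)

def reopen_with_known_dlog(amount, blinding, other_amount):
    """Blinding that opens the same C to other_amount; possible only with h."""
    return (blinding + (amount - other_amount) * pow(DEMO_H_DLOG, -1, L)) % L

if __name__ == "__main__":
    c1, c2 = commit(5, 111), commit(7, 222)
    print("hiding:", commit(5, 111) != commit(5, 999))
    print("homomorphic:", add(c1, c2) == commit(12, 333))
    b2 = reopen_with_known_dlog(5, 111, 500)
    print("binding broken when h is known:", verify_opening(c1, 500, b2))
```

When reviewing a deployment, the derivation of H is the thing to check: a commitment scheme whose H was produced from a known scalar is hiding but not binding.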

The ShieldedNote — the recovery channel

2 min · Without this, balances accumulate silently

Here's a subtle problem most explainers gloss over. Suppose Alice sends Bob 5 FLOW, privately. The on-chain commitment at Bob's address changes by some opaque amount. How does Bob know he received 5? Without the exact (amount, blinding) pair, he cannot construct a valid ZK proof when he wants to withdraw.

[Interactive figure: ShieldedNote lifecycle between Sender and Recipient.]

The solution is the ShieldedNote. Every shielded transfer ships an encrypted payload alongside the commitment update. The payload contains the amount, blinding factor, and an optional memo — everything the recipient needs to reconstruct their position. It's encrypted using ECIES over BabyJubJub, addressed to the recipient's MemoKey public key.

Why PrivateTip blocks sends to recipients without a MemoKey

If there's no MemoKey registered, the sender has no public key to encrypt the ShieldedNote to. The recipient would receive a commitment they can never decode — a permanently unspendable balance.

What's NOT private

1 min · Honest scope of today's privacy guarantees

PrivateTip hides amounts. It does not hide identities or patterns. Before you use it, know exactly what stays public:

  • Sender address (visible on-chain)
  • Recipient address (visible on-chain)
  • Transaction timestamp
  • Tx graph / frequency / social pattern

If you need sender/recipient unlinkability, wait for stealth-address support on the roadmap — or compose PrivateTip with a separate stealth-address primitive.

Fees

30 sec · Boundary-only, hard-capped

PrivateTip charges a 0.1% fee at the boundary — when you wrap FLOW into a shielded balance and when you unwrap back out. Shielded transfers between users are free. The fee is hard-capped at 1% by the contract and flows to the Janus admin COA.

Build something with this

The SDK ships Pedersen commitments, Groth16 proofs, ShieldedNote encryption, and sign-derive — all as drop-in primitives. PrivateTip is ~250 lines on top.

  • Sealed-bid NFT auctions
  • Hidden pack openings
  • AlphaArena private positions
  • Confidential payroll
  • Confidential donations
  • Cross-VM privacy wallets
  • Dark-pool AMMs
  • ZK voting