For serious capital to move on-chain privately, the privacy of a transaction cannot end at the cryptography. It has to begin with how the money itself is recorded.
A proof can keep a transaction private. But a proof needs something to prove, and what it proves depends entirely on how the private state is structured. That structure is what lets value be held, sent, and received entirely in private, party to party, and not merely shielded on the way onto a public chain and off it again. It is the subject of Episode 03.
Most value on public chains is tracked with the account model. Every address holds one running balance. The chain updates that balance in place with each transaction, and both the balance and every change to it sit in public view.
That structure is the problem. A single account that updates in place ties every transaction into one continuous, public history. Given enough of it, anyone can reconstruct who deals with whom, how often, and on what terms. For an institution, that is counterparty exposure and competitive intelligence sitting in plain sight.
So how value is recorded decides how much privacy is possible, before any cryptography is applied. For an institution running large volume through the same infrastructure, a model that accumulates linkage degrades the longer it runs. That is the model we did not build on. We solve this at the level of the data, not the math on top of it.
So we asked the question that decided the data model. What representation of value lets a proof confirm ownership, prevent reuse, and preserve totals, without leaving a thread between one transaction and the next?
The answer was to stop treating holdings as a balance to edit, and to start treating them as discrete records of value. Each one is created once and retired once. None is ever modified in place.
This is the unspent transaction output model, usually shortened to UTXO. Instead of one account holding a number that rises and falls, your funds are a set of distinct sealed notes, each standing for a fixed amount of a specific asset. Spending does not subtract from a balance. Spending consumes whole notes and produces new ones. Paying someone retires your notes and mints new ones for them, the amount and both sides private, with nothing on the public side touched. A note is a sealed unit of value rather than a line in an account.
A note is created, proven, and consumed. It is never touched again. There is no running balance to follow, because there is no balance at all. The discrete shape pays off again at volume. Because each note is independent, no single balance becomes a bottleneck that every transaction has to queue behind, and operations on separate notes never collide.
Each note becomes a commitment. A commitment is a sealed fingerprint of the note's contents, produced by hashing its attributes into a single value: the asset, the amount, the address that owns it, a timestamp, and an optional identifier for non-fungible assets. You can later prove what is inside that fingerprint without the fingerprint revealing anything.
The rule we drew before writing the circuits was strict. Nothing about a note's contents is ever written on-chain. Only the commitment, the sealed hash, is published. The amount, the asset, and the owner stay off the public record.
Creation runs one of two ways. When the amount is known in advance, the commitment is computed on the user's side and only the hash is submitted, with the encrypted contents passed to the recipient so they can rebuild the note privately. When the amount cannot be known in advance, for example the result of a swap with slippage, the contract generates the note from the settled figure. Either way, the chain holds fingerprints, not contents. To an outside observer, some commitment was created and, later, some nullifier was published. They never see which, for whom, or for how much.
The system runs on two structures that do opposite work.
The first is an append-only Merkle tree, held on-chain. A Merkle tree compresses an entire set of records into a single fingerprint, which lets a user prove their commitment is one of the records without revealing which one. That is how ownership is established, and it is established privately. The proof reveals only that the note sits somewhere in the set, never its position. The contract checks it against a single value, the root of the tree, and accepts or rejects in one step.
The second is the nullifier set. When a note is spent, its owner publishes a nullifier: a unique fingerprint derived from the commitment and a signature from the owner's private key. A nullifier is a one-time spent stamp. It marks one specific note as used, and it is recorded so the same note can never be used again.
Together they describe the whole private economy without exposing it. The Merkle tree is every unit of value ever created. The nullifier set is every unit ever retired. What remains is the difference, and no observer can compute that difference for any individual, because neither a commitment nor a nullifier reveals its contents or points back to a person.
One case, such as a swap through an external venue, reaches outside the shielded pool. For that, the protocol issues a privacy-preserving allowance: a record carrying the asset, the amount, and a binding to the one external contract it may touch. Value leaves for a defined purpose, and that purpose is never readable as a balance.
The commitment and the nullifier are produced with the hash function chosen for the proof system in Episode 02, because it is efficient inside a zero-knowledge circuit. What matters here is how the two values behave.
A nullifier is derived deterministically from the commitment and the owner's signature. The same note always produces the same nullifier, for its owner and for no one else. The requirement underneath is exact. A nullifier must be reproducible by the owner yet unlinkable by everyone else, and deriving it from the commitment plus a private signature satisfies both at once. It is reproducible, so the system can verify it. It is unlinkable, so the check gives nothing away.
That property is what stops double-spending. Submit a note twice and the same nullifier appears twice. The protocol sees it is already in the set and rejects the second transaction. It needs no record of which note was spent. It needs no balance lookup. It needs no party watching for fraud. Uniqueness is enforced by math.
The Merkle tree is append-only by design. Commitments are added and never removed, even after their notes are spent. We made that decision deliberately. The confidentiality of any single transaction is already complete: the proof and the note model keep its contents off the public record on their own, from the very first transaction, whether value moves privately between parties or settles to the public side. What the growing set adds is unlinkability. Every commitment that stays enlarges the anonymity set, the pool of indistinguishable records any proof could be referencing, so connecting one transaction to another only gets harder over time. The base privacy is built in, and the network makes it harder still.
The note model is what gives the proof from Episode 02 something to prove. The three things every Hinkal proof establishes map straight onto these structures. Ownership: a commitment exists in the tree and belongs to the spender. Uniqueness: its nullifier has not appeared before. Conservation: the value sealed into the inputs equals the value sealed into the outputs, so nothing is created and nothing disappears.
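As an added illustration, not Hinkal's own code, of how the commitment, nullifier and append-only Merkle structures described above enforce ownership, uniqueness and conservation in one spend check. It assumes sha256 in place of the circuit-friendly hash from Episode 02, an HMAC in place of the owner's signature, and a plain Merkle membership proof in place of the zero-knowledge one.

```python
import hashlib, hmac

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()   # stand-in for the circuit hash

def commitment(asset: str, amount: int, owner_pub: bytes, ts: int, nft_id: bytes = b"") -> bytes:
    """Seal a note's attributes into one hash; only this value is ever published."""
    return H(asset.encode(), amount.to_bytes(16, "big"), owner_pub, ts.to_bytes(8, "big"), nft_id)

def nullifier(commit: bytes, owner_secret: bytes) -> bytes:
    """Same note -> same nullifier for its owner; unlinkable without the secret (HMAC stands in for a signature)."""
    return H(commit, hmac.new(owner_secret, commit, "sha256").digest())

def merkle_root_and_path(leaves: list, idx: int):
    """Root of the append-only tree plus the sibling path proving leaves[idx] is in it."""
    lvl, path = list(leaves), []
    while len(lvl) > 1:
        if len(lvl) % 2: lvl.append(lvl[-1])      # pad odd levels by repeating the last node
        path.append((lvl[idx ^ 1], idx % 2))      # (sibling hash, 1 if we are the right child)
        lvl = [H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)]
        idx //= 2
    return lvl[0], path

def verify_membership(leaf: bytes, path: list, root: bytes) -> bool:
    for sib, is_right in path:
        leaf = H(sib, leaf) if is_right else H(leaf, sib)
    return leaf == root

def spend(leaves: list, spent: set, inputs: list, outputs: list) -> list:
    """Contract-side check: ownership (membership), uniqueness (fresh nullifier), conservation per asset."""
    root = merkle_root_and_path(leaves, 0)[0]
    new_nullifiers, totals = [], {}
    for (asset, amount, owner_pub, ts), secret, idx in inputs:
        c = commitment(asset, amount, owner_pub, ts)
        if H(secret) != owner_pub:                   # spender must hold the owner's secret (stand-in for the ZK proof)
            raise ValueError("not the owner")
        if not verify_membership(c, merkle_root_and_path(leaves, idx)[1], root):
            raise ValueError("unknown note")
        n = nullifier(c, secret)
        if n in spent or n in new_nullifiers:        # double-spend: same note, same nullifier
            raise ValueError("note already spent")
        new_nullifiers.append(n); totals[asset] = totals.get(asset, 0) + amount
    for asset, amount, *_ in outputs:
        totals[asset] = totals.get(asset, 0) - amount
    if any(totals.values()):
        raise ValueError("value not conserved")
    spent.update(new_nullifiers)                     # nullifiers recorded; commitments are never removed
    for out in outputs: leaves.append(commitment(*out))
    return leaves[-len(outputs):]
```

The observer-side record is only `leaves` (commitments) and `spent` (nullifiers); neither reveals the asset, amount or owner of any note.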
The proof and the data model were built as one design. The commitment model needs the proof to enforce its rules without revealing what it protects. The proof needs the commitment model to give it a well-formed state to attest to. Apart, each is incomplete. Together, they produce a record that is provably correct and provably private in the same operation. For an institution, that combination is the entire point. Full verifiability satisfies the auditor. Full confidentiality satisfies the users. Neither is traded away to get the other.
This is the record institutions have always needed and public chains have never offered. Every unit of value is provably owned, never spent twice, and fully accounted for, while who holds what, in which asset, and in what amount stays private. Value moves privately from one party to the next by default. Reaching the public side is a choice, an on and off ramp, not the whole point. Settlement has always forced a choice between auditability and confidentiality. A record built from commitments and nullifiers keeps both. Audit everything. Reveal nothing. That is the standard institutions actually need, and it lives in how value is recorded, not in a promise on top of it.
This is what turns a privacy guarantee into a working financial record. The cross-chain reach, the compliance tooling, and the institutional integrations still ahead in the series all operate on top of it.
A note proves what value is and who controls it, and it can move privately from one party to the next. What it does not yet cover is how a recipient is paid without ever exposing a reusable public identity. That is what we open next.