Your wallet is a glass house
Every token balance you have on Ethereum? Public. Every transfer you make? Public. That address you used to receive your paycheck? Anyone can see exactly how much you make, when you get paid, and where you spend it.
For individuals, that's creepy. For businesses, it's a disaster. Your competitors can watch your treasury. They can see when you're accumulating tokens before a big announcement. They can front-run your trades.
Mixing services help a bit, but they're clunky and regulators hate them. We wanted something better: balances that are encrypted by default, where you can prove things about your transactions without revealing the actual numbers.
How we encrypt balances
The trick is using encryption that lets you do math on encrypted values. Sounds like magic, but it's real math called homomorphic encryption.
We use ElGamal encryption. Here's the key property: if you have two encrypted numbers, you can multiply the ciphertexts together and get the encryption of their sum. You never decrypt anything, but the math still works out.
Enc(100) * Enc(50) = Enc(150)
So when Alice sends Bob 50 tokens:
- We subtract 50 from Alice's encrypted balance
- We add 50 to Bob's encrypted balance
- The smart contract never sees "50" or either balance in plaintext
The contract just sees encrypted blobs getting updated.
But wait, how do we know Alice isn't cheating?
This is where zero-knowledge proofs come in. Along with every transfer, Alice submits a proof that says:
- "I actually have enough tokens to send this amount" (without revealing her balance)
- "The encryption is done correctly" (so I'm not smuggling in bad data)
- "The same amount leaving my account is arriving at Bob's" (no tokens created from thin air)
- "My balance won't go negative" (this one's important)
The smart contract verifies this proof. If it checks out, the transfer goes through. If not, it reverts. Alice proves everything is legit without exposing any actual numbers.
Walking through a transfer
Let's say Alice wants to send Bob 50 tokens.
On Alice's device:
- She decrypts her own balance locally (only she can do this with her private key)
- She computes what her new balance should be
- She computes what Bob's new balance should be (encrypted to his public key)
- She generates a ZK proof that everything's correct
On-chain:
- The contract receives Alice's transaction with the new encrypted balances and the proof
- It verifies the proof (this is cheap and fast)
- It updates both encrypted balances
- Done. No one learned any amounts.
Bob's side:
- Bob's wallet watches for events
- When he sees an update to his balance, he decrypts it with his private key
- He now knows he received 50 tokens
Stopping overflow attacks
There's a sneaky attack we had to prevent. What if Alice tries to send a negative amount? Or a number so big it overflows?
Without protection, she could "send" -1000 tokens to Bob, which would actually increase her balance. Not good.
We use range proofs (specifically Bulletproofs) to prove that all values are within valid bounds. Every amount has to be between 0 and some maximum, no exceptions. This adds a bit to the proof size but it's essential for security.
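To make the encrypted balance update and the need for range proofs concrete, here is an added sketch (not NixProtocol's code) using the variant of ElGamal that puts the amount in the exponent, which is what gives the multiply-to-add property described earlier. The tiny group, MAX_AMOUNT and all function names are assumptions for illustration, and the ZK and range proofs themselves are omitted.

```python
import secrets

# Toy group (constructed, NOT secure): safe prime P = 2*Q + 1, G has prime order Q.
P, Q, G = 2579, 1289, 4
MAX_AMOUNT = 1000  # assumed valid range; decryption only searches 0..MAX_AMOUNT

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, amount):
    """Amount goes in the exponent (reduced mod Q), so ciphertexts can be added."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, amount % Q, P) * pow(pk, r, P)) % P

def add(c1, c2):
    """Component-wise product of ciphertexts = encryption of the sum."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def sub(c1, c2):
    """Multiply by the inverse ciphertext = encryption of the difference (mod Q)."""
    return (c1[0] * pow(c2[0], -1, P)) % P, (c1[1] * pow(c2[1], -1, P)) % P

def decrypt(sk, c):
    """Strip the mask to get G^m, then search the valid range; None if out of range."""
    gm = (c[1] * pow(pow(c[0], sk, P), -1, P)) % P
    acc = 1
    for m in range(MAX_AMOUNT + 1):
        if acc == gm:
            return m
        acc = (acc * G) % P
    return None

def transfer(sender_bal, recv_bal, sender_pk, recv_pk, amount):
    """Sender encrypts the amount under each key; the update itself needs no key."""
    # No proof is checked here, so nothing constrains `amount` to 0..MAX_AMOUNT.
    return sub(sender_bal, encrypt(sender_pk, amount)), add(recv_bal, encrypt(recv_pk, amount))

if __name__ == "__main__":
    a_sk, a_pk = keygen()
    b_sk, b_pk = keygen()
    print(decrypt(a_sk, add(encrypt(a_pk, 100), encrypt(a_pk, 50))))  # Enc(100)*Enc(50)
    a, b = transfer(encrypt(a_pk, 100), encrypt(b_pk, 20), a_pk, b_pk, 50)
    print(decrypt(a_sk, a), decrypt(b_sk, b))
    # Constructed out-of-range amount: the arithmetic wraps mod Q without complaint.
    a, b = transfer(encrypt(a_pk, 100), encrypt(b_pk, 20), a_pk, b_pk, -50)
    print(decrypt(a_sk, a), decrypt(b_sk, b))
```

With the negative amount, the sender's balance decrypts higher and the recipient's falls outside 0..MAX_AMOUNT, yet the ciphertexts look like any others; that is the gap the range proof closes.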
What about compliance?
"But won't regulators freak out about encrypted balances?"
We thought about this. NixProtocol supports optional view keys. You can give an auditor a special key that lets them see your transactions without being able to spend anything. It's read-only access.
This means:
- Your CFO can monitor company wallets
- Your accountant can prepare tax reports
- Regulators can audit you if legally required
- But random strangers on the internet still can't see anything
You get privacy by default with compliance when you need it.
Real-world numbers
| What | Cost |
|---|---|
| Private transfer | ~500k gas, proof takes ~2 seconds to generate |
| Checking your balance | Free (it's local decryption) |
| Proof verification on-chain | ~300k gas, under 10ms |
It's more expensive than a regular ERC20 transfer, but not outrageously so. For the privacy you get, we think it's worth it.
The bottom line
You shouldn't have to broadcast your financial life to participate in crypto. With the right cryptography, you can have all the benefits of blockchain (trustless, permissionless, verifiable) without giving up your privacy.
That's what we're building.