Skip to main content
shyware

anonymous by design. auditable by law.

Anonymous distributed-ledger protocol. Structural non-linkability across voting, wire transfer, custody, financing, and governance — one invariant, thirteen embodiments.

Read the docsContact us

Protocol properties

Non-linkabilitystructural — no join key between List 1 (payload) and List 2 (identity hash)
Verifiabilityoperator-independent — count-match + HSM-signed disjoint Merkle roots
Recoverycredential-free — biometric re-derivation, no seed phrase or password
Authority model3–4 structurally separated parties; dual co-authorization enforced at validation layer
Latency1–6 s block finality (Hyperledger Fabric / CometBFT BFT, no proof overhead)
GDPR208/208 residual-risk assertions pass — Art. 5, 15, 17, 25, 32 verified

Config-driven dual sealing

shyPayloadEncrypts List 1 (payload) using provider-derived key
shyIDVEncrypts List 2 (identity/metadata) using same sealer logic
SDK enforcementAll sealing is handled by the SDK (storeClient), not by consumer code
Canonical exampleSEDA_HAQQ: both shyPayload and shyIDV enabled for maximum privacy
{
  "anon_layer": {
    "shyPayload": true,
    "shyIDV": true
  }
}

Embodiment examples

13 contract variants. Each is a reference implementation — build your own on any variant. Branded co-mission products at co-mission.fyi.

shyvoting-v1Elections

Coercion-resistant anonymous ballots. Write-only posture on attested device. Hostile-regime ready.

shyvoting-v1Civic Referenda

Anonymous civic votes with operator-independent HSM-attested tally.

shywire-v1Private Value Transfer

Conservation-auditable stablecoin transfers. Amount and sender unlinked in canonical state.

shycustody-v1Commodity Custody

Warehouse receipt system. Holder identity absent from canonical lot records.

shycontracts-v1Revenue Financing

Anonymous lender/borrower commitments with public goal-achievement attestation.

shyshares-v1DAO Governance

Wallet-weighted anonymous proposals. Delegation mapping structurally non-enumerable.

shychat-v1Private Messaging

Anonymous dispatch. Sender identity structurally absent from canonical payload records.

How it works

// Ballot submission: two unlinked atomic writes
//   List 1 (Vote Direction) — no identity
//   List 2 (Voter Registry) — no vote choice
//
// Count-match invariant at poll close:
//   |L1(P)| === |L2(P)|   ← verifiable by arithmetic
//
// HSM-backed tally attestation:
//   σ = Sign_KMS( H(R_vote || R_voter || N || C) )
//   Logged to S3 Object Lock (365-day retention)