Signing at the source.
No trusted hand in between.
How the VPAY measurement device cryptographically signs a physical reading at the instant it is taken, so that between the asset and the public blockchain there is no point at which a human can change the number without it being detected. This is the Hardware & Oracle Bridge of the VPAY Genesis stack.
The trust gap every commodity rail still has
In the gold trade, and in carbon, agriculture, medicine and every other physical market, the digital record is created by a human typing a number a human measured. Between the assay bench and the certificate, between the certificate and the database, between the database and the token, there are people, spreadsheets and editable fields. Each is a place where the number can drift, by error or by fraud, and nobody downstream can tell.
Blockchains do not fix this. Writing a forged number to a blockchain just makes the forgery permanent. The hard problem is the first inch: getting an honest reading from the physical world onto the chain without a trusted human in the path. That first inch is what the Hardware & Oracle Bridge is for.
Principle: the reading signs itself
The device does not send a number to a server that a person then approves. The device measures, serialises, and signs the reading inside tamper-resistant hardware, using a private key that never leaves that hardware and that no operator (including EcoVent) can read or export. What travels onward is the reading plus a cryptographic signature over it. Anyone can later check that signature against the device's public identity. If a single byte of the reading is altered anywhere downstream, the signature no longer verifies, and the on-chain contract refuses it.
This is the physical analogue of the protocol's founding rule: "no verification, no token." The chain mints nothing unless it is presented with a device-signed reading whose signature checks out.
End-to-end: from atom to anchor
The crucial line is drawn at the chip. Everything to the right of the secure element is untrusted by design. The relayer that carries the payload, the network it travels over, even our own servers: none of them can alter the reading without invalidating the signature. The blockchain is the final, public arbiter: it re-checks the signature itself before it will mint.
The signing device
The measurement unit pairs industrial-grade physical sensors with a hardware secure element, a tamper-resistant chip of the class used in payment cards and passports, purpose-built to generate and hold private keys that cannot be read out, only used to sign.
Key provenance
- Born on-chip. Each device's signing key pair is generated inside the secure element at provisioning. The private key is never exported, never transmitted, and is not known to EcoVent, the operator, or the manufacturer.
- Public identity registered once. Only the device's public key is published and registered on-chain against a device ID. The contract will later accept readings only from registered devices.
- Tamper response. The secure element is designed to detect physical intrusion and zeroise its key material if the enclosure is opened or attacked; a compromised device stops being able to sign rather than signing fraudulently.
What it measures, and binds together
At capture the device records the physical reading (for gold: mass, spectroscopic purity, derived density and geometry), a geolocation fix from a multi-constellation satellite receiver, and a trusted timestamp. These are serialised into one canonical byte string in a fixed, documented order, and that exact byte string is what gets hashed and signed, so the what, the where and the when are cryptographically bound into a single inseparable attestation.
The attestation object
A completed reading produces a compact, self-describing object. Conceptually:

```
Attestation {
  deviceId     : registered public identity of the unit
  readingBytes : canonical fixed-order serialisation of the measurement
  readingHash  : hash( readingBytes )   // integrity fingerprint
  geo          : satellite position fix at capture
  timestamp    : trusted time at capture
  signature    : sign( readingHash )    // produced inside the secure element
}
```

The canonical byte layout is fixed and documented so that anyone (a partner, an auditor, a regulator) can independently re-serialise the same fields, re-hash them, and re-check the signature. There is no proprietary verification step: the math is the audit. (The trade-side equivalent of this canonical layout, for leveraged positions, is published in the stack's candle-encoding specification.)
On-chain enforcement: the part that is live today
The signed attestation is submitted to the AttestationBridge contract on Polygon. The bridge is the enforcement point of "no verification, no token":
Recover & check the signer
The contract recovers the signing key from the signature and confirms it matches a device registered on-chain. An unregistered or mismatched signer is rejected outright.
Re-bind the reading
The contract confirms the signature is over the exact reading submitted. A reading altered in transit no longer matches its signature and is refused.
Price the matter independently
For value-bearing mints, the conversion to token units is driven by a live on-chain market price oracle (Chainlink XAU/USD on Polygon), not an admin-typed rate, so neither the device operator nor EcoVent sets the number that mints.
Mint only on a clean pass
Only if signer, reading and price all check out does the bridge mint. The attestation and its outcome are written to the public ledger, permanently and openly.
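The canonical-serialise, sign and gate sequence described above, as an added example that is not VPAY's or EcoVent's own code. It assumes an Ed25519 key as a stand-in for the secure element's signature scheme (which the page does not specify), fixed-point integer fields for the reading, and a bridge that looks the registered key up by deviceId rather than recovering it from the signature as the contract does; the oracle pricing step is left out.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Reading binds what (mass, purity), where (satellite fix) and when (trusted time).
// Fixed-point integers are this example's assumption: they serialise with no float ambiguity.
type Reading struct {
	MassMg, PurityPPM, Timestamp uint64 // milligrams; parts-per-million fine; unix seconds
	LatE7, LonE7                 int32  // degrees * 1e7
}

// Hash is the readingHash: sha256 over the canonical bytes, fields in declared order, big-endian.
func (r Reading) Hash() [32]byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, r) // fixed-size struct: no length prefixes, no padding
	return sha256.Sum256(buf.Bytes())
}

// NewDevice stands in for the secure element: the private key lives only inside the closure.
func NewDevice() (ed25519.PublicKey, func(Reading) []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, func(r Reading) []byte { h := r.Hash(); return ed25519.Sign(priv, h[:]) }
}

// Bridge mimics the AttestationBridge: registered device keys plus readingHashes already minted.
type Bridge struct {
	Registered map[string]ed25519.PublicKey
	Minted     map[[32]byte]bool // replay guard from the threat model
}

func NewBridge() *Bridge { return &Bridge{map[string]ed25519.PublicKey{}, map[[32]byte]bool{}} }

// Submit applies the gates in order: registered signer, signature over this exact reading, not a replay.
func (b *Bridge) Submit(deviceID string, r Reading, sig []byte) error {
	pub, ok := b.Registered[deviceID]
	if !ok {
		return errors.New("unregistered signer")
	}
	h := r.Hash()
	if !ed25519.Verify(pub, h[:], sig) {
		return errors.New("signature does not match reading")
	}
	if b.Minted[h] {
		return errors.New("replay of an already-minted reading")
	}
	b.Minted[h] = true // a clean pass is recorded; the mint itself is outside this example
	return nil
}
```

Because the struct is written field by field with no length prefixes, the canonical encoding of a reading is always 32 bytes, and any single-field change (a relayer bumping the mass, or a swapped timestamp) yields a different hash and a failed verify.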
This software is deployed and source-verified on Polygon Mainnet now. The companion Proof-of-Reasoning contract (for AI/model outputs) and the Anchor Registry (for forecast and metric snapshots) run on the same chain; see §7 of the architecture page and the live registry on Polygonscan.
Threat model: where a human could cheat, and why they can't
| Attack | Without VPAY | How the bridge closes it |
|---|---|---|
| Edit the number in transit | A relayer or server changes mass/purity before it's recorded. | The reading is signed at the chip. Any change breaks the signature; the contract refuses it. (closed) |
| Replay an old reading | A real past reading is re-submitted to mint twice. | Each attestation carries a trusted timestamp and is bound to a single device session; the chain rejects duplicates. (closed) |
| Spoof the device | A fake device fabricates readings. | Only public keys registered on-chain can produce accepted signatures; an unregistered signer is rejected. (closed) |
| Backdate or relocate | Claim a reading happened elsewhere/earlier. | Geolocation and time are signed inside the same attestation as the reading; they cannot be detached or swapped. (closed) |
| Admin sets a favourable rate | An insider tweaks the mint conversion. | Value mints price off a live external market oracle, not an admin field. (closed) |
| Extract the device key | Clone a trusted device. | The key is born and held in a tamper-resistant element and zeroised on intrusion; it cannot be read out. (closed by design) |
| Sign a true signature over a false physical input | Fool the sensor itself (e.g. a salted sample). | Residual / out of scope for crypto. Signing proves the device produced the reading, not that the sample wasn't physically tampered pre-measurement. Mitigated operationally by sampling protocol, multi-gate physical checks and chain-of-custody, and is the honest boundary of what cryptography alone can promise. See §8. |
Limits & honesty
We state plainly what this does and does not prove:
- It proves authorship and integrity, not virtue. A device signature proves this device produced this reading, unaltered, here, then. It does not, by itself, prove the underlying sample was not physically manipulated before it reached the sensor. That is a sampling- and custody-control problem, addressed by protocol and multi-gate checks, not by the signature.
- The hardware is pre-production. The mechanism above is the engineered design and is the basis on which partners are invited to evaluate the architecture; it is not a claim of a field-deployed, third-party-certified unit. An independent hardware security evaluation is part of the path to production.
- The software is real now. The on-chain enforcement (§6) and the public registries are live and verifiable on Polygon Mainnet today.
- Vendor specifics under NDA. The exact secure element, sensor suite and provisioning ceremony are documented for partners in the NDA edition of this paper.
This is the discipline of the whole protocol: claim only what can be checked, and make the checking open to anyone.
Evaluate the full design
Institutional partners can request the NDA edition (with secure-element and sensor specifics, the provisioning ceremony, and the device-registration flow) and a technical walkthrough.