Encrypted NFTs on Stacks: a Standard Trait for Commitment-Based Private Layers (eNFT)

Hey Stacks community

I’m Xenitron, from Skullcoin Labs building sustainable GameFi on Stacks. We’ve been shipping “Encrypted NFTs” in production for puzzle/game use cases (Seed Phrase Hunt, Find2Earn content unlocking). Today it works via a hybrid model (on-chain = permissions, off-chain = encrypted payload), but the ecosystem lacks a shared standard.

This post proposes a small, non-consensus step that could unlock a lot of composability: a trait + minimal on-chain commitments/events standard so wallets/marketplaces/indexers can support “private layers” consistently.

TL;DR

Encrypted NFTs (eNFTs) introduce a new NFT primitive on Stacks: SIP-009 NFTs with a public layer + a commitment-based private layer (encrypted payloads).

Today, projects that attempt “locked content” do it in incompatible ways → wallets/markets/indexers can’t support it consistently.

Proposal: a non-consensus standard trait that exposes:

• payload commitment (hash + minimal metadata that binds token-id → private payload)

• owner-gated key envelope (so the rightful owner can decrypt client-side)

• optional key rotation / versioning

• standard events for indexers and better UX

No hard fork required. Fully compatible with SIP-009 NFTs.

Why Encrypted NFTs?

Typical NFT metadata is public. But lots of real apps need incomplete information:

• game/puzzle clues (ARG style)

• coordinates / “treasure maps”

• access passes with hidden content

• sealed collectibles (reveal only to owner)

You can store ciphertext anywhere, but without a standard:

• wallets don’t know how to show “Locked content”

• markets can’t index or preview the encrypted layer

• devs can’t compose these NFTs across apps

How we do it today (Hybrid)

Our current pattern on Stacks is:

• On-chain: SIP-009 NFT ownership + commitments (hashes / indexes / events) that bind token-id → locked payload.

• Off-chain: encrypted payload (image/text/coords) stored in a database or content storage; revealed only after verifying ownership and (optionally) a signed challenge.

This works, but it’s fragmented and easy to implement insecurely if each team invents their own access control pattern.

Proposal (Non-consensus): eNFT Trait + Commitments

Define a trait (name bikesheddable) that every “Encrypted NFT” contract can implement, enabling standard UX.

Minimal required API (conceptual)

1. get-payload-commitment(token-id) → returns:

• commitment (hash binding the payload)

• cipher-suite (string identifier)

• optional payload-uri (ciphertext location)

• optional mime/type

• version

2. get-key-envelope(token-id) → returns owner-gated:

• envelope (opaque bytes; encryption envelope or retrieval descriptor)

• envelope-hash

• created-at

3. Optional: get-key-envelope-version(token-id) or key rotation events.

Standard events

• encrypted_payload_set(token-id, commitment, cipher-suite, payload-uri?)

• key_envelope_rotated(token-id, envelope-hash, version)

Ownership gating requirement

get-key-envelope MUST fail unless tx-sender is the current token owner.

What this enables (immediately)

• Wallets can display “ Locked content” consistently.

• Markets can index “has private layer” and show reveal actions to owners.

• Apps can reuse each other’s eNFTs without custom integrations.

• Security improves because patterns become reviewable and repeatable.

Security notes (important)

• A public chain can’t keep plaintext secret. The goal is interoperability around ciphertext + owner-gated key retrieval / client-side decryption.

• Commitment fields make payload integrity verifiable (prevents silent server-side swaps).

• A standard owner-gated signature challenge pattern is recommended to avoid common access control bugs (IDOR/replay).

Non-goals (for this SIP)

• “True on-chain secrecy” (not possible on a public chain by definition).

• Mandatory ZK verification or heavy cryptographic precompiles.

• Forcing one encryption method.

We want a small, adoptable spec that works now.

Future work (separate track, optional)

If the community is interested, a separate consensus-level SIP could explore adding additional cryptography primitives to Clarity/VM to enable more advanced flows (e.g., on-chain verification of encryption-consistency proofs, etc.). That is not required for the trait standard, and should be treated as a longer-term R&D topic.

Why this helps developer adoption:

Today, building “locked content” NFTs on Stacks requires each team to invent their own access-control flows, storage conventions, and indexing patterns—making integrations slow and security reviews harder. A shared Encrypted NFT trait reduces that complexity to a known, reusable primitive, enabling faster wallet/market support and easier composability between projects. Lower integration friction + clearer best practices tends to attract more builders, because developers can ship private-layer use cases without reinventing the entire stack every time.

Open questions / Feedback requested

1. Trait shape: what’s the cleanest minimal interface for wallets/markets?

2. Commitment semantics: should we recommend sha256(ciphertext) by default?

3. Event schemas: what fields do indexers need for good UX?

4. Key rotation: do we standardize it v1 or leave as optional?

I have been excited about your encrypted NFTs, ever since DeGrants 2. They are amazing and are so many more use cases. (My head is spinning with all of them again)

Is this a first step SIP to set a basic framework for these and to garner adoption, there by creating a platform wide evolution?

Awesome! Love this and that it’s being proposed as a standardization via SIP!

Interesting and much-needed work to unlock GameFi and enable more complex, engaging functionality across the ecosystem. I fully support it and would like to see more details and concrete examples.

An innovative use case to revive the NFT markets on Stacks.

Is there any equivalent Ethereum/Solana version of this standard already?

Perhaps you can also share what exact cryptography primitive would be needed in Clarity as an optional track.

Good question.

Equivalent standard on ETH/Solana: I’m not aware of a widely adopted, marketplace-native “Encrypted NFT private layer” standard there - most implementations are app-specific token-gated encrypted metadata patterns. The closest conceptual parallel on Ethereum is ERC-7857 (NFT with private metadata), but it’s a different scope.

Crypto primitives for an optional Clarity track: our proposed v1 trait standard needs no new cryptography (commitment hashes + owner-gated access). If we later want a more trust-minimized / on-chain path, the first useful step would be ECDH/ECIES support (EC point ops / scalar multiplication + key derivation), and a “fully on-chain + ZK” direction would require adding a ZK verifier (larger consensus-level change). MystenLab’s encrypted-nft PoC is a great technical reference for the fully on-chain direction, but our focus is the practical, ecosystem-wide standard that can be adopted on Stacks now and become a new primitive for builders. PoC link: https://github.com/MystenLabs/encrypted-nft-poc

Cool idea. A few thoughts:

The wallet/marketplace support you’re describing might be a tough sell right now. Leather and Xverse probably aren’t prioritizing custom UI for a trait one project uses, and the Stacks NFT market has been pretty quiet—Gamma’s been focused on Bitcoin for a while now.

Also worth noting: this is still trust-the-server at its core. The on-chain hash proves payload integrity, but the actual secret is held by whoever runs the decryption service. That’s fine for certain use cases, but it’s closer to DRM with NFT-gated access than a trustless primitive.

That said, I agree with the premise—we need more on-chain activity beyond just DeFi. Deposit, yield, wait… that’s not generating much actual usage. Games, puzzles, content unlocking—that kind of stuff brings real engagement and transactions.

Curious to hear more:

• What use cases are you seeing the most traction with?

• How much activity has Seed Phrase Hunt / Find2Earn generated?

• Are other teams reaching out wanting to use this pattern?

Worth experimenting and seeing what sticks. More ideas building weird new things is what the ecosystem needs.

Thanks - this is a very fair take,

On wallet/market support being a tough sell right now: totally. We’re not expecting Leather/Xverse/Gamma to build bespoke UX for a single project. The point of a standard trait is the opposite: reduce it from “custom per project” to a reusable primitive. If multiple teams align on the same interface/events, support becomes much easier to justify (and can start small: a “ locked content” badge + owner-only “reveal” action). Even without full wallet UX, indexers / explorers / marketplaces can support “has private layer” + events with minimal work.

On “trust-the-server / DRM”: agreed that you can’t get true secrecy on a public chain. Our v1 is explicitly not trying to solve “perfect trustlessness”. What we can do today is:

• Integrity + anti-swap: the on-chain commitment prevents silent server-side payload swaps (“this NFT used to unlock X, now it unlocks Y”).
• Interoperability: a shared trait means wallets/markets/apps don’t need custom integration per project.
• A clear upgrade path: v1 works now; later we can push toward more trust-minimized designs (public ciphertext on IPFS/Arweave, client-side decryption, optional key rotation, etc.). In that model the server isn’t a “secret oracle” anymore - at worst it’s just a CDN.

So yes: v1 is “token-gated encrypted content,” but with verifiable commitments + a standard interface, which is a meaningful step up from pure DRM patterns.

Use cases with the most traction: puzzles/quests where the private layer is actual gameplay state, not “art behind a paywall”:

• seed-word fragments / multi-step hunts (Seed Phrase Hunt)
• coordinate/map unlocks (Find2Earn)
• “sealed” items (mystery chests / encrypted maps) where revelation is part of the game loop

Activity / traction: We’ve run multiple on-chain eNFT games already, and the pattern consistently generates real user actions (mint/transfer/reveal flows) rather than passive “deposit and wait.” In our latest Seed Phrase Hunt event, Stacks daily transactions showed a noticeable spike that coincided with the game day - people played for ~7 hours non-stop. We had 118 unique wallets participating (via Leather/Xverse, including mobile).

Seed_Phrase_Hunt1280×470 39.9 KB

On other teams reaching out: not yet - and that’s expected at this stage. Right now the main barrier is that “private layer NFTs” are implemented as bespoke, project-specific patterns, so other teams can’t easily reuse them or get wallet/market/indexer support without custom work. The goal of this SIP is to formalize the interface (trait + events + commitment conventions) so the pattern becomes discoverable and composable. If we standardize it, it lowers the integration cost dramatically - that’s when we expect other teams to adopt it and you’ll see more on-chain activity built on the same primitive.

Cool idea. A few thoughts:

The wallet/marketplace support you’re describing might be a tough sell right now. Leather and Xverse probably aren’t prioritizing custom UI for a trait one project uses, and the Stacks NFT market has been pretty quiet—Gamma’s been focused on Bitcoin for a while now.

Also worth noting: this is still trust-the-server at its core. The on-chain hash proves payload integrity, but the actual secret is held by whoever runs the decryption service. That’s fine for certain use cases, but it’s closer to DRM with NFT-gated access than a trustless primitive.

That said, I agree with the premise—we need more on-chain activity beyond just DeFi. Deposit, yield, wait… that’s not generating much actual usage. Games, puzzles, content unlocking—that kind of stuff brings real engagement and transactions.

Curious to hear more:

• What use cases are you seeing the most traction with?

• How much activity has Seed Phrase Hunt / Find2Earn generated?

• Are other teams reaching out wanting to use this pattern?

Worth experimenting and seeing what sticks. More ideas building weird new things is what the ecosystem needs.

Thanks for the clarification - I was wrong about the trust model. The on-chain commitment does prevent server-side cheating, which is a meaningful guarantee even if the server still holds the secret. Appreciate the patience in walking through that.

The Seed Phrase Hunt metrics are interesting - 118 wallets, 7 hours of continuous play, visible on-chain spike. What do you think would 10x or 100x that?

• Is it the game mechanics themselves? More complex puzzles, longer arcs, higher stakes?

• The audience reach? Getting beyond the existing Stacks crowd?

• Sponsorship/prizes that attract attention?

• UX friction? Are you looking at off-chain intent messages that settle later, or passkey-based smart wallets so anyone on mobile Chrome can play without seed phrases?

Curious where you see the bottleneck between “cool experiment” and “thousands of active players.”

Appreciate the follow-up - great questions.

What would 10x / 100x the activity? In my view, the biggest levers are (1) distribution beyond the current Stacks-native audience, and (2) reducing UX friction while staying crypto-native. The mechanics are already proving engagement. Scaling is mostly about making the loop repeatable and easy to join on mobile.

Mechanics (complexity vs scale): The power of Encrypted NFTs is depth - they enable games with incomplete information (mystery arcs, detective-style quests, multi-step reveals) that we haven’t even fully explored yet. Seed Phrase Hunt (SPH) is intentionally a “simple, obvious” starting point (wallet-native + seed words), but the same primitive can power much richer narratives. That’s also why a SIP matters: it makes the pattern legible and composable for other builders’ imagination.

Audience reach (beyond Stacks): I agree the reach should be “all of crypto.” Stacks is our homeland where this pattern has been built and proven, and where we want to standardize it. At the same time, broader crypto exposure (partners, creators, communities in larger ecosystems) is how you get the next 10x. The goal isn’t to “leave Stacks,” it’s to make the primitive visible enough that more builders and users flow back into Stacks because the standard exists here.

Sponsorship / prizes: The base SPH model is already sustainable: the prize pool is funded from the mint flow (poker tournament-style entry → prize pool + fees). Sponsorship becomes an optional “overlay” that boosts attention and creates bigger wow-moments (larger jackpots, branded public-layer drops, etc.) without breaking the core economics.

UX friction (without removing wallets): I’m not focused on eliminating wallets at this stage - we’re building crypto-native. The goal is to make wallet UX painless: fewer steps, better mobile deep-links, clearer signing, and eventually passkey-based onboarding where it makes sense (WebAuthn/P-256 is a promising direction). “Off-chain intents → on-chain settlement” is also interesting for smoothing the experience, but we still want the on-chain layer to stay the source of truth for ownership and proofs.

Bottleneck from “cool experiment” to “thousands”: repeatable cadence + distribution + mobile UX. Not necessarily harder puzzles - more like seasons/episodes, consistent events, social status layers, and low-friction participation. Once the interface is standardized (trait/events/commitment conventions), the ecosystem can build on it without bespoke integrations - and that’s when adoption can compound.

Having a “eNFTs” standard to formalize the interface and normalize things for discoverability and composability would be very beneficial for extending the value proposition of NFTs on Stacks.

The pattern proposed by @xenitron is well thought out, and I support this proposal.

Lets level up NFTs!