Public code — exterior
A QR or NFC tag anyone can scan. It resolves to the château's information page and to the live title record: current owner address, full custody history, and “alive / consumed” status. Read-only.
Technology
Two layers.
Two codes. One title.
Livre des Crus adds a neutral ownership layer on top of the producer authentication that already exists. Here is exactly how it works — and the one thing a ledger cannot do alone.
The architecture
Two layers, cleanly separated.
The lookup already exists. The title registry is what's missing.
Layer 1 · exists today
Identity & information
Scan the public code → the château's own page: vintage, cuvée, tasting notes, marketing. Named, human-readable, centralized. We keep it as-is.
Layer 2 · the Livre des Crus core
Title & ownership
- Each bottle is a unique, producer-signed on-chain title.
- The owner is a pseudonymous key — provable, not a name.
- Anyone can verify; no middleman, no gatekeeper.
- Opening the bottle burns the title forever.
On the bottle
A public code and a secret one.
Secret code — the metal seal
A secure NFC element embedded in the foil capsule — not the cork. The seal must be cut to reach the cork, so opening necessarily destroys it. Querying it writes the consumption event and burns the title. Authentic corks are reused by forgers; a severed seal cannot be.
These are identifiers, not a cryptographic keypair. The real cryptography lives with the producer's signing key (which mints titles) and the owner's wallet key (which proves and transfers ownership).
The bottle lifecycle
Four on-chain events.
- ◆
Mint — at the château
The producer's signing key creates a title: a unique bottle ID; producer, cuvée, vintage, format and lot; a hash commitment to the secret code; and the producer's signature. The producer is the sole authority that can mint.
- ◆
Transfer — négociant → auction → collector
Two problems solved together: money-vs-title atomicity, via smart-contract escrow (title moves only when payment clears); and title-vs-bottle atomicity, via the custody handshake below and, for investment wine, vaulting.
- ◆
Consume — burn-on-open
Opening exposes the secret code. The chain checks it against the commitment stored at mint, records a
Consumedevent, and permanently burns the title. This is the mechanism that defeats the refill attack — an authentic empty is now worthless.
The binding problem
A ledger guarantees the digital record is tamper-proof. It guarantees nothing about whether the token is bound to this physical bottle. The defense is physical: a destructible secure-NFC carrier on the metal seal, applied under the producer's authority. Get it wrong and you have an elegant, tamper-proof database of lies. Hardware integrity is a first-class part of the protocol.
Closing the title-vs-bottle gap
Seller initiates transfer; title enters escrow; buyer pays in; seller ships. On receipt the buyer scans the public code and co-signs “received,” releasing payment and finalizing title. If the buyer never confirms, escrow refunds and title reverts — the physical handoff becomes part of the protocol.
Decoupling ownership from movement
For investment-grade wine, the bottle sits in a bonded warehouse for years and only the title circulates — trading pseudonymously and instantly. The vault is an audited custodian whose attestations are themselves signed on-chain. Likely the fastest path to real-world adoption.
Privacy is protection
Prove what you own
without exposing what you own.
Pseudonymous is not anonymous. We treat de-anonymization as an adversary from day one.
Fresh address per bottle
No names on-chain. Provable ownership, private holder.
Stealth addresses
Each transfer derives a one-time address, so a bottle's history can't be linked to a single party.
Zero-knowledge
Prove “I hold a genuine, unopened bottle from this producer” without revealing which one — supporting verification, insurance and financing without disclosure.
Open trade-offs, not dogma
- A public chain with privacy tooling (stealth / zk) best fits a neutral public good — pending foundation review.
- A non-fungible, soulbound-until-transfer title with a burn primitive and producer-gated mint.
- Secure NFC (challenge–response) for the secret code; QR for the public code.
- No protocol token. Reading and verification are free.
Root of trust is the hard part
- A non-profit foundation stewards the protocol and the open data standard.
- A consortium of producers, négociants, auction houses and warehouses governs — no single member can rewrite history.
- Producer onboarding — admitting a château's signing key — must be rigorous, audited and revocable.
Want the full detail?
The whitepaper, concept doc, data model and threat model are openly published and iterated.