KAS Shielded Pool
Deposit KAS into a shared pool; withdraw the same amount to a fresh address by proving “I own an un-spent deposit” in zero knowledge — without revealing which one. No mixer operator, no custodian, no trusted server: the proof is verified by every Kaspa node, and you can check the pool's solvency yourself, live, below.
Try it — three steps
Deposit, withdraw to a fresh address, and verify on-chain that the two can't be linked. Everything — generating notes, proving, signing, submitting — happens in your browser; no server ever holds your key. You just need a testnet-10 key with a little TKAS (from the faucet).
How it works
1 · Deposit
You publish a commitment — a hash of two secrets only you know. The pool adds it to a Merkle tree and takes a fixed amount of KAS. Cheap, and it reveals nothing about you.
2 · Wait
Your deposit joins everyone else’s in the same tree. The longer you wait, the larger the anonymity set your later withdrawal hides inside — the whole tree, not a fixed handful.
3 · Withdraw
From a fresh address, you submit a zero-knowledge proof that one of the tree’s commitments is yours and hasn’t been spent. The pool pays out. Nobody — not even the pool — can link it to your deposit.
not capped at ~3 like a coinjoin
each note withdraws exactly once
anyone can broadcast; nobody can redirect
The live cycle on this pool
These four transactions are the pool above, moving under real consensus on testnet-10 — one covenant lineage, genesis to private payout. Open any and check the inputs consumed and outputs produced:
How to verify the pool without trusting anyone
- Start at the genesis transaction and follow output 0 — the pool continuation — from tx to tx. The inspector above does exactly this walk against a public node.
- Every box in that chain carries the same covenant_id (070a4eef8c81…): that's the pool's identity, proving each box is the real continuation and not an impostor.
- Each deposit adds one denomination (+1 TKAS), each withdrawal removes one (−1 TKAS) and pays a fresh address. The tip box's balance = total un-withdrawn deposits.
- Every withdrawal carried a valid Groth16 proof — the node rejected any that didn't. Solvency and privacy aren't asserted here; they're enforced by consensus.
Two pools, side by side
This pool proves with Groth16 — tiny proofs you generate right in your browser. Kaspa L1 also exposes a STARK precompile, so there's a second, post-quantum pool with no trusted setup. Same privacy; different tradeoffs.
Groth16 pool
available todayProve ownership right in your browser — secrets never leave your machine. Tiny proofs, cheap verify. The pragmatic choice for private KAS now.
Post-quantum pool
future-proofA hash-based STARK with no trusted setup — its security survives a quantum adversary. Heavier proofs, proven locally. The high-assurance choice.
| Groth16 | Post-quantum | |
|---|---|---|
| Precompile | 0x20 · BN254 Groth16 | 0x21 · RISC Zero STARK |
| Trusted setup | per-circuit ceremony | none — transparent |
| Post-quantum | no — pairing / elliptic-curve | yes — hash-based |
| Proof size | ~128–256 bytes | ~217 KB |
| Node verify cost | 140k grams | 250k grams |
| Where you prove | in your browser (WASM) | locally / prover service (~min) |
| Best for | everyday private transfers | future-proof, high-assurance |
Neither is strictly better — that's the point. Groth16 gives you tiny, in-browser proofs today; the STARK pool trades proof size and prove-time for a transparent, quantum-resistant setup.
Where this demo is
Testnet-10 only · unaudited prototype · prototype cryptographic parameters · not for real value. Built as open research from the kUSD covenant work; source opens with the framework release.