KASPA

← Zero-Knowledge on L1·Post-quantum pool →·Testnet demoPrototype · not for real value

KAS Shielded Pool

Deposit KAS into a shared pool; withdraw the same amount to a fresh address by proving “I own an un-spent deposit” in zero knowledge — without revealing which one. No mixer operator, no custodian, no trusted server: the proof is verified by every Kaspa node, and you can check the pool's solvency yourself, live, below.

Try it — three steps

Deposit, withdraw to a fresh address, and verify on-chain that the two can't be linked. Everything — generating notes, proving, signing, submitting — happens in your browser; no server ever holds your key. You just need a testnet-10 key with a little TKAS (from the faucet).

How it works

1 · Deposit

You publish a commitment — a hash of two secrets only you know. The pool adds it to a Merkle tree and takes a fixed amount of KAS. Cheap, and it reveals nothing about you.

2 · Wait

Your deposit joins everyone else’s in the same tree. The longer you wait, the larger the anonymity set your later withdrawal hides inside — the whole tree, not a fixed handful.

3 · Withdraw

From a fresh address, you submit a zero-knowledge proof that one of the tree’s commitments is yours and hasn’t been spent. The pool pays out. Nobody — not even the pool — can link it to your deposit.

Anonymity set
the whole tree

not capped at ~3 like a coinjoin

Double-spend
nullifier-proven

each note withdraws exactly once

Relaying
trustless

anyone can broadcast; nobody can redirect

The live cycle on this pool

These four transactions are the pool above, moving under real consensus on testnet-10 — one covenant lineage, genesis to private payout. Open any and check the inputs consumed and outputs produced:

genesis
pool created (committed keys baked) · 5 TKAS
e1e853a760f1
deposit
commitment added · pool → 6 TKAS
9d2406296abe
screen
2-of-3 governance advances the approved set
e878ea30fc76
withdraw
committed-key ZK proof, private payout · pool → 5 TKAS
0c0f71804859

How to verify the pool without trusting anyone

  1. Start at the genesis transaction and follow output 0 — the pool continuation — from tx to tx. The inspector above does exactly this walk against a public node.
  2. Every box in that chain carries the same covenant_id (070a4eef8c81): that's the pool's identity, proving each box is the real continuation and not an impostor.
  3. Each deposit adds one denomination (+1 TKAS), each withdrawal removes one (−1 TKAS) and pays a fresh address. The tip box's balance = total un-withdrawn deposits.
  4. Every withdrawal carried a valid Groth16 proof — the node rejected any that didn't. Solvency and privacy aren't asserted here; they're enforced by consensus.

Two pools, side by side

This pool proves with Groth16 — tiny proofs you generate right in your browser. Kaspa L1 also exposes a STARK precompile, so there's a second, post-quantum pool with no trusted setup. Same privacy; different tradeoffs.

Groth16Post-quantum
Precompile0x20 · BN254 Groth160x21 · RISC Zero STARK
Trusted setupper-circuit ceremonynone — transparent
Post-quantumno — pairing / elliptic-curveyes — hash-based
Proof size~128–256 bytes~217 KB
Node verify cost140k grams250k grams
Where you provein your browser (WASM)locally / prover service (~min)
Best foreveryday private transfersfuture-proof, high-assurance

Neither is strictly better — that's the point. Groth16 gives you tiny, in-browser proofs today; the STARK pool trades proof size and prove-time for a transparent, quantum-resistant setup.

Where this demo is

doneCovenant + proofs run under real consensus on TN10 (deposit, withdraw, double-spend rejection, anonymity set).
doneP0 concurrency frozen: an 8-deep deposit-root ring (a withdrawal survives interleaving deposits) and fee-from-delta withdrawals (trustless relaying).
liveThe N=8 KAS pool is live on testnet-10 with a full genesis → deposit → withdraw cycle driven on-chain — the inspector above walks its real lineage from a public node.
nextP1: committed Poseidon parameters + a trusted-setup ceremony (the live pool runs prototype dev parameters).
nextInteractive deposit/withdraw in the browser (client-side proving via WASM — your secrets never leave your machine).
laterExternal audit. Only then is any of this considered for real value.

Testnet-10 only · unaudited prototype · prototype cryptographic parameters · not for real value. Built as open research from the kUSD covenant work; source opens with the framework release.