Last year, Gavin Wood was asked what one thing he’d fix about Polkadot. His answer: “I would make it entirely shielded. … Stick everything in ZK. … Make everything totally anonymous.”
Referendum 573 committed Kusama to an independent JAM chain — 32 cores, 1-second blocks, a configuration tailored to Kusama’s scale. When I asked whether that independence was real or nominal, W3F answered with the Kusama Vision bounties: ZK as one of three named priorities, with funding for optimized ZK libraries, private governance, and private DeFi. The founder wants this. The ecosystem is now funding it. The question is no longer whether to build privacy infrastructure on Kusama — it’s how.
I’ve spent the last few weeks researching that question and published the results under the working name Kage (影, “shadow” — a nod to Kusama’s Japanese roots) — just a codename for the research, not a brand. The full document is on Codeberg.
A project this broad — spanning cryptography, execution environments, migration mechanisms, governance — will have errors. I’ve almost certainly made some. Finding them now is the first step toward a plan that actually works. Anything left uncovered will bite hard during implementation.
The Proposal
A UTXO-based shielded pool overlaid on Kusama’s account model. Users deposit KSM into the pool, where amounts, senders, and receivers are hidden behind Halo2 zero-knowledge proofs. The chain verifies transactions are valid — no double-spending, amounts balance — without learning anything about them.
Zcash’s viewing key hierarchy gives users control over disclosure. Share an incoming viewing key with an exchange for deposits. Share a full viewing key with an auditor. No backdoors, no master keys. This is the “pragmatic privacy” model that regulators and cypherpunks can both live with.
The endgame is a governance vote to migrate all KSM balances to private — the first NPoS blockchain with mandatory privacy. That’s years away, and each phase delivers standalone value before we get there.
Standing on Shoulders
This proposal doesn’t emerge from a vacuum. @GENGE’s Make Anonymity Coherent Again laid the architectural groundwork — UTXO/nullifier models, the case for a canonical privacy service in JAM. @sourabhniyogi then demonstrated a PoC where Rust compiled to PVM via polkatool handles ZK proof verification at 75-100M gas with the recompiler — making the additional host functions originally assumed necessary redundant. @RustSyndicate’s Kusama Shield proved a shielded pool can work on Asset Hub today, while revealing Solidity’s limits — Poseidon hashing alone consumes 70% of the block budget. The question is whether the Solidity path can reach the scale needed, or whether those findings point toward building natively in Rust on PVM from the start — where the 17.7x efficiency gain and the path to mandatory privacy both become possible.
This research brings those threads together into one proposal: specific cryptographic choices, gas estimates validated against JAM DUNA’s benchmarks, a JAM service architecture, migration mechanism, and a three-track roadmap.
Why the Tech Works Now
The cryptographic stack is Zcash’s Orchard protocol — Halo2 IPA proofs on Pallas/Vesta curves, Pedersen commitments, Poseidon hashing. No trusted setup ceremony. Battle-tested on Zcash mainnet since May 2022.
The execution environment is validated. JAM DUNA’s Orchard service compiles Halo2 verification to PVM and runs it. PolkaVM’s recompiler runs within 1.3-1.7x of native execution time — not the 50-100x slowdown you’d expect from a VM. On 32 Kusama JAM cores, conservative estimates — accounting for deserialization, witness checks, and overhead beyond raw verification — put throughput at 256-512 private TPS. With proof aggregation via Tachyon’s Ragu PCD framework, that scales to 12,800-51,200 TPS.
And the regulatory environment has shifted. The Fifth Circuit ruled immutable smart contracts aren’t sanctionable property. Vitalik published an L1 privacy roadmap for Ethereum. Privacy isn’t fringe anymore.
The Hard Truth
Every privacy project in Polkadot/Kusama has failed or pivoted.
| Project | What Happened |
|---|---|
| Manta/Calamari | Pivoted to Ethereum L2 — insufficient user base |
| Phala/Khala | Migrated to Ethereum L2 — Intel SGX deprecation killed Kusama deployment |
| Integritee | Shut down — WireTap vulnerability destroyed trust model |
| Raze Network | Never shipped |
TEE-based approaches are fragile. Privacy-only parachains struggle for adoption. Most of these projects never got far enough for the cryptography to be tested — the failures were strategic, not mathematical.
But there’s a harder problem than any of those failures: the anonymity set. A motivated community could reach k=1,000 deposits — the challenge is growing far beyond that and sustaining it. 44% of Tornado Cash deposits had their anonymity compromised through heuristic analysis, despite a much larger pool.
I won’t pretend this is solved. Multi-asset pooling, XCM bridging, and incentivized shielding help. But the real answer is making privacy the default — not an opt-in feature nobody uses. Monero did this in 2017. It worked. Kusama, with its governance sovereignty and appetite for experimentation, is the one chain in this ecosystem positioned to attempt it.
Three Tracks, Not One Bet
Track A — Substrate. Build the pallet architecture and prove it on testnet while JAM is in development. Mainnet deployment depends on Pallas/Vesta host function support in polkadot-sdk (available via arkworks-extensions but not yet merged) — without it, Halo2 verification in WASM exceeds the block budget.
Track B — JAM. Port to PVM when JAM launches. 32 cores, parallel verification, architecture validated by JAM DUNA’s working Orchard service.
Track C is where it gets interesting. Replace Halo2 with Tachyon’s Ragu for proof aggregation — 50-100x throughput. Evolving nullifiers enable state pruning, critical for JAM where storage is deposit-priced. The proposed architecture abstracts the proving layer behind a trait boundary to enable this swap without rebuilding the application layer. The shared primitives (Pallas/Vesta, Pedersen, Poseidon) make it feasible.
Each track is independently valuable. If JAM is delayed, Track A still produces a tested pallet and the host function groundwork for Substrate-based privacy. If Tachyon takes longer than expected, Tracks A and B still provide hundreds of private TPS.
This is a research proposal, not a product announcement. The full research covers the cryptographic stack in detail, PVM gas estimates, JAM service architecture, the migration mechanism including private staking via Penumbra-style delegation tokens, and a 10-phase roadmap.
The research is at a point where it needs scrutiny more than polish. If you see holes in the approach — or want to help turn it into code — bring it to this thread.