"Make Everything Totally Anonymous" — A Research Proposal for Kusama

Last year, Gavin Wood was asked what one thing he’d fix about Polkadot. His answer: “I would make it entirely shielded. … Stick everything in ZK. … Make everything totally anonymous.”

Referendum 573 committed Kusama to an independent JAM chain — 32 cores, 1-second blocks, a configuration tailored to Kusama’s scale. When I asked whether that independence was real or nominal, W3F answered with the Kusama Vision bounties: ZK as one of three named priorities, with funding for optimized ZK libraries, private governance, and private DeFi. The founder wants this. The ecosystem is now funding it. The question is no longer whether to build privacy infrastructure on Kusama — it’s how.

I’ve spent the last few weeks researching that question and published the results under the working name Kage (影, “shadow” — a nod to Kusama’s Japanese roots) — just a codename for the research, not a brand. The full document is on Codeberg.

A project this broad — spanning cryptography, execution environments, migration mechanisms, governance — will have errors. I’ve almost certainly made some. Finding them now is the first step toward a plan that actually works. Anything left uncovered will bite hard during implementation.

The Proposal

A UTXO-based shielded pool overlaid on Kusama’s account model. Users deposit KSM into the pool, where amounts, senders, and receivers are hidden behind Halo2 zero-knowledge proofs. The chain verifies transactions are valid — no double-spending, amounts balance — without learning anything about them.

Zcash’s viewing key hierarchy gives users control over disclosure. Share an incoming viewing key with an exchange for deposits. Share a full viewing key with an auditor. No backdoors, no master keys. This is the “pragmatic privacy” model that regulators and cypherpunks can both live with.

The endgame is a governance vote to migrate all KSM balances to private — the first NPoS blockchain with mandatory privacy. That’s years away, and each phase delivers standalone value before we get there.

Standing on Shoulders

This proposal doesn’t emerge from a vacuum. @GENGE’s Make Anonymity Coherent Again laid the architectural groundwork — UTXO/nullifier models, the case for a canonical privacy service in JAM. @sourabhniyogi then demonstrated a PoC where Rust compiled to PVM via polkatool handles ZK proof verification at 75-100M gas with the recompiler — making the additional host functions originally assumed necessary redundant. @RustSyndicate’s Kusama Shield proved a shielded pool can work on Asset Hub today, while revealing Solidity’s limits — Poseidon hashing alone consumes 70% of the block budget. The question is whether the Solidity path can reach the scale needed, or whether those findings point toward building natively in Rust on PVM from the start — where the 17.7x efficiency gain and the path to mandatory privacy both become possible.

This research brings those threads together into one proposal: specific cryptographic choices, gas estimates validated against JAM DUNA’s benchmarks, a JAM service architecture, migration mechanism, and a three-track roadmap.

Why the Tech Works Now

The cryptographic stack is Zcash’s Orchard protocol — Halo2 IPA proofs on Pallas/Vesta curves, Pedersen commitments, Poseidon hashing. No trusted setup ceremony. Battle-tested on Zcash mainnet since May 2022.

The execution environment is validated. JAM DUNA’s Orchard service compiles Halo2 verification to PVM and runs it. PolkaVM’s recompiler runs within 1.3-1.7x of native execution time — not the 50-100x slowdown you’d expect from a VM. On 32 Kusama JAM cores, conservative estimates — accounting for deserialization, witness checks, and overhead beyond raw verification — put throughput at 256-512 private TPS. With proof aggregation via Tachyon’s Ragu PCD framework, that scales to 12,800-51,200 TPS.

And the regulatory environment has shifted. The Fifth Circuit ruled immutable smart contracts aren’t sanctionable property. Vitalik published an L1 privacy roadmap for Ethereum. Privacy isn’t fringe anymore.

The Hard Truth

Every privacy project in Polkadot/Kusama has failed or pivoted.

TEE-based approaches are fragile. Privacy-only parachains struggle for adoption. Most of these projects never got far enough for the cryptography to be tested — the failures were strategic, not mathematical.

But there’s a harder problem than any of those failures: the anonymity set. A motivated community could reach k=1,000 deposits — the challenge is growing far beyond that and sustaining it. 44% of Tornado Cash deposits had their anonymity compromised through heuristic analysis, despite a much larger pool.

I won’t pretend this is solved. Multi-asset pooling, XCM bridging, and incentivized shielding help. But the real answer is making privacy the default — not an opt-in feature nobody uses. Monero did this in 2017. It worked. Kusama, with its governance sovereignty and appetite for experimentation, is the one chain in this ecosystem positioned to attempt it.

Three Tracks, Not One Bet

Track A — Substrate. Build the pallet architecture and prove it on testnet while JAM is in development. Mainnet deployment depends on Pallas/Vesta host function support in polkadot-sdk (available via arkworks-extensions but not yet merged) — without it, Halo2 verification in WASM exceeds the block budget.

Track B — JAM. Port to PVM when JAM launches. 32 cores, parallel verification, architecture validated by JAM DUNA’s working Orchard service.

Track C is where it gets interesting. Replace Halo2 with Tachyon’s Ragu for proof aggregation — 50-100x throughput. Evolving nullifiers enable state pruning, critical for JAM where storage is deposit-priced. The proposed architecture abstracts the proving layer behind a trait boundary to enable this swap without rebuilding the application layer. The shared primitives (Pallas/Vesta, Pedersen, Poseidon) make it feasible.

Each track is independently valuable. If JAM is delayed, Track A still produces a tested pallet and the host function groundwork for Substrate-based privacy. If Tachyon takes longer than expected, Tracks A and B still provide hundreds of private TPS.

This is a research proposal, not a product announcement. The full research covers the cryptographic stack in detail, PVM gas estimates, JAM service architecture, the migration mechanism including private staking via Penumbra-style delegation tokens, and a 10-phase roadmap.

The research is at a point where it needs scrutiny more than polish. If you see holes in the approach — or want to help turn it into code — bring it to this thread.

codeberg.org/hantoniu/kage

Have you read the Zexe paper? https://eprint.iacr.org/2018/962.pdf I think its important to think of use cases beyond utxo, like how can i make a private system remark?

How can we have privacy for generic PVM compute?

But also I think programmable generic privacy(especially allowing developers to access private states in there smart contracts would be really cool) is the way forward have you looked at aztec or https://aleo.org/?

You’re pointing at the key design question — whether a UTXO shielded pool is the ceiling or just the starting point. It’s the starting point.

The model I keep coming back to is Zexe — programmable records with birth/death predicates. Each note carries constraints on how it’s created and consumed, proven in ZK. Taiga (Anoma) explored the same idea with Halo2. The approach extends naturally from simple transfers to a wide range of private operations without redesigning the base layer.

Your system remark example is a good test case. A death predicate emits a commitment of the remark content to on-chain state via Accumulate. The sender is hidden behind a nullifier and ZK proof of authorization. The chain records that some remark was anchored — neither author nor content is revealed. Same mechanism covers governance votes, time-locked notes, multi-sig, DEX orders. Everything shares one Merkle tree, so a simple transfer and a governance vote live in the same anonymity set.

One thing that makes this viable on JAM: SNARK verification cost is roughly constant regardless of what was proven. A proof of a simple transfer and a proof of a governance vote with time-lock and multi-sig both cost ~200-600M gas to verify. The complexity shifts to the client-side prover.

Aztec and Aleo both validate the direction — UTXO/note model, client-side proving, dual public/private state. Aleo’s transition/finalize maps directly to JAM’s Refine/Accumulate. But generic private compute (proving arbitrary PVM execution in ZK) isn’t in production anywhere yet. Programmable predicates cover the practical 80%: governance, DEX, credentials, conditional transfers.

Your question pushed me to write up the full programmable records analysis — I’m adding it to the research document. The immediate design decision: reserve app_data fields in the note structure now and design the proof abstraction to support nested verification from the start, so Phase 1 circuits don’t get thrown away when predicates arrive.