The Ghost DAG: Zero-Handshake Coordination on Kaspa
Metadata Obfuscation, Dual-Key Stealth Addresses, and the Art of the Economic Burn
Update 4/7/2026: Thanks to Shai’s post here, I now know that Quantum PCs can break "discrete log assumptions" which both the Shamir Three-Pass Protocol and the Pohlig-Hellman algorithm rely heavily on.
In my previous post, we looked at Shamir’s Three-Pass Protocol the “Ultimate Non-Agreement Protocol” that lets Alice and Bob swap data without ever creating a shared secret. However, having a locked box is irrelevant if the mailman (the DAG) tells the world exactly who is sending mail to whom. On a public, immutable ledger, transparency is the default. To achieve true privacy, we have to work around the ledger itself.
To achieve as close to 100% privacy as a transparent DAG allows that defeats all practical chain-analysis today, a system must satisfy the Cryptographic Trinity:
Confidentiality: No one can read the content. Solved by the Pohlig-Hellman Cipher within our 3-pass context.
Anonymity: No one knows who is talking. Solved via Dual-Key Stealth Addresses (DKSA).
Untraceability: No one can link multiple messages together. Solved through Fuel-Chaining and behavioral jitter.
If you miss even one of these pillars, the trust model encoded in your data becomes externally analyzable by state actors, chain analysts, or automated adversaries.
So far, I’ve seen kloak and SolCipher_Kaspa for privacy solutions on Kaspa. SolCipher is a DAG-optimized privacy mixer for Kaspa that uses one-time stealth addresses, Pedersen commitments to hide amounts with decoys, and achieves privacy in seconds through parallel mixing across multiple DAG paths. I’ve yet to see any details about kloak, but I’m looking forward to it.
The Genesis Problem: The Silent Scrape
Before Alice can send her first ghost transaction, she needs Bob’s scanning key. If Bob sends that key directly to Alice via email or DM, the relationship is doxed before the first message is even sent. To stay a ghost, the key exchange must be a “Silent Scrape”, not a “Loud Handshake”.
There are three primary ways to advertise keys without leaving an audit trail:
The Public Registry: Bob posts his scanning key to a DApp/decentralized phonebook on the ledger. Because thousands of users query these registries daily, Alice scraping Bob’s key is a silent act that leaves no trace of a specific relationship.
The Steganographic Post: Bob hides his key in plain sight like a GitHub Readme, a social media bio, or metadata in a public image. To the network, Bob is just updating his profile. To Alice, it’s the coordinate for a dead-drop.
Physical Out-of-Band (OOB): Alice and Bob swap keys via QR code in the real world. There is zero digital footprint; the first time the DAG sees them interact is when the first message is sent to a ghost address.
The Ghost Overlay: Implementing DKSA
The biggest smoking gun on a public ledger is the static address. If Alice sends to Bob’s main wallet, the relationship is documented forever. The fix is Dual-Key Stealth Addresses (DKSA).
Since Kaspa’s base layer doesn’t natively support stealth scanning keys in its address format, we implement this as an Application-Layer Protocol. We aren’t changing the consensus; we are riding on top of it using the transaction payload as a signaling channel.
How the Ghost is Built
The Setup (Bob’s Silent Beacon): Bob generates a private scan key (v) and a public scan key (V). He publishes V once. This is his ghost xPub which gives Alice the coordinates to find him without revealing his balance. Crucially, the scan key allows Bob to see incoming messages, but it cannot spend funds; a separate spend key is required to move the KAS fuel.
My understanding is Kaspa doesn’t natively have this baked-in to the protocol, but it provides the necessary secp256k1 primitives and extensible transaction metadata to support a non-custodial Overlay Protocol. We are essentially leveraging Kaspa’s robust cryptographic foundation to implement a privacy layer that remains fully compatible with the existing network.
The Handshake-less Send (Alice to Bob): Alice generates a one-time Ephemeral Keypair (r, R). She calculates a Shared Secret (ss) by combining her private (r) with Bob’s public (V). She then derives a One-Time Public Key (P). She creates a normal transaction to address (P) but hides her Ephemeral Public Key (R) inside the transaction payload.
The Stealth Scan (Bob’s Radar): Bob’s wallet runs a lightweight, resumable scanner that walks the DAG from a user-configurable checkpoint (genesis or any recent blue-score/timestamp), making recovery after device loss seamless and efficient.
Bob’s wallet acts as a passive radar. It watches every incoming transaction with the protocol’s specific tag. It pulls (R) from the payload and solves the math using his private scan key (v). If the result matches address (P), the wallet identifies the output as his.
The “Decoy” Scrape: If it's a searchable on-chain DApp where queries themselves are public or metered. The protocol should automatically scrape about 50 random “Beacons” from the registry every time it checks for Bob’s. This creates a “Denial of Intent” for the observer.
To an outside observer, this transaction is a dead end. Address (P) has no mathematical connection to Bob’s main wallet, and the payload (R) looks like random cryptographic noise to anyone without Bob’s private key. They don’t use a shared secret, but rather a shared map.
Fuel-Chaining and the Economic Burn
An audit trail usually forms when a user pays for a reply. If Bob uses his main wallet to pay the gas fee for Pass 2 of a 3-pass swap, he links his identity to the ghost address. We solve this with Fuel-Chaining.
Alice sends enough Kaspa in Pass 1 to cover the fees for the entire conversation. Bob uses that Kaspa to fuel his reply in Pass 2. By Pass 3, the Kaspa has been almost entirely consumed by miner fees. The remaining dust, less than 0.20 KAS, is intentionally left behind.
In a standard wallet, you would eventually consolidate these tiny dust UTXOs. In a ghost protocol, you don’t. Consolidating is a smoking gun that links your past ghosts into a single identifiable cluster. Instead, we embrace the “Economic Burn.” The Kaspa is a sacrificial pawn; you burn a few cents to buy mathematical invisibility.
Defeating AI via Environmental Mimicry
By 2026, AI-driven chain analysis has become incredibly good at probabilistic linking. If your protocol behaves predictably, it creates a fingerprint. To stay hidden, we must inject Jitter and Noise into the system.
Temporal Jitter: AI looks for “A followed by B.” To break this, Alice should wait a randomized duration after scraping the key before sending the first ghost TX. The longer the better with 40+ minutes being ideal.
Value Jitter: If the “Economic Burn” is always the same, it’s a fingerprint. The protocol should calculate a random dust goal for every transaction, making these look like thousands of unrelated, forgotten UTXOs.
If your goal is purely to break the chain, meaning there is zero mathematical link between your real identity and your ghost activity. Then you can skip these last 3 bullet points, but if you want the protocol to be resilient against profiling then continue. It is the difference between being “untraceable” and being “identifiable as a privacy user.”
The Stitch & Burn: To blend into network noise, the transaction should include a “Stitch” which is a tiny, random donation to a high-traffic address like a top miner/exchange or the Kaspa Dev Fund. To an observer, Alice just looks like a random user tipping the network.
The Clown Suit Problem: If only ghost users tip, the tip itself becomes a signal and the user stands out like the user is wearing a clown suit. The protocol must perform “Environmental Mimicry.” This requires each user to have two separate wallets, a ghost only one and a decoy that fuels the mimicry. Ideally, the decoy should be funded through a different mining block or a separate P2P swap than the ghost wallet. This can be done by occasionally performing a “Self-Send” (consolidating two tiny UTXOs) or a “Market Simulation” (sending a tiny amount to an exchange). The AI shouldn’t see a privacy user; it should see a bored retail user or a developer testing.
The “State-Actor” Problem (Deep Analysis): AI can still find patterns, especially if the AI is looking at the entire history of the DAG, it’s looking for consistency.
Don’t just stitch every time. It should have a 50% “No-Stitch” Probability.
Half the time, Alice sends a “Pure ghost” transaction (no tip).
The other half, she sends a “Noisy ghost” (with a tip).
By fluctuating the behavior, you lower the AI’s Confidence Score. If the AI can’t be 99% sure that a tip means a ghost user is present, it can’t legally or practically act on that data.
The Catch: The Genesis Funding Problem
The final hurdle is the entry point. To initiate a conversation, someone must have some Kaspa. If you fund a wallet from a centralized exchange, you’ve created a traceable link.
If you want to be a ghost in the system, you have to remove the central authorities at every step. A hardened plan to mine non-KYC Kaspa might look like this:
Use Cash or Acquire non-KYC crypto:
Instead of an exchange, use a P2P platform (like Bisq) or a Bitcoin ATM that doesn’t require ID for small amounts.
Swap that crypto for a high-privacy coin (like Monero) using a non-KYC swap service (like ChangeNOW or a DEX).
Buy Miner: Find a provider or secondary market seller (e.g., on a forum or specialized marketplace) who accepts cash/crypto and is willing to ship to a PO Box or a commercial mail receiving agency (like a UPS Store) where you aren’t required to use your residential address. If you’re really paranoid you could possibly hire a homeless person to pick up the package for you. Hire multiples and use dead-drops to really make things interesting. 🤣
The Mining: Once the ASIC arrives, run it on a VPN-enabled router so the network/mining pool never sees your IP address.
Not interested in mining? Using a mixer is where the plan gets risky. By 2026, AI-driven chain analysis has become incredibly good at probabilistic linking.
Time-Correlation: If you put 1000 KAS into a mixer and 998 KAS comes out 2 hours later to a new address, AI flags that as a high-probability link.
Change Addresses: Mixers often leave dust or specific patterns in how they structure transactions that AI agents can recognize.
The Counter-Move: To beat this, you’d need to leave the funds in the mixer for a long time, withdraw them in small, irregular batches, and mix them with other assets.
Final Verdict
By partitioning KAS for “ghost messaging” and treating it as a consumable fuel rather than an asset, we break the audit trail entirely. We have moved from a traditional “Key Agreement” to a Zero-Handshake Ghost Exchange.
If you want to be a ghost that AI/chain analysis could potentially identify as a ghost (but not your real identity), then you must not only mine your own fuel but also broadcast through Tor or a high-obfuscation VPN. The goal is not to look 'Normal'; the goal is to be Mathematically Unlinkable.
If you want to be an unknown ghost, you can't just be invisible, you have to look like something else. If you don't perform "Civilian" actions (like consolidating, sending to exchanges, or accidental dust-clearing), you are effectively wearing a sign that says "I am a Privacy Specialist.”
