ItsKhanOnChain

私たちはしばしば、ブロックチェーンの世界の中で「プライバシーは贅沢である」と言います。ほとんどのプライバシープロトコルは、有名に遅く、使いにくく、リソースを大量に消費するため、現実の統合にとって悪夢のようです。これがいわゆるプライバシーパラドックスです：私たちは分散化を望みますが、チェックアウトカウンターやデジタルゲートで証明が確認されるのを数分間待つことには抵抗があります。
これはDusk（@dusk_foundation）が天井を打ち破ったまさにその場所です。ここがDuskのFORTプロトコルでの作業が思いもよらない成果を達成した場所です—思考そのものの速度でのゼロ知識証明です。

Dusk NetworkとそのKadcastプロトコルについて話しましょう。あなたが暗号とテクノロジーに興味があり、金融におけるグローバルなユーティリティと規制されたセクターに関心があるなら、@dusk_foundationからの$DUSK は間違いなく注目に値します。「それはユーティリティとプライバシーの両方を真に提供するLayer-1ブロックチェーンです。正直なところ、現在は目立たない状態ですが、これが長く続くとは思えません。」
さて、Duskの技術の中で最も賢く、過小評価されている側面の一つについて話しましょう：それはKadcastと呼ばれる独自のピアツーピアブロードキャスティングプロトコルです。正直なところ、これはほとんどのブロックチェーンが抱える古いゴシッププロトコルの実装よりも遥かに先を行っています。

Let’s face it: almost everything we want to do online these days requires far more information than we ought to give out.
Purchasing a concert ticket? Enter your name, email, phone number, and sometimes even your ID scan.
Subscribing to a streaming service? Link a card and the viewing history becomes forever stored.
Future smart cities or IoT type stuff? Could be your location, habits, health info – end up in somebody’s database somewhere.
We're putting our trust in those large organizations (or unscrupulous apps) not to sell, divulge, or develop secret profiles about us, tracking our movements into the future. Most persons are unaware of just how integrated their virtual life currently is.
That is exactly why Self-Sovereign Identity (SSI) feels so exciting right now. The idea is simple: You are in control of your credentials. You can verifiably claim “I'm over 18”, or “I bought the VIP ticket”, or “I completed KYC”, etc. without giving away your entire life story and without some entity being the middleman.
Early this year, a certain paper was published by Xavier Salleras (from Dusk Network) titled Citadel: Self-Sovereign Identities on Dusk Network, which actually tries to solve this in a serious, privacy-first way.
Most NFT-based identity projects today are still far from reaching that ideal.
A lot of teams tried putting tickets, memberships or access rights on-chain as NFTs — more often than not, on Ethereum or similar chains.
You mint NFT, you prove ownership with a zero-knowledge proof, but no one knows what’s inside.
Sounds good, doesn't it… until one looks at it
The information contained in the NFT itself is typically completely public (Token ID, address, date of mint, etc.)Even if the users hide their information, linking between the events or services could deanonymize users still.
Revoking a stolen ticket or a cancelled membership? Very hard without either violating privacy or using a centralized server.
Citadel was designed specifically to fix those exact issues, and it does so by living natively inside Dusk Network, a Layer-1 chain that has been designed for privacy from day one.
How Citadel actually works-the cool part

The Citadel SSI Workflow: Privacy-preserving interaction between Issuer, User and Verifier.
Dusk already has an extremely elegant transaction model called Phoenix; confidential notes — like private UTXOs — with zk-SNARK proofs on every transfer.
Citadel extends that very system to create private NFTs; they call them private notes carrying rights/licenses.
Two Flavors:
Type 2: Semi-transparent NFT (metadata visible, however benefits from Dusk privacy everywhere else)
Type 3: Fully encrypted payload. Only the owner can decrypt the contents (i.e., the ticket details, a signature from the issuer, and the expiry date).
Real-world example:
You want a festival ticketYou send $DUSK payment to the organizer via PhoenixThe Organizer then signs your attributes: (VIP access, valid 3 days, holder over 18)They mint a private encrypted NFT note and send it to a one-time stealth address that you createdThat message remains private on the Dusk blockchain, and no one else can read what is contained thereAt the gate, you generate a zk-SNARK proof showing:
• You own/decrypt this note
• The signature is valid
• The note has not been spent or revoked …all without revealing your identity or the note itself
Why this actually matters?
No on-chain traces that join you across events or services.True decentralized revocation - organizer able to revoke stolen tickets through consensus without requiring access to your wallet.You choose what to reveal, just the word ‘over 18’, ‘VIP holder’, etc., never the actual ticket data itself.Mobile friendly – heavy proof generation can be left to helpers (which Dusk’s approach safely supports).No need for gas wars or wallet linking as in Ethereum.
Imagine 2026
Buy festival tickets anonymously.Get venue access without scanning a QR code that links to your wallet history.Organizer revokes fake tickets without a central server.Same technology that's been used for parking rights, gym memberships, and other regulated DeFi apps and privacy-preserving voting systems.
That is the kind of future that Citadel is pointing to. @dusk_foundation has been working on its own privacy infrastructure, but the Citadel cum RWA tokenization drive, along with the push for MiCA, could make $DUSK one of the cleanest chains for private yet regulated activity. What do you think? Are we finally close to tickets & rights that are both secure and private?
#dusk $DUSK @Dusk_Foundation

Blockchain is always evolving, and this is particularly true when it comes to finding a balance between privacy and the need for regulation and auditing. The traditional blockchains, such as Bitcoin or Ethereum, are all about transparency. You can see the transaction values, the wallet balances, the whole shebang. This is fantastic if you want to be transparent, but not so great if you want to maintain privacy, such as in business or supply chain management.
This is where Haults a protocol developed by $DUSK Network, comes in. It stands for Homomorphic Encryption-based Vaults, and it is a new protocol that has emerged from some new research. The interesting thing about Haults is that it combines homomorphic encryption, zero-knowledge proofs, and smart contracts. When you combine all of these things, you have a system that allows you to maintain the privacy of your balances, even on blockchains that use virtual machines, such as those that are compatible with Ethereum.
Haults provide a very intelligent wallet solution that strikes a balance between privacy and permissioning. They are not like completely anonymous platforms like Zcash or Monero. With Haults, you always know who is participating in a transaction, but you cannot see their balances or what they are sending. This is a good combination if you want to identify users, perhaps for legal purposes, but keep the actual money information private.
Haults revolve around these things called "notes." They’re specialized data structures that contain value, all encrypted. Each note has two encrypted components.
One of them is encrypted with MapRecoverable encryption. Essentially, if you have the right private key, you can decrypt this and read the underlying value.
The other one is encrypted with a homomorphic encryption scheme, MapHomomorphic, which is based on ElGamal encryption over elliptic curves. This one is particularly slick: you can sum up the encrypted balances of multiple notes without decrypting them. That way, you can add up all the values without learning what’s in each note.

Each user has their own Hault keypairs—this is like a set of special keys developed by $DUSK Network specifically for the Hault protocol, and they are completely separate from their blockchain addresses. These keys take care of all the encryption and decryption. There is also an auditor involved in this process, who holds a public key that provides an additional layer of encryption to every transaction. This way, in case there is a need to check compliance or investigate any transactions or even trace lost funds, the auditor can decrypt the amounts. However, this information is not accessible to the common user or the rest of the network, so privacy is maintained.

The core of Haults is based on the transfer protocol. When a user wants to send value w to another user, the following takes place:
First, the sender gathers their notes and calculates their old balance in both plain number form (after decryption) and its encrypted form. They then subtract w from the balance to obtain their new encrypted balance. Next, they make new notes for the recipient, locked under the recipient’s public key, as well as a set for the auditor. To connect all the dots, they construct a zero-knowledge proof that verifies all the steps are valid, including the fact that nothing new is created or destroyed, the old notes are destroyed, and all the encryption is sound, without revealing w or the balances.

The “Hault” smart contract verifies the proof and the public inputs—such as ensuring that the old encrypted sums actually match what’s been stored. It then removes any notes that have already been used and adds new ones to both the sender’s and the recipient’s accounts. This ensures that everything is safe on the blockchain, and at the same time, it doesn’t expose anyone’s private information.
There are a couple of special cases. For minting, the contract owner—basically the issuer—emits new notes through transparent encryption. This means that they set the randomness to zero, so the amount is exposed to everyone. This way, people can check the total supply, but regular notes still hide the amounts. Then you have the force transfers. If someone loses their keys, the auditor can chime in. With their own keys, they prove and complete the transfer, which allows people to get their money back without jeopardizing the entire system.
Haults’ design keeps things simple by using only one transfer circuit for almost all operations. This reduces complexity immensely. The zero knowledge circuit is responsible for a few important tasks: it verifies points on the elliptic curve, ensures that all values remain within bounds so you don’t end up with overflows or funky negative values, keeps homomorphic subtraction and encryption under control, and double-checks that recoverable and homomorphic mappings actually correspond.
This design is based on the basics of elliptic curve cryptography, in which the public key is a point on the curve (pk = sk · G).
But what does this all mean in practice? Haults can support enterprise blockchains, DeFi platforms that operate within the law, or networks where real-world assets are tokenized – areas where you need privacy, but you can’t afford to forget accountability. They avoid the problems that come with completely private blockchains, such as not scaling well or regulators pushing back, but they still maintain a whole lot more privacy than transparent blockchains.
With more and more regulated sectors turning to blockchain, solutions like Haults show the way forward: privacy is baked in from the start, there’s the ability to audit if necessary, and anyone can check what’s happening if they have to. It safeguards user data and helps people actually trust these digital finance systems, even as they come under the microscope. And with zero-knowledge proofs and homomorphic encryption continually improving, you can bet that Dusk Network's Haults-like systems will take privacy-enhanced smart contracts to the next level.
#dusk $DUSK @Dusk_Foundation

Dusk Reinforced Concrete (RC) is a new hash function that is super fast in zero-knowledge proofs (such as ZK-SNARKs or STARKs). It is not like regular hash functions (such as SHA-256). Rather, it is designed to work directly over mathematical fields (prime number fields) so that proofs need fewer multiplications and are much faster.
First, let’s understand this: What is a hash?
A hash is like a machine that takes data of any size and produces a fixed-size “fingerprint.”
This fingerprint is so sensitive that even a tiny change in the data completely changes the fingerprint.
To generate this fingerprint, $DUSK RC uses a sponge construction.
Think of a sponge like this: it soaks up water and then you squeeze it out.
Dusk RC uses the same principle to generate a fingerprint.
Data goes in during the absorb phase, and the hash output comes out during the squeeze phase.
Here’s a simple sponge idea:
Left side: input is absorbed (you keep feeding the message)
Right side: output is squeezed (you extract the digest / hash)

This is simple sponge diagram – the green bit is the rate (where you put in the message), and the red cylinders are the permutation rounds that mix it.
Concrete
This is the linear mixing step.
Imagine there is water in 3 glasses. You multiply them by a matrix, so everything gets mixed together, and then you add a few constants.
This helps changes spread very quickly across the whole state (strong diffusion)
Bricks
This is the non-linear phase (similar to S-boxes).
It employs some mathematical squaring and multiplication to make algebraic attacks (mathematical attacks) extremely difficult.
The algebraic degree is maintained high (5) to make attacks costly and impractical.
Bars
This is the actual Dusk speedup!
A number is broken up into small pieces (e.g., a 256-bit number into 32-bit pieces).
A simple non-linear operation is done on each piece (using a lookup table), and then all the pieces are combined again.
The reason why lookup tables are so cheap in zero-knowledge proofs is why Dusk RC is about 10-15× faster.
This entire concept originates from an SPN (Substitution-Permutation Network):
First, substitute with a non-linear substitution
Then, permute the values
You can imagine a simple round of an SPN like this:
The purple boxes represent S-boxes (non-linear components), and the lines represent permutation and diffusion.

Why is all this important for Dusk Network?
In a regular hash function such as Poseidon, each round has a lot of multiplications, so it is slow in zero-knowledge proofs.
$DUSK RC, due to Bars, replaces many multiplications with tables, so it is much faster.
Also, Bricks + Concrete maintain the high security level, which resists both algebraic attacks and statistical attacks.
To add some extra understanding: have you ever heard of a Merkle tree?
In blockchains, transactions are hashed and put into a tree structure such that the proof is small.
Dusk RC is used in exactly these types of proofs.
This is a simple diagram of a Merkle tree – the data is at the bottom, and as you go up, you combine the hashes step by step.

#dusk $DUSK @Dusk_Foundation

Dusk Network is more than just another privacy coin. It is a conscious effort to create a blockchain on which real-world financial transactions can take place without revealing who is sending what to whom and why. To achieve this, the network relies very heavily on a shortlist of very specific cryptographic primitives: Pedersen commitments, Bulletproofs, EdDSA, bLSAG, BLS signatures, and zero-knowledge proofs in general.
These are not selected because they are fashionable. They are selected because each one addresses a specific problem that cannot be solved by simpler tools (basic ECDSA, basic hashes, basic public keys) without breaking either privacy or performance.
I can take you through each component and explain the real-world need that drove its creation and how they all work together in Dusk’s design.
1. Pedersen Commitments – Hiding values while still being able to prove they add up
Suppose you wanted to send funds on-chain but didn’t want the amount to be visible. However, the network still needs to be able to verify that the total amount of money going in is equal to the total amount of money going out (no inflation, no magic money creation).
A simple public-key encryption scheme would allow you to hide the amount. However, then you could never prove that the two hidden amounts added up to something.
Pedersen commitments exactly solve this problem.
You choose two group elements G and H, where the discrete log relationship between H and G is unknown (in practice, H is computed from G via a hash-to-point so that no one knows the log). To commit to a value x, you compute C = rG + xH.
The "magic" here is:
Hiding: Even if an attacker has unlimited compute power, they can’t figure out x from C (since that would require solving the discrete log problem for H).Binding: You can’t open the same C to two different values (discrete log hardness again).Additive homomorphism: C(x1, r1) + C(x2, r2) = C(x1+x2, r1+r2). You can add commitments without knowing the values.
In Dusk, this is used for every confidential transaction output. The sender commits to the amount they are sending and the amount they are receiving (the change). The network only sees commitments, but it can prove that they add up to zero using the homomorphism. No amounts ever go on the chain in the clear.
Vector Pedersen applies the same concept to multiple values at once (amount + blinding + memo field + whatever else you want to hide together). That’s why the paper presents the vector form – Dusk frequently needs to commit to multiple scalars at once.

2. Bulletproofs – Proving “this hidden number is between 0 and 2⁶⁴” without revealing it
With hidden numbers comes the next challenge: how to prove that the number is non-negative (or within a valid range) without revealing the number itself?
Traditional range proofs (as in old confidential transactions in Monero before Bulletproofs) were massive – several kilobytes per output.
Bulletproofs reduced this to ~2 KB for a 64-bit range, and importantly, without trusted setup.
The key to Bulletproofs’ efficiency is that they prove assertions about arithmetic circuits using inner-product proofs. The prover and verifier both operate on vectors whose inner product represents the range constraint. The proof size is merely logarithmic in the bitsize of the range.
In Dusk, Bulletproofs are used to prove:
The transaction amounts are in [0, 2⁶⁴)Correct computation of the Poseidon hash (used for note commitments) in a circuitVarious other small circuit integrity checks
Poseidon is selected specifically for its suitability for arithmetic circuits (low multiplicative depth), which keeps the Bulletproof circuit small and efficient to prove/verify.
The verification time is linear in the size of the circuit, but since the circuits Dusk employs are very small (primarily Poseidon calls), this remains feasible even on mobile hardware.

3. Signature schemes – the various roles they play in Dusk
EdDSA – efficient, deterministic, non-malleable message authentication
For regular peer-to-peer messages (gossiping, block announcements, and so on), Dusk employs EdDSA on Curve25519.
Why not ECDSA?
EdDSA is deterministic → no bad randomness can reveal the private key.
Twisted Edwards curve provides faster arithmetic and complete addition laws (no special cases).
The signature consists of merely two group elements — very compact and efficient to verify.It is the go-to scheme for anything that does not require anonymity.bLSAG (Back Linkable Spontaneous Anonymous Group signatures) – anonymous spending with double-spend protectionThis is the ring signature variant used for spending notes.
You have a set of public keys (the ring). You prove you know the secret key for one of them, without revealing which one. The signature size is constant, regardless of the ring size.
Linkability is provided by the key-image: a deterministic value computed from the secret key, and key-images are unique for each key. If you attempt to spend the same note twice, the key-images match → double-spend detected.
The “spontaneous” component indicates that there is no setup process, and anyone can choose any ring on the fly. The “Back” component refers to Adam Back’s solution that enabled linkability without compromising anonymity.
This is what enables Dusk to have anonymous transactions like Monero but also allows for double-spend detection on-chain.

BLS signatures – aggregation for consensus
BLS (Boneh-Lynn-Shacham) signatures live on pairing-friendly curves (BN-254 or BLS12-381). The pairing enables aggregation of many signatures into one short signature that verifies against the aggregated public key.
In $DUSK , this is applied in the consensus layer: hundreds of validators can sign the same block, and their signatures are aggregated on the fly, leaving only one signature on-chain. Block size remains small even with thousands of signers.
The drawback is that BLS signatures need a trusted setup for the curve parameters (or MPC ceremony), but after that, it is very powerful.

4. Zero-knowledge proofs – the overall philosophy
All the above building blocks are ultimately employed within larger zero-knowledge proofs.
The zero-knowledge proofs of $DUSK must fulfill three properties (which are explicitly stated in the paper):
Completeness – honest prover always convinces honest verifier.Soundness – cheating prover cannot convince verifier except with negligible probability.Zero-knowledge – verifier learns nothing beyond the truth of the statement.
The explanation for why these three properties are absolutely essential is straightforward: in a privacy coin, the proof is literally the only thing between the user’s financial privacy and complete transparency. If soundness is broken, then someone can print fake money. If zero-knowledge is broken, then the entire point of privacy is moot.
Dusk employs a mix of Bulletproofs (for range and circuit proofs) and other SNARK-friendly methods within its transaction proofs. This means that the observer can see only the proof and the commitments, while everything else remains hidden.

Why this particular set of tools?
It’s not possible to get everything done with one primitive. Pedersen’s gives you anonymity + binding + additivity. Bulletproofs give you efficient range and circuit proofs on top of those commitments. bLSAG gives you anonymity for spending. BLS gives you efficient consensus. EdDSA gives you fast everyday signing. They all combine to create a layered system where each layer solves exactly the problem the layer above can’t solve.
This is why Dusk’s design appears “over-engineered” compared to other, simpler chains – because it’s a harder set of problems to solve. Most other chains have to give up either privacy or scalability. Dusk is attempting to preserve both, and this requires using this particular set of cryptographic tools.
#dusk $DUSK @Dusk_Foundation

ダスクネットワークは、プライバシーを中心に構築されたブロックチェーンで、規制された金融の世界のために作られています。チームはその暗号ツールを慎重に選びました—彼らはプライベートなものを維持したいが、規制当局が仕事をできないほどのプライバシーは望んでいません。同時に、彼らはセキュリティを損なうことなく、スピードと効率を求めています。2024年のホワイトペーパーはこれを明確に示しています: ダスクの暗号技術は、ユーザーが必要なときに匿名を保つことを可能にしますが、適切な監査のための余地も残しています。取引は迅速に完了し、大量のリソースを消費しません。それぞれの暗号ツールがなぜ選ばれたのかを分解し、コンセンサス、取引、そしてすべてをスムーズに運営するためにどのように役立つかを見てみましょう。

ダスクネットワークは別のブロックチェーンではありません。それは存在するものの一つです。特に2026年の今、これは特に当てはまります。ダスクネットワークは実世界の資産を使ったクールなことをしています。彼らはこれらの資産をトークンに変えることを可能にしています。これは、金融がルールや法律とともにより良く機能するための取引です。ダスクネットワークはこれに非常に優れています。彼らはこの分野のリーダーの一つです。ダスクネットワークはこれに取り組んでいます。
ここにダスクを際立たせる本当の理由があります: ダスクは、いくつかのプライバシーコインのように完全な匿名性を追求することはなく、すべてを公開することもありません。その代わりに、ダスクは$DUSK のプライバシーに焦点を当てています。ダスクの全体的な考えは、最初から市場や機関を助けることであり、MiCAやMiFID IIのすべてのルールに従う必要がある人々が、同時に機密のビジネス情報を非公開に保つ必要があるためのものです。それがダスクが達成するバランスであり、正直なところ、このように行っているプロジェクトは多くありません。

If you really want to get what @dusk_foundation is about, you’ve got to look beyond the usual talk around “privacy.” Most blockchains treat privacy like an afterthought—something you slap on later with a mixer or a Layer 2 solution. $DUSK takes a totally different approach. It’s built from the ground up as a privacy-first micro-kernel. That’s not just a fancy label, either. It’s about how the whole thing actually works.
1. How Circuit-Based Computation Changes the Game
The big idea in Dusk’s design isn’t just a tweak to the old way of doing things. Instead of the standard instruction-set model, Dusk uses circuit-based logic. Here’s why that matters: On a regular blockchain, nodes have to re-run code to make sure everything checks out. Dusk flips the script. Its Piecrust VM doesn’t just execute code—it creates a mathematical proof that the code ran exactly as it should. So instead of trusting that each node re-did the work right, you get cryptographic certainty from the start. That’s a pretty fundamental shift.
Here’s the real edge: With Zero-Knowledge Verification, a validator can confirm a transaction is legit without ever seeing the details. That’s a big shift—from everyone peeking into a “public ledger” to a new kind of “verifiable secret ledger” where privacy and trust actually work together.
2. The “Blind Bid” Game Theory
So, why did @dusk_foundation come up with Succinct Attestation (SA)?
The answer hides in the way “Blind Bid” game theory works.
Here’s the thing: In most proof-of-stake networks, you can spot the wealthiest nodes. That paints a target on their backs for hackers and even big state actors.
Dusk flips the script. They use a symmetric cryptographic primitive so a block proposer can prove they’ve earned the right to produce a block, but their identity stays secret—at least until the block’s done. This “Privacy of the Producer” makes it a lot harder to bribe or attack the network. Honestly, even Bitcoin’s mining pools, with all their size, can’t promise that level of censorship resistance.
3. Asynchronous Finality vs. Probabilistic Risk
Most investors miss this, but “finality” is the real sticking point for Real World Assets (RWA).
Here’s why: If you’re trading a $100 million bond on a chain like Ethereum, which only offers probabilistic finality, there’s always a small risk your trade could get unwound in a re-org. That’s a lot of money hanging on a mathematical chance things could go sideways.
The Dusk Solution: SA consensus locks in blocks the moment they’re certified. There’s no waiting around—once a block is attested, it’s set in stone. Why do this? It’s all about meeting those tough Legal Settlement Finality rules from Basel III and other big banking standards.
4. The Phoenix Protocol: Cracking the UTXO vs. Account Model Problem
Dusk doesn’t pick sides. Instead, it brings in something new: Phoenix, a hybrid approach.
Here’s the real issue: Account-based models like Ethereum tie every transaction to your main address, which is a privacy nightmare. UTXO models, like Bitcoin, are much better for privacy, but they fall flat when it comes to running complex smart contracts.
Phoenix changes the game. It introduces a “Private UTXO” setup that actually works with smart contracts. Your transaction blends right in with thousands of others—nobody can pick yours out. It’s more than just slapping on some privacy layer. Phoenix rethinks how data lives on the blockchain from the ground up.
5. Why “RWA” Isn’t Just a Badge—It’s Earned
A lot of projects slap on the “RWA” tag after spinning up a website. DUSK actually earns it, and the key is their Confidential Security Contracts (XSC).
Here’s the big idea: In the XSC framework, the “Compliance Engine” runs separately from the “Transfer Logic.” So, when laws or tax rules shift, a company can update its compliance setup without needing to re-issue every token. That’s real dynamic regulatory compliance. It’s why $DUSK stands alone as the only chain that can keep securities legal and up-to-date for decades, not just a few years.
The Infrastructure You Don’t See
Right now, the market isn’t really valuing institutional-grade privacy. But as we move on from “Transparent DeFi” to real, regulated on-chain finance, the way DUSK has built things—from the Piecrust VM to the Phoenix model—sets it up as the financial backbone nobody else is even close to. Call it the “Financial Kernel” for the next era.
DUSK isn’t just tweaking what’s already out there. They’re not making a faster horse. They’re building the engine for a car the market hasn’t even imagined yet.
#dusk $DUSK @Dusk_Foundation