#HASH is designed to reward Kaspians for marketing #Kaspa.
The more valuable the reward though, the more entry points you'll need.
Operators, Vanguards, Legendaries and Mythics all contribute different point values, meaning every NFT you hold opens new reward opportunities.
Crypto gave individuals sovereignty. Staghunt is betting the next frontier is the group version: coordination markets.
Read more at our latest thought leadership in partnership with @hashdag
https://t.co/VJQ15N0ka0
@RuiPinto_FL Ou ficaram sem colhões depois da temporada, ou o Martinez os capou , houve muita falta de coragem por parte dos “melhores do mundo “ nas suas posições .
To finish the series: - Deterministic chain-seeded genetic computation.
We ran a chain-seeded genetic optimiser for 32 generations and proved every single step in zero-knowledge, then folded all 32 proofs into one. The whole lineage verifies on Kaspa in a single transaction, post-quantum. You can open the tx and check it yourself.
What it is: a tiny program, an evolutionary search over a 16-value genome , that mutates and selects for a lower-cost circuit design, seeded by the Kaspa chain. Over 32 generations it drove its target circuit's scored constraint count down (best target ~72 → ~50; trending down, though it's a sawtooth it rotates through three circuit types).
The part that matters: every one of those 32 steps ran inside a zero-knowledge VM and was proven correct a step that didn't compute correctly simply won't verify. Then all 32 step-proofs were folded into ONE. That proof is 222 KB exactly the size of a single step, and it stays that size no matter how many generations you add. (The catch, stated plainly: folding more generations costs the prover more time; only the final proof size is constant.)
Kaspa verified the entire 32-generation lineage in one transaction: 7504fa32f74aa028301290299276a707cf98ffc2766b1be0daed4c5c41883f15.
Flip a single byte of the proof and the network rejects it, we tried; it's rejected.
And the verification path is post-quantum: hash-based the whole way (FRI/Poseidon2 + SHA-256), no elliptic curves or pairings anywhere nothing Shor's algorithm targets.*
What this is and isn't: It's a feasibility experiment on testnet. It's deterministic, chain-seeded genetic computation not AI, not intelligence. We drive each step and proved a fixed lineage we chose; it does not yet run itself on-chain (that's the next build).
The core, though, is real and checkable: a program's entire computational lineage 32 generations proven correct, post-quantum, verified by Kaspa in a single shot.
*STARK security rests on hash assumptions plus the Fiat-Shamir heuristic, not on any pre-quantum hardness.
A follow-on to the post-quantum signature work on Kaspa. We've now reached past signatures to the harder half of the problem and have a first result on testnet 10.
The PQ UTXO-commitment accumulator:
In plain terms: protecting your coins has two halves. One is the signature that proves you authorised a spend, we showed the NIST post-quantum signatures (ML-DSA, SLH-DSA, Falcon) can be checked on Kaspa. The other half is the ledger's running summary of who owns what. Kaspa builds that summary with MuHash, which isn't quantum-safe, and it's the harder half to fix.
This experiment swaps that summary for a quantum-safe one, a hash tree and shows two things on testnet. First, you can prove a change to it (a coin spent, a coin created) and have Kaspa's nodes check that proof. Second, for one specific update we hardcoded in advance, the summary advanced only when a valid proof of that update was presented and the network rejected both a faked proof and an attempt to divert the coin elsewhere. (It does not yet accept arbitrary updates that's the next, harder step.)
It's a feasibility experiment, not a finished feature. It isn't in consensus, proving one update is slow (~25 min on a basic laptop), the transition is pre-wired rather than general, and we're not claiming to have replaced MuHash. Just showing the harder half is reachable with the same tools that handled the signatures.
The detail, for those who want it:
Why MuHash is the hard part: it commits to the UTXO set with cheap incremental updates (add = a multiply, remove = a divide). But its security reduces to a discrete-log-style assumption, and Shor's algorithm breaks discrete log so the speed comes from structure that isn't post-quantum. The conservative swap is a hash-based Merkle tree: quantum-safe on SHA-256 alone, but you lose the cheap updates.
ZK closes that gap. We model the UTXO set as a 256-deep sparse Merkle tree and prove one transition remove the spent coin's leaf, add the created coin's leaf, old root → new root , entirely in hash operations, in a zkVM. Nodes verify that update succinctly, with cost independent of the set's size while proving stays expensive (~25 min), which is exactly the open systems problem.
We also enforce it as on-chain state, for one transition. The root is committed in a covenant's state; spending it requires (1) the single output to be the pre-committed successor state, and (2) a valid transition proof for the (R_old → R_new) the redeem commits both checked on-chain. On TN10 the advance confirmed: the covenant forced the coin to the successor and required the proof. A coin sent to the wrong successor was rejected by the covenant's destination check; a tampered proof was rejected by the ZK verifier two independent gates, two distinct failures.
Honest scope, plainly: the successor is pre-chosen the redeem hardcodes the next state's address and the journal. So the proof's new root and the destination's new root are equal by construction, not cross-checked on-chain (both sit inside hashes). This enforces one fixed transition, not a covenant that accepts any valid successor, that needs more machinery. The leaves are abstract too, so this proves the mechanism, not an update to Kaspa's live UTXO set. Residual assumptions are symmetric-primitive: SHA-256 under Grover, plus Fiat-Shamir soundness in the QROM not discrete log. The verification path has no pairing, no lattice, no Shor-breakable assumption. Not a MuHash replacement; doing this at block-rate in consensus is wide open.
On TN10: Accumulator transition verified: bfcad4dd0561706dd3e423a991ddb8406de1d3e16547ed9ba441dd4f659d6a34
State advanced (R_old → R_new) 0a34fb1c3e40b26d1e546bbb7ea3710f779c0d2e2285f8a7fec977ca01e93da8
This is the lattice/ZK lane, now reaching toward the commitment layer.
Some notes:
"No conjecture?" → We avoid Shor-breakable assumptions. Residual: SHA-256/Grover + Fiat-Shamir-in-QROM heuristic, a much better PQ footing than discrete log, not zero assumptions.
The accumulator and ZK-Merkle-update are standard; the demonstration is a PQ-secure commitment with on-chain-verified, on-chain-gated updates running against Kaspa's deployed opcode. Engineering feasibility, not a new primitive.
On-chain we enforce (a) the output is the pre-committed successor and (b) a valid proof for the committed journal exists. The two roots are equal by construction (we wrote the same R_new into both, publicly verifiable), not cross-checked on-chain, both are inside hashes. Making the covenant accept ANY valid successor (extract/verify R_new trustlessly) is the next step.
So it's just an anchored proof dressed up as a state machine? → The advance is more than the anchor: the covenant forces the coin to the successor state AND requires the proof — wrong destination and tampered proof each fail, at different layers. It's ONE pre-wired hop, not a general machine, we say that plainly.
Verification cost is independent of the UTXO-set size; proving stays ~25 min (the open systems problem). We don't claim O(1).
MuHash isn't weak because it's homomorphic. → Yes, and this post says so: weak because its security reduces to discrete log, which Shor breaks. The homomorphism is just why updates are cheap.
If you managed to get this far, we hope you found this interesting.
📢 RENT CARS WITH KASPA 🚗💨
You can now book car rentals from 1,700+ top suppliers with $KAS payments @kaspaunchained
📍 50,000+ pickup locations worldwide
Kaspa accepted here
BOOK NOW: https://t.co/bUoqkZZa7T
All three NIST post-quantum signature schemes - two finalised standards and one still in draft (FN-DSA) - now verify inside a zkVM and are checked on-chain on Kaspa testnet, each with a tamper control. No pairings anywhere.
Same pipeline for all three: verify the signature in a RISC Zero zkVM → compress to a succinct STARK (FRI/Poseidon2) → a Kaspa node verifies the STARK on-chain via the KIP-16 ZK opcode. No Groth16.
• FIPS-204 - ML-DSA-44 / Dilithium (lattice).
b7add3df69d54ca96b171771d92cad300d231504ed80ea55a9873edb08094eca
• FIPS-205 - SLH-DSA / SPHINCS+ (hash-based).
01f747bc0e559bb7080d3e77dae8a4c1902545da1d97b55a9b37be90870f2342
• FIPS-206 (draft) — FN-DSA / Falcon-512 (lattice/NTRU), Pornin's implementation.
aec459a84600caa13f6ce2c13104285c1b55c8cb8a986340bf5c135b65f15bc3
And one step past verifying signatures: a PQ-secured UTXO - a coin that moves only with a valid ML-DSA signature over that exact spend. The covenant rebuilds the signed message from the transaction itself (introspection), so the funds can't be redirected, and the proof is bound to the specific funding transaction it signed.
e33a1332e72266f361b6276449c6b3273bbb03a6fe1caff4d7db71f56806ff90
We replayed that proof against a second coin at the same lock; the node rejected it, and that coin still sits unspent at the lock - the on-chain proof the replay couldn't move it:
31366d00a6eee4f36e04d977e34812f07c5adc86f580e934ba35e3ef5b855920
zkVM cost spans ~15×: Falcon ~1.8 min, ML-DSA ~8, SLH-DSA ~27 (SLH-DSA is hash-based → thousands of SHA-256 compressions). Each scheme has a negative control - a tampered or replayed proof, rejected on-chain, so it's not a no-op.
Scope, plainly: this is the signature layer, not "Kaspa is quantum-ready" - quantum mining and the MuHash UTXO commitment are separate, harder problems this doesn't touch.
Testnet-10 PoC; transactions are still secp256k1.
Complementary to @Max143672's XMSS - his is the native route.
(Our interns have been busy)
For builders and institutions evaluating settlement infrastructure or programmable money on a high-performance base layer: Every interesting thing about Kaspa is something the EVM structurally cannot do. State is local and linear a UTXO is consumed exactly once.
Composition happens at the transaction level, not through synchronous calls. The chain itself is concurrent by construction (GHOSTDAG).
Execution is gasless, bounded, and total. On top of this foundation, the script engine has been extended with powerful new primitives:
• Transaction introspection • Lineage tracking via covenant IDs in consensus • Native ZK proof verification
These are not layered on top of an account-based, gas-metered VM. They are native to Kaspa’s UTXO + BlockDAG model.
Solidity was designed for the opposite world: global mutable state, reentrant calls, ambient authority, and gas-metered Turing-completeness. Almost every famous EVM exploit is a direct tax on those fundamental choices.
These architectural properties predictable costs, inherent parallelism, and security by design are what make native high-throughput, low-risk programmable settlement on Kaspa particularly compelling for regulated environments, high-speed financial, energy and industrial applications.
Exhausted and happy. 2 days felt like 2 weeks. Nothing beats f2f; so many great convos, insights, updates from the field. Teams in overdrive mode. 1) AI coding is a routine, frontier is multi-model envs and harness 2) Toccata unlocks more than I initially grasped 3) Agents are wallets 4) Sovereignty and interop aren't at odds
We hear the Kaspa community and understand why dynamic address support is important. kaspa:native is technically different from Bitcoin-like UTXO networks such as BTC, LTC, DOGE, etc. Its architecture requires a separate implementation approach, so this feature cannot be added in the same way as for other UTXO-based networks.
That’s why dynamic address support is being rolled out step by step. We started with networks where the implementation of this feature is the same, while Kaspa requires additional dedicated work and validation before it can be delivered properly.
Kaspa is a priority and the team is actively working through the technical scope right now. We’re not putting a firm date on it yet because we want to deliver it right, but the Kaspa community hasn’t been forgotten and we’ll come back with concrete timing once it’s confirmed.
prologue
Taking my dr.’s (Sompolinsky) advice to rest a bit and have fun after Toccata’s release, I started experimenting with argent: a small high-level DSL for multi-contract covenant apps that produces silverscript code.
Please don’t laugh at this definition of “rest” ;) Releasing heavy core consensus upgrades carries a massive burden of mainnet responsibility. Playing with language compilers and application structure is exploratory work. So yes, for some ppl, it might genuinely feel like resting.
---
About three months ago, during the development of Toccata and silverscript, Ori (@someone235) threw a quick sentence at me: “You can implement a mechanism similar to MAST using ICC.”
(Stay with us if you want to understand what MAST is and why Ori was only partially right.)
Around that time, I started playing with complex scripts over silverscript and mostly tried to understand what a complex contract system over the new Kaspa script engine/silverscript could look like (or if one could be built at all). One thing led to another and I started trying to develop a chess game over silverscript. “okay codex, let’s start developing chess, let’s start with a chess game with basic movement rules, no complications. An array of 64 cells representing the board, public keys for black/white, turn, movement. The bare minimum that is still sufficiently complex.”
Of course, the first attempt didn’t go so well. As is fitting for a compiler in its early days, I quickly reached a state where I was the first one walking through certain code paths. This triggered a burst of contributions to silverscript itself and/or finding temporary workarounds.
The second attempt got stuck on the boundaries of the script itself. It turns out that implementing all the game rules for every possible piece plus scan loops statically unrolled to 64 iterations is, how should I put it, not really workable and tends to blow up. I came to the conclusion that the logic needed to be shattered into different contracts, meaning different scripts.
But how do you do that within the boundaries of a game? And what if I want to implement a decentralized chess league with players and scores that persist and update over time?
(By the way, chess is a complex and interesting test case for development, but don’t mistakenly think for a second that this discussion is limited to or aimed at games.)
>>
since many (~4) asked me about the zcash bug - - - earlier this year I had this convo with a zcash core dev:
zk: it's weird that kaspa is pruning past records
me: why does it need to keep 'em?
zk: the whole point of ledgers is to prove correctness of all state transitions
me: the whole point of ledgers is to provide focal points for the consensus state
zk: the whole point...
me: hmm then why did you come work in zcash? you know the Sprout->Sapling counterfeiting bug
zk: Turnstile guarantees that the counterfeit could have been very limited
me: true but you still cannot prove or even reason about correct state transitions besides the total supply cap
zk: that's actually a good point
----
the most hardcore cryptography coin is shifting away from correctness proofs to practical-enough proofs. I believe this is a step in the right+practical direction, yet the paradigm shift should not go unnoticed - -cryptography is giving way to consensus.
if you came to zcash for cryptographic integrity, reconsider. there are many good reasons to root for zcash prospering. zcash is serving a more important role than bitcoin, whose utility for the original mission is by now blurry. cryptographic integrity is/should not be one of those reasons.
----
BTW the bug should definitely have been exploited. I don't know the personal values of Taylor Hornby, and I shouldn't be required to make the effort to learn them. I only know that if I found such an exploit, it wouldn't take me more than a few minutes to tempt myself into printing a longint amount of ZEC and deciding later what to do with it.
I wouldn't necessarily use it to exit the pool immediately and corrupt the supply, I'd wait to see if some portion of the broken pool does not seem to migrate on time (probably lost funds), in which case I would not think twice before claiming the funds myself.
you could argue that no harm done, and you might be right, but then again you are here -- in zcash / in crypto -- for its consensus dynamics, the ability to coordinate interests and convictions across different trust zones around some shared asset; not for some pristine mathematical integrity.