pith. sign in

arxiv: 2604.04369 · v2 · submitted 2026-04-06 · 💻 cs.CR · cs.ET

DAO to (Anonymous) DAO Transactions

Minfeng Qi , Lin Zhong , Qin Wang This is my paper

Pith reviewed 2026-05-10 20:28 UTC · model grok-4.3

classification 💻 cs.CR cs.ET
keywords DAO transactionsthreshold signaturesstealth addressesblockchain anonymitydistributed key managementmulti-party computationorganizational wallets
0
0 comments X

The pith

Dao² lets one threshold-controlled DAO pay another with optional recipient anonymity while keeping funds under distributed control on both sides.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper formalizes the problem of moving assets between two organizations that each rely on threshold authorization rather than single private keys. It introduces Dao², a framework that lets the sender use threshold signatures to authorize a payment while the receiver derives either a normal child address or a one-time unlinkable stealth address through distributed operations. This closes the gap between how DAOs actually manage treasuries and how existing payment systems assume single-user wallets. The receiver can redeem the funds without any party reconstructing a master secret. A prototype shows that a typical seven-member DAO completes an anonymous transfer in under 27 milliseconds using less than 1.2 kilobytes of communication, with costs growing linearly as group size increases.

Core claim

Dao² combines distributed key derivation for ordinary non-stealth child addresses, distributed stealth-address generation for unlinkable one-time destinations, and threshold signatures so that one DAO can transfer value to another DAO while optionally keeping the recipient anonymous; the receiver redeems the funds without reconstructing any master secret, and the security of the combined process is formally proven.

What carries the argument

The combination of distributed key derivation (DKD), distributed stealth-address generation (DSAG), and threshold signatures that together enable payments without exposing or reconstructing private keys on either side.

If this is right

  • DAO treasuries can transfer funds directly to other threshold-controlled organizations without relying on single-key intermediaries.
  • Anonymous transfers become possible between DAOs while the received funds remain under distributed control on the receiving side.
  • The linear scaling with DAO size makes the protocol practical for groups of modest size such as seven members.
  • Both ordinary and anonymous transfer modes rest on the same formally proven security foundation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar distributed techniques could extend to joint actions between DAOs beyond payments, such as coordinated contract calls.
  • The low communication overhead suggests the method could operate in bandwidth-constrained environments.
  • Widespread use would reduce the need for centralized exchanges when one organization pays another.

Load-bearing premise

The security of the combined distributed key derivation, distributed stealth-address generation, and threshold signatures holds without any participant reconstructing master secrets.

What would settle it

A concrete attack that recovers a private key from the distributed operations during a Dao² transfer, or a measurement showing that communication volume or time grows faster than linearly with the number of DAO members.

Figures

Figures reproduced from arXiv: 2604.04369 by Lin Zhong, Minfeng Qi, Qin Wang.

Figure 1
Figure 1. Figure 1: DAO2 framework. ➀ DKG distributes key shares to each DAO. ➁ The receiver derives a child key (DKD); for anonymous transfers the sender also generates a stealth destination (DSAG). ➂ The sender threshold-signs the payment. ➃ Blockchain validates and confirms the transaction. ➄ The receiver detects the output, recovers one-time shares, redeems via threshold signing, and updates its state. • honest qualified … view at source ↗
Figure 2
Figure 2. Figure 2: End-to-end execution of a DAO2 transaction. The left column covers transaction generation (child-key allocation, stealth-destination generation, threshold authorization); the right column covers receiver-side detection, distributed one-time share recovery, threshold redemption, and state evolution. Cross-phase parameters: chaincode cc(k) , shared secret Ω(k) ↔ Ω′(k) , and Lagrange-based aggregation through… view at source ↗
Figure 3
Figure 3. Figure 3: Per-module computation cost versus DAO size n (t = 2). DKD and threshold signing remain lightweight; DSAG cost grows linearly with n due to per-member EC scalar multiplications. 3 5 7 10 15 20 0 20 40 60 80 DAO size n Latency (ms) Phase I Phase II Total [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: End-to-end transaction latency versus DAO size n (t = 2). Phase I and Phase II have comparable cost; total latency grows linearly and remains below 75 ms even for n=20. Proof sketch. Two observations underpin forward secrecy: 1) One-way chaincode evolution (Lemma 13): each chain￾code cc(k) is derived from the previous one by the HMAC-SHA512 update map, which is computationally one-way by Assumption 1. 2) S… view at source ↗
Figure 5
Figure 5. Figure 5: breaks down the per-transaction communication overhead by protocol component. All sizes assume compressed EC points (33 bytes), 32-byte scalars and hash outputs, and 64-byte ECDSA signatures. DKD metadata (81 bytes: one compressed point, one 32- byte chaincode, and one 16-byte tag) and the two threshold￾signature outputs (128 bytes in total) are independent of n. 3 5 7 10 15 20 0 1,000 2,000 3,000 DAO size… view at source ↗
Figure 6
Figure 6. Figure 6: Computation cost comparison. Standard SA is the single-user baseline (n=1); Plain TS measures threshold signing without privacy. DAO2 adds privacy and key-derivation overhead that scales with n but remains practical. The dominant communication cost comes from the DSAG protocol, where each member broadcasts a commitment and an opening on the sender side, and a public share for verification on the receiver s… view at source ↗
Figure 7
Figure 7. Figure 7: DKD per-derivation cost versus depth k (n=7, t=2). Deriva￾tion time is essentially constant regardless of depth, confirming that the HMAC-based additive scheme introduces no cumulative performance degradation. E. Key-Derivation Depth Scalability [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
read the original abstract

Blockchain assets are increasingly controlled by organizations rather than individuals. DAO treasuries, consortium wallets, and custodial exchanges rely on threshold authorization and multi-party key management, yet existing payment mechanisms still target single-user wallets, leaving no unified solution for organizational transfers. We formalize the problem of \emph{DAO-to-(anonymous)-DAO} transactions and present \textsc{Dao$^2$}, a framework that enables one threshold-controlled organization to pay another, optionally with recipient anonymity, while keeping received funds under distributed control. \textsc{Dao$^2$} combines three components: \emph{distributed key derivation} (DKD) for non-stealth child addresses, \emph{distributed stealth-address generation} (DSAG) for unlinkable one-time destinations, and \emph{threshold signatures} for authorization. For ordinary transfers, the receiver derives a non-stealth address via DKD; for anonymous transfers, it derives a stealth address via DSAG. The sender then threshold-signs the payment, and the receiver redeems the funds without reconstructing any master secret. We formally prove its security and evaluate a prototype. A complete anonymous DAO-to-DAO transaction for a typical-sized (e.g., 7-member) DAO finishes in under 27\,ms with less than 1.2\,KB of communication, and scales linearly with DAO size.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript formalizes DAO-to-(anonymous)-DAO transactions and presents the Dao² framework, which integrates distributed key derivation (DKD) for non-stealth addresses, distributed stealth-address generation (DSAG) for unlinkable one-time destinations, and threshold signatures for authorization. It claims a formal security proof that payments can be authorized and redeemed under threshold control without reconstructing master secrets, along with an optional anonymity property, and reports prototype results showing an anonymous transaction for a 7-member DAO completes in under 27 ms with less than 1.2 KB communication and linear scaling with DAO size.

Significance. If the security proof and composition hold, the work fills a gap in blockchain payment mechanisms for threshold-controlled organizations by extending standard cryptographic primitives (distributed key derivation, stealth addresses, and threshold signatures) to DAO-to-DAO transfers with optional anonymity. The formal proof establishing security without secret reconstruction and the prototype evaluation with concrete performance numbers are explicit strengths that support both theoretical and practical utility for DAO treasury management.

minor comments (2)
  1. [Abstract] Abstract: The claim that the transaction 'scales linearly with DAO size' lacks a supporting table or figure showing measured times across multiple DAO sizes (e.g., 3, 7, 15 members) and should include error analysis or standard deviations for the reported timings.
  2. The acronyms DKD and DSAG are introduced without prior expansion in the abstract; ensure they are defined on first use in the introduction and that the threat model for the security proof is stated explicitly before the proof sketch.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary and significance assessment of our work on formalizing DAO-to-(anonymous)-DAO transactions via the Dao² framework. We are pleased with the recommendation for minor revision.

Circularity Check

0 steps flagged

No significant circularity; derivation combines standard primitives with independent security proof

full rationale

The manuscript formalizes the DAO-to-(anonymous)-DAO transaction problem and constructs Dao² as a composition of three standard cryptographic building blocks: distributed key derivation (DKD), distributed stealth-address generation (DSAG), and threshold signatures. It states that the receiver derives addresses via DKD or DSAG, the sender threshold-signs the payment, and the receiver redeems without reconstructing master secrets. A formal security proof is claimed for this composition, and prototype timings are reported separately. No equations, definitions, or steps are presented that reduce a claimed result or prediction back to its own inputs by construction, nor is any load-bearing premise justified solely by self-citation. The security argument and performance evaluation remain independent of each other and of any fitted parameters internal to the paper.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 3 invented entities

The central claim rests on standard cryptographic assumptions for threshold signatures and the correctness of the two distributed generation techniques; these are asserted rather than derived in the abstract.

axioms (2)
  • standard math Security of threshold signature schemes under standard assumptions
    Implicit basis for the authorization component.
  • domain assumption Correctness of distributed key derivation and stealth address generation without master secret reconstruction
    Core premise enabling distributed control after transfer.
invented entities (3)
  • Dao² framework no independent evidence
    purpose: Unified solution for DAO-to-DAO transfers with optional anonymity
    Newly proposed combination of techniques.
  • DKD (distributed key derivation) no independent evidence
    purpose: Generation of non-stealth child addresses under threshold control
    Component introduced for ordinary transfers.
  • DSAG (distributed stealth-address generation) no independent evidence
    purpose: Creation of unlinkable one-time destinations for anonymous transfers
    Component introduced for recipient anonymity.

pith-pipeline@v0.9.0 · 5534 in / 1560 out tokens · 73182 ms · 2026-05-10T20:28:20.733359+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

27 extracted references · 27 canonical work pages

  1. [1]

    Understanding DAOs: An empirical study on governance dynamics.IEEE Transactions on Computational Social Systems (TCSS), 12(5):2814–2832, 2025

    Qin Wang, Guangsheng Yu, Yilin Sai, Caijun Sun, Lam Duc Nguyen, and Shiping Chen. Understanding DAOs: An empirical study on governance dynamics.IEEE Transactions on Computational Social Systems (TCSS), 12(5):2814–2832, 2025

    work page 2025

  2. [2]

    Decentralised autonomous organizations (DAOs): An exploratory survey.Distributed Ledger Technologies: Research and Practice (ACM DLT), pages 1–25, 2025

    Caiyan Tang, Qi Cai, Chengzu Dong, et al. Decentralised autonomous organizations (DAOs): An exploratory survey.Distributed Ledger Technologies: Research and Practice (ACM DLT), pages 1–25, 2025

    work page 2025

  3. [3]

    Fast secure multiparty ecdsa with practical distributed key generation and applications to cryptocurrency custody

    Yehuda Lindell and Ariel Nof. Fast secure multiparty ecdsa with practical distributed key generation and applications to cryptocurrency custody. InProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1837–1854, 2018

    work page 2018

  4. [4]

    Uc non-interactive, proactive, threshold ecdsa with identifiable aborts

    Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled. Uc non-interactive, proactive, threshold ecdsa with identifiable aborts. InProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1769–1787, 2020

    work page 2020

  5. [5]

    Threshold ECDSA in three rounds

    Jack Doerner, Yashvanth Kondi, Eysa Lee, and abhi Shelat. Threshold ECDSA in three rounds. InProceedings of the 45th IEEE Symposium on Security and Privacy, pages 3053–3071, 2024

    work page 2024

  6. [6]

    CryptoNote v 2.0

    Nicolas van Saberhagen. CryptoNote v 2.0. https://www.getmonero.org/ resources/research-lab/pubs/cryptonote-whitepaper.pdf, oct 2013. White paper

    work page 2013

  7. [7]

    A distributed stealth address generation protocol for threshold signatures

    Yujue Wang, Lin Zhong, Jun Du, Yudi Zou, Kevin He, and Andrew Zhang. A distributed stealth address generation protocol for threshold signatures. InProceedings of the 2024 IEEE International Symposium on Parallel and Distributed Processing with Applications, ISPA 2024, pages 2014–2021, 2024

    work page 2024

  8. [8]

    Post quantum fuzzy stealth signatures and applications

    Sihang Pu, Sri Aravinda Krishnan Thyagarajan, Nico Doettling, and Lucjan Hanzlik. Post quantum fuzzy stealth signatures and applications. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 371–385, 2023

    work page 2023

  9. [9]

    BIP-0032: Hierarchical Deterministic Wallets

    Pieter Wuille. BIP-0032: Hierarchical Deterministic Wallets. https:// github.com/bitcoin/bips/blob/master/bip-0032.mediawiki, 2012. Bitcoin Improvement Proposal 32, assigned 2012-02-11

    work page 2012

  10. [10]

    Distributed key derivation for multi-party management of blockchain digital assets

    Lin Zhong, Yujue Wang, Yong Ding, Jun Du, Kevin He, and Andrew Zhang. Distributed key derivation for multi-party management of blockchain digital assets. InProceedings of the 2023 IEEE 29th International Conference on Parallel and Distributed Systems, ICPADS 2023, pages 715–720, 2023

    work page 2023

  11. [11]

    Fast 2-out-of-n ecdsa threshold signature

    Lin Zhong, Yujue Wang, Jun Du, Daji Liang, Ziyuan Zhong, Kevin He, and Andrew Zhang. Fast 2-out-of-n ecdsa threshold signature. InIEEE International Conference on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking, pages 456–465, 2023

    work page 2023

  12. [12]

    Rivest, Adi Shamir, and Yael Tauman

    Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. InAnnual International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), volume 2248, pages 552–565. Springer, 2001

    work page 2001

  13. [13]

    Ring confidential transactions.Ledger, 1:1–18, 2016

    Shen Noether, Adam Mackenzie, and The Monero Research Lab. Ring confidential transactions.Ledger, 1:1–18, 2016

    work page 2016

  14. [14]

    Secure distributed key generation for discrete-log based cryptosystems

    Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Secure distributed key generation for discrete-log based cryptosystems. Journal of Cryptology, 20(1):51–83, 2007

    work page 2007

  15. [15]

    Non-interactive VSS using class groups and application to DKG

    Aniket Kate, Easwar Vivek Mangipudi, Pratyay Mukherjee, Hamza Saleem, and Sri Aravinda Krishnan Thyagarajan. Non-interactive VSS using class groups and application to DKG. InProceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 4286–4300, 2024

    work page 2024

  16. [16]

    Linkable ring signatures: Security models and new schemes

    Joseph K Liu and Duncan S Wong. Linkable ring signatures: Security models and new schemes. InInternational Conference on Computational Science and Its Applications, pages 614–623. Springer, 2005

    work page 2005

  17. [17]

    Decentralized autonomous organizations: Concept, model, and applications.IEEE Transactions on Computational Social Systems (TCSS), 6(5):870–878, 2019

    Shuai Wang, Wenwen Ding, Juanjuan Li, Yong Yuan, Liwei Ouyang, and Fei-Yue Wang. Decentralized autonomous organizations: Concept, model, and applications.IEEE Transactions on Computational Social Systems (TCSS), 6(5):870–878, 2019

    work page 2019

  18. [18]

    From tech- nology to society: An overview of blockchain-based DAO.IEEE Open Journal of the Computer Society, 2:204–215, 2021

    Lu Liu, Sicong Zhou, Huawei Huang, and Zibin Zheng. From tech- nology to society: An overview of blockchain-based DAO.IEEE Open Journal of the Computer Society, 2:204–215, 2021

    work page 2021

  19. [19]

    Leveraging architectural approaches in web3 applications-a dao perspective focused

    Guangsheng Yu, Qin Wang, Tingting Bi, Shiping Chen, and Xiwei Xu. Leveraging architectural approaches in web3 applications-a dao perspective focused. InIEEE International Conference on Blockchain and Cryptocurrency (ICBC), pages 1–6. IEEE, 2023

    work page 2023

  20. [20]

    Cristiano Bellavitis, Christian Fisch, and Paul P. Momtaz. The rise of decentralized autonomous organizations (DAOs): a first empirical glimpse.Venture Capital, 25(2):187–203, 2023

    work page 2023

  21. [21]

    Vitarit: Paying for threshold services on bitcoin and friends

    Sri Aravinda Krishnan Thyagarajan, Easwar Vivek Mangipudi, Lucjan Hanzlik, Aniket Kate, and Pratyay Mukherjee. Vitarit: Paying for threshold services on bitcoin and friends. InProceedings of the 2025 IEEE Symposium on Security and Privacy, pages 2018–2036, 2025. 14

    work page 2025

  22. [22]

    Ringct 2.0: A compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero

    Shi-Feng Sun, Man Ho Au, Joseph K Liu, and Tsz Hon Yuen. Ringct 2.0: A compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero. InEuropean Symposium on Research in Computer Security (ESORICS), pages 456–474. Springer, 2017

    work page 2017

  23. [23]

    Ringct 3.0 for blockchain con- fidential transaction: Shorter size and stronger security

    Tsz Hon Yuen, Shi-feng Sun, Joseph K Liu, Man Ho Au, Muhammed F Esgin, Qingzhao Zhang, and Dawu Gu. Ringct 3.0 for blockchain con- fidential transaction: Shorter size and stronger security. InInternational Conference on Financial Cryptography and Data Security (FC), pages 464–483. Springer, 2020

    work page 2020

  24. [24]

    Concise ringct protocol based on linkable threshold ring signature.IEEE Transactions on Dependable and Secure Computing (TDSC), 21(5):5014–5028, 2024

    Junke Duan, Shihui Zheng, Wei Wang, Licheng Wang, Xiaoya Hu, and Lize Gu. Concise ringct protocol based on linkable threshold ring signature.IEEE Transactions on Dependable and Secure Computing (TDSC), 21(5):5014–5028, 2024

    work page 2024

  25. [25]

    Foun- dations of coin mixing services

    Noemi Glaeser, Matteo Maffei, Giulio Malavolta, Pedro Moreno- Sanchez, Erkan Tairi, and Sri Aravinda Krishnan Thyagarajan. Foun- dations of coin mixing services. InProceedings of the ACM SIGSAC conference on Computer and Communications Security (CCS), pages 1259–1273, 2022. APPENDIXA SECURITYPROOFS This appendix provides the detailed proof arguments for t...

    work page 2022

  26. [26]

    To compute this from b (k′) j one must invert the derivation offsetsω (k+1),

    The past child share b (k) j . To compute this from b (k′) j one must invert the derivation offsetsω (k+1), . . . ,ω(k′), each of which depends on a past chaincode (Lemma 13)

    work page

  27. [27]

    Since both paths are blocked, we conclude: Pr A→d (k) |state at k ′ >k ≤negl(κ)

    The stealth offsetρ (k) =H(Ω (k) ∥ξ (k)), which requires Ω(k) =ab (k)G, which is protected by the sender-side threshold (for a) and chaincode independence (for b (k)). Since both paths are blocked, we conclude: Pr A→d (k) |state at k ′ >k ≤negl(κ). Proof of Proposition 1.By Lemma 13, past chaincodes are computationally hidden from the current state. By Le...

    work page