Ethereum's account model makes ownership reconstruction cheap and accurate. Every interaction, delegate, and transaction history accumulates under a persistent address, feeding identity, relationship, and behavioral inferences. GhostShard, a privacy architecture proposed on ethresear.ch by developer giantgun, flips the problem: instead of hiding what you own, it makes it impossible to prove you own anything continuously.
Why Account Persistence Is a Privacy Leak
Bitcoin derives practical privacy from ownership fragmentation. Assets spread across independent outputs; no single public key reliably labels an identity. Ethereum's account model does the opposite. A single address collects ERC-20 tokens, governance votes, DeFi positions, and NFT activity. Over time that address becomes a persistent attribution surface. Observers don't need raw shielded state. They reconstruct ownership from transaction patterns, then map identity and relationships on top. Privacy loss equals successful reconstruction, not information exposure.
GhostShard starts from that observation. The architecture treats ownership topology as the attack surface and fragmentation as the defense.
GhostShard's Shard-and-Destroy Strategy
GhostShard combines three post-Pectra primitives: ERC-5566 stealth addresses for receiving assets without linking them to a known account, EIP-7702 delegated execution to give EOAs programmable behavior, and disposable ownership fragments called shards. Instead of maintaining a persistent account, ownership is decomposed. Each spend consumes old shards and creates new ones. Assets remain standard ERC-20 or ETH. Composable. Visible. But ownership continuity becomes a graph problem the observer cannot solve.
The protocol does not hide that transfers happen. It does not hide balances. It fragments the signal the observer relies on: the mapping between assets and a persistent identity. Selective disclosure is built in through the same shard mechanism, allowing users to prove ownership of a specific fragment without revealing the full set.
Privacy as a Default, Not a Discipline
Most privacy systems require conscious action. Enter the privacy pool. Bridge to a shielded domain. Maintain discipline. Exit correctly. GhostShard explores a different UX hypothesis: privacy emerges from ordinary usage when fragmentation is baked into the ownership model itself. If every transaction naturally destroys and recreates ownership fragments, a user doesn't need to remember to be private. Participation alone disrupts reconstruction.
This is speculative. The author explicitly asks for graph-analysis attacks and measurement frameworks. But the direction is refreshing. Privacy as a default consequence rather than a specialized activity could lower the behavioral bar dramatically.
Open Questions and the Path Forward
The central research question is whether ownership fragmentation alone constitutes a meaningful privacy primitive without shielded state. GhostShard's answer will depend on how well shard topology resists linkage attacks. Can an adversary with full transaction visibility and graph algorithms reconstruct ownership given enough time? The author's paper (linked in the post) and an unaudited research prototype on GitHub provide concrete starting points. Whether GhostShard survives that analysis or falls to a simple clustering attack will determine if ownership topology can replace shielded state as a viable privacy primitive.
Source: Exploring ownership fragmentation as a privacy primitive for the post-Pectra EVM
Domain: ethresear.ch
Comments load interactively on the live page.