Ghost Protocol: A Commit-Reveal Privacy Primitive

Ghost Protocol is a general-purpose commit-reveal primitive. You commit data once by recording a cryptographic hash on-chain. You reveal it once by presenting a zero-knowledge proof that you know the secret behind the hash. Between commit and reveal, the commitment's meaning is known only to you.

The Problem

Every digital transaction leaves a trail. When you send money, buy something, or access a service, records are created. These records accumulate. They can be searched, subpoenaed, leaked, sold, or stolen.

Existing privacy systems try to hide these trails through encryption, obfuscation, or institutional promises. But hidden trails still exist. They can be revealed later when encryption is broken, when institutions change their policies, or when someone with enough power demands access.

The fundamental weakness of most privacy systems is that they hide data rather than eliminate it. Hidden data can always be unhidden given enough time, resources, or authority.

What Ghost Protocol Does Differently

Ghost Protocol is built on a simple primitive: commit once, reveal once.

  1. You generate random secrets and compute a cryptographic hash (the commitment).
  2. The commitment is recorded on-chain. The secrets that created it are not.
  3. Later, you can reveal by presenting a zero-knowledge proof that you know the secret behind a valid commitment — without revealing which commitment is yours.
  4. Once revealed, the commitment is marked as consumed via a nullifier. It can never be revealed again.

The commitment's preimage — your secret, nullifier secret, and blinding factor — is never stored on-chain. Only you hold these values. The commitment hash is a one-way fingerprint; no amount of computation can reverse it.

This is not encryption. There is no ciphertext to decrypt. The commitment contains no recoverable data. The privacy comes from the mathematical impossibility of deriving the preimage from the hash.

This primitive is general-purpose. It can be applied to value transfer, credentials, access tokens, sealed disclosures, and more. Ghostcoin's "vanish" and "summon" operations are one application of this primitive — they use commit/reveal to build unlinkable value transfers with a burn-and-mint model. But the protocol itself is not limited to tokens.

The Core Guarantee

Ghost Protocol provides two guarantees:

1. The commitment preimage never exists on-chain. The secrets you used to create the commitment are never recorded. Only the hash is stored. No one can reverse the hash to learn your secrets.

2. Commit and reveal are unlinkable. The zero-knowledge proof demonstrates knowledge of a valid commitment without revealing which one. Observers can see that commitments are made and that reveals happen, but cannot connect a specific reveal to a specific commitment.

When you commit:

  • A commitment hash is recorded in a Merkle tree
  • The commitment's preimage (your secrets) is never stored on-chain

When you reveal:

  • A zero-knowledge proof verifies you know a valid commitment's secret
  • The nullifier is recorded to prevent the same commitment from being revealed twice
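The commit and reveal steps above can be modelled in a few lines. This is an added example, not Ghost Protocol's own code. It assumes SHA-256, a simple padded Merkle tree, and a nullifier derived by hashing the nullifier secret; the names make_note and Ledger are hypothetical. The model checks the reveal in the clear, where the protocol uses a zero-knowledge proof, so it shows membership and one-time reveal but not unlinkability.

```python
import hashlib, secrets

EMPTY = hashlib.sha256(b"empty-leaf").digest()  # padding for odd-sized levels

def H(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 (assumed hash); every part is a 32-byte value.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def make_note():
    # Holder-side values: secret, nullifier secret, blinding factor.
    s, ns, b = (secrets.token_bytes(32) for _ in range(3))
    return {"secret": s, "nullifier_secret": ns, "blinding": b,
            "commitment": H(b"commit", s, ns, b)}

class Ledger:
    """Models the on-chain state: commitment leaves and spent nullifiers."""
    def __init__(self):
        self.leaves, self.spent = [], set()

    def commit(self, c):
        self.leaves.append(c)          # only the hash is stored
        return len(self.leaves) - 1

    def _levels(self):
        levels = [list(self.leaves)]
        while len(levels[-1]) > 1:
            cur = levels[-1] + [EMPTY] * (len(levels[-1]) % 2)
            levels.append([H(b"node", cur[i], cur[i + 1])
                           for i in range(0, len(cur), 2)])
        return levels

    def root(self):
        return self._levels()[-1][0]

    def path(self, index):
        # Sibling hashes from leaf to root, computed by the holder.
        out = []
        for level in self._levels()[:-1]:
            sib = index ^ 1
            out.append(level[sib] if sib < len(level) else EMPTY)
            index //= 2
        return out

    def reveal(self, note, index, path):
        # The protocol verifies a ZK proof of these checks; here they run in the clear.
        node = H(b"commit", note["secret"], note["nullifier_secret"], note["blinding"])
        for sib in path:
            node = H(b"node", node, sib) if index % 2 == 0 else H(b"node", sib, node)
            index //= 2
        nf = H(b"nullifier", note["nullifier_secret"])
        if node != self.root() or nf in self.spent:
            return False               # unknown commitment or already revealed
        self.spent.add(nf)
        return True
```

The hiding property in this model rests on the three secrets being random 32-byte values. A commitment to a guessable input with no blinding factor can be brute-forced by hashing candidates.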

Important caveat for value transfer applications: When Ghost Protocol is used for token transfers (as in Ghostcoin), the smart contracts also record transaction metadata — who deposited, how much, who withdrew. The unlinkability guarantee means observers cannot connect a specific deposit to a specific withdrawal, but the individual transactions are visible. See What Exists and What Doesn't for a full accounting.

Why This Matters

The commit-reveal primitive enables several categories of applications:

Credentials that cannot be leaked. A credential issued as a commitment can be verified without revealing the credential itself. The verification proves you have it without exposing what "it" is.

Access that cannot be revoked. A one-time access token cannot be rescinded after issuance. Once granted, the holder has irrevocable access until they choose to use it.

Disclosures that cannot be premature. Information can be committed now and revealed later, with cryptographic certainty that it cannot be revealed by anyone else in the interim.

Value transfers that cannot be traced. When applied to tokens (as in Ghostcoin), the commit-reveal primitive breaks the link between deposits and withdrawals. Combined with a burn-and-mint model, this creates unlinkable value transfers. (Note: the contract owner can pause the system — see Risks.)

What This Document Covers

This whitepaper explains Ghost Protocol as a system, not as a product. It covers:

  1. The Core Model - The commit-once, reveal-once paradigm and what the commitment preimage's absence from the chain means
  2. The Lifecycle of Data - What happens at each stage and where data actually lives
  3. What Ghost Protocol Enables - Categories of applications, not specific products
  4. Ghostcoin - Why a token exists and what it proves about the protocol
  5. Why This Is Different - Honest comparison to other privacy approaches
  6. Risks and Tradeoffs - What can go wrong and what is intentionally unsupported
  7. For Investors - Why this is infrastructure, not just another application
  8. Where This Runs - The execution environment and current status
  9. What Exists Today - Concrete facts, not promises

If you are looking for code, APIs, or integration guides, see the Developer Documentation.


Ghost Protocol is a commit-reveal primitive. The commitment preimage never exists on-chain. The link between commit and reveal is cryptographically broken. Everything else — tokens, value transfer, Ghostcoin — is an application built on top of this foundation.