Commit Once, Reveal Once

Ghost Protocol enforces a simple rule: every commitment can be revealed exactly once, or never. There is no middle ground.

The Lifecycle

A commitment passes through exactly one of two lifecycles:

Lifecycle A: Commit → Reveal

  1. You create a commitment by generating a cryptographic hash
  2. The commitment is recorded on-chain
  3. At some point, you present the secret that matches the commitment
  4. The system verifies the match and marks the commitment as revealed
  5. The commitment can never be revealed again

Lifecycle B: Commit → Silence

  1. You create a commitment
  2. The commitment is recorded on-chain
  3. You choose not to reveal, or you lose the secret
  4. The commitment remains on-chain forever, permanently unrevealed
  5. No one can ever determine what was committed

There is no Lifecycle C. You cannot reveal twice. You cannot partially reveal. You cannot reveal the same commitment to different parties at different times.

Why Only Once

The one-time constraint is not a limitation. It is the source of Ghost Protocol's strongest guarantees.

One-time revelation creates scarcity. If a commitment could be revealed multiple times, holders could duplicate value. The reveal would be worth less each time. One-time revelation ensures that revealing is meaningful and final.

One-time revelation prevents correlation. If the same commitment could be revealed in multiple contexts, observers could correlate those contexts. One-time revelation ensures that each reveal is an isolated event with no connection to past or future reveals.

One-time revelation enables finality. When a commitment is revealed, the interaction is complete. There is no lingering data that could be revealed later. The reveal is the end of the commitment's meaningful life.

The Nullifier System

To enforce one-time revelation, Ghost Protocol uses a cryptographic construct called a nullifier. When you reveal a commitment, you also reveal its nullifier. The system records the nullifier and rejects any future reveal attempt that produces the same nullifier.

The nullifier is derived from your secret in a way that:

  • Produces a unique value for each commitment
  • Cannot be computed without knowing the secret
  • Cannot be correlated with the commitment until revelation

This means:

  • Before revelation, no one can predict what nullifier you will produce
  • After revelation, everyone can verify that the nullifier matches the commitment
  • Any attempt to reveal again will produce the same nullifier and be rejected
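
The reveal check described above, as an added example that is not Ghost Protocol's own code. It assumes the commitment and the nullifier are both SHA-256 hashes of the secret under different domain tags and that the secret is presented in the clear at reveal time; the tags, function names and the in-memory Ledger class are hypothetical, since the page does not specify the real derivation.

```python
import hashlib
import hmac
import secrets

# Hypothetical domain-separation tags (assumption, not taken from Ghost Protocol).
COMMIT_TAG = b"example/commit/v1"
NULLIFIER_TAG = b"example/nullifier/v1"

def _h(tag: bytes, secret: bytes) -> bytes:
    # Length-prefix the tag so (tag, secret) pairs cannot collide as raw byte strings.
    return hashlib.sha256(len(tag).to_bytes(2, "big") + tag + secret).digest()

def commit(secret: bytes) -> bytes:
    return _h(COMMIT_TAG, secret)

def nullifier(secret: bytes) -> bytes:
    # Different tag, same secret: unlinkable to the commitment without the secret.
    return _h(NULLIFIER_TAG, secret)

class Ledger:
    """In-memory stand-in for the on-chain state (assumption for this example)."""

    def __init__(self):
        self.commitments = set()
        self.nullifiers = set()

    def record(self, commitment: bytes) -> None:
        self.commitments.add(commitment)

    def reveal(self, commitment: bytes, secret: bytes) -> str:
        if commitment not in self.commitments:
            return "unknown-commitment"
        if not hmac.compare_digest(commit(secret), commitment):
            return "secret-mismatch"
        n = nullifier(secret)
        if n in self.nullifiers:
            return "rejected-already-revealed"
        self.nullifiers.add(n)  # consume: this commitment can never be revealed again
        return "revealed"

def demo():
    ledger = Ledger()
    secret = secrets.token_bytes(32)  # constructed sample secret
    c = commit(secret)
    ledger.record(c)
    first = ledger.reveal(c, secret)                    # Lifecycle A
    second = ledger.reveal(c, secret)                   # same nullifier, rejected
    wrong = ledger.reveal(c, secrets.token_bytes(32))   # secret does not match
    return first, second, wrong
```

In a concurrent or distributed setting, the nullifier lookup and insert must happen as one atomic step, otherwise two simultaneous reveals could both pass the check.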

Practical Implications

The commit-once, reveal-once model has concrete implications for how Ghost Protocol can be used:

You cannot "spend the same dollar twice." Value committed to Ghost Protocol cannot be duplicated. Revealing once transfers the full value; attempting to reveal again fails.

You cannot prove the same credential twice. A credential committed and revealed for one verification cannot be used for another. Each verification requires a fresh commitment.

You cannot rescind a reveal. Once revealed, the commitment is done. There is no undo, no take-back, no reversal.

You cannot be asked to reveal later. If you reveal now, the commitment is consumed. No one can compel you to reveal it again because there is nothing left to reveal.

These constraints may sound limiting. They are actually liberating. They eliminate entire categories of abuse, fraud, and coercion that depend on data being reusable or revocable.