What Exists On-Chain and What Doesn't
Understanding Ghost Protocol's privacy requires precision about what data is recorded on the blockchain and what isn't.
The Primitive: What Commit/Reveal Records
At the protocol level, Ghost Protocol records:
On commit:
- The commitment hash (a 256-bit value)
- Its position (leaf index) in the Merkle tree
- Block timestamp
On reveal:
- The nullifier (a hash that marks the commitment as consumed; it is stored so the same commitment cannot be revealed twice)
- The zero-knowledge proof (verified on-chain but not kept in contract state; like any transaction input it remains visible in the transaction data)
- Block timestamp
System state:
- The Merkle tree of all commitments
- A ring buffer of recent Merkle roots
- All spent nullifiers
- Contract owner and operator roles
Never recorded on-chain:
- The commitment's preimage: the secret, nullifier secret, and blinding factor
- Which commitment a reveal corresponds to. The proof shows that the nullifier belongs to some leaf under a recent Merkle root without saying which leaf.
This is the core privacy property of the primitive: a reveal is cryptographically tied to the set of all commitments under that root, not to any one of them. An observer sees a commitment at a leaf index and, later, a nullifier, and has no cryptographic way to pair the two.
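To make the stored/not-stored split concrete, here is an added model of the contract-side state in Python. It is example code, not Ghost Protocol's contracts, and it fills in details the page does not give: SHA-256 stands in for Poseidon, the preimage order and the nullifier derivation are made up for the example, the tree depth and ring-buffer size are small constants, and the statement the ZK proof attests to is checked in the clear from the prover's witness, which the real contract never receives (it receives an opaque proof of the same statement).

```python
import hashlib
from collections import deque
from dataclasses import dataclass

DEPTH = 4          # 16 leaves; assumption, the real tree is far deeper
ROOT_HISTORY = 8   # recent-root ring buffer size; assumption
ZERO = b"\x00" * 32


def H(*parts: bytes) -> bytes:
    """Stand-in for Poseidon (length-prefixed SHA-256) so the example runs offline."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def commitment(secret: bytes, nullifier_secret: bytes, blinding: bytes) -> bytes:
    # Assumed preimage layout; the page names the three inputs, not their order.
    return H(b"commit", secret, nullifier_secret, blinding)


def nullifier(nullifier_secret: bytes) -> bytes:
    # Assumed derivation; the page only says the nullifier is a hash.
    return H(b"nullify", nullifier_secret)


def _hash_level(level: list) -> list:
    return [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]


@dataclass
class Witness:
    """What the prover holds and the chain never sees."""
    secret: bytes
    nullifier_secret: bytes
    blinding: bytes
    leaf_index: int
    path: list  # sibling hashes, leaf to root


def statement_holds(w: Witness, root: bytes, nf: bytes) -> bool:
    """The relation a reveal proves: the witness opens some leaf under `root`
    and `nf` is derived from that leaf's nullifier secret. Checked in the clear
    here; in the real system it is checked inside the ZK circuit and the
    verifier learns only true/false, not which leaf."""
    node = commitment(w.secret, w.nullifier_secret, w.blinding)
    idx = w.leaf_index
    for sibling in w.path:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node == root and nullifier(w.nullifier_secret) == nf


class GhostState:
    """Contract-side state: commitment leaves, recent roots, spent nullifiers."""

    def __init__(self) -> None:
        self.leaves: list = []
        self.recent_roots: deque = deque(maxlen=ROOT_HISTORY)
        self.spent: set = set()
        self.recent_roots.append(self.root())

    def _padded(self) -> list:
        return self.leaves + [ZERO] * (2 ** DEPTH - len(self.leaves))

    def root(self) -> bytes:
        level = self._padded()
        while len(level) > 1:
            level = _hash_level(level)
        return level[0]

    def merkle_path(self, index: int) -> list:
        # Prover-side helper built from the public leaves only.
        level, idx, path = self._padded(), index, []
        while len(level) > 1:
            path.append(level[idx ^ 1])
            level, idx = _hash_level(level), idx >> 1
        return path

    def commit(self, c: bytes) -> int:
        """Stores only the hash; returns the (public) leaf index."""
        if len(self.leaves) >= 2 ** DEPTH:
            raise ValueError("tree full")
        self.leaves.append(c)
        self.recent_roots.append(self.root())
        return len(self.leaves) - 1

    def reveal(self, root: bytes, nf: bytes, w: Witness) -> None:
        """In the real contract the last argument is an opaque ZK proof, not w."""
        if root not in self.recent_roots:
            raise ValueError("unknown or stale root")
        if nf in self.spent:
            raise ValueError("nullifier already spent")
        if not statement_holds(w, root, nf):
            raise ValueError("invalid proof")
        self.spent.add(nf)  # the only thing retained from a reveal


def demo() -> dict:
    """Two commits, one reveal, one replay, one forged witness (constructed data)."""
    chain = GhostState()
    alice = (b"alice-secret", b"alice-ns", b"alice-blind")  # use a CSPRNG for real
    bob = (b"bob-secret", b"bob-ns", b"bob-blind")
    ia = chain.commit(commitment(*alice))
    chain.commit(commitment(*bob))
    root = chain.root()
    chain.reveal(root, nullifier(alice[1]), Witness(*alice, ia, chain.merkle_path(ia)))
    try:
        chain.reveal(root, nullifier(alice[1]), Witness(*alice, ia, chain.merkle_path(ia)))
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    forged = Witness(*bob, ia, chain.merkle_path(ia))  # Bob's secrets in Alice's slot
    return {
        "leaves": len(chain.leaves),
        "spent": len(chain.spent),
        "replay_rejected": replay_rejected,
        "forged_witness_rejected": not statement_holds(forged, root, nullifier(bob[1])),
    }
```

Everything `GhostState` holds after `demo()` runs is public: two leaf hashes, a short root history, and one nullifier. Nothing in it says which of the two leaves the nullifier consumed; that fact lives only in the `Witness`, which in the real protocol stays with the prover.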
Value Transfer Applications Record More
When Ghost Protocol is used for token transfers (as in Ghostcoin's vanish/summon), the smart contracts record additional metadata beyond the primitive:
From deposit (vanish) transactions:
- The depositor's address (stored in the `commitmentDepositors` mapping and emitted in events)
- The token type and amount deposited
From withdrawal (summon) transactions:
- The recipient's address
- The token type and amount withdrawn
Accounting state:
- Total amounts deposited per token (the `totalVanished` mapping)
This means an observer with a block explorer can see every deposit and every withdrawal individually — who deposited, how much, who withdrew. What they cannot determine is which deposit funds which withdrawal. The ZK proof breaks that link.
This is substantially more metadata than the bare primitive records. The privacy guarantee for value transfers is unlinkability between deposits and withdrawals, not invisibility of the transactions themselves.
Where the Privacy Comes From
The privacy property differs by application:
For the general primitive: The commitment preimage never exists on-chain. No one can determine what was committed or connect a specific reveal to a specific commitment.
For value transfers (Ghostcoin): Individual deposits and withdrawals are each publicly visible. The privacy property is unlinkability — an observer can see that Alice deposited 100 GHOST and Bob withdrew 100 GHOST, but cannot determine whether Alice's deposit funded Bob's withdrawal.
The Burn-and-Mint Distinction
When used for value transfer, Ghost Protocol uses a burn-and-mint model rather than a pool:
- On vanish (commit), tokens are burned. They cease to exist in any account.
- On summon (reveal), new tokens are minted to the recipient.
Between vanish and summon, the value exists only as a cryptographic commitment; there are no tokens sitting in a pool that could be traced or frozen by address. This is a genuine architectural difference from pool-based mixers like Tornado Cash. The difference is in where the value sits, not in whether a privileged party exists: the contract that mints on summon is still a single control point, and the owner and operator roles listed under system state live at that layer.
Limitations of Unlinkability
The cryptographic unlinkability is strong but not absolute in practice:
Amount correlation. If only one person deposited exactly 73.5 GHOST, and someone withdraws exactly 73.5 GHOST, the link is obvious. For a given withdrawal, the effective anonymity set is the deposits of the same token and amount that were made before it and have not already been matched to another withdrawal. Many deposits of identical amounts strengthen privacy; an unusual amount has an anonymity set of one.
Timing correlation. Depositing and immediately withdrawing weakens unlinkability. More time between deposit and withdrawal, and more transactions in between, strengthens it.
External information. If someone knows you deposited at a specific time, and a withdrawal appears shortly after, they may infer a connection even without breaking the cryptography. Anything off-chain that ties the withdrawal transaction back to the depositor (the same wallet, network origin, or counterparty) has the same effect.
The ZK proof provides mathematical unlinkability. Operational security determines how much practical privacy you achieve.
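The amount and timing correlations above, together with the per-transaction visibility described under value transfers, amount to one piece of analysis an observer would actually run. The following is an added example in Python, not Ghost Protocol's code: it reads a constructed vanish/summon event log carrying only the fields the page says are public (address, token, amount, block) and computes, for each withdrawal, the set of deposits that could have funded it. It assumes that one summon consumes exactly one vanish of equal token and amount, which the page implies but does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vanish:
    block: int
    depositor: str
    token: str
    amount: float


@dataclass(frozen=True)
class Summon:
    block: int
    recipient: str
    token: str
    amount: float


# Constructed event log (not real chain data); blocks are mined in order.
VANISHES = [
    Vanish(100, "0xA11ce", "GHOST", 100.0),
    Vanish(103, "0xB0b", "GHOST", 100.0),
    Vanish(104, "0xCaro1", "GHOST", 73.5),
    Vanish(110, "0xDa5e", "GHOST", 100.0),
]
SUMMONS = [
    Summon(102, "0xR1", "GHOST", 100.0),  # only one 100 GHOST deposit existed yet
    Summon(105, "0xR2", "GHOST", 73.5),   # only one 73.5 GHOST deposit at all
    Summon(111, "0xR3", "GHOST", 100.0),
    Summon(112, "0xR4", "GHOST", 100.0),
]


def candidates(vanishes, s: Summon) -> set:
    """Deposits that could have funded s: same token and amount (assumed: one
    summon consumes exactly one vanish of equal amount) and mined no later."""
    return {v for v in vanishes
            if v.token == s.token and v.amount == s.amount and v.block <= s.block}


def link_analysis(vanishes, summons) -> dict:
    """Returns {summon: candidate deposits}. A summon whose set shrinks to a
    single deposit is treated as linked, and that deposit is removed from every
    other set; repeat until nothing changes. Pure constraint propagation over
    public metadata, no cryptography involved."""
    sets = {s: candidates(vanishes, s) for s in summons}
    changed = True
    while changed:
        changed = False
        for s, cands in sets.items():
            if len(cands) != 1:
                continue
            (v,) = cands
            for other, oc in sets.items():
                if other is not s and v in oc:
                    oc.discard(v)
                    changed = True
    return sets


def report(vanishes=VANISHES, summons=SUMMONS) -> dict:
    """{recipient: sorted depositor addresses still plausible as the source}."""
    return {s.recipient: sorted(v.depositor for v in c)
            for s, c in link_analysis(vanishes, summons).items()}
```

On the constructed log, `report()` links 0xR1 to 0xA11ce by timing alone (no other 100 GHOST deposit existed at block 102) and 0xR2 to 0xCaro1 by amount alone, and leaves 0xR3 and 0xR4 with an anonymity set of two. The size of each set is that withdrawal's real privacy; a set of size one means the link was recovered without touching the ZK proof.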
The Mathematical Foundation
Ghost Protocol uses the Poseidon hash function, a hash designed to be cheap to evaluate inside zero-knowledge circuits. Like any cryptographic hash it is preimage resistant: given a hash output, it is computationally infeasible to find an input that produces it.
This means: given a commitment hash on-chain, no one can compute the secret, nullifier secret, and blinding factor that produced it. The commitment is a one-way function of your secrets. The blinding factor is what makes this hold in practice: because it is a random, high-entropy input, the commitment stays hidden even if the other inputs could be guessed, which a guess-and-hash search would otherwise exploit.
The commitment exists on-chain. The secrets that created it exist only in your possession. If you lose them, the committed value is lost forever. There is no recovery mechanism, so all three preimage values must be backed up; the commitment hash alone cannot be used to reveal.