What Exists Where
Understanding Ghost Protocol requires understanding where data lives at each stage of the lifecycle.
On-Chain Data: The Primitive
At the protocol level, the blockchain stores:
Commitment Tree (CommitmentTree contract):
- Every commitment hash and its leaf index
- A ring buffer of the 100 most recent Merkle roots
- Duplicate commitment prevention records
- The root operator address (admin role)
Nullifier Registry (NullifierRegistry contract):
- Every spent nullifier hash
- Total nullifier count
This is the minimal on-chain footprint of the commit-reveal primitive. Commitments go in; nullifiers come out. The link between them is hidden by the ZK proof.
On-Chain Data: Value Transfer Applications
When Ghost Protocol is used for token transfers (Ghostcoin's vanish/summon), the GhostVault contract records additional data:
GhostVault contract:
- Depositor address for each commitment (`commitmentDepositors` mapping)
- Total vanished amount per token (`totalVanished` mapping)
- Contract owner (can pause the system and swap the verifier)
- Verifier contract address
Event logs (permanently indexed):
- `Vanish` events: token address, depositor address, amount, commitment hash, leaf index
- `Summon` events: token address, recipient address, amount, nullifier
An observer with access to an archive node or block explorer can see every deposit and every withdrawal, including who deposited, who withdrew, and how much. This is substantially more than what the bare primitive records.
Off-Chain Data (Your Responsibility)
The commitment's preimage exists only off-chain, in your possession:
Your secrets. The random secret, nullifier secret, and blinding factor generated when creating the commitment. These are the values that make your commitment meaningful and revealable.
Your voucher. In value transfer applications, the exported data (typically a JSON object or encoded string) containing your secrets plus metadata like the leaf index.
Your proof inputs. When you reveal, a zero-knowledge proof is generated from your secrets. The proof is submitted on-chain, but the inputs to the proof stay with you.
This data is entirely your responsibility. Ghost Protocol does not back it up. No cloud service stores it. No recovery mechanism exists. If you lose your secrets, your commitment is lost.
The Privacy Boundary
For the general primitive, the boundary is clean:
| Public On-Chain | Private (Off-Chain) |
|---|---|
| Commitment hash | Secret, nullifier secret, blinding factor |
| Nullifier (after reveal) | Which commitment a reveal corresponds to |
| Tree positions | What was committed |
| Timestamps | |
For value transfer applications (Ghostcoin), the boundary includes more public data:
| Public On-Chain | Private (Off-Chain) |
|---|---|
| Everything above | Everything above |
| Depositor address | Link between deposit and withdrawal |
| Deposit amount and token | Which commitment a withdrawal is spending |
| Recipient address (at reveal) | |
| Withdrawal amount (at reveal) | |
The key insight: in value transfer applications, individual deposits and withdrawals are each publicly visible. What is hidden is the connection between a specific deposit and a specific withdrawal.
Why This Separation Matters
The strict separation between linked and unlinked data is what makes Ghost Protocol's privacy useful:
No transaction graph. While individual transactions may be visible (in value transfer applications), the link between commits and reveals is broken. Standard blockchain analysis that traces funds from sender to receiver does not work.
Burn-and-mint model. In value transfer applications, tokens are destroyed on deposit and created fresh on withdrawal. There is no pool of funds sitting at a contract address.
Plausible deniability. A committer cannot be proven to control any specific reveal.
Correlation resistance. The larger the set of commits with similar parameters and timing, the harder it is to correlate specific commits with specific reveals. This is the anonymity set.
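The following is an added example, not part of Ghost Protocol's own code: it estimates the anonymity set of each withdrawal from the public `Vanish` and `Summon` fields listed earlier, using constructed events. The record field names, the use of block numbers for timing, and the rule that a withdrawal pays out the full amount of one commitment are assumptions.

```python
from collections import namedtuple

# Decoded event records; field names are assumptions based on the fields listed above.
Vanish = namedtuple("Vanish", "block token depositor amount leaf_index")
Summon = namedtuple("Summon", "block token recipient amount")

# Constructed sample data, not real chain events.
VANISHES = [
    Vanish(100, "TKN", "0xA1", 1000, 0),
    Vanish(105, "TKN", "0xB2", 1000, 1),
    Vanish(110, "TKN", "0xC3", 1337, 2),  # unusual amount
    Vanish(130, "TKN", "0xD4", 1000, 3),  # deposited after the first withdrawal
]
SUMMONS = [
    Summon(120, "TKN", "0xF6", 1000),  # two earlier deposits match
    Summon(125, "TKN", "0xF7", 1337),  # only one deposit matches
    Summon(150, "TKN", "0xB2", 1000),  # recipient is also a depositor
]

def candidates(summon, vanishes):
    """Deposits an observer cannot rule out as the source of this withdrawal.

    Assumption: a withdrawal pays out the full amount of one commitment, so
    only earlier deposits of the same token and amount qualify.
    """
    return [v for v in vanishes
            if (v.token, v.amount) == (summon.token, summon.amount)
            and v.block < summon.block]

def assess(summons, vanishes):
    """One report per withdrawal: candidate leaf indices and warnings."""
    reports = []
    for s in summons:
        cands = candidates(s, vanishes)
        warnings = []
        if len(cands) == 1:
            warnings.append("anonymity set of 1: deposit is identifiable")
        if any(v.depositor == s.recipient for v in cands):
            warnings.append("recipient is also a candidate depositor")
        reports.append({"recipient": s.recipient,
                        "leaves": [v.leaf_index for v in cands],
                        "warnings": warnings})
    return reports

if __name__ == "__main__":
    for report in assess(SUMMONS, VANISHES):
        print(report)
```

The ZK proof hides which leaf is spent, but a unique amount or a reused address narrows the candidate list using public metadata alone.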
Practical Implications
This model requires you to take responsibility:
Back up your secrets. If you lose them, your commitment is lost. Store them securely, offline if possible.
Understand the risk. There is no "forgot password" flow. No support team can help you recover lost secrets.
Plan for transfer. If you want someone else to be able to reveal your commitment, you must give them your secrets.
Understand the limits. In value transfer applications, your deposit address and amount are public. Privacy comes from the broken link between commit and reveal, not from hiding that you committed.