
Cryptographic Primitives

Let's start with the everyday version. Imagine you want to prove you are over 21 to get into a bar, but you do not want to show your ID — because your ID also has your home address, your full name, and a terrible photo from 2019. A zero-knowledge proof is like a magic stamp on your hand that says "verified: over 21" without revealing anything else.

That is what Ghost Protocol does, at scale, for any data on the blockchain. Here is the cryptography that makes it possible.

Poseidon: The ZK-Friendly Hash

Hash functions are basic building blocks of blockchain cryptography. They take any input and produce a fixed-size fingerprint that cannot feasibly be reversed (preimage resistance) and for which no two inputs sharing a fingerprint can feasibly be found (collision resistance). Both properties matter here: preimage resistance is what hides the contents of a commitment, and collision resistance is what makes a commitment binding. Ghost Protocol uses Poseidon, a hash function designed specifically to be cheap to evaluate inside zero-knowledge proof circuits.

Why not just use keccak256, the hash function Ethereum uses? Because keccak256 is expensive to prove in ZK. It is a bit-oriented design (XORs, rotations and ANDs over 64-bit lanes) built for speed on ordinary CPUs, and every one of those bit operations has to be expressed as constraints over a large prime field inside the circuit. Poseidon, by contrast, operates natively on elements of the proof system's scalar field, using a handful of field multiplications per round, so one hash costs dramatically fewer constraints. Fewer constraints means faster proof generation and smaller proving keys; the on-chain verification cost of a Groth16 proof does not depend on circuit size at all.

Ghost Protocol uses three variants of Poseidon, each tailored to a specific job. The numeral in each name is the number of field-element inputs the variant absorbs (it is not a reference to the separately published Poseidon2 hash design):

Poseidon2 (2 inputs)

Used for Merkle tree nodes and nullifier derivation. At every level of the Merkle tree, each pair of sibling nodes is hashed together with Poseidon2 to produce the parent, up to the root. Nullifiers, the values that prevent double-spending, are also derived using Poseidon2.

Poseidon4 (4 inputs)

Used for data and Revel commitments in the Open Ghost Vault. When you commit arbitrary data (not tokens), the four-input variant captures the necessary fields in a single hash.

Poseidon7 (7 inputs)

Used for token commitments with policy binding in the Commit Reveal Vault. The seven inputs include the token address, the amount, the secrets, and, critically, the policy address and policy parameter hash. This is what makes policies binding: the circuit recomputes the commitment from the values it is handed, so changing any input, the policy fields included, yields a different hash that no longer matches any leaf in the tree.
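As an added illustration (not Ghost Protocol's own code), the following Python builds a policy-bound commitment and a binary Merkle tree with the shapes described above, and shows why the policy fields are binding. The hash `h` is a stand-in for Poseidon (domain-separated SHA-256 reduced into the BN254 scalar field) so the block runs with the standard library alone; a real circuit uses Poseidon so the same computation can be proved. Field names follow this page, but the six-field commitment layout, the zero padding leaf and the sample values are assumptions, and the page's seven-input variant is not reproduced exactly.

```python
"""Commitment binding and a Poseidon2-style Merkle tree.

Added example, not Ghost Protocol code. `h` is a SHA-256 stand-in for
Poseidon_n (arity tagged, output reduced into the BN254 scalar field);
real circuits use Poseidon so the hash can be proved in-circuit.
The commitment field layout and the zero padding leaf are assumptions.
"""
import hashlib

# BN254 scalar field modulus: the field Poseidon and the circuits work in.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
ZERO_LEAF = 0  # assumed padding value for unused leaves


def h(*inputs: int) -> int:
    """Stand-in for Poseidon_n: SHA-256(n || x_1 || ... || x_n) mod P."""
    data = bytes([len(inputs)]) + b"".join(x.to_bytes(32, "big") for x in inputs)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def commitment(token, amount, secret, nullifier_secret, policy, policy_param_hash):
    """Token commitment with policy binding (fields named on this page; the
    real variant hashes seven inputs, this example hashes the six named)."""
    return h(token, amount, secret, nullifier_secret, policy, policy_param_hash)


def build_tree(leaves, depth):
    """Return levels[0..depth]: levels[0] is the padded leaf row, levels[depth] the root."""
    level = list(leaves) + [ZERO_LEAF] * (2 ** depth - len(leaves))
    levels = [level]
    for _ in range(depth):
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]  # Poseidon2 per node
        levels.append(level)
    return levels


def merkle_path(levels, index):
    """Sibling hashes from leaf to root, each tagged with whether our node is the right child."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))
        index >>= 1
    return path


def verify_path(root, leaf, path):
    """What the circuit does with the private path: recompute the root from the leaf."""
    node = leaf
    for sibling, is_right in path:
        node = h(sibling, node) if is_right else h(node, sibling)
    return node == root


def demo():
    # Constructed sample values; deployments use random field elements for the secrets.
    token, amount = 0xC0FFEE, 1_000_000
    secret, nullifier_secret = 0x1111, 0x2222
    policy, policy_params = 0xCAFE, h(100)      # policyParamHash = hash of the parameters
    c = commitment(token, amount, secret, nullifier_secret, policy, policy_params)
    c_other_params = commitment(token, amount, secret, nullifier_secret, policy, h(200))
    levels = build_tree([h(7), c, h(9)], depth=4)
    root, path = levels[-1][0], merkle_path(levels, 1)
    return (
        c != c_other_params,                      # touching the policy parameters changes the leaf
        verify_path(root, c, path),               # the honest leaf opens against the root
        verify_path(root, c_other_params, path),  # the altered one does not
    )
```

The path tuple carries only sibling hashes and direction bits; in the real circuit those are private witness values and the recomputed root is compared against the public Merkle root input, which is exactly the check `verify_path` performs.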

Groth16: Constant-Size Proofs

Zero-knowledge proofs come in many flavors. Ghost Protocol uses Groth16, a pairing-based proving system that produces the smallest proofs and the cheapest on-chain verification of any widely deployed scheme.

The numbers:

  • Proof size: Constant 256 bytes, regardless of what you are proving. A Groth16 proof is three curve points (A and C in G1, B in G2), which is 256 bytes in the uncompressed encoding the EVM pairing precompile consumes. Whether you are proving ownership of a single token commitment or demonstrating compliance with a complex policy, the proof is always the same size.
  • Verification cost: Approximately 220,000 gas, roughly the cost of a Uniswap swap on Ethereum. Most of that is the fixed pairing check; the only part that grows is one scalar multiplication per public input. On Specter, with lower gas prices, this is very affordable.
  • Curve: BN254 (also known as alt_bn128), the same elliptic curve used by Ethereum's precompiled contracts for point addition, scalar multiplication and pairing operations. One caveat a practitioner should know: after the 2016 improvements to the number field sieve for pairing-friendly fields, BN254's estimated security is roughly 100 bits rather than the 128 bits it was designed for. It remains the only pairing curve with native EVM support, which is why it is used.

Groth16 requires a trusted setup for each circuit: a universal Powers of Tau phase followed by a circuit-specific phase that produces the proving and verification keys. The security of the system depends on at least one participant in each phase being honest and destroying their toxic waste (the secret randomness used during setup); anyone who holds that randomness can forge proofs for the circuit, and any change to a circuit requires a fresh circuit-specific phase. Ghost Protocol's circuits have undergone this ceremony, and the parameters are published for anyone to verify. Verifying means checking the ceremony transcript and confirming that the verification key embedded in the deployed verifier contract matches the published output.

The Two Circuits

Ghost Protocol uses two distinct ZK circuits, each serving a different purpose:

Redemption Proof (8 public inputs)

This is the circuit used for one-time reveals — when you Summon tokens, reveal a Revel, or claim any single-use commitment. The proof demonstrates:

  • You know the secret (the Phantom Key) corresponding to a valid commitment in the Merkle tree.
  • The commitment matches the claimed token, amount, and policy.
  • The nullifier is correctly derived (preventing reuse).
  • You have not tampered with any of the commitment's bound data: the circuit recomputes the commitment from the public token, amount and policy values, so altered values would not reproduce a leaf that exists in the tree.

The eight public inputs are the values the verifier contract either checks against on-chain state (the Merkle root, the nullifier hash) or acts on (the recipient address and the token details). Because the recipient is a public input, a proof is valid only for that recipient: a relayer or front-runner who observes the proof cannot re-submit it to deliver the tokens to a different address.

Access Proof (4 public inputs)

This is the circuit used for persistent Phantom Keys, reusable credentials that can be verified multiple times without being consumed. The proof demonstrates that you hold a valid persistent key without revealing which one, using only four public inputs. Critically, this proof does not produce a nullifier, which is what allows it to be used repeatedly. The flip side is that nothing is consumed when the proof is checked, so the proof bytes themselves can be presented again by anyone who has seen them; a verifier that needs freshness must bind a session-specific value, such as a challenge or the caller's address, into the public inputs so that a replayed proof fails.

Nullifier Formula

The nullifier is what prevents double-spending, and its derivation is carefully designed to be both secure and unlinkable:

nullifier = Poseidon2(Poseidon2(nullifierSecret, commitment), leafIndex)

This two-layer structure ensures that:

  • Knowing the nullifier reveals nothing about the commitment. The commitment and the leaf index are both public in the tree, but without nullifierSecret nobody can connect a published nullifier to the leaf it spends.
  • The inner hash already separates commitments: the same nullifierSecret used in two different commitments yields two different nullifiers. The outer hash adds the leaf index so that even two identical commitments (same secrets and same bound data, inserted at different leaves) get distinct nullifiers; without it, spending one would also burn the other.
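The derivation and the consuming side together, as an added Python example (not Ghost Protocol's code): `poseidon2_stub` is a SHA-256 stand-in for Poseidon2, and `NullifierSet` stands in for the verifier contract's spent-nullifier mapping. It exercises the two cases the formula is built for, the same secret across different commitments and the same commitment inserted at two leaves, and shows the replay being rejected. Secrets and commitment values are constructed samples.

```python
"""Nullifier derivation and double-spend rejection.

Added example, not Ghost Protocol code. poseidon2_stub replaces Poseidon2
with domain-separated SHA-256 reduced into the BN254 scalar field so the
block runs offline; the spent set stands in for on-chain storage.
"""
import hashlib

P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def poseidon2_stub(a: int, b: int) -> int:
    """Stand-in for the two-input Poseidon hash."""
    data = b"\x02" + a.to_bytes(32, "big") + b.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def nullifier(nullifier_secret: int, commitment: int, leaf_index: int) -> int:
    """nullifier = Poseidon2(Poseidon2(nullifierSecret, commitment), leafIndex)"""
    inner = poseidon2_stub(nullifier_secret, commitment)
    return poseidon2_stub(inner, leaf_index)


class NullifierSet:
    """Verifier-side record of spent nullifiers (an on-chain mapping in practice)."""

    def __init__(self):
        self._spent = set()

    def redeem(self, null: int) -> bool:
        """Accept the first presentation of a nullifier, reject every later one."""
        if null in self._spent:
            return False
        self._spent.add(null)
        return True


def demo():
    # Constructed values; real secrets are random field elements.
    secret = 0xABCDEF
    commitment_a, commitment_b = 0x1001, 0x1002
    n_a = nullifier(secret, commitment_a, 0)
    n_b = nullifier(secret, commitment_b, 1)    # same secret, different commitment
    n_dup = nullifier(secret, commitment_a, 5)  # identical commitment at another leaf
    chain = NullifierSet()
    return (
        len({n_a, n_b, n_dup}) == 3,  # all three spend different leaves
        chain.redeem(n_a),            # first spend of leaf 0 accepted
        chain.redeem(n_a),            # replay of the same nullifier rejected
        chain.redeem(n_dup),          # leaf 5 still spendable despite identical contents
    )
```

In the deployed system the membership of `nullifier` in the spent set is checked by the contract, while the correctness of the derivation (that the presented nullifier really came from the secret behind the leaf being spent) is what the Redemption Proof establishes.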

Quantum-Safe Layer

Here is something we think about even though we hope it never matters: quantum computers. The security of Groth16 proofs on BN254 relies on the hardness of the discrete logarithm problem on elliptic curves, something a sufficiently powerful quantum computer could theoretically break using Shor's algorithm. The property at risk is soundness, not privacy: Groth16 is perfectly zero-knowledge, so proofs already on-chain would not leak their witnesses, but an attacker with such a machine could recover the toxic waste of a setup from its published parameters, or solve discrete logarithms directly, and forge proofs.

Ghost Protocol includes a defense-in-depth mechanism:

quantumCommitment = keccak256(quantumSecret)

At commit time, a separate quantum secret is hashed with keccak256 (a conventional hash function with no elliptic-curve structure) and the hash is stored on-chain. If the ZK proof system is ever compromised, users can prove ownership by revealing the preimage of their quantum commitment. Two requirements follow from the hash being public: the quantum secret must be at least 256 random bits, since a guessable secret can be brute-forced offline against the stored hash, and the reveal must be bound to a recipient in the same transaction, since a preimage visible in the mempool could otherwise be submitted by someone else before the owner's transaction lands.

Keccak256's security against quantum computers is much stronger. The best known quantum attack on hash preimages (Grover's algorithm) gives only a quadratic speedup, so recovering the secret behind a 256-bit hash still costs on the order of 2^128 quantum operations: 128 bits of quantum security. That is more than enough.

Think of it as wearing both a seatbelt and having an airbag. You hope the seatbelt (ZK proofs) always works. But if it ever does not, the airbag (quantum commitment) is there to protect you.