GhostPay Mesh: A Cryptographic Protocol for Offline-First Value Transfer

Abstract

We present GhostPay Mesh, a cryptographic protocol enabling offline-first value transfer through Payment Letter of Credit (PLC) instruments. By combining Ed25519 digital signatures, XChaCha20-Poly1305 authenticated encryption, and SHA-256 commitment schemes, the protocol allows creation, transfer, and eventual settlement of payment promises without requiring network connectivity. We demonstrate that the protocol maintains security guarantees equivalent to online payment systems while operating in fully disconnected environments, with a novel time-bounded commitment mechanism that prevents double-spending upon reconnection.

Introduction

The global payment infrastructure relies on persistent network connectivity for transaction authorization, clearing, and settlement. This dependency creates a critical failure mode: when connectivity is unavailable — whether due to network congestion at events, infrastructure failures, geographic remoteness, or deliberate censorship — economic activity stops.

Current solutions to offline payments are limited to stored-value cards (no programmability), SMS-based systems (requires cellular), or deferred settlement with no cryptographic guarantees. None provide a general-purpose, cryptographically secure mechanism for offline value transfer.

GhostPay Mesh addresses this gap by introducing the Payment Letter of Credit (PLC) — a cryptographic instrument that encapsulates a payment promise with provable authenticity, integrity guarantees, and time-bounded validity. PLCs can be created, transferred, and verified entirely offline, with deterministic settlement when connectivity is restored.

Protocol Overview

The GhostPay Mesh protocol operates in three phases: Promise Creation, Offline Transfer, and Network Settlement. Each phase is designed to function independently, allowing participants to complete their portion without knowledge of the others' state.

A PLC contains: the amount, currency, issuer public key, recipient identifier, creation timestamp, expiration (TTL), a nonce, and a digital signature covering all fields. The compact binary encoding allows PLCs to fit within QR code capacity limits (approximately 4,296 alphanumeric characters).

Device binding is achieved through hardware-backed key storage (Secure Enclave on iOS, StrongBox on Android), ensuring private keys never leave the device. This prevents PLC forgery even if the device's application layer is compromised.

Cryptographic Design

The protocol employs three cryptographic primitives, each chosen for specific security properties and performance characteristics in resource-constrained mobile environments:

Ed25519 (EdDSA over Curve25519): Used for digital signatures on PLC instruments. Ed25519 provides 128-bit security, deterministic signatures (no random number generator dependency — critical for offline devices), and fast verification (approximately 71,000 signatures/second on modern mobile hardware).

XChaCha20-Poly1305: Used for authenticated encryption of PLC payloads during transfer. The extended nonce (192-bit) eliminates nonce collision risks in offline environments where coordinated nonce management is impossible. Poly1305 MAC provides authentication, preventing modification of encrypted PLCs in transit.

SHA-256 Commitment Scheme: Used to create binding commitments that are published to the settlement network before the PLC is transferred. This enables double-spend detection: if two PLCs share the same commitment hash, the settlement system rejects the later submission.

Offline Settlement

The settlement process uses a conflict-free replicated data type (CRDT) approach to merge transaction states from multiple offline devices. When devices reconnect, they submit their local transaction logs to the settlement network.

The settlement algorithm processes submitted PLCs in timestamp order, verifying each signature and checking commitments against the global ledger. PLCs with valid signatures but duplicate commitments are flagged for dispute resolution. The time-bounded nature of PLCs (default 24-hour TTL) limits the window for potential conflicts.

For high-value transactions, a pre-commitment phase can be executed while online: the issuer publishes a commitment hash before going offline, reserving funds in the settlement system. This eliminates double-spend risk entirely at the cost of requiring brief connectivity during issuance.

Security Analysis

We analyze the protocol against the following threat model:

• Forgery: An attacker attempts to create valid PLCs without possessing the issuer's private key. Mitigated by Ed25519 signature verification — forging a signature requires solving the discrete logarithm problem on Curve25519.
• Double-spend: An issuer creates multiple PLCs spending the same funds. Mitigated by SHA-256 commitment scheme and TTL enforcement — duplicate commitments are detected at settlement, and expired PLCs are rejected.
• Replay attack: An attacker captures and re-submits a valid PLC. Mitigated by unique nonces and one-time commitment hashes — each PLC can only be settled once.
• Man-in-the-middle: An attacker intercepts PLC transfer and modifies contents. Mitigated by XChaCha20-Poly1305 authenticated encryption — any modification invalidates the Poly1305 MAC.
• Key extraction: An attacker attempts to extract private keys from a device. Mitigated by hardware-backed key storage (Secure Enclave / StrongBox) — keys are never exposed to the application layer.

Use Cases

The protocol enables a broad range of real-world applications:

• Mass events: Festivals, conferences, and sporting events where cellular infrastructure is overwhelmed. Vendors accept offline payments from thousands of attendees without network dependency.
• Transportation: In-flight purchases, cruise ship transactions, and subway systems operating underground. Passengers pay without connectivity, with settlement upon arrival.
• Disaster relief: Emergency response scenarios where communication infrastructure is damaged. Aid distribution and local commerce continue through offline payment promises.
• Developing markets: Regions with intermittent connectivity where mobile money systems fail frequently. GhostPay Mesh provides reliable payment capability regardless of network state.
• Business continuity: Enterprise operations that must continue during ISP outages, DDoS attacks, or infrastructure maintenance. Critical payments process without interruption.

Roadmap

The protocol development follows a phased approach, with each phase building on the security and reliability guarantees of the previous:

• 2024 Core protocol specification and reference implementation. Ed25519/XChaCha20 cryptographic layer. Basic PLC lifecycle (create, transfer, settle).
• 2025 Mobile SDKs (Flutter, React Native). REST API and developer documentation. Integration with Brazilian payment rails (Pix, Asaas).
• 2026 Enterprise compliance framework. Multi-currency support. Mesh networking for device-to-device relay. SOC 2 Type II certification.
• 2027+ Open settlement network. Cross-protocol interoperability. Hardware security module (HSM) integration. Academic peer review and formal verification.

References

1. Bernstein, D.J. et al. "High-speed high-security signatures." Journal of Cryptographic Engineering, 2012.
2. Bernstein, D.J. "The Poly1305-AES message-authentication code." FSE 2005, LNCS 3557.
3. Arciszewski, S. "XChaCha20-Poly1305 Construction." IETF Draft, 2020.
4. NIST. "Secure Hash Standard (SHS)." FIPS PUB 180-4, 2015.
5. Josefsson, S., Liusvaara, I. "Edwards-Curve Digital Signature Algorithm (EdDSA)." RFC 8032, 2017.
6. Shapiro, M. et al. "Conflict-free Replicated Data Types." SSS 2011, LNCS 6976.
7. World Bank. "Global Findex Database 2021: Financial Inclusion, Digital Payments, and Resilience." 2022.
8. GSMA. "State of Mobile Internet Connectivity Report." 2023.