Cryptographic Amnesia (ERC-8228)

amnesia<T>, destroy(), vdf_proof — verifiable data deletion.

ERC-8228 introduces cryptographic amnesia: a contract can provably commit to destroying secret data after a delay enforced by a Verifiable Delay Function (VDF). Once the destruction ceremony completes, no party — including the chain operator — can recover the data. This enables use cases like time-limited secret auctions, ephemeral keys, and GDPR-compliant on-chain storage.

amnesia_ceremony.cov — 4-phase destruction protocol

record SecretAuction {
    // amnesia wraps T in a destruction-trackable envelope
    sealed_bid:  amnesia;
    bidder:      address;
    phase:       u8;       // 0=init 1=committed 2=locked 3=destroyed
    reveal_at:   time;
    destroy_at:  time;

    error WrongPhase(expected: u8, got: u8);
    error TooEarly(ready_at: time, now: time);

    // Phase 0 → 1: commit the bid (sealed)
    action commit(bid: u256)
        when(self.phase == 0)
        only(self.bidder)
    {
        self.sealed_bid = amnesia(bid);
        self.phase = 1;
    }

    // Phase 1 → 2: lock — no more reads after this
    action lock()
        when(self.phase == 1)
        when(block.timestamp >= self.reveal_at)
        only(self.bidder)
    {
        self.phase = 2;
    }

    // Phase 2 → 3: destroy with VDF proof (prevents last-minute reads)
    // vdf_proof(t) requires t sequential squarings — ~1 million ≈ 30 seconds
    action destroy()
        when(self.phase == 2)
        when(block.timestamp >= self.destroy_at)
        only(self.bidder)
    {
        vdf_proof(t = 1_000_000);   // enforced delay before destruction
        destroy(self.sealed_bid);   // zeroes and tombstones the slot
        self.phase = 3;
    }

    // Readable only in phase 1 (after commit, before lock)
    view read_bid() -> u256
        only(self.bidder)
        when(self.phase == 1)
    {
        return self.sealed_bid;
    }
}

Annotations

`amnesia<T>`	wraps `T` in a destruction-trackable envelope. The compiler tracks all read paths and enforces phase guards.
`destroy(field)`	zeroes the storage slot and writes a tombstone hash that proves destruction occurred at a specific block.
`vdf_proof(t = N)`	compiles to a STATICCALL to the VDF precompile (`0x0502`). The sequentiality of the VDF prevents parallel pre-computation of the proof — you cannot rush destruction.
ERC-8228 compliance	requires: (a) amnesia wrapping, (b) locked phase before destruction, (c) VDF proof in the destruction action, (d) a tombstone event emitted on-chain.

Key takeaways

Cryptographic amnesia provides a verifiable guarantee of deletion — not just a promise.
The VDF delay prevents an adversary from watching mempool and reading the data right before the destroy transaction mines.
After destroy(), the amnesia slot is tombstoned — any subsequent read attempt reverts.