Bearer Formats
Specter's data protocol is designed around bearer instruments — objects where possession equals access. The cryptographic secrets needed to generate a ZK proof and access committed data are encoded directly into a physical or digital artifact. There is no account to log into, no server to authenticate against, no custodian to trust. You hold the object; you control the data.
The protocol supports four bearer formats, each optimized for a different use case and threat model.
Overview
| Format | Data Capacity | Key Type | Persistence | Best For |
|---|---|---|---|---|
| Numeric Key | Seed (128 bits) + metadata | Phantom Key (one-time) | Paper, memory, voice | Simple transfers, gift cards, offline sharing |
| PNG Bearer Object | Full keypair + all secrets | Phantom Identity (persistent) | Digital file | Persistent accounts, recurring access |
| PDF Voucher | Metadata + QR + numeric fallback | Phantom Key (one-time) | Printable document | Branded vouchers, formal issuance |
| NFC Tag | Encrypted seed + metadata | Phantom Key (one-time) | Physical tag | Gift cards, access cards, event tickets |
Numeric Keys
Numeric Keys are the simplest bearer format: a human-readable string of digits that encodes a 128-bit seed and associated metadata. They are the primary format for Phantom Keys.
Format
9473 0018 7376 9372 0484 1273
Displayed in groups of four digits for readability. The full encoding contains:
| Field | Description | Size |
|---|---|---|
| Version byte | Format version (V1-V7) | 1 digit |
| Seed | Root entropy (128 bits) | ~39 digits |
| Amount | Scientific notation (significand + exponent) | Variable |
| Leaf index | Variable-length encoding of tree position | Variable |
| Checksum | Error detection (CRC-based) | 4 digits |
Total length: 24-30 digits depending on version and amount encoding.
Seed-Based Derivation
All cryptographic secrets are deterministically derived from the 128-bit seed using HKDF-SHA256:
| Secret | HKDF Info String | Purpose |
|---|---|---|
secret | ghostcoin-secret-v1 | Primary commitment preimage input |
nullifierSecret | ghostcoin-nullifier-v1 | Nullifier / accessTag derivation |
blinding | ghostcoin-blinding-v1 | Commitment randomization |
changeBlinding | ghostcoin-change-blinding-v1 | Partial withdrawal change commitment |
quantumSecret | ghostcoin-quantum-v1 | Post-quantum commitment (V4+) |
Each HKDF output is 32 bytes, reduced modulo the BN254 scalar field prime to produce a valid field element. The seed is the single source of entropy — everything else is derived.
Properties
| Property | Value |
|---|---|
| Human-readable | Groups of four digits. Can be spoken aloud, read over the phone, or dictated. |
| Paper-friendly | Short enough to write on a card, receipt, or sticky note. |
| Error detection | 4-digit checksum catches transcription errors. |
| Self-contained | The number encodes everything needed to reveal the commitment (plus chain access for the Merkle proof). |
| No encryption | The numbers are the secret. Anyone who reads them controls the commitment. |
When to Use
Numeric Keys are ideal for one-time transfers where simplicity and universality matter more than multi-factor security. Gift cards, printed vouchers, verbal sharing, low-tech environments.
PNG Bearer Objects
PNG Bearer Objects are the format for Phantom Identity. They encode a full secp256k1 keypair, all commitment secrets, and the local half of the split key — all embedded in a standard PNG image file.
Structure
The PNG file uses the standard tEXt metadata chunk (defined in the PNG specification) to store identity data. The visual content of the image can be anything — a logo, an abstract pattern, a QR code — the cryptographic payload is in the metadata, not the pixels.
| Metadata Field | Description | Encrypted? |
|---|---|---|
publicKey | secp256k1 public key (hex) | No |
encKeyPartA | Local half of split private key | Yes (if passphrase set) |
secret | BN254 field element | Yes (if passphrase set) |
nullifierSecret | BN254 field element | Yes (if passphrase set) |
blinding | BN254 field element | Yes (if passphrase set) |
dataHash | Hash of associated data | Yes (if passphrase set) |
quantumSecret | 256-bit quantum commitment preimage | Yes (if passphrase set) |
commitment | Poseidon commitment hash | No |
quantumCommitment | keccak256(quantumSecret) | No |
leafIndex | Position in the Merkle tree | No |
salt | PBKDF2 salt (if passphrase set) | No |
iv | AES-GCM IV (if passphrase set) | No |
encrypted | Boolean flag | No |
Passphrase Encryption
When a passphrase is set, all sensitive fields are encrypted as a single AES-256-GCM payload:
Without the passphrase, the encrypted fields are indistinguishable from random data. The salt and IV are stored in the clear — they do not need to be secret.
Properties
| Property | Value |
|---|---|
| Persistent | Supports unlimited connect/disconnect cycles via Access Proofs. |
| Self-sovereign | No server, no account, no recovery. The file is the identity. |
| Two-factor (optional) | Possession (file) + knowledge (passphrase). |
| Portable | Standard PNG file. Works on any device that can read files. |
| Backup-friendly | Copy the file to cold storage, USB drive, or print the QR code. |
When to Use
PNG Bearer Objects are the format for persistent anonymous identities, recurring authentication, and any workflow that requires a signing key over multiple sessions.
PDF Vouchers
PDF Vouchers embed Phantom Key metadata in PDF document properties (setProperties), combined with a visual presentation that includes QR codes and a printed numeric key for offline recovery.
Structure
| Component | Location | Purpose |
|---|---|---|
| Metadata payload | PDF setProperties (document properties) | Machine-readable key data |
| QR code | Visual page content | Scan-to-redeem for mobile |
| Numeric key | Printed text on page | Human-readable fallback for offline recovery |
| Branding | Visual page content | Issuer logo, denomination, instructions |
Dual Recovery Paths
PDF Vouchers provide two independent recovery paths:
- QR code: scan with a phone camera. The QR encodes the same data as the numeric key. Fastest path for mobile users.
- Numeric key: printed in plain text. The ultimate fallback — works even if the QR is damaged, the PDF is printed in low resolution, or the user has no camera.
- PDF metadata: programmatic extraction via
setProperties. Used by automated systems that process vouchers in bulk.
Properties
| Property | Value |
|---|---|
| Printable | Standard PDF. Print on any printer. |
| Branded | Issuer can customize visual design, add logos, instructions. |
| Redundant | Three independent recovery paths (QR, numeric, metadata). |
| Offline-capable | Printed voucher works without any device until the reveal step. |
| One-time | Backed by Phantom Keys (nullifier spent on reveal). |
When to Use
PDF Vouchers are ideal for formal issuance: employee credentials, loyalty rewards, branded gift cards, event tickets, institutional certificate delivery. The printable format and branding support make them suitable for non-technical recipients.
NFC Tags
NFC Tags encode Phantom Key data on NTAG 424 DNA chips — tamper-evident, cryptographically authenticated physical bearer instruments.
Hardware: NTAG 424 DNA
The NTAG 424 DNA is an NFC chip manufactured by NXP Semiconductors with hardware-level security features:
| Feature | Description |
|---|---|
| SUN Authentication | Secure Unique NFC. Each tap generates a unique, cryptographically signed response. Prevents cloning. |
| AES-128 encryption | On-chip symmetric encryption. Data is encrypted at the hardware level. |
| Tamper detection | The chip can detect physical tampering attempts. |
| Read counters | Hardware counter increments on each read. Detects unauthorized reads. |
| Multiple file areas | Separate storage regions with independent access controls. |
Data Layout
| Region | Content | Access Control |
|---|---|---|
| Public URL | NDEF URL record pointing to the Specter redemption page. Includes SUN authentication parameters (PICC data + MAC). | Read: open. Write: locked. |
| Encrypted payload | Phantom Key seed + metadata, AES-128 encrypted. | Read: requires authentication. Write: locked after issuance. |
| SUN parameters | Encrypted PICC data + CMAC. Verified server-side to confirm tag authenticity. | Generated by hardware on each tap. |
Tap-to-Redeem Flow
Anti-Cloning
The NTAG 424 DNA's SUN authentication makes cloning practically impossible:
- Each tap generates a fresh AES-CMAC using the chip's internal key (never exposed).
- The CMAC covers the chip's unique ID (UID) and the current read counter.
- The verification server holds the chip's AES key (provisioned during manufacturing/issuance).
- A cloned chip cannot produce valid CMACs because it does not have the internal key.
- A replayed CMAC will fail because the read counter has advanced.
Properties
| Property | Value |
|---|---|
| Physical bearer | Tangible object. Hand it to someone. |
| Tamper-evident | Hardware detection of physical intrusion. |
| Clone-resistant | SUN authentication prevents duplication. |
| Encrypted at rest | AES-128 on-chip encryption. |
| Tap-to-redeem | Single NFC tap initiates the reveal flow. |
| One-time | Backed by Phantom Keys (nullifier spent on reveal). |
Use Cases
| Use Case | Description |
|---|---|
| Gift cards | Physical cards with NFC chips. Tap to redeem GHOST tokens or access data. |
| Access cards | Prove credential ownership by tapping an NFC-enabled reader. |
| Event tickets | Tamper-proof, non-clonable tickets. SUN authentication prevents counterfeits. |
| Physical key distribution | Distribute encryption keys or API credentials as NFC tags. One tap, one retrieval, key material deleted. |
| Supply chain verification | Attach NFC tags to physical goods. Each tap proves authenticity via on-chip cryptography. |
Format Selection Guide
| Requirement | Recommended Format |
|---|---|
| Simplest possible sharing | Numeric Key |
| Persistent identity | PNG Bearer Object |
| Printable, branded voucher | PDF Voucher |
| Physical tamper-proof card | NFC Tag |
| Verbal/phone sharing | Numeric Key |
| Multi-factor security | PNG Bearer Object (with passphrase) |
| Automated batch processing | PDF Voucher (metadata extraction) |
| Anti-counterfeiting | NFC Tag (SUN authentication) |
| Air-gapped environment | Numeric Key or printed PDF |
| Mobile-first redemption | NFC Tag or PDF Voucher (QR scan) |