Phantom Identity
A Phantom Identity is a persistent, reusable anonymous identity encoded as a PNG bearer object. Unlike a Phantom Key — which is consumed on first use — a Phantom Identity survives indefinitely. You download it once and authenticate with it forever. Each "connect" recovers a full secp256k1 private key via a zero-knowledge access proof and split-key recombination. No wallet. No account. No metadata trail. Just a PNG file that is your identity.
This is the mechanism that turns Specter from a one-time data commitment system into a persistent data privacy protocol.
The Core Innovation
Phantom Keys solve one-time data operations: commit, share, reveal, done. But most real-world data access patterns are not one-time:
- A credential needs to be verified on every login.
- An API key needs to authenticate on every request.
- A subscription key needs to be checked on every access.
- A pseudonymous account needs to sign transactions over months or years.
Phantom Identity addresses these patterns by separating authentication from consumption. The Access Proof Circuit proves knowledge of a commitment without spending its nullifier. The commitment stays in the Merkle tree permanently. The identity holder can authenticate an unlimited number of times, each time with a fresh, unlinkable session.
What Is a Phantom Identity?
A Phantom Identity is a PNG image file with cryptographic metadata embedded in its tEXt chunk. When you "download your identity," you receive a standard PNG that can be stored on disk, backed up to cold storage, or printed as a QR code. Inside it:
| Component | Description |
|---|---|
| secp256k1 keypair | A full elliptic curve keypair (private key + public key). The private key is split-encrypted — only half lives in the PNG. |
| secret | BN254 field element, derived from the keypair. Part of the commitment preimage. |
| nullifierSecret | BN254 field element. Used for accessTag derivation (authentication) and nullifier derivation (revocation). |
| blinding | Random blinding factor for the commitment. |
| dataHash | Hash of the identity's associated data payload. |
| quantumSecret | 256-bit value for post-quantum commitment rotation. |
| encKeyPartA | The local half of the split private key (XOR-encrypted). |
| commitment | The Poseidon commitment hash: |
| quantumCommitment | — stored on-chain, rotated on each access. |
The PNG is the identity. Whoever holds the file — and optionally knows the passphrase — controls the identity.
Key Properties
Persistent
The on-chain commitment is never consumed. The PersistentKeyVault stores the second half of the split key indefinitely. Unlike OpenGhostKeyVault (which deletes key material after one retrieval), the persistent vault returns key material without deleting it. The identity survives across sessions, devices, and time.
Reusable
Each "connect" generates a new Access Proof with a fresh sessionNonce and unique accessTag. There is no limit on the number of times a Phantom Identity can be used. The access proof circuit has no nullifier computation — it authenticates without consuming.
Self-Sovereign
The PNG file is a bearer instrument. There is no account server, no recovery email, no custodian. If you lose the PNG, the identity is gone. If the PNG is stolen (and unprotected by a passphrase), the thief controls the identity. This is the same security model as a hardware wallet — but the "hardware" is a file.
Pseudonymous
The secp256k1 public key derived from the Phantom Identity serves as the identity's public address. On-chain, this address has no connection to the holder's real identity. Transactions signed by this key are linked to the pseudonym, not to the human behind the PNG.
Quantum-Resistant
Each access rotates the quantumCommitment on-chain. Even if the Groth16/BN254 proving system is broken by a future quantum computer, an attacker would still need to provide a valid keccak256 preimage — which is believed to be quantum-resistant — to access the key vault.
Passphrase Protection
Phantom Identity supports optional AES-256-GCM encryption of the PNG metadata:
- The user chooses a passphrase during identity generation.
- A 256-bit encryption key is derived via PBKDF2-SHA256 with 100,000 iterations.
- All sensitive metadata fields in the PNG tEXt chunk are encrypted with AES-256-GCM.
- On each "connect," the user enters the passphrase to decrypt the metadata before proof generation.
Without the passphrase, the PNG is opaque — the encrypted fields are indistinguishable from random bytes. This adds a knowledge factor (passphrase) to the possession factor (PNG file), creating two-factor security for the identity.
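The following Node.js sketch is an added example, not Specter's own code: it applies the stated parameters (PBKDF2-SHA256, 100,000 iterations, AES-256-GCM) to a set of metadata fields and shows that a wrong passphrase, a modified field, or a field moved under another name is rejected. The envelope layout, the per-file salt, the use of the field name as associated data, and the names `sealMetadata` / `openMetadata` are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// From the page: PBKDF2-SHA256, 100,000 iterations, 256-bit AES-GCM key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, 100000, 32, 'sha256');
}

// Assumed envelope (not Specter's format): one random salt per file, and per
// field base64(iv[12] | tag[16] | ciphertext) with the field name as AAD.
function sealMetadata(passphrase, fields) {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey(passphrase, salt);
  const sealed = {};
  for (const [name, value] of Object.entries(fields)) {
    const iv = nodeCrypto.randomBytes(12); // never reuse an IV under one key
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(name, 'utf8'));
    const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
    sealed[name] = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  }
  return { salt: salt.toString('base64'), fields: sealed };
}

// Returns the decrypted fields, or null if the passphrase is wrong or any
// field was modified, truncated or moved under a different name.
function openMetadata(passphrase, envelope) {
  const key = deriveKey(passphrase, Buffer.from(envelope.salt, 'base64'));
  const out = {};
  for (const [name, b64] of Object.entries(envelope.fields)) {
    const raw = Buffer.from(b64, 'base64');
    if (raw.length < 28) return null; // too short to hold iv + tag
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(name, 'utf8'));
    decipher.setAuthTag(raw.subarray(12, 28));
    try {
      out[name] = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
    } catch {
      return null; // GCM tag mismatch
    }
  }
  return out;
}

// Constructed sample values, not real key material.
const SAMPLE = { secret: '0x1111', nullifierSecret: '0x2222', encKeyPartA: '0x3333' };
console.log(openMetadata('wrong passphrase', sealMetadata('correct horse', SAMPLE)));
```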
Use Cases
| Use Case | Description |
|---|---|
| Persistent anonymous accounts | Maintain a pseudonymous on-chain identity over months or years. Sign transactions, interact with contracts, build reputation — all without revealing who you are. |
| Long-term credential access | A credential (KYC attestation, diploma, certification) committed once and verified indefinitely. Each verification generates a fresh access proof. |
| Recurring authentication | Authenticate to a service on every login using the same Phantom Identity. The service verifies the access proof without learning anything about the holder. |
| Subscription keys | Access a subscription service by proving ownership of a committed key. The key is never revealed, never consumed, and can be verified on every access. |
| Multi-step privacy workflows | Complex operations that span multiple transactions: commit data, verify it, update it, share it — all from the same persistent pseudonym without breaking the privacy chain. |
| Private fund management | Use the recovered secp256k1 key to sign transactions directly. Move funds, interact with DeFi, manage assets — all from a pseudonymous identity with no wallet connection. |
Relationship to Phantom Keys
Phantom Identity is not a replacement for Phantom Keys — it is an extension. Phantom Keys remain the right tool for one-time operations: send a gift card, share a secret, transfer tokens. Phantom Identity is for everything that needs to persist.
Both systems share the same cryptographic foundation: Poseidon commitments, Merkle tree membership, and Groth16 proofs on BN254. The difference is in the circuit and the vault:
| | Phantom Key | Phantom Identity |
|---|---|---|
| Circuit | Redemption (spends nullifier) | Access Proof (does not spend nullifier) |
| Vault | CommitRevealVault / OpenGhostKeyVault | PersistentKeyVault |
| Lifetime | Single use | Indefinite |
See Phantom Identity vs. Phantom Keys for the full comparison.