Phantom Keys
A Phantom Key is a bearer instrument for data. It is a set of secret numbers that encode the preimage of a commitment in Specter's Merkle tree. Whoever knows the numbers can generate a zero-knowledge proof of ownership and access or reveal the committed data. No account, no wallet, no private key in the Ethereum sense — just numbers.
The Core Idea
When data is committed to Specter's Merkle tree, the commitment is a Poseidon hash of several secret values (secret, nullifierSecret, blinding, etc.). These values are the "keys" to the commitment. Anyone who possesses them can:
- Recompute the commitment hash.
- Prove it exists in the Merkle tree via a ZK proof.
- Reveal the committed data or access it persistently.
A Phantom Key packages these secrets into a human-readable numeric format that can be written on paper, spoken aloud, printed on a card, or transmitted digitally. It is a self-contained bearer credential — the numbers are the access.
Format
Phantom Keys are displayed as groups of four digits, similar to a credit card number:
9473 0018 7376 9372 0484 1273
Under the hood, this numeric string encodes:
| Field | Description |
|---|---|
| Version byte | Format version (V1 through V7, supporting progressive feature additions) |
| Seed (128 bits) | The root entropy from which all secrets are derived |
| Amount encoding | Scientific notation representation of the committed value (significand + exponent) |
| Leaf index | Variable-length encoding of the commitment's position in the tree |
| Checksum (4 digits) | Error detection code for the full key |
The encoding is compact — a full Phantom Key fits in 24-30 digits depending on the version and amount size.
Seed-Based Derivation
The key insight is that all cryptographic secrets can be deterministically derived from a single 128-bit seed using HKDF-SHA256. This keeps the Phantom Key short while maintaining full cryptographic strength.
The derivation process:
- Generate seed: 16 bytes (128 bits) from a cryptographic random number generator.
- Derive secret: HKDF-SHA256(seed, info="ghostcoin-secret-v1", length=32), reduced mod the BN254 field prime.
- Derive nullifierSecret: HKDF-SHA256(seed, info="ghostcoin-nullifier-v1", length=32), reduced mod the BN254 field prime.
- Derive blinding: HKDF-SHA256(seed, info="ghostcoin-blinding-v1", length=32), reduced mod the BN254 field prime.
- Derive changeBlinding (for partial withdrawals): HKDF-SHA256(seed, info="ghostcoin-change-blinding-v1", length=32), reduced mod the BN254 field prime.
Each derivation uses a different HKDF info string, producing cryptographically independent values from the same seed. The 32-byte HKDF output is reduced modulo the BN254 scalar field prime () to produce a valid field element.
Later versions of the Phantom Key format (V4+) also derive a quantumSecret — a 256-bit value reserved for the planned quantum-resistant commitment layer. This value is included in the numeric encoding but is not used by the current ZK circuits.
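A worked version of the derivation above, added here as an example and not code from Specter's implementation: it builds RFC 5869 HKDF-SHA256 from the standard library, expands one 128-bit seed with each info string listed above, and reduces each 32-byte output into the BN254 scalar field. The field order r is the standard BN254 constant (the page leaves the value out); an empty HKDF salt and big-endian interpretation of the output bytes are assumptions, and the V4+ quantumSecret is not covered because its info string is not given.

```python
import hashlib
import hmac
import secrets

# BN254 scalar field order r (the well-known constant; the page omits its value).
BN254_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# The HKDF info strings given on the page, keyed by the secret each one produces.
INFO_STRINGS = {
    "secret": b"ghostcoin-secret-v1",
    "nullifierSecret": b"ghostcoin-nullifier-v1",
    "blinding": b"ghostcoin-blinding-v1",
    "changeBlinding": b"ghostcoin-change-blinding-v1",
}


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK from ikm, then expand it under info."""
    if not salt:
        salt = bytes(32)  # RFC 5869: an absent salt is HashLen zero bytes
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_field_element(seed: bytes, info: bytes) -> int:
    """32 HKDF bytes, read big-endian (assumed), reduced into the BN254 scalar field."""
    raw = hkdf_sha256(seed, info, 32)
    return int.from_bytes(raw, "big") % BN254_SCALAR_FIELD


def derive_commitment_secrets(seed: bytes) -> dict:
    """Derive every commitment secret listed on the page from one 128-bit seed."""
    if len(seed) != 16:
        raise ValueError("Phantom Key seed must be exactly 128 bits")
    return {name: derive_field_element(seed, info) for name, info in INFO_STRINGS.items()}


def new_seed() -> bytes:
    """Fresh 128-bit seed from the OS CSPRNG (step 1 of the derivation)."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    for name, value in derive_commitment_secrets(new_seed()).items():
        print(f"{name:16s} {value}")
```

Because every secret is a pure function of the seed, only the seed needs to be encoded in the numeric key; anyone holding those digits recomputes the same four field elements.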
Two Modes of Operation
Phantom Keys operate in two distinct modes depending on the vault they interact with:
Standard Phantom Keys
Standard Phantom Keys are one-time bearer instruments. They are backed by commitments in the CommitRevealVault (for tokens) or OpenGhostVault (for data). When the key is used to reveal, the commitment's nullifier is spent and the key is consumed. It cannot be used again.
Use cases: private token transfers, gift cards, one-time credential sharing, sealed document delivery.
See Standard Phantom Keys for the full flow.
Open Ghost Keys
Open Ghost Keys are a specialized variant for sealed data sharing. They use the OpenGhostVault and OpenGhostKeyVault contracts to enable one-time encrypted data retrieval. The commitment contains a dataHash rather than a token amount, and the OpenGhostKeyVault stores an encrypted key part that is returned once and then permanently deleted.
Use cases: encrypted message delivery, sealed documents, one-time secret sharing, credential issuance.
See Open Ghost Protocol for the full specification.
Phantom Identity (Extended Concept)
Both Standard Phantom Keys and Open Ghost Keys are one-time instruments — the commitment is consumed on reveal. Phantom Identity extends the Phantom Key concept to create persistent, reusable identities.
A Phantom Identity uses the same seed-based derivation as a Phantom Key, but instead of the Redemption Circuit (which spends a nullifier), it uses the Access Proof Circuit (which does not). This means the commitment is never consumed, and the holder can authenticate repeatedly using session-bound accessTag values.
Phantom Identity is covered in its own section of the whitepaper.
Security Model
The security of a Phantom Key reduces to a single principle:
Knowing the numbers is equivalent to holding the data or tokens.
There is no password, no account recovery, no custodian. If the numbers are lost, the committed data or tokens are permanently inaccessible. If the numbers are stolen, the thief can reveal the commitment before the legitimate holder.
| Threat | Mitigation |
|---|---|
| Key interception during sharing | Share physically (printed card, spoken aloud) or via encrypted channel |
| Key theft from storage | Store securely (encrypted device, physical safe, split storage) |
| Key loss | No recovery possible — this is a feature, not a bug. Bearer instruments are final. |
| Brute-force seed guessing | 128-bit seed = possibilities. Computationally infeasible. |
| HKDF output prediction | HKDF-SHA256 is a standardized KDF with proven security bounds. Outputs are indistinguishable from random. |
| Checksum forgery | 4-digit checksum detects accidental transcription errors, not adversarial modification. |
The Phantom Key is designed to be the simplest possible interface to Specter's privacy system: a number you can hold, share, and redeem. No blockchain knowledge required.