Architecture & Technical Reference

Zero-persistence. Hardware-bound. Cryptographically verified. How Phantom Secrets™ removes the target rather than defending it.

Technical Resources

Evaluating Phantom Secrets™ on the merits? Jump straight to the materials your security and engineering teams need.

Zero Standing Secrets

Lokblok's Phantom Secrets platform is built on a zero-persistence, non-custodial architecture. As defined in the technical white paper, this introduces a third model beyond storage and encryption: secrets reconstructed on demand, executed inside hardware, and destroyed the moment the operation completes.

What is eliminated

No secrets stored
No keys at rest
No recoverable material between operations

What replaces it

On-demand secret reconstruction
Hardware-bound execution
Cryptographically verified workflows

Zero-Persistence Architecture

Traditional systems store secrets, protect them, rotate them, and eventually lose them. Lokblok never stores secrets at all. Secrets exist only during a verified operation window, are reconstructed inside secure hardware, and are destroyed immediately after use. Attack surface at rest = zero.

Lokblok® Trust Fabric

An Integrated Sovereign Security Architecture

Business Applications (third-party and custom build), which build upon the layers below:

  • Sovereign Banking App
  • Defense Field Tablet
  • Healthcare Patient Portal
  • Digital Inheritance Vault

Services & Orchestration Layer

Phantom Gate™, Lokblok® zero-trust authentication gateway (API & SDK Gateway):

  • Access control orchestration
  • API endpoint management
  • Identity federation

In the diagram, the links between the gateway and the hardware layer are labelled "Auth Requests" and "Sharded Secret Delivery".

Secure Terminal™, Lokblok® hardware execution layer (Hardware Root of Trust; managed HSM / edge gateway):

  • Tamper-evident hardware
  • Edge computing node
  • Secure enclave

Phantom Secrets™, Lokblok® zero-persistence key reconstruction module (Decentralized MPC Root of Trust; US Patent):

  • Sharded secret parties (MPC handshakes between the parties labelled A to D in the diagram)

Toughkey™, Lokblok® cryptographic hardware key (FIDO2 hardware token):

  • NFC / Bluetooth LE
  • Cryptographic coprocessor

ToughID™, Lokblok® hardware-bound identity attestation device (rugged biometric key):

  • Biometric sensor
  • FIDO2 certified

[Figure: Lokblok® Zero Trust Ecosystem architecture overview]

Six layers. One unified protocol.

01 HARDWARE ROOT OF TRUST

Toughkey™

FIPS 140-3 certified secure element
Common Criteria EAL6+ assurance
Performs all cryptographic operations internally
Phantom Secrets are always regenerated and burned in the hardware
Hardware attestation on every operation
Tamper-resistant execution

02 ORCHESTRATION

Phantom Secrets API Service

Policy enforcement
Delegation logic
Workflow validation
MPC coordination
Does not store secrets
Does not reconstruct secrets centrally

03 IDENTITY & WORKFLOW

ToughID™

Biometric identity verification
Liveness detection
Business process validation
Hardware attestation
Each step produces a signed, linked record
No chain = no operation. Broken chain = rejected.

04 DISTRIBUTED RECONSTRUCTION

Recovery Agents

Distributed independent participants
Each contributes to the generation of public Regen Tokens that have no value and can be stored anywhere
No single agent holds meaningful data
Quorum required for any operation
k-of-n threshold model
No stored shares. No unilateral action possible.

05 GOVERNANCE

Policy & Delegation Engine

Defines who can act
Under what conditions
For how long
On which device
Enforces permanent delegation (ownership transfer)
Enforces temporary delegation (use without possession)

06 API & SDK GATEWAY

Phantom Gate™

Unified API and SDK gateway for all Lokblok services
Access control orchestration
API endpoint management
Identity federation
Routes requests without ever holding secrets
Stateless. No session data retained between calls

Built on Proven Cryptography

Lokblok is not built on experimental cryptography. It is a novel composition of well-established technologies, including threshold cryptography, secure hardware, and hardware attestation, combined in a way that removes the need for stored secrets.

Academically validated
Widely deployed
Industry-proven

The innovation is in how they are combined. Much like Bitcoin, Lokblok does not rely on a single breakthrough. It connects existing technologies to create a new security model.

From Components to Architecture

Individually, these technologies

  • Secure keys
  • Distribute trust
  • Verify identity

Combined, they enable

  • Zero-persistence cryptography
  • No stored secrets
  • No custodial risk
  • No static attack surface

Why This Matters

Because the system is built on proven components:

  • It is auditable and understandable
  • It avoids reliance on untested assumptions
  • It can be deployed in regulated and high-assurance environments

Threshold reconstruction. No stored shares.

Phantom Secrets is built on a threshold model derived from Shamir's Secret Sharing. A polynomial of degree k-1 is defined over a finite field; its value at any k distinct points suffices to reconstruct the secret S. What Lokblok changes is where those points come from.

RECONSTRUCTION MODEL

$f(x) = S + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$

where S is the secret, k is the threshold (minimum number of participants), and f(x) is the polynomial used for reconstruction.

CONVENTIONAL SYSTEMS

Store shares (y-values). Those shares become persistent attack targets. Compromise any storage location and the reconstruction is within reach.

LOKBLOK

Stores nothing. Inputs are recomputed dynamically from verified identities, public datasets, hardware attestations, and session entropy. Shares exist only during reconstruction and are destroyed immediately afterwards.

ABSCISSAE ARE DERIVED FROM

Verified identities
Public datasets
Hardware attestations
Session entropy

After reconstruction: shares are destroyed, wiped, and gone. No backups. No logs. No "just in case."
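As an added illustration of the threshold model above (not Lokblok's code, and not its actual procedure for deriving points), the following Python evaluates a random degree k-1 polynomial over a prime field at abscissae hashed from labelled identity, attestation, dataset and session-entropy inputs, recovers S by Lagrange interpolation from any k of the points, and shows that k-1 points do not recover it. The field modulus, the labels and the demo secret are constructed for this example.

```python
import hashlib
import secrets

P = 2**127 - 1   # field modulus: a Mersenne prime (constructed choice)

def derive_x(label, session_entropy):
    """Non-zero abscissa hashed from a verified input plus session entropy.

    Stand-in for the page's identities / public datasets / attestations /
    session entropy: the x-values are recomputed, never stored (assumption)."""
    h = hashlib.sha256(label.encode() + session_entropy).digest()
    return int.from_bytes(h, "big") % (P - 1) + 1   # in [1, P-1]; f(0) is S

def split(secret, k, xs):
    """Evaluate a random polynomial f of degree k-1 with f(0) = secret at each x."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    points = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):          # Horner's rule, all arithmetic mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points

def reconstruct(points):
    """Lagrange interpolation at x = 0 over GF(P): recovers f(0) from any k points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo(k=3):
    """k-of-4 round trip: any k points recover S; k-1 points do not."""
    secret = int.from_bytes(b"constructed-S", "big")   # < P, constructed value
    entropy = secrets.token_bytes(16)                  # per session, never persisted
    labels = ["identity:alice", "attestation:toughkey-demo",
              "dataset:public-registry", "agent:recovery-b"]
    points = split(secret, k, [derive_x(lab, entropy) for lab in labels])
    full = reconstruct(points[1:1 + k]) == secret      # any k of the four points
    short = reconstruct(points[:k - 1]) == secret      # below threshold: no recovery
    del points, entropy                                # destruction step, best effort
    return full, short
```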

Eight steps from zero to zero.

Every operation begins and ends with no attack surface. The steps in between are cryptographically verified at every transition.

01

Session Initiation

User authenticates via Toughkey™. Hardware attestation generated.

02

Identity Verification

Biometric and liveness check. Cryptographic identity binding.

03

Administrative Approval

Optional secondary verification for high-risk actions.

04

Data / Event Validation

External condition verified (e.g. sale confirmed, death attested, approval received).

05

Workflow Validation

Full chain verified by API service. Policy and quorum checked.

06

Secret Reconstruction

Occurs inside secure hardware. Never exposed externally.

07

Execution

Signing, access, or transfer occurs.

08

Destruction

All intermediate values destroyed. Attack surface returns to zero.
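As an added example of the linked-record rule behind these eight steps (each step produces a signed record chained to the previous one; no chain = no operation, broken chain = rejected), the following Python builds an eight-record chain for the steps above and verifies it before an operation would be allowed. It is not Lokblok's or ToughID's code; an HMAC key stands in for the hardware-held signing key, and the step payloads are constructed.

```python
import hashlib, hmac, json

STEPS = ["session_initiation", "identity_verification", "administrative_approval",
         "data_event_validation", "workflow_validation", "secret_reconstruction",
         "execution", "destruction"]
GENESIS = "0" * 64                      # prev-hash of the first record
SIGNING_KEY = b"constructed-demo-key"   # stands in for a key held inside hardware

def _canon(record, exclude=()):        # canonical JSON bytes, optionally minus fields
    return json.dumps({k: v for k, v in record.items() if k not in exclude},
                      sort_keys=True).encode()

def _sign(record):                     # signature over everything except "sig"
    return hmac.new(SIGNING_KEY, _canon(record, ("sig",)), hashlib.sha256).hexdigest()

def record_hash(record):               # link value carried by the next record
    return hashlib.sha256(_canon(record)).hexdigest()

def append_step(chain, payload):       # next step, linked to the previous record
    seq = len(chain)
    rec = {"seq": seq, "step": STEPS[seq], "payload": payload,
           "prev": record_hash(chain[-1]) if chain else GENESIS}
    rec["sig"] = _sign(rec)
    chain.append(rec)
    return rec

def verify_chain(chain):
    """Accept only a complete, ordered, unbroken chain of all eight steps."""
    if len(chain) != len(STEPS):        # no chain or partial chain = no operation
        return False
    prev = GENESIS
    for seq, rec in enumerate(chain):
        if (rec.get("seq"), rec.get("step"), rec.get("prev")) != (seq, STEPS[seq], prev):
            return False                # gap, reorder or relink = rejected
        if not hmac.compare_digest(rec.get("sig", ""), _sign(rec)):
            return False                # edited or unsigned record = rejected
        prev = record_hash(rec)
    return True

def build_demo_chain():                # constructed records, one per step
    chain = []
    for step in STEPS:
        append_step(chain, {"note": f"constructed {step} record"})
    return chain

def tampered_copy(chain, seq):         # deep copy with one payload edited after signing
    copy = json.loads(json.dumps(chain))
    copy[seq]["payload"]["note"] = "edited after the fact"
    return copy
```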

Use without possession.

PERMANENT DELEGATION

Ownership Transfer

Ownership transfer
Irreversible
Used for estate transfer, asset sale, succession

TEMPORARY DELEGATION

Controlled Usage

No possession transferred
Fully revocable at any time
One-time dynamic tokens
Hardware execution only
Full audit trail maintained

Designed against specific adversaries.

Attack type            Lokblok defence
Storage attacks        No stored secrets. Nothing to steal.
Insider threats        No single party holds full control. Delegates never hold secrets.
Replay attacks         One-time tokens. Session-bound workflows.
Identity spoofing      Biometric + liveness + hardware binding.
Regulatory seizure     No material exists to seize.
Intermediate leakage   All values destroyed immediately post-operation.

Trust Assumptions

The system's security guarantees hold under four explicit trust assumptions:

Hardware integrity (Toughkey™)
Independent Recovery Agents
Secure communication channels
Valid identity providers

Lokblok as the foundational layer.

With IAM / Zero Trust

Replaces credentials with ephemeral identity. No standing access tokens.

With PAM

Removes privileged credential storage. Privileged access with no privilege at rest.

With KMS / Vaults

Eliminates stored key material. Retains policy and orchestration layer.

With Cloud Platforms

Enables sovereign cryptographic control independent of cloud provider access.

Non-repudiable by design.

Every action produces a cryptographically signed record, hardware attestation, and identity verification. The ToughID™ Workflow Chain provides a complete, tamper-evident audit trail. No action is possible without leaving a verifiable, non-repudiable record.

Standards and frameworks referenced: NIST SP 800-57, NIST SP 800-53, FIPS 140-3, SOC 2, GDPR, MiCA.
Non-repudiation
Full audit trail
Regulatory alignment

From the cryptographic core to the products and industries that use it.

The threshold-reconstruction architecture above is realised as a small set of products, exposed through a handful of cryptographic features, and deployed across the regulated industries that cannot tolerate stored keys.

The architecture at a glance.

Dimension                     Lokblok architecture
Secret storage                None
Attack surface at rest        Zero
Execution                     Hardware-bound
Verification                  Multi-step cryptographic workflow
Custody and / or delegation   Without custody
Recovery                      Threshold-based, on-demand
Audit                         Non-repudiable chain
Integration                   Underlying security layer

Further reading: HSM vs MPC vs zero-persistence, zero-trust key management, and post-quantum key management. Browse all practitioner insights or the terminology glossary.

Why do secrets exist at all?

Most systems ask how to secure secrets. Lokblok asks why they need to exist. Then removes them from the architecture. Which, inconveniently for attackers, leaves them with nothing to steal.
