from the people behind OpenHaystack there is this paper. in section 6.1 they explain:
Equation (1) derives a new symmetric key from the last used symmetric key with 32 bytes length. Equation (2) derives the so-called “anti-tracking” keys ui and vi from the new symmetric key with a length of 36 bytes each. Finally, Eqs. (3) and (4) create the advertisement key pair via EC point multiplication using the anti-tracking keys and the master beacon key d0now, what confuses me is, looking at OpenHaystack's code, we can see that what they transfer to the device on flashing is a symmetric key (SK0 in the equations) and what they call a "public key"
but I'm under the impression that it's actually the private key, and thus the device needs to hold both the symmetric key and the private key (d0)