That one scene from Eyes Wide Shut

HelixDAO
Mar 1, 2022

In the 1999 film Eyes Wide Shut, Kubrick has an iconic scene of a bunch of people standing around naked with rabbit masks over their faces: a swinger orgy where all participants are masked but partake in the visceral act.

This is the scene but with clothes because this is medium we’re talking about

I think this is a somewhat accurate portrayal of how we envision the digital marketplace. With end-to-end encryption, and a bunch of tooling to protect identities, users can join the cesspool of exchange with the products clearly displayed but identities anonymous.

Direct Anonymous Attestation Signature Schemes

Anonymous attestation is an interesting topic that appears frequently in distributed systems. In a cloud environment, permissions and authorities for both internal parties and external clients must be managed. Whether the goal is to protect the intellectual property of the service or the integrity of the data, you must know who you are talking to, and a party simply asserting its own identity is no longer enough.

Right now you might be thinking JWTs or some UUID scheme. That's good, but we can do better. Cryptographically, we have signature schemes. Traditionally, and still today, the Schnorr signature is used because of the efficiency of its private/public key pair. This scheme falls under the general Direct Anonymous Attestation (DAA) family, where the user's privacy is protected while whatever they want to prove (usually just that they hold some authority) can still be proven.

For example, you want to file a police report but you don’t want to give your name. That is fine. They don’t ask for it anyway. You have the authority to make a claim, without revealing who you are.

We go one step further and deviate from the Schnorr scheme by adopting the BBS+ signature scheme. What this scheme adds is the ability to prove data ownership. Where previously we could prove identity and authority without revealing identity, we can now prove:
1. Identity
2. Authority
3. Ownership of data by said identity
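As an added illustration of the Schnorr signature named above (constructed example code, not HelixDAO's implementation, and not the BBS+ scheme the post adopts), the block below builds a toy Schnorr signature over a prime-order subgroup of Z_p^* using a 128-bit safe prime generated at runtime. It shows the verifier confirming that a signer holds the private key behind a public key, the "prove you have the authority without handing over the secret" step, and that a tampered message, a different key, or an out-of-range scalar is rejected. The group size, the hashing convention and every function name are assumptions made for this example. A plain Schnorr signature still identifies the signer's public key, so the anonymity of full DAA and the selective disclosure of BBS+ are not provided here.

```python
"""Toy Schnorr signature over a prime-order subgroup of Z_p^* (stdlib only).

Constructed example: the parameters are a 128-bit safe prime found at runtime,
far too small for real use. A deployment would use a reviewed library with a
standard group or curve.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits=128):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, bits-1 wide
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        h = secrets.randbelow(p - 2) + 2
        g = pow(h, 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def hash_to_scalar(q, *parts):
    """Fiat-Shamir challenge: SHA-256 over length-prefixed parts, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % q


def keygen(p, q, g):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(p, q, g, x, message):
    """Schnorr signature (R, s): R = g^k, e = H(R, y, m), s = k + e*x mod q."""
    y = pow(g, x, p)
    k = secrets.randbelow(q - 1) + 1  # fresh nonce per signature; reuse leaks x
    R = pow(g, k, p)
    e = hash_to_scalar(q, R, y, message)
    s = (k + e * x) % q
    return R, s


def verify(p, q, g, y, message, signature):
    """Accept iff g^s == R * y^e (mod p), which holds only if s used the x behind y."""
    R, s = signature
    if not (1 < R < p and pow(R, q, p) == 1 and 0 <= s < q):
        return False  # reject values outside the subgroup or the scalar range
    e = hash_to_scalar(q, R, y, message)
    return pow(g, s, p) == (R * pow(y, e, p)) % p


def demo(bits=128):
    """Sign one constructed message and show what the verifier accepts and rejects."""
    p, q, g = generate_group(bits)
    x, y = keygen(p, q, g)
    _, other_y = keygen(p, q, g)
    message = b"claim: holder is authorised to list item 42"  # constructed message
    sig = sign(p, q, g, x, message)
    return {
        "valid": verify(p, q, g, y, message, sig),
        "tampered_message": verify(p, q, g, y, message + b"!", sig),
        "wrong_key": verify(p, q, g, other_y, message, sig),
        "bad_scalar": verify(p, q, g, y, message, (sig[0], sig[1] + q)),
    }


if __name__ == "__main__":
    print(demo())
```

The thing to take away is the verification equation g^s = R * y^e: the verifier learns that whoever produced s knew the x behind y, yet never sees x itself, which is the "authority without the secret" property the attestation schemes above build on.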

You might think this is a very nuanced case. You are not wrong. Thankfully, this is a case that we happen to take on.

How Socrates would describe zk-proofs

Before half of crypto Twitter comes and slams me for not delving into the elliptic curves and pairing functions, let's refresh ourselves on what a zk-proof really encapsulates. It seeks to "prove" a statement about underlying data without revealing that data. Mathematically, this is easily done: when you have a polynomial with millions of coefficients and a high enough degree, guessing a correct answer on your first try is near impossible. Did you catch that?

near

This word is extremely important. Although the chance of brute-forcing a zk-proof in one go is extremely small, it is not zero. Technically, as per quantum mechanics, there is a chance that all your atoms disperse and your body is scattered across a sphere with radius 3 x 10⁸ m in the next second. There's also a chance that a private key can be regenerated; keys aren't collision-proof. It's just that the odds against either happening are many times the number of grains of sand in the world.

So what does this tell us? We don't need a 100% foolproof method to prove the underlying data without revealing it. In the case of our marketplace, if the buyer is 99.99% sure that a product is the product, that's good enough. If the product turns out to be fake, at that point it isn't an algorithm or marketplace-setup problem. Remember, there's a Van Gogh out there that Interpol still hasn't found. If there are con artists eluding the world's governments for decades, they can probably elude an online marketplace.
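To put a number on "near", here is an added example (constructed for this edit; not HelixDAO's code and not the polynomial commitment of any particular SNARK) of the random-evaluation check that such proofs rest on. A prover claims two polynomials P and Q over a field F_p are the same; the verifier samples a random point r and checks P(r) == Q(r). If the claim is false, only the roots of P - Q can fool the check, and a non-zero degree-d polynomial has at most d of them, so a cheater passes with probability at most d/p per round. The block shows why a single check over a large field is almost never fooled, bounds the cheating probability, and counts how many repetitions a verifier over a tiny toy field would need to reach the 99.99% confidence mentioned above. The field sizes, the toy polynomials and the function names are assumptions for illustration.

```python
"""Soundness error of a random-evaluation check (the 'near impossible' above).

Constructed example, not HelixDAO's code. The bound used is the
Schwartz-Zippel bound: a non-zero polynomial of degree d over F_p has at
most d roots, so a random point hits one with probability at most d / p.
"""
import secrets


def poly_eval(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[d]*x^d mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def random_point_check(P, Q, p, rounds=1):
    """Verifier side: accept only if P and Q agree at every sampled random point."""
    for _ in range(rounds):
        r = secrets.randbelow(p)
        if poly_eval(P, r, p) != poly_eval(Q, r, p):
            return False
    return True


def soundness_error(degree, p, rounds=1):
    """Upper bound on the chance a cheating prover passes all rounds."""
    return (degree / p) ** rounds


def rounds_for_confidence(degree, p, confidence):
    """Fewest rounds so that the verifier's confidence 1 - error reaches the target."""
    target = 1.0 - confidence
    k = 1
    while soundness_error(degree, p, k) > target:
        k += 1
    return k


def cheating_points(P, Q, p):
    """Exhaustively list the r in F_p where a false claim P == Q still passes (toy fields only)."""
    return [r for r in range(p) if poly_eval(P, r, p) == poly_eval(Q, r, p)]


# Constructed toy instance over F_101: HONEST - FORGED = (x - 1)(x - 2), so
# exactly two field points fool a single-round check.
TOY_P = 101
HONEST = [1, 2, 3, 4]       # 1 + 2x + 3x^2 + 4x^3
FORGED = [100, 5, 2, 4]     # HONEST minus (2 - 3x + x^2), coefficients reduced mod 101

# A field the size of a real proof system's scalar field (2^127 - 1 is prime).
BIG_P = 2 ** 127 - 1


def demo():
    """The numbers behind 'near impossible' and the 99.99% threshold."""
    return {
        "honest_passes": random_point_check(HONEST, HONEST, TOY_P, rounds=20),
        "toy_cheating_points": cheating_points(HONEST, FORGED, TOY_P),
        "toy_error_one_round": soundness_error(2, TOY_P),
        # the verifier only knows the degree bound 3 of P and Q, not deg(P - Q)
        "toy_rounds_for_99.99%": rounds_for_confidence(3, TOY_P, 0.9999),
        "big_error_one_round": soundness_error(10 ** 6, BIG_P),
        "big_rounds_for_99.99%": rounds_for_confidence(10 ** 6, BIG_P, 0.9999),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Over F_101 a cheater passes one round about 2% of the time and the verifier needs three independent rounds to reach 99.99%; over a 127-bit field a polynomial with a million coefficients is caught by one round with error around 10^-33, which is the sense in which a first-try guess is "near" rather than strictly impossible.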

Some Technicals

We will likely end up using Arweave for on-chain data storage. We could use some centralized database, but once the database is centralized, maybe the chat servers will be centralized too. And what's next? The entire marketplace is centralized. It is important to set standards for yourself that you must uphold, and in our case, that standard is decentralization.

On weighing different zk-proof options, zk-SNARKs are likely what we'll run with. The information will be stored encrypted, and selectively decrypted and shown to users to boost their confidence to that 99.99% threshold. SNARKs have a pretty good proof size, proof generation speed, and proof verification speed. There are also a bunch of libraries already ported to WASM. Though STARKs offer many benefits (such as being quantum secure :0), their proof generation time and proof size are something that browsers, and most devices, can't support.

The chat function was originally going to be only end-to-end encrypted (E2EE), since peer-to-peer (P2P) connections are not possible from the browser. With the new HTTP/3/QUIC protocol on UDP, however, UDP hole punching via QUIC is technically possible. Mozilla has already provided documentation, but it is very experimental. Then again, isn't all of blockchain? :)
