Semaphore Authentication Spec(Korean) - HeesungB/semaphore_auth Wiki

Semaphore Authentication V1

세마포어 인증 버전1

TODO: Come up with a better name 할 일: 더 좋은 이름 정하기

Intro

소개

Private anti-sybil is a big problem in the internet world. A bunch of services want to be sure a user logged in is a unique person. So far people have used mobile phone numbers as a proof of individuality. This is centralized, allowing mobile phone providers or the governments that control them to generate infinite new addresses at little cost. 개인의 anti-sybil은 인터넷 세계에서 큰 문제입니다. 여러 서비스는 로그인한 사용자가 특정한 사용자인지 확인하고 싶어 합니다. 지금까지 사용자들은 개인을 증명하기 위해 핸드폰을 사용해왔습니다. 이것은 중앙화되어 핸드폰 제공자 또는 정부가 무한한 번호를 적은 비용으로 생성할 수 있었습니다.

A second problem is that when users login they link all their actions to their phone numbers. 두번째 문제는 사용자가 로그인할 때 모든 작업을 전화번호와 연결한다는 것입니다.

Here we impose a fixed economic cost on account creation via burning crypto-currency AND provide anonymous login using Zero knowledge proofs. 우리는 암호화폐를 소각해 고정적인 비용으로 계정을 생성하고 영지식 증명을 통해 익명으로 로그인을 제공합니다

Definitions

We have a group $G$ of users $$p_1, $$\dots$$ ,p_n$, each using their device, called client, to interact with a server $S$.

$$ G = {p_1, \dots, p_n} $$

The requirements:

  • A user $p_i$ sends messages $m_{it}$ at time $t$ to interact with server $S$
  • $S$ learns $m_{it}$ is sent by someone from $G$, but unable to infer $p_i$.
  • Note: $S$ still knows the time $t$ that $m_{it}$ is sent.

Features

Signup

There are some options to signup here. But they all need a contract that manages a merkle tree.

We can combine multiple approaches and use multiple proofs of membership so we can become more confident about a users individuality.

Signup via Proof of Burn

Users sign up to a smart contract by sending $X$ ETH to the address which is burned. Then their public key is inserted into a semaphore group.

$X$ can be parameterized such that we can have stronger guarantees of individuality.

Signup via mobile phone number confirmations

A service provider who runs a service that users can register their account by verifying their phone number.

The provider then adds those user to a contract.

The provider knows who signed up but doesn't know where / when the person who signed up logged in.

Login

Users can then login to any service using this as proof of individuality by providing a snark proof of membership to that server.

The server saves the nullifiers and only allows one login per nullifier. We can have a persistent cookie that times out after a given time.

external_nullifier=hash("ANONLOGIN" + URL)

The server should also attach the login proof to posts, so that readers can also verify the poster had economic cost.

Batch signup

It is also possible to allow batch singup / account creations where we create an intermediate root and insert it into the tree at a depth $x$.

to do this they must burn $2^x \cdot \mathit{fee}$ ETH so that they burn one ETH for every leaf they insert.

We must only allow powers of 2 leaves to be added.

User story: We might have a user called mass account manager. The manager wants to add a million of users. Adding a million of users is too gas costly to add them one by one, so we allow the manager to just insert an intermediate root to the tree.

TODO: Think about data availability attack here.

An user that is managed by the mass account manager needs to prove their membership via the merkle branches, which are in risk of having some paths withheld by the manager.

Semaphore Authentication V2

We want to allow users to receive an ERC20 or ERC721 in response to their login. This will allow users to invite others to join other semaphore groups based upon their posts OR pay them a reward for posting interesting things.

Each login results in a nullifier being produced. This is constructed by hashing the private_key with the external_nullifier.

We can create another snark that produces the same nullifier but has an address as a public input.

We then create a smart contract that will send the erc20 token or erc721 token to that address provided

  1. proof is valid.
  2. The nullfier is the same
  3. the merkle root is the same

There is no way for anyone but the original proof creator to create such a proof. Unless they know that user's private key.

Milestones

Semaphore Authentication V1

  • Single signup

    1. [2w] Create smart contract for burning and group joining.
    2. [1w] Create server infra to allow users to login.
    3. [1w] Create UI for login and account creation
    4. [2w] Make example site like 4chan that uses this method of login.
  • Batch signup

    • [2w] Create smart contract
    • [2w] UI and server for mass account creation
  • (Concurrent) Help / support people to use semaphore login.

  • (Concurrent) Help / support people to make other semaphore groups.

Semaphore Authentication V2

  1. [2w] Make the smart contract
  2. [1w] Do CLI stuff so that such a proofs can be created easily.
  3. [1w] Make UI for this.
  4. [2w] Do some experimentation with top posts on some anon login app.

Appendix

Future plans

in no particular order

  1. Reputation system: Proving you belonging to multiple groups as a measure of reputation.
  2. Private Social media
  3. TBD

Use cases

  • host sites: Someone wants to host site. But dont want to have the site they host associated with their payment method / all the other sites they host. So they sign up and pay to join a semaphore group.

Implementation

https://github.com/ChihChengLiang/semaphore_auth