Skip to content

Instantly share code, notes, and snippets.

@eordano

eordano/poh.with.privacy.md

Last active January 14, 2022 20:27
Show Gist options
  • Save eordano/0c9be5a81c9ec644553eca5b1f5db948 to your computer and use it in GitHub Desktop.
Save eordano/0c9be5a81c9ec644553eca5b1f5db948 to your computer and use it in GitHub Desktop.
Download ZIP
Tell me you're a human without telling me which one
Raw
poh.with.privacy.md

"Tell me you're a human without telling me which one"

Synopsis: if it scales, Proof of Humanity (PoH) can produce a list of unique humans paired with an ethereum address. The uses of PoH are limited because of the inherent lack of privacy in the system. There is a need for a mechanism that allows any actor to prevent Sybil attacks on their system without compromising the identity of the user accessing the system.

Introduction

Proof of Humanity is an Ethereum-based system that relies on social validation of an attestment by a human person that a certain address belongs to them. This validation requires individuals to publicly release a video binding their identity to such address. This video-based contract must be verified by other already existing members of the community. This video is made public over the internet, and could be replicated in multiple machines over the world, so it is reasonable to assume that the link between the person and the address can't be forgotten/contested.

PoH requires and is built upon such public process, and no privacy is offered to the users by design. The ramifications of the link could be potentially harmful or even dangerous for the users, since address reuse is a general practice in the Ethereum community, and a useful resource when interacting with the Ethereum network. For example, token airdrops sometimes rely on users having used the same address to interact with multiple contracts.

The utility of PoH to our internet-connected society could be much greater if PoH can be used in a private way, allowing the holder of a PoH address to identify itself to a third-party system without the operator of such third-party system knowing the users' Ethereum address, public key, or real life identity.

For example, a website operator could avoid using CAPTCHAs or IP address identification to prevent denial-of-service attacks, and instead require the user agent to provide a proof crafted for the purpose of accessing the website. Since that proof is derived uniquely from their PoH identity, the website operator could effectively rate-limit the access to their website to each human person, without obtaining knowledge of the person's identity or financial history on Ethereum, thus respecting their privacy.

Discussion

  • Use zokrates?
    • Use of snapshot of PoH with merkle trees
      • NEED TO KNOW: are proofs unique for the same input? or does the prover use some external entropy?
      • step1 would be: operator creates verifier and prover
      • step2: both verifier and prover are made public
      • step3: user tries to HTTP GET
      • step4: website replies 403 asking for authentication
      • step5: user agent creates proof using their private key
      • step6: user retries HTTP GET but attaching proof
      • step7: website uses the proof as unique identifier of user to provide access or rate-limit if necessary
  • Both on-chain and off-chain?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment