Apologies for the very delayed response…
Is GitHub - near/pagoda-relayer-rs: Rust Reference Implementation of Relayer for NEP-366 Meta Transactions 2 based upon your code too?
Hm, that seems unrelated to me: it seems like a repo for generating TXNs whose fees are paid by others.
then I suppose the your pepper service would not require a login per application, but simply one login when instantiating some new frontend, right?
So, the way we derive account addresses is application-specific (see here. At a high-level:
addr = H(
"https://accounts.google.com",
"sub", "google-user-id-123456",
"application-id.xyz";
r)
We let the pepper r
be:
r = VRF_sk(
"https://accounts.google.com",
"sub", "google-user-id-123456",
"application-id.xyz")
To make sure that only that user for that application is able to obtain that pepper, the pepper service asks for a JWT over the right sub
and aud
(i.e., over "google-user-id-123456"
, "application-id.xyz"
).
So, an application that the user signs in with Google will use (say) our SDK contact the pepper service in the background, authenticate itself using the JWT and obtain the pepper for that user’s application-specific address.
Another application will do the same.
Other schemes may be possible; e.g., maybe you could say “I’ll use the same pepper for all that user’s addresses, and ignore the application”.
i.e., no more app ID in the VRF evaluation
r = VRF_\mathsf{sk}(
"https://accounts.google.com",
"sub", "google-user-id-123456")
But then any malicious application the user signs into now can fetch the user’s pepper and track her activity on-chain.
Actually users know their OIDC provider, so no reason this appears on-chain, right?
Yes, they know it. The only reason to leave it public is because it makes the OIDC signature validation logic in the zkSNARK circuit easier:
- The validators see what OIDC provider this address has
- They previously fetched the JWK (PK) for it in the background via a special-purpose consensus algorithm (see here)
- They can now input this JWK (PK) as one of the zkSNARK’s public inputs for the signature verification.
It is possible to hide the OIDC provider: the zkSNARK would take (1) a digest of an authenticated dictionary mapping each provider’s iss
to their current JWK (PK), maintained by the validators and (2) a look up proof w.r.t. this digest that reveals the PK corresponding to the iss
in the JWT. It gets hairy though.
Also, the chain & pepper server care little who provides the OIDC, so the only plaintext on-chain should be the pepper server, no? Along with balances or whatever.
Not sure I follow: How can a “pepper server” be a “plaintext”?
Will be very neat to have a way to avoid relying on public keys on chain
I don’t think this can work without mapping each OIDC provider (i.e., the iss
) to its current JWKs (PKs): the chain needs ground truth to verify the OIDC signatures against.
As mentioned above, our approach is to implement a special JWK consensus primitive on top of our validators. An oracle approach may work for others, but not for us.
So, if the complexity of the circuit makes it unfeasible to run your own prover it hinders even more the privacy of the solution.
You can do client side-proving in Rust in around 20-30 seconds probably. Depending on the application, this may or may not be okay.
It’s true however the (a) pepper server should not necessarily be trusted for account survival
That would be nice. Possible approaches:
- use pepper = 0 (no privacy)
- ask users to remember their pepper (bad UX)
- decentralize the pepper service on the validators
- decentralize the pepper service on some other infra (e.g., League of Entropy-like consortium?)
If you decentralize the provers, colluding on that matter will be very unlikely.
Yes, MPC proving for Groth16 is actually possible rather efficiently. See these works:
- OB21e, Experimenting with Collaborative zk-SNARKs: Zero-Knowledge Proofs for Distributed Secrets, 2021, Alex Ozdemir and Dan Boneh
- SVV15e, Trinocchio: Privacy-Friendly Outsourcing by Distributed Verifiable Computation, 2015, Berry Schoenmakers and Meilof Veeningen and Niels de Vreede
- CLMZ23, EOS: Efficient Private Delegation of zkSNARK Provers, 2023, Chiesa, Alessandro and Lehmkuhl, Ryan and Mishra, Pratyush and Zhang, Yinuo
- GGJ+23e, $\mathsf{zkSaaS}$: Zero-Knowledge SNARKs as a Service, 2023, Sanjam Garg and Aarushi Goel and Abhishek Jain and Guru-Vamsi Policharla and Sruthi Sekar
@burdges and @alinush can you confirm the context and scope of what you have in mind here? Specifically, my suggestion was in the context of creating keyless accounts between Relay Chains (L1’s outside of Substrate).
I am not sure I understand enough about Polkadot’s relay chains / Substrate to opine. But if you give me a short primer, I can try…
I did not suggest, and do not support, using this to onboard new users from outside the current ecosystems. @alinush I’ll DM you for the reasons for this. But you can see a use case outlined here:
Sure, please do. Or even post here? But what do you mean by “current ecosystems”? I am currently parsing this as “It is risky to set up OIDC-based (keyless) Polkadot blockchain accounts for our users.”
I’ve not reviewed all the differences, but among the three the Aptos one looks superficially strongest, mostly thanks to the pepper OPRF. I’ll have another researcher look over them too.
I think our work is the only one that is (1) privacy-preserving and (2) fully-open source (soon; prover service incoming).