# Semaphore Authentication Spec [TOC] ## Semaphore Authentication V1 TODO: Come up with a better name ### Intro Private anti-sybil is a big problem in the internet world. A bunch of services want to be sure a user logged in is a unique person. So far people have used mobile phone numbers as a proof of individuality. This is centralized, allowing mobile phone providers or the governments that control them to generate infinite new addresses at little cost. A second problem is that when users login they link all their actions to their phone numbers. Here we impose a fixed economic cost on account creation via burning crypto-currency AND provide anonymous login using Zero knowledge proofs. ### Definitions We have a group $G$ of users $p_1,\dots,p_n$, each using their device, called client, to interact with a server $S$. $$ G = \{p_1, \dots, p_n\} $$ The requirements: - A user $p_i$ sends messages $m_{it}$ at time $t$ to interact with server $S$ - $S$ learns $m_{it}$ is sent by someone from $G$, but unable to infer $p_i$. - Note: $S$ still knows the time $t$ that $m_{it}$ is sent. ### Features #### Signup There are some options to signup here. But they all need a contract that manages a merkle tree. We can combine multiple approaches and use multiple proofs of membership so we can become more confident about a users individuality. ##### Signup via Proof of Burn Users sign up to a smart contract by sending $X$ ETH to the address which is burned. Then their public key is inserted into a semaphore group. $X$ can be parameterized such that we can have stronger guarantees of individuality. ##### Signup via mobile phone number confirmations A service provider who runs a service that users can register their account by verifying their phone number. The provider then adds those user to a contract. The provider knows who signed up but doesn't know where / when the person who signed up logged in. #### Login Users can then login to any service using this as proof of individuality by providing a snark proof of membership to that server. The server saves the nullifiers and only allows one login per nullifier. We can have a persistent cookie that times out after a given time. ``` external_nullifier=hash("ANONLOGIN" + URL) ``` The server should also attach the login proof to posts, so that readers can also verify the poster had economic cost. #### Batch signup It is also possible to allow batch singup / account creations where we create an intermediate root and insert it into the tree at a depth $x$. to do this they must burn $2^x \cdot \mathit{fee}$ ETH so that they burn one ETH for every leaf they insert. We must only allow powers of 2 leaves to be added. User story: We might have a user called mass account manager. The manager wants to add a million of users. Adding a million of users is too gas costly to add them one by one, so we allow the manager to just insert an intermediate root to the tree. #### TODO: Think about data availability attack here. An user that is managed by the mass account manager needs to prove their membership via the merkle branches, which are in risk of having some paths withheld by the manager. ## Semaphore Authentication V2 We want to allow users to receive an ERC20 or ERC721 in response to their login. This will allow users to invite others to join other semaphore groups based upon their posts OR pay them a reward for posting interesting things. Each login results in a `nullifier` being produced. This is constructed by hashing the `private_key` with the `external_nullifier`. We can create another snark that produces the same nullifier but has an address as a public input. We then create a smart contract that will send the erc20 token or erc721 token to that address provided 1. proof is valid. 2. The nullfier is the same 3. the merkle root is the same There is no way for anyone but the original proof creator to create such a proof. Unless they know that user's private key. ## Milestones ### Semaphore Authentication V1 - Single signup 1. [2w] Create smart contract for burning and group joining. 2. [1w] Create server infra to allow users to login. 3. [1w] Create UI for login and account creation 4. [2w] Make example site like 4chan that uses this method of login. - Batch signup - [2w] Create smart contract - [2w] UI and server for mass account creation - (Concurrent) Help / support people to use semaphore login. - (Concurrent) Help / support people to make other semaphore groups. ### Semaphore Authentication V2 1. [2w] Make the smart contract 2. [1w] Do CLI stuff so that such a proofs can be created easily. 3. [1w] Make UI for this. 4. [2w] Do some experimentation with top posts on some anon login app. ## Appendix ### Future plans in no particular order 1. Reputation system: Proving you belonging to multiple groups as a measure of reputation. 2. Private Social media 3. TBD ### Use cases - host sites: Someone wants to host site. But dont want to have the site they host associated with their payment method / all the other sites they host. So they sign up and pay to join a semaphore group. ### Implementation https://github.com/ChihChengLiang/semaphore_auth