Idea: Collateralized Identity – Using bitcoin to suppress sockpuppets

[joecascio]

I would very much like the community's input on this idea. I just published it on my blog to release it into the public domain.

Collateralized Identity – Using bitcoin to suppress sockpuppets http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/


Is there prior art?
Can you find any weaknesses or possible exploits?
What's your opinion of its feasibility?
Any other thoughts you have on the idea.

Thanks.

[Come-from-Beyond]

The idea is not so bad. But blockchain grows very fast and its usage is limited to hi-end computers, websites with 5 USD per month hosting won't be able to use it.

Btw, TL;DR version will help a lot. I bet only a few ppl managed to read the whole text.

[joecascio]

The idea is not so bad. But blockchain grows very fast and its usage is limited to hi-end computers, websites with 5 USD per month hosting won't be able to use it.

Btw, TL;DR version will help a lot. I bet only a few ppl managed to read the whole text.

Thanks, I will move the Summary to the top.

Re: blockchain, I was thinking a site could simply query blockchain.info.

[misterbigg]

Can you find any weaknesses or possible exploits?

It's an interesting idea but what prevents the site operator from extorting users, threatening them with the loss of their bond?

[CIYAM]

It's an interesting idea but what prevents the site operator from extorting users, threatening them with the loss of their bond?

Maybe if combined with escrow this could work better (of course you need to be able to trust the escrow)?

[justusranvier]

I proposed a similar idea as a general solution to the shortcomings of wot-style rating systems a little over a week ago.

https://bitcointalk.org/index.php?topic=153221.msg1628630#msg1628630

[CIYAM]

That is an interesting idea and I think one that is worth thrashing out further.

[remotemass]

What about simply sending satoshis when registering to the sites? When registering, the sites could say how many satoshis to send to tie it even more.
Also number of tips received on that user bitcoin address could be used to calculate a reputation value.
You could even use a formula for that reputation calculation that would weight the tippers' tips, making them as much more more significant as more reputation the tippers had.

[joecascio]

Can you find any weaknesses or possible exploits?

It's an interesting idea but what prevents the site operator from extorting users, threatening them with the loss of their bond?

See section "Collateral Ownership". The owner always retains the bitcoins.

Collateral ownership
An important point to note here is that the money pledged as collateral never leaves the user’s possession. She doesn’t have to worry that a site she’s pledged it to will lose or abscond with it, and she doesn’t have to trust any third party, like an escrow service, to hold it or report truthfully about it. It’s as though she locked some amount of cash in a glass jar in front of the town hall. Only she has the key to get it out, but it’s there for anyone to see and verify.

If she decides that she really needs the money pledged to that particular CID, it is her decision and her decision only whether or not to give up the value-time reputation she’s built up in it by spending the bitcoin. In reality, sites accepting CIDs as membership IDs would have their own way of accumulating a “trust balance” for an ID. If a person owning a CID behaves responsibly for a certain amount of time, or contributes otherwise the site’s community, the site may cease to check the bitcoin balance and rely on their own history with her.

[jgarzik]

Not a new idea.  In general, you need to provably attach some sort of cost associated with an identity.  That cost could be a monetary cost (bitcoins or dollars), a proof of work, or something else.

[joecascio]

There may be a better word to use than collateral. The purpose of associating a bitcoin value with the identity is to defeat sockpuppets by making it expensive or time-consuming to create identities. It's not intended to be a forfeit for a failure to perform.

[joecascio]

Not a new idea.  In general, you need to provably attach some sort of cost associated with an identity.  That cost could be a monetary cost (bitcoins or dollars), a proof of work, or something else.

If it's not a new idea, then at least it can't be patented, which would suck mightily. One of my motivations for publishing this was to keep someone from patenting it.

Jeff, Regardless of its novelty, do you think it's practical to implement and would it be a worthwhile thing to do?

[joecascio]

That is an interesting idea and I think one that is worth thrashing out further.

Can you see any holes in it? That is, ways it could be circumvented or defeated so bad actors could create many such identities without pledging bitcoins for each one for a period of time?

[herzmeister]

this paper is back from 2002:

Anonymous Identity and Trust for Peer-to-Peer Networks

In this paper, we present a new way of establishing independently-verifiable identities, based on the notion of computationally expensive key generation. We then describe a fully decentralized framework where these identities can be used to assign blame and to construct auditable blacklists of cheaters.


http://www.cs.cmu.edu/~tom7/papers/peer.pdf

[joecascio]

this paper is back from 2002:

Anonymous Identity and Trust for Peer-to-Peer Networks

In this paper, we present a new way of establishing independently-verifiable identities, based on the notion of computationally expensive key generation. We then describe a fully decentralized framework where these identities can be used to assign blame and to construct auditable blacklists of cheaters.


http://www.cs.cmu.edu/~tom7/papers/peer.pdf

Yes, I read that paper a few months ago and actually traded a couple of emails with the author. I thought it was a great idea until the ASIC miners started appearing. They introduce too much spread in the ability of normal people with home computers to produce hash collisions and someone with an ASIC hash rig, who could produce thousands of sockpuppet type cheap ids in the same time it took a normal person to produce one.

And it actually started me on the path to develop this idea about collateralized identity. You can't cheat on bitcoins or time. Yes, some people may have a lot of money, but time ticks at the same rate for everyone.

[CIYAM]

Can you see any holes in it? That is, ways it could be circumvented or defeated so bad actors could create many such identities without pledging bitcoins for each one for a period of time?

Actually I don't see any real problem apart from that of software for the implementation (hinted at with your mentioning about wallets).

To accomplish the signing of a nonce in a straight forward manner I think that what you are probably really going need is a blockchain.info kind of wallet (i.e. one that is stored in localStorage).

This has the advantage of being built "in the browser" so that both the creation of the address and its signing can be done without running separate software. The downside of course is that you couldn't just log in from any computer as you would need access to the private key (solutions?).

Hmm... think I just solved my own problem - if you still have a unique "username" then the "encrypted private key" could be stored in the website and thus be retrieved during login (so not necessary to put it in localStorage at all but instead turns logging in into a 2 part process which shouldn't be even be noticed assuming the connection speed is good).

[jgarzik]

It can be useful to prove someone controls a certain amount of bitcoin balance, using the sign message feature.

But it is also useful to consider a fresh transaction, that intentionally "burns" a specific amount of money by giving it to the miner as a transaction fee.  This helps support a public service -- bitcoin transaction validation -- while assuring that real cost, real effort was spent to create an identity.

The keys used to spent the bitcoins in question provide another sign-message entry point.

[joecascio]

Can you see any holes in it? That is, ways it could be circumvented or defeated so bad actors could create many such identities without pledging bitcoins for each one for a period of time?

Actually I don't see any real problem apart from that of software for the implementation (hinted at with your mentioning about wallets).

To accomplish the signing of a nonce in a straight forward manner I think that what you are probably really going need is a blockchain.info kind of wallet (i.e. one that is stored in localStorage).

This has the advantage of being built "in the browser" so that both the creation of the address and its signing can be done without running separate software. The downside of course is that you couldn't just log in from any computer as you would need access to the private key (solutions?).

Hmm... think I just solved my own problem - if you still have a unique "username" then the "encrypted private key" could be stored in the website and thus be retrieved during login (so not necessary to put it in localStorage at all but instead turns logging in into a 2 part process which shouldn't be even be noticed assuming the connection speed is good).

I'm not seeing why signing a message with a nonce requires anything particularly special. Also, I'm not sure what you mean by "blockchain.info kind of wallet in localStorage".

Allowing login from any computer is an issue but I really don't like storing the private keys, even in an encrypted form, at the websites. I'd rather solve that using a mobile phone approach. I wouldn't be comfortable putting in a passphrase on computer I didn't own, but of course, that's up to each individual's preference I guess.

[joecascio]

It can be useful to prove someone controls a certain amount of bitcoin balance, using the sign message feature.

But it is also useful to consider a fresh transaction, that intentionally "burns" a specific amount of money by giving it to the miner as a transaction fee.  This helps support a public service -- bitcoin transaction validation -- while assuring that real cost, real effort was spent to create an identity.

The keys used to spent the bitcoins in question provide another sign-message entry point.

That is an intriguing idea, since you can't know which miner will get it. I think people would prefer, though, to retain possession of the funds, esp if it's a large amount. That way, if you decide to stop using a particular identity, you haven't lost the money associated with it.

[CIYAM]

I'm not seeing why signing a message with a nonce requires anything particularly special. Also, I'm not sure what you mean by "blockchain.info kind of wallet in localStorage".

It requires software that has access to the (encrypted) "private key" and the necessary crypto algos in order to sign the message with the nonce. I don't know about how *special* that is but certainly no standard "login" software exists in the world to do this right now AFAIA (although I don't believe it would be very difficult to write and most of it has already been written in .js that can be freely used).

The idea with blockchain.info is that the private keys are not stored (at least in an unencrypted way) on their server - am not sure actually whether they use localStorage (as I had worked out is not actually necessary in my last paragraph) so no need to focus on that (they may actually be using sessionStorage instead - both are part of the HTML 5 DOM stuff).

Allowing login from any computer is an issue but I really don't like storing the private keys, even in an encrypted form, at the websites. I'd rather solve that using a mobile phone approach. I wouldn't be comfortable putting in a passphrase on computer I didn't own, but of course, that's up to each individual's preference I guess.

Convenience is always going to be a trade off when it comes to security.

With mobile phones nowadays being internet connected (and just as susceptible to malware) is it really any safer to store encrypted private keys on them?