2013-11-19: Buying a new identity

[Mike Hearn]

An article on the concept variously known as fidelity bonds, anonymous passports, SINs, proofs of sacrifice:

   http://www.economist.com/blogs/babbage/2013/11/internet-security

Babbage unfortunately wrote the article so it sounds like I invented this concept. It's really the result of collaborative brainstorming on this forum between many people, but Jeff Garzik and especially Peter Todd deserve a tip of the hat for their contributions.

Internet security
Buying a new identity
Nov 19th 2013, 20:44 by G.F. | SEATTLE

BITCOIN hits the headlines when the virtual currency's exchange rate hits new highs (or lows) against real-world monies. And so it did when the rate spiked to $900 from around $400 a week earlier, following some positive noises during a hearing on it and its kind in the American Senate. (It has since fallen back to around $700.) Less talked about is the potential of Bitcoin's ingenious inner workings to transform other online activities.

Take internet identities, used to shop on the web, validate e-mail addresses or create social media accounts. Mike Hearn, one of the core developers of the software that powers the Bitcoin system (whose niceties we explain here), says that creating such identities poses a conundrum. Most forms of online ID (eg, a social-media account) are verified using other forms (such as an e-mail address) which are easy to crack, hijack or forge.

Mr Hearn suggests relying instead on the cryptographic trick that ensures the security of Bitcoin transactions. Bitcoin is a peer-to-peer computer network made up of its users’ machines, similar to BitTorrent, a file-sharing system. New Bitcoins are minted, or "mined", as the computers in this network execute hard number-crunching tasks. The entire network is then used to monitor and verify both the creation of new Bitcoins through mining and the transfer of Bitcoins between users.

Every new transaction is broadcast across the Bitcoin network and appended to a collective log, called a block chain, of all previous transactions in the system. The machines in the Bitcoin network communicate to create and agree on updates to the block chain. Roughly every 10 minutes a user whose updates to the log have been accepted by the network is awarded a fixed number (currently 25) of new Bitcoins.

The system makes it computationally difficult to create a doctored block—one containing illicit transactions such as sending the same Bitcoins twice to two people, say, or reversing a Bitcoin transfer to a vendor after he had dispatched the purchased product. That is because having such forged transactions validated and attached to the globally accepted block chain would require outpacing the network's combined computing power. Only a fraudster who controls more than half of the network's total number-crunching capacity—a tall order—could achieve such a feat, and only for transactions less than about an hour old.

Mr Hearn's secure-ID scheme similarly relies on a block chain and on rewarding miners who keep it up to date. An identity would be established by performing a transaction in which no Bitcoins are transfered from the owner to another named party. Instead, the owner would donate a sum—say, $200 worth of Bitcoins—that the first miner to approve a block with this transaction in it would get as his mining fee. (Since the winning miner is always revealed at random, the owner cannot simply redirect the virtual cash back into his account.)

The donor thus possesses a receipt of the transaction that can always be verified against the public Bitcoin ledger. Stealing someone's identity would require swiping his private key. It comes in the form of a unique private cryptographic key mathematically matched to a public key embedded in the donation record. The Bitcoin-based private key then comes to resemble traditional digital signatures, which also use a combination of private and public keys to verify the holder's identity. Except, that is, that Bitcoin's anonymity ensures that the donor's identity would no longer need to be verified by an outside, signature-granting authority. It could, in other words, be confirmed without ever being revealed to anyone.

Like account-passwords for many sites, private keys are vulnerable if stored in online Bitcoin wallets (which have been hacked); much less so if maintained on a user's computer (since hacking a particular desktop, while not impossible, is harder than inflitrating the cloud). Serious Bitcoin users anyway keep their private keys in "cold" storage on unpowered hard drives that are never linked up directly to internet-connected computers.

The scheme also has another feature Mr Hearn thinks desirable: accountability. If the ID-buyer uses it to access a website only to break its rules—for instance by trolling on online forums or slandering someone on Facebook—and be banished from it, he can always go back to Bitcoin and secure a new Bitcoin ID simply by making another donation. But at least it will cost him.

[1715643083]

1715643083

[1715643083]

1715643083

[1715643083]

1715643083

[giszmo]

What exactly are you proposing? That services require you to have a costly account to mitigate the potential to create thousands of accounts for free? Why donate to miners and not a set of charities? Why exclude people who only have an annual income of 200$?

[Carlton Banks]

What exactly are you proposing? That services require you to have a costly account to mitigate the potential to create thousands of accounts for free? Why donate to miners and not a set of charities? Why exclude people who only have an annual income of 200$?

Well, it's the miners and the blockchain that are verifying the veracity of the transaction that creates the identity, the idea is to send a special transaction with no recipient or amount, just fees. And I think the $200 figure is kind of notional, they imply that in the text. The fact that it's a fees-only transaction should give you an idea of the price range they will start from from for the cheapest.

I think it's a good plan, as is. Jeff Garzik described it as "choose your own level of privacy", and that's boadly what it could offer. And what's more, it puts more informational power in the hands of each individual, instead of with authorities (particularly individuals that suffer from the actions of unpleasant governments). Imagine you're the government in a country where they have big problems with foreign political subversion by agents from another state. You would start insisting that all tourists, NGO and Embassy/Diplomatic staff have passports linked to blockchain identities with very very high fees attached. You could check the blockchain yourself to see that it was all as you require. It would be a smart way of handling that kind of problem; states with malign secret services can get fake identity documents at virtually zero cost, and with huge benefits to them.

This identity scheme seems to level the playing field when it comes to these systems. All of a sudden, government ID documents aren't as valid as the ones you can knock up yourself. And you can have more than one (keep your forum, blogging, social media, medical purchases, career or nightlife identity totally separate from each other. Or not, as preference and circumstances demand)


Also, plaudits to the Economist. They rarely cover Bitcoin, and they often get the technical aspects just a tiny bit muddled (as they did describing mining, both in this article and a previous one). And that they picked this issue shows some genuine insight, as I suspect this ID Protocol has the potential to introduce even more transformational qualities from Bitcoin system. And at least they're not that mixture of Chicken Little and fanatical luddism like the rest of the established press so often are. For them, at least maintaining a pretense of rationalism is their raison d'etre  

[BTC4Victory]

Am I reading this right, or is this really a very trivial application which basically boils down to "you can make use of the fact that the blockchain is a public ledger to link your identity to a BTC address, and then sign messages with your private key to prove going-forward that you are who you say you are?"

And not to knock it, because, true, it certainly be used to do that (but, of course, can also do *so* much more...).  It sort of confirms a suspicion I've had for awhile: obviously (almost by definition) the detractors of Bitcoinl clearly don't understand what it is and what it can do -- but I suspect that there are an awful lot of "supporters" (especially newcomers to the bandwagon) of Bitcoin who also haven't even yet really grasped why it's so revolutionary and what it can really do when its potential is fully realized.

In other words: wow, Economist, if you're impressed by the fact that Bitcoin lets you create a persistent provable online identity by signing messages with your private key, it's *really* gonna bake your noodle when somebody (like, say, Mike Hearn) sits down with you and explains colored coins and smart property and multi-sig transactions and autonomous agents, and...  

[Mike Hearn]

As a point of comparison, bulk-created fake Gmail accounts cost about $1 for 10 on the grey market. So if your sacrifice was more than about 10 cents, you'd have created yourself an identity with about as much weight as a Gmail account. In practice this is often good enough. The difference is that getting the cost of spammy Gmail accounts that high took years of work by a dedicated team, whereas anyone can implement Bitcoin anonymous identities very easily.

Actually I spent a lot of time talking with Babbage from the Economist and explained many things. There will be a longer article in the print edition coming out in the near future.

[odolvlobo]

Other than establishing the age of an identity, is there a benefit to publishing it in the block chain?

[Carlton Banks]

Other than establishing the age of an identity, is there a benefit to publishing it in the block chain?

The cryptographic angle.

You can take any piece of digital information, and use the ID to sign a digital signature of that piece of digital information. This is what makes these ID's so powerful.

The entry requirements for getting a social media network account could be a signed photograph of yourself. Or a signed copy of a document with your postal address on it, if they're particularly snoopy. Somewhere like Linked In might well insist on a fairly high level of identity proof; they don't need the hassle of known fraudsters using their network to perpetrate confidence based scams, it hurts the reputation of Linke In, it devalues their network. Don't like how nosy the network is? As long as we have the freedom to choose, and developers/businesses have the freedom to create the platform they want to provide, then you can still be odolvlobo and I can still be Carlton Banks.

The killer for me is to sign a digital copy of your complete genome with your Bitcoin ID, a near absolute identity. Birth Certificates are so 2nd millennium these days, pah.

[odolvlobo]

Other than establishing the age of an identity, is there a benefit to publishing it in the block chain?

The cryptographic angle.
You can take any piece of digital information, and use the ID to sign a digital signature of that piece of digital information. This is what makes these ID's so powerful. ...

You don't need the block chain to do that.

[Carlton Banks]

Other than establishing the age of an identity, is there a benefit to publishing it in the block chain?

The cryptographic angle.
You can take any piece of digital information, and use the ID to sign a digital signature of that piece of digital information. This is what makes these ID's so powerful. ...

You don't need the block chain to do that.

No, but the cost to creating multiple PGP keys is the time it takes to write yourself a bash script to do so, really. In circumstances where you really want to put people off from abusing the ability to sign things digitally to present as a form of proof, you can disincentive that with an ID you have to pay for.

Another example would be these very forums, we get spammed and trolled with great enthusiasm. I'd argue that the clever trolls should be allowed to stay, as you can learn something from mischief that involves thought and innovation. I guess that it could be the decision of the moderators and site operators to decide their own policies, as well as when to make exceptions for them.

You can't outlaw trolling or spamming, but you could achieve a decent increase in the amount signal to noise. There suddenly exists another tool to shape cultures.

[TraderTimm]

The cost isn't a deterrent at that level. It would only foster pushing fraud to the edges, stealing enough to "sacrifice" yourself a new identity.

How is this better, at all?

[Carlton Banks]

The cost isn't a deterrent at that level. It would only foster pushing fraud to the edges, stealing enough to "sacrifice" yourself a new identity.

How is this better, at all?

The amount of mining fees you use for the ID is provable, recorded in the blockchain. You can choose the fees now, as you no doubt will be able to for these IDs. So, if your service is getting way too much ID fraud, or too much abuse from people using cheap IDs, you raise the minimum amount of sacrifice that was use to create the ID for all new people registering.

I'm not saying this is perfect, and at the risk of getting labelled as "Mike Hearn's new best friend", I'm still going to say that this needs to be discussed.

Remember as well that there are all sorts of times in life where being able to prove your identity is really useful. If someone for some reason accuses you of something you didn't do, being able to offer evidence as to who you definitely are and what you were really doing or where you really were when the alleged incident took place, it's almost priceless, depending on the accusation. Everyone's face and voice are the most basic identities there are, I don't think people who value their privacy more than your average person would advocate for wearing masks and voice-distorters just to achieve perfect privacy at all times. Who would trust the faceless voice-less stranger? Maybe they could build up a relationship with the faceless/voiceless person to get a feel for how you behave, but then you become really easy to impersonate, the impersonater needs a copy of your mask and the same voice distortion settings. It's a complicated problem.

[Peter R]

This idea is fascinating.  It solves parts of the identity problem much better than "government issued ID" while still allowing reasonable anonymity (or separation between nightlife-self, work-self, etc, as mentioned earlier).  

Would it be possible to take this idea further and create identities in such a way that we are reasonably sure that the owner of the private key has reached the age of majority in their state or country?*  Imagine that a market for bitcoin "Notary Publics" emerges:  each notary public has paid a very high fee for their identity (say, $100,000) so they do not want to be discredited--they have a strong incentive to be honest.  They could offer a service where they would digitally sign a message with their private key to the blockchain to vouch that the human identity behind your public key was, say, >= 19 years old.  You would have to show them reasonable proof of this fact in order for them to "vouch" for you.  If crooked notaries emerged, they would eventually get found out by unhappy mothers or police sting operations, and they would be quickly put out of business and render their $100,000 investment worthless.  


*I ask because I read early today that the operators of sites that deliver x-rated content are hesitant to allow bitcoin payments because it could be a 12 year old kid on the other end [https://bitcointalk.org/index.php?topic=340145] [Apparently, despite the fact that the 12-year old can download pornography for free, if he buys it and his parents create a stir, this can cause problems for the site operator].  Bitcoin + x-rated content is obviously a very large and mostly untapped market.
  
 

[jgarzik]

Would it be possible to take this idea further and create identities in such a way that we are reasonably sure that the owner of the private key has reached the age of majority in their state or country?*  Imagine that a market for bitcoin "Notary Publics" emerges:  each notary public has paid a very high fee for their identity (say, $100,000) so they do not want to be discredited--they have a strong incentive to be honest.  They could offer a service where they would digitally sign a message with their private key to the blockchain to vouch that the human identity behind your public key was, say, >= 19 years old.  You would have to show them reasonable proof of this fact in order for them to "vouch" for you.  If crooked notaries emerged, they would eventually get found out by unhappy mothers or police sting operations, and they would be quickly put out of business and render their $100,000 investment worthless.  

Yes.  That's digital attestations.  Background Checks, Inc. can perform a background check on me, and then sign my identity "jgarzik (key 0x1234) passed our background check level 1 on date Y/M/D".  Anyone who trusts the signature of Background Checks Inc. may trust key 0x1234 as having passed a background check.

You may also offer this signature as hash(signature), and only reveal the actual signature privately upon request, to enhance privacy further.

Plug for my own identity tech spec: https://en.bitcoin.it/wiki/Identity_protocol_v1

[Mike Hearn]

Would it be possible to take this idea further and create identities in such a way that we are reasonably sure that the owner of the private key has reached the age of majority in their state or country?*

The "identities" created by proof of sacrifice aren't really identities, they're just arbitrarily expensive objects that can be created with an app. There's no name or anything else attached to them. That's why I call them  "anonymous passports" but that name isn't really right either. I think we need to invent new words to describe these things. I'm not really happy with any of the names proposed so far.

If you want to prove your age but nothing else at all, then I'm researching convenient ways to do that as well. The recent cryptographic breakthroughs with zk-SNARKs open up the possibility of being able to use an Android NFC-capable phone to create provable derivatives of your passport with certain fields left out. For instance you could create yourself a proof that your name is Peter and you were born in 1981, but nothing else.

I've heard in the USA it's a bit different, but at least in most parts of the world I've been to, ~everyone has a passport and lots of people have Android phones. If you don't you could always borrow a friends, or purchase a cheap USB NFC reader.

However the above technique doesn't rely on Bitcoin at all. You could present a passport-proof and a sacrifice-proof together I guess, to prove you are over-age and still remain anonymous/bannable.

[Carlton Banks]

Would it be possible to take this idea further and create identities in such a way that we are reasonably sure that the owner of the private key has reached the age of majority in their state or country?

Yes.  That's digital attestations.  Background Checks, Inc. can perform a background check on me, and then sign my identity "jgarzik (key 0x1234) passed our background check level 1 on date Y/M/D".  Anyone who trusts the signature of Background Checks Inc. may trust key 0x1234 as having passed a background check.

If you want to prove your age but nothing else at all, then I'm researching convenient ways to do that as well. The recent cryptographic breakthroughs with zk-SNARKs open up the possibility of being able to use an Android NFC-capable phone to create provable derivatives of your passport with certain fields left out. For instance you could create yourself a proof that your name is Peter and you were born in 1981, but nothing else.

I knew someone would say this, and I was tempted to say so myself. But what stopped me was the fact that, as Jeff alludes to, this does not prove your identity or your age. At all.

It still requires you to trust all past and present employees or those with access to the facilities of the background checking/passport agency who provide the document that is signed. Even if that company also signs the ID/age verification data themself, it's open to abuse. You could still get that apalling set of circumstances where a person who has been dead for years has their ID information stolen, then signed and accredited by the passport agency or suchlike organisation via a miscreant employee. The ID of an unaccountable ghost is then used to commit a whole range of crimes. Cases such as this have happened in the past where the everyday police have arrived at the house belonging to the parents of the dead ID theft victim, and the mother of a child who has been dead since infancy has to put up with a traumatic ordeal, whereby the police officers accuse her of harbouring the child, of making up wild and elaborate fantasy stories about the child being long dead. These parents could be subjected to hours of this sort of questioning, perhaps in police custody. This sort of thing is a total disgrace, of course. It should not even be possible to commit such disgusting abuses of an ID system, and I suggest that the blockchain offers us a way to introduce an improved system where this cannot be done.

Corrupting ID schemes hacks away right at their essence. In the currently proposed usage, the Bitcoin system becomes the 4th party. Why trust another layer, when you may prefer someone to produce their passport to verify the (designed for portability anyway). It becomes less about empowering the user and more about the potential 2nd instance verifier saying "So, what does this Bitcoin ID associated person get up to online, eh?". Why not create a new layer that improves trust in the veracity of the ID mechanism itself? The proposed usage only creates an opportunity to collect more reliably attributable data about it's users.


I don't know if it's technically possible, but with the use of a similar mining fees sacrifice mechanism, these abuses could be averted. Put a hash of real ID information in the blockchain. Instead of using 3rd party meta-data (that can be subverted in more ways than one throughout the process), use genuinely unfalsifiable data like a complete genome, or genetic fingerprint. Possibly this would be technically inadequate for some reason, perhaps the available 80 bytes isn't enough to ensure that collision hashes aren't easy to reproduce for such large sample data as those of DNA fingerprints. But if it could be done, it would be a much more powerful identity system for it.

This is an unprecedented opportunity to create a mechanism for IDs that is very difficult to subvert or abuse, and the world would be a better place for it. The real issue today is that we do not have a level playing field, powerful organisations that are part of the industry for verifying ID can be (and are) used to gently chip away at the trust in the very system they are administering. Why not do for these organisations the same thing Bitcoin has been designed to do for the financial services and the central banks: usurp their relevance and their usefulness entirely, by providing an altogether improved system. After all, at the most fundamental level, we all like Bitcoin so much because it's a system where no-one can cheat.

[ancore]

Mr Hearn's secure-ID scheme similarly relies on a block chain and on rewarding miners who keep it up to date. An identity would be established by performing a transaction in which no Bitcoins are transfered from the owner to another named party. Instead, the owner would donate a sum—say, $200 worth of Bitcoins—that the first miner to approve a block with this transaction in it would get as his mining fee. (Since the winning miner is always revealed at random, the owner cannot simply redirect the virtual cash back into his account.)

So is this ID only usable with parties who have seen the "sacrifice transaction" publicly announced on the network?, otherwise couldn't the id seeking person just make a deal with some miner or pool to not announce this transaction, mine it and get his $200 back minus a fee for the miner.

[Peter Todd]

Mr Hearn's secure-ID scheme similarly relies on a block chain and on rewarding miners who keep it up to date. An identity would be established by performing a transaction in which no Bitcoins are transfered from the owner to another named party. Instead, the owner would donate a sum—say, $200 worth of Bitcoins—that the first miner to approve a block with this transaction in it would get as his mining fee. (Since the winning miner is always revealed at random, the owner cannot simply redirect the virtual cash back into his account.)

So is this ID only usable with parties who have seen the "sacrifice transaction" publicly announced on the network?, otherwise couldn't the id seeking person just make a deal with some miner or pool to not announce this transaction, mine it and get his $200 back minus a fee for the miner.

See my first ever post to the bitcoin-development email list: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg01005.html

Much improved upon a few months later: https://bitcointalk.org/index.php?topic=134827.0

Though these days I'm thinking spend to unspendable is a lot safer for a variety of reasons...

[Mike Hearn]

The object includes an spv proof of inclusion in the block chain. All the verifier needs is the block headers.

[Walter Rothbard]

What exactly are you proposing? That services require you to have a costly account to mitigate the potential to create thousands of accounts for free? Why donate to miners and not a set of charities? Why exclude people who only have an annual income of 200$?

Well, it's the miners and the blockchain that are verifying the veracity of the transaction that creates the identity, the idea is to send a special transaction with no recipient or amount, just fees. And I think the $200 figure is kind of notional, they imply that in the text. The fact that it's a fees-only transaction should give you an idea of the price range they will start from from for the cheapest.

This has probably been answered already, but what stops me from keeping the transaction to myself (not broadcasting it) and mining for the block that contains the transaction myself, so that the fees go to me, and I essentially don't pay fees?  (Or at least mining for it with a mining pool I control, so that I get some chunk of the fee back?)

[ancore]

thanks for the replies

I get how Retep's suggestion for a number of consecutive transactions could help or sending it to a blackhole,
but I'm not that familiar with svp proof