This AIP isAIP-61: Keyless Accountsextension that allows users to have a wallet tied to their OpenID account and sign transactions for the blockchain through their OIDC provider rather than through a key. As summarized in AIP-61, "your blockchain account = your OIDC account."
However, OpenID Connect authenticates users based on personally identifiable information (e.g., email address or Twitter username). There are two privacy goals in this regard:
Է OpenID Providershould notLearn which wallet address is associated with which OpenID user.
Է Validators (and other external observers) alsoshould notLearn the association between the wallet address and the OpenID user.
For privacy, the user provides the authenticator withZero Knowledge Proof (ZKP) to validate transactionsTheIt is computationally intensive to have to generate such a proof every time a user logs in, and then also whenever the user's temporary public key expires. In order for users to be able to quickly log in and operate on low-power hardware, proof-of-concept computing must be proven to serveUninstallation.
The focus of this AIP is on the motivation, design, and risks of this attestation service.
1. Objectives
The objectives of the certification service are as follows:
1. Enable fast and hassle-free login for keyless users.
2. Protecting the privacy of the user with respect to the OIDC provider and the blockchain.
3. Realize aAuxiliary Modeto prevent errors in a zero-knowledge system (ZKS).
Initially, the privacy of the user and the proof service itselfwill not (act, happen etc)have anything to do with it; only the OIDC provider and the blockchain are involved.
In other words, the proof service willat the instant sth happensLearn private information about users, including:
Է The user's OIDC handle. For example, if logging in with Google, the proof service will know the user's email.
Է User privacy protection pepper.
The fact that the proof service knows this information poses some privacy and centrality risks, as discussed below.
locomotive
The Proofreader service enables the most time-consuming part of the login process to be moved to a powerful cloud-based virtual machine for execution, rather than being performed locally. This dramatically reduces the time it takes a keyless account user to log in and be ready to execute a transaction from approximately 25 seconds to just 3 seconds. As a result, the keyless account user experience is significantly enhanced.
affect (usually adversely)
The direct impact of this AIP will be primarily on users without key accounts. The impact will be threefold:
1. Users will have a faster login experience than when generating proofs in the client.
Initial benchmarking showed that generating proofs in the browser took a very long time and was completely unusable (i.e., more than 25 seconds to generate a proof).
In contrast, server-side generation of proofs takes less than 3 seconds.
2. As long asAuxiliary Modeis activated, the user's funds are safe even if there is an error in the ZKP toolchain (e.g., circom).
3. The user's private information will be sent to the proof service. This introduces an assumption of trust: the user must believe that the proof service will not disclose this information. This is discussed under "Risks and drawbacks".
Alternative solutions
The most obvious alternative is to require the user to generate the proof on the client side. As mentioned above, this solution is not feasible, at least not for the current Groth16 based ZKP system described in AIP-61.
standardize
As explained in AIP-61, in order to authenticate a payment transaction, the user needs a Zero Knowledge Proof (ZKP) about the relation right Groth16 that encodes the logic for linking the **Empty Provisional Global (EPK)** to the keyless account via a signed JWT with a tag encoding a random number of that EPK and the transition date Specifically, $\ mathcal{R}$ has the following inputs: $$ \mathcal{R}\begin{pmatrix} \textbf{x} = [ (\mathsf{iss_val}, \mathsf{jwk}, \mathsf {header}), (\mathsf{epk} , \mathsf{exp_date}), \mathsf{addr_idc}, \mathsf{exp_horizon} ],\ \textbf{w} = [ (\mathsf{aud_val}, \mathsf{ uid_key}, \mathsf{uid_val}, r), (\ sigma_\mathsf{oidc}, \mathsf{jwt}), \rho] \end{pmatrix}, $$ and has the validation logic as defined in Ref.
1. Prevent ZKP errors
Keep in mind that one of the goals of the provender service is to provide initial protection against errors in the ZKP toolchain. This is achieved by enabling in the first months of deployment the so-calledAuxiliary Modeto realize it. In this model, the prover will have aSecondary Signature Keyand the verifier will know the correspondingAuxiliary Wheel Public Key. The verifier will then reject any keyless transaction unless the proof and statement are signed under this PK.
2. Proof of service behavior and certification process
At a high level, the Proof Service will have the following behavior. As a configuration, it will accept a Groth16 proof key that encodes the relation 𝑅, as well as an auxiliary signing key.
In the following, we will refer to aclient (computing)The client logic is implemented using our typescript SDK. The following shows the flowchart between the client, the OIDC provider and the proof service. After the client receives the signed JWT from the OIDC provider (steps ❶ and ❷), it will interact with the proof service. It will send a message to the Proof Service in the format (x,w) request, where x respond in singing w as mentioned above 𝑅 (step ❸). The Proof Service then performs the following actions:
- Compute the Groth16 proof for (x,w) 𝜋
- Compute the auxiliary signature for the message 𝑚=𝐻(x)||𝜋 𝜎
- Compute for the message 𝑚 = 𝐻(x)||𝜋 Auxiliary signature 𝜎
Once the client has obtained 𝜋 and 𝜎, it can use them to authenticate transactions for its keyless account (step ❺).
3.API
The provender service is accessed via the following endpoint: https://prover.keyless.devnet.aptoslabs.com/v0/prove
Next, we describe the format of the proof request and its associated response as follows.
3.1 Request format
The request body for routing /v0/prove must be a JSON object whose structure is specified by the following Rust RequestInput structure. This structure encodes the relationship 𝑅 The public inputs in the 𝑥𝑥 and private inputs 𝑤The
The exact structure of the requested JSON object is determined by the following factors:
ꔷ RequestInput structure, taken from src/api.rs in the proof service code
ꔷ JSON deserialization behavior of the serde_json library
ꔷ Custom serialization logic for EphemeralPublicKey and Pepper types defined in aptos-types
#[derive(Debug, Serialize, Deserialize)]
pub struct RequestInput {
pub jwt_b64: String, String, String, String, String, String, String, String, String, String.
pub epk: EphemeralPublicKey, String, String, String, String, String, String, String, String, String.
#[serde(with = "hex")]
pub epk_blinder: EphemeralPublicKeyBlinder, #[serde(with = "hex")].
pub exp_date_secs: u64,
pub exp_horizon_secs: u64,
pub exp_date_secs: u64, pub exp_horizon_secs: u64, pub pepper: Pepper,
pub pub uid_key: String, pub exp_horizon_secs: u64
pub extra_field: Option,
pub aud_override: Option, pub aud_key: String
}3.2 Response format
The Proof Service response for /v0/prove routes is a JSON object whose structure is specified by the following Rust ProverServiceResponse enumeration. In the case of successful proof generation, this enumeration encodes the proof, the Poseidon hash of the public input, and the auxiliary round signature. If an error occurs during proof generation, the enumeration encodes an explanatory error message that is displayed to the client.
The exact structure of the response JSON object is determined by the following factors:
ꔷ The following comes from the attestation service code in the
ProverServiceResponse enumeration from src/api.rs
ꔷ Groth16Proof structure defined in aptos-types
ꔷ JSON deserialization behavior of the serde_json library
ꔷ Custom serialization logic for the Ed25519Signature, G1Bytes, and G2Bytes structures defined in aptos-crypto and aptos-types.
pub type PoseidonHash = [u8; 32].
#[derive(Debug, Serialize, Deserialize)]
#[serde(untagged)]
pub enum ProverServiceResponse {
Success {
proof: Groth16Proof,
#[serde(with = "hex")]
public_inputs_hash: PoseidonHash.
training_wheels_signature: Ed25519Signature,
}
Error {
message: String,
},
}
#[derive(
Copy, Clone, Debug, Deserialize, PartialEq, Eq, Hash, Serialize, CryptoHasher, BCSCryptoHash.
)]
pub struct Groth16Proof {
a: G1Bytes,
c: G1Bytes.
}reference implementation
The code repository for the proof service can be found at https://github.com/aptos-labs/prover-service.
Risks and drawbacks
The main risks of attestation services fall into three categories:
Է Privacy Risks. The attestation service obtains sensitive information (i.e., the user's pepper and OIDC handle). This will allow us to recognize non-key users.
Please note that this sensitive information does not allow us to authorize transactions on behalf of the user, as the Proof Service does not have access to the user's temporary key.
This privacy risk is currently mitigated by making the proof service stateless: it does not store any information about the user after completing their request.
Ultimately, this risk will be eliminated by eliminating the need for proof services through multi-party computational proof technology or by reducing the time to proof in our ZKP toolchain. (See "Problems to be solved.")
Է Cost risk. Proof services can become expensive with increased key account adoption.
Է Concentration risk.
i.Since users must trust that the attestation service will not reveal their identity information, this will make it more difficult for new operators to launch new attestation services, since most users are likely to have already established strong trust in the initial attestation service. ii.
ii. whenever a training wheel is open, there can only be one proof service (i.e., the service that controls the signature key of the associated training wheel)
ꔷ Even with training wheels disabled, users will be more inclined to use reputable services due to the fact that proving services handle sensitive user information.
The main risks of the attestor service fall into three categories:
Է Privacy Risks.The prover service learns sensitive information (i.e., the user's pepper and OIDC handle). This will allow us to de-anonymize keyless users.
Note that this sensitive information(negative prefix)permissibleWe authorize transactions on behalf of our users because the certifier service(negative prefix)Learn the user's temporary secret key.
Currently, this privacy risk is mitigated by making the prover stateless: after completing a user request, it does not store any information about the user.
Ultimately, this risk will be eliminated by either (1) multi-party computational attestation techniques or (2) reducing attestation time in our ZKP toolchain, thereby eliminating the need for attestor services. (See "Open Problems.")
ԷCost risk.As keyless account adoption increases, prover services may become increasingly expensive.
Է Concentration risk.
i.Since users must trust that the attestor service will not reveal their identifying information, this will make it more difficult for new operators to launch new attestor services, since most users may have already established strong trust in the initial attestor service. ii.
ii. as long as auxiliary modes (training wheels) are on, there can only be one prover service (i.e., the service that controls the associated auxiliary mode signature key)
ԷEven after assisted mode is turned off, users will be more inclined to use services with established reputations because of the sensitive user information handled by the provender service.
Recommended implementation/deployment schedule
The proof service has been implemented and will be deployed as part of the mainnet release v1.10.
Future potential/pending issues
To mitigate the privacy, cost and centralization risks described above, the following issues are critical:
Է Can we design a new ZKP with fast proof times that would allow client-side proofs, thus eliminating proof services altogether?
Է If not, is it possible to design a proof service that is "blind", i.e., it does not learn any sensitive information about the user? In principle, this could be achieved through multi-party computation, but the implementation complexity may be high.
bibliography
- https://github.com/rex1fernando/AIPs/blob/main/aips/aip-61.md#specification
- https://docs.circom.io/circom-language/signals/
All of the above content is reproduced from the Internet, does not represent the position of AptosNews, is not investment advice, investment risk, the market need to be cautious, such as infringement, please contact the administrator to delete.
WeChat Sweep 
Alipay Sweep 
