ZK11: Aptos Keyless: Blockchain Accounts without Secret Keys - Alin Tomescu

00:00

[Music]

00:07

um so my name is alen I'm the head of

00:09

cryptography at Aptos labs and today I

00:12

want to tell you about Aptos keyless

00:14

accounts which are blockchain accounts

00:16

that avoid the use of secret Keys um and

00:19

what they base their security on is a

00:21

traditional web to account like your

00:23

Google account or your Facebook account

00:25

or your Apple account so let's get

00:28

started but before we do I want to say

00:30

this is Joint work with the core team at

00:33

abos Labs the core keyless theme uh

00:35

Michael and Rex should be in the

00:37

audience and you can meet them today uh

00:39

Michael designed our circuit Rex audited

00:41

it and worked on the prover service and

00:44

also the broader app TOS Labs team and

00:45

the folks at geometry research some of

00:47

them in the audience right here uh who

00:49

helped us secure the ZK

00:51

circuit so what is a keyless account uh

00:54

well it's just the way I think about it

00:57

your blockchain account is your Google

00:58

account there are no user managed secret

01:01

Keys uh and as a result you get many

01:03

goodies which are going to which I'm

01:04

going to mention throughout the talk and

01:07

in the stock when I say Google I want

01:09

you to think Facebook I want you to

01:11

think GitHub or any open ID connect

01:13

provider or oidc provider but for

01:16

Simplicity I'm just going to say

01:18

Google so why do this why enable keyless

01:21

account the short answer is we want to

01:23

onboard the next 1 billion users we

01:25

don't think this is going to happen if

01:26

every time a user enters a space they

01:28

have to write down 24 words and put them

01:30

somewhere safely and lose them and then

01:33

never engage with the space again so if

01:35

we're going to get people in this space

01:38

we need to find a way for them to join

01:39

the space very easily so if you think

01:42

about the current user experience of

01:44

using a d app or a web 3 application you

01:47

have to install a wallet what the hell

01:49

is a wallet users are very confused they

01:51

have to write down this memonic this is

01:53

very

01:54

combersome uh it's very easy for them to

01:56

lose this pneumonic and lose their money

01:59

uh they have to deal with transaction

02:00

prompts what the hell is a transaction

02:01

prompt most users don't know and it's

02:04

very painful to move your device uh to

02:06

move your account from your laptop to

02:08

your mobile phone to your

02:11

tablet so what we want is kind of the

02:13

opposite we want we still want wallets

02:15

but we want the possibility of being

02:17

wallets we want users to directly sign

02:19

up for a d app without installing extra

02:21

software we don't want users to write

02:23

down the monics that's just painful uh

02:26

nonetheless we still want the account to

02:28

be very hard to lose and we'd like to

02:31

avoid transaction prompts if possible

02:33

and we'd also like to for things to work

02:35

across

02:37

device and additionally we might also

02:40

want other goodies like we might want

02:41

kyc via the IDC provider we might might

02:44

want to be able to send transactions

02:46

directly to an email address that would

02:47

be great um so that's what I'm going to

02:50

tell you about in this talk how to

02:52

enable all these things so how do

02:54

keyless accounts work at a really high

02:56

level there's four things I want to say

02:58

here so first a keyless account its

03:01

address is derived from two things your

03:04

email address and the application ID of

03:07

the wallet or the D app you're using so

03:09

that means these accounts are app

03:12

specific uh so they're associated with a

03:14

D app like d app. XYZ or they're

03:16

associated with a wallet like metamask

03:19

and this is what prevents a malicious

03:21

website like medium.com from stealing

03:24

your keyless account associated with

03:26

dxyz the fact that you have this the dab

03:29

specific

03:30

binding and this is also what allows for

03:33

wallet list apps um the fact that we

03:36

have this binding now a keyless

03:39

transaction signature the way this works

03:42

is it's really the same thing as an open

03:44

ID connect signature from the provider

03:46

and really it's a zero knowledge proof

03:48

of knowledge of such a signature for

03:50

privacy reasons and this signature from

03:52

Google is over a couple of things the

03:54

transaction hash your email address and

03:57

the application ID

03:59

and lastly we add a splash of zero

04:01

knowledge for privacy so we want to hide

04:03

a couple of things we want to hide the

04:05

email address and the application ID

04:07

from the chain from the full nodes

04:08

validators everybody but we also want to

04:11

hide transactions from Google we don't

04:13

want Google to be able to track which

04:14

email addresses are are associated with

04:18

each blockchain addresses and which

04:20

transactions are associated with an

04:22

email

04:23

address so at a high level this is the

04:25

picture uh next I want to go a little

04:28

bit deeper and actually show you some

04:29

some

04:30

details um so let's start with uh the

04:34

open ID connect protocol and how

04:36

applications register in this protocol

04:39

in order to get a client ID a so-called

04:42

client ID so if you have an application

04:44

like media.com or dap. XYZ you go on the

04:46

Google Cloud console for example and you

04:49

register it in there and at the end of

04:50

this sort of manual process you get a

04:52

so-called client ID so this will be the

04:55

application identifier that I mentioned

04:57

before which is committed in your

04:58

address and it's also signed by Google

05:01

when it signs your transaction right so

05:04

that's the first step so now that the

05:06

application is registered let's see how

05:08

kind of uh open ID connect flow works so

05:10

you're all familiar with this because

05:12

you've all used websites that asked you

05:14

to sign in with Google so this is what

05:15

happens when you use those websites you

05:17

you go to the app and the app displays

05:20

to you this prompt uh by redirecting you

05:22

to Google and in the URL that the app uh

05:26

redirects you with you actually have a

05:29

few param in there so you have this

05:30

client ID that I mentioned before which

05:32

is the identity of the application and

05:35

very very importantly the application

05:37

can specify any arbitrary data to Google

05:40

and what Google will do when you sign in

05:42

with your cookies is it'll send the app

05:45

this signature right and the signature

05:48

will be over three things your email

05:50

address that you successfully logged in

05:52

with the app's identity and this

05:54

arbitrary data that the app included

05:56

right and this of course this arbitary

05:59

data here will be very important because

06:01

guess what that arbitrary data will be a

06:03

transaction so and this is how we're

06:05

going to get Google to sign your

06:06

transactions for you and this is how

06:07

we're going to make the account be

06:10

keyless um and what's worth emphasizing

06:13

here also is that this is a digital

06:14

signature right so this is publicly

06:16

verifiable so anyone who has Google's

06:18

public key can take the signature and

06:20

verify it so now here's a couple of

06:23

observations what if this third party

06:25

verifier is a

06:27

blockchain and what if the application

06:30

is a wallet or a d app and what if the

06:33

data being signed is a transaction right

06:37

then you're basically looking at the

06:39

keyless picture if you get one thing

06:41

from the stock it's this slide this is

06:43

basically 90% of a picture the next part

06:46

of the talk I'm going to refine it a

06:47

little bit since we we're going to need

06:49

to deal with

06:51

privacy um right so the way it works

06:55

is your wallet will will sign you in and

06:58

then you want to send transaction for

07:00

your

07:02

address and you will include this oidc

07:05

signature from Google together with the

07:07

application ID and your email address so

07:10

so far this is not privacy preserving

07:12

right we're going to fix it in a second

07:14

and you can send this at the blockchain

07:15

validators and what the blockchain

07:17

validators can do is they can verify the

07:19

signature like I showed you before

07:21

because they have your email address

07:22

they have the client ID and they have

07:24

the transaction and additionally they're

07:26

going to match that the address you

07:28

included in the transaction

07:30

is indeed associated with the account in

07:32

the signature right so they're going to

07:34

verify for example the address is the

07:37

hash of the email address and the client

07:39

ID right so far so

07:43

good but there's a problem you are

07:45

revealing in plain text your email

07:47

address and the application ID and in

07:50

particular the email address is very

07:51

worrisome but even the client ID could

07:53

be problematic if you reveal it because

07:55

it leaks which applications are doing

07:58

what so we got to fix that and obviously

08:01

the very trivial fix is to just throw a

08:03

zero knowledge proof at it right so

08:05

instead of giving all of the secret

08:07

witness like the client ID and the and

08:10

the signature and the user email we're

08:12

going to we're going to move it inside

08:14

of a zero knowledge proof and we're

08:15

going to do all of the work inside the

08:16

zero knowledge relation here so this is

08:18

a zero knowledge proof of knowledge of

08:21

an oidc signature and an email address

08:24

and a client ID such that the IDC

08:26

signature verifies over the public input

08:29

public key and over the public

08:31

transaction input right and such that

08:34

the public address input is derived from

08:37

the secret email address and the secret

08:39

client ID so from the blockchain

08:41

validator perspective all they see is an

08:43

address and a transaction and Google's

08:46

public key and this proof assures them

08:49

that there is an oidc signature over the

08:52

email address inside the blockchain

08:55

address right and the client ID and over

08:57

the public transaction

09:00

okay so this is again a very you know it

09:03

looks very simple when you put it on the

09:05

slide it's very hard to implement but

09:07

it's a very simple change you just throw

09:10

a zero knowledge proof at things this is

09:11

what we like to do in this community

09:13

anyway good so there are some

09:16

complications with the zero knowledge

09:17

proof uh it takes I think about 30

09:20

seconds to compute in the browser so if

09:22

we're going to use this for our users

09:24

it's going to be very bad ux so we'd

09:26

like to speed it up so we have to rely

09:28

on aover service

09:30

um which is going to make the

09:32

computation of the Zer knowledge proof

09:33

much faster we can compute it in under

09:35

two seconds but it's going to have some

09:38

privacy implications and we can talk

09:39

about those

09:41

later because in particular the prover

09:43

service will learn the secret witness so

09:45

it learn the email address and the

09:46

client ID uh nonetheless I should say

09:49

it's very important to emphasize here

09:50

that theover service cannot steal your

09:51

funds I'll I'll describe that uh in a

09:54

second as

09:56

well uh nonetheless there's still more

09:59

problems left so as you can see here

10:01

Alice has to compute one zkp per

10:03

transaction and the blockchain has to

10:05

verify one zkp per transaction so we

10:08

don't like that for performance reasons

10:10

so the way to fix that is using a layer

10:12

of indirection that's every problem in

10:14

computer science can be solved with a

10:15

layer of indirection uh so what Alice is

10:18

going to do is she's going to generate

10:20

an ephemeral key

10:24

pair let's see right I have an ephemeral

10:27

key pair here es and an EPK

10:30

and next what we're going to do is

10:32

instead of signing the transaction we

10:35

will give Google this EPK to

10:38

sign and in the transaction signature we

10:41

will include an ephemeral signature over

10:43

the

10:44

transaction under this es right and then

10:47

the blockchain validators can simply

10:50

verify this ephemeral signature so we've

10:52

added a layer of IND Direction so now

10:54

you can think of the zkp as a

10:57

certificate for this ephemeral public

10:59

key and the transactions are signed by

11:01

the ephemeral public key and this

11:03

signature verification is in plain text

11:06

right the validator see an Emeral public

11:07

key and a signature on the transaction

11:09

there's no privacy loss there and notice

11:13

that although there's a key here these

11:15

keys are ephemeral you can lose them it

11:16

doesn't matter if you lose them you sign

11:18

back in you generate a new es and Google

11:21

will gladly sign it for you so they're

11:23

not sensitive from a loss

11:26

perspective and for those of you who are

11:28

familiar this keare can actually be a

11:31

web aen Pass key keare so this way you

11:33

can actually be very secure that it

11:35

won't it won't be stolen right if it's

11:38

backed up in your iPhone's Enclave let's

11:42

say still we have more problems the

11:45

address uh that uh is stored on chain is

11:49

a function over the email address and

11:51

the client ID so it obviously leaks an

11:53

attacker can brute force your email

11:55

address and the client ID and tell who

11:57

you are on chain so we want to fix that

12:00

too and the very simple fix there is to

12:02

just make the address be a commitment

12:05

rather than a hash of the email address

12:08

right so we're going to use a blinding

12:10

factor for that we call this blinding

12:12

factor a pepper uh these are just random

12:15

bits now if we did this naively the user

12:18

would have to pick those bits and

12:19

remember them and if the user loses

12:21

those bits then they can no longer

12:23

access their account so that would

12:24

defeat the purpose of this whole

12:26

approach because the whole point is we

12:28

want to avoid

12:29

storing long-term secrets so instead

12:32

what we're going to do is we're going to

12:33

have a pepper service that's going to

12:35

help users remember their pepper so the

12:38

way this will work is the pepper service

12:40

will evaluate a verifiable unpredictable

12:43

function over the email address and the

12:46

client ID and that defines the pepper in

12:49

the blockchain address associated with

12:51

these two and this actually makes the

12:54

pepper service a very simple service it

12:55

just has to store a 32 by VF key like a

12:58

BLS key

12:59

and it's also very easy to decentralize

13:01

so you can have a decentralized pepper

13:03

service with 20 servers that just

13:05

computes a threshold signature for the

13:07

user to get the user the pepper and of

13:09

course there's an access control issue

13:11

because the pepper service better not

13:13

give my pepper to somebody else it

13:16

better only give it to me and the way we

13:18

actually guarantee access control is

13:19

also via the open ID connect protocol

13:22

because the pepper service can actually

13:23

verify these these

13:25

signatures uh from Google before giving

13:27

you your pepper

13:29

um so that's the good news about the

13:31

pepper service and right now the pepper

13:34

service is not privacy preserving but we

13:36

can actually make it price of reserving

13:38

as well so the pepper service could in

13:40

principle receive a zero knowledge proof

13:42

of knowledge of an IDC signature and a

13:45

blinded um hash of the email address and

13:49

the client ID and evaluate the BLS

13:51

signature over that blinded hash so that

13:54

so that it doesn't even learn which User

13:56

it's Computing the pepper for uh we

13:58

haven't down yet but that's plans for

14:00

the

14:02

future good so next step is one last

14:06

tiny detail is that Google will actually

14:08

see this EPK here in the nons right and

14:12

if it can see this EPK then it can track

14:14

transactions on chain um so now it knows

14:18

which user is doing which transactions

14:20

this is also a very trivial fix instead

14:22

of putting the EPK in the open ID

14:24

connect signature we're going to put a

14:26

commitment to the EPK using some

14:28

different blind Factor R which is part

14:30

of the secret witness of the

14:33

zkp and basically we're done that's the

14:36

design this is it so if you get a second

14:38

thing from the stock it's this picture

14:41

right here uh which is the complete

14:43

privacy preserving story with the pepper

14:46

service and the approver service for

14:50

performance all right for the next part

14:52

of the talk I just want to uh mention

14:54

some things about our implementation so

14:57

when we built this because because this

14:59

is a layer one primitive right we are

15:01

putting these kind of keyless signature

15:04

on our transactions we have some pretty

15:06

aggressive performance goals so we want

15:09

the verification time of such a keyless

15:11

transaction to be very small and also

15:13

the proof size the zkp to be very small

15:16

uh in particular this is kind of

15:18

stringent if you think about it because

15:20

if an attacker puts bad zkps in your

15:22

transactions you have no recourse like

15:25

you're going to get dossed because if

15:27

the zkp fails to verify there's no

15:29

account that you can charge gas to right

15:31

there's nothing you can do so you really

15:33

have to make the implementation fast uh

15:36

so our only choice was to do gr 16 over

15:38

a fast curve

15:40

b254 and to implement the relation in in

15:44

uh in gr 16 we use circom we have 1.3

15:47

million R1 CS constraints and our code

15:50

is actually public we invite you to look

15:52

at it we invite you to build over it um

15:55

it's in a way very related to the ZK

15:56

email work that you've seen before and

15:59

some previous work on verifying jwt's in

16:03

snarks um and what's interesting about

16:05

our circuit is that we have some new

16:07

polinomial based protocols for doing

16:09

substring matching in a circuit which is

16:12

otherwise very complicated to do and

16:14

very expensive to do I should say so

16:16

this is what helps us achieve a small

16:17

number of

16:19

constraints we did an NPC ceremony for

16:21

the circuit we used potion uh fixed a

16:24

couple of bugs in it and we had 140

16:27

participants over the duration of one

16:28

week

16:30

and our prover service is implemented

16:32

via a hardened version of Rapid snark

16:34

which is a C++ code base it's really

16:36

fast the only thing faster than rapid

16:38

snark that I could find is maybe gar but

16:41

I couldn't manage yet to Benchmark our

16:42

circuit in gar because we have to take

16:46

our circom circuit and put it in gnark

16:48

if any of you know anything about that

16:49

please talk to me uh our pepper service

16:52

is just a rust based service uh that

16:55

uses BLS uh to evaluate the pepper

16:59

and that's it that's our implementation

17:01

so to conclude the talk um I think ux is

17:05

key for blockchains and good ux Is

17:08

keyless so open source uh codebase

17:12

please take a look at our rust validator

17:14

code at our repo uh at our MPC trusted

17:17

ceremony and Prov service I think and

17:20

pepper service are all public we have a

17:22

test deployments uh active on the appos

17:25

blockchain this is deployed in devet and

17:27

in testnet and will become to main net

17:30

pretty soon um it's also already been

17:33

used in the app toss random hack where

17:35

we've seen a few projects build on top

17:37

of it so that's very exciting uh and if

17:40

you want the nitty-gritty details and

17:42

all of the security implications and

17:44

details you can find them in an Aptos

17:46

Improvement proposal that I wrote

17:48

there's a PR open there's a couple of

17:50

more things to address

17:52

there um future work I think this kind

17:56

of approach raises some interesting

17:57

questions about

17:59

what kind of oidc providers would you be

18:02

willing to trust with your blockchain

18:04

accounts so this approach is not to say

18:06

that all users should use it it's

18:08

probably for 90% of users who are novice

18:10

right but even for those users maybe

18:13

Google is not the right choice so maybe

18:15

we There's an opportunity here to think

18:17

about identity providers for blockchain

18:19

users and maybe there's even a business

18:21

space in that um we want to try and move

18:25

the pepper service on top of the

18:27

validator so that it's as secure as our

18:29

validators as well as making it privacy

18:31

preserving we also want to try to

18:33

potentially move the trusted setup on

18:35

top of of our of our validator so we can

18:37

easily bug fix and upgrade our circuit

18:40

or ideally move to a universal snark

18:42

that meets our performance goals and

18:45

obviously we want to work on faster

18:46

proving to eliminate the prover service

18:49

um and there's a lot of cool features

18:51

that I did not get to discuss I'll I'll

18:53

leave them here for you and also a lot

18:55

of nuance and details in particular the

18:57

this Emeral key that I mentioned

18:59

actually has an expiration date it

19:01

doesn't leave live indefinitely and

19:03

there's implications around D specific

19:05

accounts that you have to deal with and

19:07

there's implication around wallet list D

19:09

apps that you have to deal with and just

19:11

this Json web token stuff this open ID

19:14

signature format uh and and how we deal

19:17

with it in our application uh but that's

19:20

it uh thank you so much for your

19:21

attention and would love to get lots of

19:27

questions thank thank you do we have any

19:29

questions there's a microphone do you

19:32

know the system by now okay don't sy so

19:36

is it's coming up all right fantastic

19:38

thanks great talk uh I had a question

19:40

about malleability and whether it's an

19:43

issue here so great if right so was the

19:47

intuition um I'll wait for the slides to

19:50

come yeah can I get the slides

19:52

back yeah malleability was actually I

19:54

think in the list of stuff it was sorry

19:56

like I blanked at that point then I yeah

19:59

so we we deal with it in a very simple

20:00

way we get non-malleability by signing

20:02

the proof with the ephemeral secret key

20:05

uh which is a nonmalleable signature as

20:08

well um that's how we got nonm and and

20:11

yeah we were worried about it in

20:12

principle all of our transaction

20:13

signatures are non-malleable because we

20:16

don't want people to worry about

20:17

malleability so so this solves the

20:19

problem of

20:22

malleability of the of the gr 16 yeah

20:25

because the ephemeral signature itself

20:26

is non malleable and then there's just

20:28

gr 16 and then you have to be careful

20:29

that other things like metadata next to

20:31

the zkp and the FML signature is not

20:33

malleable as far as we know it's not but

20:36

if you want to take a look at our code

20:38

thanks thanks for the

20:40

answerers okay any other questions yes

20:43

in the

20:45

back there's a microphone down on on the

20:49

chair just press the

20:53

button uh sometimes they don't work now

20:56

now you can hear okay so I want want to

20:58

ask what's your sensorship resistant

21:00

model and more specifically what's the

21:02

fallback in case the signature provider

21:04

goes down or doesn't want to provide the

21:06

signature for a specific user uh I

21:09

couldn't hear it very well could you put

21:11

the mic can you put here is it better

21:13

okay so I'm going again what's your

21:16

sensorship resistant model and to be

21:18

more specific what the fallback in case

21:22

the signature provider doesn't want to

21:23

provide the signal to specific user or

21:26

anyone else yeah that's that's a

21:29

that's a very good question so there's a

21:30

few ways to deal with that um it so at a

21:35

fundamental level you want to pick o IDC

21:37

providers that you have recovery

21:39

mechanisms for in case they stop playing

21:43

bow that doesn't answer the question

21:46

though because any provider can go down

21:48

any day so if I have an account in an

21:50

app using a kills model that means if

21:53

the signning provider goes down for any

21:54

reason reason or doesn't want to give a

21:57

signature for my user for example that

22:00

means that I lose everything yeah

22:01

correct so if you if you have a bad

22:03

provider that that's bad for you you

22:06

don't pick bad providers you would pick

22:07

really trustworthy providers I think the

22:09

only risk here is that the provider

22:12

probably says look I don't want to have

22:14

to do anything with blockchain

22:15

applications so any client ID that is a

22:17

wallet or a d app I'm just not going to

22:19

provide signatures for and in that case

22:21

you need a recovery mechanism for your

22:22

users and there's two things that we can

22:25

imagine doing one thing is we can use

22:27

for example the ZK email approach to

22:29

recover your account if you've been to

22:31

their talk so basically you can send an

22:33

email from your Google account which has

22:34

a signature from Google and that email

22:36

can authorize a key rotation for your

22:38

keyless account so that that would be

22:40

okay it would be kind of user unfriendly

22:42

but in principle it would give you back

22:43

access to your funds another way would

22:45

be to have a recovery service so a

22:47

recovery service with its own client ID

22:49

that users log into and the only thing

22:51

this Recovery Service does is it rotates

22:53

your key so maybe you know Google stops

22:56

playing ball but it allows this recovery

22:58

service to help users recover um so

23:01

those are two things that you can do and

23:02

in general that's what I mean by yanto

23:04

IDC providers that admit recovery

23:07

mechanism so let's say you use Twitter

23:08

you could use a public tweet to rotate

23:10

your account to a new publicy if you had

23:12

an HTTP Oracle on chain right that's

23:16

another recovery mechanism for another

23:18

provider I I hope that answers your

23:20

question but I'm happy yeah we can also

23:22

talk after discusser yeah there's a

23:24

microphone on the ground do you see it

23:31

it should be red

23:37

light yeah sometimes they don't

23:40

work okay thank you uh so you have

23:43

mentioned that you are using proven

23:45

service in your application is it is it

23:47

trust us or to which degree is it trust

23:51

I suppose uh I I fail to emphasize that

23:54

huh not sure what happened with my

23:57

slides uh it's trustless so if you think

24:00

about it the prover

24:02

Service uh gets this soidc signature

24:04

over an EPK right it doesn't know the

24:07

associated es to sign transactions with

24:10

so the approver service simply you know

24:12

you lose privacy with respect to the

24:13

approver service but there's ways to

24:14

deal with that you can MPC the appr

24:17

service and in fact snarks like grat 16

24:19

admit very efficient MPC protocols but

24:23

you know that's the only problem privacy

24:25

which which is addressable um stealing

24:27

your account isn't impossible because

24:29

the approver service doesn't have the es

24:31

and it cannot get a new IDC signature

24:33

over an EPK whose es it knows right does

24:37

that make sense yeah thank

24:42

you any other questions where the

24:45

front Okay we have time for a couple

24:48

questions I'll just take this one first

24:49

out of proximity I'll come to you um

24:52

does the pepper service generate the

24:55

peppers or stores them too yeah good so

24:58

um I mentioned in the talk that the

25:00

pepper service is uh using a verifiable

25:03

unpredictable function to generate a

25:06

pepper given an email address and a

25:08

client ID by simply evaluating a VF over

25:11

them a VF an example of a VF is a

25:14

deterministic signature scheme like BLS

25:17

why can't users do that themselves is it

25:19

too expensive or what but well they

25:21

would have to remember it if they did it

25:23

that that themselves right so it does

25:25

store it or generates it time it only

25:27

stores is the secret key of the VF so

25:30

that's 32 bytes and from that secret key

25:33

and a email address and a client ID it

25:36

can derive the pepper without ever

25:38

having to store it but what happens if

25:40

the pepper service fails if the pepper

25:44

service fails then users are locked out

25:46

of their account if they don't have

25:47

their pepper right so it's very easy to

25:49

mitigate against that so one one way is

25:51

for users to back up their peppers if

25:53

they're paranoid but we don't like that

25:55

uh another way is to actually

25:57

decentralize the pepper service and make

25:59

sure the key is never lost what you want

26:00

to ensure is that the secret key of the

26:02

pepper service is not lost now maybe you

26:05

know the top 2% of users uh might just

26:08

generate their own peppers and they

26:09

won't use the pepper service we I don't

26:11

think that's realistic for 90% of the

26:13

users but some subset of users might

26:15

want to uh in general we're not very

26:17

worried about the secret key of the

26:18

pepper service getting lost because it's

26:20

really easy to protect the key for you

26:23

know getting lost okay

26:26

thanks good so many questions it's good

26:29

thing your presentation was

26:31

shorter yeah I just wanted to connect to

26:34

what was saying the person before so you

26:36

say that the prover you have kind of no

26:38

privacy to the prover but then since the

26:41

secret key is in your possession then

26:43

you know it can in reality gross 16

26:46

proofs can be are maleable in itself so

26:49

the pro can randomize them to embed

26:52

tagging information in the proof itself

26:54

and then the user will sign and will go

26:57

so

26:59

yeah uh one second let me just okay uh

27:03

you're saying a malicious prover could

27:06

yeah because if the Malisha approver has

27:07

access to the email address it can

27:09

somehow embed it by randomizing the

27:11

proof and until some bites match like

27:14

grinding through proofs that's a really

27:16

interesting uh uh yeah I like that

27:18

that's interesting I would say the way

27:20

to mitigate against that is probably the

27:21

same way you would mitigate against the

27:23

uh the Privacy issue by MPC and the pro

27:26

service which would which would fix that

27:28

but yeah actually we haven't considered

27:30

that I really like that thanks a lot

27:31

okay we can discuss later yeah did we

27:34

have another question here cool I think

27:38

that's um hi can you derive uh public um

27:43

address from email address like if I

27:46

want to send some funds to someone who

27:48

hasn't used the the service correct so

27:51

what you could do if you wanted to send

27:53

funds to someone that isn't signed up is

27:55

you could derive an address for them so

27:57

let's say you want to send fun to Alice

27:59

on some wallet or some pay application

28:04

um like let's call it pay to email right

28:06

so pay to email has a client ID you know

28:08

it and you know Alice's email and then

28:09

you just pick a pepper for Alice you

28:11

pick it for her you pick random 256 bits

28:14

and then you email Alice hey Alice I

28:16

send you funds here's the pepper for

28:18

your address Al Alice can rederive the

28:21

same address and can sign in with Google

28:23

into the application and obtain a open

28:26

ID signature engage approver service get

28:29

a zkp and as a result get access to

28:31

those funds but the only difference in

28:33

this case is that you're not using the

28:35

pepper service Alice is simply using the

28:37

pepper that Bob picked to pay her is is

28:41

the pepper choosed by Bob or just Bob

28:43

initial initiated uh the pepper service

28:47

I mean no it's it's it would be chosen

28:48

by Bob would probably be the best way to

28:50

do it but you could also imagine that

28:51

the pay to email application could when

28:54

I say chosen by Bob is really by that

28:56

application right and then that

28:58

application would email Alice with the

28:59

pepper or maybe you would create a link

29:01

and embed the pepper in the link um and

29:05

Bob can can't use this pepper to gain an

29:08

advant advantage of this

29:11

account uh no no so remember that

29:14

there's two things you need to access

29:18

this keyless account for Alice you will

29:20

need the pepper because you will need to

29:22

do the address match but you're also

29:24

going to need an oidc signature from

29:26

Google and Bob is not going to be able

29:28

to get that IDC signature because he

29:30

doesn't control Alice's Google

29:36

account okay I think that's all we have

29:38

time for so thank you so much elen

29:40

another round of applause please thank

29:42

you so much for the questions