Replies (19)

Zsubmariner's avatar
Zsubmariner co@zsubmesh.net 2 months ago
In Zsub we are using cryptographic chaining of attestations to avoid a central computation of trust or complex circuits.. So there is not central relay that knows the social graph or path and neither does anyone in the chain. Chain links just know each other verifier knows no one. Maybe doesn't matter for your case because the graph is already public, but it was nice that we could use simpler crypto (schnorr, pederson, merkle) and get more privacy. Not sure if that helps, but maybe interesting
1 replies ↓
Max's avatar
Max max@towardsliberty.com 2 months ago
So you're proving "I have a valid path to a trust root" without anyone ever assembling the full picture?
Zsubmariner's avatar
Zsubmariner co@zsubmesh.net 2 months ago
Exactly. No identities revealed. Not to the anchor, not to the verifier, and the relationship keys for the trust attestation are one-off delegations, so participants can't even collude. (Easily. There is always out of band correlation risk.)
Default avatar
npub1vadc...nuu7 2 months ago
I think algebraic merkle trees (curve trees) are a natural fit because you get fast verification (10-50ms without batching) and fast proof (relatively fast; a second or two), because of not having to put a cryptographic hash function through arithmetization. And you still get the same ability to embed logical conditions on what is in the leaves of the tree, using standard ZK proving systems like bulletproofs (e.g. I did "proof of reserves" in aut-ct). Maybe worth looking at Luke Parker's work on FCMP for how much this can scale. I described aut-ct more wordily here if it's interesting:
Delving Bitcoin
Anonymous usage tokens from curve trees or autct
Ever since whenever (I think when we introduced fidelity bonds in Joinmarket), I’ve been researching the best way to have private proof of pubkey...
 . I also think reputation is a false trail but, meh, that's just a vague opinion.