Blog

Identity done right, onchain & off

Identity has been an old time cliche in the blockchain space, many of us have rolled our eyes at the countless pitches promising that our health records and other precious information would be put on the blockchain for the world to see.

We are told that verification of your identity is a simple transaction away, only costing you $1.53 at current gas prices & will allow you to reveal your life story to the bartender who asks for ID.

No, I am not gonna tell the world about my checkup at the dentist

While I know that there has been plenty of bullsh*t in this field, I believe it is possible to do identity right and have it seamlessly integrate with blockchain services, all without giving up your privacy to everyone.

Welcome Cryptographic Attestations

Cryptographic attestations are basically assertions of the validity of your identity via a cryptographic signature.

For example, “I Alice, agree that Bob is born on 14/07/1990 and is a US citizen” signed by Alice’s private key.

Such things have actually been around for a long time (think key signing parties and PGP signatures) & they exist independently of the blockchain.

Despite this, many in the industry have regressed and believe that we must hold our full identity inside the blockchain, an approach that is not only expensive but a huge risk to privacy in general.

Such attestations not only exist on a personal level, the same thinking applies when you visit a webpage and see the green HTTPS bar in the browser, basically a signing authority cryptographically acknowledges the validity of the websites SSL certificate.

Attestations? What does that have to do with the Blockchain?

Since it is possible to assign cryptographic attestations to your wallet keys that hold your crypto, it is possible to create some pretty cool dApps that enable use of an attestation whilst keeping the bulk of it’s information offchain.

Thinking further, since adoption of blockchain technology will push industry to adopt services that utilise keys, it will be possible to imagine authorities like your bank, doctor, Google or local/federal government issuing you an attestation that can prove your identity.

Since this can be done using your existing keys, it is possible to envision a world where you use these attestations, both on and off chain; to gain access to services at a click of a button and without (hopefully) revealing your life secrets to the world.

Privacy enabled attestations

So, we now know it is possible to get cryptographic attestations on your key, but what can you do with them and how does it relate to blockchains like Ethereum?

For starters, you can actually use your attestations without ever touching the blockchain. If you wanted to access facebook for example, you could provide your attestation and sign a challenge message to gain access to your account.

But let’s say that you have an attestation from your local driving authority that provides information about your date of birth, name, address and driving level but you only want to use it to enter a nightclub who’s only requirement is that you be above age 18.

Naturally, you don’t want to have to reveal all your attestation to the nightclub as it is unnecessary and a breach of privacy.

This is where privacy enabled attestations come in, using what is called a merkle tree you can split the attestation up into branches, e.g. “above 18: true, signed by x” and then only reveal that piece of information to the nightclub.

Merkle trees allow you to prove that the branched attestation comes from the original source without having to reveal the full source of information. I will not go into detail about this here, but my colleagues paper on ethereum attestations goes into greater detail.

Using your attestations in Ethereum

We can see how the offchain example works, but what about if we want to use this attestation in a smart contract?

Let’s say that you want to buy a beer token on ethereum that can be redeemed for an actual beer at the store and that to buy this token, you need to prove you are above 18.

Using the merkle tree model I mentioned above, you could attach a saltedmerkle tree inside the buy function in the beer token contract, which can then verify the attestation and either approve or deny the purchase attempt.

The implications of this are far beyond just buying beer tokens. Imagine being able to purchase an ICO token or stock without creating an account, or being able to seamlessly gain access to any service requiring identity; all from your crypto wallet.

What do you think about the future of identity? Leave your comments below