thork.net

designer babies no one asked for: protein cryptography paper speedrun

thorck@protonmail.com (Thor) — Thu, 23 Jan 2025 00:00:00 +0000

designer babies no one asked for: protein cryptography paper speedrun

cryptographers are finally getting around to answering our deepest, most pressing questions

but what if we used babies as encrypted storage format?¹

i surely cannot imagine encoding dad-jokes in my future childrens' proteins.

but no one is actually talking about using babies as a substrate for cryptography (yet). a paper posted to IACR this week explores the idea of using proteins as an encrypted data storage format. we’re going to speedrun explain that paper.

thanks to Keoni Gandall for comments.

wat

okay so three big questions i had going in:

is there some fancy steganographic key hiding that we could do with biology that we could not otherwise do?
- for example, there exists this quantum protocol for tamper-proof one-time-pad distribution, by pre-distributing qubits in superposition, then collapsing these to one-time-pad keys between sender and receiver²
how efficiently could we possibly store (possibly encrypted) data in proteins, what’s our bit-density in amino-acids, and do we need to pay out the ass for encoding error-rates, and maybe error-correcting codes
how far from reality are we really here: how expensive in time and dollars would it be to encode and decode

it turns out the answer is yes.

the paper only speaks to the first question, which is summarized in the next section; the the rest of this post is my rambling and back of the envelope math.

fancy steganography

the only known way to isolate a protein mixed with other proteins, is to purify the target protein using a monoclonal antibody (mAb), before sequencing it³. the adversary must know the correct mAb in advance to isolate the protein.⁴

that is, sequencing (encryption) a protein is easy, but synthesis (decryption) is hard and admits only one destructive attempt.

the authors further note that there is no known way to clone protein “in small amount”, which if possible, would allow for multiple synthesis attempts.

thus we get a basic idea why proteins might be well suited for cryptography; they have some convenient properties:

uncloneability - can’t clone the ciphertext payload
destructive sequencing - attempts to decrypt destroy the payload

this gives us a basic idea for a symmetric encryption scheme: to encrypt: encode a message into a protein and tag the protein with a header that can be isolated by an mAb held by the receiver; then mix the message protein with other “decoy” proteins of similar length and composition.

to decrypt, isolate the protein with the corresponding mAb and synthesize it with mass spectrometry.

the authors term this the Miftah symmetric encryption scheme. we now set about to answer the question, but how impractical is this really?

how efficiently can we pack data in amino acids

let’s first not think about encryption at all, and just try to pack as much data as we can. proteins are made of strings of amino acids. there are 20 natural amino acids, upper bounding us to abt 4.32 bits of information per amino acid. mass spectrometry can be used to read the string of amino acids, destroying the string in the process.

we could try to encode arbitrary proteins from amino acids, but most would be unviable. claude estimates that of length 50 amino acid chains, only 1 in $10^{15}$ would be structurally stable, which still gives us about $4.32*50-\log(10^{15})= 166$ bits in a length 50 protein.

if we take 160 bits in a length 50 protein at face value, we can try to compute for naive density of data.

mass spectrometry needs between 10^12 and 10^15 identical samples for reliable sequencing. amino acids weigh ~110 daltons. 50 AAs = 5500 daltons = 9.13 × 10^-21 grams. we get 160 bits / 9.13 × 10^-21 grams ≈ 1.75 × 10^22 bits/gram.

protein headers for the mAb to grab would be maybe 10-20 amino acids, about 25% overhead for headers, and we might also want to extend our proteins by another 25% to allow for error correcting codes.

supposing optimistically that we only need 10^12 replicas for mass spectrometry, we arrive at around 10^9 bits/gram, which would still be pretty ridiculously good, given that modern hard drives are on the order of 1 × 10^12 bits/gram for naive data storage.

for encryption, the paper doesn’t explore how many decoys would be necessary, but maybe about 100 decoy proteins to every one message protein would be sufficient. that further reduces our information density by another 10^2.

that brings our final estimate to around 1Mb/g for protein encrypted data, which is still pretty neat.

so, uh when should we expect this to become viable at cost?

but how expensive would it be to embed a dad joke in the proteins of my children

for encryption:

protein synthesis ~$1k, multiplied by 100 decoys for security
add ~$20k for sequencing a custom mAb
this all would take on the order of 3 weeks to synthesize the proteins, and 3 months to produce the antibodies

but decryption is relatively cheap! on the order of \$500 in 1-2 days for protein purification and another $200 in a few hours for mass spectrometry.

so, pretty practical. the future is here.

no one is asking this, the authors make did not mention babies once in their paper, but sure i guess we could do it ↩︎
thor has extremely lossy understanding of quantum things, and makes only the weakest claim to have said this correctly ↩︎
a note from Keoni Gandall: there are other ways to purify proteins; “you can purify proteins based on their size with columns and such, as well as methods that use salt (taking advantage of the solubility differences in different proteins)” ↩︎
the paper does not answer the question of how large the key space of possible mAb’s is, but since spectrometry is destructive, the key space doesn’t need to be massive. thor estimate: since an mAb has about 120 amino acids in the variable region, with 20 possible amino acids, that the mAb key space is much larger than $2^{128}$. ↩︎

About the Stone Prover

thorck@protonmail.com (Thor) — Tue, 06 Feb 2024 00:00:00 +0000

What follows an introduction to the Stone Prover. Pebble Stark is my WIP re-implementation of the Stone Prover as a set of modular Rust libraries targeting web-assembly compilation, thereby enabling client-side proving (proving Cairo from a browser or phone). The target audience for this post are those familiar with verfiable computation at a high level, looking to learn more about the Stone Prover in particular. Thanks to StarkWare for supporting this work.

Background

The Stone Prover is a C++ implementation of a STARK¹ proving system developed by StarkWare. There are two architectural approaches for designing proving systems:

Circuit DSL approaches like Plonky 2, Halo 2, and circom allow developers to lay out a circuit representing an arbitrary program, without an intermediate instruction-set representation. These libraries generally allow developers to achieve high levels of circuit performance, but typically offer very low-level developer experience. Circuits are also harder to audit for security and correctness.
Virtual machine² approaches like Stone, Risc-0, and zkEVM construct circuit equivalents for each instruction in the target instruction set. Some zero knowledge virtual machines target existing instruction sets: Risc-0 and zkEVM target RISC-V and the EVM instruction sets respectively; while Stone was designed specifically to prove instances of Cairo Assembly (CASM), designed by the Starkware team for efficient STARK proving. Virtual machines effectively provide an abstraction layer over the the way that a circuit is laid out, allowing for better program modularity and auditability than writing a zk circuit directly.

The pipeline for producing a proof with Stone is as follows.

Diagram scaffold
- User writes Cairo program
- Compiles program to CASM (with what?)
- Proves CASM instance (with stone)
- For cost savings, SHARP aggregates multiple STARK proofs into a single proof - (cairo jobs) - aggregates jobs into a train--aggregated jobs
- starknet - produces cairo jobs for sharp to prove
- where the program is deployed ( on starknet )
- Ethereum chain verifies aggregated proof

Proving a Cairo Program

Given a program written in Cairo, the program is first compiled to the Sierra IR, then to CASM with the Cairo compiler. The Stone Prover executes the CASM program, generating a trace of its execution, and proves the correctness of that trace. The resultant proof may then be aggregated with other proofs, or submitted directly to a verifier.

In more detail, Stone executes the CASM program, taking snapshots of the program state after the execution of each instruction. The collection of these snapshots of the state of the program is called the trace, which is a sort of table describing the entire execution of the program. You may think of a the trace as describing collection of registers, loading and manipulating information in memory. That is, if we have 8 registers, and execute 200 instructions, the trace is said to have width 8, and height 200. The trace describes the program, but keep in mind that the goal is to prevent a cheating prover from lying about the program execution. Therefore, the proof should show that the trace is consistent with a set of constraints. The trace plus the constraints are called the arithmetization scheme. Stone, and STARKs in general, use an arithmetization scheme called Algebraic Intermediate Representation, AIR.

Now, that we have the AIR–the trace and constraints–we need to prove that the trace satisfies the constraints with FRI (Fast Reed-solomon IOPPs). Relative to the two other common proving schemes, KZG and IPA, FRI proofs employed in STARKs generate proofs quickly (the prover does less work), but generate larger proofs, on the order of 100kB. However, as we’ll see in the next step, there are tricks to amortize the cost of verifying larger proofs with recursion. You may think of FRI as a gadget for creating the proof that the trace satisfies the constraints.

That is, the Stone Prover:

inputs a program consisting of CASM instructions
executes the program to generate the trace
lays out the trace in an AIR, representing the constraints between each row of the execution trace
and finally, proves that the trace satisfies the constraints with FRI.

The Stone Prover’s work is done, but for the sake of completeness, we will briefly mention two further steps in the pipeline of proof generation: proof-aggregation, and verification.

Now suppose we have a STARK proof, demonstrating the correct execution of some program. We could directly verify the STARK proof, but if the verifier must verify the proofs corresponding to more than one program, we can save the verifier work by combining the proofs in a clever way. Proof Aggregation is exactly this, a way to combine proofs together. The SHARP proof aggregator implements proof aggregation for Stone. Conveniently, aggregation of FRI proofs can be parallelized.

Proof aggregation batching proof instances; source

Finally, the proof is verified; verification performs the same algorithm regardless of whether the proof is aggregated. Recall that one of the goals of verifiable computation is that the verifier perform sub-linear work to verify the proof, relative to naively computing the program. That is, if the verifier would have perfomed $N$ steps to compute a program naively, the proof will require fewer than $N$ steps to check. Further, if the proof is the aggregated result of $k$ proofs, then the verifier savings on computation are further increased by about a factor of $k$. The work-saving in proof verification is well suited to compute constrained environments, such as blockchains.

footnotes

Scalable Transparant ARguments of Knowledge (STARKs) are proof systems where (1) the prover time is at most quasilinear (at most $O(n\log n)$ time), with (2) sublinear/polylogarithmic verifier time (at most $O(log^k(n)$ ), and (3) without a trusted setup phase. ↩︎
But what is a virtual machine? A virtual machine (VM) is really just a non-native instruction set, meaning that your machine can evaluate programs in an assembly language differing from it’s own. The two most common architectures are Intel x86 and ARM, and your system typically implements instructions at the hardware level for speed. Machines on these hardware architectures may still run programs targeting other instruction sets, by software emulation. That is, even though my machine runs Intel x86, I may run programs in ARM, EVM, or RISC-V via software emulation. The “virtual machine” is the component that does the software emulation. In the case of zkVMs, I may emulate the execution of a program in a particular VM that produces proofs of correct execution. Outside of the context of zkVMs, VMs are also used for server virtualization (VMware vSphere cloud-compute server), reproducible testing and development (Docker), and to run different operating systems on a single hardware platform. ↩︎

Solving ZK Hack Puzzle 3 - Chaos Theory

thorck@protonmail.com (Thor) — Mon, 05 Feb 2024 00:00:00 +0000

What follows is a solution to ZK Hack IV, Puzzle 3. ZK Hack is a series of zero-knowledge cryptography CTFs, workshops, hackathons, and study groups. Thanks to the ZK Hack organizers for creating this CTF, Geometry for this puzzle, and the ZK Hack community. You might also be interested in solution for puzzle 2. If reposting elsewhere, find this post on my blog here.

You might be interested in this post if you’re interested in:

an thought experiment on how building an authentication scheme based in elliptic curve pairings can go horribly awry!
Some background on ElGamal encryption and BLS signatures
The process of (cryptographic) puzzle solving

Of the three ZK Hack puzzles, this was by far the most straight-forward, so this will be a shorter post than the prior two.

`puzzle.solve()`

Background

all the knowledge nuggets you need to solve the puzzle

In this puzzle, we are presented with a novel scheme for the age-old cryptographic primitive, encryption plus authentication. Our Bob combines ElGamal encryption with BLS signatures. The details of each algorithm don’t much matter, but the way Bob re-uses his encryption key for BLS signing very much does. Our goal is to decrypt the ciphertext, without access to the decryption algorithm.

We visit BLS and Elgamal schemes in more depth in the next section, but familiarity with these algorithms is unrequired for working this problem.

Elliptic curve points are denoted in capitals, scalars in lower case. The sender’s secret and private keys are denoted $sk, PK=sk*G$, and the receiver’s are denoted $sk',PK'$. We have 3 algorithms:

Encryption (send): $c=(PK, sk*PK' + M)\gets E_{sk}(M, PK')$
Authentication (authenticate): $\sigma= sk*H(c) \gets A_{sk}(c)$
Auth Verification (check_auth): $b\in {0,1}=e(G,\sigma)=_? e(PK, H(c)) \gets V(PK, c, \sigma)$

Where the final authentication checks satisfies, since: $$\begin{aligned} e(G,\sigma)&=e(PK,H(c)) \\ sk* e(G, H(c)) &= sk * e(G, H(c)) \end{aligned}$$

We also are given a list of messages that Bob may choose to send.

We now demonstrate the exploit.

==🔴Stop! This is the 🚨puzzle solving police🚨! You have been given everything you need to find your own solution! Take ten minutes, pull out your pen, and reap the joy and mathematical gainz of problem solving🔴==

the ‘sploit

The puzzle solution in short

Let’s revisit those 3 algorithms:

Encryption (send): $c=(PK, sk*PK’ + M)\gets E_{sk}(M, PK')$
Authentication (authenticate): $\sigma= sk*H(c) \gets A_{sk}(c)$
Auth Verification (check_auth): $b\in {0,1}=e(G,\sigma)=_? e(PK, H(c)) \gets V(PK, c, \sigma)$

Bob’s only innovation is to re-use the encryption secret key for signing. Because we have the list of messages he may have sent, we can try to peel the message off of $c_2$. By testing each possible message $M_i$, we may compute $skPK'$: $$ X_i = skPK' = c_2 - M_i = (sk*PK' + M) - M_i $$

We have a line-up. One of these $A_i$’s is our guy. How will we differentiate them? We haven’t done anything creative or unusual yet. But unlike secure encryption+authentication, now we have a pairing at our disposal.

We have that, for some $i$, $X=X_i = sk*PK' = sk * sk' G$. That looks a lot like a public key, corresponding to secret key $x=sk * sk'$.

Can we shove $X$ into our verification step? $$\begin{aligned} e(G,\sigma)&=_? e(X_i, H(c)) &\gets V(X_i, c, \sigma) \\ sk* e(G, H(c)) &\not= sk*sk' * e(G, H(c)) \end{aligned}$$ Almost. We need to find a way to squeeze $sk'$ onto the left-hand-side. If we can multiply $G$ or $\sigma$ by $sk'$, we’re done, and the former is just the public key, $PK'$.

We can’t re-use the provided auth verification algorithm, but we can easily write that new auth-verification ourselves:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


pub fn check_auth_evil(s1s2_G: G1Affine, c: &ElGamal, s: G2Affine, receiver_pk: G1Affine) -> bool {
 // let lhs = { Bls12_381::pairing(G1Projective::generator(), s) };
 // (sk_r * G1, sk_s * H(.))
 let lhs = { Bls12_381::pairing(receiver_pk, s) };
 // let lhs = { receiver_pk, s) };

 let hash_c = c.hash_to_curve();
 // (sk_r*sk_s * G1, H(.))
 let rhs = { Bls12_381::pairing(s1s2_G, hash_c) };

 lhs == rhs
}

repo link

Plug that bad-boy in, and we’re done:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


 let sender_pk = blob.sender_pk;
 let c = blob.c.clone();
 let c1 = blob.c.1.clone();
 let s = blob.s;
 let rec_pk = blob.rec_pk;

 for (i, m) in _messages.into_iter().enumerate() {
 let a = (c1 - m.0).into_affine();
 let e = check_auth_evil(a, &c, s, rec_pk);
 if e {
 warn!("found message at index {}", i);
 warn!("win");
 break;
 }
 }

line em up

`puzzle.deets()`

Extended background on BLS and ElGamal encryption. This isn’t technically required to solve the problem, but the interested reader may enjoy the background context.

BLS

The BLS signature scheme is a simple signature aggregation scheme, relying on a elliptic curve pairing. It consists of 3 algorithms, (sign, aggregate_signatures, verify), where verify checks either any individual’s signature, or the whole aggregated signature. We don’t use aggregation at all in this puzzle.

Individual signing - Each individual signature $\sigma_i=sk_i\cdot H(M)$ is curve point on $\mathbb G_2$. Each public key $pk_i=sk_i\cdot G_1$ is a curve point on $\mathbb G_1$.
Individual signature verification and aggregated verification - Verification for any individual signature $\sigma_i$ is the same as for the entire signature, so we drop the indices: $$e(pk, H(M)) = e(G_1,\sigma)$$ Note that we don’t typically verify the individual signatures, only the final aggregated signature. The point of a signature aggregation scheme is that the aggregated signature is valid if and only if each component signature is valid.
Signature aggregation - Simply compute the sum of the signatures and sum of public keys:

$$\begin{aligned} \sigma_{\text{agg}} &= \sum\limits_{i=1}^{n} \sigma_i=(\sum\limits sk_i)H(M) \\ pk_{\text{agg}}&=\sum\limits pk_i=(\sum\limits sk_i)G_1 \end{aligned}$$

ElGamal

ElGamal encryption is a secure but non-standard public-key cryptosystem based on the Diffie-Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal can be used for both encryption and digital signatures. The security of the ElGamal encryption system is based on the difficulty of solving the discrete logarithm problem. ElGamal encryption generally produces larger ciphertexts compared to the original plaintext size, effectively doubling the message size. This can be inefficient in terms of bandwidth and storage.

Denoting scalars in lower case, and elliptic curve points in upper case:

Key Generation:

Private Key: Select a random number $x$ as the recipient private key.
Public Key: Multiply the generator point $G$ of the curve by $x$ to get $Q = xG$. The recipient public key is $Q$.

Encryption: (message, pk) -> ciphertext

Given a plaintext message $M$ represented as a point on the curve:
Choose a random number $r$.
Compute $C_1 = rG$.
Compute $C_2 = M + rQ$.
The ciphertext is the pair $C=(C_1, C_2)$.

Decryption: (ciphertext, sk) -> message

Compute $M = C_2 - xC_1$.
This works because: $C_2 - xC_1 = M + rQ - x(rG) = M + r(xG) - xrG = M$.

`puzzle.log()`

My puzzle solving log, lightly edited for readability. Keeping a log helps navigate overwhelming context dumps, and to avoid doing wrong and/or stupid things repeatedly. I use Obsidian to take these notes, for which I have written an extensive setup and usage guide. My repo can be found here. For taking math notes, I generally use a whiteboard or ipad for my scratch space before writing down my clean notes here, which helps to think n scratch faster. This puzzle in particular may have been faster to just work out on a whiteboard, without a log at all.

it be time for logging

Code runthrough

hasher - same hash as last puzzle it looks like, sha256 based
struct ElGamal representing ciphertext. Over a pair of G1Affine elements, let’s tag it with Debug for convenience.
- hash_to_curve(self) to create a G2 element
- we’re implementing our own hash to curve? check pre-image resistance (not collision resistance based on goal context). Sha256 over 128 bits is still pretty strong, so it seems fine
struct Message over G1Affine
struct Sender over a secret key in Fr and a pk
- verify that pk is correctly constructed
- send a message to receiver
- authenticate generate the tag s in G2Affine: $s = H(c)*sk$
struct Receiver gets a pk
Auditor
- check_auth takes a the sender pk, the cipher-text, and the authentication tag $s$
  - encrypt-then-sign is fine, unless the encryption and authentication are malleable?
  - lhs: $e(G_1, s)$
  - rhs: $e(pk, H(c))$ , where $H$ is our sketchy hash function

I think we have everything we need already to work this out. To the whiteboard!

See above notes for whiteboard observations.

new project: git-merkle (gm)

thorck@protonmail.com (Thor) — Wed, 31 Jan 2024 00:00:00 +0000

GM!

Just a short note describing a recent new project of mine, git merkle (gm)!

gm is a recursive tree of all the repos I’ve worked on since 2017 after a little spring cleaning; I removed about 40% of my pre-existing github repo history in the process of writing gm. There are about 90 repos contained in gm, and counting. I removed about 60.

Why did you do this?!

This is a very real question. Organizing and cleaning up about 6 years of git history, plus writing a script to keep them organized going forward, took about 6 hours across two days. Submodules are somewhat infamously finicky, and the last thing I want to be doing is managing merge conflicts on a nested tree of my commit history.

That is, if a commit is made to a submodule at depth $d$ in the tree, say in my repo helix, for which the path is gm/linux/.files/helix, then $d$ new commits are added to the git-merkle tree.¹

I have a few reasons. One is that it’s very nice to have a copy of the full history of my work on hand to ripgrep through. Another is that it’s a nice way to keep my work presentable for others. But most especially, this is one representation of all the work I’ve done for the last 6 years, and I’m proud of it. This repo is a sort of monument to the pride I feel in the all the work I’ve done. As a cryptography engineer, I find it apropos to represent that work as the workhorse data structure of blockchain cryptography, the merkle tree.

GM.

root = h(n1, n2)
| \
n1=h(n3,n4) n2=h(n5,n6)
| | | |
n3 n4 n5 n6

a merkle tree where the leaves are where data is stored and the root is a single hash

For those of you who are rusty on cryptographic data structures 101, a merkle tree is a tree data structure where the leaves contain the data, and every intermediate node is the hash of it’s leaves, see above. It’s useful for committing to a bunch of data in a single hash (256 bytes), that cryptographically represents the compressed state of the entire set of data, even if there’s a ton of data. Each git commit is produces the hash of the state of the repo, so the submodule tree is a just a tree of commit hashes. ↩︎

Solving ZK Hack IV puzzle 2 - Supervillain

thorck@protonmail.com (Thor) — Wed, 24 Jan 2024 00:00:00 +0000

What follows is a solution to ZK Hack IV, Puzzle 2. ZK Hack is a series of zero-knowledge cryptography CTFs, workshops, hackathons, and study groups. Thanks to the ZK Hack organizers for creating this CTF, Geometry for this puzzle, and the ZK Hack community. You might also be interested in solution for puzzle 1. If reposting elsewhere, find this post on my blog here.

You might be interested in this post if you’re interested in:

a smattering of zk-related trivia about elliptic curve pairing assumptions and proofs of knowledge
The process of (cryptographic) puzzle solving

Recommended reading order:

read this post top to bottom for a concise description and solution of the puzzle, then some mathematical detail nuggets to hold onto, and finally the stream of consciousness log of problem solving.
read this post back to front for the order in which it was actually written (problem solving log, then cleaned up and bloggified knowledge nuggets).

`puzzle.solve()`

Background

all the knowledge nuggets you need to solve the puzzle

In this puzzle we are tasked with exploiting a BLS Signature scheme with a home-baked proof of knowledge argument.

BLS background

Individual signing - Each individual signature $\sigma_i=sk_i\cdot H(M)$ is curve point on $\mathbb G_2$. Each public key $pk_i=sk_i\cdot G_1$ is a curve point on $\mathbb G_1$.
Individual signature verification and aggregated verification - Verification for any individual signature $\sigma_i$ is the same as for the entire signature, so we drop the indices: $$e(pk, H(M)) = e(G_1,\sigma)$$ Note that we don’t typically verify the individual signatures, only the final aggregated signature. The point of a signature aggregation scheme is that the aggregated signature is valid if and only if each component signature is valid.
Signature aggregation - Simply compute the sum of the signatures and sum of public keys:

$$\begin{aligned} \sigma_{\text{agg}} &= \sum\limits_{i=1}^{n} \sigma_i=(\sum\limits sk_i)H(M) \\ pk_{\text{agg}}&=\sum\limits pk_i=(\sum\limits sk_i)G_1 \end{aligned}$$

Proof of knowledge argument background

As noted above, we don’t verify the individual signatures. A malicious party could therefore choose public key without even knowing the corresponding secret key. The proof of knowledge intends to prevent that.

Instead, we require each party $i$ to provide a proof of knowledge $\pi_i$ that the party knows their secret key. The proof relies on a pairing check:

$$e(pk_i, R_i)= e(G_1, \pi_i)$$ Where $R_i$, is randomly generated within $\mathbb G_2$. That is, we check that the party knows $sk_i$ such that they can compute:

$$\pi_i = sk_i*R_i$$

Back to the problem at hand

In the case of this problem, the implementer modifies the BLS signature verification algorithm, negating the message hash:

$$\begin{aligned} e(pk, -H(M)) &= e(G_1,\sigma) \\ e\bigg(\sum\limits(sk_i)G_1, -H(M)\bigg) &= e\bigg(G_1,\sum\limits(sk_i)H(M)\bigg) \end{aligned}$$ This constrains the choice of our secret key $sk'$ such that (note that we start with 8 given public keys, and we are to choose the 9th):

$$sk = sk' + \sum\limits^7_0 sk_i$$ and

$$-sk * e(..) = sk * e(..)\implies 2 * sk = p$$

where $p$ is the prime modulus of our field. Since $p$ is odd, the group $sk=0$ and $pk= sk * G = \mathcal O$. We don’t have the others' secret keys, but we do have their public keys, from which we may construct our own key $pk'$:

$$pk'= \mathcal O - \sum\limits_0^7 pk_i$$ And the aggregate signature:

$$\sigma_{agg} = sk_{agg} * H(M) = 0 * H(M) = \mathcal O$$

However, we do not have a way obtain our own secret key $sk'$ without breaking the discrete log assumption, leads to issues with the proof-of-knowledge if the PoK is correctly implemented.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


/// generate random point R
fn derive_point_for_pok(i: usize) -> G2Affine {
 let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
 G2Affine::rand(rng).mul(Fr::from(i as u64 + 1)).into()
}

/// verify proof of knowledge
fn pok_verify(pk: G1Affine, i: usize, proof: G2Affine) {
 assert!(Bls12_381::multi_pairing(
 [pk, G1Affine::generator()],
 [derive_point_for_pok(i).neg(), // -R_i, not R_i
 proof]
 ).is_zero());
}

Note that instead of:

$$e(pk_i, R_i) = e(G_1, \pi_i)$$ We have:

$$e(pk_i, -R_i)= e(G_1, \pi_i)$$ So we actually need $\pi = -sk_i * R_i$, not $\pi=sk_i*R_i$. Take a moment consider whether this changes anything.¹

We now demonstrate the exploit.

the ‘sploit

The puzzle solution in short Let’s revisit that randomness algorithm.

1
2
3
4
5


/// generate random point R
fn derive_point_for_pok(i: usize) -> G2Affine {
 let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
 G2Affine::rand(rng).mul(Fr::from(i as u64 + 1)).into()
}

That is, let $R\gets\mathbb G_2$, then:

$$R_i = (i+1)R$$ ₒₕ ₙₒ

You thought this would be harder didn’t you? I certainly did. Well, a sanity-check test is in order:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


#[test]
fn test_rng() {
 // let G = G1Projective::generator().into_affine();
 let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
 let R = G2Affine::rand(rng);
 let R_1 = R.mul(Fr::from(2));
 let R_9 = R.mul(Fr::from(10));
 assert_eq!(derive_point_for_pok(1), R_1); // pass
 assert_eq!(derive_point_for_pok(9), R_9); // pass
 use ark_ff::Field;
 let five_inv = Fr::from(5u64).inverse().unwrap();
 let R_9_to_1 = R_9.into_affine().mul(five_inv).into_affine();
 assert_eq!(R_1, R_9_to_1); // pass
}

a test on the malleability in the randomness

This shows that, by the malleability of the randomness, we can solve for our $\pi_9$ by a little algebra on ${\pi_i}$.² We have:

$$\begin{aligned} \pi_9 &= sk_9 \cdot R_9 \\ &= (-\sum\limits_1^8 sk_i)\cdot((1+9)R) \\ &= -10*\sum\limits_1^8 sk_i\frac{R_i}{i+1}\qquad \text{as}\ R=R_i/(i+1)\\ &= -10*\sum\limits_1^8 \frac{\pi_i}{i+1}\qquad \text{as}\ \pi_i=sk_i\cdot R_i\\ \end{aligned}$$ Which we may then simply implement:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19


fn extract_proof(new_key: &G1Affine, pis: Vec<G2Affine>) -> G2Affine {
 use ark_ff::Field;
 let pi_sum = pis
 .into_iter()
 .enumerate()
 .map(|(i, pi_i)| {
 let coef = {
 debug!("i+1: {}", i + 1);
 let inv = Fr::from(i as u32 + 1u32).inverse().unwrap();
 Fr::from(10) * inv
 };
 pi_i * coef
 })
 .sum::<G2Projective>()
 .into_affine();

 // pi_9 = -sum(pi_i * (10/(i+1))
 -pi_sum
}

And then enjoy a pamplemousse sparkling water to celebrate our triumph. dalle, upon being asked for triumphant pamplemousse

`puzzle.deets()`

extended background on the B-KEA and KOSK assumptions

The puzzle gives a pair of resources that I didn’t mention. Resources like these tend to assume things like “you won’t stick a knife in your gut on purpose by choosing a malleable source of randomness”. But we did do that, so the resources are maybe only helpful for a little background context for the problem.

Therefore, the following notes are short and somewhat irrelevant to solving the problem, but may be interesting tidbits to take with you.

Mary Maller’s paper gives the Bilinear Knowledge of Exponent Assumption (B-KEA). The B-KEA can be succinctly defined as follows: Given a bilinear group $(G_1, G_2, G_T)$ with a bilinear map $e: G_1 \times G_2 \rightarrow G_T$, and elements $G \in G_1, H \in G_2, xH \in G_2$ for some unknown $x$, if there exists an algorithm that outputs $yG \in G_1$ and $T \in G_T$ such that $e(yG, H) = T$, then there exists an extractor that can compute $y$ given $yG$ and $T$. This assumption implies that the algorithm “knows” the exponent $y$ used to compute $yG$. That is, the B-KEA assumption says that, unless we can break the DLP, we’re not going to be able to extract our secret key $sk’$ from our chosen public key $pk'$.

This is maybe a bummer for hacking the problem, but on the whole, net good that we can use pairings in cryptography and not break all our private keys.

The second paper gives the Knowledge of Secret Key (KOSK) assumption, that it is assumed that the possession and use of a secret key is proof of the identity of the user.

Formally, let $SK$ be a secret key and $PK$ be the corresponding public key. The KOSK Assumption states that if an entity can perform cryptographic operations requiring $SK$ (like decrypting a message encrypted with $PK$ or signing a message verifiable with $PK$), then this entity possesses $SK$.

In other words, if someone can use $SK$, they are assumed to be the legitimate owner of $SK$.

The remainder of Paper 2 gives a series of remarks on multiparty signature schemes with a more in depth coverage of BLS' security than is absolutely necessary to be familiar with.

`puzzle.log()`

My puzzle solving log, lightly edited for readability. You might be interested in this as a map of my state of mind while thinking about the puzzle. Keeping a log helps navigate overwhelming context dumps, and to avoid doing wrong and/or stupid things repeatedly. I use Obsidian to take these notes, for which I have written an extensive setup and usage guide. My repo can be found here. For taking math notes, I generally use a whiteboard or ipad for my scratch space before writing down my clean notes here, which helps to think n scratch faster.

initial problem description

We are tasked with forging a signature.

Bob has been designing a new optimized signature scheme for his L1 based on BLS signatures. Specifically, he wanted to be able to use the most efficient form of BLS signature aggregation, where you just add the signatures together rather than having to delinearize them. In order to do that, he designed a proof-of-possession scheme based on the B-KEA assumption he found in the the Sapling security analysis paper by Mary Maller [1]. Based the reasoning in the Power of Proofs-of-Possession paper [2], he concluded that his scheme would be secure. After he deployed the protocol, he found it was attacked and there was a malicious block entered the system, fooling all the light nodes…

1: https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf

2: https://rist.tech.cornell.edu/papers/pkreg.pdf

noted keywords:

delinearize bls signatures
B-KEA - 1
proof of possession - 2

Immediate candidates for bugs:

pok_verify - perhaps there’s a corner case that pok_verify doesn’t check
aggregation and verification - does it match the BLS spec aggregation step?

The PoK seems more suss than bls, since the we’ve been informed that the implementer designed their own PoK scheme.

initial things to look at, after skimming code

aggregates public keys correctly? - yes
aggregate_signature - huh, we construct this, instead of just publishing our individual signature? that’s one vector for not actually knowing our secret, which leaves pok_verify as the only other measure
bls_verify verifies sig agg correctly? - yes
pok_verify verifies individually proofs correctly? - yes

notes on BLS signatures

a good portion of this comes from copy-pasting my existing notes (e.g. on BLS signatures), and/or telling chatGPT to write a good note on topic for me and editting it

BLS signature aggregation alg:

Individual signing

Each individual signature $\sigma_i=sk_i\cdot H(M)$ is curve point on G2. Each public key $pk_i=sk_i\cdot G$ is a curve point on G1.

Individual verification and BLS verification

Verification for any individual signature $\sigma_i$ is the same as for the entire signature, so we drop the indices: $$e(pk, H(M) = e(G_1,\sigma)$$

Signature aggregation

Simply compute the sum of the signatures and sum of public keys: $$\sigma_{\text{agg}} = \sum\limits_{i=1}^{n} \sigma_i=(\sum\limits sk_i)H(M)$$ $$pk_{\text{agg}}=\sum\limits pk_i=(\sum\limits sk_i)G$$

BLS code check

We don’t test the individual signatures for correctness. This seems weird, as noted above.

public keys look correctly aggregated

1
2


 let aggregate_key =
 public_keys.iter().fold(G1Projective::from(new_key), |acc, (pk, _)| acc + pk).into_affine();

But we get to choose the aggregated signature, rather than submitting an individual signature, which seems like an attack vector for sure.

bls signing check

1
2


#[allow(dead_code)]
fn bls_sign(sk: Fr, msg: &[u8]) -> G2Affine { hasher().hash(msg).unwrap().mul(sk).into_affine() }

matches signing algorithm given above, $\sigma_i=sk_i*H(M)$

bls verify check

recall that we don’t verify individual signatures. We have aggregated $pk=G * sk$ and $\sigma=sk * H(M)$. We compute 2 pairings to check:

$$e(pk,H(M))= sk* e(G,H(M))=e(G,\sigma)$$

bls verification code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


/// multi_pairing: vec<g1>.zip(vec<g2>).map(pairing) and then subtracts one pairing from the other
fn bls_verify(pk: G1Affine, sig: G2Affine, msg: &[u8]) {
// what's deal with `neg`? Looks off
 assert!(Bls12_381::multi_pairing([pk, G1Affine::generator()], [
 hasher().hash(msg).unwrap()
 .neg(), // what?
 sig
 ])
 .is_zero());
}

Looks like we’re taking a negative for some reason. That means our pairing looks like: $$e(pk, -H(M)) = e(G,\sigma)$$ but $\sigma=sk * H(M)$, not $-sk * H(M)$, so there’s only a few values $sk$ could have: $$sk = -sk \mod N \implies 2sk = N $$ where $N$ is the modulus of field Fr that $sk$ lies in. Since $N$ is an odd prime (has no 2 divisor), we have that the aggregate $sk=0$. Our agg sig is then: $$\sigma= sk*H(M) = 0 * H(M)=\mathcal O$$ our shared public key is also just $\mathcal O$, so we choose our individual public key: $$pk_9 = \mathcal O - \sum\limits_0^8 pk_i$$

first shot

Do we win?!³

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


pub fn get_hack(
 pks: Vec<(G1Affine, G2Affine)>,
 msg: &[u8],
) -> (G1Affine, G2Affine, G2Affine) {
 let new_key = pks
 .iter()
 .fold(G1Projective::zero(), |acc, (pk, _)| acc - pk)
 .into();
 // dunno about proof
 let new_proof = G2Projective::generator().mul(Fr::zero()).into_affine();
 let aggregate_signature = G2Affine::zero();
 debug!("new_key: {:?}", new_key);
 (new_key, new_proof, aggregate_signature)
}

first attempt at soln

Still need to figure out what to put in proof $\pi$.

Do we at least satisfy the BLS check?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


/* Enter solution here */
let (new_key, new_proof, aggregate_signature) = get_hack(public_keys.clone(), message);
/* End of solution */

// pok_verify(new_key, new_key_index, new_proof); // not happy
debug!("pok verified successfully");

let aggregate_key = public_keys
 .iter()
 .fold(G1Projective::from(new_key), |acc, (pk, _)| acc + pk)
 .into_affine();
debug!("agg key created successfully");
bls_verify(aggregate_key, aggregate_signature, message)
warn!("win");

puzzle main, sans pok_ver which we haven’t gotten yet

We do. Very cool. Note that we tried some other stuff to see if we could satisfy bls_verify in some other creative ways too.

but how do we satisfy `pok_verify`

pok verify code:

1
2
3
4
5
6
7


fn pok_verify(pk: G1Affine, i: usize, proof: G2Affine) {
 assert!(Bls12_381::multi_pairing([pk, G1Affine::generator()], [
 derive_point_for_pok(i).neg(),
 proof
 ])
 .is_zero());
}

which corresponds to $$e(pk_9, -R_9 = e(G,\pi_9)$$ So we need $\pi_9= -sk_9*R_9$ (note that 9 is the index of my key).

They actually give us a nice convenience helper to write proofs, thanks Kobi!⁴

1
2


#[allow(dead_code)]
fn pok_prove(sk: Fr, i: usize) -> G2Affine { derive_point_for_pok(i).mul(sk).into() }

which would imply that $\pi =R*sk$, dropping the negative. Huh. Idk. There’s very possibly a negative bug somewhere in my life.

We either need to derive $pk_9$ by means unknown, or else, if the proofs are malleable by some twisted algebra, we win. The proofs don’t look malleable, and the rng doesn’t look game-able.⁵

To the reading!

he looks to the reading

revisit keywords:

delinearize BLS signatures
- neither paper uses the word. chatGPT is reluctant and handwavey to define it. only few mentions appear in a search. chat suggests that it involves checking an additional pairing constraint on a secondary hash function, meaning our OG hash function could be underconstrained.
B-KEA - feed the paper to chat, who says:
- The Bilinear Knowledge of Exponent Assumption (B-KEA) is defined over group elements and a bilinear map. It states that, if there exists an algorithm that can produce a certain group element in a bilinear group setting, then there also exists an extractor that can compute a related exponent.
- That basically says, if we can produce the faulty proof $\pi$, then we can extract $sk$ and break the discrete log problem. That seems bearish.
proof of possession - feed the paper to chat, who says:
- Proofs of Possession (PoPs) are mechanisms used to demonstrate that a party possesses a secret key corresponding to a given public key, without revealing the secret key itself. PoPs typically involve the party generating a cryptographic proof, such as a signature using their private key, and then presenting this proof alongside their public key. The verifier checks the proof to ensure that it was indeed created with the corresponding private key. This method ensures that a party cannot claim to own a public key without actually possessing the associated private key.
  - that is indeed what we’re trying to break. We want $\pi=sk*-R$, which we can only compute if already have sk. We have pk we want to derive sk to break the PoP.

Interlude

I read the papers some more, and found them not entirely helpful. Their proofs asserted that everything was fine, which seemed untrue. So I screwed around on the whiteboard a bit more to commit the equations to heart before going to bed. In the morning, as I lay in bed dreaming of algebra, there was insight. I ran to the algebra machine.

honey, get the randomness malleability hammer

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


// on second glance, the random nonces are less random than they once seemed 🙊
#[test]
fn test_rng() {
 // let G = G1Projective::generator().into_affine();
 let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
 let R = G2Affine::rand(rng);
 let R_1 = R.mul(Fr::from(2));
 let R_9 = R.mul(Fr::from(10));
 assert_eq!(derive_point_for_pok(1), R_1); // pass
 assert_eq!(derive_point_for_pok(9), R_9); // pass
 use ark_ff::Field;
 let five_inv = Fr::from(5u64).inverse().unwrap();
 let R_9_to_1 = R_9.into_affine().mul(five_inv).into_affine();
 assert_eq!(R_1, R_9_to_1); // pass
 // oh fun, we nearly done
 //
 // we can construct stuff.
}

not so random anymore!

described in greater depth in puzzle.solve() above.

changelog

2024-01-23 - majority of log written
2024-01-24
- solved the problem while sleeping, woke up with divine insight
- copy log over, edited for readability
- wrote solve() and deets()

footnotes

It doesn’t. We can choose $\pi$ however we want. ↩︎
Sorry, I play a little fast and loose with whether I start from 1 or 0, so don’t pay too much attention to the indices. ↩︎
He did not win. ↩︎
Woe unto thee, Kobi, architect of ledgers and guardian of chains! Kobi you fool, for your help, I shall betray you! Your fields shall burn as I deceive your L2 light clients! We hack-eth your PoK and thus rain fire and brimstone upon nodes! With this hammer, I do decentralize your walls and scatter shards, crypto-Canaan anew. As Pharaoh’s heart was hardened, so shall be the fate of thy PoK. ↩︎
Hard enough, he did not look. ↩︎

Solving ZK Hack IV puzzle 1 - Gamma Ray

thorck@protonmail.com (Thor) — Thu, 18 Jan 2024 00:00:00 +0000

What follows is a solution to ZK Hack IV, Puzzle 1. ZK Hack is a series of zero-knowledge cryptography CTFs, workshops, hackathons, and study groups. Thanks to the ZK Hack organizers for creating this CTF, Geometry for this puzzle, and the ZK Hack community. Thanks to Paul Gafni and Daira Hopwood for discussion.

You might be interested in this post if you’re interested in:

a smattering of zk-related trivia about nullifiers and elliptic curves
The process of (cryptographic) puzzle solving

Recommended reading order:

read this post top to bottom for a concise description and solution of the puzzle first, some mathematical nuggets to hold onto, and finally the messy stream of consciousness log of problem solving.
read this post back to front for the order in which it was actually written (messy problem solving log, then cleaned up and bloggified knowledge nuggets).

`puzzle.solve()`

background

all the knowledge nuggets you need to solve the puzzle

We have a merkle tree constructed with the poseidon hash function over elliptic curve MNT_753_4, with public keys stored at the leaves.
Miyaji–Nakabayashi–Takano (MNT) curves are pairs of elliptic curves suited for elliptic curve pairings; that is, the (scalar, base) field for MNT_753_4 correspond to the (base, scalar) field for MNT_753_6.
A nullifier in Zcash is a unique hash of the public keys stored at the leaves of the merkle tree. For curve generator point $G$ and secret scalar $s$, the public key $pk$ is computed simply, $pk=sG$. Thus the nullifier may be computed: $N=H(pk)$.¹
The prover in the nullifier argument provides a ZK proof of knowledge of $s$ such that the nullifier hash is correct:²
- $N=_?H(pk)=H(sG)$
In this puzzle, we use the Groth16 prover to construct a zk proof of the correctness of the hash.
Zcash uses the Jubjub elliptic curve for their nullifier argument. Jubjub does not support a pairing function.
As remarked on in Zcash spec lemma 5.4.7:

Lemma 5.4.7. Let $P=(u,v) \in \mathbb J^{(r)}.$ Then $(u,-v) \not \in \mathbb J^{(r)}$ (subgroup of Jubjub of order r).

The lemma lends itself to a storage optimization for nullifiers over Jubjub: if $P=pk=(u,v)$, (note the switch to $u,v$ denotes that we are using Twisted Edwards form, rather than Weierstrass form, expanded on in more detail below). We may choose to only store the $u$ coordinate of $pk$, to avoid redundancy.

That is, instead of taking the hash $H(pk)$ as suggested above, the Zcash nullifier takes the hash of only one coordinate: $H(pk.x)$. This optimization is particular to Jubjub, not universal to all curves; and in particular, is not true of MNT_753_4.

We now demonstrate the exploit.

the ‘sploit

The puzzle solution in short

Suppose $pk = sG = (x,y)$, and nullifier $N=H(sG.x)$. Recall that nullifiers must be unique to avoid double-spends. We give a constructive algorithm to obtain $s’$ such that $N=H((s’G).x)$.

Let $s’G=(x,-y)$, assuming such a point exists on our subgroup. Let the order of generator $G$ be denoted $n$. Then: $$\begin{aligned} s’G &= \mathcal O - sG \\ &= nG - sG \\ &= (n-s)G \\ \therefore s'&=n-s \end{aligned}$$

If there exists $s'$ such that $s’G=(x,-y)$ is a point on the curve, then nullifier $N$ may not be unique, that is: $$H(sG.x) = H((x,y).x) = H(x) = H((x,-y).x)= H(s’G.x) $$

Which we may implement as follows:

1
2
3
4
5


/// given a leaked secret, return the double spend secret
fn get_hack(leaked_secret: MNT4BigFr) -> MNT4BigFr {
 let n = MNT4BigFr::from(MNT6BigFr::MODULUS);
 n - leaked_secret
}

github link

One hiccup. We assumed (hoped) that $(x,-y)$ lay on the curve. On Jubjub, it does not. Why does it exist on MNT_753_4? It’s time to put our twisted Edwards hats on.

`puzzle.deets()`

extended background on twisted Edwards elliptic curves, Zcash lemma 5.4.7

Twisted Edwards, and proof Zcash Lemma 5.4.7 with added notes

This lemma was initially confusing; thanks to several folks who helped clarify, including the author of the lemma herself. Historical record of my confusion notes here.

It may be helpful to first recall the twisted Edwards (tE) curve equation[^3]: $$au^2 + v^2 = c^2(1 + du^2v^2)$$

The point addition law: $$\begin{aligned} u_3 &= \frac{u_1v_2 + v_1u_2}{1 + du_1u_2v_1v_2}\\ v_3 &= \frac{v_1v_2 - au_1u_2}{1 - du_1u_2v_1v_2} \end{aligned}$$

And the point doubling law: $$\begin{aligned} u' &= \frac{2uv}{1 + du^2v^2}\\ v' &= \frac{v^2 - au^2}{1 - du^2v^2} \end{aligned}$$

Finally, note that on a tE curve, $-P=(-u,v)$, not $(u,-v)$. Further, all of $(\pm u, \pm v)$ lie on the curve, but may or may not lie on the given subgroup. The point at infinity is denoted $\mathcal O = (0,1)$.

Lemma 5.4.7. Let $P=(u,v) \in \mathbb J^{(r)}.$ Then $(u,-v) \not \in \mathbb J^{(r)}$ (subgroup of Jubjub of order r).

Proof If $P=\mathcal O_J$ is the point at infinity then $(u,v)=(0,1),$ but $(u,-v)=(0,-1)$ which does not lie on the subgroup. All other points $P$ have odd order. Because $P$ lies on some subgroup of order $r$, chosen to be an odd prime.

Further, $v\ne 0$, since if $v=0$: $$au^2+0^2=1\implies u=\pm \sqrt {1/a}$$ An application of the group doubling law, gives: $$ \begin{aligned} u' &= \frac{0}{1 + 0}=0 \\ v' &= \frac{0 - au^2}{1 - 0}=-au^2= -a(1/a)=-1 \end{aligned} $$

Which implies that $[2]P=(0,-1)$ (which does not lie on the subgroup, as argued above) then $2=(0,1)=O$, which obtains $P$ of even order, a further contradiction.

Now, anticipating contradiction, let $P=(u,v), Q=(u,-v)$ be points on the subgroup. By the doubling formula, we have that $[2]Q=-[2]P$: $$\begin{aligned} [2]Q.u &= \frac{2u(-v)}{1 + du^2v^2}=-\frac{2uv}{1 + du^2v^2}=(-[2]P).u\\ [2]Q.v &= \frac{v^2 - au^2}{1 - du^2v^2}=[2]P.v=(-[2]P).v \end{aligned}$$

But also, $2=-[2]P$. Therefore either:

$Q=-P$, a contradiction, since $u=0$ only for $\mathcal O$
Or, doubling is not injective on the subgroup, which contradicts the subgroup’s having odd order.

Lemma 5.4.7 applied to `MNT_753_4`

Returning to the problem, we might ask why we were able to assume that, given $P=(x,y)$ over MNT_753_4, why $(x,-y)$ existed? Because the Prover was defined over good old affine, Weierstrass point coordinates, not Twisted Edwards coordinates!

In the Weierstrass affine coordinate system, we’re working over an entirely different group law, and if $(x,y)$ exists on the subgroup, $(x,-y)$ exists too.

now we steal all the coins, ahem, submit a whitehat bug report

`puzzle.log()`

My puzzle solving log, cut short for readability. You might be interested in this as a map of my state of mind while thinking about the puzzle. Keeping a log helps navigate overwhelming context dumps, and to avoid doing wrong and/or stupid things repeatedly. I use Obsidian to take these notes, for which I have written an extensive setup and usage guide. To see the full log, see this hackmd.

After a bit of information gathering, we know a few things:

curves: we’re using the MNT4/6 cycle of curves for our nullifier, which support a pairing function. Zcash uses the BLS12-381 (pairing-supporting) curves for the nullifier argument. No actually, they use Jub-jub for this, which is pairing-unfriendly.
- ~~both are pairing friendly~~.
- MNT embedding degree 4 and 6, ~~while the BLS curves have embedding degree 12. Larger embedding degree means less efficient pairing computation, and a harder DLP~~.
- ~~BLS has a smaller field size~~.
nullifier argument:
- $N:= H(sk,r)$ where N is the nullifier, H the poseidon hash, r a random nonce, and sk the secret key
  - It does not look like there is a random nonce included included in the hash eval; we see LEAFH::evaluate(&leaf_crh_params, [leaked_secret]), where leaf params are just the poseidon config, and leaked secret is the secret key.
- the zcash-style proof should show:
  - knowledge of (sk, r) such that the nullifier hash is correct
  - knowledge of (v,a,r) such that H(v,a,r)=C - that the coin exists
    - v the note’s value, a the address, C a commitment to the coin’s existence
  - that nullifier N has not already been published
Poseidon is an algebraic hash function used in zk circuits. Its parameter selection here looks a little different from the parameters that Zcash selected, though a vuln in Poseidon parameter selection would be surprising to me, given the hints. Two differences noted in param selection, from the zcash spec:
- partial_rounds = 56 - diff; partial_rounds = 29
- alpha = 5 - diff; alpha = 17
- didn’t check the vector of raw values, or the MDS matrix
Groth16 - the only element of the Groth16 proving system that factors in here is the specification of the SpendCircuit, so it seems unlikely that we’ll find any Groth16-related bugs. The circuit checks:
- outputvar from root
- paramsvar’s for leaf_params and two_to_one_params (which are the same)
- fpvar witness for secret
- outputvar from nullifier
- g1var constant for g1 generator
- pathvar witness for proof
- to construct leaf_g:
  - assign g1var constant for G1 generator (base)
  - construct public key from secret key
  - leaf_g is the public key
- assert that:
  - secret < MNT6’s modulus
  - nullifier hash is correctly calculated
  - leaf_g lies in the merkle tree at index 2
    - recall leaf_g = g1_generator * secret
Shape of the problem, we have:
- a merkle tree, with the target leaked secret at index 2, configured to hash with poseidon over the MNT4BigFr Field
- a nullifier constructed from the hash of the leaked secret
- we want to construct a cheater-secret such that:
  - secret < MNT6’s modulus
  - nullifier hash is correctly calculated:
    - N == LeafHG::evaluate(&params, &[my_secret])?;
  - leaf_g lies in the merkle tree at index 2
    - recall leaf_g = (g1_generator * my_secret).x
- in other words, we have: want construct a secret that obtains a hash collision:
  - h(params, cheat_secret) == h(params, secret)

 root
/ \
h(h0,h1) h(h2,h3)
| | | |
h0 h1 h2 h3 (this row: leaves.bin)
| | | |
l0 l1 l2 l3
^(leaked_secret.bin)

Issue: how are we going to construct a hash collision?

hint 1 updated: see zcash spec lemma 5.4.7 for bob’s reasoning on why to only use the x coordinate when storing public keys.

Lemma 5.4.7. Let $P=(u,v) \in \mathbb J^{(r)}.$ Then $(u,-v) \not \in \mathbb J^{(r)}$.

initial thought: the hint suggests that the x coordinate for the point on the chosen curve may not be unique, i.e. that for $P=(x,y)$, there may exist $y'$ such that $Q=(x,y')$. Then we would have:
- a new nullifier: $N=H(s)$ and $N'=H(s')$
- but with leaf: $l=(s’G).x=(sG).x$, such that the merkle proof verifies correctly.
by the hint, it seems likely that the point we want is $s’G=(x,-y)$.

Given leaked secret $s$ such that $k=(sG).x$, we want to obtain $s'$ such that: $$k'=(s’G).x=(x,-y).x = x = (x,y).x = (sG).x =k$$ Is it possible that $(-s)G=(x,-y)$? Seems unlikely. Checks: nope. Let’s read the proof very carefully.

It’s not immediately obvious how we will peel off $s'$, i.e. solve the discrete log problem. Jubjub, the zcash curve which the lemma describes, does not have a pairing. Can we exploit the pairing? $$e(s'*G_1, G_2)=e(G_1, s'*G_2)= s'*e(G_1,G_2)=s’G_T$$ Maybe if solving the discrete log problem in $G_T$ or $G_2$ is easy, but still, that feels unlikely to be it. But Jubjub isn’t pairing friendly; mnt4/6 is, so that feels like a big hint that we just haven’t figured out how to use yet. Might be worth throwing an hour at the whiteboard.

Still, we’ve made some progress. The state of the problem is now:

we want to obtain $s'$ such that $s’G=(x,-y).x$ where $(x,y).x=sG$. Solving for $s'$ directly would involve solving the discrete log problem.
we’re pretty sure that there’s an exploit on the pairing somehow to help us solve for $s'$.

Lemma and proof

Lemma 5.4.7. Let $P=(u,v) \in \mathbb J^{(r)}.$ Then $(u,-v) \not \in \mathbb J^{(r)}$ (subgroup of Jubjub of order r). Proof:

if P is the point at infinity (u,v)=(0,1), but -P=(0,-1) which does not lie on the curve.
all other points P have odd order.
- further, $v\ne 0$. if v=0, then $au^2=1$ then $[2]P=(0,-1)$ then $2=(0,1)=O$, which would have even order.
  - unsure what the $au^2=1$ argument is saying. $a$ is part of the curve equation, $y^2=x^3 +ax + b$. Check: $0=u^3+au+b$–nope. Maybe there’s another curve representation they’re working over, something twisted-ed related. Oh, u,v denotes twisted edwards notation.
- if $v\ne 0$ then $v\ne -v$.
- Let $Q=(u,-v)$ be a point on the curve. We will show $Q=-P$ is a contradiction.
  - Then $[2]Q=-[2]P=2$, but $Q.v=-P.v$ is contradiction since $-v \ne v$
    - what? Should expand on that
  - Therefore either $Q=-P$ or else doubling is not injective on the curve, which contradicts the curve’s odd order.

Hint 2 released:

Note that the MNT curves are represented in Weierstrass from in the circuit, and use the fact that both (x,y) and (x,-y) are valid points for spending

Which confirms my suspicion that we want $s'=(x,-y)$. Let’s find it.

algebraic insight!

$P=sG=(x,y)$
$-P=O-P=O-sG=s’G=(x,-y)$

We observe that for the order $n$ of generator $G$, we have $nG=O$, therefore:

$$\begin{aligned} s’G &= O-sG = nG-sG\\ &=(n-s)G\\ \therefore s'&=(n-s) \end{aligned}$$ However, note that $s$ lives in the mnt4::Fr field, but the order $n$ of generator $G$ will live in mnt4::Fp, so we’ll have to do a type conversion.

changelog

2024-01-22 - final draft
2024-01-24 - zk hack solution published; fix typos in blog and publish

footnotes

^3]: Why do we use twisted Edwards curves at all? Speed. Every Montgomery form elliptic curve has a birational Twisted Edwards equivalent, though not necessarily a simple Edwards equivalent. Edwards curves have fast addition algorithms, and Twisted Edwards curves are nearly as fast, enabling faster point operations for many curves currently in use.

Unrelated to this puzzle, the Zcash nullifier argument also includes a nonce, so that a public key can be used more than once: $N=H(pk,r)$. ↩︎
Unrelated to this puzzle, the Zcash nullifier must prove two other conditions: (1) that nullifier $N$ has not already been published–this is not included in the proof for the puzzle, but is checked elsewhere in the puzzle driver. Would need to be checked in the proof in real life. And (2) the existence of the note(s) (coins) that will be spent, via proof of knowledge of: ($v,a,r$); the value of the note, address possessing the note, and random nonce, respectively. ↩︎

Walking Through Distributed Key Generation (DKG)

thorck@protonmail.com (Thor) — Thu, 21 Apr 2022 00:00:00 +0000

Walking Through Distributed Key Generation (DKG)

This post is a follow-along to a talk on Distributed Key Generation at DevConnect, Amsterdam 2022 (slides here). It also functions as a stand-alone resource.

The post is intended to briefly introduce the motivation for threshold signatures, relating them to multisignatures, and clarify a Distributed Key Generation protocol introduced by cryptographer Torben Pedersen in 1991, and applied by Gennaro and Goldfeder in their threshold scheme, GG20, S3.1, p14.

Implementing the GG20 protocol has been a core component of my work at Entropy, the trustless decentralized asset custodian.

A mathematically complete description of the protocol begins in the latter half of the document; the first half remains technically high level, and should be accessible to non-technical readers.

Questions and corrections are invited via Twitter.

Knowledge Check!

It will be helpful to be familiar with several concepts:

Langrange interpolation, on which Shamir Secret Sharing relies
Shamir Secret Sharing Scheme
Commitment Schemes, in particular Pedersen’s Commitment Scheme

(everything in cryptography is a scheme, except for programs which are invariably in Rust)

Each have reasonably good Wikipedia articles.

Pallier encryption, Schnorr’s zk proof of knowledge of exponent, and the Feldman modification to Shamir secret sharing, which are used in the signing protocol, will not be necessary here.

What Threshold Signature? And Briefly, What Multisignatures

A t-of-n secret sharing of some secret $u$ produces $n$ “shares” of $u$, of which any $t+1$ can reconstruct $u$. There is some notation confusion whether t-of-n should refer to a minimum of $t+1$ parties or $t$ parties; $t+1$ is the convention used by GG20, so we will use it here.

A similar construction to the threshold signature is the t-of-n multisignature:

$n$ parties hold private keys
Some trusted entity (eg. a smart contract) collects $t+1$ unique signatures on some message, (eg. a transaction), and then signs that message itself

In a t-of-n threshold signature:

Key Generation: Some secret key $u$, secret to all parties, is constructed. At the end of a DKG, every party possesses some secret share from which $u$ may be reconstructed. No party knows another party’s share.
Any $t+1$ parties can collaborate to sign a message, producing a single signature. No party learns of any other party’s share. The protocol effectively reconstructs the private key, $u$, in zero knowledge, and uses it to sign a message.

Relative Advantages of a multisignature

Simplicity of implementation: the trusted party simply must store and verify $t+1$ signatures, before constructing its own
No new cryptography
Async: parties do not need to all be online at the same time

Relative Advantages of a threshold signature

Space-efficiency, verifier-efficiency: Only a single signature need be stored and verified
Modularity: The implementation logic of a threshold signature can be isolated from the environment that verifies the signature, allowing a threshold signature to be computed entirely off-chain

But what if we just…centralized it?

In this centralized setting, a trusted party, Alice, will construct all the shares, and simply send them to the $n$ parties. Alice may simply pick her favorite secret sharing scheme (eg. Shamir’s) to do so.

In the centralized setting, Alice is a back door to the threshold signature, as she may simply construct signatures using the private key. In the next section we will eliminate Alice as a trusted party for true DKG.

The centralized scheme has one “key” property: Alice can bring her own private key to the threshold signature, where the rest of the threshold signing protocol continues as if Alice were a normal player. That is to emphasize that, in the DKG model, an entirely new secret key is constructed that no player possesses.

Therefore, if Alice were to delete her private key, then the setting would be identical to the next section. Since it is impossible to verify whether Alice has kept a copy, we turn to cryptography to construct Distributed Key Generation.

Cryptography time!

This section follows S3.1 in GG20. In several places, I’ve added notation not in the original paper. These are explicitly labelled, noted to avoid creating confusion.

The DKG proceeds in 3 phases. Participants in the protocol will be called “players”.

A word of warning: there will be many moving parts here. Note-taking is encouraged.

Phase 1

Each player selects their private share, and broadcasts a commitment to it. The $:=$ notation is used here to denote a calculation done by a given player.

Each player, $P_i$ constructs:

$u_i$, an initial private share, selected at random by the player
$(KGD_i,KGC_i):=(g^{u_i}, Com(g^{u_i}))$, a commitment to the hiding of $u_i$ to send to each other player. Note that this is essentially a commitment to a commitment of a secret.

Each player receives:

$KGC_j\space \forall j$, the commitment broadcast by all other players
$E_j\space \forall j$, the (Pallier) public key, broadcast by all players. This will be used to encrypt messages sent to player $P_j$, and to perform the signing protocol. That it is a Pallier cryptosystem public key is irrelevant for the scope of this post.

Phase 2

Players first decommit their public keys (broadcasting $g^{u_i}$), then perform a secret sharing and determine the group secret sharing.

Denote the $(t,n)$-secret sharing scheme of the secret $u_i$ (my notation): $$SS_{t,n}(u_i:\text{secret},z:\text{evaluation index})=u_i+a_{i,1}z+…+a_{i,t}z^t$$ and the the jth evaluation of the polynomial, $$s_{i,j} =SS_{t,n}(u_i,j)=u_i+a_{i,1}j+..+a_{i,t}j^t=u_i+\sum_k a_{j,k}j^k$$ Where the coefficients $a_{i,k}$ are selected at random by $P_i$. The reader should verify that $P_i$ can compute $s_{i,j}$ for all $j$.

Each player, $P_i$:

assigns $y_j=KGD_j\space \forall j<t$, the hiding of the of each other player’s secret. Henceforth, the symbol $\forall$ denotes for all players.
computes $y:=\prod y_i=g^{\sum u_i}$, the “public key” of the group; the group’s “secret key” will be the sum of shares, $\sum u_i$.
selects random coefficients to construct $SS_{t,n}(u_i,z)$, the temporary secret sharing polynomial for their own secret.
computes shares $s_{i,j}\space \forall j$ to privately send to each other player. Player $P_i$ receives $s_{j,i}$ from each other player $P_j$.
computes $x_i:=\sum_j s_{j,i}$
computes the hiding of $x_i$, $X_i=g^{x_i}$

Denote the group secret $x=\sum u_i$.

We will now show that Player $P_i$ has computed a $(t,n)$ secret share of $x$: $$x_i:=\sum_j s_{j,i} = \sum_j SS_{t,n}(u_j,i)$$ $$=(\sum_j u_j)+(\sum_j a_{j,1})i+…+(\sum_j a_{j,t})i^t$$ $$=SS_{t,n}(\sum_j u_j: \text{group secret}, i: \text{player index})$$ Note that coefficients of this polynomial are shared by all players, but not known to any player. Therefore, each player $P_i$ now posseses in $x_i$ a $(t,n)$-secret-sharing of $x$.

Phase 3: Verifiability

Suppose Player $P_i$ were able to lie to player $P_j$ about the value of $X_i$, the hiding of their secret key share. This would allow player $P_i$ to volunteer to participate in the signing protocol, but prevent the creation of a valid signature, without anyone knowing!

By adopting the Feldman VSS, which extends the Shamir SS, Player $P_i$ gains the ability to calculate each other player $P_j$’s commitment $X_j$. This step prevents any player from cheating in the signature protocol.

In the Feldman VSS, each party also publishes the hiding of each coefficient of their polynomial, $g^{a_{i,k}}\space \forall k$. For convenience, denote the coefficients of our final polynomial: $$b_k=\sum_j a_{j,k} \quad \text{and} \quad b_0 = \sum u_j$$

Then player $P_i$’s share can be expressed: $$SS_{t,n}(\sum_j u_j,i)=\sum_j b_ji^j$$

By exploiting commitments from Feldman’s, any player $P_i$ may calculate $g^{b_k}\space \forall k$: $$g^{b_k}=g^{\sum_j a_{j,k}}=\prod_j g^{a_{j,k}}$$

Where each player broadcast the hiding of their coefficients $g^{a_{i,k}}$ as part of the Feldman protocol. Player $P_i$ exploits the above lemma to compute $g^{b_k}$, and may thereby compute $X_j$: $$X_j=g^{x_j}=g^{\sum_k b_kj^k}=\prod_k {(g^{b_k})}^{j^k}$$

There are several checks from Phase 3 that are elided. They are straightforward, but would require introducing Pallier encryption, Schnorr’s zk proof-of-knowledge-of-exponent, and a square-free proof, which I feel would bloat the scope of this post.

Wrap up

Yay, you made it here! Things you may have learned:

An application of repeated secret key sharing to construct a distributed secret
What threshold signatures are, and how they compare to multisignatures
Taking good notes is hard!

Experiment: How Effective is Prototyping? Measuring Developer productivity in Python and Rust with Project Euler

thorck@protonmail.com (Thor) — Sat, 16 Oct 2021 00:00:00 +0000

I was interested in the time-effectiveness of problem-solving different programming languages. I looked for research around comparative developer productivity across languages, but came up mostly empty-handed, so I constructed an personal experiment using Project Euler.

Professionally, I write Rust for the smart contract platform NEAR. Years ago, I learned to program in Python, though have not written much for several years, and wanted an excuse to brush up.

In Short:

I solved the first 50 problems in Project Euler in Rust and Python, randomizing the language I started in, then translating the solution to the remaining language. I timed each part of the process. After an adjustment period to regain Python familiarity, I found that solving problems in Python was substantially faster than solving the problems in Rust, even despite my greater experience with the Rust programming language.

My data suggests that any problem taking 35 minutes or more to develop a solution in Rust alone could plausibly be solved quicker by first developing a solution in Python, then translating the solution to Rust.

I note that there are confounding factors to my case study whose effect sizes I have little capacity to estimate the impact of; readers are advised to refrain from over-extrapolating from a case study by a single developer on his sample size of 50 (actually 24, see Confounding Factors below) scope-constrained problems.

Results (see spreadsheet, see code):

Prototyping was worthwhile for any task of reasonable (>35 minutes) complexity; ie. where the solution was not immediately obvious
Python-first implementations averaged 20 minutes, Rust-first implementations averaged 34.7 minutes, a ~40% time difference
Solution translation time averaged 12.5 minutes, both from Rust to Python and vice versa.
The most effective way to increase the time on any problem was to be interrupted repeatedly, followed by trying to solve the problem in a dumb way, and having to re-approach the problem.
Imperative-style solutions were generally harder to debug than Functional-style solutions. Debugging accounted roughly half (not measured) of the total time spent programming. Minimizing the number of mutable variables was useful for debugging, as was preemptively writing debugging logs.
Usage of the Python REPL was less cumbersome than writing Rust tests for testing pieces of code.
My Python fluency increased over the course of the experiment, while my Rust fluency appeared to stay roughly constant.
I hypothesize that language minutia (eg. references, mutability constraints, types) competes with attention toward the total solution, reducing developer productivity for complexity.
Further, I hypothesize that simply whiteboarding out a solution before implementation may have even greater returns on efficiency, as whiteboarding has the least language minutia of all languages :I

Data and Graphs

Data

	mins: solve	mins: translate	mins: rs solve	mins: py solve	mins: rs from py	mins: py from rs
AVERAGES:	25.9	12.3	28.8	22.4	12.5	12.1
AVERAGE: first 25	23.3	12.1	22.0	24.7	12.6	11.7
AVERAGE: 10-25	30.9	16.6	28.1	37.3	20.9	14.6
AVERAGE: last 25	28.2	12.5	34.7	20.0	12.4	12.5

Graphs

Looking but not Finding: The Curse of Walled Garden Research Journals

On Google Scholar and Arxiv, I searched for:

"programming language" efficiency OR productivity
"programming language" AND (productivity OR efficiency OR effectiveness OR prototyping)
comparative "programming language" AND (productivity OR efficiency OR effectiveness)

among several other permutations of keywords.

Unfortunately, results from Google Scholar of any relevance were universally behind journal paywalls, while results from Arxiv were irrelevant. Several results looked reasonably promising, but lacking a subscription to SAGE, Elsevier, or IEEE, the closest I got to any substantial research about the comparative effectiveness of programming languages in terms of developer time was an article by Donnie Berkholz on "Programming languages ranked by expressiveness" from 2013, which was reasonably interesting, but entirely off topic for this review.

I'm not a professional researcher. If someone with more research cred has insight about how I might do better research in the future without paying for journal subscription, I'd love to receive an email from you at thorck at protonmail dot com.

Confounding Factors

Over the course of the experiment, my life was at least a standard deviation over the mean Level of Chaos (the other LoC). Travel, a job change, and personal life changes extended the length of the experiment and disrupted a couple problems. If disrupted, I stopped my running timer and added the taken time to the remaining time to complete the problem. Nevertheless, the variance effects of my meatspace environment on my programmatic attention is difficult to account for. I dropped two problems (18 and 26) from analysis, as they were subject to repeated interruptions and false starts.

My sample size amounts to 50 problems, of which the first 10 were unusually easy to complete. My python fluency returned over the course of the experiment, and the earlier questions are unlikely to reflect the actual results of the experiment. The final 24 problems are a better indicator on effectiveness of Python implementation, and from what I draw my results. This is admittedly, not a large sample size.

Further Questions

If I return to Project Euler for problems 51-X, I would like to test my hypotheses that whiteboarding would likely be as effective as, if not more effective, prototyping a solution in Python.

I'd also be interested in swapping Rust out for another language. Among my industry's lingua franca are Rust, Go, Typescript, and Solidity, though I maintain a personal fascination with more functional languages. Of these, I'd probably choose to swap out Rust for Go (admittedly a very unfunctional language).

Finally, Project Euler problems are reasonably small-scope, and well defined by programming standards. Research on the value of prototyping, for instance, a command-line tool, or a website would be interesting. How significant would differences in language libraries be in confounding the value of prototyping? Is prototyping a better tool for closely scoped problems in general, where the translation from one language to another is reasonably direct? I would guess that, the greater the difference between language libraries, the less worthwhile using another language to prototype would be, as I have done here. But for problems of simple algorithm definition, prototyping seems likely to be at a local maximum for developer utility.

Actionable Takeaways

Outlining Matters. Prototyping was found to be worthwhile when the problem was well-scoped but sufficiently complex. Any problem taking more than 35 minutes to develop a solution for in Rust was worth prototyping in Python. If given choice of language to take a programming interview, I would consider choosing Python over Rust. If taking an interview in Rust, I would emphasize the importance of sketching out a solution on a whiteboard, or as code stubs, before implementing the solution.
Debugging Sucks, So Don't Write Bugs! (or catch them quickly). Anticipating bugs by setting up tests and debugging logs before setting up implementation details was useful for reducing time spent locating problems. Generally prefer functional solutions to imperative solutions. A single mutable data structure is easier to debug than a collection of mutable variables.
"Assembly of Japanese bicycle require great peace of mind!" Distractions are still the Antichrist. I dropped two outlier problems from the dataset. What they had in common: they were started in Rust, I had to rewrite each, and I was distracted and/or pulled away from each of them at least once. My bias to over-value attention health feels justified by the data. Start a problem with a clear mind, without distractions, or else get back to that state of mind.
Think First: Solve the Right Problem with the Right Stuff. Not thinking first is as bad as getting distracted, and is a likely sign that I already am distracted. Reaching the right tools means actively thinking about implementation options before diving in. The reward is not having to rewrite my crappy code, and enjoying more concise and run with lower asymptotic bounds.

NFT Hype: What’s What and What’s to Come

thorck@protonmail.com (Thor) — Fri, 26 Mar 2021 12:16:49 +0100

What's that? Anna asked.

"It's anything you want it to be," said Ted the Tokenmaker.

"But that's not a thing," said Anna.

"That's the magic of crypto," said Olly the Optimist, "the more people believe in these, the more they are."

…

"What's that?" said Alex.

"It's anything you want it to be," said Anna.

"Sounds like magic beans," said Alex.

"They are until they're not, unless they are, but I like them so who cares?" said Anna.

This article responds to the thoughtful piece by Anna Rose, which is recommended pre-reading, as this piece will attempt to respond to the posed questions: What exactly are NFTs for, and what would make me buy an NFT?

How to price NFTs is beyond the scope of this article, but I recommend Nic Carter and William Peaster for some useful takes.

What are NFTs for, and Why you might want one

Much of the noise around NFTs stems from the question, what the hell am I going to do with this? An NFT is a sufficiently general technology that, in theory, there are many uses for NFTs; yet in practice, art and gaming have attracted the greatest share of attention. Looming behind these is the spectre of rampant price speculation, divorcing many NFT products from any semblance of intuitive valuations. At its highest echelons, the NFT investment game is being played by DAOs and whales playing a game of chicken, taking turns in bidding increasingly unbelievable amounts, in turn raising the overall value of their impressive collections (which may then be quietly sold for a tidy profit).

NFTs aren't just for speculation. They're also for status signalling, as Nic Carter of Castle Island Ventures points out:

Most likely, I’m betting that newly-rich Ethereum enthusiasts will see the NFTs as a kind of totem of status, signalling membership in an exclusive club (people that had the foresight to buy the first NFTs on Ethereum, or the financial clout to buy them once they got popular.) My best thesis here is that these are effectively a form of resalable social signalling, like a digital Hermes Birkin bag. The actual contents of the NFT is largely irrelevant.

We see this playing out on Crypto Twitter, where CryptoPunks and MoonCats are becoming increasingly common avatars for prominent crypto community members. Paying the exorbitant price to acquire one of these cements one's identity as a crypto OG, or at least as a community member willing to pay for their status.

Finally though art NFT prices are wild, prices go to supporting artists and artist communities (assuming you're not being duped into fraudulent art!). Much like any piece of art, if a piece on an NFT marketplace like Mintbase, OpenSea, or Rarible catches your eye enough to warrant purchase, do some research about the artist to verify the piece is non-fraudulent before buying. If you do purchase an art NFT, virtual reality worlds like CryptoVoxels and Somnium Space allow users to show off NFTs inside their virtual property (which of course, you may purchase with an NFT).

It's worth taking a time-out to address one criticism of NFTs that seems undeserved. Environmentalist critics have accused NFT artists consuming excessive amounts of energy on Proof of Work chains. But as artist Stirling Crispin points out in an excellently researched essay, NFTs account for about 3% of gas consumption on Ethereum, which in turn uses 0.02% of the total Earth CO2 footprint. There are greater obstacles to energy neutrality than a small community of talented people exploring ways to monetize their work:

The real problem is the giant 72%…it’s fossil fuel subsidies, its coal power plants, its fracking. If your number one motivation is the environment, and you’re behaving rationally, it makes sense to focus on the big things most and the little things least.

Further, NFT platforms are not married to Proof-of-Work blockchains. Mintbase gives our users the tools to deploy their own NFT contracts. We opted to add support for the Proof-of-Stake chain NEAR, so that our users may minimize their transaction costs and environmental impact.

So we've got speculation, status, and support for art and artist communities. I haven't exactly painted a glamorous picture of NFTs, so you'd be excused for the suspicion that NFTs aren't actually that cool. But you'd be WRONG. Downstream from the hype cycle, some great projects are taking form, with NFTs at their core.

Like what?

NFTs are a tool for collaboration and creation. The NFT might be best understood as a Public Key for an item or service, on a public database. The departure from a private database model allows for ease of collaboration, while guaranteeing users to the longevity of their data.

Gaming NFTs, like Dark Forest, Axie Infinity, and Gods Unchained scratch the surface of what's possible, by tokenizing in-game assets, which are easily exchanged on on-chain marketplaces. Further, gaming NFTs can do more than one thing. Imagine if after spending 100 hours grinding in World of Warcraft, the Sword of Coolness item you earned gave you a rare playing card in Hearthstone, a skin in Fortnite, and a ticket to a League of Legends esports event. Since NFTs live on a public ledger, a single NFT can do as many things as there are services willing to attach value to that NFT. Storing game data as an NFT, thereby on a public database, is a departure from prior models, where all data is stored privately. Private databases limit not only users' ability to access and profit from their efforts and data but also limits opportunities for cross-pollination between projects.

Beyond gaming application NFTs in the decades to come are likely to be a force for standardizing an extensible concept of ownership. Extensible, as the base concept of an NFT is very simple. Simplicity that can be extended as the use case demands, by way of extending the base contract, or else by attaching services to the ownership of an NFT. Much like smartphones have simplified the interface to communication, transportation, and social media, NFTs simplify the interface to ownership of access to goods and services.

The NFT-maximal future doesn't have much in common with the NFT speculation today, but for that goods and services that can be represented as NFTs will have incentive to do so, so as to take advantage of ease of issuance, verification, integration with other NFT-enabled businesses, and to reap royalty payments for NFT transfers. Users will be able to view, manage, buy, and sell goods and services across domains. Imagine if your gym membership, blog subscriptions, rewards programs, event tickets, and more, could all be managed, bought, and sold within a single application.

In place of the myriad interfaces we use daily to prove our right of access to goods and services, from tickets to titles to coupons to login credentials, the (1) public, uncensorable verifiability of NFTs, (2) ease of transfer of NFTs, and (3) shared interface to each of these application areas mean that the realm of possibilities of NFT-enabled technology is far-reaching.

Wrap up

To recap. What are NFTs for? At the moment, speculation, status signalling, and artwork are the ascendant NFT applications. But NFTs are incredibly flexible as technological tools, and could someday be for lots of things, or at least, much more than what they're currently used for. Gaming applications are allowing users to reap dividends from their play-time, by representing in-game assets as NFTs. And an NFT future could involve much more (maybe after a hype cycle or two).

The author is a developer at Mintbase, a platform giving users an interface to create and their own NFT minting contracts. We're on Ethereum and have recently launched on NEAR testnet! If you're exploring what's possible with NFTs, check us out.

first posted at the [[https://medium.com/zeroknowledge/nft-hype-whats-what-and-what-s-to-come-9a7642defcb1 ][ZKPodcast blog]]

Zero Knowledge: The Game

thorck@protonmail.com (Thor) — Thu, 11 Feb 2021 12:16:49 +0100

What makes a game a “blockchain game”? A simple definition: some part of the state of the game is stored on a blockchain and is therefore publicly visible. Think chess or tic-tac-toe: each move is a state change on a publicly visible ledger. Compare this to games like League of Legends or Call of Duty, where the game state lives entirely on a private game server.

Suppose we wanted to store the entire game state on-chain. But then, every player would be able to see the entire “game board” and the position of every opposing player. For games like chess, that’s fine. But can we build a game with hidden information like Civilization where players have only a partial view of their environment and opponents?

The game Dark Forest is exactly that. By using zkSNARK cryptography (zero knowledge Succinct Non-interactive ARguments of Knowledge), the developers of Dark Forest have designed a universe and created a game where the state is completely stored on-chain. And yet each coordinate is hidden behind a hash that players may compute. This way all participants can explore and conquer a corner of the universe, and what they discover is consistent with what other participants see when they explore that region.

This article will focus on the game mechanics that the Dark Forest team were able to implement by applying SNARKs, and explore how these schemes push the limit of possible game interaction beyond the limits of prior art, such as commit-reveal schemes.

The Game, Succinctly

In the game of Dark Forest, players compete with one another for interplanetary territory. Players begin in complete darkness. A fog of war covers the universe surrounding their home planet. To explore, the browser makes use of players’ local computing power to compute a hash for each coordinate. Thereafter, that coordinate is revealed to the player and the map is slowly explored. Most coordinates contain nothing but empty space, but some contain planets, either uninhabited, or owned by other players. Once a planet is revealed, the browser can check on-chain to see if another player has staked a claim to the revealed rock, and see if other players try to take that planet.

Beginning with the one planet, a player (let’s call her Alice) publishes state transitions from her original planet to other planets. A state transition moves resources (population and silver) from an owned planet to the discovered planet, thereby colonizing a new planet, or attacking another player’s planet. Moving population between planets is limited by the origin planet’s range and population to move. Players can also upgrade their planets with silver — an in-game resource generated on certain planets that is used to purchase upgrades.

Planets gradually accumulate resources and, as players discover one another, wars break out over high value planets. However, a player is not guaranteed to know where an attack came from; only if the player has revealed the coordinates of an attacking planet will they be able to see the red line indicative of an enemy movement.

What makes the game possible is valid state transitions: how does the game move resources between planets, as on-chain data, without revealing the data, or committing invalid transitions?

What can we do without SNARKing?

Here’s the problem: Alice has a planet X with population N, and wants to send n people from X to planet Y, without revealing information about X, N, n, or Y to the rest of the world (state transitions on silver are in effect identical to population, so we’ll ignore them). Alice will have to prove:

Ownership of X
n < N
A ship from planet X with n population has enough range to reach Y

Without SNARKs, Alice and company can still set their computers to the task of de-fogging the map: hashing each coordinate, looking for planets. There are two schemes that would allow Alice and company to play: 1) a centralized coordinator, or 2) a commit reveal scheme.

Centralized Coordinator Scheme

In the centralized coordinator scheme, Alice and company submit state transitions to a centralized coordinator with a god’s eye view. The coordinator can see X, N, n, and Y, and easily verify that each transition is valid. Most existing games rely on a centralized coordinator.

However, the centralized coordinator is a target for attacks and collusion, either of which could halt the game or reveal the universe to the attacking/colluding party. It’s not really a “Dark Forest” if someone has a universal floodlight, as is the norm with games on hosted game servers! As a cultural side note, companies who host games on servers assuage players’ fears by creating strong punishments for those caught cheating or attempting to cheat by hacking or other measures: players must trust the company’s promise to seek out and ban cheating players.

Commit-Reveal

In a commit-reveal scheme, each participant has some secret s that they want to hide from other players until some event occurs, or after a time delay T. Players publish the hash of their secret, H(s), and reveal the secret after the delay. Poker provides an example: players commit the hash of their cards at the beginning of the round, publishing H(s), and a player reveals the value of s if the hand does not terminate early.

In Dark Forest, players could agree on a time elapse to reveal their actions. If a player revealed an invalid action after the time delay, they could have some or all of their actions reverted, and optionally be punished in some other way (removal, temporary deactivation, etc). In each period, players would commit the hashes of their actions, H(a_1, …, a_k), and the game could proceed, except that no action would be publicly visible until after the period elapsed, along with X, N, n, and Y.

The core problem with a Commit-Reveal scheme is that information eventually must be revealed. Actions are only private up to the point of the next period, not for the entire duration of the game. This incentivizes a longer period of play, but a long period slows game pace, without resolving the fundamental issue of keeping game state private. Revealing concealed information at the end of each interval is fine for round-based games like poker, but not for games with a vast global state with a fog-of-war element (or for that matter, any application that would like to keep mutable state elements indefinitely concealed).

SNARKing through the Fog of Space

By applying a SNARK, Dark Forest players can submit proofs to the Dark Forest contract that X, N, n, and Y satisfy the necessary conditions. The Dark Forest contract verifies the proof, without ever having to know the values of X, N, n, and Y. Therefore, a player can submit moves and upgrade actions to the smart contract without allowing other players to know the contents of their actions.

This is almost perfect zero-knowledge. Other players are still able to see the number of transactions submitted by their rivals, and the block at which each transaction was included. From that on-chain information, a rival could determine when a player was most and least likely to be online, thereby receiving hints about when to attack. To eliminate even that information, Dark Forest would have to operate on a blockchain with shielded addresses or a privacy-enabled Layer 2.

It’s important to note that this applies to more than just games. Zero knowledge technology has broad application beyond Dark Forest. Experiments with zero knowledge systems are underway in voting systems, financial privacy, authentication without identification schemes, and even nuclear disarmament. In a broader context, the power of zero knowledge schemes is to conceal participants’ private information, while guaranteeing honest system-interaction. The Dark Forest zero knowledge game may serve as an approachable introduction to a field that has been respectfully referred to as “moon math”, in reference to its complexity. By bringing broader awareness to this technology, Dark Forest is a harbinger of novel zero-knowledge enabled experiments and applications, introducing the advantages of greater privacy and security in new ways.

first posted at the ZKPodcast blog

Tipping Cows, a Primer on Rust’s Most Bovine Data Structure

thorck@protonmail.com (Thor) — Sun, 05 Jul 2020 00:00:00 +0000

The year was 2020. An epidemic swept across the globe, driving all human life indoors. Unrest concerning police action and longstanding racial inequality in the US drove the very same back into the streets. Like cattle, driven back and forth we were, with global sociopolitical and health trends our ranger.

In other words, there was never a better time to read an primer on Cows. Yes, those magical moo-ers. No, that was a lie. This is going to be about the Cow data structure in Rust, systems programming language and global phenomenon, sorry for the confusion.

So now that I've lied to you once, I hear you asking "Why should I stay?" Well. I offer ye nothing less than knowledge of dark bovine arts. Along the way you'll be sprinkled with Rust language insights and regular attempts at cow-humor.

When you've finished this cool glass of milk, you will know what a Cow is doing when you spot one (in Rust that is, for the alternative consult a local farmer), see several examples of Cow in practice, and maybe even raise your own Cows. Like this. If you're unfamiliar with smart pointers, lifetimes, or the borrowing/ownership system in Rust, don't panic. They're totally on the docket. Cowabunga.

But if you're new to Rust, you might consider first visiting one of the many great explainers of how the compiler helps us avoid careless reference errors by way of its borrow checker. But if you're not here to click links, here's the basic idea:

Similar to C and C++, Rust doesn't have a garbage collector: a process that runs in a program's runtime that tracks which variables reference what data, and when that data will no longer be used, so that memory can be freed up. Most languages (Python, Java, Javascript, C#, Go, etc.) have a garbage collector, which is how they manage memory. In C and C++, memory and references are generally managed by the programmer (and sometimes, programmers make memory management mistakes that may not be obvious until things break). In Rust, the borrow checker does memory management for us, which is ergonomic (don't have to manually manage memory), safe (prevents security errors and issues, especially in concurrent programs), and fast (on par with C and C++). By strictly enforcing a couple rules about mutable and immutable references, we get these nice things.

Enter Cows

If we run over to the Zoo of Rust's Creatures, we find a Cow in captivity:

1
2
3
4
5
6
7


pub enum Cow<'a, B>
where
 B: 'a + ToOwned + ?Sized,
 {
 Borrowed(&'a B),
 Owned(<B as ToOwned>::Owned),
}

The zoo helpfully informs us,

_________________________________________
/ The type Cow is a smart pointer \
| providing clone-on-write functionality: |
| it can enclose and provide immutable |
| access to borrowed data, and clone the |
| data lazily when mutation or ownership |
| is required. The type is designed to |
| work with general borrowed data via the |
\ Borrow trait. /
-----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

Moo. That's a lot to parse. There's roughly three concepts baked into that definition:

What is clone-on-write functionality, and what's the diff to copy-on-write
Why this elitist smart pointer
Where do lifetimes enter in

If you know the answer to all of those questions, you can probably skip ahead to examples. Don't know? Read on!

Let's start with why we care about these concepts: what do we win if we collect them all? Well, in simplest form, we win an runtime optimization technique, for when the data we're handling will sometimes be acceptable to immutably borrow (which is cheap), but other times will have to be owned, which would happen if we had to mutate the data in some way. Back to the concepts.

Copy-on-Write vs Clone-on-Write

Copy and Clone in Rust mean different things. In the non-Rust world, copying usually means reproducing the data at a new location. This is cloning in Rust. Copying is simpler and less expensive: reproduce the data if it's statically sized (ints, floats, bools, etc), or reproduce the pointer if the data is dynamically sized (Vec, String, HashMap, etc). Copying usually happens implicitly; meaning the compiler just does it for us, no muss, no fuss. Cloning, not so: we have to explicitly tell the compiler to clone the data. Any data that can be copied (only fixed size) can also be cloned (fixed or dynamically sized); the reverse is not true. Copy is cheap, Clone is expensive.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


// u32 implements Copy
let i : u32 = 42;
let i_copy = i; // copy occurs implicitly
println!("Can use original int and copy: {}, {}", i, i_copy);

let i_clone = i.clone();
println!("Can use original int and clone: {}, {}", i, i_clone);

// String implements Clone but not Copy.
let s: String::From("Don't Panic")
let s_clone = s.clone();
println!("Can use original string and clone: {}, {}", s, s_clone);

// this will fail, since String does not implement Copy
// let copy_s = s;

Smart Pointers are Runtime Friends

They say runners are are smart (don't ask who "they" are, I'm sure they're out there somewhere). And Smart Pointers are your running friends. Smart pointers were introduced by C++ in the 1990s as a tool to manage resources related to the memory they're pointing to. Like Rust, C++ doesn't have automatic garbage collection, and smart pointers were invented to prevent memory leak situations. Rust does it's best to manages memory without a garbage collector at compile-time with it's ownership system, but at runtime, it's all smart pointers. That's why smart pointers aren't generally a necessary concept to anyone coming from a garbage collected language, like Java or Python (though Java does have a cow).

In the context of Cows, the Cow smart pointer acts like a normal pointer when it merely borrows data, but at runtime, the Cow smart pointer can take ownership of the borrowed data. This is more expensive than borrowing the data: a borrow only requires the borrower to keep a reference to the data, wherever it is. But taking ownership requires the data to be cloned, meaning the runtime will have to reproduce the data on the Heap (whenever we allocate memory in runtime, it's usually safe to assume it's happening on the heap). If the data is particularly large, (a long string or text file, for instance), lazily cloning only when it becomes obviously necessary is a useful optimization.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


use std::borrow::Cow;
fn lazy_abs(input: &mut Cow<[i32]>) {
 for i in 0..input.len(){
 let v = input[i];
 if v < 0 {
 // Clone into vector if not already owned
 input.to_mut()[i] = -v;
 }
 }
}

From Rust's Cow documentation.

Where do lifetimes enter

Lifetimes tell the borrow checker when a borrow is going to end. When a Cow borrows some data, the Cow should never outlive the data. Further, if the Cow takes ownership of the data with a clone, it makes sense that the cloned data still shouldn't outlive the original data. Rememer how we defined Cow? You don't have to, here it is again.

1
2
3
4
5
6
7
8


pub enum Cow<'a, B> // Cow doesn't outlive data with lifetime 'a
where
 // if Cow takes ownership, stay with the herd, keep lifetime 'a
 B: 'a + ToOwned + ?Sized,
 {
 Borrowed(&'a B), // Borrow a generic reference to data B, with lifetime 'a
 Owned(<B as ToOwned>::Owned), // We haven't gotten here yet.
}

Putting it all together

You made it this far cowpoke. Hold onto your milk, because it's time for a pop quiz.

Suppose we've got a struct containing an immutable generic vector. How would we update it to wrap a Cow?

1
2
3
4
5
6
7
8
9


struct VecWrapper<T> {
 v: Vec<T>,
}

impl<T> VecWrapper<T>{
 fn new(v: Vec<T>) -> Self{
 VecWrapper{ v }
 }
}

Well, for starters, we're going to need to import Cow, add lifetimes, and modify some definitions. Let's sprinkle lifetimes everywhere a generic definition appears, and wrap our Vector in a Cow.

1
2
3
4
5
6
7
8
9


use std::borrow::Cow;
struct VecWrapper<'a, T>{
 v: Cow<'a, Vec<T>>,
}
impl<'a, T> VecWrapper<'a, T>{
 fn new(v: Cow<'a, Vec<T>>) -> Self{
 VecWrapper{ v }
 }
}

error[E0277]: the trait bound `T: std::clone::Clone` is not satisfied
--> src/lib.rs:5:3
|
5 | v: Cow<'a, Vec<T>>,
| ^^^^^^^^^^^^^^^^^^ the trait `std::clone::Clone` is not implemented for `T`
|
= note: required because of the requirements on the impl of `std::clone::Clone` for `std::vec::Vec<T>`
= note: required because of the requirements on the impl of `std::borrow::ToOwned` for `std::vec::Vec<T>`
help: consider restricting type parameter `T`
|
2 | struct VecWrapper<'a, T: std::clone::Clone>
| ^^^^^^^^^^^^^^^^^^^
...

Well, it was a noble first try. In the wise words of Rust Sage Gankra, "It should be noted that the authentic Rust learning experience involves writing code, having the compiler scream at you, and trying to figure out what the heck that means." We're living that dream. But the rust compiler is actually pretty helpful here. We need to put a trait bound on T, so that our pet Cow can clone T if and when it needs to.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


use std::borrow::Cow;
struct VecWrapper<'a, T: Clone>
where T: Clone
{
 v: Cow<'a, Vec<T>>,
}

impl<'a, T> VecWrapper<'a, T>
where T: Clone
{
 fn new(v: Cow<'a, Vec<T>>) -> Self{
 VecWrapper{ v }
 }
}

warning: struct is never constructed: `VecWrapper`
--> src/lib.rs:2:8
|
2 | struct VecWrapper<'a, T: Clone>
| ^^^^^^^^^^
|
= note: `#[warn(dead_code)]` on by default
...

Success! If we wanted to take our implementation one step further, the documentation gives an example of wrapping a generic array with a Cow, which would require a couple more trait bounds.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


use std::borrow::Cow
struct Items<'a, X: 'a> where [X]: ToOwned<Owned = Vec<X>> {
 values: Cow<'a, [X]>,
}

impl<'a, X: Clone + 'a> Items<'a, X> where [X]: ToOwned<Owned = Vec<X>> {
 fn new(v: Cow<'a, [X]>) -> Self {
 Items { values: v }
 }
}

Which ends up looking pretty close to our vector wrapper, but since the Vec type implements ToOwned for us and the array doesn't, a we'd have to implement `ToOwned` for our generic array by hand.

Alright, so there's a lot more that can be done with Cows than we got into here. But I'm hoping this was enough of a prod to get you up and mooving with cows. Thanks for joining me, and best of luck in all your future Rust endeavors.

Sources:

Documentation std::borrow::Cow

Smart Pointers Wikipedia

Secret Life of Cows

Leveraging Prediction Markets to Mitigate the Tragedy of the Commons Problem in International Climate Change Agreements

thorck@protonmail.com (Thor) — Thu, 16 Apr 2020 00:00:00 +0000

I wrote this paper as a course paper in sustainability and innovation at the University of Oslo. In the section before the conclusion I propose an original (possibly not, but I didn't find it elsewhere) system for coordinating government agreements around international policy.

Abstract

Climate change presents a pressing range of tragedy of the commons problems, eg. global sea level and atmospheric carbon dioxide concentration. Barring the reduction of democracy to technocracy, there is a niche for innovation in the methodology employed by political bodies toward assessing solution quality and the probable outcome landscape of implementing a policy or resolution. Multilateral policy agendas coordinated between political actors represents one such opportunity. Attempts at collective action solutions often result in the emergence of tragedy-of-the-commons problems. I will analyze the tragedy-of-the-commons failure as pertaining to international climate summit resolutions, and introduce several implementations of prediction markets as a possible solution to the problems incumbent to global climate agreements, and tragedy-of-the-commons problems more generally.

Introduction

Global climate summits an example of the tragedy-of-the-commons problem: political actors employ the ecopragmatist-originated sustainable transformation rhetoric as umbrage for resolution-reneging political failures, while the political incentive to meet international climate summit commitments is regularly outweighed by competing local political factors. Incentivizing multilateral follow-through on climate agreements requires addressing several sub-problems. I will address and analyze the problems incumbent to the present system of climate resolution. Then I explore technocracy as a naive solution to the political problem of information aggregation. Then I will introduce prediction markets, applied to these problems in two possible implementations. Last, I will discuss some of the more common criticisms with prediction markets.

Criticisms of the 2030 Agenda for Sustainable Development

The 2030 Agenda for Sustainable Development and SDGs [a], adopted in 2015 by the UN, outlines 17 goals and 169 targets for reducing poverty and engaging sustainable practices in participating nations. One might infer from the self-congratulatory language used on the website of the European Union that the Agenda’s success is all but assured: “the adoption of the 2030 Agenda was a landmark achievement, providing for a shared global vision towards sustainable development for all.” Claims to the contrary are in evidence. 425 days after the adoption of the Agenda (in 2016), “tangible progress in terms of implementing the SDGs at the country level has been hard to come by” [c], and in the 2019 SDG report, United Nations Secretary-General António Guterres wrote “it is abundantly clear that a much deeper, faster and more ambitious response is needed to unleash the social and economic transformation needed to achieve our 2030 goals” [d]. One obvious problem is the excessive use of vague language in the agenda’s goals, eg. “3. Good Health and Well-Being for people– Ensure healthy lives and promote well-being for all at all ages”, in combination with ludicrously overzealous goals, eg. “1. No Poverty-End poverty in all its forms everywhere.” A child might have written these. For these among other reasons, the SDG goals were called “worse than useless” by The Economist in 2015 [b]. The document continues “All countries have a shared responsibility to achieve the SDGs.” To clarify: the term “shared responsibility” is political umbrage, indicative of no responsibility at all. Political leaders’ motives at summits such as these are not to acquire the relevant information, assemble coherent policy agendas, or otherwise solve any problems at all, but to author rhetorical nonsense, while pretending to be doing something. A better system for aggregating the relevant information and constructing coherent policy agendas is in need. Before proposing an alternative, I analyze some of the problems inherent to the present system. [a] https://ec.europa.eu/environment/sustainable-development/SDGs/index_en.htm [b] https://www.economist.com/leaders/2015/03/26/the-169-commandments [c] https://www.idea.int/sites/default/files/news/16-11-22-The_slumber_of_the_SDGs.pdf [d] https://www.un.org/sustainabledevelopment/progress-report/

Problems Inherent to International Policy Consensus

Three key problems emerge in the UN methodology in designing and implementing goals. The first has to do with the distributed nature of responsibility for implementing policy, resulting in a tragedy-of-the-commons problem. The second has to do with the existing processes by which existing information is aggregated into resolutions and policies. The last has to do with the reporting and accountability process, after resolutions and policies are put in place. The distributed nature of responsibility among United Nations member nations decreases the degree of accountability any particular nation holds in following through on its commitments, eg. As member countries A and B commit to reducing it’s net carbon footprint, country B benefits from country A reducing its carbon footprint, but pays none of the costs incurred by decreasing country B’s own footprint. Thus country B has incentive to renege on its agreements while saddling country A with the costs. The scale of the problem increases with the number of countries, and their relative power differential. For instance, in our previous example, if country B is economically or militarily dependent on country A, country A has further less incentive to sacrifice immediate economic productivity to satisfy an international agreement. This puts weak nations in an impossible political situation, as Leichenko and Silva identify that “not only are the poorest and most marginalized disproportionately affected, but climate change impacts can also exacerbate existing inequalities” [e]. Note that country A may still enter an agreement with no intention of holding to it, so as to enjoy the benefits of other nations’ carbon footprint reduction while paying none of the costs. This provides context for how all 193 of the member countries of the United Nations committed to the SDG agenda, while funding for achieving these goals is 2.5 trillion dollars short of the 5 trillion per annum price tag [f]. The incentive to defect from agreements is a hallmark of the Tragedy-of-the-Commons problem. Holding to the international agreement is in direct competition with satisfying interest groups, promoting economic activity, and securing local objectives. Solving tragedy-of-the-commons problems requires optimization in selecting realistically limited objectives, implementing effective policy to resolve those objectives, and measuring results. Beginning with rational information acquisition, we may ask the question, how well informed with respect to realistic outcomes is current policy? Given that only 2 of the 17 SDG goals are currently on track, it seems safe to conclude: not very. This is a characteristic property of democracy: from the local to the international, voters have little chance to be pivotal in voting, irrational in selecting realistic policy paths, under-informed in policy relevant to them, and tribal in their ultimate policy preference. Their representative politicians, responsible to their constituents, reflect these failures in information aggregation. In this system, relevant information for policy selection is regularly subverted to tribal preference, miscommunicated by media, deprioritized on the basis of technicality, or never brought to light in the first place. The result is the commitment toward ineffective and unrealistic solutions, as in the case of the 17 SDGs. As the power for humans to effect changes on our environment monotonically increases with time, political systems incorporating such failures as these doom the quality of our political decisions. [e] https://onlinelibrary.wiley.com/doi/abs/10.1002/wcc.287 [f] https://www.nature.com/articles/d41586-019-03907-4

Naive Solution: Technocracy

The most naive solution to the criticisms above, in particular with regards to climate action as a primarily scientific and economic domain of policy, would be to simply reduce the poIr of our representative democracy with respect to policy decisions inside certain domains, reallocating the poIr to shape policy to the set of experts perceived to be most relevant. Political systems in this arrangement are referred to as technocracies, and emerge commonly in businesses requiring technical expertise. Though a full analysis of the merits and weaknesses of technocracy is beyond the scope of this paper, a brief treatment of the most relevant problems of technocracy will prepare the ground for prediction markets. Technocracy’s primary advantage in practice is an approximation of meritocracy flavored towards elevating the hierarchical importance of fact-based reasoning and technical ability to engage a somewhat predefined domain of technical problems. The first problem in technocracy one might encounter is a problem with the very definition of what constitutes an “acceptable group of relevant experts.” Each word presents myriad problems. Acceptable to whom? Being acceptable to the public reduces our group of experts to little more than politicians. Being acceptable to other experts (if such a group even exists) exposes age bias, and is still vulnerable to a certain degree of politicking. Does relevant indicate the group should represent a sampling of interdisciplinary fields or should it be more constrained? Should the group’s participants be a dynamic set or a static one? What about overlapping expertise groups? This is to demonstrate that the problem of electing a set of experts in a democracy is quickly reduced to the problem electing politicians. Were it politically popular to elect expects, such would already be the status quo. Even presupposing a mechanism for expert committee selection, a second class of political problem exists: technocracies are aristocracies with a chrome polish. That is, technocracies are closed political systems; once established, members of a technocracy could gate-keep even other experts out of the technocracy. This is acceptable in business, where gatekeeping takes the form of filtering new hires, but not in government, where a political near-invulnerability to criticism is unacceptable. Finally, the problem domains in which technocracies thrive often allow for the opportunity for a posteriori improvements to solutions. Political environments are hostile to iterative policy change; that is, the cost of renegotiating policy decisions is high. Further, there are economic productivity losses in volatile policy environments. Thus policy technocracies are subject to the same constraint restriction of the existing democratic system: policy construction must optimally aggregate the available information landscape while navigating the political network. This implies that the information aggregation problem exists in isolation to the chosen political regime, suggesting that there may be better solutions to the problem of information aggregation with respect to the construction of policy decisions than resorting to a cabal of politically unaccountable domain experts. Prediction Markets in Assessing Policy Directions To my best knowledge, prediction markets were introduced as having potential as a democratic process by economist Robert Hanson [g]. Hanson proposed that “inferior policies happen because our info institutions fail to induce people to acquire and share relevant info with properly-motivated decision makers.” Hanson identified inferior processes for generating and evaluating information relevant to governing as responsible for economic divergence between democracies, and proposed prediction markets as a solution. Prediction markets are effective at aggregating information about the probable outcomes of a proposed action. By their application to policy, nations may optimize policy selection, while resolving an incentive mechanism to counteract the tragedy-of-the-commons problem. Note that the ability of prediction markets is limited to expressing probable outcomes of policy alternatives, not in expressing what outcomes are qualitatively better than one another. Participants in a prediction market bet on the outcome of a particular event by an agreed upon point in time. For example, suppose at time t=0, a prediction market opens around whether policy A will achieve event Z by time t=T. Bettor 0 believes the outcome is likely, and bets $70. Then at time t=1, bettor 1 believes the outcome is only 70% likely to occur, so bettor 5 bets $30 against. The betting market now reflects a 70% chance of action success. If no further bettors enter, and the result is positive, the first seven bettors split the $30 counterbet, and if the result is negative, bettor 1 takes the $70. But now suppose an alleged domain expert, bettor 2, sees the 70% betting odds, and thinks the odds are much closer to 40%. If bettor 2 is correct, he will profit off of making any bet moving the odds closer to 40%. He does so by betting $75 against. The prediction market thereby incentivizes all domain experts, regardless of credentialing, to apply their knowledge for the public interest. This system avoids the closed property of technocracies’ only allowing for the expressed opinions of a narrow, preselected group of experts, while simultaneously allowing for democracy to take place around the most engaged, informed, and affected constituents. Statistics reflect this: in one study, prediction markets around elections were found to be 74% more effective than polling over 964 elections, with an even greater advantage in forecasts beyond 100 days [h]. In the context of policy selection, a political committee could propose several policy alternatives to a betting market in reference to their ability to achieve some outcome. After some waiting period (requiring some mechanism to avoid allowing last minute interference bets), the committee could then implement the policy alternative seen as most likely to succeed, and reset all markets of policy alternatives not taken. One of the most common criticisms of prediction markets as a vector to inform policy decisions is the opportunity for interest groups to tip the scale by betting overwhelmingly in their preferred direction. But placing restrictions on the maximum bet should not be necessary. The event of an interest group betting tremendously in one direction should be seen as a tremendous arbitrage opportunity for prediction market participants, as the interest group is not strictly buying “votes” per se, but expressing an opinion concerning the likelihood of an outcome. For instance, if a petroleum company sought to sabotage a prediction market around the probability that policy A achieves outcome Z by betting overwhelmingly that an alternative policy B achieves outcome Z better than policy A, bettors are incentivized to take the counter-bet of petroleum company on policy B, reaping an arbitrage opportunity. This is because bets are not votes: votes are expressions of preference (which deserve discussion in a paper in their own right), bets are expressions of belief about the state of the world, and the consequences of a given action. [g] http://mason.gmu.edu/~rhanson/futarchy2013.pdf [h] https://www.sciencedirect.com/science/article/abs/pii/S0169207008000320

Prediction Markets as Staking Mechanisms

Bets are mechanisms for forcing alignment between beliefs and actions. Among the problems inherent to the tragedy-of-the-commons is that actors are incentivized to lie about intentions, or to otherwise express under-calibrated opinions. In addition to their role in information aggregation, prediction markets can serve a mechanism for constructing stake in international policy agreements. A staking mechanism is a procedure in which a participating party accept some quantity of risk, for one or more of the following purposes: (i) as collateral against the party to breaking agreements, (ii) as a signaling mechanism intended to encourage further action by other parties, ie. the public, (iii) as a substitute for, or complement to reputation, in systems where reputation is insufficient in one of the two above ways, (iv) as a bet on a particular outcome with some probability and expectation of returns with positive expected value (v) from the perspective of an observer to the staking process, a mechanism for collecting information about the belief state of participants in the staking system. All but definition (iv) are directly relevant to the discussion of inducing actors to commit to and engage in a more desirable set of actions, in particular, with respect to preserving the environment among other desirable outcomes. A proposed system for international politics could proceed as follows: First, a desired outcome is determined, for instance, a k% reduction in carbon footprint by each nation within 3 years, where each nation gets to choose their value for k, but exponentially increasing upfront costs to a nation’s choice of k below some value. Nations would be required to bet some minimum percentage of their GDP as stake toward meeting their target. Finally, delegates from each nation would proceed to place bets on each other nation’s objective being met with and against that nation’s staked bet. This system has several advantages. First, it avoids a one-size-fits-all problem of international politics: policy that is effective or reasonable in one nation may not at all be in another. By calibrating goals with respect to each nation, we avoid the problems inherent to the SDG goals’ being simultaneously vague and exaggerated. Second, if nation A’s delegates bet that nation B succeeds at meeting its policy goal, nation A is incentivized to pressure and assist nation B in meeting that policy goal, fostering international cooperation, rather than creating opportunity for defection from agenda agreements. Third, the process creates a reasonably interesting opportunity for popular engagement in international politics. An international betting market between nations would be the international policy equivalent of the Olympics, and would likely draw a great deal of popular attention, raising the stakes for failing to meet commitments.

Conclusion

I have analyzed several problems with the international political process, embodied in the 2015 SDGs, and proposed two possible implementations of prediction markets as solutions for rationally aggregating information. I introduced technocracy as a toy solution to better information aggregation, and explored the undesirable properties inherent to that solution as an alternative for eliminating the irrationality inherent to democratic processes. I aimed to attempt to solve the tragedy-of-the-commons problem emergent in international politics, while identifying the economic mechanism failures of the existing process.

Bibliography

Berg, J. E., Nelson, F. D., & Rietz, T. A. (2008, April 28). Prediction market accuracy in the long run. Retrieved from https://www.sciencedirect.com/science/article/abs/pii/S0169207008000320 Get the Sustainable Development Goals back on track. (2020, January 1). Retrieved from https://www.nature.com/articles/d41586-019-03907-4 Hanson, R. (n.d.). Shall We Vote on Values, But Bet on Beliefs? Retrieved from http://mason.gmu.edu/~rhanson/futarchy2013.pdf Leichenko, R., & Silva, J. A. (2014, May 2). Climate change and poverty: vulnerability, impacts, and alleviation strategies. Retrieved from https://onlinelibrary.wiley.com/doi/abs/10.1002/wcc.287 Sustainable Development Goals Report - United Nations Sustainable Development. (n.d.). Retrieved from https://www.un.org/sustainabledevelopment/progress-report/ The 169 commandments. (2015, March 26). Retrieved from https://www.economist.com/leaders/2015/03/26/the-169-commandments The 2030 Agenda for Sustainable Development and the SDGs. (n.d.). Retrieved from https://ec.europa.eu/environment/sustainable-development/SDGs/index_en.htm Vandemoortele, J. (2016, November 22). How to bring the SDGs out of their current slumber? Retrieved from https://www.idea.int/sites/default/files/news/16-11-22-The_slumber_of_the_SDGs.pdf

2020 Jan-Mar Book Review Rundown

thorck@protonmail.com (Thor) — Wed, 08 Apr 2020 00:00:00 +0000

23 books, 3 unfinished with no intention to finish anytime soon. 5 fiction, 18 nonfiction (would it be cheeky to count The Little Bitcoin Book as fiction?)

Trends:

non-fiction especially about business, identity, and climate science early on
Biographies and Neal Stephenson towards the end

I'll give a couple sentences of my thoughts about each book and a rating out of 10.

Climate and Society, Robin Leinchenko and Karen O'Brien

Information sparse, introduces the integrative approach to climate change solutions. Well researched, useful to get a bearing on the complexity of proposing a "solution" to climate change, but prolix. 7/10

The Ecology of Commerce, Paul Hawken, unfinished

Hawken is an ecological warrior whose writing should be dated given its publication date of 1992, yet one could rewrite the book today with few changes. Lends support to the conclusion that the environment is doomed and our static political systems are to blame. Unfinished because the book is repetitive. 6/10

The End of Jobs, Taylor Pearson

The 4 hour work week, but 10 years later and less interesting. Was interested in his blog, not polished or content dense enough to justify a book. 3/10

What You Do is Who You Are, Ben Horowitz

Great read on values, stories about vivid figures from history who demonstrate values in motion, which Horowitz terms "virtues", borrowed from samurai literature. Less interested in the business anecdotes, but Horowitz is all around a great story teller. May reread. 9/10.

A Liberated Mind, Steven C. Hayes

Hayes is the father of Acceptance and Commitment Therapy. All the feely goody bubbly nonsense anecdotes therapy is infamous for, but not without a complete lack of substance–Hayes delivers the principles of ACT effectively, despite himself. 7/10.

Sapiens, A Brief History of Humankind, Yuval Noah Harari

Overrated, but not by much. Seemed like a good thing to read to kids, if I had any. 8/10

The Hard Thing about Hard Things, Ben Horowitz, reread

Reread after WYDiWYD. Hard thing about hard things is, as with the next book, about taking the hard things in your hands, communicating honesty in business and in life. Horowitz weaves lessons into the story of his time as CEO of Loudcloud, and a great storyteller he is. 9/10.

Models, Attract Women Through Honesty, Mark Manson

An exploration of masculinity, an area of conversation I find underrated, possibly because it only seems to happen when men talk about dating. Book cogently delivers on its premise, investigating the particulars of holding honest as a value, and using it to connect with others (including women). 9/10

Homo Deus, Yuval Noah Harari, unfinished

Worse than Sapiens due to a greater degree of speculation. Harari is more in his element in 21 Lessons and Sapiens. Was often bored. 6/10.

Range, Why Generalists Triumph in a Specialized World, David Epstein

This book and the next fall into my "standard MBA business book" category, delivering loosely connected anecdotes and studies as defenses of an over-general principle. Barely managed to finish each of them. This one did it better. I'm squarely in the target audience for each and was constantly bored. 6/10. Rebel Talent, Why it Pays to Break the Rules at Work and in Life, Francesca Gino 5/10.

Tribe, On Homecoming and Belonging, Sebastian Junger, reread

Junger's message in Tribe is clearer than Lake Tahoe, and timeless as her mountains. Conciseness is underrated; Junger delivers in 180 short pages several well constructed narratives highlighting our separation from one another, and how we may come together again. 10/10.

Talking to Strangers, Malcolm Gladwell

Depressingly the opposite of the above. Gladwell's winding narrative style is acceptable when he has more to say. He remains an excellent, if somewhat roundabout narrator. I found the premise–that we underrate the value of context and overrate the importance of identity–uninspiring. 7/10.

Words and Rules, Steven Pinker, unfinished

A book only a linguist could love, or finish. Long, thorough, and by the sixth chapter, too systematic for even a man with Aspergers. 6/10

The Little Bitcoin Book, The Bitcoin Collective

Useful in offering the Bitcoin maximalist system of the world. I'd wanted to get a better idea of what this system of the world was, and especially found it in chapter 5, which offers a pair of speculative anecdotes of the world in 2030 with and without decentralized currency. Conciseness is good. 9/10.

Emmy in the Key of Code, Aimee Lucido

What a delightful and unusual children's book this is, discovered through the Embedded.fm podcast. A collection of poems from the perspective of a musical child struggling to find herself in a new place. Struggles with chauvinism, self discovery, appeals to the similarity of code and poetry, musical references, and an utter delight. 10/10.

Hackers and Painters, Paul Graham, reread

The best collection of essays I've ever read on what it is to be a hacker, beyond the obvious: we make stuff. The first chapter, about the quality of education (despite my general agreement with most of the premises), was arguably the worst. The remainder of the book is a welcome investigation into value, hacking, and what it is to be a technologist, without fear of delving deep. 10/10.

King Lear, 'ol Bill Shakespeare

Unrateable: a low rating marks me as uncultured swine, and a high rating suggests a mastery of Shakespeare I am yet to attain. I continue to find reading Shakespeare as challenging and worthwhile a literary exercise as the best mathematical exercise.

Elon Musk, Ashlee Vance, reread

Reread this biography a few months after the more recent controversies of Musk's making an ass out of himself to see if I still resonate with his story and self image as a man possessed to make an impact in the world. I do. It's interesting that he seems content to piss off people so much, something I feel I nearly understand, but just somehow miss. The biography is excellent, and makes me want to defend him. It also makes me want to be like him, which I'm only somewhat uncomfortable with. 10/10.

Steve Jobs, Walter Isaacson

I wanted to compare the Musk biography to another pivotal figure, who exists in the same strata of obscenely multitalented entrepreneur defining and propelling the boundary of technology. I'm unsure if it's simply a testament to Vance's ability as a biographer, or if I simply resonate more deeply with the Musk story, but I came away from the Jobs biography with a certain, "why do I care again?" taste in my mouth. The early half of the book felt more alive. Maybe this is my becoming a Wozniak fan. 7/10.

Atmosphæra Incognita, Neal Stephenson

Stephenson at his shortest. In 100 pages or so, Stephenson lets loose a short story of the tallest building mankind could ever construct. The story appears to be an allegory for technology, progressively hoisting mankind to uncharted heights, with newfound danger and excitement at each new level. I can't stop reading Stephenson after this. 10/10.

The Diamond Age, Neal Stephenson

Snow Crash (read in December) was fantastic, but only periodically ran as deep as I would have liked. The Diamond Age scratches that itch. Stephenson trots out a gorgeous fragmented world replete with a new element: nanotechnology. Deftly exploring coming of age, what it means to be a hypocrite, moral life in a corrupt society, the education of a subversive, and the difference of having everything one needs and having everything one needs to build that which one needs, I'm captured with The Diamond Age world, and its protagonist. 10/10.

Anathem, Neal Stephenson

I wanted The Diamond Age to be Stephenson at his best. I wanted to think, alright, I can stop reading Stephenson now. I especially wanted to avoid reading 2700 pages of the Baroque cycle. But after this, I think I'm doomed to read everything Stephenson ever wrote. I'm absolutely taken by the world building, the allegories to mathematics and technology, the incorporation of astronomical physics and the multiple worlds hypothesis, and of course, Neal Stephenson's uncanny ability to bring his characters to life. 10/10.

Current

Snow Crash, Neal Stephenson, rereading
Turing's Cathedral, George Dyson, reading slowly
Disunited Nations, Peter Zeihan, Roy Worley, unsure if I'll finish

On the "soon" List:

The Critique of Pure Reason Kant, forever procrastinating
Reprogramming the American Dream, Kevin Scott, Greg Shaw
The Sovereign Individual James Dale Davidson, Lord William Rees-Mogg
Evidence for Hope, Kathryn Sikkink
Radical Markets Eric Posner, Glen Weyl, a reread
The Machinery of Freedom, David D. Friedman
The Baroque Cycle, trilogy Neal Stephenson

Human Rights: Entertaining the Illusion

thorck@protonmail.com (Thor) — Tue, 10 Dec 2019 00:00:00 +0000

Introduction

“The speed with which human rights has penetrated every corner of the globe is astounding. Compared to human rights, no other system of universal values has spread so far so fast…. In what amounts to a historical blink of the eye, the idea of human rights has become the lingua franca of international morality” (Normand 8). With the simultaneous rise of secularism and the middle class in colonial Europe in the 19th Century, so rose the need for the decoupling of moral justifications for imperialism from religious precedents. Human rights left the sacred behind as a construction of universal humanist norms, to inspire the support of a rising middle class in a modernizing Europe. By donning the vestiges of moral supremacy, Europeans gained new justification for civilizing, educating, and employing the next century of colonial labor, while stemming criticisms of the rising bourgeois class. Human rights have always been a farce, and they remain expensive moral umbrage for nations and the elite.

The International Criminal Court, established in 2002, took ten years before its first successful prosecution, of Congolese warlord Thomas Lubanga Dyilo. The cost of the ICC, in the first 10 years, exceeds 1 billion dollars. The major international criminal courts in aggregate exceed 6 billion dollars (Stuart 968). The United States, on whom much of the funding and legitimacy for international human rights relies, maintains immunity for its citizens by the 2002 American Service Members’ Protection Act. The rise of political rivals, most prominently Brazil, Russia, India, China, and South Africa, to American and European power, present a valid challenge to the underlying assumption embedded in the most basic premise of human rights: can human rights be truly universal, or are these simply the last vestiges of the once religious, now secular, hypocrite phoenix of moral supremacy? In an examination of the accomplishments of human rights through four eras, I’ll attempt to disentangle the self-aggrandizing mythos of human rights from reality.

Ford, S. “How Leadership in International Criminal Law is Shifting from the U.S. to Europe and Asia: An Analysis of Spending on Contributions to International Criminal Courts (2011). Saint Louis University Law Journal, Vol. 55, p. 953. Normand, R., Zaidi, S. “Human Rights at the UN: The Political History of Universal Justice” (2008). Bloomington: Indiana University Press.

1776-1947: Era of The Bourgeoisie, Secularism, and Capitalism

The modern age of human rights very little resembles its prehistory. Democracies and autocracies, including monarchies, have vastly different requirements of their populations and legal frameworks. Democracies are held to higher standards of justification for political action. The overthrow of European monarchs marks one of the more productive eras in de-facto human rights development, though the language of human rights is mostly a post World War II invention.

While difficult to quantify, one can reasonably hypothesize that the great advances of this era in human rights is the product of the success of popular uprisings, and the initial successes of expanding democracy, and its deceleration in the 20th century represents conflict of haves and have-nots: wealthy democratic countries have no more incentive than wealthy autocratic ones to preserve the human rights of other nations, especially when these rights conflict with at-home economic interests.

At the beginnings of the Age of Exploration, beginning with Portueguese navigators in the 15th and 16th Century, monarchs had little need of moral justification towards the end colonizing and enslaving. In the twin, unrivaled power structures of church and state, were generally sufficient justifications for expansion of empire in the name of God and country. But the trappings of exploration produced rivals to the landed elite: the bourgeoisie, in whom the elites invested.

The British, with far-flung colonies and powerful shipping merchants bore witness to this. The Declaration of Independence, penned by American plantation owner Thomas Jefferson, is the product of the realization by American bourgeoisie that they possess sufficient wealth to contest, and even field armies against traditional monarchical power. Jefferson couches protestations towards monarchal Europe in proto-human rights declarations of offenses by the crown, violating “certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.” The American Constitution re-affirms and cements the political rights of American citizens in The Bill of Rights albeit, excluding most of the population.

Two decades later, revolutionaries in France mirror the American uprising, and take advantage of the financially drained Louis XVI to declare their rights as justification for revolution in The French Declaration of the Rights of Man. The age of the bourgeoisie, while still exclusionary to the vast majority of citizens, makes the beginnings of human rights discussion possible. But by this point in history, rights are not declared by top-down organizations and governments, but are the product of bottom-up uprisings.

The year 1848, known as the Spring of Nations, brought a wave of popular uprisings across over 50 countries in Europe (Evans). The revolutions mostly aimed to overthrow monarchical power, while demanding democracy, freedom for the press, and rights for the working class. These rebellions were mostly secular: religious leaders traditionally worked in concert with monarchs suppress challenges to existing power structures. The revolutions succeeded to varying degrees at establishing democracies, but the agitation for a definitive set of rights, was impossible for elites to ignore. European humanist norms grew out of the revolutions, supporting the rights of the newly established bourgeois.

These rights would come under assault in the first half of the 20th Century. The twin cataclysms of the World Wars reduced Western Europe to rubble, allowing the advancing American economy to surpass its European forebears. The devastating effects of the world wars also propelled the advance of democracy and capitalism in Western Europe, and communist dictatorship in Eastern Europe. The positive narrative identifies this struggle as that of competing ideologies in a brawl of how best to assert the political and social rights against a Hobbsian struggle of all against all. The remaining powers needed new language to justify the shattered myths of the previous century, asserting that humanist rights existed, and could not be abused at any time by the existing power structures, as they had been in the world wars.

It’s worth noting that each of the participants in the Second World War abused and repressed citizens in a major way. Though this list is hardly exhaustive: Jim Crow in the United States, colonial oppression by Western Powers, barbaric war crimes by the Japanese, and genocides by Nazis and Soviets. These were the powers submitting diplomats to pen the first modern document of Human Rights, the Universal Declaration of Human Rights (UDHR). This stands in sharp contrast to the emergence of rights following popular uprisings in the 18th and 19th Centuries.

R.J.W. Evans and Hartmut Pogge von Strandmann, eds., The Revolutions in Europe 1848–1849 (2000) pp. v, 4

Declaration of Independence, Paragraph 2 (1776).

1947-1976: Era of The Universal Declaration of Human Rights

In the aftermath of the Second World war, world leaders gathered in Paris to pen the UDHR. According to international law professor Stephen Hopgood in The Endtimes of Human Rights, the UDHR was “an antidote to a troubling contradiction, the coexistence of progress with intensifying violence, vast social and economic inequality, and fears of “the disenchantment of the world” (Hopgood 1).

The modern language of human rights was borne out of the need for a neutral and secular ideology for developed nations to use as a neutered critique of one another, to limit risk of a third world war. European and American leaders sought to weave into the UDHR an ideological alibi for a new globalized economic system designed to promote international collaboration, benefitting the elites, while only supporting an enhanced sentimentality for human rights in tongue. The UDHR, therefore was a set of thirty non-binding articles, agreed upon by world leaders, but not to be taken seriously. Economist Eric Posner writes in The Twilight of Human Rights “the words in the Universal Declaration may have been stirring, but no one believed at the time that they portended a major change in the way international relations would be conducted, nor did they capture the imagination of voters, politicians, intellectuals, leaders of political movements, or anyone else who might have exerted political pressure on governments” (Posner 17).

Why were the articles non-binding? The authors of the UDHR were not the surviving revolutionaries seeking to validate the rights of humans against their former governments, but the ambassadors of the most powerful nations, who sought to reaffirm their hegemonic power by a set of tacit agreements to not challenge one another militarily. These diplomats were not defending human rights in the sense that human rights protect people from their governments: they were protecting their nations, developed nations, from the threat of war. Any illusion of possible agreement concerning universal ideals was quickly dispelled: there were clashes between the United States diplomat, Elanor Roosevelt, with the Soviets concerning rights to property and political freedoms, opposition by the Saudis towards articles concerning freedom of religion, Latin American diplomats who wanted God mentioned, and fears of colonial intervention by the British and French, while the Japanese were to be stripped of their recent colonial acquisitions (Loeffler).

The effects of the UDHR on human rights around the world were underwhelming. The United Nations established a commission for responding to human rights complaints. In the first ten years of operation, roughly 65,000 letters alleging human rights violations arrived at this newly minted defender of human rights. The commission declined to investigate a single complaint (Loeffler). Issues emerged as larger powers did not want to risk upsetting the power balance between the Soviet Union and the United States, potentially triggering war, and smaller powers had neither the political capital, resources, nor incentive to begin investigations. The UDHR proved an empty set of nice sounding words. This was not unexpected, even at the outset: according to international law expert Hersch Laueterpacht in 1947, “to a lawyer, the enunciation of a right without the provision of a remedy is a judicial heresy…It is clear to me that the declaration does not carry things further and that in some important respects has put the clock back.” (Loeffler)

Loeffler, J. (2018, December 21) “Human rights treaties promised a better future. Why did they fail?”. Washington Post. Hopgood, S. (2015). The Endtimes of Human Rights. Ithaca: Cornell University Press. Posner, E. (2014). Twilight of Human Rights Law. Oxford University Press.

1976-1991: Era of Human Rights Treaty Proliferation and American Money

The modern age of human rights organizations begins in earnest in the 1970s with the International Covenant on Economic, Social and Cultural Rights (ICESCR) and the International Covenant on Civil and Political Rights (Moyn). The covenants were intended as an expansion of the UDHR, but this time, gave overseeing commissions more power to enforce violations. The covenants were contemplated as early as 1948, by American historian Arthur Holcombe, as “a project for a piece of international legislation, more ambitious and perhaps more important than any other in the history of international law. If supported by suitable measures of implementation, it could be a great triumph of reason over force and violence in the development of human relations.” (Holcombe, 413)

Thus, the 1970s represent the shifting tide of human rights from general irrelevance to a proliferation of human rights treaties, to mixed effect. Some of these genuinely treated human rights issues, ie. Convention on the Elimination of Discrimination Against Women (CEDAW), while others were microcosms of the symbolic battles between the United States and the Soviet Union. The United States used human rights law as political leverage against the Soviet Union, while in exchange for ideological concessions, the Soviets bought recognition of autonomy in determining the freedoms of Eastern Europe.

The beginnings of American involvement in human rights in the 1970’s signaled the end of a unipolar European human rights era, though for a time human rights became unipolar about the American-centric perspectives, a phenomena that strengthened after the collapse of the Soviet Union, and has only in the last decade seen significant challenges by economic competitors to the United states, most prominently China. The era of American influence saw the demise of what Hopgood describes as European “secular religiosity” and towards the American style of political intervention in the name of defending democracy—where democracy was a thinly veiled stand-in for American economic interests. Recent examples include American ongoing relations with Saudi Arabia, 1990s support Saddam Hussain in Iraq, and strategic support of torture in Guantanamo Bay.

The Americans, even under the most ardent human rights supporter, President Carter, were inconsistent allies to the human rights endeavor: “human-rights violating allies like Iran and Saudi Arabia were just too important for American security, and seen as an important counterweight to Soviet influence, so Carter could not consistently follow through on his rhetoric by threatening to withhold diplomatic support or economic resources from some of the worst violators of human rights” (Posner 18). While the United States generally supported and provided funding for major human rights organizations, they seldom ratified human rights treaties, and only with a raft of Reservations, Understandings, and Declarations (RUDs) limiting the United States’ liability to upholding the treaty.

Not that this was likely even necessary. Many authoritarian countries ratified the ICCPR, and other human rights treaties, and although these treaties were designed to be more binding, the same issue of political non-incentive for any particular country to take action resurfaced. Further, the treaties often used vague, sometimes self-negating language, or specified requirements that would be aspirational for all but the richest countries. Article 19 of the ICCPR declares the right to freedom of expression, but in the next paragraph, offers governments a get-out clause:

Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (a) For respect of the rights or reputations of others; (b) For the protection of national security or of public order (ordre public), or of public health or morals.

The gates of plausible deniability in the clause, “protection of national security or of public order.. or morals,” swing wide. The failings of the covenants were appreciated at the time. Pakistani legal scholar, Hamid Kizilbash wrote of the covenants in 1976 that “what is most unsatisfactory about the implementation procedure is the fact that the individual has no role in the preparation of reports. States are not called upon to consult or transmit what an individual group within their territory may wish to have included in the report. No system of hearings, public consultation and individual petitions has been provided for. In the absence of such provisions it is clear that the reports will reflect whatever the government of a state wishes to make known” (Kizilbash 57).

Holcombe, A.N. "The Covenants on Human Rights", Law and Contemporary Problems, 14 (Summer 1948), pp. 413-429. International Covenant on Civil and Political Rights, Article 19 (1966). Kizilbash, H. “United Nations and Human Rights: A Failure Report” (1974). Pakistan Horizon Vol. 27, No. 1 (First Quarter, 1974), pp. 50-60 Moyn, S. (2010). The Last Utopia. Harvard University Press.

1991-now: Era of American Pseudo-Unipolarity

In the wake of the fall of the Soviet Union, one might reasonably assume a raft of advances human rights could proceed, over the corpse of their most powerful political opponent. However, immediately following the fall of the Soviet Union, events made a mockery of such an assumption. First, the horrifying genocide in Rwanda, where more than 800,000 Tutsis were slaughtered by the Hutu majority in Rwanda (Posner). The event was made for macabre spectator sport for the human rights organizations of Europe, demonstrating the irrelevance of the now nearly 50 year old Convention on the Prevention and Punishment of the Crime of Genocide and the commission appointed to advise the UN. The lesson repeated itself one year later in the civil war in Yugoslavia where Serbians attempted to ethnically cleanse Bosnians from the region, shocking Europeans to see genocide return once more in the 20th Century to their own continent.

The war criminal trials that followed (the UN was basically immobile during the atrocities) were widely criticized for bias and inconsistency, leading to the establishment of the International Criminal Court in 1998, and official opening in 2002. It has tried few, successfully tried fewer, and those it has tried are exclusively from African nations. The court took 10 years before its first successful prosecution, of the Congolese warlord Thomas Lubanga Dyilo. It is also expensive, costing a billion dollars in its first decade. The United States continues to claim immunity to the court, and refuses to provide funding for the court. Naturally, the court appears mostly irrelevant.

According to Freedom House, every year since 2005 has seen a retreat in democracy and an advance of authoritarianism. Modern democracy has seen a corresponding retreat of the notion of the public space where facts exist as universal. Propaganda experts in Russia successfully used data, with the aid of data company Cambridge Analytica to spread disinformation about political events in the United States and the United Kingdom leading up to the 2016 election, and the Brexit referendum. Facebook has set new norms for the public dialogue between fiction and fact, allowing disinformation to be spread, while making surveillance easier than ever before (Snyder). Democracy has succumbed to populism in Hungary, Poland, Brazil, and Bosnia in the last decade. Human rights efforts, by contrast, appear to be stuck in the 19th century.

In 2017 the Office of the High Commissioner for Human Rights launched their 70th year anniversary campaign. The campaign feature the hashtag, #standup4humanrights, along with a website proclaiming “we can all be Human Rights Champions.” The website encouraged participants to post stories online, on platforms including Snapchat, Instagram, and yes, Facebook, the last of whom there has received no official comment on, or criticism of, by any of the human rights commissions at the UN. “All it takes, apparently, is posting individual stories online and recording an article of the declaration in one’s own language. There is hardly any mention of law or politics; it suffices to ‘promote, engage and reflect.’” (Loeffler)

Snyder, T. (May 21, 2018) “Facism is back. Blame the Internet.” Washington Post.

Conclusion

Throughout this essay, I’ve alluded to the differences between revolutionaries’ claims to rights, and governments’ self-justification via an invented language of international law. Hopgood explains the difference between top-down human and bottom-up human rights as follows, “the local and transnational network of activists who bring publicity to abuses they and their communities face and who try to exert pressure on governments and the United Nations for action, often at tremendous personal cost”, versus “a global structure of laws, courts, norms, organizations that raise money, write reports, run international campaigns, open local offices, lobby governments, and claim to speak with singular authority in the name of humanity as a whole” (Hopgood 2). The criticism reflects the conflict of liberal versus the libertarian, in the question, does greater bureaucracy correspond to gains in human potential, or is the growth that of a cancer, whose purpose is not to serve the body out of which it was conceived, but only to grow?

This central conflict plays out while human rights activists engage bottom-up, grassroots endeavors around the world. These countries lie beyond the political purview of the International Criminal Court in the Hague, struggling against the rise of tyranny and nationalism in places like Bolivia, Venezuela, China, and Russia. Resistance movements can only seldom rely on the international bureaucracy to provide the assistance promised in lofty covenants. If human rights organizations had any legitimate influence, the Arab Spring would have been unnecessary, and dictators in Egypt and Syria would have been replaced by human rights leaders. Instead, politicians in countries like the United States and Russia used human rights declarations as pawns to maintain economic interests in the region.

What is unconscionable is that human rights organizations continue to ignore criticism of the failings of the movement. Foreign policy analyst David Rieff wrote of this phenomenon of cognitive dissonance, “This is predictable. If your expectations are millenarian — if you believe there is a right side of history, yours, and a wrong side of history that is doomed to defeat — skepticism about the human rights project, let alone voices of opposition, is unlikely to sway your position” (Rieff). Human rights activists need to justify the unmerited and costly expansion of their bureaucracies. Human rights documents need to have more substantial teeth than the possibility that a commission will enter into dialogue with a violating nation. The failures of human rights organizations are costly not only in price but in their deception: allowing nations to do the bare minimum to defend democracy and free people around the world.

Rieff, E. “The End of Human Rights?” (April 9, 2018). Foreign Policy Magazine.

thork.net

designer babies no one asked for: protein cryptography paper speedrun

designer babies no one asked for: protein cryptography paper speedrun

wat

fancy steganography

how efficiently can we pack data in amino acids

but how expensive would it be to embed a dad joke in the proteins of my children

About the Stone Prover

Background

footnotes

Solving ZK Hack Puzzle 3 - Chaos Theory

puzzle.solve()

Background

the ‘sploit

puzzle.deets()

BLS

ElGamal

puzzle.log()

Code runthrough

new project: git-merkle (gm)

Why did you do this?!

Solving ZK Hack IV puzzle 2 - Supervillain

puzzle.solve()

Background

BLS background

Proof of knowledge argument background

Back to the problem at hand

the ‘sploit

puzzle.deets()

puzzle.log()

initial problem description

initial things to look at, after skimming code

notes on BLS signatures

Individual signing

Individual verification and BLS verification

Signature aggregation

BLS code check

public keys look correctly aggregated

bls signing check

bls verify check

first shot

but how do we satisfy pok_verify

pok verify code:

he looks to the reading

Interlude

honey, get the randomness malleability hammer

changelog

footnotes

Solving ZK Hack IV puzzle 1 - Gamma Ray

puzzle.solve()

background

the ‘sploit

puzzle.deets()

Twisted Edwards, and proof Zcash Lemma 5.4.7 with added notes

Lemma 5.4.7 applied to MNT_753_4

puzzle.log()

Issue: how are we going to construct a hash collision?

Lemma and proof

algebraic insight!

changelog

footnotes

Walking Through Distributed Key Generation (DKG)

Walking Through Distributed Key Generation (DKG)

Knowledge Check!

What Threshold Signature? And Briefly, What Multisignatures

But what if we just…centralized it?

Cryptography time!

Phase 1

Phase 2

Phase 3: Verifiability

Wrap up

Experiment: How Effective is Prototyping? Measuring Developer productivity in Python and Rust with Project Euler

In Short:

Results (see spreadsheet, see code):

Data and Graphs

Data

Graphs

Looking but not Finding: The Curse of Walled Garden Research Journals

Confounding Factors

Further Questions

`puzzle.solve()`

`puzzle.deets()`

`puzzle.log()`

`puzzle.solve()`

`puzzle.deets()`

`puzzle.log()`

but how do we satisfy `pok_verify`

`puzzle.solve()`

`puzzle.deets()`

Lemma 5.4.7 applied to `MNT_753_4`

`puzzle.log()`