2021-07-14

This post is about an experimental project to distribute rewards in a privacy-preserving manner running on StarkNet.

Introduction

Blockchain projects seek to reward community members who perform activities that are beneficial to the network.

For example, technical users participating in a test network for a project might get a few tokens in return for their participation. Another example includes users reteweeting a few tweets posted by the project.

This brings up a privacy problem. In contrast to normal pseudonymous transactions, these rewards usually require some form of Know Your Customer procedure, even if it's just a twitter handle. From this, it follows that the project awarding the tokens, or in some cases anyone, can track the user's activity after receiving the reward.

We can do better!

StarDrop allows users in a group to claim a reward allocated to them, without the network or the project learning a link between the claims and the users. It uses techniques adapted from Privacy Pass to build a Verifiable Oblivious Pseudo Random Function.

The result is a system allowing a project to blindly sign a token that the user can use to redeem a reward later. Moreover, it does so in an on-chain zkrollup, StarkNet, allowing to do this verifiable in scale in low cost, as is appropriate for rewards that are usually not large.

Disclaimer - I've created this project mostly to learn and experiment with StarkNet and it should not be used in production!

Privacy Pass

Let's first describe a sketch of a simplified version of Privacy Pass that we'll use to build our protocol. In general, Privacy Pass is a 2-party protocol allowing a user to create a blinded token, that a server will sign after performing their checks, and the user afterwards unblinding the signed token and being able to use it without the server learning which token belonged to which user. For a more in-depth description, check out my post about Privacy Pass.

A user generates a token $t$, which is a string of their choice.
The user then hashes it to a curve $H(t)$, resulting in an element of a specific elliptic curve.
The user chooses a random blinding factor $b$ and computes $T=bH(t)$.
The user then sends $T$ to the server.
The server uses their private key $s$, having public key $P=sG$ where $G$ is a known generator of the curve, and sign the token, resulting in $S=sT$. The server provides a proof that $S$ and $T$ have the same ratio as $P$ and $G$, proving that $S$ is a valid signed token.
The user verifiers the proof and then unblinds it using the inverse of their blinding factor, resulting in $R=b^{-1}S=b^{-1}sT=b^{-1}sbH(t)=sH(t)$. Notice that this is still a signed token, just without the blinding factor.
The user can then use the signed token $R$ to redeem their reward. They do it by sending $t$ and $R$ to the server.