Introducing Tweedentity, a simple identity model for KYC and authentication in ÐApps

Francesco Sullo
Published in 0xNIL · Mar 5, 2018

After the first round of the Initial Free Offering of NIL token, I realized that a KYC is necessary during the second round to avoid spam. However, I don’t like the old-school approach used by most of the projects out there.

Identity is a huge problem in the decentralized world, and I am sure that it will be the next big thing. Right now, there are many promising projects (like, for example, uPort), but they are far from being usable in practical cases. For this reason, almost every ICO requires investors to sign up with an email and password (🤔 I guess you like it as much as I do 😝).

Months ago I was telling myself that there must be a better approach that is easy enough, and at the same time can evolve and be used by other projects, until one night the idea about Tweedentity popped up in my mind.

A tweedentity is a univocal association between an Ethereum address and a Twitter account.

Easy enough?

How it works

An Ethereum wallet is an interface between your keys and the Ethereum VM. Your keys are a private key and a public key. The last 20 bytes of the hash of the public key, prefixed with 0x, constitute your Ethereum address.

A nice characteristic of asymmetric cryptography is that you can sign a string with your private key, and anyone else can verify that your signature is correct knowing just your public key.

We are going to use this for our identity system.

Let’s say that Jack Dorsey needs a tweedentity (sooner or later he will 😜).

His userId is 12 (the first active Twitter userId ever 😮).

If he uses the MyEtherWallet Sign Message page to sign the string twitter/12@tweedentity, he will obtain something like this:

{
"address": "0x96feae029a90b1637ce958b7171404f66ec8b630",
"msg": "twitter/12@tweedentity",
"sig": "0xe86c816d7b39c661033cdd9a1e2911c09100e3d2bcf4ac00412f90a42eaae80d56905c6b3a794f124e727690e5d92ec08b522440e246ec148317a326490c61731b",
"version": "2"
}

(For this example, I used the newly generated private key 9aa29c2f38547c2325a3870dd21384b3f55e9932ea14c3f5ceb1a9af67a2f714 so that you can replicate the process, if you like.)
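
To replicate the first step, here is an added example (not the author's code or any wallet's) of the address derivation described under "How it works": the public key is computed on secp256k1, hashed with Keccak-256, and the last 20 bytes become the address. It is standard-library Python, and the function names are chosen for this example.

```python
# Added example: private key -> Ethereum address. Standard library, Python 3.8+.
# Not constant-time: for study and test keys only.
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
P = 2**256 - 2**32 - 977  # secp256k1 field prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & (2**64 - 1)

def keccak256(data):  # Ethereum's Keccak-256 (pad byte 0x01), not SHA3-256 (0x06)
    q = 136 - len(data) % 136
    data += b"\x81" if q == 1 else b"\x01" + bytes(q - 2) + b"\x80"
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(data), 136):
        for i in range(17):  # absorb one 136-byte block as 17 little-endian lanes
            A[i % 5][i // 5] ^= int.from_bytes(data[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:  # 24 rounds: theta, rho+pi, chi, iota
            C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
            D = [C[x - 1] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
            B = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    B[y][(2 * x + 3 * y) % 5] = rol(A[x][y] ^ D[x], ROT[x][y])
            A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])
                  for y in range(5)] for x in range(5)]
            A[0][0] ^= rc
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def address_from_private_key(d):  # d: private key as an int, 0 < d < group order
    Q, pt = None, G
    while d:  # double-and-add gives the public key Q = d*G
        Q, pt, d = (add(Q, pt) if d & 1 else Q), add(pt, pt), d >> 1
    return "0x" + keccak256(Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big"))[-20:].hex()
```

Passing the private key quoted above as an integer lets you compare the output with the address field in the signed-message JSON. Note that Python's hashlib.sha3_256 is the NIST variant and produces a different address.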

Supposing that this is Jack’s private wallet (and obviously it is not) and that his computer isn’t compromised, he is the only one in the world who can produce that specific signature, and he is also the only one who can publish the sig above on his Twitter account.

If we can retrieve that tweet from a smart contract in the Ethereum VM and verify that the signature is correct, we can be sure that @jack owns 0x96feae029a90b1637ce958b7171404f66ec8b630, and save the address-userId pair in the blockchain 👏

To do it, I created two projects:

  1. Tweedentity API, an API to retrieve the tweet and verify that the address that signed it is the same one that is executing the smart contract calling the API.
  2. Tweedentity Store, a set of smart contracts that use Oraclize to call the API above and wait to get back the Twitter userId, saving the address-userId pair in the blockchain.

Advantages of this approach

If you use an in-browser wallet like Metamask, anytime you visit a web app, it injects the JavaScript library web3 in the page so that the app knows the address of the currently active wallet. This way, the app can query the Tweedentity Store smart contract in the blockchain to check if there is a Twitter userId associated with that address and interact with the user in the easiest possible way.

For example, let’s say that I want to participate in the SomeWeirdCoin ICO. The SomeWeirdCoin app, instead of asking me to sign up with email and password, just knows that I am @sullof, that I live in the Bay Area, that I have more than a thousand followers, that I am quite active on Twitter, etc. They have all that they need to allow me to participate in the ICO (or to deny it because I am a resident of the US 😞).

They just have to ask me for the address that I will use to send the ether and receive the tokens … et voilà!

🤔 What about privacy?

A first problem is evident: you can’t use just any wallet as an identity wallet because that address would be public and your entire Ethereum history would be public as well.

On the contrary, you want to use a brand new wallet that you won’t use for anything else. The problem is that to activate the identity, with the current version of Ethereum, you need a bit of gas to execute the smart contract. This implies that you have to send a bit of ether from another wallet to your identity wallet, and if you transfer the ether from another wallet of yours, the privacy is gone.

How could you solve this?

A good solution is to use ShapeShift to receive ether in exchange for a private coin like Dash, Zcash or Monero.

The good thing is that if you don’t own any of them, you can use ShapeShift to buy them. The not so good thing is that exchanges on ShapeShift are relatively expensive. However, since we are talking about your identity and it’s a one-time operation, I think that it is worth spending a little bit on it.
I successfully tested the process exchanging a bit of Dash for 0.005 ether, more than enough to activate the tweedentity.

A simpler (but somehow hackable) alternative is a mixer like ETH-mixer. As the name says, it mixes ether among the people requesting a mix. The more people are mixing at a particular moment, the better.

A second, more general privacy problem with Metamask (and similar in-browser wallets) is that when it is active, it injects web3 in any open tab and, consequently, any tab can know about your active wallet address. This is a weak behavior, and I am sure that MetaMask will solve it soon, allowing users to choose where to use their wallet.
(August 7th, 2018. MetaMask did it.)

What about countries from which you can’t access Twitter?

I thought a lot about the fact that, among others, my Chinese friends living in China cannot access Twitter and, consequently, can’t have a tweedentity. For this reason, I am studying how to develop a parallel verification for Sina Weibo.

Future developments

First off, I have to say that my initial idea was to use Oraclize just to retrieve the tweet and do the signature verification in the contract. The problem with this approach (that you can find in this branch of the repo) is that the cost of the execution was crazily high, requiring a gas limit of more than 2,000,000, which is around 0.042 ETH at a gas price of 21 Gwei, i.e., ~$35 🙀
I am sure that that could be optimized, but not that much. So, sadly, I abandoned the pure decentralized solution.

To improve the decentralization, the idea is to deploy the API server in a Docker image on the Docker Hub so that I can ask Oraclize to download, install and execute the image. This way, anyone can download the image and audit it, making the API trustworthy. The downside is that the cost of the verification will be higher for the user, and this is the only reason why I won’t start with this solution from the beginning.

That said, before these improvements, my next goal is to deploy API and contracts, and build the Tweedentity website with a ÐApp that makes the entire process super easy.

Any suggestion, comment, or criticism is very welcome. Anyway, the second round of the 0xNIL IFO will be perfect to verify that tweedentities do the job.

If you like this post, please 👏 and share it!
