diff --git a/bitcoin_payment_pow_for_anon_identity_strengthening.md b/bitcoin_payment_pow_for_anon_identity_strengthening.md new file mode 100644 index 0000000000..b97b2ce258 --- /dev/null +++ b/bitcoin_payment_pow_for_anon_identity_strengthening.md @@ -0,0 +1,189 @@ +# NIP-Z: Anonymous Bitcoin-Fee-Based Proof-of-Work for Identity Strengthening + +Draft — Work in Progress + +## 1. Summary + +This NIP defines a mechanism for generating anonymous, non-replayable Proof-of-Work (PoW) for Nostr identities using Bitcoin transaction fees. +Users prove in zero knowledge that they created a Bitcoin transaction that: + +- Pays `fees ≥ threshold`, and +- Commits to their anonymous identity inside a Taproot Pay-to-Contract (P2C) output, without revealing which Bitcoin transaction was used. + +The resulting PoW update event strengthens an anonymous identity without leaking any link between Nostr activity and Bitcoin activity. + +## 2. Motivation + +Bitcoin transaction fees represent verifiable, irreversible economic cost. +By binding a Bitcoin payment to a hidden identity commitment, users can: + +- Strengthen their anonymous identity (increase trust), + +- Without revealing which Bitcoin address or transaction they used, + +- Without relying on centralized services. + +This PoW is: + +- **Unstealable** (others cannot reuse your tx), + +- **Unlinkable** (no on-chain identifier ties to your identity), + +- **Non-replayable** (each tx can be used only once), + +- **Decentralized** (no trusted parties). + +## 3. Identity Commitment + +User chooses a private secret s, computes: + +C = H(s) + + +C is the anonymous identity commitment used in PoW. + +## 4. Taproot Pay-to-Contract Commitment + +To bind a Bitcoin transaction to C without revealing it: + +Nostr client generates a Taproot internal key: + +`P = internal_pubkey` + + +Compute Taproot tweak: + +`t = H(P || C)` + + +Compute tweaked Taproot output key: + +`Q = P + t·G` + + +Encode Q as a standard Taproot address (bech32m): + +`bc1p...Q` + + +User then sends any Bitcoin amount from any wallet to this address. + +### Privacy guarantee + +- On-chain observers see only Q. + +- They cannot detect the commitment. + +- They cannot derive C, s, or whether P2C was used. + +## 5. Requirements for the Bitcoin Transaction + +The PoW Bitcoin transaction tx must: + +- Include at least one output paying to Taproot key Q, + +- Have fee = sum(inputs) - sum(outputs), + +- Satisfy `fee ≥ pow_threshold`. + +The funds remain spendable by the user because they know the internal private key and tweak. + +## 6. ZK Proof Statement + +User proves in zero knowledge: + +**Private Inputs** + +``` +s (identity secret) + +tx (full Bitcoin transaction) + +P (internal Taproot pubkey) + +Bitcoin Merkle branch (block inclusion proof) + +fee (computed internally) +``` + +**Public Inputs** + +``` +C + +txid_hash = H(txid) + +pown = H(txid || s) (PoW nullifier) + +pow_threshold +``` + +**Constraints** + +1. C = H(s) +2. Transaction is included in the Bitcoin chain. +3. `fee ≥ pow_threshold`. +4. Transaction contains a Taproot output Q = P + H(P || C)·G. +5. pown = H(txid || s) (prevents reuse across identities or updates). + +**Proof outputs:** + +``` +C + +pown + +txid_hash + +ZK proof +``` + +The Bitcoin transaction itself is never revealed. + +## 7. PoW Update Event + +Kind: `39011` + +**Tags:** + +``` +["c", ""] +["pown", ""] +["txh", ""] +["work", ""] +``` + +**Content:** +Base64-encoded ZK proof described above. + +**Relay/MRP behavior** + +- Verify the ZK proof. +- Reject if txid_hash or pown was previously used. +- Add work to the identity’s PoW score. + +## 8. Security Properties + +**Unlinkability** +- No Bitcoin address or tx is exposed. +- Taproot tweaks hide commitments invisibly. +- Proof reveals nothing about which UTXOs were used. + +**Unstealable PoW** +- Only transactions committing to C can strengthen identity C. +- Attackers cannot reuse someone else’s tx. + +**Non-Replayable** +- Each tx yields a unique pown = H(txid || s). + +**Decentralized** +- Anyone can verify the proof. +- No centralized registry of transactions. +- No trusted setup beyond ZKP scheme assumptions. + +## 9. Notes + +- Multiple P2C PoW events accumulate as increasing trust score for the identity. +- Users may keep or later spend the funds sent to their P2C address. +- No custom Bitcoin wallet is required: +- Users only need to send to a generated Taproot address. diff --git a/nip_x_merkle_root_provider.md b/nip_x_merkle_root_provider.md new file mode 100644 index 0000000000..e77cc7043b --- /dev/null +++ b/nip_x_merkle_root_provider.md @@ -0,0 +1,197 @@ +# NIP-X: Merkle Root Providers (MRPs) + +## Identity Commitment Trees for Anonymous, PoW-Weighted Actions + +NIP: X + +Title: Merkle Root Providers (MRPs) + +Author: Stelios Rammos + +Status: Draft + +Type: Standard + +Created: 2025-06-12 + +License: MIT + +## 1. Summary + +This NIP defines the **Merkle Root Provider** (MRP) role: a service that maintains an anonymous identity commitment tree using public Nostr events (`39011`) and periodically publishes configuration metadata and Merkle root snapshots (`39012`). +MRPs can be replaced or replicated by anyone, as both their inputs and deterministic rules are fully public. + +This NIP enables the identity layer used by NIP-Y for anonymous, PoW-weighted Nostr interactions. + +## 2. Motivation + +Identity commitments and PoW-based trust scoring require deterministic, globally replayable state. +Rather than requiring every relay to maintain its own Merkle tree, this NIP: + +- Defines a standardized identity-tree service + +- Ensures deterministic replayability and replaceability + +- Enables relays/clients to verify ZK proofs offline using published roots + +- Allows multiple MRPs to coexist with varying policies + +- Keeps Nostr decentralized—relays choose which MRPs to trust + +- MRPs do not see or verify anonymous action proofs; they only publish public state. + +## 3. Definitions + +**Identity commitment:** `C = H(s)` + +**PoW score:** accumulated work for commitment C + +**Leaf:** `(C, pow_score)` + +**Membership tree:** Merkle tree over all leaves + +**Root snapshot:** Merkle root published as a Nostr event + +**MRP:** A service that produces the membership tree/roots + +## 4. Consumed Events + +MRPs MUST ingest a single event type to build and update the membership tree. + +### 4.1 Identity & PoW Update (Kind 39011) + +Registers or updates an anonymous identity commitment `C = H(s)` and optionally +adds PoW to it. + +**Kind:** `39011` +**Required Tags:** + +``` +["c", ""] +["work", ""] +["root", ""] (optional for first update) +``` + +- `c`: identity commitment `C = H(s)`. +- `work`: amount of PoW to add (MAY be `"0"`). +- `root`: the MRP root used when generating the proof (if required by the circuit). + +**Content:** + +- If `work > 0`: base64-encoded ZK proof asserting: + 1. knowledge of `s` with `C = H(s)`, + 2. valid PoW (`H(s || n)` meets difficulty), + 3. correct derivation of `work`, + 4. (optionally) relation to `root`. +- If `work = 0`: MAY be empty or contain a lightweight proof; MRPs MAY ignore + such events or treat them as zero-score registrations. + +**MRP behavior:** + +- If `work > 0`: + - Verify the ZK proof. + - If invalid → ignore. + - If valid: + - If `C` is new, create `{ C, pow_score = work }`. + - If `C` exists, increase `pow_score(C)` by `work`. + - Recompute the membership tree and publish a new root (39013). +- If `work = 0`: + - MRPs MAY: + - ignore the event entirely, OR + - insert `{ C, pow_score = 0 }` without requiring a proof. + +## 5. Produced Events + +### 5.1 Config & Root Snapshot (Kind 39012) + +MRPs MUST publish Merkle roots and monotonically increasing sequence numbers. + +Tags: + +``` +["mrp", ""] +["root", ""] +["seq", ""] +["leaf_order", ""] +["pow_func", ""] +["pow_min", ""] +["config_version", ""] +["leaf_count", ""] (optional) +["upto_created_at", ""] (optional) +``` + +These roots allow clients to construct anonymous proofs and relays to verify them. + +## 6. Replaceability + +MRPs MUST be fully replaceable. + +A new MRP can perfectly replicate an old one if: + +- All identity and PoW events (`39011`) are public + +- The configuration event (`39012`) is public + +- All root snapshots (`39013`) are public + +Any party MAY replay all events + configuration to generate identical roots and seamlessly continue the role of a disappeared MRP. + +## 7. Root History Window + +Relays SHOULD maintain a cache of recent root snapshots for verification. + +Proofs referencing any cached root SHOULD be accepted + +MRPs do not need to be online for proof verification + +Caches MAY be time-based or size-based + +Relays MAY employ strict mode (only latest root), but this is discouraged. + +## 8. Trust Model + +Clients and relays independently choose which MRPs to trust + +Proof events MUST specify: + +`["mrp", ""]` + +`["root", ""]` + +Relays verify proofs only against trusted roots + +Multiple MRPs MAY coexist. + +## 9. Rationale + +Separating MRPs from relays: + +- Reduces complexity for relays + +- Enables proof reuse across relays + +- Allows specialized infrastructure for identity trees + +- Preserves decentralization through replaceability + +## 10. Backwards Compatibility + +This NIP introduces new kinds and does not affect existing Nostr behavior. + +## 11. Reference Implementation + +TBD — minimal reference implementation MUST: + +- Ingest events + +- Maintain `(C, pow_score)` pairs + +- Build Merkle tree + +- Publish root snapshots + +- MUST determine the algorithm used for the merkle tree and proof. + +## 12. License + +MIT diff --git a/nip_y_anon_pow_based_actions.md b/nip_y_anon_pow_based_actions.md new file mode 100644 index 0000000000..1d05f2aade --- /dev/null +++ b/nip_y_anon_pow_based_actions.md @@ -0,0 +1,290 @@ +# NIP-Y: Anonymous, PoW-Weighted Actions + +Title: Anonymous, PoW-Weighted Actions + +Author: Stelios Rammos + +Status: Draft + +Type: Standard + +Created: 2025-12-06 + +License: MIT + +Depends: NIP-X + + +## 1. Summary + +This NIP defines anonymous, Sybil-resistant, verifiable actions (like views, likes, etc.) for Nostr notes. +Users maintain anonymous identity commitments, accumulate PoW trust scores, and publish zero-knowledge proofs that assert: + +- Membership in an MRP-maintained identity tree + +- A PoW score meeting relay/client thresholds + +- Uniqueness via cryptographic nullifiers + +- Proofs reveal no identity or linkable metadata. + +## 2. Motivation + +Native Nostr likes (kind 7) reveal identity and create full reaction graphs. +Views (for analytics) are either not available or entirely local. + +This NIP allows: + +- Private, unlinkable interactions + +- Strong Sybil resistance via PoW + +- Relay-verified uniqueness of actions + +- PoW-weighted engagement metrics + +- Compatibility with existing Nostr infrastructure + +## 3. Identity Layer + +Defined in NIP-X: + +``` +C = H(s) +Leaf = { C, pow_score } +``` + +Users never reveal `C` or `s`. + +## 4. Nullifiers + +To ensure unique actions: + +``` +N_view = H(s, "view", event_id) +N_like = H(s, "like", event_id) +``` + +Nullifiers: + +- enforce uniqueness + +- do not reveal identity + +- cannot be linked across events + +## 5. Event Kinds + +Purpose Kind: +- Anonymous View Proof `39014` +- Anonymous Like Proof `39015` + +## 6. Proof Event Specifications + +### 6.1 Anonymous View Proof — Kind 39014 + +Tags: + +``` +["mrp", ""] +["root", ""] +["e", ""] +["n", ""] +["pow", ""] +["type", "view"] +``` + +**Content:** Base64-encoded ZK proof. + +Relay behavior (optional): + +- Verify ZK proof + +- Confirm trusted MRP + +- Confirm root is in cache + +- Reject duplicate nullifiers + +- Count view + +### 6.2 Anonymous Like Proof — Kind 39015 + +Tags: + +``` +["mrp", ""] +["root", ""] +["e", ""] +["n", ""] +["pow", ""] +["type", "like"] +``` + +**Content:** Base64-encoded ZK proof. + +Relay behavior (optional): + +- Verify ZK proof +- Enforce nullifier uniqueness +- Count like + +## 7. ZK Circuit Requirements + +**Public Inputs** +``` +event_id +membership_root +action_type +pow_threshold +nullifier_out +``` + +**Private Inputs** +``` +s +C = H(s) +pow_score +merkle_path +``` + +**Constraints** + +- `C = H(s)` + +- Leaf `(C, pow_score)` is included in `membership_root` + +- `pow_score ≥ pow_threshold` + +- `nullifier_out = H(s, action_type, event_id)` + +## 8. Client Workflow +### 8.1 Fetch MRP State + +Clients subscribe to: + +- MRP configuration (`39012`) + +- MRP root snapshots (`39013`) + +### 8.2 Generate Proof (Offline) + +1. Select MRP + valid root + +2. Compute nullifier + +3. Generate ZK proof offline + +### 8.3 Publish Proof Event + +Send `39014` or `39015` with: + +``` +["mrp", ""] +["root", ""] +["e", ""] +["n", ""] +["pow", ""] +``` + +## 9. Relay Workflow + +Relays COULD: + +- Confirm the referenced MRP is trusted + +- Check the root is stored in its root-history window + +- Verify the ZK proof + +- Enforce nullifier uniqueness + +MRPs are not contacted during verification. + +## 10. Security Considerations + +- Nullifiers must be checked per (event_id, action_type). + +- PoW thresholds determine spam resistance. + +- Cached roots must be authentic MRP snapshots. + +## 11. Privacy Considerations + +- Proofs are unlinkable across events + +- Nullifiers leak nothing about identity + +- PoW updates reveal no user behavior + +## 12. Rationale + +This NIP separates: + +- Identity state management (NIP-X) + +- Anonymous interaction proofs (this NIP) + +- allowing relays and clients to adopt different MRPs while keeping proofs local, verifiable, and privacy-preserving. + +## 13. Backwards Compatibility + +This NIP introduces new event kinds. It does not modify or conflict with existing Nostr semantics. + +## 14. Proof Size and Event Weight + +Anonymous view/like proofs can use succinct SNARKs (e.g., Groth16), keeping events small. + +Typical proof size: ~200–250 bytes + +Base64 content size: ~300–400 bytes + +Total event size (including tags): ~600–800 bytes + +The circuit is minimal (hash checks, Merkle inclusion, PoW comparison), so proof size does not grow with tree size. Events remain lightweight, efficient to gossip, and suitable for mobile clients. + +## 15. Diagram + +```mermaid +sequenceDiagram + autonumber + + participant C as Client + participant M as MRP
(Merkle Root Provider) + participant R as Relay + + Note over M: Startup
Publish first root snapshot + M->>R: 39012 (MRP Config & Root Snapshot)
root=X, seq=n + + Note over C: Identity creation + C->>R: 39011 (Identity & PoW Update)
C=H(s), work=0 or >0 + R->>M: Forward 39011 + + alt work > 0 + M->>M: Verify ZK PoW proof
Update pow_score(C) + else work = 0 + M->>M: (Optional) register C with pow_score=0 + end + + M->>R: 39012 (MRP Config & Root Snapshot)
root=X, seq=n + + Note over C: Client syncs identity state + C->>R: REQ for 39012 and 39013 + R->>C: Return latest MRP config + roots + + Note over C: Build anonymous proof offline + C->>C: Compute nullifier N
Generate ZK proof using root=X + + Note over C: Publish anonymous view + C->>R: 39014 (Anonymous View Proof)
tags: mrp, root, e, n, pow + + R->>R: Verify ZK proof
Check root in cache
Check nullifier uniqueness + + Note over R: Accept/Count View + + R->>R: Verify proof + nullifier
Count Like +``` + +## 16. License + +MIT