Hacker News
Using the NFC Chip of the Passport to Do Proof-of-Work (medium.com/janmoritz_48488)
96 points by herendin2 on May 4, 2020 | 65 comments



There may be some unstated assumptions here that I'm missing, but as presented this does not appear to be a useful idea.

The meat of the idea, as I understand it, is: passports can be easily validated (because they contain a secret key signed by a government's Document Signing Certificate), but they cannot be cloned (because that secret key is in tamper-resistant hardware). So let's prove work by generating preimages of signatures under these keys.

Trusting this purported PoW system requires that you trust the government not to issue fake certificates. Otherwise, they can just use their signing key to generate lots of new certificates and massively parallelize the "proof of work". Moreover, at the point that you trust the government to behave honestly, there's no need for proof of work! Since you're trusting that a passport key is uniquely tied to an individual, you can (for example) just vote---the required assumption already implies that there cannot be any Sybils. (Or use any other mechanism that requires Sybil-free PKI, since that's what the assumption implies.)

(As another practical matter, there does not appear to be any reason to believe that each individual only has one physical passport. Some countries allow people to have multiple passports.)


> that you trust the government not to issue fake certificates

But we know it's not true - the government does issue fake passports, e.g. for spies, maybe for other purposes too.

> each individual only has one physical passport

Passports can be lost. In that case, the government keeps the database of revoked passports (IIRC in cases I've seen they actually track when the latest one was issued and will reject ones with earlier issue date). However, if you don't have access to that database, I don't think you have any way to distinguish between passports issued to the same person.

And that would be true for pretty much every country I imagine - I don't think any country would not allow their citizens to replace a lost passport.


People also get multiple passports for things such as traveling to countries where having a visa from one in your passport would preclude you from entering the other. Military service or diplomatic service often means you get a "black" diplomatic passport, which would have the same chip in it as any other e-passport. You can be sending one passport in to receive a visa (Russia, for instance, can take over a month), but you still need to travel so you're issued a secondary temporary passport. I'm sure there's dozens of other exceptions on why assuming every user has only one passport doesn't work out. (This is aside from the fact North Korea or China can just issue 10,000's of fake passports to hack this anyways)


People get multiple mining machines. Some even multiple thousands. It is not necessarily about more democracy where one person has only one vote, but it is about more true decentralisation of control - as I understand it.


One solution that I have thought of is to have a mining difficulty by country and another one by passport. If the passports of a certain country mine a lot of blocks the difficulty for this country would increase. In this scenario it would take 51% of the countries to go rogue in order to perform a 51% attack.

Another thing to implement as well is to increase the difficulty for a passport to find a new block once it has already found a block. This way even if someone extracts the private key of a passport he will only be able to take a very limited advantage out of it because the difficulty for him would skyrocket; as a consequence the reward of doing this should be lower than the costs of doing the hardware hacking.


> One solution that I have thought of is to have a mining difficulty by country and another one by passport. If the passports of a certain country mine a lot of blocks the difficulty for this country would increase.

But countries are a completely arbitrary distinction. Should Liechtenstein mining 100 blocks raise its difficulty as China mining 100 blocks? If not, how should we weigh each country? By population? By GDP? What's stopping countries from gaming their statistics to get more votes?


It doesn't matter, mining difficulty is automatically determined by how much mining is being done.


The NFC chips have static processing capability and do not scale with difficulty like a bitcoin server farm.

How does increasing the mining difficulty affect the time it takes to scan a passport in line at the airport? It seems counter-intuitive to make passport processing take longer for higher-frequency travelers.


> How does increasing the mining difficulty affect the time it takes to scan a passport in line at the airport?

It doesn't. The idea is not to change the actual passport, it is to change the software that uses the passport to perform these calculations. That software would have to ask the passport to do 10000x operations instead of 100x. But each would take the same time as before.


You're describing a blockchain with nation-level votes instead of proof of work. I don't see any valuable properties in such a system compared to a normal bank. If the member nations get to control the contents of the blockchain anyway (because they can locally decide to do sybil attacks or whatever), why would I bother using such a system instead of just having an account at Barclays or whatever?


Barclays doesn't require the consensus of 51% of countries to do shenanigans. Plus their shenanigans are easy to keep hidden for years, whereas this attack would be quite obvious as it was performed.

Yes, both require some level of trust in governments, but that doesn't mean they are the same.


This sounds like the UN...

Representatives from each country are voted in by the people, and those representatives vote...

(for now assume all countries have perfect democracies and the UN does away with its veto system)

Overall, it works, but I suspect we wouldn't see the explosion of "Blockchain 2.0" companies if instead they were "UN Governance 2.0" companies...


I agree there's no real need to use PoW this way.

But this could be interesting as a sybil-resistant voting mechanism. It could be helpful for experiments in quadratic voting, liquid democracy, etc.

As you point out it's not perfect, which is why I used the word "experiment," but it's a step forward at least.


Even if the consensus rules accept any passport public key certified by a government, how would this cope with revoked passports? Or worse yet, with a revoked government certificate signing key?

This idea goes against the decentralized, trustless and permissionless nature of cryptocurrencies.


Revoked government certificates are published on the website of the ICAO, so it isn't very difficult to get this information. For revoked passports there is no solution as of now.


Consensus rules must be verified using on-chain data only and cannot depend on website access.


I’m nitpicking, but there’s no rule that a blockchain node can’t check a website before deciding whether a block is valid or not. It’s usually a bad idea, since if the page changes between different nodes’ requests, those nodes would end up disagreeing on validity. And it’s not necessary for this scenario. But it’s possible. It does imply trusting the owner of the website, whereas most cryptocurrencies aim to be trustless, but in this case the premise already involves trusting the government.


True, but if the website provides an API and signed data, it can be possible to verify the signature on chain in a smart contract.


I think this is his future direction, providing an API that can be verified


A Hammer in Search of a Nail

Proof of Work requires no secret information as an input and has to be easy to verify. But most importantly, why would anyone do this?

A passport issuer can act like a certification authority; this is not a trustless system where PoW can be used for something. Public key infrastructure is a solved thing with its own problems, but verification is not one of them if the authority is working as it should.

EDIT: Let's not even mention that smartcards have effective lifetime and efficiency.


Hacking is not always about useful solutions. It’s about experiments that may work out or not work out.


I think the author of this piece has not fully understood the concept of proof-of-work. Hashing algorithms are used precisely because they do not rely on a private key - and thus everyone can verify work that has been claimed to be done.

Passports signing some data would provide a different output for every passport. You could verify that the person doing the hashing indeed is the person who owns the passport if you distributed the public key. But what is the point of this?

Additionally there are other issues on so many different levels with this idea: lack of anonymity, an artificially constrained hash rate (if there's an incentive to increase the hash rate, someone _will_ extract the private key from their passport and mine on dedicated hardware), wearing out the NFC chip through massive use, creating an incentive to steal passports...


As I read it, the point is not to authenticate individuals but rather to use the relative scarcity of passports as the bounding factor for executing a sybil attack.


> Hashing algorithms are used

There's more to mining than hashing

https://cryptorials.io/beyond-hashcash-proof-work-theres-min...


> lack of anonymity

The anonymity of Bitcoin has led to it being mostly only used for crime and scams. Getting rid of it may be seen as a feature by many rather than a drawback.


> because they do not rely on a private key - and thus everyone can verify work that has been claimed to be done.

Huh?

While, yes, it is necessary that everyone can verify that the work has been done, one can certainly check that a signature signed by a private key, is a valid signature corresponding to a given public key.

My understanding of the idea proposed, is that the mining here would consist of, instead of hashing (hash of previous block + transactions + nonce-for-which-many-values-are-tried), and succeeding if the hash is small enough, just the same thing except with signing instead of hashing.

Though, the public key would need to be specified, either along with or as part of the block, or maybe if it had been used before, just referenced, which, as public keys are iirc not all that small, might cause some issue? (Not sure how much data is in a typical block in existing chains.)

I agree with the other issues you mention (privacy, incentive to steal passports, wearing out the chip).

While I don’t think this is probably that great of an idea, I would like to describe some possible mitigations for some of the issues.

One person mentioned that, if one key was used substantially more frequently than others, which are also actively being used, that that could be taken as indication that they had extracted their private key and are running on alternate hardware, and could thus be penalized in some form (e.g. there could be a cap on the rate at which a given private key’s blocks could be accepted. If each chip has a fixed maximum hash rate, then if they are producing blocks at a rate which would be statistically implausible at the given difficulty level, they can’t mine more blocks until it would be plausible). (This countermeasure of course relies on the lack of privacy.)

As for wearing out the NFC chip, I imagine that it could be possible to mitigate this somewhat by limiting how frequently it is useful to call the chip.

How could this be done? Suppose we make the hashing algorithm a little more complicated, in order to make it so that for each block, only a fraction of the miners are able to use their hashing power: To mine a block, first sign (hash of previous block + the current time, but discretized to intervals a little shorter than the desired block time), with no nonce. If the value of this signature is small enough, only then can you proceed to the next step. (In case no one gets a signature small enough for this step, the difficulty for this step depends on the time since the previous block, such that for a sufficiently long time it is certain to succeed). Then, if the previous step succeeded, make signatures of (the signature just mentioned + the transactions to include + a nonce).

(This part would be where the limit on rate of work would have to be applied)

The single check per block time would not contribute nearly as much wear to the chip, and if the fraction of miners which pass the first step were to be adjusted based on the number of active miners, the average number of attempts for the second stage could be kept relatively low.

It seems like this would keep the average rate of uses of the chip, while still much higher than was intended, still fairly low.

A possible exploit to what I just described!: if there are multiple latest blocks, then in the first stage, or generally if there is a fork (possibly from an attack), then if the block which you would ordinarily consider the current head of the chain, doesn’t result in you getting past the first stage, because you aren’t doing anything else with your hashpower, you may as well try signing on some alternative head! This appears to break the incentive to always attempt to mine on the true/main chain!

That’s a problem!

(Essentially “which head to use” ends up playing the role of the nonce.)

Two possible solutions to this:

1) because these are signatures, not hashes, if one does this, it is possible for others to prove on the main chain that one has done this, and therefore it can be punished.

2) Have the first check not involve the previous block at all, just include the time, and have the second check (the one which includes the nonce) be the one to include the hash of the previous block.

Notably, with the second case, one can compute far ahead of time what difficulty levels would result in being a candidate for the second check. This would, I suppose, make some things easier for miners to plan? It also might open up some attacks by giving people an incentive to alter the difficulty at different times?

But, I suspect that if we are to use an assumed-unique-per-person keypair system, I suspect we don’t even need PoW at all? Because it already solves Sybil attacks, and in that context aren’t there already older solutions to reaching consensus on event orders? I could be wrong about that.

Also, yes, the incentive to steal passports is an issue. However, is the incentive to steal mail-in-ballots or buy votes not also an issue? When we attempt to restrict the distribution of how much influence people have over something that people want to influence, it produces an incentive for people to transgress against that restriction in order to gain more influence.

General-purpose-influence-over-the-world has a kind of gravity, the more one has, generally, the easier it is to obtain more. Any substantial attempt to go against this tendency is likely to encounter difficulties.

That doesn’t mean it isn’t ever worth it.
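The rate cap suggested in the comment above (stop accepting blocks from a key once its block count would be statistically implausible for a real chip), as an added example that is not part of the thread. The chip signing rate, the per-signature success probability, the rejection threshold, the Poisson approximation, the epoch-based window and all function and key names are assumptions made for illustration.

```python
import math

# Assumed figures for illustration only; the thread gives no numbers.
CHIP_SIG_RATE = 2.0    # signatures per second a genuine chip can produce (assumption)
P_BLOCK = 1e-5         # chance that one signature meets the difficulty target (assumption)
ALPHA = 1e-6           # reject when the observed count is less likely than this

def _pmf(i, lam):
    """P[X = i] for X ~ Poisson(lam), computed in log space to avoid overflow."""
    return math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))

def poisson_tail(k, lam):
    """P[X >= k] for X ~ Poisson(lam)."""
    if k <= 0:
        return 1.0
    if lam <= 0.0:
        return 0.0
    if k <= lam:  # tail is large here, so taking the complement loses no precision
        return 1.0 - sum(_pmf(i, lam) for i in range(k))
    total, i, term = 0.0, k, _pmf(k, lam)
    while term > total * 1e-17:  # terms shrink monotonically once i > lam
        total += term
        i += 1
        term *= lam / i
    return total

def is_plausible(blocks, elapsed_s, rate=CHIP_SIG_RATE, p=P_BLOCK, alpha=ALPHA):
    """Could a chip signing flat out for elapsed_s seconds have found `blocks` blocks?"""
    lam = rate * elapsed_s * p  # expected block count (Poisson approximation)
    return poisson_tail(blocks, lam) >= alpha

def seconds_until_plausible(blocks, elapsed_s, **kw):
    """Extra waiting time before `blocks` blocks from one key stops being implausible."""
    if is_plausible(blocks, elapsed_s, **kw):
        return 0.0
    lo, hi = elapsed_s, max(elapsed_s, 1.0)
    while not is_plausible(blocks, hi, **kw):
        hi *= 2.0
    for _ in range(60):  # bisection; plausibility is monotone in elapsed time
        mid = (lo + hi) / 2.0
        if is_plausible(blocks, mid, **kw):
            hi = mid
        else:
            lo = mid
    return hi - elapsed_s

def filter_blocks(blocks, epoch_start=0.0):
    """Apply the cap to (timestamp, key_id) pairs in chain order.

    Returns (accepted, rejected). A key's count only grows when a block is accepted,
    so a throttled key becomes eligible again once enough time has passed.
    """
    counts, accepted, rejected = {}, [], []
    for ts, key in blocks:
        k = counts.get(key, 0) + 1
        if is_plausible(k, ts - epoch_start):
            counts[key] = k
            accepted.append((ts, key))
        else:
            rejected.append((ts, key))
    return accepted, rejected

# Constructed sample: one key mining at chip speed, one producing a block every 10 minutes.
SAMPLE = sorted(
    [(40_000.0, "key-honest"), (95_000.0, "key-honest"), (160_000.0, "key-honest")]
    + [(600.0 * n, "key-fast") for n in range(1, 21)]
)

if __name__ == "__main__":
    ok, bad = filter_blocks(SAMPLE)
    print("accepted:", len(ok), "rejected:", len(bad))
    print("wait for 40 blocks in a day: %.0f s" % seconds_until_plausible(40, 86_400.0))
```

The check only bounds how much a single extracted key can earn; it does nothing against many freshly certified keys, which is the objection raised elsewhere in the thread.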


This offers literally none of the security properties that are required for a secure decentralized currency and betrays a very fundamental misunderstanding of what proof of work is for or its (economic) security properties.

The most obvious problem with this proposal is that it’s clearly not secure - if someone manages to make fake passports (either because the cryptosystem isn’t secure, they steal the signing key, or they control the passport issuance authority) they fully control the system.


I answered a solution to this in another comment, above. If the mining difficulty is set by country, it would take 51% of the countries to go rogue in order to perform a 51% attack.


So what you're actually proposing is a blockchain where the mining process is based on e.g. UN member countries voting. Cool, but that's not proof of work, it's not a cryptocurrency, and it's not very useful. They already have something a lot like this - it's called "Banks in the EEA".


> I am surprised that so little has been done to combine the NFC capabilities of passports with the blockchain and hope that this field will be explored in the future.

If you are surprised about why a technology is missing, sometimes it means that you have come up with something novel. Other times it means that you have come up with another idea that was ruled out by others.

In this case, it's the latter. The utility of cryptocoins is due to trustless, decentralized storage/transfer of value. If it's not decentralized, it's useless. If it's not trustless, it's useless.


Hmm, those big projects like btc or eth are NOT at all decentralised, that is just a meme. It is more like proof-of-materialism. That alone is a good reason to keep on searching for other decentralised solutions. Btc is already ruled out by the majority of people on this planet.


The existence of "permissioned blockchains" disagrees with that assertion. Lots of people are interested in them, despite requiring trust.


The article never clearly states it, but the goal of proof-of-work, and by extension this protocol, is to throttle access to write privileges on a ledger.

Bitcoin does this by forcing miners to grind on a nonce to try to get a block hash below a certain value.

In this protocol, it appears that miners would do the same thing.

The difference is that the supply of passports is considered limited. A given person only gets one. That suggests that it might be possible to avoid the ever-increasing difficulty that Bitcoin has faced.

Bitcoin was intended as a one CPU, one vote system. This new one appears to be intended as a one passport, one vote system.

There are two main concerns with such a system:

1. security - how easy is it to forge passport identities?

2. privacy - how easy is it to link a signature to the original passport?

I suspect the actual utility of this protocol revolves around these two points.


> how easy is it to forge passport identities?

Very easy for governments.


But very hard for everyone else. The e-passport chip needs to be signed with the government's private key. Also, governments publish lists of all the e-passports they've created, so they could slip a few by but if they started creating large amounts of passports it would be noticed.


> A given person only gets one.

Not really. Consider: old passports, multiple citizenship, emergency passports, identity cards which can be used as passports, etc.


I generally agree with a minor quibble: There isn't an identity card that can be used as a passport. There are identity cards that are sufficient for limited travel and are unrecognized elsewhere. In the relatively widespread EU++ ID card system, at least in the country I live in, ID cards can't even be used in biometric immigration gates which require passports.


Americans can actually get a "passport card" which functions like the EU national identity cards, within the United States. It is intended for use within the United States, as ID laws are changing. However, the RFID chip in the US passport card only has the identifying number encoded in it, for lookup in government databases. US biometric passports of course contain all of the traveler's information. Likewise EU national identity cards are biometric, as this is the standard.

With respect to the EU, as you know, there is to be a transition to biometric EU national ID cards, if countries have not already switched to them. The vast majority of countries already have. Some EU national ID cards are more useful than others, giving people online identities, for example.

Although I am culturally an American, I am also Croatian. I hold two citizenships. Croatia participates in the eID scheme [1]. Next time I go to Croatia, I am getting my eID, so I have an official identity on the internet. I am excited, as silly as it sounds.

[1] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eID


A US passport card is sufficient for entry via land or sea ports only to: Canada, Mexico, The Caribbean and Bermuda.


The passport RFID chip contains the expiration date, so you can eliminate expired passports.


> assume that passport chips are similar enough so that they would provide a similar signing rate per second. Making it probably the most egalitarian POW mechanism that could exist.

If you're going to base a system on this, you'd need to be prepared for the possibility of the government passport-issuing service switching to a different chip (different vendor, next gen design, etc.).

It might be equal now, but what happens if everyone who renews their passport suddenly starts getting different hardware? People could even realize what's going on and there might be a mad rush to renew passports.

Basically, when you piggyback on someone else's system, you add a variable you don't control.


Reminds me of when a new ASIC chip is released. But yes, this could be an issue.


Yes, I guess if your goal is proof of computational work, it is hard to really control the ecosystem no matter where you turn.


Not sure if proof-of-work is a great use-case here, but leveraging NFC chips in passports could be a great proof-of-personhood in a field where it is extremely hard to do so. If you have proof-of-personhood you can do things like airdrops much more effectively without giving a huge amount of coins to someone with a ton of compute-power.


This is what UBIC is doing by basically distributing a continuous airdrop every block to all registered e-passport holders. Q was trying to do the same, both projects are mentioned on the bottom of the article.


Oh that's great! I obviously didn't read the links at the bottom. Too bad UBIC isn't on any exchanges yet.


This seems like a variant of https://news.ycombinator.com/item?id=15382911, but instead of trusting a couple of entities (Intel/AMD), you're trusting 200+ entities, with some being very corrupt?


Bitcoin trusts thousands of entities, and some are undoubtedly outright evil. The trick is requiring cooperation of an absolute majority to pull off an attack. That's harder to achieve than just between Intel/AMD.


Actually bitcoin as we know it means trusting a few dozen entities which control everything with their mining pools and of which more than 50 % hashpower are based in China. That is why I never took it too seriously.


That's not proof of work; it's proof of authority. You can jigger it any which way with randomization and challenge-response: it's still proof of authority. Not that there is anything wrong with PoA; most mined networks end up effectively PoA anyway (because dominated by 1-2 mining consortiums).

And it doesn't matter if you use a passport NFC chip or some other kind of secure element (say, a ledger nano) with strong KYC; same thing.


To the best of my knowledge, the electronic signature function in German Personalausweis/eAT/passport documents is unusable due to legal reasons since 2017 (!!) [1], and even before that it was not universally available, you had to purchase commercial one-year certificates. I'd really be interested how the author made the passport digitally sign something!

[1]: https://de.wikipedia.org/wiki/Personalausweis_(Deutschland)#...


It seems he's just talking about technical signature, and not a legal one.

It's a chip, with a hard to extract private key. You give it some input, and you get an output which is the signature of that input signed by that private key. The article isn't talking about whether this signature is legally admissible.


> You give it some input, and you get an output which is the signature of that input signed by that private key.

My point is, this is technically impossible at the moment with German ID documents because using this function requires commercial certificates, which have not been issued since 2017.


The German national ID card protocol is something completely different from the ICAO standard for biometric passports.


I accidentally left my passport in the microwave for 1 second while heating up a pain au chocolat. Now it can't be remotely sidebanded and is no longer Turing complete apparently too. Silly me!


This just means you can't use electronic passport gates, so you spend more time at border control and may be targeted for harassment for non-compliance. There's a small chance you could be fined, since the passport isn't actually yours; it belongs to the government.

The passport deliberately requires the MRV as input for the NFC data stream, so to get the data out of it a hypothetical attacker has to read your passport (because that's where the MRV is). That's why the electronic gates require you to show them the passport open at the right page with your data on it. They literally need that data to get the exact same data from NFC.

For a machine this is brilliant news, it can now let you through the gate after deciding that you're allowed in. For a human adversary it's not an improvement at all because looking at a photograph versus downloading a JPEG of the exact same photograph is not different.


I love this idea! Offering $M’s for a method to clone passports? Illegal.

Creating a crypto currency that produces $MM’s of incentive to clone passports? Totally legit.


The feature this talks about isn't free, it requires a bunch more compute capability in the NFC chip, which drives up prices and you most likely wouldn't know if you have it. What's the result?

Passports are expensive documents, but what you'd expect is that even though the document is expensive anyway there's an incentive to cut corners on expensive features that aren't noticed.

Sure enough my actual British passport (issued after it became apparent that idiot Leavers would get their way but before they wasted money having the passports arbitrarily changed colour and removing the words "European Union") does not have the "Active Authentication" feature.

It has the obligatory embarrassing photo encoded, and it carries proof this document was issued by the UKPA, for whatever that is worth, but it isn't capable of "active authentication" and so it would be useless for this PoW trick.

Now maybe the United Kingdom is an outlier. Maybe every other passport authority in the world has been issuing these for a decade. But I'd guess exactly the opposite. One or two security enthusiastic countries have it, or worse, it's available as a demo from the handful of companies that make passports, but the vast majority of people who have a passport don't have one of these.

If you own an NFC reader you can get software that checks for Active Authentication. I'd be a tiny bit interested in the results if you see anything interesting for yours.


Aha! I read further, Active Authentication is also disliked because the exact feature this blog post relies on prevents deniability - and that's a Privacy no-no, so some countries like Germany explicitly do not want it.

With Active Authentication you can basically show the passport a nonce, and get the passport to give you signed proof that it saw this nonce. As a result you can show other people that nonce, and the signature, and they know it was a real passport.

But alternative schemes avoid this: you and the passport perform a dance in which either the passport is genuine and you get the answer you expected, or it isn't and you don't, but you don't get a durable proof you can show to anybody else as output.

This latter scheme works more like a physical document while also defeating cheap "clone" attempts and so privacy-friendly countries have no reason to use Active Authentication.


I wonder if this wouldn't cause extra wear on the passport chip. I don't know if it has a counter which increments on every signature (like credit cards have); if it has, then every signature would be another write to the non-volatile memory of the chip.


There is no such thing as that. He has no limit on the number of times.


This could be useful for email authentication as an anti-spam measure. Yes, on rare occasions there are fake passports signed by governments, but not in the quantities spammers need.


Yes, it solves the basic authentication problem.


This is an amazing insight, very very well done!


Using passport verification of the project, can be a real person verification interface.



