Once again, if you take nothing else from this post, try to understand that ring signatures require no cooperation between alleged signers other than sharing a public key.
The state of the art of ring signatures
The only real ring signature usage that you can see in the wild is the cryptocurrency Monero. Ring signatures make it very difficult to trace Monero transactions, unlike Bitcoin. That’s not very helpful to whistleblowers though, what they need is an existing network of persistent keypairs tied to identities of real people.
A couple years ago I led a small project to produce a Mac app called ZebraSign that lets users create and verify ring signatures. The keys it generates aren’t usable for anything else, which means that any network based on that app would be running largely on altruism and magnanimity, which is less reliable than self-interest. I considered making the keys compatible with PGP which might have helped a bit but regardless, I foresaw a long and uphill battle in getting people to use it.[1] Fortunately, that may all be unnecessary.
Last month I learned about the open protocol NOSTR (Notes and Other Stuff Transmitted by Relay). I initially thought Nostr was just another decentralized Twitter competitor like Mastodon, but then I read that Nostr users generate and control their own private/public keypairs! That's an absolute game changer, it means there are thousands of active identities just waiting to be implicated in a ring signature. I did some searching and found that someone else had the same idea, and they created a basic command line interface for computing ring signatures using Nostr keys. It’s called Nostringer. Be warned that it has not yet received a formal security audit, so it’s not currently safe for real use.
I want there to be a graphical user interface for Nostringer so that people can use it without the command line. I’m talking to some rust developers and drafting small grant proposals. Contact me if you’re interested.[2]
Using Nostr
Here is a ring-signed message provably written by either me or famous whistleblower Edward Snowden, posted from a pseudonymous account. Given the circumstances, you will readily guess that this one was me, but you cannot prove it cryptographically. Needless to day, in real scenarios the circumstances will tend to be less clear. Here is an image, in case the relays delete it as spam:
I don't expect a bunch of Anthropic and OpenAI employees to join Nostr and open themselves up to ring signatures. But I might end up wrong about that, and in any case, AI companies are not the only institutions that could benefit from ring signatures. Someone's gotta be the change they want to see in the world.
...Okay, but should you in particular do it? If you are interested in all of this, I recommend first spending a few minutes learning about the Nostr protocol, the relays, clients, remote signers, and so on. After that, here are some additional things to consider:
Key security is essential and it is entirely the responsibility of each individual Nostr user, for better and for worse. Here is the profile of a meat-themed bot account that had to be burned due private key leakage.
If you want to delete a note, you have to send a deletion request to the relays that host it, and its up to them to fulfill that request. It’s not like deleting a tweet.
Now that Nostringer exists, any Nostr user can be implicated in a ring-signed message that they may disagree with, alongside names they may not want to be associated with.
It bears repeating that Nostringer has not yet been formally audited for security.
Relays are not blind to the requests that they receive, they are able to see who writes which content, but also who reads it.[3] This poses a trilemma: (1)be potentially tracked by relay owners (2) run your own relay (3) don’t use Nostr[4]. This is especially important for anyone using ring signatures for whistleblowing. Pay attention to which relays you’re connecting to and what identifiable information they’re getting from you. It is generally recommended to always connect through a VPN or Tor.
Nostr is a work in progress, and it’s decentralized. My experience of it has been somewhat shoddy and patchy, regardless of which client I use.
As mentioned above, spam is an issue, and a ring-signed message might get deleted for looking like spam. "Not your relay, not your notes," as they say. The best solution that I've thought of is to have multiple relays that specifically invite ring signatures, and charge different prices to post.[5] This solves the signal/noise problem: the more money it cost someone to post a ring signature, the more likely it is to be worth the trouble of running it through the verifier.
From what I can tell, Nostr has a few thousand users. Some people post notes saying that Nostr is a failed endeavor, with the hashtag #deadstr. Others post every day about the cool new apps and improvements being made. You can make your own judgment.
As with Mastodon, anyone can host their own Nostr relay with their own moderation policies. I started scrolling Nostr posts and immediately found myself wading through a bunch of racism and vacuous bitcoin hype. It reminded me of that one Scott Alexander quote: “...if you’re against witch-hunts, and you promise to found your own little utopian community where witch-hunts will never happen, your new society will end up consisting of approximately three principled civil libertarians and seven zillion witches. It will be a terrible place to live even if witch-hunts are genuinely wrong.” My experience improved after I made an account, curated my feed, and focused on long-form content. Your mileage may vary.
Tools with applications that overlap with applications of ring signatures
If an organization grants Google workspace accounts to its employees or members, one of those employees can post to StealthNote as an anonymous member of that organization.
Makes merkle trees to zero-knowledge-prove that someone within a particular group made a particular message.
It’s kind of hard for me to fully grasp from their website. But it looks like it requires a trusted manager/gatekeeper for each group. The manager can’t see who says what, but they choose who is allowed to submit messages. The manager can decline to invite people to join the group, but I can’t tell if they have other censorship options than that. I'd love to read an ELI5 for this.
Messages are tagged with unique identifiers that preserve anonymity within the group while preventing individuals from looking like multiple different users. The basic ring signature scheme does not have this feature, but linked ring signatures do.
I was planning to have this sorted out before posting, but it's only about once per year that the lack of good whistleblowing tools becomes a distinct thread in The Discourse.
This is similar to how websites can see which traffic comes from which accounts or IP addresses. It’s essential for preventing abuse, but it’s a complication for those who have valid reasons to read or write pseudonymously. This isn't a hypothetical consideration, I have pseudonymously posted some highly controversial writing online, and I made sure to use a different sign-up email and route the traffic through a proxy, just so that I wouldn’t have to think about it.
Previous: A Quick Intro to Ring Signatures
Once again, if you take nothing else from this post, try to understand that ring signatures require no cooperation between alleged signers other than sharing a public key.
The state of the art of ring signatures
The only real ring signature usage that you can see in the wild is the cryptocurrency Monero. Ring signatures make it very difficult to trace Monero transactions, unlike Bitcoin. That’s not very helpful to whistleblowers though, what they need is an existing network of persistent keypairs tied to identities of real people.
A couple years ago I led a small project to produce a Mac app called ZebraSign that lets users create and verify ring signatures. The keys it generates aren’t usable for anything else, which means that any network based on that app would be running largely on altruism and magnanimity, which is less reliable than self-interest. I considered making the keys compatible with PGP which might have helped a bit but regardless, I foresaw a long and uphill battle in getting people to use it.[1] Fortunately, that may all be unnecessary.
Last month I learned about the open protocol NOSTR (Notes and Other Stuff Transmitted by Relay). I initially thought Nostr was just another decentralized Twitter competitor like Mastodon, but then I read that Nostr users generate and control their own private/public keypairs! That's an absolute game changer, it means there are thousands of active identities just waiting to be implicated in a ring signature. I did some searching and found that someone else had the same idea, and they created a basic command line interface for computing ring signatures using Nostr keys. It’s called Nostringer. Be warned that it has not yet received a formal security audit, so it’s not currently safe for real use.
I want there to be a graphical user interface for Nostringer so that people can use it without the command line. I’m talking to some rust developers and drafting small grant proposals. Contact me if you’re interested.[2]
Using Nostr
Here is a ring-signed message provably written by either me or famous whistleblower Edward Snowden, posted from a pseudonymous account. Given the circumstances, you will readily guess that this one was me, but you cannot prove it cryptographically. Needless to day, in real scenarios the circumstances will tend to be less clear. Here is an image, in case the relays delete it as spam:
e956fd4b84a2b1cfb7ccf19475847fe8d87eac92a3d39f5f74e99122d6010671
c0: e61de2eb97feb5fac359ee0ab63fb1a85659e082c676fcf3451b893328928ef0
[0]: 7c3696c5a6ac5d0a6acf5ef003b0dfc278ecbf15707833aadb7934e6d17028d8
[1]: a8a05e6b0cc8d67eb874a3d6eeb74e3bc2bff555479d65db3bd3d58eae94b48b
I don't expect a bunch of Anthropic and OpenAI employees to join Nostr and open themselves up to ring signatures. But I might end up wrong about that, and in any case, AI companies are not the only institutions that could benefit from ring signatures. Someone's gotta be the change they want to see in the world.
...Okay, but should you in particular do it? If you are interested in all of this, I recommend first spending a few minutes learning about the Nostr protocol, the relays, clients, remote signers, and so on. After that, here are some additional things to consider:
Tools with applications that overlap with applications of ring signatures
I also never got around to getting the Apple certification, so you have to override the standard Mac security settings to use it.
I was planning to have this sorted out before posting, but it's only about once per year that the lack of good whistleblowing tools becomes a distinct thread in The Discourse.
This is similar to how websites can see which traffic comes from which accounts or IP addresses. It’s essential for preventing abuse, but it’s a complication for those who have valid reasons to read or write pseudonymously. This isn't a hypothetical consideration, I have pseudonymously posted some highly controversial writing online, and I made sure to use a different sign-up email and route the traffic through a proxy, just so that I wouldn’t have to think about it.
For more discussion about Nostr's surveillance concerns and what could be done about it, see: Proving You Belong Without Saying Who You Are and Private Relay Connections: ZK Solutions for Nostr.
Paid relays are already a normal part of the ecosystem.