Previous: A Quick Intro to Ring Signatures

Once again, if you take nothing else from this post, try to understand that ring signatures require no cooperation between alleged signers other than sharing a public key.

The state of the art of ring signatures

The only real ring signature usage that you can see in the wild is the cryptocurrency Monero. Ring signatures make it very difficult to trace Monero transactions, unlike Bitcoin. That’s not very helpful to whistleblowers though, what they need is an existing network of persistent keypairs tied to identities of real people.

A couple years ago I led a small project to produce a Mac app called ZebraSign that lets users create and verify ring signatures. The keys it generates aren’t usable for anything else, which means that any network based on that app would be running largely on altruism and magnanimity, which is less reliable than self-interest. I considered making the keys compatible with PGP which might have helped a bit since then any PGP user would be available for adding to rings, but either way, I foresaw a long and uphill battle in getting people to use it.^[1] Fortunately, that may all be unnecessary.

Recently I found out about the open protocol NOSTR (Notes and Other Stuff Transmitted by Relay). I initially thought Nostr was just another decentralized Twitter competitor like Mastodon, but then I read that Nostr users generate and control their own private/public keypairs! That's an absolute game changer, it means there are thousands of active online accounts just waiting to be implicated in a ring signature. I did some searching and found that someone else had the same idea, and they created a basic command line interface for computing ring signatures using Nostr keys. It’s called Nostringer. Be warned that it has not yet received a formal security audit, so it’s not currently safe for real use.

I want there to be a graphical user interface for Nostringer so that people can use it without the command line. I’m talking to some rust developers and drafting small grant proposals. Contact me if you’re interested.

 Using Nostr

I don't expect a bunch of Anthropic and OpenAI employees to join Nostr and open themselves up to ring signatures. But if somehow they did decide to do that, it would probably only happen after a bunch of other people (perhaps like you) did it first. Also, AI development is not the only setting that could use more transparency and less Spiral of Silence.

Here is a ring-signed message provably written by either me or famous whistleblower Edward Snowden, posted from a pseudonymous account. Below is a screenshot. Given the circumstances, you will readily guess that this one was me, but you cannot prove it cryptographically. Needless to day, in real scenarios there won't always be such an obvious interpretation--indeed, that's the whole point.

...Okay, but should you in particular wade into these waters? If you are thinking about it, I recommend first spending a few minutes learning about the Nostr protocol, the relays, clients, remote signers, and so on. After that, here are some additional things to consider:

• Key security is essential and it is entirely the responsibility of each individual Nostr user, for better and for worse. See footnote for examples of compromised accounts.^[2]
• If you want to delete a note, you have to send a deletion request to the relays that host it, and its up to them to fulfill that request. It’s not like deleting a tweet.
• Now that Nostringer exists, any Nostr user can be implicated in a ring-signed message that they may disagree with, alongside names they may not want to be associated with. That's the whole point of this post.
• It bears repeating that Nostringer has not yet been formally audited for security.
• Relays are not blind to the requests that they receive, they are able to see who writes which content, but also who reads it.^[3] This poses a trilemma: (1) be potentially tracked by relay owners (2) run your own relay (3) don’t use Nostr^[4]. This is especially important for anyone using ring signatures for whistleblowing. Pay attention to which relays you’re connecting to and what identifiable information they’re getting from you. It is generally recommended to always connect through a VPN or Tor.
• Nostr is a work in progress, and it’s decentralized. My experience of it has been somewhat shoddy and patchy, regardless of which client I use.
• As mentioned above, spam is an issue, and a ring-signed message might get deleted for looking like spam. "Not your relay, not your notes," as they say. The best solution that I've thought of is to have multiple relays that specifically invite ring signatures, and charge different prices to post.^[5] This solves the signal/noise problem: the more money it cost someone to post a ring signature, the more likely it is to be worth the trouble of running it through the verifier.
• From what I can tell, Nostr has a few thousand users. Some people post notes saying that Nostr is a failed endeavor, with the hashtag #deadstr. Others post every day about the groundbreaking new apps and improvements being made. You can make your own judgment.
• As with Mastodon, anyone can host their own Nostr relay with their own moderation policies. I started scrolling Nostr posts and immediately found myself wading through a bunch of racism and vacuous bitcoin hype. It reminded me of that one Scott Alexander quote: “...if you’re against witch-hunts, and you promise to found your own little utopian community where witch-hunts will never happen, your new society will end up consisting of approximately three principled civil libertarians and seven zillion witches. It will be a terrible place to live even if witch-hunts are genuinely wrong.” My experience improved after I made an account, curated my feed, and focused on long-form content. Your mileage may vary. 

Tools with applications that overlap with the applications of ring signatures

• StealthNote
  • If an organization grants Google workspace accounts to its employees or members, one of those employees can post to StealthNote as an anonymous member of that organization.
  • Runs on a ZK proof of a google authentication token (technical explanation).
  • Verification is done on Aztec’s end and hosted on their website, so they retain censorship authority.
• Spartacus.app 
  • Temporary anonymity for group endorsements. Identities are all revealed at once if enough people endorse within a given time period.
  • You sign up with your phone number. The site says that it will implement gatekeeping via government ID verification one of these days.
  • Quorum trigger cannot be set lower than 8 endorsements.
• Semaphore
  • Makes merkle trees to zero-knowledge-prove that someone within a particular group made a particular message.
  • It’s kind of hard for me to fully grasp from their website. But it looks like it requires a trusted manager/gatekeeper for each group. The manager can’t see who says what, but they choose who is allowed to submit messages. The manager can decline to invite people to join the group, but I can’t tell if they have other censorship options than that. I'd love to read an ELI5 for this.
  • Messages are tagged with unique identifiers that preserve anonymity within the group while preventing individuals from looking like multiple different users. The basic ring signature scheme does not have this feature, but linked ring signatures do.
     

1. ^{^}

   I also never got around to getting the Apple certification, so you have to override the standard Mac security settings to use it.

2. ^{^}

   https://primal.net/p/nprofile1qqsyhq0crndu4rvx7jdx7llum0d04ghd874rsx8q7n6qzsmmz590p5gjfdjm9 https://primal.net/p/nprofile1qqsza4wgsdrqmrldlx96tqhmq2ephv99rrtemh6a6nfwg42vq0mvu6qdpadv5 https://primal.net/p/nprofile1qqstqc6ad2v9r5aw6rxkcj2m9qsk0t8hv9efq7xewh7rgxezv59s0wge0w8hm 

3. ^{^}

   This is similar to how websites can see which traffic comes from which accounts or IP addresses. It’s essential for preventing abuse, but it’s a concern for those who have valid reasons to read or write pseudonymously. This isn't a hypothetical consideration: I have pseudonymously posted some highly controversial writing online, and I made sure to use a different sign-up email and route the traffic through a proxy, just so that I wouldn’t have to worry about hostile or gossipy moderators.

4. ^{^}

   For more discussion about Nostr's surveillance concerns and what could be done about it, see: Proving You Belong Without Saying Who You Are and Private Relay Connections: ZK Solutions for Nostr.

5. ^{^}

   Paid relays are already a normal part of the ecosystem.