not.bot

Why Chia?

not.bot™ is a system of cryptographic identity for humans. At launch, a person will enroll by scanning the NFC chip in their passport, and can then prove they are a human, prove their age, or sign content so that others can confirm its author, without disclosing their name or linking their separate accounts. Each not.bot identity is an instance of the did:julia method, recorded on the Chia blockchain.

Building on a public blockchain, and on Chia in particular, is a foundational design decision. This document describes the reasoning behind it: why an identity system of this kind requires a public blockchain and why Chia among the available blockchains.

Why a public blockchain for digital identity?

An identity system of this kind has to satisfy several requirements at once. An identity must be verifiable by any party to whom it is presented. It must remain under the control of the entity it describes rather than an operator. And its use should not produce a record of when and where it was used.

Other identity architectures satisfy some of these requirements and not others. A central registry places one operator in control of the records; that operator can alter or deny a record, and its failure removes access for everyone. An identity provider that mediates each use observes every transaction, which makes the architecture a means of surveillance.

A public blockchain removes the operator from the position of control. It provides four properties relevant to identity:

  • A record under no single party's control. Julia Social cannot alter an identity, seize it, or create one in another person's name. The blockchain holds the record, and its integrity rests on the consensus of the network rather than on the conduct of a company.
  • Verification independent of the issuer. Any party to whom an identity is presented can confirm it against the blockchain. Julia Social is not contacted and need not be available for an identity to function.
  • No disclosure on use. Presenting an identity contacts no central service. No party is informed that a person signed in to a site or signed a document.
  • Independent verification. A party can operate its own Chia node and verify against it, which removes any dependence on a third party and keeps verification queries inside the party's own infrastructure.

Together these properties allow an identity to be verifiable by any party while remaining outside the control of any single one, a combination that a server operated by one company cannot provide.

Why Chia specifically?

Public blockchains differ in ways that determine their suitability for identity. did:julia depends on a specific set of properties. Chia provides all of them, and few other blockchains provide more than a subset. This section states the requirements, describes how Chia satisfies each, and compares the main alternatives.

Requirements

did:julia requires the following of its underlying blockchain:

  • Each identity exists as a discrete object controlled by its owner, with no shared state accessible to a central party.
  • The conditions for using an identity are programmable, so that ownership, recovery, delegation, and revocation are defined within the identity itself.
  • Verifiable Credentials from independent issuers combine into a single Verifiable Presentation, allowing several credentials to be presented and verified together.
  • Verifiers cannot extract individual credentials from a presentation.
  • A signed assertion can be presented to a counterparty and verified off-chain, without a transaction reaching the blockchain.
  • A node used for verification runs at low enough cost that an individual user or a small organization can operate one.
  • A large set of publicly-accessible nodes, so that a verifier who does not run a node can query one at random without identifying itself.
  • The consensus securing the record withstands attack from any party short of a majority of the network.
  • Credential revocation is recorded on the blockchain and checkable against any node.
  • A person can transact on the blockchain without first acquiring the native cryptocurrency.

How Chia satisfies the requirements

Signature aggregation. Chia uses BLS12-381 signatures. A set of BLS signatures produced by different signers can be combined into a single signature that a verifier checks in one operation, with no interaction among the signers. did:julia uses this property for credential composition: issuers sign each credential individually, and a holder presenting several credentials at once combines them into a single signature. A presentation of multiple facts, for example that the subject is a human, is over 21, and holds a valid professional license, is verified as one aggregated signature. The verifier is unable to disaggregate the individual credentials out of the presentation.

Independent identity state. Chia uses a coin model in which each coin is a discrete object carrying its own spending rules, with no shared global state. Each did:julia identity is a singleton, a coin with an id for which the chain allows one unspent instance and no more. Updating the identity spends the current coin and creates its successor under the same id, so the identity persists as a single object with an unbroken history. The coin stores its state, including the keys that control it, as curried data: values fixed into its program when the coin is created, which no other party can change. Julia Social operates no central contract in which identities reside, so no identity can be altered or frozen by Julia Social. Control of an identity rests only with the holder of its key(s).

Programmable rules and offline verification. Chia's programming language, Chialisp, specifies the conditions under which a coin may be spent. Chialisp is a functional language: the same program given the same inputs produces the same outputs. A transaction prepared from such programs has one possible effect, the one its author wrote, and a verifier can confirm that effect in advance by requesting a few coin states from any node. did:julia encodes ownership, recovery, delegation, and revocation in the identity coin itself. Because an identity commits to the key that created it and records its own history, a verifier can confirm an identity without prior knowledge of it and without contacting a server, including when offline. The Chialisp contracts that implement the method are open source as of this document's publication, which allows independent review of the rules that govern a not.bot identity.

Concurrent operation. A Chia mechanism called fast-forward binds the validity of a prepared transaction to the spending rules rather than to a specific coin generation: a transaction prepared against an earlier state of the identity still applies after the identity advances, provided the rules are unchanged. Several devices can prepare valid operations on one identity at the same time without conflict.

Off-chain presentation. Singletons, fast-forward, and functional determinism combine into the capability that distinguishes did:julia: a signature that works without touching the chain. The owner of an identity prepares a spend bundle against the identity coin whose program emits a statement, the activity or content the owner chose to sign, then signs the bundle and sends it to a counterparty in place of broadcasting it. The counterparty requests a few coin states from any node and confirms that the bundle is valid, that its one possible effect is the emission of that statement, and that the identity behind the singleton signed it. Fast-forward keeps the bundle verifiable after the identity advances on chain. No transaction reaches the blockchain, no fee is paid, and the chain holds no record that the exchange took place.

Low-cost node operation. Chia's consensus mechanism, proof of space and time, runs a full verifying node on commodity hardware rather than on specialized equipment. About 30,000 nodes operate the network, a number that follows from the low cost of joining it. A user or organization can run a node and verify identities and credentials without reliance on any third party.

Verification without observation. The node network is a privacy mechanism as well as an availability mechanism. A verifier checking an identity selects a node at random from the tens of thousands available and connects without identifying itself. Each node answers an anonymous query against the public record, with nothing to link one query to another, so no operator can assemble a record of who verifies whom. A verifier who runs its own node closes the remaining gap: the query never leaves the verifier's hardware, and no outside party learns that the identity was used.

Consensus security. The identity record is as trustworthy as the chain that holds it. Chia's proof of space and time pairs storage with a sequence of verifiable time proofs computed by machines called timelords. Chia Network designed and deployed ASIC timelords that compute these proofs near the physical limit, so an attacker cannot gain ground with faster hardware and must control a majority of the network's storage space to rewrite the chain.

On-chain revocation. Revocation of a credential is recorded on the blockchain and is checkable against any node. Confirming revocation status requires no issuer-operated service and discloses nothing to the issuer or any 3rd party.

Comparison with other blockchains

Three blockchains illustrate why Julia Social uses the Chia blockchain rather than a better-known alternative.

Bitcoin uses a coin model comparable to Chia's, which isolates identity state, but its scripting language cannot express the identity logic did:julia requires.

Ethereum and other account-model blockchains are programmable but maintain state in shared accounts and contracts. An identity implemented on such a blockchain resides within a contract that some party deployed and can control, which reintroduces the central operator that a public ledger is intended to remove. Many contracts carry upgrade paths that let the deployer change the rules after users depend on them. No one can change the program of a Chia coin after the coin is created, so the owner of an identity knows at each moment what rules govern it. These blockchains also lack non-interactive signature aggregation.

Cardano is the closest comparison, the other production blockchain with a programmable coin model. Chia remains better suited to identity in three respects. Chia's signatures aggregate credentials as a native operation, where Cardano performs the equivalent cryptography within metered scripts. A did:julia identity is a coin held directly by its owner, where identity frameworks on Cardano operate at a layer above the base ledger. And Chia supports concurrent operations on a single identity, where Cardano's model requires serialization and retry for transactions that contend for the same state. The same difference governs off-chain presentation: a prepared Cardano transaction pins the exact UTXO it spends and goes stale the moment the identity advances, where fast-forward keeps a Chia presentation verifiable against the identity's current state. For the requirements of did:julia, Chia provides as native operations what Cardano provides through additional layers.

not.bot and cryptocurrency

not.bot is built to use the blockchain as a database. Users do not think of an application by reference to the database it uses; the database is an implementation detail chosen for its fit to the task. An Uber rider judges the ride and gives no thought to the database behind it. Julia Social uses the Chia blockchain in the same role, as a specialized database suited to digital identity. It operates beneath the application and is not part of what the user sees.

A not.bot user does not hold or transact in cryptocurrency. There is no not.bot token, and nothing in the system is bought, sold, or held for speculation. Each blockchain transaction incurs a small fee, which Julia Social supplies through a mechanism called the faucet: the fee is provided by Julia Social and bound to the user's transaction, so that the user never receives or holds any XCH, the native unit of the Chia blockchain. The user maintains no wallet, and because no asset is transferred to the user, there is no cryptocurrency receipt and no opportunity for a taxable event.

The architecture does not preclude cryptocurrency use. A not.bot identity can act on the blockchain when its owner directs it to. A planned feature will allow a website to present a transaction to the not.bot app for signature by the user's identity, which supports a range of applications that includes cryptocurrency trading. The capability is available to users who want it and absent from the experience of those who do not.

View this page as Markdown