Topic: [OLD] CRYPTOGRAPHIC PROOF OF ASSOCIATION (Read 7702 times)

hero member
Activity: 707
Merit: 505
April 20, 2016, 02:33:17 AM
#27
Interesting. Can you explain what this solves that public key certificates don't solve?
This is how ssl certificates work too... you sign using your private key and then user can verify using publickey. Same thing can be done with bitcoin public/private keys pair. For products, the vendor can then sign something like a product code and user can verify the signature.
Hello and thank you for your question, I will add it to the FAQ :)
  • In essence we log the number of hits each subkey receives and so provide an indication to the consumer as to whether their particular item is unique or not.
  • The consumer is also able to see at a glance who the registered vendor is without having to understand what an SSL certificate is and how to verify its signature, we take care of that for them by getting the vendor to verify their identity in advance using the SSL certificate provided at the https url they own.
  • An added advantage to this is that value may be sent to this key because it is a valid address on the BTC network which is a feature the vendor may make use of if they wish.
  • Vendors are also able to monitor the number of hits each subkey has received which can be used for analytical reasons.


UPDATE

    Scanner app for Android now available for testing here.
(source)
    SHA256 Hash: a5db1ff1e601cb8cd2e80648b74e81ef60765e52e16382cb619548ecda4750e7  cryptoproof_scanner.apk

    Android app # COMPLETED 12/11/2015
    Multisig Support # ENABLED 26/11/2015
    Publicly auditable database # ENABLED 28/11/2015

    prlog press release 13112015

    Example cryptoproof id card (front and back)
    
hero member
Activity: 692
Merit: 569
October 11, 2015, 08:57:49 AM
#26
Interesting. Can you explain what this solves that public key certificates don't solve?

This is how ssl certificates work too... you sign using your private key and then user can verify using publickey. Same thing can be done with bitcoin public/private keys pair. For products, the vendor can then sign something like a product code and user can verify the signature.

hero member
Activity: 707
Merit: 505
October 11, 2015, 02:48:07 AM
#25
If that is true then it is amazing and I will watch this project with lots of interest. Good luck :D
Thank you :).
I have added your question to the FAQ and updated the opening post.

Key generation docker container has been updated.

Woohoo!, off the mark with our first ever contributor "Det O", Thank you Det O! :D
https://www.kickstarter.com/projects/343175079/cryptoproofinfo
newbie
Activity: 16
Merit: 0
October 07, 2015, 09:40:48 PM
#24
If that is true then it is amazing and I will watch this project with lots of interest. Good luck :D
hero member
Activity: 707
Merit: 505
October 07, 2015, 09:29:12 PM
#23
how can it work for things that are 3D printed if you can't tell them apart because it means they are identical?
In the future when you order an item from a vendor such as a cup or a toy for example it seems sensible to envision a scenario where rather than have the vendor mail it to you or send it by drone they instead send the blueprint to your 3D printer which produces the item instantly for you at home or maybe they print the item for you themselves and then physically send it but in either case how can you know that you purchased the item from the producer in question and not someone who ordered an item themselves, intercepted the blueprint or scanned the product which was delivered to them and just sold you a clone? (this is a huge problem in the pharmaceutical industry)

Cryptoproof solves this by providing a common place where vendors can register master cryptographic keys and then brand each item with a unique subkey which cryptoproof can verify so that the consumer can know if the product originates from the producer that they think it does (by seeing if a verified account is associated with it) and if there is more than one copy of that item in existence (by seeing if/how many times that key has been submitted in the past).

Using Bitcoin keys for this purpose adds an extra dimension to the scenario because, for instance, value can be transmitted to and from these keys which allows not only for verification but also can be used to keep an immutable record showing how much was paid for the item, who paid it and when the transaction took place.
newbie
Activity: 16
Merit: 0
October 07, 2015, 08:36:55 PM
#22
Looks like there is some potential here, why is the thread so dead?
I like this but how can it work for things that are 3D printed if you can't tell them apart because it means they are identical?
hero member
Activity: 707
Merit: 505
October 05, 2015, 08:52:34 PM
#21
We've been hard at work these last few months testing and debugging the site, we would now like to invite the community to participate in beta testing! ;D
Please see site updates in OP, more information coming soon.

Implemented search API.
Docker containers now available for easy bip32 key generation and encrypted string decoding for account verification.
Links now available in OP.

Connections to cryptoproof.info now encrypted using modern cipher suite TLS 1.2

Now on KICKSTARTER and STARTJOIN

Instructional video for account creation and verification now available on youtube here.

So what exactly does this service do you?
Please refer to the opening post for details.
sr. member
Activity: 294
Merit: 250
October 01, 2015, 07:55:22 AM
#20
So what exactly does this service do you?

I already have my private key encrypted.
newbie
Activity: 33
Merit: 0
We can discover the answer to that question by providing it in the first place :).

Good luck.
hero member
Activity: 707
Merit: 505
Great, so what do they use those addresses for? Do they send/receive any bitcoin to it? Nope.
No harm in giving them the option though.

Quote
You're not using the blockchain in any way, as you have already admitted, so what does this thing have to do with cryptocurrencies?
There would be no advantage to logging hits in the blockchain, you would still end up maintaining a database only you're needlessly impacting the blockchain now.

Quote
so why would they use your service?
We can discover the answer to that question by providing it in the first place :).
newbie
Activity: 33
Merit: 0
I realize it. Now, tell me, does anybody have the master keys for those unique addresses?  (not the master-key from which they were derived, but the actual key to spend any bitcoin inside them).
Yes, the holder of the master private key. Which isn't us because we don't have access to that.

Great, so what do they use those addresses for? Do they send/receive any bitcoin to it? Nope. You're not using the blockchain in any way, as you have already admitted, so what does this thing have to do with cryptocurrencies?

You could do the same using regular OpenPGP subkeys and registering them in your centralized system. People already use similar cryptographic solutions for all kinds of things (but not pills, because that's pretty silly) so why would they use your service?

hero member
Activity: 707
Merit: 505
I realize it. Now, tell me, does anybody have the master keys for those unique addresses?  (not the master-key from which they were derived, but the actual key to spend any bitcoin inside them).
Yes, the holder of the master private key. Which isn't us because we never have access to that.
newbie
Activity: 33
Merit: 0
Please realise these unique identifiers are valid addresses on the bitcoin blockchain.

I realize it. Now, tell me, does anybody have the master keys for those unique addresses?  (not the master-key from which they were derived, but the actual key to spend any bitcoin inside them).
hero member
Activity: 707
Merit: 505
They are just unique identifiers derived from a master key, it has nothing to do with cryptocurrencies.
Please realise these unique identifiers are valid addresses on the bitcoin blockchain.

Quote
So what if you don't store any master keys? you are still a centralized point of failure. When you say that a certain address has not been submitted before, why should I trust you? (since the database that counts how many times it has been submitted can be altered)
There are over two billion subkeys per master key, the website is based on the idea that your particular key having been manipulated is so unlikely that you can rationally trust the result.

Quote
put a tamper-proof device in the bottle and be done with it.
That is indeed an alternative solution.
newbie
Activity: 33
Merit: 0
It's bitcoin addresses that are logged and so the association with cryptocurrency, we take every security precaution, we don't store any master keys, the subkey addresses are stored as hashes, etc.

Just because you have a string of numbers in the form of a bitcoin address doesn't mean that you are actually using the cryptocurrency. They are just unique identifiers derived from a master key, it has nothing to do with cryptocurrencies. Can you prove ownership of the baby address in the blockchain? Nope. Do you use those addresses (to receive some dust, for instance) in any way? Nope.

So what if you don't store any master keys? you are still a centralized point of failure. When you say that a certain address has not been submitted before, why should I trust you? (since the database that counts how many times it has been submitted can be altered)

Quote
No, that would be silly, the pills are so numerous for a start that people wouldn't bother to scan them on a regular basis. I suspect the bottle would be more sensible. The image gets the idea across quite nicely though.

Then what's the point of this? Just put a tamper-proof device in the bottle and be done with it. The image does get an idea across quite nicely, shame it is not actually the idea you have.

Like, if the image you are using to get your point across shows something that is, in your own words "silly" and you cannot even be bothered to put enough effort to a) show a proper representation of your idea and b) learn how to photoshop a QR code on top of an image. Why would anybody believe you are going to be acting professionally?

Quote
Well that's a murderer and there's no stopping him.

Well, you have convinced me of the usefulness of your system.
hero member
Activity: 707
Merit: 505
1) what the hell does this have to do with bitcoin or any other cryptocurrency? It's just a centralized service that uses basic cryptography. Why would people trust your service? it can be hacked, your internal database modified, etc.
It's bitcoin addresses that are logged and so the association with cryptocurrency, we take every security precaution, master keys are not stored, subkey addresses are hashed, etc.

Quote
2) Are you seriously expecting people to print (and scan!) QR codes on individual pills?  Really?
No, that would be silly, the pills are so numerous for a start that people wouldn't bother to scan them on a regular basis. I suspect the bottle would be more sensible. The image gets the idea across quite nicely though.

Quote
3) Finally, what is stopping some asshole from taking a pill from a bottle and replacing it with another pill with the same code?
Well that's a murderer and there's no stopping him.

Quote
Like, I don't want to be mean, but this is among the dumbest ideas I've ever heard.
I think it could be useful actually for any business who cared to participate. Nobody can be forced to use the service.
newbie
Activity: 33
Merit: 0
So you have a master key from which unique baby public keys are created. Then someone registers their master-key in your system and, from then on, people can check how many times a related public key has been submitted before.

Right?

Now riddle me this:

1) what the hell does this have to do with bitcoin or any other cryptocurrency? It's just a centralized service that uses basic cryptography. Why would people trust your service? it can be hacked, your internal database modified, etc.

2) Are you seriously expecting people to print (and scan!) QR codes on individual pills?  Really?

3) Finally, what is stopping some asshole from taking a pill from a bottle and replacing it with another pill with the same code?

Like, I don't want to be mean, but this is among the dumbest ideas I've ever heard.
hero member
Activity: 707
Merit: 505
It's not publication, it's production.
Publication suggests a way to derive if an object existed at a particular time which is not the case regarding CPOP because there is no blockchain involved.

If this were cryptographically secure then it wouldn't matter if your database were hacked because no-one could derive the public bitcoin addresses anyway. If you were using real proof-of-publication then your data couldn't be tampered with.
This is exactly the case with CPOP.

The scheme is not sound because a leak of your database leaks every possible key, allowing un-noticed forgery.
Not true, you're assuming we keep the public master on record which we do not.
We log the hashed versions of the subkey addresses so a database hack would be no use to forgers.

At no time is the master public key written to disk.
legendary
Activity: 1064
Merit: 1000
It's not 'publication' it's 'production' and you reveal no secrets when you divulge a public key (apart from its subkeys in this case).
'cryptographic probability of production' would be technically correct but since Heisenberg showed us that all certainty is a matter of likelihood I don't feel guilty about using the word 'proof' because a measure of likelihood is what it provides.

But it does matter because you are using the derived public keys/addresses as proof of knowing the public master. The scheme is not sound because a leak of your database leaks every possible key, allowing un-noticed forgery.
legendary
Activity: 1064
Merit: 1000
What if someone hacked the website database and changed data? This is my #1 problem with all current websites. I will still support your project while its built with the traditional full-stack model. I hope you switch one day in like 2 or 3 years once blockchain tech is more advanced.
I suppose all websites are at risk of being hacked in one way or another, even the btc blockchain is not immune it's just unlikely but we take every precaution we can, hashed addresses etc.
Our database will be decentralised across our servers but we probably won't ever store data in the blockchain.

We could register scans on the btc blockchain right now and just log the transaction numbers but then we would end up maintaining a database again, only now we are forcing btc node maintainers to store extra data unnecessarily and adding to a blockchain already over 30GB in size.

Being able to keep track of this information without burdening the blockchain is a feature of CPOP.

Sorry but this is handwaving away a serious objection. If you are calling something cryptographic proof-of-publication it really needs to have both cryptography and proof-of-publication as part of its methodology.

There is no proof-of-publication in this scheme which would make data tamper-proof.
You are relying on a public key for validation but if the public master key is leaked then anyone can derive all the public keys/bitcoin addresses. The entire security of your system relies on your ability to not get hacked, and for the client to not reveal their public master key allowing anyone to generate addresses without anyone's knowledge. If this were cryptographically secure then it wouldn't matter if your database were hacked because no-one could derive the public bitcoin addresses anyway. If you were using real proof-of-publication then your data couldn't be tampered with.