Right now in Zbay we’re registering usernames by sending encrypted memos with a name to the network, using an approach similar to the one originally described by Aaron Swartz where everyone checks the list and only the first registration is the valid one.
However, we’d like to have a way where users can quickly verify that a given user is the real owner of a given name, without having to look through the whole list.
It’s easy to verify that the user has registered a name. They can point to a transaction and we can ask a lightwalletd about it, and maybe the lightwalletd can even prove to us that it’s valid. However, that doesn’t tell us that they were the first to register that username, so they could still be impersonating the real user.
So our question is, is there some property in a transaction that is:
Checked for uniqueness by miners and thus guaranteed to be unique and
Mappable 1:1 to arbitrary data like a name, so that it’s uniqueness tells you that the name is unique too.
For example, let’s imagine that by setting some parameters of transaction we can control the ID of the UTXO that the transaction creates. If we find a function that translates username into this is, than we could say, that user owns a username if he had transaction creating this UTXO included in a block.
So one way to solve this is if we can control the ID of the UTXO created such that its uniqueness also guarantees the uniqueness of a name. Is this possible? How would you construct such a transaction? (Note: it can be a transparent transaction; it doesn’t have to be shielded.)
But if this doesn’t work, is there some other value checked for uniqueness by miners?
I haven’t thought too closely yet about whether there’s currently a way to do this in Zcash, but I wanted to note that this would be something you could potentially achieve with (permissionless) UDAs: have each name correspond to an asset type, and only mint a single 1-zatoshi coin per name.
The name uniqueness check would be part of the minting protocol: when a name is first registered, the consensus rules would check against the full list of registered names. But after that initial full-list check, a proof-of-name-ownership is equivalent to a proof-of-spend-authority for a coin corresponding to that name (of which there is only one at a time, since the coin is transferrable but indivisible). This can be both created and verified without reference to the global list, since the recipient of such a proof can rely on the consensus rules to enforce uniqueness both within that list, and of the named-coin ownership (modulo the fact that proof-of-spend-authority does not prevent multiple people from having access to that spend authority; from the perspective of the Zcash protocol, “spend authority” is indistinguishable from “spender”).
Got it, so the UDA would have a name, which in the “normal” UDA case might be “zDAI” or “zBTC” or something. But in this case the UDA would be named “holmes” or “ZNS.holmes” or something.
And you can create as many assets as you want. But the UDA scheme would not allow for the creation of assets with the same name. And you can do something to show there’s only one coin per asset. So if somebody has it, they have it.
Cool!
That said, there would be simpler ways to achieve unique names than permissionless UDAs if protocol changes are on the table. It would be enough to include an optional arbitrary value in each transaction that miners require to be unique, for example, right?
Also, it would be amazing if there was some way to achieve this with the existing protocol, using nullifiers, for example.