[Cryptography] People vs AI
Andrew Miller
andrew at amxl.com
Mon Mar 10 21:11:03 EDT 2025
On 11/03/2025 10:10, Jerry Leichter wrote:
> Focusing on just one issue:
>> ...Proof of Human is the cornerstone of the network's security.
> I don't see any hope of being able to prove that an entity on the network is human, given even the current state of AI (and it only gets harder from here). That train left the station.
>
> We need to step back and ask what the exact problem is that we're trying to solve. In fact, it has little to do with the humanity or lack thereof of someone we correspond with. It has to do with whether we can trust them for particular purposes. We're attempting to use the human/not-human dichotomy as a shortcut for this purpose, but it's a bad shortcut. For any particular purpose, some humans are trustworthy and some are not, and some AIs are trustworthy or not.
However, there are applications and protocols where it is desirable that
people participate on a 'one person, one vote' basis. Not every vote is
going to be in the right direction, but that doesn't necessarily matter.
If a decentralised system based on a cryptographic protocol has 1,000
honest users and 500 dishonest ones, then you can work with that. If a
decentralised system has 1,000 honest users, and 500 dishonest people
with 200 users each (i.e. 100,000 dishonest users), that is a much
harder problem for a protocol designer. So some kind of solution for
proof-of-humanity greatly broadens what is possible for protocol designers.
> Think about conversing with an advisor at your bank. You are willing to trust the entity you are connected to - human or chatbot - when you are willing to trust that they are legitimately associated with the bank. My bank's chatbot actually provides some useful advice, which I trust. It doesn't try to appear to be human, but even if it did, that would change nothing.
>
> Suppose we established humanity by requiring that anyone wanting to access the Internet get a "driver's license" from the state, which would provide unforgeable certification of humanity. What does that "unforgeable certificate of humanity" actually mean? Whether it says anything about whether the identity it certifies is human depends _entirely_ on how trustworthy the state is in issuing such certificates to humans, only to humans, and only one per human. Well ... good luck with that. Even with the most trusted of states, exceptions will certainly be made for "legitimate law enforcement practices."
I think you are right that proof of humanity will need to rely on a
trusted third party, such as a state (or in Worldcoin's implementation,
the Worldcoin Foundation), and so will never be truly decentralised.
However, the alternatives are:
* Using a proof of work system to make it too costly to create lots of
users. The problem is, it is quite likely that the minimum many
legitimate people will spend to create one user is less than the
maximum per user that people performing Sybil attacks are willing to
spend. Also, such systems use a lot of energy at scale and so are
environmentally harmful.
* Use a proof of stake system - you stake some existing cryptocurrency
that you can lose under certain circumstances. This has the same
problem - it is essentially, one dollar one vote, and people will
pay more for many votes.
* Some kind of web of trust - but this either lets a small percentage
of bad actors create fake networks of users, or has serious privacy
implications.
I'd argue the downsides of some limited centralisation are worth it for
many otherwise decentralised applications. States creating a few extra
users isn't necessarily fatal to many applications - and they probably
wouldn't need to anyway, as a solution that offers good privacy would
also blind other users to the fact they work for the state. It would be
a problem if a state conducted a Sybil attack with lots of fake users -
but for a widely deployed system, solutions that provide visibility into
the number of users would at least make this obvious (unless the state
also fudges their official population statistics to cover up a sudden
rise in real people).
I'm working on a solution I'm calling uniquonym
(https://lemmy.amxl.com/c/project_uniquonym /
https://github.com/orgs/uniquonym/repositories) - a portmanteau of
unique and pseudonym - which will use centralised trust of states as
arbiters of personhood, combined with zk-STARK proofs, ensuring users
can only have one pseudonym per namespace per state (at a time -
eventually uniquonyms expire and can be removed from the Merkle tree of
identities in a namespace, and can be replaced by a different one).
States cannot tie pseudonyms in a namespace to real users. Uniquonyms
can be used for approximate voting, or to slow down how fast malicious
users can come back after being blocked in a pseudonymous decentralised
system.
-- Andrew
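
The following is an added example, not part of the original message or of the uniquonym project. It models the argument that pricing identities (proof of work or proof of stake) cannot restore an honest majority, while a cap of one identity per person can. The 1,000 honest / 500 dishonest / 200-identities-each figures come from the message; the budgets and prices are constructed assumptions.

```python
# Added illustration. The 1,000 honest / 500 dishonest / 200-identities-each
# figures come from the message; budgets and prices are constructed.

# Most each honest person will pay for ONE identity (constructed: 1..20 units).
HONEST = [1 + (i % 20) for i in range(1000)]
# Total each attacker will spend on identities (constructed: 200 ids at price 10).
ATTACKERS = [2000] * 500


def identity_counts(price, cap_per_person=None):
    """Return (honest_ids, sybil_ids) when one identity costs `price` units.

    cap_per_person models a trusted issuer enforcing N identities per human;
    None models proof of work / proof of stake, where cost is the only limit.
    """
    honest_ids = sum(1 for b in HONEST if b >= price)
    sybil_ids = 0
    for budget in ATTACKERS:
        affordable = budget // price
        if cap_per_person is not None:
            affordable = min(affordable, cap_per_person)
        sybil_ids += affordable
    return honest_ids, sybil_ids


def honest_share(price, cap_per_person=None):
    """Fraction of all identities that belong to honest people."""
    h, s = identity_counts(price, cap_per_person)
    return h / (h + s) if h + s else 0.0


def best_price(prices, cap_per_person=None):
    """Price that maximises the honest share, together with that share."""
    return max(((p, honest_share(p, cap_per_person)) for p in prices),
               key=lambda t: t[1])


if __name__ == "__main__":
    for p in (1, 5, 10, 20):
        print(p, identity_counts(p), round(honest_share(p), 4))
    print("best cost-only:", best_price(range(1, 21)))
    print("one per person:", best_price(range(1, 21), cap_per_person=1))
```

Raising the price removes honest users faster than it removes Sybil identities, so no price in the sweep gives honest users even 1% of identities; with the cap, the cheapest price gives the 1,000 : 500 split the message describes as workable.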