How can I prove group membership in an anonymous way?

Giszmo

12/13/23, 10:52 PM

I want to accredit members so they can pseudonymously give feedback while still being provably part of a group, without a way to give extra accreditations.

Suppose a group of 100 members (I decide and make public who these members are) want to bit by bit create 100 accounts such that nobody knows which member created which account but without a way of ending up with multiple accounts controlled by any one entity.

I could use blind RSA signatures here but the signing entity - myself - would be able to accredit more accounts than there are members without the members knowing who's legit.

How can I provably limit accounts to one per member of a group?

A more concrete example

My project discusses projects $X_{1 .. 100}$ on GitHub.
Each of these projects gets one "peer" token $P_{1 .. 100}$
Nobody - not even me - can link $P_{n}$ to $X_{n}$
Nobody can create a token $P_m$ with $m \notin [1, 100]$
Nobody can create a secondary token for any project
In my project, tokens would be used on nostr and would ideally commit to a nostr identity (Schnorr public key) to avoid requiring yet another mechanism by which the token identifies a nostr identity as group member

Best idea so far

Projects that want their token get processed in batches of $n \geq 10$
Once signed up, I blindly sign $m \leq n$ tokens for them
- tokens are "[nostr pubkey],[signing round counter]"
Projects have to use it or lose it: Within 48 hours $k \leq m$ unblinded tokens get revealed by using the nostr pubkeys with the unblinded tokens and signatures. Later reveals are ignored
$l$ Projects publicly approve their token activation
If $l \leq k$, round was successful for these $l$ projects
- If now one approved project of the round reveals a different token? We got trolled by two colluding entrants and have to repeat the round without this one project?
If $l \gt k$:
- We were provably signing more tokens

The interactivity, long ceremony and the reduced anonymity set is bothering me. Also if projects forget or have their keys compromised, how can I renew tokens? Have them all renew once per year unless they want to reveal the match?

I want to send each of these projects something that they can derive a token from themselves whenever they feel like using this.

0 + 5

blinding

Pegasus

12/14/23, 1:55 AM

Sorry I didn't get it. Does the users of a group will be able to know who else is on the group, if no what stops you to create 80 members and choose 20 random from already existed members in order to construct the group of 100 ? how the rest 20 users will be able to verify who is legit ? I mention it because as i understand the group members should not relying on your trust. I'll remove the comment.

user253751

12/14/23, 10:04 AM

@Pegasus are you asking how someone can know there aren't 100 different keys all owned by the same person?

Giszmo

12/15/23, 9:24 PM

@Pegasus I added my use case. Hope that makes things clearer.

knaccc

12/15/23, 9:41 PM

If there are 100 key pairs, with all public keys publicly known: Just ask each key owner to announce a new public key, using a linkable ring signature to prove they are one of the original 100 public key owners. Because it's a linkable ring signature, it will be obvious to everyone if anyone attempts to announce more than one new public key.

Giszmo

12/17/23, 1:27 AM

Sorry, my crypto is not very advanced. For a start, there are no key pairs. Just 100 projects I hope to sign up to my scheme. 5 might sign up and create key pairs. What next?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I prove group membership in an anonymous way?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.