Skip to content
This repository has been archived by the owner on Jun 21, 2023. It is now read-only.

Store hashed solutions instead of solution arrays so that the database of solutions is obfuscated and more secure #114

Open
7 tasks
forgetso opened this issue May 17, 2022 · 0 comments
Open
7 tasks

Store hashed solutions instead of solution arrays so that the database of solutions is obfuscated and more secure #114

forgetso opened this issue May 17, 2022 · 0 comments
Assignees
@Lupus7
Labels
enhancement New feature or request
Milestone
MVP

Comments

@forgetso
Copy link
Member

forgetso commented May 17, 2022
edited
Loading

Current Functionality and Idea

Datasets currently have the following format in which solutions are provided as indexes of the items array.

  "captchas": [
    {
      "salt": "0x01",
      "solution": [
        2,
        3,
        8
      ],
      "items": [
        {
          "path": "http://localhost:4000/img/test_image_png_5.png",
          "type": "image"
        },
        {
          "path": "http://localhost:4000/img/test_image_png_24.png",
          "type": "image"
        },
...
      ],
      "target": "dog"
    },

When we process datasets we are already hashing images / text:

https://github.com/prosopo-io/contract/blob/31a52da278164296a064adfe19a0fc36033a351b/src/captcha/captcha.ts#L125-L136

It makes sense for us to use the item hashes as the solution. In the above example, the solution [2,3,8] would become:

      "solution": [ 
        sort(
          hash(item2),
          hash(item3),
          hash(item8),
        )
      ],

This leaves us free to randomise the order of the captcha when we are passing them to users. When you're sending the captcha to the user from the API you can do something like:

send ( random_order( captcha.items ) )

The user sends back their solution array

[hash5, hash2, hash0]

Then you sort it alphabetically and compare to the stored solution array of hashes.

Spec

Importing datasets that include indexed solutions:

Importing dataset

  • items to include hash for each item
  • exclude solution from captchas collection in database
  • include solved flag (true for captcha that included the solution when dataset was imported)

Dataset ID hash (merkle tree root) to include hashed solution

Solution validation

When checking a solution sent by the frontend, re-compute + compare merkle tree root to check whether they answered correctly. The following is a rough idea of how this should work.

  • In dappUserSolution get the merkle tree for the dataset currently being used by the provider
  • Calculate the captchaIds including solutions passed by the dapp user
  • Generate a proof for each captchaId to ensure that it is part of the merkle tree and check that the datasetId is correct in each case
@forgetso forgetso added this to the Milestone2 milestone May 17, 2022
@forgetso forgetso added the enhancement New feature or request label May 17, 2022
@forgetso forgetso modified the milestones: Milestone2, MVP Jun 3, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Lupus7 Lupus7

Labels
enhancement New feature or request
Projects
None yet
Milestone
MVP
Development

No branches or pull requests
2 participants
@forgetso @Lupus7