An airdrop that preserves recipient privacy by Riad S. Wahby, Dan Boneh, Christopher Jeffrey, Joseph Poon.
While airdrops to existing blockchains are convenient, using other cryptographic
infrastructure may be more effective at recruiting desirable users. A
very interesting example is GitHub, since it has tens of millions of users,
many of whom use SSH keys to access repositories and PGP keys to sign commits.
GitHub publishes users’ public keys, which allows cryptocurrencies
to design airdrops intended for developers by allowing them to claim airdropped
funds using keys from GitHub. The PGP web of trust, Keybase, GitLab,
and the X.509 PKI are interesting for similar reasons.
Yet, no matter the infrastructure they target, airdrops have a serious flaw:
they offer no privacy to their recipients. This means that an observer can easily
learn whether or not any given recipient has claimed her airdropped value. Even
cryptocurrencies that provide anonymity mechanisms for on-chain transactions
(see §8) do not prevent this leakage, because a recipient must first use
her existing identity to claim the airdropped funds. And using cryptographic
infrastructure like GitHub exacerbates this privacy leak since GitHub accounts,
PGP keys, etc., are often tied to software projects and professional activities. All
told, these issues act as a disincentive for privacy-conscious recipients to redeem
their awards, which reduces the airdrop’s effectiveness in recruiting new users.
Existing solutions fall short of addressing this issue. The simplest possible
approach—sending each recipient a fresh secret key for claiming her funds—
carries an even stronger disincentive: it requires recipients to trust the sender.
Both the sender and recipient know the secret key, so either can take the funds,
but neither can prove who did. Meanwhile, a dishonest sender might garner free
publicity with an airdrop, only to claw back the funds; or an incompetent one
might accidentally disclose the secret keys. To avoid this trust requirement, a
workable solution must allow only the recipient to withdraw the funds.
A more plausible approach is to have recipients claim airdrop funds by proving their
identities in zero knowledge. Concretely, a recipient proves that she
knows the secret key for some pre-existing public key (say, the RSA public key of
her GitHub credential), and that no prior airdrop claim has used this public key.
To preserve her privacy, she must do so without revealing which public key she is
using. But proving knowledge of one secret key among a large list of RSA keys using
general-purpose zero-knowledge proof systems
is too expensive: infeasible computational cost, enormous proofs, and/or a setup
phase whose incorrect execution allows proving false statements (see §8).
Meanwhile, infrastructures like GitHub are primarily based on RSA because
it is, anecdotally, the most widely-supported key type for both SSH and
PGP. This means that taking advantage of these infrastructures effectively
requires support for airdrops to RSA keys.
Our contributions. This work builds an efficient and practical private airdrop
system using special-purpose zero-knowledge proofs designed for this task.
First, we define precisely the required functionality and security properties
for a private airdrop scheme (§2.1). Second, we exhibit practical private airdrop
schemes designed to work with ECDSA (§3) and RSA (§4) credentials. Our
ECDSA scheme extends in a straightforward way to Schnorr, EdDSA,