We both wanted to solve the problem of bringing ownership and control over one's data. Non-Econ brought the product mindset and a use case looking for a technical solution, and Harry brought the technical architecture and was looking for a problem to solve.
Conceptually, there is currently no way to prove that someone actually collected a piece of data, nor that the data can be trusted. Imagine someone who is falsely accused of drinking and driving but whose breathalyzer test showed otherwise: if the test results were on-chain and the integrity of the data collection could be proven, they could not be framed. If someone was drunk but does not want to be judged on past decisions, they can have the ability to consent to showing the test results only to whom it concerns.
Technically, we are trying to solve the oracle problem: every oracle that depends on real-world sensor data can currently only rely on the consensus of a majority of nodes, so a lot of trust has to be placed in the data source. We solve this by integrating Apple's App Attest service, which generates a signature over a unique data hash from a genuine app running on a real device; that signature can then be verified, and the verification proven, inside a zkVM.
For this particular project, we focused on proving data collection from analog sensors on devices that hook up to an iOS app. The solution we designed could, for instance, be used to prove whether some analytics data was collected on our Bluetooth headphones, on a breathalyzer that connects to our iOS apps, and so on. Because of the nature of analog sensors, we focus on IoT devices whose owner is the same as the owner of the phone that runs the iOS app.
Designing the architecture so that the compute we prove really does prove data collection: a couple of unique issues arose. App Attest is not supported on macOS, and a Raspberry Pi with analog sensors does not send a unique device ID. Assuming the breathalyzer is controlled by the user of the data, we resolved these by letting the Raspberry Pi only send data to the iOS app, while the iOS app checks through App Attest that the Raspberry Pi is sending over some hard-stored information that can be matched with a unique ID about the iPhone running the app. Assuming that only trusted compute can access the Raspberry Pi, proving the attestation of the hard-stored information on the Pi serves as the proof of data collection.
After generating the signature with App Attest, we need to verify it in the zkVM. The attestation object is in a complex CBOR format that carries certificate information: we need to verify that the certificate chain is valid against Apple's root certificate, and that the signature was actually made with that certificate's key over the hash of the data. After some research we found an open source Rust library for X.509 certificate verification, which can be used to verify the App Attest signature.
Raspberry Pi and analog sensors don't have a unique ID: we decided to link the particular IoT device (emulated with a Raspberry Pi Pico WH) to the iPhone running the iOS app by having the iPhone's user hard-store some unique identifying information about themselves or their phone on the IoT device. That way, proving data collection reduces to proving that some perturbed version of the IDs matches on both the device and the phone.
Raspberry Pi <-> iOS app: how can anyone trust it? The way the Raspberry Pi Pico WH handles data encoding and formatting is of course different from the way the iOS app does. And because the Pico stops running after successfully sending data to the app wirelessly, each experiment took about 2-3 minutes. The solution was to make every iteration count while we debugged the integration.
Tracks Applied (4)
RISC Zero
RISC Zero
RISC Zero
Aligned