# The Bleak Outlook of Identity on the Internet

The internet is very much still in its early days, and like any frontier enterprise an element of risk or danger is always at play. The “move fast and break things” mentality has shipped incredible modern convenience into the palms of our hands, but this hasn’t come without a cost. The risk of being doxxed, hacked, or defrauded is just a regular and expected part of experiencing technology today. Routinely, we send websites passwords that we reuse everywhere. It is now casual to upload your government ID to book a hotel or make a payment. Even worse, sensitive data such as biometrics or health information are stored in databases, where malicious incentives and data breaches can cause irreversible harm. This complacency has allowed a **multi-trillion-dollar honeypot** of digital value to emerge, ripe for the taking. And the consequences are not just economic, but also touch civics, governments, and global security.

# Introducing Mishti Network

Mishti Network is Holonym Foundation’s contribution to public defense for user data on the internet. We built Mishti to minimize the damage of future attacks on critical digital infrastructure and lay the foundation for a more resilient internet. At its core, Mishti Network is a key primitive for secure data custody through strong identity proofs and authentication with minimal trust in third parties. It enables:

- Digital wallets from low-entropy data sources, such as biometrics or passwords
- Recoverable keys using identity proofs without trusted custodians
- Compliance tools with transparent accountability
- Secure nullifiers from low-entropy identifying data

*All without the need for centralized intermediaries who see data or private keys.*

# What Mishti Network Does

Mishti Network is a threshold network for elliptic curve scalar multiplication, performed over a distributed set of nodes that hold linear secret shares of the scalar. This unlocks several highly versatile cryptographic functions for identity and streamlined key UX. In particular, it unlocks *threshold verifiable oblivious pseudorandom functions (VOPRFs)* and *threshold ElGamal decryption over zero-knowledge (ZK)-friendly curves.*

## Verifiable Oblivious Pseudorandom Function: The Protector of Low-Entropy Data

Pseudorandom functions (PRFs) can take data that isn’t random, say my password: `MishtiNetworkAdmin123`

and turn it into something far more random and difficult to guess:

`jc1Cfo4dcWG6Ls4MymAk5z0PTz5i5kl8cHpZQ5JPtag=`

The average password has about 40 bits of entropy, so it takes roughly 2^40 (about one trillion) guesses to find it, which is quite feasible for a modern computer. For reference, a secure cryptographic key today must have at least 128 bits of entropy. Like passwords, biometrics are low in entropy, and so are identifying attributes such as name, birthday, address, and phone number.

But PRFs have a catch: they require a secret key to be mixed with the input. A centralized server would typically store the secret key and see the password, biometrics, or identifying attributes. This isn’t ideal for security, privacy, or decentralization. Centralization also causes problems with regulatory standards: the custodian of a secret key is usually the effective owner, or controller, of the data or assets it controls. Many companies prefer not to hold risky data or be exposed to the complex regulatory compliance requirements that often come with hefty fines.

Oblivious pseudorandom functions (OPRFs) address both custody and security. They let a server compute the PRF without ever learning its input! So you can provide a password to a server running an OPRF and it can help you convert it to a private key without learning your password. A convenient and relatively efficient OPRF we use is the 2HashDH algorithm: the input is hashed to a curve point, the client blinds that point with a random scalar, the server multiplies the blinded point by its secret key, and the client unblinds the result and hashes it once more to obtain the output.

If computation occurs blindly, how do we know the OPRF gives the correct result? Here, an efficient zero-knowledge proof of discrete log equality (DLEQ) is provided: it shows that the blinded point was multiplied by the same secret key that stands behind the server’s published public key. This makes the OPRF a verifiable OPRF, referred to as a VOPRF. Once it is verifiable, it can be done in a decentralized way, since we can hold nodes accountable for their results.

To decentralize it, we compute Lagrange interpolations of individual OPRFs:

$$s \cdot G \cdot \sum_{i=0}^n y_i \ell_i(x)$$

*where $$\ell_i(x)$$ is defined as*

$$\ell_i(x) = \prod_{j=0, j \neq i}^n \frac{x - x_j}{x_i - x_j}$$

Here, **s** is the user’s secret input, **G** is the generator point of an elliptic curve, $$y_i$$ is the $$i^{th}$$ node’s secret share and $$\ell_i(x)$$ is the $$i^{th}$$ node’s Lagrange basis polynomial defined above. Each node computes only its own term $$y_i \cdot (s \cdot G)$$ (on a blinded point, in practice) and the client weights and sums the terms. The resulting value is the network’s contribution to a decentralized OPRF.
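The sum in the formula is the Lagrange interpolation of the nodes’ shares, and the value the client actually wants is that interpolation at $$x = 0$$, where the shared network key sits. Carried through here as an added step, not from the original post, with the post’s own symbols plus $$k$$ for the dealt key, $$t$$ for the threshold, and $$S$$ for the set of responding nodes (the basis polynomials $$\ell_i$$ are then taken over $$j \in S$$):

$$f(x) = k + a_1 x + \dots + a_{t-1} x^{t-1}, \qquad y_i = f(x_i)$$

$$\sum_{i \in S} y_i\,\ell_i(0) = f(0) = k \quad \text{for any } S \text{ with } |S| = t$$

$$s \cdot G \cdot \sum_{i \in S} y_i\,\ell_i(0) = k \cdot (s \cdot G)$$

So the client obtains the same point $$k \cdot (s \cdot G)$$ from any $$t$$ of the $$n+1$$ nodes, while $$k$$ itself is never held by any single node.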

It only starts here though – there are numerous hurdles we have overcome in making Mishti Network resistant to collusion and asynchronously scalable to billions of users. We look forward to sharing more about such developments in the coming months.

## ElGamal over BabyJubJub: The Privacy / Compliance Compromise Everyone (Dis)Likes

It turns out that the same distributed scalar multiplication used for the `2HashDH` VOPRF can also be used for verifiable threshold ElGamal decryption!

Elliptic-curve ElGamal works by performing a Diffie-Hellman key exchange between an ephemeral key and the recipient’s public key. The resulting shared secret point is then added to the plaintext, encoded as a curve point; the recipient recovers the plaintext by multiplying the ephemeral public key by its secret key and subtracting the result. To threshold this decryption in a verifiable way, each node multiplies the ephemeral public key by its share, attaches a DLEQ proof, and the individual results are combined by Lagrange interpolation.

What is this and why does it matter? Threshold decryption allows a network to hold sensitive data and control who decrypts it. No individual node, and no group of nodes below the threshold, can ever see the plaintext. There are a couple of protocols like this, such as Lit Protocol and Threshold Network. These are general-purpose decryption protocols and in fact complementary to Mishti Network. Our approach is tailored for ZK-friendly curves such as BabyJubJub. This enables an important primitive: *provable* encryption to a threshold network, where a user can show inside a ZK proof that a ciphertext correctly encrypts their identity data to the network’s public key, which is only practical when the encryption’s curve arithmetic is native to the proof system. This is critical for harmonizing ZK systems with compliance requirements, and importantly, without sacrificing user agency or giving in to the urge for mass surveillance.
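To make both constructions concrete, here is an added, runnable Python example that is not Mishti Network’s code or API. It runs a 2-of-3 threshold 2HashDH VOPRF (the Lagrange combination from the previous section) and a 2-of-3 threshold ElGamal decryption on the same set of shares, so the single node operation “multiply this point by my share and prove it with DLEQ” is visibly shared by both. The example assumes secp256k1 in place of a ZK-friendly curve such as BabyJubJub (the group algebra is identical), a trusted dealer in place of a distributed key generation, a try-and-increment hash-to-curve, and constructed sample inputs; all function names and node IDs are the example’s own.

```python
# Added example: threshold 2HashDH VOPRF and threshold EC ElGamal decryption on one share set.
# Not Mishti Network code. secp256k1 stands in for a ZK-friendly curve; a dealer stands in
# for a DKG; Python int arithmetic is not constant-time. For understanding the protocol only.
import hashlib
import secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P1, P2):  # affine point addition; None is the point at infinity
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):  # scalar multiplication by double-and-add
    R, k = None, k % n
    while k:
        if k & 1: R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

def neg(P1): return None if P1 is None else (P1[0], -P1[1] % p)

def hash_to_curve(data):  # H1: try-and-increment onto y^2 = x^3 + 7 (p = 3 mod 4, so sqrt is one pow)
    for ctr in range(2**32):
        x = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big") % p
        rhs = (x**3 + 7) % p
        y = pow(rhs, (p + 1) // 4, p)  # a square root of rhs exactly when rhs is a square
        if y * y % p == rhs: return (x, y)

def challenge(*pts):  # Fiat-Shamir challenge bound to every point in the proof transcript
    h = hashlib.sha256()
    for X, Y in pts: h.update(X.to_bytes(32, "big") + Y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % n

def dleq_prove(y, B, Z, Y):  # prove log_G(Y) == log_B(Z), i.e. Z = y*B, without revealing y
    r = secrets.randbelow(n - 1) + 1
    c = challenge(G, Y, B, Z, mul(r, G), mul(r, B))
    return c, (r - c * y) % n

def dleq_verify(proof, B, Z, Y):  # recompute the commitments from (c, s) and rehash
    c, s = proof
    A1, A2 = add(mul(s, G), mul(c, Y)), add(mul(s, B), mul(c, Z))
    return None not in (A1, A2) and c == challenge(G, Y, B, Z, A1, A2)

def share_key(k, t, m):  # Shamir: node i holds y_i = f(i), f random of degree t-1 with f(0) = k
    coeffs = [k] + [secrets.randbelow(n) for _ in range(t - 1)]
    return {i: sum(c * pow(i, e, n) for e, c in enumerate(coeffs)) % n for i in range(1, m + 1)}

def lagrange_at_zero(i, ids):  # l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)  mod n
    num = den = 1
    for j in ids:
        if j != i: num, den = num * -j % n, den * (i - j) % n
    return num * pow(den, -1, n) % n

def node_respond(y_i, B):  # the one node operation both protocols need: y_i * B plus a DLEQ proof
    Z = mul(y_i, B)
    return Z, dleq_prove(y_i, B, Z, mul(y_i, G))

def combine(responses, pubs, B):  # client: reject any unproven share, then interpolate k * B
    acc = None
    for i, (Z, proof) in responses.items():
        if not dleq_verify(proof, B, Z, pubs[i]): raise ValueError(f"node {i} sent a bad share")
        acc = add(acc, mul(lagrange_at_zero(i, list(responses)), Z))
    return acc

def voprf(password, shares, pubs, ids):  # threshold 2HashDH: H2(pw, k * H1(pw))
    r = secrets.randbelow(n - 1) + 1
    B = mul(r, hash_to_curve(password))  # nodes only ever see the blinded point r * H1(pw)
    kH = mul(pow(r, -1, n), combine({i: node_respond(shares[i], B) for i in ids}, pubs, B))
    return hashlib.sha256(password + kH[0].to_bytes(32, "big")).digest()

def elgamal_encrypt(M, PK):  # C1 = e * G, C2 = M + e * PK, where e * PK is the DH shared secret
    e = secrets.randbelow(n - 1) + 1
    return mul(e, G), add(M, mul(e, PK))

def threshold_decrypt(C1, C2, shares, pubs, ids):  # nodes return y_i * C1; M = C2 - k * C1
    return add(C2, neg(combine({i: node_respond(shares[i], C1) for i in ids}, pubs, C1)))

def demo(t=2, m=3):
    k = secrets.randbelow(n - 1) + 1          # network key; no single node holds it after dealing
    shares = share_key(k, t, m)
    pubs = {i: mul(y, G) for i, y in shares.items()}
    pw = b"MishtiNetworkAdmin123"             # the post's sample password
    direct = hashlib.sha256(pw + mul(k, hash_to_curve(pw))[0].to_bytes(32, "big")).digest()
    M = hash_to_curve(b"constructed KYC record")  # constructed plaintext, encoded as a point
    C1, C2 = elgamal_encrypt(M, mul(k, G))
    Z, proof = node_respond(shares[1], C1)
    return {
        "any_t_nodes_agree": voprf(pw, shares, pubs, [1, 2]) == voprf(pw, shares, pubs, [2, 3]) == direct,
        "threshold_decrypts": threshold_decrypt(C1, C2, shares, pubs, [1, 3]) == M,
        "tamper_rejected": not dleq_verify(proof, C1, add(Z, G), pubs[1]),
    }

if __name__ == "__main__": print(demo())
```

Two things worth noticing when running it: the VOPRF output from nodes {1, 2} equals the output from nodes {2, 3} and equals what a single holder of `k` would compute, which is exactly the interpolation-at-zero identity, and a response whose point has been altered by a single generator fails its DLEQ check, so the client never folds it into the sum. Replacing the dealer with a DKG, the curve with BabyJubJub, and the try-and-increment hash with a constant-time hash-to-curve changes none of the protocol logic shown here.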

Usually, in ZK KYC, nobody can track users. However, law enforcement often requires the ability to investigate users suspected of engaging in illicit finance. This leaves projects with a tough choice: either give users real privacy, or stay on the right side of the law by storing their data. Unsurprisingly, most choose the latter.

The interesting innovation with Mishti Network is that **it enables you to choose both**. Provable encryption lets the overwhelming majority of users retain complete privacy, while only the rare few suspected of crimes are revealed to law enforcement – an improvement over the status quo where *no one has privacy*.

# When Mishti Network?

**Now!** Mishti Network is live today in a semi-centralized version. A decentralized testnet is slated to launch in Q2, with mainnet planned for production in Q4. To use the semi-centralized version you will need to be whitelisted; please fill out our __1-minute typeform__.

# How to Use It?

If you are a ZK identity protocol, wallet, or other protocol interested in using Mishti Network, please make sure to fill out __the typeform__.