CardanoWall - the second stage is available

For the last week, I have been actively working on improving the Proof of Existence idea on which the CardanoWall.com project is built. I also want to thank GnuCanoe on Reddit, who encouraged me to study collision attacks with SHA algorithms in detail. I decided to switch from using the SHA-256 algorithm in the SHA-2 cryptographic hash function set to SHA3-256 in the latest SHA algorithms family. Although at the moment, the creation of collisions for SHA-256 is not feasible; nevertheless, in the future, with the development of technologies and computing power, such a threat may become real. Because there is an SHA-3 family, why not start using the current and best solution right away?

The most important update is adding a public key to the message and the electronic signature of all PoE files signed by a private key. This functionality allows you to create Proof of Existence in its classic form and also anonymously indicate the message’s authorship. I set myself a goal - to make the whole process of working with keys, electronic signatures, and encryption - only in the user’s browser. This can be verified by reviewing my source code or checking the browser’s network activity in the Dev Tools Network tab. No private keys should be sent to the server under any circumstances.

The task turned out to be quite tricky; for example, my favorite browser Firefox, for seven years now, has not been able to implement good support for working with ECDSA keys, which has long been implemented in other browsers. I had to look for other ways and make a lot of trial and error to get the result. Besides, I managed to make sure that the formats used are not tied to what browsers use, and the data is converted into popular and generally accepted standards. I love challenging and non-standard tasks the most!

Now with CardanoWall, you can safely generate a new private key in PEM (PKCS8) format, save it as a file, or load an existing one. The private key is generated with the maximum security level (EC key with P-521/secp521r1 curve). When you select a file or files from your computer, the browser calculates the SHA3-256 hash for each file. The hash is signed with a private key, and an electronic signature is added in base64 format to each file’s meta-data. The public key is included in the message since it allows others to verify the electronic signatures of files and make sure that signatures are valid and created with the same private key.

Suppose you are not very familiar with cryptography. In that case, the entire paragraph above, with the constant use of the words “private key,” “public key,” “electronic signatures,” “curve,” etc., does not give you enough understanding of why all these complications.

Let me explain it more simply: now, you can leave Proof of Existence in the Cardano blockchain and at the same time add your authorship to it anonymously. Of course, it’s essential not to forget to save your private key to your computer or another device. And if someday you need to prove in a court or somewhere else that the posted PoE was signed by you, then you can do it. With your private key, you can sign any new message (phrase, text, file content), and it can be verified with the same public key that was added to the metadata, along with PoE. All key and signature formats are stored in such formats that the signature verification process could be carried out on any machine using the most popular OpenSSL library.

I do not plan to dwell on this because solving one problem allows me to move on to work on the next, third level of PoE as I envision it. I want to thank everyone who supported and became interested in the project after my previous post, where I introduced the CardanoWall and explained the Proof of Existence principle. I could never imagine that the Cardano community would be so friendly and open-minded.

Try it on https://cardanowall.com/

6 Likes
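The signing flow described in the post above (P-521 key in PKCS8 PEM, SHA3-256 per file, base64 signature, verification with the published public key), as an added example that is not CardanoWall's own code. It runs on Node.js's built-in `crypto` rather than in a browser; the entry field names, the choice to sign the hex hash string, and SHA-512 as the ECDSA digest are assumptions, since the post does not specify them.

```javascript
// Added example, Node.js built-in crypto only. Field names are hypothetical.
const crypto = require('crypto');

// EC P-521 (secp521r1) key pair as PEM: PKCS8 private key, SPKI public key.
function generateKeyPair() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp521r1' });
  return {
    privatePem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
}

function sha3Hex(bytes) {
  return crypto.createHash('sha3-256').update(bytes).digest('hex');
}

// Assumption: the signature covers the hex hash string, and ECDSA uses
// SHA-512 internally. Output is a DER signature encoded as base64.
function signText(text, privatePem) {
  return crypto.sign('sha512', Buffer.from(text, 'utf8'), privatePem).toString('base64');
}

function verifyText(text, sigB64, publicPem) {
  return crypto.verify('sha512', Buffer.from(text, 'utf8'), publicPem,
    Buffer.from(sigB64, 'base64'));
}

// Per-file PoE entry: SHA3-256 of the content plus a signature over that hash.
function makeEntry(name, bytes, privatePem) {
  const hash = sha3Hex(bytes);
  return { name, hash, sig: signText(hash, privatePem) };
}

// Check the file against the entry, then the signature against the public key.
function verifyEntry(entry, bytes, publicPem) {
  if (sha3Hex(bytes) !== entry.hash) return 'hash-mismatch';
  return verifyText(entry.hash, entry.sig, publicPem) ? 'valid' : 'bad-signature';
}

// Constructed sample: a small "file" and a later authorship challenge.
const keys = generateKeyPair();
const file = Buffer.from('constructed sample file contents');
const entry = makeEntry('sample.txt', file, keys.privatePem);
console.log(verifyEntry(entry, file, keys.publicPem));
const challenge = 'constructed challenge phrase';
console.log(verifyText(challenge, signText(challenge, keys.privatePem), keys.publicPem));
```

The last two lines mirror the two uses the post describes: checking a file against its published entry, and later proving authorship by signing a fresh message that verifies under the same public key.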

Why would you require an email address? That seems like a horrible privacy concern, even if you don’t store the email, which we of course can’t confirm. Not exactly trustless.

EDIT
I noticed that you can just enter anything that looks like an email, and it will generate a coupon on the site. Why the hassle with the email, and not just generate one on site? Also, what is the countdown for?

I really like the idea of a “Cardano Wall”, but find the implementation oddly centralized. Correct me if I got it wrong. Maybe the tools to create and confirm a transaction oneself, such as with MetaMask on Ethereum, are just not there yet on Cardano?

As explained, email is used only once to send you a code. If you clear your browser or use it in private mode, then you will lose the code once you visit the website the next time. You need to save the code somewhere. If you don’t want a copy of the code in your email - enter any non-existent email or null@cardanowall.com.

The countdown is for making the payment. The provided payment address is locked and awaiting a tx within 60 minutes. If you do not make a payment, it will be available for other users to use.

What’s “centralized” about CardanoWall? You send a message using your browser, and it’s sent directly to the blockchain to stay there forever. You don’t need CardanoWall to see the message or get PoE data such as hashes, digital signature, and a public key. The signature of PoE can be verified totally outside of CardanoWall in openssl.

I don’t understand any comparison with MetaMask. CardanoWall is a tool for sending text messages to the blockchain. The best usage is Proof of Existence to secure your works as an author, musician, artist, business.

Hey Viggy, thanks for your reply!

Thanks for the clarification that email isn’t actually needed. I’d state that on the site, but it’s your call. :slight_smile:

I don’t know exactly how CardanoWall is built, so maybe I’ve got it all wrong. There are no smart contracts yet on Cardano. So I guess when people send ADA to that address they trust that, using the associated coupon code, the website will actually post to the blockchain for them. In theory, the website could just act as if it sent to the blockchain, display the pictures on its wall, and keep the ADA. (Obviously I’m not saying that that’s what it’s doing – just hypothetically speaking.) Of course if anyone checked the actual blockchain they could figure that out.

In that sense it’s centralized with the website (i.e. you) being the central authority. It’d be decentralized if the user was using the website to post directly to the chain, and not relying on the website to post on his behalf. That would require the user to sign the transaction containing the published content. On Ethereum that’s usually done using MetaMask.

Since there are no smart contracts yet I’m obviously not blaming you for not using smart contracts. :stuck_out_tongue:

Or maybe I’m entirely confused about how CardanoWall works! In that case I’d be curious to know more.

There is no need for smart contracts at all. Why do you need smart contracts for storing metadata on the blockchain? You can watch a video on the main page that explains what CW is for.

  1. After you send a message, you see links to external AdaStat, Cardano Explorer, CardanoScan, where you can see your message on the blockchain. I cannot imagine a situation to risk a website trust over 1 ADA purchase, or why wouldn’t CW send the message.

  2. Why would someone want to use their own wallet to send messages? That will show their address, balance to other people. You were concerned about privacy, and at the same time, you want every visitor to use their real wallets to reveal themselves and show their balances. That makes no sense. CardanoWall sends TXs with the metadata for you and handles the technical part. It has no control over sent messages. There is no way to delete, edit or un-send it once it’s written in the blockchain.

PS: Smart contracts are not the answer to many questions. You can build serious and practical products without smart contracts. PoE is one of those cases. You cannot do the same on the Bitcoin network because you are limited to 83 bytes to OP_RETURN. That’s nothing. With Ethereum’s TX fees, it will cost 20 times more than doing it on Cardano. Plus, Cardano’s metadata feature is implemented way better.

1 Like
  1. Whether you can imagine such a situation or not, you have to trust the website. So it’s not decentralized. I don’t think it’s too hard to come up with hypothetical scenarios. The question isn’t “would”, but “could” they do it.
  2. Similarly one can follow the chain of transactions back to the poster’s wallet (if CW sends the tx from the wallet that received the 1ADA), or at least try to infer the poster’s wallet by timing (if CW always sends the tx from the same wallet, regardless of which wallet received the payment, which I doubt). So the point about privacy appears to be moot. Anonymity on the block chain is a whole other issue.

Of course, once it’s created it’s in the blockchain and therefore stored in a decentralized fashion. But its creation, which is the service CW offers, is centralized.

I also don’t intend to criticize you in any way for the design choices you made, since I don’t think there’s another way at the moment. My only criticism was regarding the email thing. I very much like the idea of your project.

If people want to trust a centralized service even in the future when smart contracts are introduced, that’s fine too. I just (maybe unnecessarily) pointed out that that’s what this is at the moment.

  1. CW doesn’t need to be decentralized. It’s a tool that works with the blockchain. The “decentralization” or “smart contracts” should be used in places where they are required. I would leave those words to projects that want more hype to use them as much as they can. It’s not a magic solution to everything.

  2. CW will never send a TX with metadata from a wallet from payments. It has multiple wallets, each for its purpose. For each payment, a new address is generated. It’s designed that way for the clients’ privacy. For each TX, a new address is used from multiple separate wallets.

CW is a service that makes complicated things simple and provides PoE at a much advanced level than it existed before. CW uses a lot of cryptography because it’s a big part of it, starting with level 2, 3, and even more with coming level 4. For many people generating a key with a GENERATE button and then saving a PEM file is a complication they do not understand. Things should not be overcomplicated.

1 Like

I’m interested in 2! Can you explain what exactly the flow is? Also, how does CW “use cryptography”?

There is a video explanation right on the main page at the top. It shows how to work with the website and explains PoE levels that I already implemented.