Blind Registration via Anonymous Commitment Enrollment — devices register on-chain without revealing their identity to infrastructure operators.
You want to join a club but don’t want anyone to know your name. You put your ID card in a locked box, take a photo of the locked box, and submit only the photo. Later, you can prove “I’m the person who submitted that box” without ever opening it.
Protocol Flow
- Device generates keypair
(pk, sk)inside ATECC608B secure element - Device samples random blinding factor
r - Device computes commitment
C = H(pk || r) - Device transmits
Cto proof server (pkandrremain secret) - Proof server adds
Cto Merkle tree, publishes new root
Attestation Phase
When the device later submits data:
- Device sends
(data, signature, pk, r, Merkle_path)via mesh - Proof server generates ZK proof:
- “I know
(pk, r, path)such thatH(pk||r)is in registered tree” - “AND signature is valid under
pk”
- “I know
- Chain verifies proof, records nullifier
- Neither chain nor proof server learns which device submitted
Security Property
The hiding property of hash function H ensures the proof server cannot link commitment C back to public key pk. Even if the proof server is compromised or coerced, it cannot identify devices.
A soil moisture sensor in Manicaland registers via BRACE. The government compels the telecom to reveal all device activity. They see commitment C = 0x8a3f... submitted data—but cannot determine which of 10,000 registered sensors it was.
Guarantees
| Label | Guarantee |
|---|---|
| PG1 | Device anonymity: identification probability ≤ 1/N + negl(λ) |
| PG2 | Unlinkability: can’t correlate submissions across epochs |
| PG6 | Key secrecy: can’t extract key even with physical device access |