Inspiration

In a new era where artificial intelligence can synthesize content almost indistinguishable from human creation, how will we trust what we see on the Internet? I envision a paradigm shift in how we interact with others online, based on asymmetric cryptography and personal signing keys, to provide strong, verifiable proof that a particular person indeed said or created something.

What it does

By cryptographically signing all content on the site, and envisioning a world where everyone owns a personal, secure hardware signing device, Pretty Good Social ties every piece of user-generated content to a public key that serves as its author's identity. What was "following" on previous social media sites then becomes a statement of trust: you believe that content signed by a particular key really comes from the person you associate with that key. By creating an explicit opt-in trust model, we can move away from having information fed to us that is treated as true until proven otherwise, and towards a world where the trust systems we use online more closely reflect those we use with real people.

To sign up, users do not need to remember another username and password; they simply plug in their hardware signing key and push a button, and the device signs a server-issued challenge to prove that the user controls the corresponding private key. There are no explicit "accounts"; there is only metadata associated with public keys. Posting follows a similar flow: the hardware key must be used to sign the message the user wants to publish.

How we built it

Internally, the backend is written in Python with what I would consider "FastAPI-lite" (raw Starlette + SQLAlchemy), chosen purely out of personal preference. Critically, the authentication layer is implemented as a simple middleware that can be applied to any route of the API. I prototyped a basic hardware signing key using an Arduino Uno, with firmware written in Rust that binds to a C library for the cryptographic primitives. I picked Ed25519 signatures for the cryptographic signing because of their good balance between security and computational efficiency, along with small keys and signatures (32 and 64 bytes respectively). Finally, I started writing the frontend with TypeScript, but I did not get particularly far with it.

Challenges we ran into

Most disappointingly, I was unable to get my hardware key prototype to actually work. In the end, the 2 KB of RAM on the ATmega328P is not enough to pull off Ed25519 signing, no matter how hard I tried. I spent a lot of time trying to get that to work, so in the end the project did not progress a whole lot.

Accomplishments that we're proud of

I am happy that I was able to pull off the authentication system, at least in a simulated environment where the signing occurs directly on the device the user accesses the platform from. In a sense, the only barrier was getting the hardware key to work, so in the end there was quite a bit of success.

What we learned

Interestingly, while researching some of the cryptographic techniques I used, I came across the WebAuthn specification, which has similar goals to my project. While I thought WebAuthn was insufficient for what I imagined, mainly because it generates a unique key pair per website, reading the spec did make me aware that replay attacks are a real threat in this type of authentication scheme. Originally I had no plans for any sort of challenge system to keep the API secure, but once I understood the motivation I immediately factored it into my plans.
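The login and posting flow described under "What it does", together with the replay-resistant challenge system mentioned above, as an added example. This is not the project's code: it is written in Go rather than the project's Python backend because Go's standard library ships Ed25519 (crypto/ed25519), so it runs with no dependencies. The message layout (domain-separation tags, nonce and public key concatenated), the 60-second challenge lifetime and the in-memory challenge table are assumptions for illustration, not the project's wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Domain-separation tags (assumed, not the project's format): a signature
// produced to answer a login challenge can never be presented as a post,
// and a signed post can never be replayed as a login.
const (
	tagLogin = "pgs-login-v0:"
	tagPost  = "pgs-post-v0:"
)

// Challenge is what the server hands to the client. The nonce is random and
// single-use; the expiry bounds how long an intercepted challenge stays useful.
type Challenge struct {
	Nonce   []byte
	PubKey  ed25519.PublicKey
	Expires time.Time
}

// loginMessage is the exact byte string the hardware key signs. Binding the
// public key into it means a challenge issued for one key cannot be answered
// by another.
func loginMessage(c Challenge) []byte {
	msg := []byte(tagLogin)
	msg = append(msg, c.Nonce...)
	return append(msg, c.PubKey...)
}

// Server keeps no accounts, only outstanding challenges keyed by nonce.
// The clock is injectable so expiry can be exercised deterministically.
type Server struct {
	now     func() time.Time
	ttl     time.Duration
	pending map[string]Challenge
}

func NewServer(now func() time.Time) *Server {
	return &Server{now: now, ttl: 60 * time.Second, pending: map[string]Challenge{}}
}

// IssueChallenge records a fresh nonce for the claimed public key.
func (s *Server) IssueChallenge(pub ed25519.PublicKey) (Challenge, error) {
	if len(pub) != ed25519.PublicKeySize {
		return Challenge{}, errors.New("public key has wrong length")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, PubKey: append(ed25519.PublicKey(nil), pub...), Expires: s.now().Add(s.ttl)}
	s.pending[hex.EncodeToString(nonce)] = c
	return c, nil
}

// Login consumes the challenge first, then checks expiry, key binding and the
// signature. Consuming before verifying gives exactly one attempt per nonce:
// a captured response cannot be replayed, and a bad signature cannot be
// retried against the same challenge.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) error {
	id := hex.EncodeToString(nonce)
	c, ok := s.pending[id]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, id)
	switch {
	case s.now().After(c.Expires):
		return errors.New("challenge expired")
	case !bytes.Equal(c.PubKey, pub):
		return errors.New("challenge was issued to a different key")
	case !ed25519.Verify(pub, loginMessage(c), sig):
		return errors.New("bad signature")
	}
	return nil
}

// HardwareKey stands in for the device: the private key never leaves it and
// callers only ever receive signatures.
type HardwareKey struct{ priv ed25519.PrivateKey }

func NewHardwareKey() (*HardwareKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv}, nil
}

func (k *HardwareKey) Public() ed25519.PublicKey { return k.priv.Public().(ed25519.PublicKey) }

// AnswerChallenge is the "push the button" step of login.
func (k *HardwareKey) AnswerChallenge(c Challenge) []byte { return ed25519.Sign(k.priv, loginMessage(c)) }

// SignedPost is what gets published: the author is nothing but a public key.
type SignedPost struct {
	Author ed25519.PublicKey
	Body   []byte
	Sig    []byte
}

func (k *HardwareKey) Post(body []byte) SignedPost {
	return SignedPost{Author: k.Public(), Body: body, Sig: ed25519.Sign(k.priv, append([]byte(tagPost), body...))}
}

// VerifyPost is what a follower runs: "following" a key means accepting
// exactly the posts whose signatures check under it.
func VerifyPost(p SignedPost) bool {
	return ed25519.Verify(p.Author, append([]byte(tagPost), p.Body...), p.Sig)
}

func main() {
	srv := NewServer(time.Now)
	key, _ := NewHardwareKey()
	c, _ := srv.IssueChallenge(key.Public())
	sig := key.AnswerChallenge(c)
	fmt.Println("first login:", srv.Login(key.Public(), c.Nonce, sig))    // <nil>
	fmt.Println("replayed login:", srv.Login(key.Public(), c.Nonce, sig)) // unknown or already-used challenge
	post := key.Post([]byte("constructed sample post")) // constructed input
	fmt.Println("post verifies:", VerifyPost(post))     // true
	post.Body = append(post.Body, '!')
	fmt.Println("tampered post verifies:", VerifyPost(post)) // false
}
```

The server never stores anything about a user beyond the public key it issued a challenge to, which matches the "metadata associated with public keys" model; the only state that needs care is the pending-challenge table, which must be single-use and expire, or the replay problem the WebAuthn spec warns about comes straight back.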

What's next for Pretty Good Social

Obviously the next step would be implementing a better hardware key prototype that actually works. From there, I'm not really sure. There's a lot more that goes into making a sustainable social media platform besides proving the authenticity of what gets posted, so there is still a lot of design work that needs to happen.
