Proof of Machinehood(PoM) is a verifiable attestation that proves ownership of a specific device. This repository contains Solidity libraries designed for integration with third-party smart contracts. These libraries enable on-chain verification of PoM attestations, ensuring secure and reliable confirmation of device ownership.
The PoM attestation is a cryptographically-signed statement provided by users' devices. The format and content of this attestation can vary depending on the device type. This includes SafetyNet Attestations for Android phones, TPM Key Attestations for Windows devices, and App Attestations for Apple devices.
In this project, we utilize Web Authentication to acquire attestations from different devices. This approach allows us to gather attestations in a standardized manner, without delving into the specifics of each device type. Using Web Authentication to create credentials yields a signed data object known as the "attestation statement." This statement includes information about the credential and the device that created it. We use the attestation statement to substantiate the PoM of a device.
Experience it yourself with the Proof of Machinehood Demo and attest your own device!
Currently, we support the following devices:
- Android Device
- Windows Device
- Yubikey
struct AttStmt {
ISigVerifyLib.Algorithm alg;
string jwtHeader;
string jwtPayload;
string jwtSignature;
ISigVerifyLib.Certificate[] x5c;
}Below is the attestation statement from an Android device, verified by this library, along with a detailed explanation of each field:
alg: The algorithm used to generate the signature(jwtSignature) for the JWT (JSON Web Token).jwtHeader: The header of the JWT obtained from Google's SafetyNet Service. This field contains a certificate chain that can be used to verify the identity of the device.jwtPayload: The payload of the JWT from Google's SafetyNet Service. It includes fields such asctsProfileMatchandbasicIntegrity, which help in checking the device's integrity.jwtSignature: The signature part of the JWT from Google's SafetyNet Service, which is signed using the first certificate in the x5c array.x5c: The certificate chain included in thejwtHeader. This field is added to simplify the on-chain implementation process. Technically, it's possible to extract the certificate chain directly from thejwtHeader.
For more detailed information, please refer to the complete verification procedure.
struct AttStmt {
ISigVerifyLib.Algorithm alg;
bytes sig;
ISigVerifyLib.Certificate[] x5c;
bytes certInfo;
}Below is the attestation statement from a Windows device, verified by this library, along with a detailed explanation of each field:
alg: The algorithm used to generate the signaturesig.sig: The signature created using the first certificate inx5c. It provides cryptographic proof of various properties of the device and the credential.x5c: The certificate chain that verifies the identity of the device.certInfo: This is the data that is signed and represents a complex structure defined by Microsoft.
For more comprehensive information, please refer to the complete verification procedure.
struct AttStmt {
ISigVerifyLib.Algorithm alg;
bytes signature;
ISigVerifyLib.Certificate[] x5c;
}Below is the attestation statement from a Yubikey, verified by this library, along with a detailed explanation of each field:
alg: The algorithm used to generate the signaturesig.sig: The signature created using the first certificate inx5c. It provides cryptographic proof of specific properties of the device and the credential.x5c: The certificate chain that verifies the identity of the device.
For more comprehensive information, please refer to the complete verification procedure.
No, your privacy is well protected. The attestation only proves that it is generated by a specific type of device and does not include any identifiable information about the device itself. Therefore, even though the verification is completed on-chain, this process will not compromise your privacy.
No, the attestation itself cannot conclusively prove that users own the device. It only confirms that the user had control over a specific device at the time of attestation generation. This is because generating the attestation requires completing device-specific authentication, such as entering a PIN code or using a fingerprint. However, it doesn't guarantee continued ownership or control of the device thereafter.
To be precise, attestation can only verify device ownership within a specific time frame. For instance, when a user generates an attestation, we can be certain they owned the device at that moment. However, the certainty of ownership naturally decreases over time. As an illustrative example, this might hypothetically drop to 98% after 5 minutes and further to 80% after a day, though these specific percentages are not actual measurements but rather are used to demonstrate the concept. Therefore, when integrating the PoM library, you should consider how to interpret and utilize the attestation data based on the specific needs and context of your application.
Solidity developers can simply import AttestationVerificationBase.sol to their contract regardless of the device type, since they all implement the verifyAttStmt() method. See example below:
import {AttestationVerificationBase} from "@automata-network/proof-of-machinehood-contracts/AttestationVerificationBase.sol";
contract ExamplePOM {
AttestationVerificationBase android;
AttestationVerificationBase windows;
// ...
constructor(address _android, address _windows) {
android = AttestationVerificationBase(_android);
windows = AttestationVerificationBase(_windows);
}
/// @dev it only cares about Android, cuz Google rocks!
function verifyAndroidAttestation(
bool isAndroid,
bytes calldata challenge,
bytes calldata attStmt,
bytes calldata authData,
bytes calldata clientData
) external returns (bool verified) {
// ...
if (isAndroid) {
(verified, ) = android.verifyAttStmt(
challenge,
attStmt,
authData,
clientData
);
}
}
}
$ forge build$ forge test$ forge fmt$ forge snapshot