@ -8,7 +8,7 @@ Decentralized Name Registry with Trust-Weighted Consensus
## Abstract
## Abstract
This NIP defines a decentralized name registry protocol for human-readable resource naming with trustless title transfer. The protocol uses trust-weighted attestations from relay operators to achieve Byzantine fault tolerance without requiring centralized coordination or proof-of-work. Consensus is reached through social mechanisms of association and affinity, enabling the network to scale to thousands of participating relays while maintaining ~51% Byzantine fault tolerance against censorship.
This NIP defines a decentralized name registry protocol for human-readable resource naming with trustless title transfer. The protocol is implemented as an independent service that uses Nostr relays for communication (via ephemeral events) and persistent storage (for name state records). The service uses trust-weighted attestations from registry service operators to achieve Byzantine fault tolerance without requiring centralized coordination or proof-of-work. Consensus is reached through social mechanisms of association and affinity, enabling the network to scale to thousands of participating registry services while maintaining ~51% Byzantine fault tolerance against censorship.
## Motivation
## Motivation
@ -17,15 +17,53 @@ Many peer-to-peer applications require human-readable naming systems for locatin
This proposal leverages Nostr's existing social graph and relay infrastructure to create a naming system that is:
This proposal leverages Nostr's existing social graph and relay infrastructure to create a naming system that is:
- **Trustless**: No single authority controls name registration
- **Trustless**: No single authority controls name registration
- **Byzantine fault tolerant**: Resistant to malicious relays (up to ~51% by trust weight)
- **Byzantine fault tolerant**: Resistant to malicious registry services (up to ~51% by trust weight)
- **Scalable**: Supports thousands of participating relays
- **Scalable**: Supports thousands of participating registry services
- **Censorship resistant**: Diverse trust graphs make network-wide censorship difficult
- **Censorship resistant**: Diverse trust graphs make network-wide censorship difficult
- **Permissionless**: Anyone can operate a relay and participate in consensus
- **Permissionless**: Anyone can operate a registry service and participate in consensus
- **Relay-agnostic**: Uses standard Nostr relays for communication and storage without requiring relay modifications
The protocol achieves finality in 1-2 minutes, which is acceptable for DNS-like use cases while avoiding the complexity and resource requirements of traditional blockchain consensus.
The protocol is implemented as an independent service (separate from relay software) that communicates via ephemeral Nostr events and stores persistent state as parameterized replaceable events. This achieves finality in 1-2 minutes, which is acceptable for DNS-like use cases while avoiding the complexity and resource requirements of traditional blockchain consensus.
## Specification
## Specification
### Architecture Overview
The name registry protocol is implemented as an independent service that runs separately from Nostr relay software. The service architecture consists of:
**Registry Service:**
- A standalone daemon/process operated by registry service providers
- Subscribes to registration proposals and attestations from Nostr relays
- Computes consensus independently using trust-weighted voting
- Publishes attestations (ephemeral) and name state (persistent) back to relays
- Maintains local trust graph and consensus state
**Communication Layer (Ephemeral Events):**
- **Attestations (kind 20100)**: Service-to-service communication via ephemeral events
- Posted to Nostr relays for propagation to other registry services
- Short-lived (pruned after attestation window completes)
- Enables decentralized coordination without direct peer connections
**Storage Layer (Persistent Events):**
- **Registration Proposals (kind 30100)**: User requests stored on relays
- **Trust Graphs (kind 30101)**: Service trust relationships stored on relays
- **Name State (kind 30102)**: Consensus results stored on relays
- Parameterized replaceable events ensure only current state is maintained
**Relay Role:**
- Standard Nostr relays (no modifications required)
- Store persistent events (kinds 30100, 30101, 30102)
- Propagate ephemeral attestations (kind 20100) between services
- Serve queries from clients and registry services
- No consensus logic or special name registry support needed
**Advantages of Independent Service Architecture:**
- Relays remain simple event stores and routers
- Service operators can upgrade consensus logic independently
- Multiple competing registry implementations can coexist
- Clear separation of concerns (relay = transport/storage, service = consensus)
- Registry services can use multiple relays for redundancy
### Event Kinds
### Event Kinds
This NIP defines the following event kinds:
This NIP defines the following event kinds:
@ -73,19 +111,19 @@ This prevents unauthorized transfers and ensures the current owner explicitly ap
### Attestation (Kind 20100)
### Attestation (Kind 20100)
An ephemeral event where relay operators attest to their acceptance or rejection of a registration proposal:
An ephemeral event where registry service operators attest to their acceptance or rejection of a registration proposal. This event is published to Nostr relays for propagation to other registry services:
```json
```json
{
{
"kind": 20100,
"kind": 20100,
"pubkey": "<relay_operator_pubkey>",
"pubkey": "<registry_service_pubkey>",
"created_at": <unix_timestamp>,
"created_at": <unix_timestamp>,
"tags": [
"tags": [
["e", "<proposal_event_id>"], // the registration proposal being attested
["e", "<proposal_event_id>"], // the registration proposal being attested
["decision", "approve"], // "approve", "reject", or "abstain"
["decision", "approve"], // "approve", "reject", or "abstain"
- `reason` tag: Optional human-readable justification for audit trails
- `reason` tag: Optional human-readable justification for audit trails
- `relay` tag: WebSocket URL of the relay this operator controls
- `service` tag: Optional identifier for the registry service (URL or other identifier)
**Attestation Window:**
**Attestation Window:**
Relays SHOULD publish attestations within 60-120 seconds of receiving a registration proposal. This allows sufficient time for gossip propagation while maintaining reasonable finality times.
Registry services SHOULD publish attestations within 60-120 seconds of receiving a registration proposal. Attestations are posted to Nostr relays as ephemeral events, allowing them to propagate to other registry services via relay gossip. This allows sufficient time for event propagation while maintaining reasonable finality times.
### Trust Graph (Kind 30101)
### Trust Graph (Kind 30101)
A parameterized replaceable event where relay operators declare their trust relationships:
A parameterized replaceable event where registry service operators declare their trust relationships. This event is stored on Nostr relays and used by other registry services to build trust graphs:
```json
```json
{
{
"kind": 30101,
"kind": 30101,
"pubkey": "<relay_operator_pubkey>",
"pubkey": "<registry_service_pubkey>",
"created_at": <unix_timestamp>,
"created_at": <unix_timestamp>,
"tags": [
"tags": [
["d", "trust-graph"], // identifier for replacement
["d", "trust-graph"], // identifier for replacement
@ -129,31 +167,31 @@ A parameterized replaceable event where relay operators declare their trust rela
**Field Specifications:**
**Field Specifications:**
- `p` tag: Defines trust in another relay operator
- `p` tag: Defines trust in another registry service operator
- First parameter: Trusted relay operator's pubkey
- First parameter: Trusted registry service's pubkey
- Second parameter: Relay WebSocket URL
- Second parameter: Optional service identifier (URL or other identifier)
- Third parameter: Trust score (0.0 to 1.0, where 1.0 = complete trust)
- Third parameter: Trust score (0.0 to 1.0, where 1.0 = complete trust)
**Trust Score Guidelines:**
**Trust Score Guidelines:**
- `1.0`: Complete trust (e.g., operator's own other relays)
- `1.0`: Complete trust (e.g., operator's own other registry services)
- `0.7-0.9`: High trust (well-known, reputable operators)
- `0.7-0.9`: High trust (well-known, reputable service operators)
- `0.4-0.6`: Moderate trust (established but less familiar)
- `0.4-0.6`: Moderate trust (established but less familiar operators)
- `0.1-0.3`: Low trust (new or unknown operators)
- `0.1-0.3`: Low trust (new or unknown operators)
- `0.0`: No trust (excluded from consensus)
- `0.0`: No trust (excluded from consensus)
**Trust Graph Updates:**
**Trust Graph Updates:**
Relay operators SHOULD update their trust graphs gradually. Rapid changes to trust relationships MAY be penalized in weighted consensus calculations to prevent manipulation.
Registry service operators SHOULD update their trust graphs gradually. Rapid changes to trust relationships MAY be penalized in weighted consensus calculations to prevent manipulation. Trust graphs are stored as parameterized replaceable events on Nostr relays, making them publicly auditable.
### Name State (Kind 30102)
### Name State (Kind 30102)
A parameterized replaceable event representing the current ownership state of a name:
A parameterized replaceable event representing the current ownership state of a name. This event is published by registry services after consensus is reached and stored on Nostr relays:
```json
```json
{
{
"kind": 30102,
"kind": 30102,
"pubkey": "<relay_operator_pubkey>",
"pubkey": "<registry_service_pubkey>",
"created_at": <unix_timestamp>,
"created_at": <unix_timestamp>,
"tags": [
"tags": [
["d", "<name>"], // the name
["d", "<name>"], // the name
@ -168,19 +206,19 @@ A parameterized replaceable event representing the current ownership state of a
}
}
```
```
This event is published by relays after consensus is reached, allowing clients to quickly query current ownership state without recomputing consensus.
This event is published by registry services after consensus is reached and stored on Nostr relays as a parameterized replaceable event. This allows clients to quickly query current ownership state from relays without recomputing consensus or running their own registry service.
### Consensus Algorithm
### Consensus Algorithm
Each relay independently computes consensus using the following algorithm:
Each registry service independently computes consensus using the following algorithm. Registry services subscribe to events from Nostr relays to receive proposals and attestations:
#### 1. Attestation Window
#### 1. Attestation Window
When a relay receives a registration proposal for name `N`:
When a registry service receives a registration proposal for name `N` (via subscription to kind 30100 events on relays):
1. Start a timer for `T` seconds (recommended: 60-120s)
1. Start a timer for `T` seconds (recommended: 60-120s)
2. Collect all attestations for this proposal
2. Collect all attestations for this proposal (kind 20100 events from relays)
3. Collect competing proposals for the same name `N`
3. Collect competing proposals for the same name `N` (kind 30100 events from relays)
#### 2. Trust-Weighted Scoring
#### 2. Trust-Weighted Scoring
@ -201,15 +239,16 @@ Where:
#### 3. Trust Distance Calculation
#### 3. Trust Distance Calculation
Trust distance is computed using the relay's trust graph (kind 30101 events):
Trust distance is computed using the registry service's trust graph (assembled from kind 30101 events retrieved from relays):
1. Build a directed graph from all relay trust declarations
1. Subscribe to kind 30101 events from relays to build a trust graph
2. Use Dijkstra's algorithm or breadth-first search to find shortest trust path
2. Build a directed graph from all registry service trust declarations
3. Multiply trust scores along the path for effective trust weight
3. Use Dijkstra's algorithm or breadth-first search to find shortest trust path
4. Multiply trust scores along the path for effective trust weight
**Example:**
**Example:**
```
```
Relay A → Relay B (0.9) → Relay C (0.8)
Service A → Service B (0.9) → Service C (0.8)
Effective trust from A to C: 0.9 × 0.8 × 0.8 (1-hop decay) = 0.576
Effective trust from A to C: 0.9 × 0.8 × 0.8 (1-hop decay) = 0.576
```
```
@ -229,21 +268,21 @@ After the attestation window expires:
- Multiple proposals exceed threshold with similar scores (within 5%)
- Multiple proposals exceed threshold with similar scores (within 5%)
- Insufficient attestations received (coverage <30%oftrustgraph)
- Insufficient attestations received (coverage <30%oftrustgraph)
5. **Publish name state** (kind 30102) once consensus is reached
5. **Publish name state** (kind 30102) to Nostr relays once consensus is reached
### Sparse Attestation Optimization
### Sparse Attestation Optimization
To reduce network load, relays MAY use sparse attestation where they only attest when:
To reduce network load, registry services MAY use sparse attestation where they only publish attestations when:
1. **Local interest**: One of the relay's connected clients queries this name
1. **Local interest**: One of the service's clients queries this name
Note: Registry services can prune ephemeral attestations after consensus is reached. Persistent data (proposals, trust graphs, name state) is stored on Nostr relays, not in the registry service.
- Trust graph: ~100 KB per 1000 relays
- Active proposals: ~1 MB per 1000 pending registrations
- Attestations (7-day window): ~100 MB per 1000 relays at 1000 registrations/day
- Name state: ~1 KB per name
### Bootstrap Relay Discovery
### Bootstrap Service Discovery
New relays should bootstrap their trust graph by:
New registry services should bootstrap their trust graph by:
1. Connecting to well-known seed relays (similar to NIP-65 relay lists)
1. Connecting to well-known Nostr relays to fetch kind 30101 events
2. Importing trust graphs from 3-5 reputable relays
2. Importing trust graphs from 3-5 reputable registry services
3. Using weighted average of imported trust scores as initial state
3. Using weighted average of imported trust scores as initial state
4. Gradually adjusting trust based on observed relay behavior over 30 days
4. Gradually adjusting trust based on observed service behavior over 30 days
5. Publishing their own trust graph (kind 30101) to relays once established
## Security Considerations
## Security Considerations
@ -331,31 +376,32 @@ New relays should bootstrap their trust graph by:
#### 1. Sybil Attack
#### 1. Sybil Attack
**Attack**: Attacker creates thousands of relay identities to dominate attestations.
**Attack**: Attacker creates thousands of registry service identities to dominate attestations.
**Mitigation**:
**Mitigation**:
- Trust-weighted consensus prevents new relays from having immediate influence
- Trust-weighted consensus prevents new services from having immediate influence
- Established relays must trust new relays before they gain weight
- Established services must trust new services before they gain weight
- Age-weighted trust (new relays have reduced influence for 30 days)
- Age-weighted trust (new services have reduced influence for 30 days)
- Trust graphs stored on relays are publicly auditable
#### 2. Trust Graph Manipulation
#### 2. Trust Graph Manipulation
**Attack**: Attacker gradually builds trust relationships then exploits them.
**Attack**: Attacker gradually builds trust relationships then exploits them.
**Mitigation**:
**Mitigation**:
- Audit trails (kind 30101 events are public and verifiable)
- Audit trails (kind 30101 events stored on relays are public and verifiable)
- Sudden trust changes are penalized in consensus calculations
- Sudden trust changes are penalized in consensus calculations
- Diverse trust graphs mean attacker must control different sets of relays for different victims
- Diverse trust graphs mean attacker must control different sets of services for different victims
#### 3. Censorship
#### 3. Censorship
**Attack**: Powerful relays refuse to attest certain names (e.g., dissidents, competitors).
**Attack**: Powerful registry services refuse to attest certain names (e.g., dissidents, competitors).
**Mitigation**:
**Mitigation**:
- Subjective consensus means each relay has its own trust graph
- Subjective consensus means each registry service has its own trust graph
- Censoring a name requires controlling >51% of *each relay's* trust graph
- Censoring a name requires controlling >51% of *each service's* trust graph
- More difficult than controlling 51% of network-wide consensus
- More difficult than controlling 51% of network-wide consensus
- Users can choose relays aligned with their values
- Users can query different registry services via different relays aligned with their values
#### 4. Name Squatting
#### 4. Name Squatting
@ -373,56 +419,58 @@ New relays should bootstrap their trust graph by:
**Mitigation**:
**Mitigation**:
- Transfer requires cryptographic signature from previous owner (`prev_sig`)
- Transfer requires cryptographic signature from previous owner (`prev_sig`)
- Signature includes timestamp to prevent replay attacks
- Signature includes timestamp to prevent replay attacks
- Invalid signatures cause immediate rejection by honest relays
- Invalid signatures cause immediate rejection by honest registry services
### Privacy Considerations
### Privacy Considerations
- Registration proposals are public (necessary for consensus)
- Registration proposals are public and stored on relays (necessary for consensus)
- Ownership history is permanently visible on relays
- Ownership history is permanently visible on relays storing kind 30100/30102 events
- Trust relationships are public (required for verifiable consensus)
- Trust relationships are public on relays (required for verifiable consensus)
- Clients leaking name queries to relays (similar to DNS privacy issues)
- Clients leaking name queries to relays (similar to DNS privacy issues)
- Mitigation: Use private relays or Tor for sensitive queries
- Mitigation: Use private relays or Tor for sensitive queries
- Registry service attestations are ephemeral but visible during attestation window
- Attestations reveal which services are active and participating
## Discussion
## Discussion
### Trust Graph Bootstrapping
### Trust Graph Bootstrapping
The effectiveness of trust-weighted consensus depends on establishing a healthy trust graph. This presents a chicken-and-egg problem: new relays need trust to participate, but must participate to earn trust.
The effectiveness of trust-weighted consensus depends on establishing a healthy trust graph. This presents a chicken-and-egg problem: new registry services need trust to participate, but must participate to earn trust.
**Proposed bootstrapping strategies:**
**Proposed bootstrapping strategies:**
#### 1. Seed Relay Trust Inheritance
#### 1. Seed Service Trust Inheritance
New relays can inherit trust graphs from established "seed" relays:
New registry services can inherit trust graphs from established "seed" services by fetching their kind 30101 events from relays:
```json
```json
{
{
"kind": 30101,
"kind": 30101,
"tags": [
"tags": [
["inherit", "<seed_relay_pubkey>", "0.8"],
["inherit", "<seed_service_pubkey>", "0.8"],
["inherit", "<seed_relay_pubkey2>", "0.6"]
["inherit", "<seed_service_pubkey2>", "0.6"]
]
]
}
}
```
```
The new relay computes its initial trust graph as a weighted average of the seed relays' graphs. Over time (30-90 days), the relay adjusts trust based on observed behavior.
The new service computes its initial trust graph as a weighted average of the seed services' graphs. Over time (30-90 days), the service adjusts trust based on observed behavior and publishes updated trust graphs to relays.
**Trade-offs:**
**Trade-offs:**
- ✅ Enables immediate participation
- ✅ Enables immediate participation
- ✅ Leverages existing reputation
- ✅ Leverages existing reputation
- ❌ Creates trust concentrations around seed relays
- ❌ Creates trust concentrations around seed services
- ❌ Seed relay compromise affects many descendants
- ❌ Seed service compromise affects many descendants
#### 2. Web of Trust Endorsements
#### 2. Web of Trust Endorsements
Established relay operators can endorse new relays through signed endorsements:
Established registry service operators can endorse new services through signed endorsements (stored on relays):
```json
```json
{
{
"kind": 1100,
"kind": 1100,
"pubkey": "<established_relay_pubkey>",
"pubkey": "<established_service_pubkey>",
"tags": [
"tags": [
["p", "<new_relay_pubkey>"],
["p", "<new_service_pubkey>"],
["endorsement", "verified"],
["endorsement", "verified"],
["duration", "30d"],
["duration", "30d"],
["initial_trust", "0.3"]
["initial_trust", "0.3"]
@ -430,23 +478,23 @@ Established relay operators can endorse new relays through signed endorsements:
}
}
```
```
Other relays consuming this endorsement automatically grant the new relay temporary trust (e.g., 0.3 for 30 days), after which it decays to 0 unless organically reinforced.
Other services consuming this endorsement (from relays) automatically grant the new service temporary trust (e.g., 0.3 for 30 days), after which it decays to 0 unless organically reinforced.
**Trade-offs:**
**Trade-offs:**
- ✅ Decentralized trust building
- ✅ Decentralized trust building
- ✅ Time-limited risk exposure
- ✅ Time-limited risk exposure
- ✅ Organic network growth
- ✅ Organic network growth
- ❌ Slower bootstrap for new relays
- ❌ Slower bootstrap for new services
- ❌ Endorsement spam risk
- ❌ Endorsement spam risk
#### 3. Proof-of-Stake Bootstrap
#### 3. Proof-of-Stake Bootstrap
New relays can stake economic value (e.g., lock tokens in a Bitcoin Lightning channel) to gain initial trust:
New registry services can stake economic value (e.g., lock tokens in a Bitcoin Lightning channel) to gain initial trust. Stake proof events are published to relays:
@ -455,7 +503,7 @@ New relays can stake economic value (e.g., lock tokens in a Bitcoin Lightning ch
}
}
```
```
Relays treat staked relays as having trust proportional to stake amount. Dishonest behavior results in slashing (stake destruction).
Other services fetching these events from relays treat staked services as having trust proportional to stake amount. Dishonest behavior results in slashing (stake destruction).
**Trade-offs:**
**Trade-offs:**
- ✅ Sybil resistant (economic cost)
- ✅ Sybil resistant (economic cost)
@ -467,12 +515,12 @@ Relays treat staked relays as having trust proportional to stake amount. Dishone
#### 4. Proof-of-Work Bootstrap
#### 4. Proof-of-Work Bootstrap
New relays solve computational puzzles to earn temporary trust:
New registry services solve computational puzzles to earn temporary trust. PoW proof events are published to relays:
```json
```json
{
{
"kind": 30104,
"kind": 30104,
"pubkey": "<new_relay_pubkey>",
"pubkey": "<new_service_pubkey>",
"tags": [
"tags": [
["pow", "<nonce>", "24"], // 24-bit difficulty
["pow", "<nonce>", "24"], // 24-bit difficulty
["pow_created", "<timestamp>"]
["pow_created", "<timestamp>"]
@ -491,14 +539,14 @@ Higher difficulty equals higher initial trust. PoW expires after 90 days unless
2. Network partitions (some services missed attestations from relays)
3. Byzantine relays (malicious responses)
3. Byzantine services (malicious responses)
**Conflict resolution strategies:**
**Conflict resolution strategies:**
#### 1. Majority Consensus
#### 1. Majority Consensus
Client queries N relays (recommended N=5) and accepts the majority response:
Client queries kind 30102 events from N relays (recommended N=5) to get name state from different registry services, then accepts the majority response:
mleku
2 months ago