Account Logic in ATProto
using Trusted Execution Environments

Kobi Gurkan · Bain Capital Crypto

Accounts in ATProto

Each user (DID) has a repo signing key managed by their PDS

Records (= posts) are authenticated cryptographically

"This DID agreed for this record to be published"

End-to-end verifiability — anyone can verify this guarantee

Can it be more expressive?

"Verified to be non-toxic using a local LLM"

"Contains images that have come from real cameras"

"Signed by 2 out of 3 approved signers of the org"

"Bot with a given system prompt"

What if we attach logic to record authorization?

Limitations of Signing

// proves

Key ownership

"DID agreed to publish this"

// cannot prove

That specific logic was executed

"DID ran this program before signing"

Adds trust assumptions on the signer, or subjectivity

Trusted Execution Environments

Guarantee what code is running

All the way down to base OS, program source, reproducible builds

Add a trust assumption on the TEE provider

If you trust the TEE infrastructure → you can trust the execution of the logic

Key Encumbrance

A key whose private key is only known to a TEE

Signing only happens under specific conditions

The key is tied to a program

Verify the TEE setup once → each signature implies program execution

Verifiability all the way down

Root certificate → this is the correct hardware

Proof of program + arguments → this is the expected logic

Signatures by the encumbered key → the logic agrees with the arguments

Assuming some verify the proofs, everyone else can trust signatures

How to know what keys that DID approved?

did:web

Whatever is published

did:plc

Verify the DID hash chain from the directory

Audit Log

      Loading audit log...
    

plc.directory audit log

What Key to Encumber?

#atproto key

Repo signing key

Controls the entire repository

Signs all the records

Native

#sign key

Proof attestation key

Only signs attestations on records

Requires extra verification infrastructure

Proof of Concept

Signer 3 is offline. Scroll ↓ to advance.

bsky.app/profile/bsat-author.bsky.social

The TEE Program

Receive post draft containing the signatures

Verify the PLC audit log hashchain

Get the co-signer keys

Verify 2-of-3 signatures against the CID

Sign the CID with the encumbered key

What does the post look like?

      Loading post...
    

Reproducible builds

Take code in C/Rust/whatever

Have an environment that is stable and the toolchain doesn't let things like timestamps affect it

You get a binary — hash it

Anyone can rebuild and verify independently

Live Verification

Other Methods

// MPC

Honest majority must agree that the logic executed correctly

Transparent, still just signatures

// ZK proofs

Prove that the program on given inputs resulted in claimed outputs

Requires verifying ZKPs instead of just signatures

Open questions

Protecting the DID itself

Freshness of DID hashchain

Many other things :)

Account Logic in ATProtousing Trusted Execution Environments