Threshold Access Control (TACo)
  • What is TACo?
    • How TACo works
    • Value Propositions
  • Use cases
    • Seed phrase recovery & transfer
    • Digital Rights Management for on-chain assets
    • Trustless channels for journalists, archivists & whistleblowers
    • Crowdsourcing real-world data with trustless contribution
  • Quickstart (Testnet)
  • Integrate TACo into apps
    • Testnets
    • Mainnet Access
    • Mainnet Deployment
  • Ecosystem Integrations
    • OrbisDB
    • Waku
    • Irys
    • ComposeDB
    • Turbo
  • Encrypt & Decrypt API
  • Authentication
    • Condition Context
  • Access Control
    • TimeCondition
    • RpcCondition
    • ContractCondition
      • Use custom contract calls
      • Implement access revocation via smart contract
    • CompoundCondition
    • WIP / Feature Requests
      • SequentialCondition
      • IfThenElseCondition
      • JSON Endpoint Conditions
        • JsonApiCondition
        • JsonRpcCondition
      • OAuth
      • Any (Major) EVM Chain Condition Support
  • Fees & Allowlists
    • Mainnet Fees
    • Encryptor Allowlist
  • Trust Assumptions
    • Mainnet Trust Disclosure (Provider Answers)
    • Mainnet Trust Model Foundation
    • Trust levers & parameter packages
  • Architecture
    • Porter
    • Contract Addresses
  • Extensions
  • API References
  • Threshold Community
  • NODE OPERATOR
    • Duties, Compensation & Penalties
    • Minimum System Requirements
    • Stake Authorization
    • Run a TACo Node with Docker
    • TACo Node Management
    • TACo Node Recovery
Powered by GitBook
On this page
  • Use case ideas
  • Example application & repo
  • Integration steps
  • 1. Installation & dependencies
  • 2. Define access condition & encrypt the data
  • 3. Connect to Irys & store the data
  • 4. Retrieve & decrypt the data
  • Using Irys & TACo in production
  1. Ecosystem Integrations

Irys

This three-step guide explains how to integrate TACo with Irys, thereby enabling end-users to flexibly share/access encrypted data uploaded to permanent storage on Arweave. There are plenty of reasons to combine these technologies. Irys's sub-millisecond upload & data egress can be parallelized with TACo's low-latency decryption flow, ensuring rapid access to shared data. Provenance features like transaction receipts and cryptographic proof-of-time are fully compatible with TACo and are equally (or arguably more) important for sensitive information and messages. Broadly, integrating Irys & TACo offers long-term sovereignty to end-users – i.e. that their private data will remain accessible to qualifying devices forever.

Use case ideas

  • Governance. Generate tamper-proof, timestamped records of voting activity, enhancing transparency and reducing trust assumptions.

  • Connected Vehicles. Store sensitive real-time vehicle diagnostics and geolocation data, such that the data stream is instantly available when required (e.g. while driving) but not leaked beyond known and legitimate recipients (e.g. a smart city traffic system).

  • Private NFTs. Move beyond the status quo of symbolic receipts stored on centralized platforms, to a world where one owns the decryption rights to a movie, track, in-game asset, or piece of art – trustlessly and in perpetuity.

Example application & repo

Check out this token-gated photo album, an intuitive mini-app that demonstrates the power and simplicity of using Irys & TACo in concert. Images are encrypted via the TACo API and stored on-chain via Irys. To view the images, users must prove they hold special-purpose NFT.

Integration steps

1. Installation & dependencies

yarn add @nucypher/taco
yarn add @nucypher/taco-auth
yarn add @irys/sdk

2. Define access condition & encrypt the data

First, we initialize the taco-web library.

As the data producer, we create an access condition. Here we use the simple condition ownsNFT – data consumers must prove ownership of a specific ERC-721 NFT in order to gain decryption material pertaining to the encrypted message. More on condition types here. We encrypt the message using the ownsNFT condition, specifying the aforementioned testnet domain and ritualID, and a standard web3 provider/signer. The output of this function is a messageKit – a payload containing both the encrypted data and embedded condition metadata necessary for a qualifying data consumer to decrypt the message. Finally, we convert the messageKitto a hex string format, which will help us upload it via Irys in a single transaction.

import { encrypt, conditions, domains, initialize, toHexString } from '@nucypher/taco';
import { ethers } from "ethers";

// We have to initialize the TACo library first
await initialize();

const web3Provider = new ethers.providers.Web3Provider(window.ethereum);

const ownsNFT = new conditions.predefined.erc721.ERC721Ownership({
  contractAddress: '0x1e988ba4692e52Bc50b375bcC8585b95c48AaD77',
  parameters: [3591],
  chain: 11155111,
});
const ritualId = 6

const message = "this will be here forever";

const messageKit = await encrypt(
  web3Provider,
  domains.TESTNET,
  message,
  ownsNFT,
  ritualId,
  web3Provider.getSigner() 
);
const encryptedMessageHex = toHexString(messageKit.toBytes());

This guide utilizes the parameters ritualId = 6 and domains.TESTNET. These refer to an open DKG public key and hacker-facing stable testnet respectively. Although fully functional and up-to-date with Mainnet, this development environment is not decentralized and unsuitable for real-world sensitive data. For more information, see the trust assumptions section.

3. Connect to Irys & store the data

First, we connect to an Irys Devnet node. This requires funding a wallet with any of the devnet tokens supported by Irys. In this example, we're using Polygon (Amoy) MATIC.

The Irys Devnet is for testing purposes only. It is not decentralized and data will only remain on Irys servers for ~60 days. See the final section on using TACo & Irys in production.

We then construct a single JSON object from the encryptedMessageHex. We can now upload the encrypted data to Arweave, which will be retrievable once an Irys gateway has indexed the data. This is identifiable via the receiptID, which is provided to the data consumer via a side-channel.

import { WebIrys } from '@irys/sdk';

const token = 'matic';
const network = 'devnet';
const wallet = { rpcUrl: https://rpc-amoy.polygon.technology/, name: 'ethersv5', web3Provider };
const webIrys = new WebIrys({ network, token, wallet });

await webIrys.ready();

const dataToUpload = JSON.stringify(encryptedMessageHex);
const receipt = await webIrys.upload(dataToUpload);

console.log(`Data uploaded ==> https://gateway.irys.xyz/${receipt.id}`);

4. Retrieve & decrypt the data

From the data consumer's perspective, we now use the receiptID to find and retrieve the encrypted payload via an Irys gateway. Note that the same data identifier works with Arweave gateways.

Finally, we prove we own a wallet that this wallet holds the correct NFT, retrieve fragments of decryption material from TACo nodes, assemble these fragments locally, and decrypt the payload. All of these steps are contained in the decrypt() function below.

import { conditions, decrypt, ThresholdMessageKit } from '@nucypher/taco';
import { EIP4361AuthProvider, USER_ADDRESS_PARAM_DEFAULT } from '@nucypher/taco-auth';

const response = await fetch(`https://gateway.irys.xyz/${receipt.id}`);
const dataJson = await response.text();
const encryptedMessage = ThresholdMessageKit.fromBytes(
  Buffer.from(JSON.parse(dataJson), 'hex'),
);

// auth provider when condition contains ":userAddress" context variable
// the decryptor user must provide a signature to prove ownership of the wallet address
const authProvider = new EIP4361AuthProvider(
  web3Provider,
  web3Provider.getSigner(),
);
const conditionContext =
  conditions.context.ConditionContext.fromMessageKit(encryptedMessage);
conditionContext.addAuthProvider(USER_ADDRESS_PARAM_DEFAULT, authProvider);

const decryptedMessage = await decrypt(
  web3Provider,
  domains.TESTNET,
  encryptedMessage,
  conditionContext,
);

console.log(decryptedMessage);

Using Irys & TACo in production

As noted, the parameters specified in this guide are for testing and hacking only. For real-world use cases where uploaded data should remain private & permanent, production versions of Irys & TACo are required:

  • For Irys, connect to a Mainnet Node rather than a Devnet node. This requires a wallet funded with any of the supported Mainnet payment tokens.

  • For TACo, a funded Mainnet ritualID is required – this connects the encrypt/decrypt API to a cohort of independently operated nodes and corresponds to a DKG public key generated by independent parties. A dedicated ritualID for Irys + TACo projects will be sponsored soon. Watch for updates here or in the Discord #taco channel.

PreviousWakuNextComposeDB

Last updated 17 days ago