Account logic in ATProto using Trusted Execution Environments
2301 Classroom · Conference Day #1 · 2:30 PM - 3:00 PM PDT

ATProto is fundamentally verifiable: identities have cryptographic keys attached to them, posts are signed, and integrity is upheld by authenticated data structures. This is the core of what enables the trustless, decentralized nature of ATProto.
What if we could go beyond signatures and add verifiable end-to-end logic attached to accounts? We present a recent project, exploring the use of Trusted Execution Environments to manage cryptographic keys that only sign records under specific rules.
We show a couple of examples of possible rules for Bluesky accounts:

  1. One that requires 2-out-of-3 signatures, allowing company and group accounts

  2. Another that uses an LLM to analyze each post before posting

We further discuss how end-to-end verifiability is achieved with TEEs, through reproducible builds and remote attestation.
This project was done with Nick Gerakines, a prominent ATProto contributor, utilizing his recent work on adding attestations to ATProto records.

Cryptography in the service of ATProto

The ATProto ecosystem is maturing and wants to add functionality in a way that preserves its ethos of decentralization and user protection. With an ecosystem of tens of millions of users, these solutions have to be both scalable and secure.
We review work on mutual contact discovery (and discovery in general), identity, anonymous credentials and payments, and different ways to achieve them using advanced cryptography and trusted execution environments.
We discuss the assumptions and trust models the community needs to keep in mind and what is possible to do, and gradual deployment methods to be able to experiment with different ideas.
We hope it can be a call to action to explore these ideas in ATProto more deeply.

More from this room
OAuth Masterclass
9:30 AM - 12:30 PM
Abstracting the Appview Workshop
2:00 PM - 4:00 PM
Chad's workshop dives into AppViews, what they are, how they work, and the different ways to implement them. He'll explore how tools like quickslice can abstract away the complexity so you can stay focused on your Lexicons and UI/UX. We'll also look at additional tools, including Tap, AIP, Constellation, and more, covering approaches from getting started all the way to production. Bring your questions. Many answers are 'it depends', shaped by your specific product and Lexicon design.
Verified Human Users, game changer in the atmosphere
4:00 PM - 5:00 PM
Bots are swarming on most social media, and dominating in some. Social media has become asocial. How can we bring sanity and social exchange back again? W Social makes a strong bet on verified human users, meaning passport scanning in order to get a W Social account. But do we always want to know who is behind every account? We propose a model with a user information firewall. One side knows exactly who each user is, but not which social media account belongs to her. The other knows everything about the user's friends, likes and followers, but not her true identity.
Consuming the ATmosphere
9:30 AM - 12:30 PM
This will be an introductory workshop for developers who may have some JS/TS experience but almost no AT experience, who want to learn how to read posts and other data from the Atmosphere.