Onion-Routed Shipments
- Introduction and Some Preliminaries
- The Onion Packing Slip
- Clearnet vs “Hidden Service” Shipping
- Role of Arbiters and Incentives for Relay Operators
- Could this work without arbiters?
- The Potential
- Appendix 1: Should this be a DAO?
- Appendix 2: Some Acronym Ideas
Introduction and Some Preliminaries
Here we propose a system for the onion-routed distribution of physical goods.
Alice wants to send a package to Zed. To do so, they collectively construct a “circuit”, similar to Tor, of service providers. These providers could be sourced from and have independent arbitration agreements as specified in protocols like Catallax. I will refer to elements of the Catallax protocol in the following. In this example, Bob, Carly and Doug are chosen as the relay chain for the package.
Alice (the Consignor) has a package that gets routed through Bob, Carly and Doug before reaching Zed (the Consignee):
| Consignor | Relay 1 | Relay 2 | Relay 3 | Consignee |
|---|---|---|---|---|
| Alice ➡ | Bob ➡ | Carly ➡ | Doug ➡ | Zed |
The Onion Packing Slip
This is a set of nested, encrypted secrets, along with the shipping information of the next shipper that is printed and physically inserted into the package at the beginning of the shipment (by Alice).
Each level of nesting is encrypted with the recipient’s public key. It contains a secret, which could be a colorful icon (blue walrus, green hippo, etc), a seed phrase, a nonce, a QR code, or similar. These secrets are constructed once for each relay chain between Alice and Zed, and shared only with the arbiters for each shipping link.
So in Alice’s initial package she inserts a physically printed message encrypted to Bob’s public key with the following:
- A secret for Bob (his proof of receipt)
- Carly’s shipping information (the next link in the relay chain)
Ciphertext encrypted with Carly's public key
Bob then transmits his received secret to the arbiter (assuming the Catallax protocol or something like it). This proves he received the package from Alice, but his job is not done yet. Now, he takes #3 in the above, the encrypted message for Carly, and sends it to her as a physically printed message with the package.
Now Carly decrypts the message with her private key, and she sees:
- A secret for Carly (her proof of receipt)
- Doug’s shipping information (the next link in the relay chain)
Ciphertext encrypted with Doug's public key
Once Carly receives the package, she performs a similar procedure, reports her secret to the arbiter, and then Bob gets paid. She then forwards the package to the next link of the relay chain, and so it goes until it arrives at Zed.
The design of the system is so that the Nth relay operator is required to both prove that they physically received the package (which pays the N-1th relay), and have the N+1th relay in turn prove they received the package, before N gets paid.
Clearnet vs “Hidden Service” Shipping
In the above example, Alice knows Zed’s shipping information1 and they form the entire shipping relay chain together, but this isn’t strictly necessary. Zed could, for instance, decide on “guard” shippers. In this way, Alice would only know the first N (>= 1) hops before reaching Zed. In doing so, Zed would protect his address from being revealed to Alice.
How does he do this? In the previous example, as the Onion packing slip is formed, Zed doesn’t have to reveal his shipping information to anyone except for Doug (the last link in the relay chain). Then, Zed’s address is protected in a message that only Doug can decrypt, which in turn is encrypted with Carly’s public key, and so on.
The relay could be formed with Alice knowing as little as the 1st shipping link in the chain. Afterwards, Zed might have N hops, as many as he wishes. Presumably more hops will lead to greater risk of package loss (and increased cost), so Zed will have to balance this against his desire for privacy and anonymity.
Role of Arbiters and Incentives for Relay Operators
Here I will propose some kind of arbitration system for each link in the shipping relay chain. The arbiters technically don’t need to know one another, but do need to have communication with at least 2 links in the relay chain. This is where the role of the “secrets” distributed in the onion packing slip comes in. These secrets prove that each link in the relay chain (Bob, Carly and Doug) has received the package.
A shipper in the relay chain is only paid when they (a) report their secret to the arbiter, and (b) the next shipper does the same, in that sequence.
So let’s say John is the arbiter for the shipment between Bob and Carly. Bob needs to first (a) report his secret to John, who knows it in advance based on his previous coordination with Alice and/or Zed. This proves Bob has physically received the goods, but he can’t (or shouldn’t) be paid yet until there is proof that he actually sends the goods to Carly and she successfully receives them. So the arbiter (John) has to receive the secret from Carly as well, which completes the transaction.
What if Bob and Carly decide to cheat? Since they might have contact information for one another, they could in principle collude to steal the goods. For instance, if Bob (say) takes a picture of his encrypted onion packing slip and sends it to Carly digitally, she could decrypt it herself, and then both Bob and Carly would show their secrets to the arbiter (John), which would trigger John’s payment. Bob now has now both stolen the goods, and taken the fee for himself.
Aside from the hit from whatever reputation market this might entail for the participants, there is one other problem: Carly is also engaged in a separate agreement to ship to Doug. If he (Doug) doesn’t receive the goods, Carly won’t get paid. So this scenario is seen as unlikely.
Could this work without arbiters?
I initially thought this would work with some complex version of multisig / P2SH Bitcoin transactions, but now I’m not so sure. The issue is constructing a payment chain where the Nth relay operator is properly incentivized to (a) sign the transaction that funds the N-1th operator, (b) have a reasonable assurance that if she ships to the N+1th relay she will get paid, and (c) not be able to collude with N+1 to steal the entire shipping budget.
So far I haven’t been able to figure out how to make that work using current Bitcoin technology. If you have an idea, let me know in the comments!
The Potential
Trust Minimized Double-Blind Shipping
It should be noted though in contrast to how the Silk Road operated in which individual buyers were required to disclose their actual address to sellers to receive their goods, in this case, nobody needs to know any of that. In the example above, Alice and Zed don’t need to know one another’s addresses, real names, or shipping information for any of this to work.
Transport-Agnosticism
Individual relay operators can specify shipping (transport) mechanisms that aren’t necessarily conventional shipments, as in the aforementioned dead-drops. Delivery methods could be drone, submarine, carrier pigeon, etc…
The “conventional” vs “unconventional” spectrum of delivery arrangements could be calibrated based on the risk-reward calculations of individual actors in the system; however, it should be noted that even contemporary Darknet markets tend to utilize national post systems and this seems to work for their purposes.
Atomization of Commodities and Assembled Parts
Depending on the severity of the trade restriction regime, it might be possible to “atomize” finished goods into smaller parts, then distribute these parts across 10’s, 100’s, or even 1000’s of separate shipments, to be re-assembled behind trade barriers. This is similar in some ways to contemporary strategies for tariff avoidance, but could operate with a much broader scope and scale, due to the potential for Bitcoin-based microtransactions and the general “composability” of software.
For instance, take the case of steel: a large enough tariff would incentive a system where rather than trying to ship a large bar of steel across the border, the shipment was “atomized” into 100’s of billets that could be carried in 100’s of people in personal luggage. These would then be concentrated and melted down at the destination. This would be an almost impossible coordination task for conventional tariff avoidance strategies, but such an automated system of Bitcoin-powered payments could make it possible.
Similar strategies could be employed for a variety of finished products: A motherboard here, a piece of glass there; disassembled at the point of origin, sent across the network as nigh-untraceable “packets”, and then re-assembled at their destination.
Appendix 1: Should this be a DAO?
The concept of the decentralized autonomous organization (DAO) is very tempting here. A DAO could, in principle, securely store the information of all parties, distribute that information (for instance the N+1th relay operator’s shipping info to the Nth once the latter confirms receipt), handle payments, perform routing, and deal with edge-case failures.
However, this would require an alternative Blockchain to Bitcoin, potentially Ethereum. This might or might not be a problem depending on the robustness of the network and sensitivity to State actor attack.
Perhaps a sufficiently designed script-based system in Bitcoin could handle all this, especially if (for instance) instead of 2-of-2 transactions we employ 2-of-3 where the 3rd part is an arbiter in case things go wrong.
Appendix 2: Some Acronym Ideas
Decentralized Autonomous Shipment Router –> DASHer
(This was more relevant when I thought this entire thing needed to be a DAO, which I’m not 100% convinced of anymore.)
Decentralized Onion Routing of Stuff –> DOoRS
Your ideas?
I am using “shipping information” rather than, say, postal address because the means of shipping might include things like drone delivery, dead drops, carrier pigeon, etc. ↩