Privacy, Security & Commit-Reveal Mechanism

Reppo’s architecture prioritizes data privacy, user sovereignty, and auditability. The protocol ensures that creators, voters, and subnet operators can coordinate on data quality without exposing sensitive information. Privacy is enforced through both cryptographic voting (commit-reveal) and data-governance controls across subnets.


1. Commit-Reveal Voting (Privacy by Design)

Reppo uses a commit-reveal scheme so that, during emissions and evaluation cycles, no voter can see how others voted before casting their own vote. This removes bandwagon effects, last-mover advantage and other forms of vote manipulation.

  1. Commit Phase

    • Voters generate a hash of their vote combined with a secret salt: commit = hash(vote + salt). The salt must be fresh and random (for example 32 bytes from a CSPRNG): the set of possible votes is small, so with a guessable salt anyone can recover the vote from the published hash by trying each candidate. The commitment should also bind the voter's address and the round identifier, so that a commitment seen on-chain cannot be copied by another voter or replayed in a later round.

    • This commit is published on-chain. Because the salt is secret, no one can infer the vote from the commitment at this stage. The committing wallet itself is visible, so what the scheme hides is the vote, not the voter.

  2. Reveal Phase

    • After the commit window closes, voters reveal both their original vote and salt.

    • The system verifies that hash(vote + salt) matches the earlier commit.

    • Only valid reveals are counted toward results and emissions. A commitment that is never revealed, or whose revealed vote and salt do not reproduce the stored hash, is discarded.

  3. Advantages

    • Prevents early disclosure of results.

    • Ensures votes cannot be changed after committing.

    • Keeps votes hidden from other voters until the reveal window, while the final tally remains publicly verifiable against the on-chain commitments.

Example flow: user → commit("positive", salt123) → hash stored on-chain → later reveals ("positive", salt123) → system recomputes and checks the hash → reward distribution. (salt123 stands in for a random, unguessable salt.)

This process preserves fairness while anchoring a public proof of participation on the blockchain.
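The full round, as an added example that is not Reppo's code and not the page's hash(vote + salt) formula as written: it assumes SHA-256 as the hash, a 32-byte random salt, and a commitment that also binds the round id and the voter address, none of which the page specifies. The round identifiers, wallet names and block heights are constructed for the example. The last two functions show why the salt matters: the naive hash(vote + salt) with a human-chosen salt such as salt123 is recovered by brute force in milliseconds.

```python
"""Commit-reveal round with the verifier-side checks a practitioner wants.

Added example, not Reppo's code. Assumed (none of this is taken from the page):
SHA-256 as the hash, a 32-byte random salt, and a commitment that binds the
round id and the voter address so a commitment cannot be copied or replayed.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _enc(*parts: bytes) -> bytes:
    """Length-prefix every field so "ab"+"c" and "a"+"bc" cannot collide."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def make_commitment(round_id: str, voter: str, vote: str, salt: bytes) -> bytes:
    """commit = H(round_id || voter || vote || salt). Binding the voter makes a
    commitment copied from chain useless to anyone else; binding the round
    stops it being replayed in a later epoch."""
    return hashlib.sha256(
        _enc(round_id.encode(), voter.encode(), vote.encode(), salt)
    ).digest()


def new_salt() -> bytes:
    """256 random bits: the vote space is tiny, so the salt carries all the secrecy."""
    return secrets.token_bytes(32)


@dataclass
class Round:
    round_id: str
    commit_deadline: int   # constructed block heights; any monotonic clock works
    reveal_deadline: int
    commits: dict = field(default_factory=dict)   # voter -> commitment bytes
    reveals: dict = field(default_factory=dict)   # voter -> revealed vote

    def commit(self, voter: str, commitment: bytes, now: int) -> str:
        if now > self.commit_deadline:
            return "rejected: commit window closed"
        if voter in self.commits:          # binding: one commitment, never replaced
            return "rejected: already committed"
        self.commits[voter] = commitment
        return "ok"

    def reveal(self, voter: str, vote: str, salt: bytes, now: int) -> str:
        if now <= self.commit_deadline:    # an early reveal would leak the vote
            return "rejected: reveal window not open"
        if now > self.reveal_deadline:
            return "rejected: reveal window closed"
        committed = self.commits.get(voter)
        if committed is None:
            return "rejected: no commitment from this voter"
        if voter in self.reveals:
            return "rejected: already revealed"
        expected = make_commitment(self.round_id, voter, vote, salt)
        if not secrets.compare_digest(committed, expected):
            return "rejected: reveal does not match commitment"
        self.reveals[voter] = vote
        return "ok"

    def tally(self, now: int) -> dict:
        """Count only valid reveals; unrevealed commitments are discarded."""
        if now <= self.reveal_deadline:
            raise ValueError("reveal window still open")
        counts: dict = {}
        for vote in self.reveals.values():
            counts[vote] = counts.get(vote, 0) + 1
        return counts

    def non_revealers(self) -> list:
        """Voters who committed but never revealed (a deposit/slashing hook would go here)."""
        return sorted(set(self.commits) - set(self.reveals))


# --- why the salt must be random: hash(vote + salt) with a guessable salt ---

def naive_commit(vote: str, salt: str) -> bytes:
    """The scheme exactly as sketched in prose, with a human-chosen salt."""
    return hashlib.sha256((vote + salt).encode()).digest()


def brute_force_naive(commitment: bytes, candidate_votes, max_n: int = 1000):
    """Recover (vote, salt) from a naive commitment by enumerating a small salt space."""
    for vote in candidate_votes:
        for n in range(max_n):
            salt = f"salt{n}"
            if naive_commit(vote, salt) == commitment:
                return vote, salt
    return None
```

A wallet that copies another voter's on-chain commitment is accepted at commit time (the chain cannot tell), but its reveal fails because the commitment binds the original voter's address; a voter who commits and never reveals simply drops out of the tally, which is why production schemes usually attach a deposit to the commitment.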


2. Data Retention and Minimization

  • On-chain data: Only cryptographic proofs, vote hashes, and balances are stored permanently. No human-readable content or PII ever touches the blockchain.

  • Off-chain data: Content and metadata live in distributed storage (e.g., IPFS, Arweave, subnet databases) for the minimum time required for verification or audits.

  • Expiry policy: Once emissions and disputes are settled, off-chain data may be pruned or re-encrypted to remove wallet linkability.


3. Access Controls for Private Subnets

Private subnets allow organizations and creators to maintain full control over sensitive datasets.

  • Role-based access: Subnet owners define who can read, write, and vote. Access is enforced by wallet allowlists or role tokens.

  • Encryption: All private data is encrypted at rest and in transit. Only subnet owners or their delegates hold the decryption keys.

  • Verifiable audits: Each access or update emits a lightweight on-chain proof, ensuring transparency without revealing underlying data.


4. Privacy Standards Alignment

Reppo aligns with major global privacy standards while remaining fully decentralized.

  • GDPR / CCPA principles

    • Data minimization: store only essential metadata on-chain.

    • Right to erasure: subnet owners can rotate or revoke encryption keys to render data inaccessible (crypto-shredding). This only holds if no plaintext copy and no exported key exists outside the subnet's control.

    • Purpose limitation: data gathered for model training can’t be repurposed or resold without new consent.

  • PII boundaries: Personally identifiable information should never be uploaded. Content must be anonymized or pseudonymized before submission.

  • Regional storage: Enterprise subnets can choose regional or jurisdiction-specific storage endpoints to comply with data-localization laws.


5. Security Best Practices

  • Smart contracts are minimal and audited by Pashov Group, reducing attack surfaces.

  • Sensitive operations (vote reveals, key management, encryption) are handled off-chain under cryptographic proof.

  • Reppo supports community bug-bounties and third-party security audits to maintain transparency and trust.

  • Wallet authentication replaces centralized user accounts, ensuring full key custody by participants.


Summary

Reppo’s privacy design balances transparency and confidentiality:

  • Votes are provable, and hidden until they are revealed.

  • Data is verifiable but not exposed.

  • Users retain control of their information.

Together, commit-reveal and strict data-governance principles ensure Reppo remains a trustless yet privacy-preserving network for human feedback and AI data coordination.
