Blockchain Privacy Preserving Techniques


  1. Blockchain Privacy Preserving Techniques
     XU Cheng <chengxu@comp.hkbu.edu.hk>
     October 12, 2019 @ NDBC 2019
     Department of Computer Science, Hong Kong Baptist University

  2. Blockchain Technology
     • Blockchain: Append-only data structure collectively maintained by a network of (untrusted) nodes
       • Hash chain
       • Consensus
       • Immutability
       • Decentralization
     • A wide range of applications
       • Digital identities
       • Decentralized notary
       • Distributed storage
       • Smart Contracts
     [Figure: Blockchain Structure. Credit: Wikipedia]

  3. Blockchain Technology
     • Blockchain: Append-only data structure collectively maintained by a network of (untrusted) nodes
       • Hash chain
       • Consensus
       • Immutability
       • Decentralization
     • A wide range of applications
       • Digital identities
       • Decentralized notary
       • Distributed storage
       • Smart Contracts
       • · · ·
     [Figure: Blockchain Applications. Credit: FAHM Technology Partners]

  4. Smart Contract
     • A trusted program to execute user-defined computation upon the blockchain
     • Offer trusted storage and computation capabilities
     • Execution integrity is ensured by the consensus protocol
     • Smart Contract reads and writes blockchain data
     • Function as a trusted virtual machine
     [Figure: Traditional vs. Blockchain; labels: Computer, CPU, RAM, VM, Smart Contract, Blockchain, Computation, Storage]

  6. Privacy Issues in Blockchain
     • Blockchain data is public and transparent
       • Cannot store confidential data
       • E.g., health records, bank accounts, business contracts
       • Any interaction with the smart contract is also public
       • Limit the application of blockchain technology
     • Blockchain data is immutable
       • Once data is written into blockchain, it cannot be removed
       • Cannot fulfill the right to be forgotten
       • Incompatible with GDPR
     [Figures. Credits: Gergely Acs; David Alayón]

  8. Strawman Approach
     • Problem: blockchain data is public
     • Strawman Approach
       • Encrypt the data before writing into the blockchain
     • Limitations
       • Smart contract cannot process ciphertext
         • Computation can only be done locally
         • decrypt → process → encrypt
       • Encrypted computation results cannot be publicly verified
       • Access pattern still leaks confidential information
     [Figure credit: Pixabay]

  11. Homomorphic Encryption
     • An encryption technique allows mathematical operations on plaintext to be carried out on ciphertext
     • Enable smart contract to process encrypted data directly
     [Diagram: $m$, $f(m)$, $\mathrm{enc}(m)$, $\mathrm{enc}(f(m))$, with arrows labeled enc, f, eval]
     • State-of-the-art
       • Fully homomorphic encryption: Expressive but high overhead
       • Partial homomorphic encryption: Efficient but limited functions
     • Example of partial homomorphic encryption (ElGamal)
       • $\mathrm{enc}(m) = (g^{y}, m h^{y})$
       • $\mathrm{enc}(m_1) \cdot \mathrm{enc}(m_2) = (g^{y_1 + y_2}, m_1 m_2 h^{y_1 + y_2}) = \mathrm{enc}(m_1 \cdot m_2)$
     Reference: A. Acar et al., “A survey on homomorphic encryption schemes,” ACM Computing Surveys, 2018
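
The ElGamal identity on this slide, run end to end as an added example (not code from the slides or the cited survey). It assumes the usual ElGamal setup in which h = g^sk is the public key, which the slide does not spell out; the toy group and all function names are assumptions made for the demo.

```python
import secrets
from functools import reduce

# Toy group, constructed for this demo only: safe prime P = 2*Q + 1,
# G = 4 generates the subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (sk, h) with public key h = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1              # sk in [1, Q-1]
    return sk, pow(G, sk, P)

def enc(h, m):
    """enc(m) = (g^y, m * h^y) with fresh randomness y, as on the slide."""
    y = secrets.randbelow(Q - 1) + 1
    return pow(G, y, P), (m * pow(h, y, P)) % P

def dec(sk, ct):
    """Recover m = c2 / c1^sk; c1 has order Q, so c1^(Q-sk) = c1^(-sk)."""
    c1, c2 = ct
    return (c2 * pow(c1, Q - sk, P)) % P

def mul(ct_a, ct_b):
    """Component-wise product: enc(m1) * enc(m2) = enc(m1 * m2)."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P

def contract_product(ciphertexts):
    """What a contract could compute: it sees only ciphertexts, never sk."""
    return reduce(mul, ciphertexts)

def demo():
    sk, h = keygen()
    # Constructed sample plaintexts (squares, so they lie in the order-Q subgroup).
    cts = [enc(h, m) for m in (4, 9, 16)]
    product = dec(sk, contract_product(cts))           # 4 * 9 * 16
    wrapped = dec(sk, mul(enc(h, 225), enc(h, 16)))    # 3600 reduced mod P
    return product, wrapped

if __name__ == "__main__":
    print(demo())
```

The second value shows that results are only defined modulo P, and the scheme offers multiplication only, which is the "limited functions" trade-off named on the slide.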

  13. Zero-Knowledge Proofs (ZKP)
     • Zero-Knowledge Proofs allow
       • Publicly verify some statement
       • Leak no information beyond the statement itself (e.g., internal states, private inputs, etc.)
     • zk-SNARKs (Zero-Knowledge Succinct Non-Interactive ARguments of Knowledge)
       • Zero-Knowledge: the verifier learns nothing apart from the validity of the statement
       • Succinct: the size of the message is tiny in comparison to the length of the actual computation
       • Non-interactive: there is no or only little interaction
       • Arguments: the verifier is only protected against computationally limited provers
     [Figure credit: Vitalik Buterin]
     Reference: A. Kosba et al., “Hawk: The blockchain model of cryptography and privacy-preserving smart contracts,” in IEEE S&P, 2016

  16. zk-SNARKs
     Program:
     • A program can be viewed as C(x, w) -> {0, 1}.
       • x is the public input.
       • w is the secret witness input.
     Example:
         function C(x, w) { return sha256(w) == x; }
     zk-SNARKs:
     • zk-SNARKs consist of a tuple of PPT algorithms (KeyGen, Prove, Verify)
       • $\mathrm{KeyGen}(1^{\lambda}, C) \to (pk, vk)$: Generate proving key pk and verification key vk for program C.
       • $\mathrm{Prove}(pk, x, w) \to \pi$: Generate the proof $\pi$ w.r.t. pk, x, w.
       • $\mathrm{Verify}(vk, x, \pi) \to \{0, 1\}$: Output 1 iff $\exists\, w$ s.t. $C(x, w) = 1$.
     Reference: B. Parno et al., “Pinocchio: Nearly practical verifiable computation,” in IEEE S&P, 2013
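
To make the Prove/Verify interface and the split between public input x and secret witness w concrete, here is an added example (not from the slides or the cited papers): a Schnorr non-interactive proof for the single relation C(x, w): g^w = x. It is not a zk-SNARK, since it has no KeyGen and cannot prove the sha256 program above; the toy group and the function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this demo only: safe prime P = 2*Q + 1,
# G = 4 has prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def C(x, w):
    """The relation being proved: x is public, w is the secret witness."""
    return pow(G, w, P) == x

def challenge(x, t):
    """Fiat-Shamir: derive the challenge by hashing the statement and commitment."""
    data = f"{P}|{Q}|{G}|{x}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x, w):
    """Return pi = (t, s); s is masked by the one-time random r, hiding w."""
    if not C(x, w):
        raise ValueError("witness does not satisfy C(x, w)")
    r = secrets.randbelow(Q)
    t = pow(G, r, P)                       # commitment
    s = (r + challenge(x, t) * w) % Q      # response
    return t, s

def verify(x, proof):
    """Return 1 iff g^s == t * x^c, using public values only."""
    t, s = proof
    for v in (x, t):                       # both must lie in the order-Q subgroup
        if not 0 < v < P or pow(v, Q, P) != 1:
            return 0
    if not 0 <= s < Q:
        return 0
    c = challenge(x, t)
    return int(pow(G, s, P) == (t * pow(x, c, P)) % P)

def demo():
    w = 777                                # constructed sample witness
    x = pow(G, w, P)                       # public statement
    t, s = prove(x, w)
    tampered = (t, (s + 1) % Q)
    return verify(x, (t, s)), verify(x, tampered)

if __name__ == "__main__":
    print(demo())
```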
