Blockchain Privacy
See also
Layer1
Sean Bowe (Zcash), Alessandro Chiesa (UC Berkeley), Matthew Green (Johns Hopkins University), Ian Miers (Cornell Tech), Pratyush Mishra (UC Berkeley), Howard Wu (UC Berkeley)
Zerocash-style cryptocurrency, which provides similar functionality to Bitcoin script while hiding the inputs to the script and the script itself (only stateless computations).
Transaction size: $32m + 32n + 840$ bytes (the transaction stores a 32-byte serial number for each of the $m$ input records and a 32-byte commitment for each of the $n$ output records)
Zhangshuang Guan, Zhiguo Wan, Yang Yang, Yan Zhou, and Butian Huang
Prastudy Fauzi (Simula UiB), Sarah Meiklejohn (UCL), Rebekah Mercer (O(1) Labs), and Claudio Orlandi (Aarhus University)
One-time account model, which solves the ever-growing state problem in Monero and Zcash
Primitive: Updatable public keys
Only DDH assumption, no trusted setup
In the Zether paper: "it suffers from front-running attacks ... and puts additional burden on clients (they have to go through the list of all updated keys to find out which one belongs to them)"
Privacy gadget
ZK Optimistic/ZK Rollup
Benedikt Bünz (Stanford University), Shashank Agrawal, Mahdi Zamani (Visa Research), Dan Boneh (Stanford University)
FC'20, Video @ 2nd ZKProof Workshop. Contribution: Account-based confidential payment on top of Ethereum
Confidentiality: Homomorphic encryption, not Pedersen commitment
ElGamal Encryption of the transfer amount
Rationale: hiding account balances with Pedersen commitments would let a malicious sender withhold the blinding factor, so the receiver could no longer open its own balance commitment
ZK-proof showing that the ciphertexts are well-formed, that they encrypt the same positive value, and that the sender's remaining balance stays non-negative
Propose a new ZK-proof system, called Σ-Bullets (no trusted setup)
Front-running prevention: Additional "temporal" account balance
Extension: 1-of-k anonymity with more complex ZK-proofs
Sender generates $n$ ciphertexts $C_1, \dots, C_n$, one for each member of a group of $n$ users
Sender provides a ZKP showing that all the ciphertexts encrypt 0 ZTH except two of them, which encrypt $b$ ZTH with opposite signs, i.e., $b$ and $-b$
Drawback 1: the size of ZK-proof for a transfer increases linearly with the size of the anonymity set
Drawback 2: Users would be able to do only one transfer or burn transaction per epoch (a few blocks)
Applications: sealed-bid auction, confidential payment channel, confidential stake-voting, and private proof-of-stake
Follow-up: Anonymous Zether (J.P. Morgan)
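Worked example (added here, not code from the Zether paper or its authors): exponential ElGamal, the additively homomorphic encryption Zether uses for balances and transfer amounts, applied with the 1-of-k transfer structure described above. The group parameters, keys and amounts are constructed toy values, and the ZK proof that the $n$ ciphertexts have the claimed structure is omitted.

```python
import random

# Toy safe-prime group: P = 2*Q + 1, G a quadratic residue so it has order Q.
# Constructed parameters for illustration only; they offer no security.
P, Q, G = 2039, 1019, 4
MAX_BAL = 500  # decryption brute-forces the exponent in [-MAX_BAL, MAX_BAL]

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(pk, amount, rng):
    """Exponential ElGamal: (g^amount * pk^r, g^r); a negative amount becomes g^(Q-|amount|)."""
    r = rng.randrange(1, Q)
    return (pow(G, amount % Q, P) * pow(pk, r, P) % P, pow(G, r, P))

def add(ct1, ct2):
    """Componentwise product encrypts the sum of the two plaintexts (the homomorphism)."""
    return (ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P)

def decrypt(sk, ct):
    """Strip pk^r using sk, then search the small exponent range for g^amount."""
    c, d = ct
    g_amount = c * pow(d, Q - sk, P) % P  # d^(Q-sk) == d^(-sk) because d has order Q
    for amount in range(-MAX_BAL, MAX_BAL + 1):
        if pow(G, amount % Q, P) == g_amount:
            return amount
    raise ValueError("amount outside brute-force range")

def anonymous_transfer(pks, sender, receiver, amount, rng):
    """1-of-k transfer: one ciphertext per group member under that member's key, all
    encrypting 0 except the sender's (-amount) and the receiver's (+amount). An observer
    sees n fresh ciphertexts and cannot tell which two are non-zero."""
    plain = {sender: -amount, receiver: amount}
    return [encrypt(pk, plain.get(i, 0), rng) for i, pk in enumerate(pks)]

def demo(seed=1):
    """Four accounts holding 100 ZTH each; account 1 sends 5 ZTH to account 3 in the group."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(4)]
    pks = [pk for _, pk in keys]
    balances = [encrypt(pk, 100, rng) for pk in pks]
    cts = anonymous_transfer(pks, sender=1, receiver=3, amount=5, rng=rng)
    balances = [add(bal, ct) for bal, ct in zip(balances, cts)]  # every account is updated
    return [decrypt(sk, bal) for (sk, _), bal in zip(keys, balances)]

if __name__ == "__main__":
    print(demo())  # [100, 95, 100, 105]
```

Because every member's balance ciphertext is updated, the on-chain view is identical whichever pair inside the group actually transacted; this is also why the per-transfer cost grows with the anonymity set (Drawback 1).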
Antoine Rondelet and Michal Zajac (Clearmatics)
MPC ceremony (w/ Groth16) vs ZoKrates's setup
ZoKrates
SE-SNARK (simulation-extractable SNARK) to prevent man-in-the-middle attacks
Semaphore (Ethereum Foundation)
Applied to MicroMix, a non-custodial and decentralised mixer (see Privacy: Mixing)
Zeropool
Gas payer problem
Related
Privacy-preserving PoS
Thomas Kerber, Aggelos Kiayias, and Markulf Kohlweiss (The University of Edinburgh and IOHK)
A blockchain mechanism that produces a secure structured reference string (SRS)
Security is shown for the exact same conditions under which the blockchain protocol is proven to be secure.
The SRS emanates from the normal operation of the blockchain protocol itself, without the need for additional security assumptions or off-chain computation and/or verification.
Nakamoto-style consensus based on the backbone properties
UC proofs
Ari Juels, Lorenz Breidenbach, Alex Coventry, Sergey Nazarov, Steve Ellis, Brendan Magauran
SBC'20
Netting
Shengjiao Cao, Yuan Yuan (Ant Financial), Angelo De Caro, Karthik Nandakumar, Kaoutar Elkhiyaoui, Yanyan Hu (IBM Research)
Background: Netting in inter-bank payment systems, preventing gridlock due to the lack of liquidity
Correctness: (i) when the sender’s account is debited x dollars, the receiver’s account is credited x dollars; and (ii) participants will not pay more than their current balance plus their allowed credit.
Fairness: should not favor any participant in terms of payment settlement priority, rather it should reach an overall optimal netting strategy, i.e. either the maximum number of instructions settled, or the maximum amount of payments settled.
Contribution: The first netting protocol without any central party that guarantees correctness, fairness and confidentiality (of the payment amounts)
Pedersen commitment of the current balance & payment amount + ZK range proof
Q&A: MPC can also solve the same problem.
Light client
Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan Čapkun (ETH Zurich, NEC Research)
SMR + Secret sharing
Soumya Basu, Alin Tomescu, Ittai Abraham, Dahlia Malkhi, Michael K. Reiter, Emin Gün Sirer
Ricardo Padilha, Fernando Pedone (University of Lugano)
======================
Notes by osuke and Zabeth
Applications
Primitives
Homomorphic Encryption