berkeley cs276 & mit 6
TRANSCRIPT
Berkeley CS276 & MIT 6.875
Specialized homomorphic encryption, commitments and
applications
Lecturer: Raluca Ada Popa
Announcementsβ’ Starting to record
Specialized/partial homomorphic encryption
β’ An encryption scheme that is homomorphic with respect to a specific function, and cannot compute arbitrary functions like FHE
β’ Usually faster than FHE due to specialization (but not always)
3
El Gamal encryption (1985)
A semantically secure public-key encryption scheme
4
Enc(ππ,π):- Choose random 0 β€ π β€ π β 2- Output (π!πππ π,π Γ ππ! πππ π)
Dec π π, π!, π" :- Output π"π#$%& πππ π
π!π"#$% = π ππ& π#&$% = π π$% &π#& $% =π
π β [1, π β 1] Why?
How to decrypt?
Setup(1)): -Generate large prime π of size π-Choose generator 1 < π < π β 1-Output (π, π)
KeyGen(1)): - Choose random 0 β€ sk β€ π β 2-Let ππ = π%& πππ π-Output (π π, ππ)
DDH assumption
5
Enc(ππ,π):- Choose random 0 β€ π β€ π β 2- Output (π!πππ π,π Γ ππ! πππ π)
Diffie-Hellman key exchange in disguise + used as one time pad
Semantic security relies on the Decisional Diffie Hellman assumption:For all nonuniform PPT A,
| Pr π, π β πππ‘π’π 1% ; π, π β 0, π β 2 , π΄ π, π, π' , π( , πππ = 1 βPr π, π β πππ‘π’π 1% ; π, π, π β 0, π β 2 , π΄ π, π, π' , π( , ππ = 1 | < ππππ(π)
Proof of security
6
Decisional Diffie Hellman assumption: β nonuniform PPT π΄, | Pr π, π β πππ‘π’π 1% ; π, π β 0, π β 2 , π΄ π, π, π' , π( , πππ = 1 β
Pr π, π β πππ‘π’π 1% ; π, π, π β 0, π β 2 , π΄ π, π, π' , π( , ππ = 1 | < ππππ(π)
Claim: If DDH holds, El Gamal is semantically secure.
Proof: Assume π΄ can break El Gamalβs security, letβs show that π΅can break DDH. π΅ must distinguish between π' , π( , π'( and π' , π( , π,
π΄ can distinguish between π$% , π& , π- π$%& and π$% , π& , π"π$% &
B feeds π'( or π, times π( to A for π random. If it is π,, A cannot guess, else A guesses correctly.
Other partially homomorphic encryption schemes
7
Scheme Homomorphism
Goldwasser-Micaliβ82 XOR
Paillierβ99 +
Boneh-Goh-Nissimβ05 +, then one *, then +based on bilinear maps
PHE/SHE (partially homomorphic encryption)
Some polynomial
Recall: commitments
8
Pedersen commitmentSetup (1&) - at the receiver:
β select large primes π and π of size π such that π divides π β 1β select a generator π of the order-π subgroup of π'β
β generate randomly π β π)β let β = πππππ πβ output (π, β, π)
Commit(π, β, π, π₯) - by the sender: - choose random π β ππ- output ππππ = ππ₯βππππ πReveal - by the sender: - send π₯ and π to receiver - the receiver verifies that ππππ = ππ₯βππππ π and accepts if so, else rejects
9
Perfectly hidingCommit(π, β, π, π₯) - by the sender: - choose random π β ππ- output ππππ = ππ₯βππππ π
β’ For a commitment ππππ, every π₯ could have been committed to in ππππ
β’ Given π₯, π and any π₯β, βπβ such that ππ₯βπ = ππ₯ββπβπβ = π₯ β π₯β π!" + π πππ π
10
Computationally bindingβ’ Assume the sender can find π₯β, πβ, s.t π₯C β π₯ and
ππππ = πD βE= πD!βE!
β’ β = πππππ π implies π₯ + ππ = π₯β + ππβ πππ πβ’ The sender can compute π = π₯β β π₯ π β πβ F!
=> Sender solved discrete logarithm of h base g!!
11
Commit(π, β, π, π₯) - by the sender: - choose random π β ππ- output ππππ(π₯, π) = ππ₯βππππ π
12
Why is Pedersen homomorphic?
ππππ π₯", π" β ππππ π₯!, π! = π2!32"β&!3&" πππ π
The sender reveals this commitment by showing π₯" + π₯! and π" + π!
Application: zkLedgerβ’ Privacy-preserving auditing for distributed ledgersβ’ A cryptographic system built out of:
β Pedersen commitments and their homomorphismβ Zero-knowledge proofs
13
[Narula-Wasquez-Virzaβ18]
First: the use case
(all cryptographic systems should have a use case)
14
Structure of the financial system
15
JP Morgan Citibank Bank of America
Credit Suisse Barclays UBS
HSBC Wells Fargo BNY Mellon
β’ Dozens of large investment banks
β’ Trading:β Securitiesβ Currenciesβ Commoditiesβ Derivatives
β’ Trillions of dollars
Goldman Sachs
Deutsche Bank
Morgan Stanley
Financial Investments Regulatory Authority on OTC markets
zkLedger slides adapted from Neha Narula
A ledger records financial transactions
16
ID Asset From To Amount90 $ Citibank Goldman Sachs 1,000,00091 β¬ JP Morgan UBS 200,00092 β¬ JP Morgan Barclays 3,000,000
sig
sig
sig
JP MorganCitibank Barclays
Assume a trusted ledger: append-only, immutable, consistent & visible to everyone
Can verify important financial invariants
17
ID Asset From To Amount90 $ Citibank Goldman Sachs 1,000,00091 β¬ JP Morgan UBS 200,00092 β¬ JP Morgan Barclays 3,000,000
Consent to transferHas assets to transferAssets neither created nor destroyed
Verify
sig
sig
sig
Examining ledger
Banks care about privacy
18
Trades reveal sensitive strategy information
Verifying invariants are maintained with privacy
19
ID Asset From To Amount90 $ Citibank Goldman Sachs 1,000,00091 β¬ JP Morgan UBS 200,00092 β¬ JP Morgan Barclays 3,000,000
Consent to transferHas assets to transferAssets neither created nor destroyed
Verify
sig
sig
sig
Verifying invariants are maintained with privacy
20
ID Asset From, To, Amount90 $91 β¬92 β¬
Consent to transferHas assets to transferAssets neither created nor destroyed
Zerocash (zk-SNARKs) [S&P 2014]Solidus (PVORM) [CCS 2017]
Verify
ProblemRegulators need insight into markets to maintain financial stability and protect investors
Participants would like to measure counterparty risk
21
β’ Leverageβ’ Exposureβ’ Overall market concentration
How to confidently audit banks to determine risk?
22
What fraction of your assets are
in Euros?
3 million / 100 million
How exposed is this bank to a
drop in the Euro? ???
Auditor
zkLedgerA private, auditable transaction ledger
β’ Privacy: Hides transacting banks and amountsβ’ Integrity with public verification: Everyone can
verify transactions are well-formedβ’ Auditing: Compute provably-correct linear functions
over transactions
23
Outlineβ’ System & threat modelβ’ zkLedger designβ Pedersen commitmentsβ Ledger table formatβ Zero-knowledge proofs
β’ Evaluation24
Outlineβ’ System & threat modelβ’ zkLedger designβ Pedersen commitmentsβ Ledger table formatβ Zero-knowledge proofs
β’ Evaluation25
zkLedger system model
26
ID Asset Transaction details1 $2 β¬3 β¬
An auditor can obtain correct answers on ledger contents
27
ID Asset Transaction details1 $2 β¬3 β¬
Auditor
What fraction of your assets are
in Euros?
Ο
3 million / 100 million
Measurements zkLedger supportsβ’ Ratios and percentages of holdingsβ’ Sums, averages, variance, skewβ’ Outliersβ’ Approximations and orders of magnitudeβ’ Changes over timeβ’ Well-known financial risk measurements (Herfindahl-
Hirschmann index)
28
Security goals
β’ The auditor and non-involved parties cannot seetransaction participants or amounts
β’ Banks cannot lie to the auditor or omit transactions
β’ Banks cannot violate financial invariantsβ Honest banks can always convince the auditor of a correct
answer
β’ A malicious bank cannot block other banks from transacting
29
Threat modelBanks might attempt to steal or hide assets, manipulate balances, or lie to the auditorBanks can arbitrarily colludeBanks or the auditor might try to learn transaction contents
Out of scope: A ledger that omits transactions or is unavailableAn adversary watching network trafficBanks leaking their own transactions
30
Outlineβ’ System & threat modelβ’ zkLedger designβ Pedersen commitmentsβ Ledger table formatβ Zero-knowledge proofs
β’ Evaluation31
Example public transaction ledger
32
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30,000,000
2 β¬ Goldman Sachs JP Morgan 10,000,000
3 β¬ JP Morgan Barclays 1,000,000
4 β¬ JP Morgan Barclays 2,000,000
Depositor injects assets to the ledger
33
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30,000,000
2 β¬ Goldman Sachs JP Morgan 10,000,000
3 β¬ JP Morgan Barclays 1,000,000
4 β¬ JP Morgan Barclays 2,000,000
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30,000,000
2 β¬ Goldman Sachs JP Morgan 10,000,000
3 β¬ JP Morgan Barclays 1,000,000
4 β¬ JP Morgan Barclays 2,000,000
Goals: auditing + privacy
34
Goals:β’ Provably audit Barclays to find Euro holdingsβ’ Hide participants, amounts, and transaction graph
Hide amounts with commitments
35
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30M
2 β¬ Goldman Sachs JP Morgan comm(10M)
3 β¬ JP Morgan Barclays comm(1M)
4 β¬ JP Morgan Barclays comm(2M)
= comm(13M)
ΓΓ
Hide participants with other techniques
36
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30M
2 β¬ Goldman Sachs JP Morgan comm(10M)
3 β¬ JP Morgan Barclays comm(1M)
4 β¬ JP Morgan Barclays comm(2M)
Strawman: audit by opening up combined commitments
37
How many Euros do you hold?
3 millionBarclays
Open comm(1M) Γ comm(2M) to 3M
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30M
2 β¬ Goldman Sachs JP Morgan comm(10M)
3 β¬ JP Morgan Barclays comm(1M)
4 β¬ JP Morgan Barclays comm(2M)
AuditorReveals transactions
Problems?
How many Euros do you hold?
1 millionBarclays
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30M
2 β¬ Goldman Sachs JP Morgan comm(10M)
3 β¬ JP Morgan Barclays comm(1M)
4 β¬ JP Morgan Barclays comm(2M)
Auditor
A malicious bank could omit transactions
38Open comm(1M) to 1M
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30M
2 β¬ Goldman Sachs JP Morgan comm(10M)
3 β¬ JP Morgan Barclays comm(1M)
4 β¬ JP Morgan Barclays comm(2M)
A malicious bank could omit transactions
39
zkLedger design: an entry for every bank in every transaction
40
ID Asset Goldman Sachs JP Morgan Barclays
1 β¬ Depositor, Goldman Sachs, 30M
2 β¬ comm(-10M) comm(10M) comm(0)
3 β¬ comm(0) comm(-1M) comm(1M)
4 β¬ comm(0) comm(-2M) comm(2M)
Spenderβs column commits to negative value, receiverβs positive valueFor non-involved banks, entries commit to 0
Indistinguishable from commitments to non-zero values
Depositor transactions are public
Key insight: auditor audits every transaction
41
How many Euros do you hold?
Barclays
ID Asset Goldman Sachs JP Morgan Barclays
1 β¬ Depositor, Goldman Sachs, 30M
2 β¬ comm(-10M) comm(10M) comm(0)
3 β¬ comm(0) comm(-1M) comm(1M)
4 β¬ comm(0) comm(-2M) comm(2M)
3 million
Open [ comm(0) Γ comm(1M) Γ comm(2M)] to 3M
Auditor
A malicious bank canβt produce a proof for a different answer
42
How many Euros do you hold?
Barclays
ID Asset Goldman Sachs JP Morgan Barclays
1 β¬ Depositor, Goldman Sachs, 30M
2 β¬ comm(-10M) comm(10M) comm(0)
3 β¬ comm(0) comm(-1M) comm(1M)
4 β¬ comm(0) comm(-2M) comm(2M)
Open comm(1M)to 1M
1 million
Auditor
Security goals
β’ The auditor and non-involved parties cannot seetransaction participants, amounts, or transaction graph
β’ Banks cannot lie to the auditor or omit transactions
β’ Banks cannot violate financial invariantsβ Honest banks can always convince the auditor of a correct
answer
β’ A malicious bank cannot block other banks from transacting
45
How to maintain financial invariants?
46
ID Asset Goldman Sachs JP Morgan Barclays
1 β¬ Depositor, Goldman Sachs, 30M
2 β¬ comm(-10M) comm(10M) comm(0)
3 β¬ comm(0) comm(-1M) comm(1M)
4 β¬ comm(0) comm(-2M) comm(2M)
use non-interactive zero-knowledge proofs (NIZKs)!
comm(π ππ45)comm(π ππ67)comm(π ππ67)
What are the NIZK proof statements?
47
ID Asset Goldman Sachs JP Morgan Barclays
1 β¬ Depositor, Goldman Sachs, 30M
2 β¬ comm(-10M) comm(10M) comm(0)
3 β¬ comm(0) comm(-1M) comm(1M)
4 β¬ comm(0) comm(-2M) comm(2M)
Sender proves in zero knowledge that it knows sk for signing, values committed to in row, and decommitment randomness for all of them such that :
- Values in the transaction row sum to zero- Signature verifies with the PK of sending bank on that amount - One bank receives, all others are zero- Bank has assets to transfer from previous transactions
comm(π ππ45)comm(π ππ67)comm(π ππ67)
Preliminaries
- Anyone can compute the aggregate commitment for every bank π(over all transactions including this new transaction): ππππ*++,-
- Let π be the number of banks- ππππ./# contains the signature on the transaction- Let ππΎ- be the verification key of bank π with signing key ππΎ-- Assume that the receiver obtains the decommitment values from
the spender using an out-of-band channel
48
in
The spender proves in zero-knowledge that it knows - π the index of spending bank, β the index of receiving bank, - decommitment values π" and values π£"- signature randomness π and π π, - π#$$, π£#$$ for ππππ#$$,&, such that:- ππππ" opens up with π" and π£" ,- π£'() ππ π ππ produced with π, π π and π ππ verifies with ππΎ& on transaction
content[transaction is authorized]
- π£& β€ 0, π£& = βπ£β, π£" = 0 for π β 1, π β β, π , [spender loses money, receiver gains same money, the rest have zero]
- ππππ#$$,& opens up with π#$$ and π£#$$ and π£#$$ β₯ 0[spender spends no more than resources]
49Instead of one monolithic proof enforcing these properties, zkLedgerdoes a set of more efficient things but they are less relevant here
Outlineβ’ System modelβ’ zkLedger designβ Hiding commitmentsβ Ledger table formatβ Zero-knowledge proofs
β’ Evaluation50
Implementationβ’ zkLedger written in Goβ’ Elliptic curve library: btcec, secp256k1β’ ~4000 loc
51
Evaluationβ’ How fast is auditing?β’ How does zkLedger scale with the number of banks?
Experiments on 12 4 core Intel Xeon 2.5Ghz VMs, 24 GB RAM
52
Simple auditing is fast and independent of ledger size
53
0
2
4
6
8
10
12
0K 20K 40K 60K 80K 100K
Au
diti
ng
tim
e (
ms)
Transactions in ledger
online auditor
Auditing 4 banks measuring market concentration
Pedersen commitments +
table design amenable to
caching
Cost in a transaction per bankβ’ Entry size: 4.5KB
β’ Creating an entry: 8ms
β’ Verifying an entry: 7ms
57
Γ # banks
Highly parallelizable
Significant opportunities for compression and speedup
Summary- Specialized/partial homomorphic encryption enables
specific functionalities and tend to be faster than FHE at computing these
- Pedersen commitment is also homomorphic- zkLedger provides privacy and auditing on transaction ledgers using Pedersen commitments, their homomorphism and NIZKs
58