Berkeley CS276 & MIT 6.875
Specialized homomorphic encryption, commitments and
applications
Lecturer: Raluca Ada Popa
Announcements
• Starting to record
Specialized/partial homomorphic encryption
• An encryption scheme that is homomorphic with respect to a specific function; unlike FHE, it cannot compute arbitrary functions
• Usually faster than FHE due to specialization (but not always)
El Gamal encryption (1985)
A semantically secure public-key encryption scheme
Setup($1^\lambda$):
- Generate a large prime $p$ of size $\lambda$
- Choose a generator $g$ of $\mathbb{Z}_p^*$, $1 < g < p-1$
- Output $(p, g)$

KeyGen($1^\lambda$):
- Choose random $0 \le sk \le p-2$
- Let $pk = g^{sk} \bmod p$
- Output $(sk, pk)$

Enc($pk, m$):
- Choose random $0 \le r \le p-2$
- Output $(g^r \bmod p,\ m \cdot pk^r \bmod p)$

Dec($sk, c_1, c_2$):
- Output $c_2 \cdot c_1^{-sk} \bmod p$

Messages satisfy $m \in [1, p-1]$. Why? The message must be an element of the group $\mathbb{Z}_p^*$ so that it can be masked by a group element; $m = 0$ is not in the group and would give $c_2 = 0$ under every key.

How to decrypt? $c_2 \cdot c_1^{-sk} = m \cdot pk^r \cdot g^{-r \cdot sk} = m \cdot g^{sk \cdot r} \cdot g^{-r \cdot sk} = m$
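As an added worked example (not code from the lecture), here is the scheme above in Python, together with the multiplicative homomorphism that makes El Gamal "specialized homomorphic": the componentwise product of two ciphertexts decrypts to the product of the plaintexts. The modulus p = 2039 is a constructed toy prime and the generator search is an illustration of the Setup step; a real deployment would use a prime-order subgroup of cryptographic size.

```python
import secrets
from typing import Tuple

# Constructed toy modulus for illustration only: p = 2039 is prime (p = 2q + 1 with q = 1019).
# The lecture's Setup generates a lambda-bit prime; 11 bits is nowhere near that.
P = 2039


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/l) != 1 for every prime l dividing p - 1.
    Assumes p is a safe prime (p - 1 = 2q, q prime), so two checks suffice."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def setup(p: int = P) -> Tuple[int, int]:
    """Setup(1^lambda): pick a generator g with 1 < g < p - 1 (the smallest one). Output (p, g)."""
    g = next(c for c in range(2, p - 1) if is_generator(c, p))
    return p, g


def keygen(p: int, g: int) -> Tuple[int, int]:
    """KeyGen(1^lambda): sk uniform in [0, p-2], pk = g^sk mod p. Output (sk, pk)."""
    sk = secrets.randbelow(p - 1)
    return sk, pow(g, sk, p)


def enc(p: int, g: int, pk: int, m: int) -> Tuple[int, int]:
    """Enc(pk, m): (g^r mod p, m * pk^r mod p) with fresh r in [0, p-2].
    pk^r = g^(sk*r) is the Diffie-Hellman shared key, used as a one-time pad on m."""
    if not 1 <= m <= p - 1:
        raise ValueError("m must lie in Z_p^*, i.e. in [1, p-1]")
    r = secrets.randbelow(p - 1)
    return pow(g, r, p), m * pow(pk, r, p) % p


def dec(p: int, sk: int, c: Tuple[int, int]) -> int:
    """Dec(sk, c1, c2): c2 * c1^(-sk) mod p; c1^(-sk) = c1^(p-1-sk) by Fermat since p is prime."""
    c1, c2 = c
    return c2 * pow(c1, p - 1 - sk, p) % p


def mul_ciphertexts(p: int, c: Tuple[int, int], d: Tuple[int, int]) -> Tuple[int, int]:
    """Multiplicative homomorphism: the componentwise product of Enc(m1) and Enc(m2) is an
    encryption of m1 * m2 mod p under the same key (with randomness r1 + r2)."""
    return c[0] * d[0] % p, c[1] * d[1] % p


def demo() -> Tuple[int, int, int, int]:
    """Returns (Dec(Enc(m1)), Dec(Enc(m2)), Dec(Enc(m1) * Enc(m2)), m1 * m2 mod p)."""
    p, g = setup()
    sk, pk = keygen(p, g)
    m1, m2 = 123, 456
    c1, c2 = enc(p, g, pk, m1), enc(p, g, pk, m2)
    return dec(p, sk, c1), dec(p, sk, c2), dec(p, sk, mul_ciphertexts(p, c1, c2)), m1 * m2 % p
```

The homomorphism is also why textbook El Gamal is malleable: anyone can multiply a ciphertext by Enc(2) and double the plaintext without knowing the key, which is a feature for the applications in this lecture and a bug anywhere integrity matters.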
DDH assumption
Enc($pk, m$): choose random $0 \le r \le p-2$; output $(g^r \bmod p,\ m \cdot pk^r \bmod p)$

Diffie-Hellman key exchange in disguise: $pk^r = g^{sk \cdot r}$ is the DH shared key between the key holder ($g^{sk}$) and the encryptor ($g^r$), and it is used as a one-time pad on $m$.

Semantic security relies on the Decisional Diffie-Hellman (DDH) assumption. For all nonuniform PPT $A$,

$$\Big|\Pr[(p,g) \leftarrow Setup(1^\lambda);\ a,b \leftarrow [0,p-2];\ A(p,g,g^a,g^b,g^{ab}) = 1] - \Pr[(p,g) \leftarrow Setup(1^\lambda);\ a,b,c \leftarrow [0,p-2];\ A(p,g,g^a,g^b,g^c) = 1]\Big| < negl(\lambda)$$

Caveat: DDH is false in all of $\mathbb{Z}_p^*$ as set up here, because whether $g^{ab}$ is a quadratic residue is determined by whether $g^a$ and $g^b$ are (Legendre symbols are cheap to compute), which gives a distinguisher with noticeable advantage. Practical El Gamal works in a prime-order subgroup (such as the order-$q$ subgroup used for Pedersen commitments below) or in an elliptic-curve group, with messages encoded into that group.
Proof of security
Decisional Diffie-Hellman assumption: for all nonuniform PPT $A$,

$$\Big|\Pr[(p,g) \leftarrow Setup(1^\lambda);\ a,b \leftarrow [0,p-2];\ A(p,g,g^a,g^b,g^{ab}) = 1] - \Pr[(p,g) \leftarrow Setup(1^\lambda);\ a,b,c \leftarrow [0,p-2];\ A(p,g,g^a,g^b,g^c) = 1]\Big| < negl(\lambda)$$

Claim: If DDH holds, El Gamal is semantically secure.

Proof: Assume $A$ can break El Gamal's semantic security; we build $B$ that breaks DDH. $B$ must distinguish $(g^a, g^b, g^{ab})$ from $(g^a, g^b, g^c)$. $A$ can distinguish $(g^{sk}, g^r, m_0 \cdot g^{sk \cdot r})$ from $(g^{sk}, g^r, m_1 \cdot g^{sk \cdot r})$, i.e. an encryption of $m_0$ from an encryption of $m_1$ under public key $g^{sk}$.

$B$, on input $(g^a, g^b, Z)$, gives $A$ the public key $pk = g^a$, receives $m_0, m_1$ from $A$, picks a random bit $\beta$, and feeds $A$ the ciphertext $(g^b,\ m_\beta \cdot Z)$. If $Z = g^c$, the second component is uniform and independent of $\beta$, so $A$ cannot guess $\beta$ with probability better than $1/2$. If $Z = g^{ab}$, this is a correctly distributed encryption of $m_\beta$ (with $sk = a$ and $r = b$), so $A$ guesses $\beta$ with non-negligible advantage. $B$ outputs 1 iff $A$'s guess equals $\beta$, so $B$'s DDH advantage is $A$'s advantage up to a constant factor, contradicting DDH.
Other partially homomorphic encryption schemes
| Scheme | Homomorphism |
|---|---|
| Goldwasser-Micali '82 | XOR |
| Paillier '99 | + |
| Boneh-Goh-Nissim '05 | +, then one ×, then + (based on bilinear maps) |
| PHE/SHE (partially / somewhat homomorphic encryption) | some polynomials (bounded degree, not arbitrary functions) |
Recall: commitments
Pedersen commitment

Setup($1^\lambda$), at the receiver:
- select large primes $p$ and $q$ of size $\lambda$ such that $q$ divides $p-1$
- select a generator $g$ of the order-$q$ subgroup of $\mathbb{Z}_p^*$
- generate random $a \leftarrow \mathbb{Z}_q$
- let $h = g^a \bmod p$
- output $(g, h, p, q)$

The trapdoor $a$ stays with the receiver. The sender must not learn $a$, because binding (below) holds only against a party that does not know $\log_g h$; hiding holds against everyone, including the receiver who knows $a$.

Commit($g, h, p, q, x$), by the sender:
- choose random $r \leftarrow \mathbb{Z}_q$
- output $comm = g^x h^r \bmod p$

Reveal, by the sender:
- send $x$ and $r$ to the receiver
- the receiver verifies that $comm = g^x h^r \bmod p$ and accepts if so, else rejects
![Page 10: Berkeley CS276 & MIT 6](https://reader033.vdocuments.us/reader033/viewer/2022061101/629b625b0f836474612596e7/html5/thumbnails/10.jpg)
Perfectly hiding

Commit($g, h, p, q, x$), by the sender: choose random $r \leftarrow \mathbb{Z}_q$; output $comm = g^x h^r \bmod p$

• For a commitment $comm$, every $x$ could have been committed to in $comm$
• Given $x$, $r$ and any $x'$, there exists $r'$ such that $g^x h^r = g^{x'} h^{r'}$, namely $r' = (x - x')\,a^{-1} + r \bmod q$
• So for every $x$ the commitment is a uniformly random element of the order-$q$ subgroup, and its distribution carries no information about $x$
![Page 11: Berkeley CS276 & MIT 6](https://reader033.vdocuments.us/reader033/viewer/2022061101/629b625b0f836474612596e7/html5/thumbnails/11.jpg)
Computationally binding

• Assume the sender can find $x', r'$ such that $x' \neq x$ and $comm = g^x h^r = g^{x'} h^{r'}$
• $h = g^a \bmod p$ implies $x + a r = x' + a r' \pmod q$
• The sender can compute $a = (x' - x)(r - r')^{-1} \bmod q$ (note $r \neq r'$, since $r = r'$ would force $x = x'$)
=> the sender solved the discrete logarithm of $h$ base $g$!
![Page 12: Berkeley CS276 & MIT 6](https://reader033.vdocuments.us/reader033/viewer/2022061101/629b625b0f836474612596e7/html5/thumbnails/12.jpg)
Commit($g, h, p, q, x$), by the sender: choose random $r \leftarrow \mathbb{Z}_q$; output $comm(x, r) = g^x h^r \bmod p$

Why is Pedersen homomorphic?

$$comm(x_1, r_1) \cdot comm(x_2, r_2) = g^{x_1 + x_2}\, h^{r_1 + r_2} \bmod p = comm(x_1 + x_2,\ r_1 + r_2)$$

The sender reveals this combined commitment by showing $x_1 + x_2$ and $r_1 + r_2$ (both mod $q$).
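Added example (not the lecture's code) covering the Pedersen slides above in one place: commit and reveal, the homomorphism, the equivocation formula $r' = (x - x')a^{-1} + r$ behind perfect hiding, and the extraction $a = (x' - x)(r - r')^{-1}$ from two openings, which is why a binding break is a discrete-log solver. The group $(p, q, g) = (2039, 1019, 4)$ is a constructed toy instance of the Setup step and all function names are assumptions for illustration.

```python
import secrets
from typing import Optional, Tuple

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are both prime, so q | p - 1, and
# g = 4 (a square mod p) generates the order-q subgroup of Z_p^*. Real deployments use ~256-bit
# groups or an elliptic curve; these sizes are for illustration only.
P, Q, G = 2039, 1019, 4


def setup() -> Tuple[int, int]:
    """Receiver-side Setup: h = g^a for a random trapdoor a. Returns (h, a). The receiver keeps a
    to itself: binding only holds against a sender who does not know log_g(h)."""
    a = secrets.randbelow(Q - 1) + 1  # a in [1, q-1], hence invertible mod q
    return pow(G, a, P), a


def commit(h: int, x: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Commit: comm = g^x h^r mod p with fresh random r in Z_q. Returns (comm, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(h, r % Q, P) % P, r


def verify(h: int, comm: int, x: int, r: int) -> bool:
    """Reveal: the receiver recomputes g^x h^r and accepts iff it equals comm."""
    return commit(h, x, r)[0] == comm


def add_commitments(c1: int, c2: int) -> int:
    """Homomorphism: comm(x1, r1) * comm(x2, r2) = comm(x1 + x2, r1 + r2)."""
    return c1 * c2 % P


def equivocate(a: int, x: int, r: int, x_new: int) -> int:
    """Perfect hiding made explicit: with trapdoor a, r' = (x - x') a^{-1} + r mod q opens the
    same commitment to x'. Without a this requires solving a discrete log."""
    return ((x - x_new) * pow(a, -1, Q) + r) % Q


def extract_trapdoor(x1: int, r1: int, x2: int, r2: int) -> int:
    """Binding: two openings of one commitment with x1 != x2 yield a = (x2 - x1)(r1 - r2)^{-1} mod q,
    i.e. the discrete log of h base g. So anyone who breaks binding solves DLOG."""
    if (x1 - x2) % Q == 0:
        raise ValueError("openings agree on the value: not a binding break")
    return (x2 - x1) * pow(r1 - r2, -1, Q) % Q


def demo() -> dict:
    h, a = setup()
    c, r = commit(h, 42)
    c2, r2 = commit(h, 8)
    r_fake = equivocate(a, 42, r, 7)  # open c to 7 instead of 42, possible only with the trapdoor
    return {
        "opens": verify(h, c, 42, r),
        "fake_opens": verify(h, c, 7, r_fake),
        "sum_opens": verify(h, add_commitments(c, c2), 50, r + r2),
        "trapdoor_recovered": extract_trapdoor(42, r, 7, r_fake) == a,
    }
```

The `equivocate` call in `demo` is exactly what the receiver could do and the sender cannot: it demonstrates that hiding is information-theoretic while binding depends on who knows $a$, which is why in practice $h$ is derived by hashing (nothing-up-my-sleeve) so that nobody, receiver included, knows $\log_g h$.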
![Page 13: Berkeley CS276 & MIT 6](https://reader033.vdocuments.us/reader033/viewer/2022061101/629b625b0f836474612596e7/html5/thumbnails/13.jpg)
Application: zkLedger [Narula-Vasquez-Virza '18]
• Privacy-preserving auditing for distributed ledgers
• A cryptographic system built out of:
  – Pedersen commitments and their homomorphism
  – Zero-knowledge proofs
First: the use case
(all cryptographic systems should have a use case)
Structure of the financial system
• Dozens of large investment banks: JP Morgan, Citibank, Bank of America, Credit Suisse, Barclays, UBS, HSBC, Wells Fargo, BNY Mellon, Goldman Sachs, Deutsche Bank, Morgan Stanley
• Trading: securities, currencies, commodities, derivatives
• Trillions of dollars
• Regulator: the Financial Industry Regulatory Authority (FINRA) on OTC markets

zkLedger slides adapted from Neha Narula
A ledger records financial transactions
| ID | Asset | From | To | Amount |
|---|---|---|---|---|
| 90 | $ | Citibank | Goldman Sachs | 1,000,000 |
| 91 | € | JP Morgan | UBS | 200,000 |
| 92 | € | JP Morgan | Barclays | 3,000,000 |

Each transaction carries the sender's signature (Citibank on 90, JP Morgan on 91 and 92).

Assume a trusted ledger: append-only, immutable, consistent & visible to everyone
Can verify important financial invariants
Examining the ledger above, anyone can verify:
• Consent to transfer (the sender's signature)
• The sender has the assets to transfer
• Assets are neither created nor destroyed
Banks care about privacy
Trades reveal sensitive strategy information
Verifying invariants are maintained with privacy
With the same ledger, the same invariants must still be verifiable:
• Consent to transfer
• Has assets to transfer
• Assets neither created nor destroyed
Verifying invariants are maintained with privacy
| ID | Asset | From, To, Amount |
|---|---|---|
| 90 | $ | hidden |
| 91 | € | hidden |
| 92 | € | hidden |

Verification of consent, sufficient assets, and conservation of assets must now work over the hidden columns. Prior systems that achieve this: Zerocash (zk-SNARKs) [S&P 2014], Solidus (PVORM) [CCS 2017]
Problem
Regulators need insight into markets to maintain financial stability and protect investors.
Participants would like to measure counterparty risk:
• Leverage
• Exposure
• Overall market concentration
How to confidently audit banks to determine risk?
Auditor: What fraction of your assets are in Euros?
Bank: 3 million / 100 million
Auditor: How exposed is this bank to a drop in the Euro? ???
(The auditor has no way to check that the bank's answer is correct.)
zkLedger: a private, auditable transaction ledger
• Privacy: hides transacting banks and amounts
• Integrity with public verification: everyone can verify transactions are well-formed
• Auditing: compute provably-correct linear functions over transactions
Outline
• System & threat model
• zkLedger design
  – Pedersen commitments
  – Ledger table format
  – Zero-knowledge proofs
• Evaluation
zkLedger system model
| ID | Asset | Transaction details |
|---|---|---|
| 1 | $ | |
| 2 | € | |
| 3 | € | |
An auditor can obtain correct answers on ledger contents
| ID | Asset | Transaction details |
|---|---|---|
| 1 | $ | |
| 2 | € | |
| 3 | € | |

Auditor: What fraction of your assets are in Euros?
Bank: 3 million / 100 million, together with a proof π that the answer is consistent with the ledger
Measurements zkLedger supports
• Ratios and percentages of holdings
• Sums, averages, variance, skew
• Outliers
• Approximations and orders of magnitude
• Changes over time
• Well-known financial risk measurements (Herfindahl-Hirschman index)
Security goals
• The auditor and non-involved parties cannot see transaction participants or amounts
• Banks cannot lie to the auditor or omit transactions
• Banks cannot violate financial invariants
  – Honest banks can always convince the auditor of a correct answer
• A malicious bank cannot block other banks from transacting
Threat model
• Banks might attempt to steal or hide assets, manipulate balances, or lie to the auditor
• Banks can arbitrarily collude
• Banks or the auditor might try to learn transaction contents

Out of scope:
• A ledger that omits transactions or is unavailable
• An adversary watching network traffic
• Banks leaking their own transactions
Outline
• System & threat model
• zkLedger design
  – Pedersen commitments
  – Ledger table format
  – Zero-knowledge proofs
• Evaluation
Example public transaction ledger
ID Asset From To Amount
1 β¬ Depositor Goldman Sachs 30,000,000
2 β¬ Goldman Sachs JP Morgan 10,000,000
3 β¬ JP Morgan Barclays 1,000,000
4 β¬ JP Morgan Barclays 2,000,000
Depositor injects assets to the ledger (transaction 1).

Goals: auditing + privacy
• Provably audit Barclays to find its Euro holdings
• Hide participants, amounts, and the transaction graph
Hide amounts with commitments
| ID | Asset | From | To | Amount |
|---|---|---|---|---|
| 1 | € | Depositor | Goldman Sachs | 30M |
| 2 | € | Goldman Sachs | JP Morgan | comm(10M) |
| 3 | € | JP Morgan | Barclays | comm(1M) |
| 4 | € | JP Morgan | Barclays | comm(2M) |

Amounts are hidden inside Pedersen commitments (the depositor's amount stays public). The homomorphism still lets anyone combine them: comm(10M) × comm(1M) × comm(2M) = comm(13M).
Hide participants with other techniques
Strawman: audit by opening up combined commitments
Auditor: How many Euros do you hold?
Barclays: 3 million, and opens comm(1M) × comm(2M) to 3M

This reveals which transactions are Barclays' (rows 3 and 4). Problems?
A malicious bank could omit transactions

Auditor: How many Euros do you hold?
Barclays: 1 million, and opens comm(1M) alone to 1M

The auditor cannot tell that row 4 also belongs to Barclays, so the omission goes unnoticed.
zkLedger design: an entry for every bank in every transaction
| ID | Asset | Goldman Sachs | JP Morgan | Barclays |
|---|---|---|---|---|
| 1 | € | Depositor → Goldman Sachs, 30M (public) | | |
| 2 | € | comm(−10M) | comm(10M) | comm(0) |
| 3 | € | comm(0) | comm(−1M) | comm(1M) |
| 4 | € | comm(0) | comm(−2M) | comm(2M) |

The spender's column commits to the negative value and the receiver's to the positive value. For non-involved banks, entries commit to 0, which is indistinguishable from a commitment to a non-zero value. Depositor transactions are public.
Key insight: auditor audits every transaction
Auditor: How many Euros do you hold?
Barclays: 3 million, and opens comm(0) × comm(1M) × comm(2M), the product of its entire column, to 3M

The auditor computes the same column product itself from the public ledger, so the opening necessarily covers every transaction, whether or not Barclays was involved in it.
A malicious bank canβt produce a proof for a different answer
Auditor: How many Euros do you hold?
Barclays: 1 million, trying to open only comm(1M) to 1M

The opening does not match the column product comm(0) × comm(1M) × comm(2M) that the auditor computed itself, so it is rejected; by binding, Barclays cannot open that product to anything other than 3M.
Security goals
• The auditor and non-involved parties cannot see transaction participants, amounts, or the transaction graph
• Banks cannot lie to the auditor or omit transactions
• Banks cannot violate financial invariants
  – Honest banks can always convince the auditor of a correct answer
• A malicious bank cannot block other banks from transacting
How to maintain financial invariants?
| ID | Asset | Goldman Sachs | JP Morgan | Barclays | Committed signature |
|---|---|---|---|---|---|
| 1 | € | Depositor → Goldman Sachs, 30M (public) | | | |
| 2 | € | comm(−10M) | comm(10M) | comm(0) | comm(sig_GS) |
| 3 | € | comm(0) | comm(−1M) | comm(1M) | comm(sig_JPM) |
| 4 | € | comm(0) | comm(−2M) | comm(2M) | comm(sig_JPM) |

Use non-interactive zero-knowledge proofs (NIZKs)! Each row also carries the spending bank's signature in committed form, so the row is authorized without revealing who the spender is.
What are the NIZK proof statements?
The sender proves in zero knowledge that it knows the signing key sk, the values committed to in the row, and the decommitment randomness for all of them, such that:
- the values in the transaction row sum to zero
- the signature verifies under the PK of the sending bank on that amount
- one bank receives, and all other entries are zero
- the bank has the assets to transfer, from previous transactions
Preliminaries
- Anyone can compute the aggregate commitment for every bank $i$ (over all transactions, including this new transaction): $comm_{agg,i}$
- Let $n$ be the number of banks
- $comm_{sig}$ contains the signature on the transaction
- Let $VK_i$ be the verification key of bank $i$, with signing key $SK_i$
- Assume that the receiver obtains the decommitment values from the spender using an out-of-band channel
The spender proves in zero knowledge that it knows
- $s$, the index of the spending bank, and $\ell$, the index of the receiving bank,
- decommitment values $r_i$ and values $v_i$ for every entry in the row,
- signature randomness $\rho$ and the signature $sig$,
- $r_{agg}, v_{agg}$ for $comm_{agg,s}$,

such that:
- $comm_i$ opens with $r_i$ and $v_i$ for every $i$,
- $v_{sig}$ is a signature produced with $\rho$ and $SK_s$, and $sig$ verifies with $VK_s$ on the transaction content [transaction is authorized],
- $v_s \le 0$, $v_s = -v_\ell$, and $v_i = 0$ for $i \in [1, n] \setminus \{\ell, s\}$ [spender loses money, receiver gains the same money, the rest have zero],
- $comm_{agg,s}$ opens with $r_{agg}$ and $v_{agg}$, and $v_{agg} \ge 0$ [spender spends no more than its resources].

Instead of one monolithic proof enforcing all of these properties, zkLedger uses a set of smaller, more efficient proofs (one per property); their details are less relevant here.
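Added example, not zkLedger's own code: a toy version of the table design and audit from the slides above. It builds the per-bank entries for rows 2 to 4 with Pedersen commitments, has the spender prove "values in the row sum to zero" with a Schnorr proof of knowledge of the combined randomness (the shape of a proof of balance; the signature, asset and range proofs from the statement above are omitted), aggregates each column homomorphically, and shows that an opening covering only some of a bank's rows is rejected by an auditor who recomputes the column product itself. The group is a constructed toy safe-prime group generated on the fly, the amounts are in millions, and all names are assumptions.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple


def _is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _group_params() -> Tuple[int, int, int, int]:
    """Constructed toy group: the first safe prime p = 2q+1 with q > 2^62, g = 4 (a square mod p,
    hence of order q), h = g^a for a fixed a nobody retains. 62-bit q is for speed only."""
    q = (1 << 62) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4, pow(4, 0x5EED, p)  # 0x5EED: arbitrary constructed exponent for h


P, Q, G, H = _group_params()
BANKS = ["Goldman Sachs", "JP Morgan", "Barclays"]
Row = Tuple[Dict[str, int], Dict[str, int], Dict[str, int]]  # (commitments, values, randomness)


def commit(v: int, r: int) -> int:
    """Pedersen commitment g^v h^r mod p; a negative v (spender's column) is reduced mod q."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P


def make_row(values: Dict[str, int]) -> Row:
    """One ledger row with an entry for EVERY bank, each under fresh randomness."""
    rands = {b: secrets.randbelow(Q) for b in BANKS}
    return {b: commit(values[b], rands[b]) for b in BANKS}, dict(values), rands


def transfer(spender: str, receiver: str, amount: int) -> Row:
    """Spender commits to -amount, receiver to +amount, every other bank to 0."""
    values = {b: 0 for b in BANKS}
    values[spender] -= amount
    values[receiver] += amount
    return make_row(values)


def _prod(xs) -> int:
    out = 1
    for x in xs:
        out = out * x % P
    return out


def _challenge(statement: int, t: int) -> int:
    return int.from_bytes(hashlib.sha256(f"{P}|{G}|{H}|{statement}|{t}".encode()).digest(), "big") % Q


def prove_row_balanced(row: Row) -> Tuple[int, int]:
    """Spender's proof that the row sums to zero: then prod comm_i = h^R with R = sum r_i, and a
    Schnorr proof of knowledge of R (Fiat-Shamir) shows this without revealing any r_i."""
    comms, _, rands = row
    R = sum(rands.values()) % Q
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    return t, (k + _challenge(_prod(comms.values()), t) * R) % Q


def verify_row_balanced(comms: Dict[str, int], proof: Tuple[int, int]) -> bool:
    """Public check h^s == t * (prod comm_i)^c: passes only if prod comm_i lies in <h>."""
    t, s = proof
    statement = _prod(comms.values())
    return pow(H, s, P) == t * pow(statement, _challenge(statement, t), P) % P


def bank_answer(ledger: List[Row], bank: str, rows=None) -> Tuple[int, int]:
    """The bank's opening (value, randomness) of its column: all rows if honest, a subset if cheating."""
    rows = list(range(len(ledger))) if rows is None else rows
    return sum(ledger[i][1][bank] for i in rows) % Q, sum(ledger[i][2][bank] for i in rows) % Q


def auditor_accepts(ledger: List[Row], bank: str, answer: Tuple[int, int]) -> bool:
    """Key insight: the auditor recomputes the aggregate over EVERY row itself from the public
    commitments, so an opening that omits rows cannot match it."""
    v, r = answer
    return commit(v, r) == _prod(row[0][bank] for row in ledger)


def demo() -> Dict[str, object]:
    ledger = [transfer("Goldman Sachs", "JP Morgan", 10),  # slide rows 2-4, amounts in millions
              transfer("JP Morgan", "Barclays", 1),
              transfer("JP Morgan", "Barclays", 2)]
    bad = make_row({"Goldman Sachs": -10, "JP Morgan": 11, "Barclays": 0})  # mints 1M from nothing
    return {
        "rows_balanced": all(verify_row_balanced(r[0], prove_row_balanced(r)) for r in ledger),
        "unbalanced_rejected": not verify_row_balanced(bad[0], prove_row_balanced(bad)),
        "barclays_total": bank_answer(ledger, "Barclays")[0],  # 0 + 1 + 2 = 3
        "honest_accepted": auditor_accepts(ledger, "Barclays", bank_answer(ledger, "Barclays")),
        "omission_accepted": auditor_accepts(ledger, "Barclays", bank_answer(ledger, "Barclays", [1])),
    }
```

Two things to notice when running it: the balance proof never needs the auditor to learn any value or randomness, only the public row commitments, and the audit works because the column product is computable by everyone, so Barclays has no say in which rows count. The strawman from the earlier slides failed precisely because the bank chose the rows.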
Outline
• System model
• zkLedger design
  – Hiding commitments
  – Ledger table format
  – Zero-knowledge proofs
• Evaluation
Implementation
• zkLedger written in Go
• Elliptic curve library: btcec (secp256k1)
• ~4000 lines of code
Evaluation
• How fast is auditing?
• How does zkLedger scale with the number of banks?

Experiments on 12 VMs, each with a 4-core Intel Xeon at 2.5 GHz and 24 GB RAM
Simple auditing is fast and independent of ledger size
[Figure: auditing time (ms, 0 to 12) vs. transactions in the ledger (0K to 100K), online auditor; auditing 4 banks measuring market concentration. Auditing time stays flat as the ledger grows.]

Why: Pedersen commitments + a table design amenable to caching
Cost in a transaction, per bank
• Entry size: 4.5 KB
• Creating an entry: 8 ms
• Verifying an entry: 7 ms
Multiply by the number of banks for a whole transaction (one entry per bank).
• Highly parallelizable
• Significant opportunities for compression and speedup
Summary
- Specialized/partial homomorphic encryption enables specific functionalities and tends to be faster than FHE at computing them
- The Pedersen commitment is also homomorphic
- zkLedger provides privacy and auditing on transaction ledgers using Pedersen commitments, their homomorphism and NIZKs