zexe: enabling decentralized private computation · 1 zexe: enabling decentralized private...
TRANSCRIPT
1
ZEXE: EnablingDecentralized Private Computation
Sean Bowe Alessandro Chiesa
Matthew Green Ian Miers
Pratyush Mishra Howard Wu
Zcash UC Berkeley JHU Cornell Tech UC Berkeley UC Berkeley
ia.cr/2018/962 libzexe.org
PENCIL Workshop, 2019
Computing on distributed ledgers
Computing on distributed ledgers
• Today we have a number of systems for running general computations on distributed ledgers: Ethereum, Tezos, EOS…
Computing on distributed ledgers
• Today we have a number of systems for running general computations on distributed ledgers: Ethereum, Tezos, EOS…
• These usually work by re-execution: every node re-executes every transaction.
Computing on distributed ledgers
• Today we have a number of systems for running general computations on distributed ledgers: Ethereum, Tezos, EOS…
• These usually work by re-execution: every node re-executes every transaction.
3
Scalability and privacy issuesScalability Privacy
3
Scalability and privacy issuesScalability Privacy
3
Scalability and privacy issuesScalability Privacy
3
Scalability and privacy issuesScalability Privacy
3
Scalability and privacy issuesScalability Privacy
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
Anyone can see:
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
executed program
Anyone can see:
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
executed program input
data
Anyone can see:
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
executed program input
datacaller
Anyone can see:
3
Scalability and privacy issuesScalability Privacy
•Bottlenecked by weakest node•Independent of consensus-layer
improvements
executed program input
datacaller
Anyone can see:
•Permanently stored on the ledger
This work: ZEXE
4
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computation
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50ms
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)• inter-process communication (functions can interact)
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)• inter-process communication (functions can interact)
Example applications:
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)• inter-process communication (functions can interact)
Example applications:• private user-defined assets
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)• inter-process communication (functions can interact)
Example applications:• private user-defined assets• private stablecoins
This work: ZEXE
4
A ledger-based system that enables users to conduct offline computations and then publish transactions about these.
Privacy: tx reveals no info about offline computationSuccinctness: tx can be validated in poly(k) time
|tx|<1KB Verify(tx) in <50msFunctionality:
• extensibility (user-defined functions)• isolation (malicious functions do not affect honest ones)• inter-process communication (functions can interact)
Example applications:• private user-defined assets• private stablecoins• private decentralized exchanges
This talk: ZEXE
5
This talk: ZEXE
5
Will use ideas from ZEXE to construct
This talk: ZEXE
5
Will use ideas from ZEXE to construct
private user-defined assets
This talk: ZEXE
5
Will use ideas from ZEXE to construct
private user-defined assetsprivate decentralized exchanges
This talk: ZEXE
5
Will use ideas from ZEXE to construct
private user-defined assetsprivate decentralized exchangesprivate stablecoins
Trading digital assets
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
+ (Somewhat) private: only exchange learns trade details
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
+ (Somewhat) private: only exchange learns trade details
Decentralized exchanges
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
+ (Somewhat) private: only exchange learns trade details
Decentralized exchanges
+ Users retain custody of assets
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
+ (Somewhat) private: only exchange learns trade details
Decentralized exchanges
+ Users retain custody of assets
- Inefficient: on-chain activity for all trades
Trading digital assets• Custom, user-defined assets are most successful
application of smart contract systems.
• Many different kinds of assets such as ERC-20, ERC-721 tokens and stablecoins. Different properties and controlling authorities.
• How to trade such assets?Centralized exchanges
- Users give up custody of assets.
- Can lead to loss of funds due to fraud/breach/error
+ Efficient: infrequent on-chain activity
+ (Somewhat) private: only exchange learns trade details
Decentralized exchanges
+ Users retain custody of assets
- Inefficient: on-chain activity for all trades
- Non-private: any observer can see trade details
Limitations of DEXs
Limitations of DEXs
Privacy:
Limitations of DEXs
Privacy:• Every trade goes on the ledger.
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
User financial privacy
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
User financial privacy
Trading history of users is public on the ledger, which reduces fungibility and can reveal secrets like trading patterns and techniques.
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
Frontrunning
Miners’ privileged network position enables them to see big orders before others, allowing them to place their own orders before prices change.
User financial privacy
Trading history of users is public on the ledger, which reduces fungibility and can reveal secrets like trading patterns and techniques.
Limitations of DEXs
Privacy:• Every trade goes on the ledger.• Transactions reveal participating parties, assets and
values.
Frontrunning
Miners’ privileged network position enables them to see big orders before others, allowing them to place their own orders before prices change.
User financial privacy
Trading history of users is public on the ledger, which reduces fungibility and can reveal secrets like trading patterns and techniques.
[BDJT17, BBDJLZ17, DGKLZBBJ19]
8
8
Private user-defined assets
8
Private DEX
Private user-defined assets
8
Private DEX
Private user-defined assets
Private stablecoins
8
Private DEX
Private user-defined assets
Private stablecoins
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
[BCGGMTV14]
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
[BCGGMTV14]
sn1 cma
sn2 cmb
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
[BCGGMTV14]
sn1 cma
sn2 cmb
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
[BCGGMTV14]
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
HIDDEN
[BCGGMTV14]
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
all created coins (commitments)
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
all created coins (commitments)
cmb
cme cmc...
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
all created coins (commitments)
consumed coins (serial numbers)
cmb
cme cmc...
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
all created coins (commitments)
consumed coins (serial numbers)
cmb sn5
cme cmc...
...
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
The Zerocash Paradigm
9
Each transaction consumes old coins and creates new coins. The senders, receivers, and values are provably hidden.
sn3 cmc
sn4 cmd
∗
v5+v6=ve+vfHIDDEN
[BCGGMTV14]
all created coins (commitments)
consumed coins (serial numbers)
cmb sn5
cme cmc...
...
sn1 cma
sn2 cmb
∗sn5 cme
sn6 cmf
∗
Sketch of Zerocash
10
tx
old coin serial numbers
new coin commitments
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
𝛑tx
old coin serial numbers
new coin commitments ZKP
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
𝛑tx
old coin serial numbers
new coin commitments ZKP
COMM
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i v𝗈𝗅𝖽
i ρ𝗈𝗅𝖽ic𝗈𝗅𝖽
i
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
COMM
∈
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i v𝗈𝗅𝖽
i ρ𝗈𝗅𝖽ic𝗈𝗅𝖽
i
𝖼𝗆𝗈𝗅𝖽i
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMM
∈
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i v𝗈𝗅𝖽
i ρ𝗈𝗅𝖽ic𝗈𝗅𝖽
i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i v𝗈𝗅𝖽
i ρ𝗈𝗅𝖽i 𝗉𝗄𝗇𝖾𝗐
j v𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jc𝗈𝗅𝖽i c𝗇𝖾𝗐
j
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
Sketch of Zerocash
10
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
[BCGGMTV14]
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i v𝗈𝗅𝖽
i ρ𝗈𝗅𝖽i 𝗉𝗄𝗇𝖾𝗐
j v𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jc𝗈𝗅𝖽i c𝗇𝖾𝗐
j
𝖼𝗆𝗈𝗅𝖽i
∑i
v𝗈𝗅𝖽i = ∑
j
v𝗇𝖾𝗐j
𝗌𝗄𝗈𝗅𝖽i
Simplify: just say that proof proves four things: Existence of coins, unique spends, construction of new coins, and correct values.
Reason: don’t use it in the rest of the talk anyway.
11
Zerocash achieves ideal anonymity for a single asset
(on a single blockchain).
11
Zerocash achieves ideal anonymity for a single asset
(on a single blockchain).
How to achieve ideal privacy for multiple user-defined assets (on the same blockchain)?
Private user-defined assets
12
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i ρ𝗈𝗅𝖽
i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jc𝗈𝗅𝖽i c𝗇𝖾𝗐
j
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
* For now we ignore how to mint an initial supply and generate a unique id.
*
Private user-defined assets
12
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i (𝗂𝖽𝗈𝗅𝖽
i , v𝗈𝗅𝖽i ) ρ𝗈𝗅𝖽
i 𝗉𝗄𝗇𝖾𝗐j (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j ) ρ𝗇𝖾𝗐
jc𝗈𝗅𝖽i c𝗇𝖾𝗐
j
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
* For now we ignore how to mint an initial supply and generate a unique id.
*
Private user-defined assets
12
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
𝗉𝗄𝗈𝗅𝖽i (𝗂𝖽𝗈𝗅𝖽
i , v𝗈𝗅𝖽i ) ρ𝗈𝗅𝖽
i 𝗉𝗄𝗇𝖾𝗐j (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j ) ρ𝗇𝖾𝗐
jc𝗈𝗅𝖽i c𝗇𝖾𝗐
j
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
* For now we ignore how to mint an initial supply and generate a unique id.
For every id in tx, id-value is conserved
*
13
13
So far: multiple, private, user-defined assets in the same transaction, with the same anonymity pool.
13
So far: multiple, private, user-defined assets in the same transaction, with the same anonymity pool.
But: assets are still isolated.
13
So far: multiple, private, user-defined assets in the same transaction, with the same anonymity pool.
But: assets are still isolated.
How to enable applications that interact with multiple assets?
Custom access to user-defined assets
14
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
∙ ∀𝗂𝖽, 𝗂𝖽-value is conserved
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽i 𝗉𝗄𝗇𝖾𝗐
j ρ𝗇𝖾𝗐j(𝗂𝖽𝗈𝗅𝖽
i , v𝗈𝗅𝖽i , 𝖺𝗎𝗑𝗈𝗅𝖽
i ) (𝗂𝖽𝗇𝖾𝗐j , v𝗇𝖾𝗐
j , 𝖺𝗎𝗑𝗇𝖾𝗐j )
Custom access to user-defined assets
14
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
∙ ∀𝗂𝖽, 𝗂𝖽-value is conserved
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐j
∙ ∀i, ϕ𝗈𝗅𝖽i (all coins) = 1
(𝗂𝖽𝗈𝗅𝖽i , v𝗈𝗅𝖽
i , 𝖺𝗎𝗑𝗈𝗅𝖽i ) (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j , 𝖺𝗎𝗑𝗇𝖾𝗐
j )
Custom access to user-defined assets
14
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
∙ ∀𝗂𝖽, 𝗂𝖽-value is conserved
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐j
∙ ∀i, ϕ𝗈𝗅𝖽i (all coins) = 1
(𝗂𝖽𝗈𝗅𝖽i , v𝗈𝗅𝖽
i , 𝖺𝗎𝗑𝗈𝗅𝖽i ) (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j , 𝖺𝗎𝗑𝗇𝖾𝗐
j )
Transaction reveals no information about asset
identifier, value, or predicate
15
Private atomic swaps
15
Private atomic swaps Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
ϕ𝖾𝗑𝖼𝗁(c𝗈𝗅𝖽1 , c𝗈𝗅𝖽
2 , c𝗇𝖾𝗐1 , c𝗇𝖾𝗐
2 ) :
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
ϕ𝖾𝗑𝖼𝗁(c𝗈𝗅𝖽1 , c𝗈𝗅𝖽
2 , c𝗇𝖾𝗐1 , c𝗇𝖾𝗐
2 ) :
Parse 𝖺𝗎𝗑𝗈𝗅𝖽1 as (𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
(𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
ϕ𝖾𝗑𝖼𝗁(c𝗈𝗅𝖽1 , c𝗈𝗅𝖽
2 , c𝗇𝖾𝗐1 , c𝗇𝖾𝗐
2 ) :
Parse 𝖺𝗎𝗑𝗈𝗅𝖽1 as (𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Check that 𝗂𝖽𝗈𝗅𝖽2 = 𝗂𝖽⋆ and v𝗈𝗅𝖽
2 = v⋆
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
(𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
ϕ𝖾𝗑𝖼𝗁(c𝗈𝗅𝖽1 , c𝗈𝗅𝖽
2 , c𝗇𝖾𝗐1 , c𝗇𝖾𝗐
2 ) :
Parse 𝖺𝗎𝗑𝗈𝗅𝖽1 as (𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Check that 𝗂𝖽𝗈𝗅𝖽2 = 𝗂𝖽⋆ and v𝗈𝗅𝖽
2 = v⋆
Perform swap: 𝗂𝖽𝗇𝖾𝗐
1 = 𝗂𝖽𝗈𝗅𝖽2 ; v𝗇𝖾𝗐
1 = v𝗈𝗅𝖽2
𝗂𝖽𝗇𝖾𝗐2 = 𝗂𝖽𝗈𝗅𝖽
1 ; v𝗇𝖾𝗐2 = v𝗈𝗅𝖽
1
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
(𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Key primitive for constructing DEXs
(𝗂𝖽𝗈𝗅𝖽1 , v𝗈𝗅𝖽
1 , 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝗈𝗅𝖽1 = ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1
15
Private atomic swaps
ϕ𝖾𝗑𝖼𝗁(c𝗈𝗅𝖽1 , c𝗈𝗅𝖽
2 , c𝗇𝖾𝗐1 , c𝗇𝖾𝗐
2 ) :
Parse 𝖺𝗎𝗑𝗈𝗅𝖽1 as (𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
Check that 𝗂𝖽𝗈𝗅𝖽2 = 𝗂𝖽⋆ and v𝗈𝗅𝖽
2 = v⋆
Perform swap: 𝗂𝖽𝗇𝖾𝗐
1 = 𝗂𝖽𝗈𝗅𝖽2 ; v𝗇𝖾𝗐
1 = v𝗈𝗅𝖽2
𝗂𝖽𝗇𝖾𝗐2 = 𝗂𝖽𝗈𝗅𝖽
1 ; v𝗇𝖾𝗐2 = v𝗈𝗅𝖽
1
Check addresses: 𝗉𝗄𝗇𝖾𝗐
1 = 𝗉𝗄⋆
𝗉𝗄𝗇𝖾𝗐2 = 𝗉𝗄𝗈𝗅𝖽
2
(𝗂𝖽𝗈𝗅𝖽2 , v𝗈𝗅𝖽
2 , 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
(𝗂𝖽𝗇𝖾𝗐1 , v𝗇𝖾𝗐
1 , ⊥ )
ϕ𝗇𝖾𝗐1
𝗉𝗄𝗇𝖾𝗐1
c𝗇𝖾𝗐1
(𝗂𝖽𝗇𝖾𝗐2 , v𝗇𝖾𝗐
2 , ⊥ )
ϕ𝗇𝖾𝗐2
𝗉𝗄𝗇𝖾𝗐2
c𝗇𝖾𝗐2
(𝗂𝖽⋆, v⋆, 𝗉𝗄⋆)
= 𝗉𝗄⋆
Key primitive for constructing DEXs
16
DEX
16
DEX
Atomic swap
16
DEX
Atomic swap
Order creation
Trade finalizationOrder discovery
17
DEX Architectures
17
DEX Architectures
Order-based:
17
• Order book maintains list of orders published by makers
DEX Architectures
Order-based:
17
• Order book maintains list of orders published by makers
DEX Architectures
Order-based: (A, B, vA, vB, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them
DEX Architectures
Order-based: (A, B, vA, vB, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based: (A, B, vA, vB, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
Index-based:
(A, B, vA, vB, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
• Index maintains list of “intents-to-trade” published by makersIndex-based:
(A, B, vA, vB, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
• Index maintains list of “intents-to-trade” published by makersIndex-based:
(A, B, vA, vB, …)
(A, B, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
• Index maintains list of “intents-to-trade” published by makers• Takers can scan for intentions and interact with makers to fill
orders
Index-based:
(A, B, vA, vB, …)
(A, B, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
• Index maintains list of “intents-to-trade” published by makers• Takers can scan for intentions and interact with makers to fill
orders• Eg: AirSwap
Index-based:
(A, B, vA, vB, …)
(A, B, …)
17
• Order book maintains list of orders published by makers• Takers can scan for open orders and fill them• Eg: Radar Relay, IDEX.
DEX Architectures
Order-based:
• Index maintains list of “intents-to-trade” published by makers• Takers can scan for intentions and interact with makers to fill
orders• Eg: AirSwap
Index-based:
(A, B, vA, vB, …)
(A, B, …)
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Intent-based DEX
18
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Intent-based DEX
18
Maker
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Intent-based DEX
18
Maker
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Intent-based DEX
18
Maker Taker
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Intent-based DEX
18
Maker Taker
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Intent-based DEX
18
Maker Taker
tx
Index
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Intent-based DEX
18
Maker Taker
tx Ledger
Index
19
Privacy Leakage
Ledger
tx
M T
19
Privacy Leakage
Ledger
tx“The addresses
addrM and addrT are exchanging
vA units of A for
vB units of B”
M T
19
Privacy Leakage
Ledger
tx“The addresses
addrM and addrT are exchanging
vA units of A for
vB units of B”
identities of transacting parties
M T
19
Privacy Leakage
Ledger
tx“The addresses
addrM and addrT are exchanging
vA units of A for
vB units of B”
identities of transacting parties
assets and values in the trade
M T
19
Privacy Leakage
Ledger
tx“The addresses
addrM and addrT are exchanging
vA units of A for
vB units of B”
identities of transacting parties
assets and values in the trade
Trade anonymityNo information about participants in the trade is revealed.
M T
19
Privacy Leakage
Ledger
tx“The addresses
addrM and addrT are exchanging
vA units of A for
vB units of B”
identities of transacting parties
assets and values in the trade
Trade anonymityNo information about participants in the trade is revealed.
Trade confidentialityNo information about the assets and values used in the trade is revealed.
M T
Private Intent-based DEX
20
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Index
Private Intent-based DEX
20
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Maker
Index
Private Intent-based DEX
20
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Maker
Index
Private Intent-based DEX
20
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Maker Taker
Index
Private Intent-based DEX
20
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Maker Taker
Index
Private Intent-based DEX
20
(A, vA) (B, vB)
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
Sell Buy Public key
BAT MKR pk1
ZRX OMG pk2
A B pkM
Maker Taker
Index
(A, vA) (B, vB)
Private Intent-based DEX
21
Maker
Private Intent-based DEX
21
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
Maker
Private Intent-based DEX
21
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
(c𝗈𝗅𝖽1 , 𝗌𝗄𝗈𝗅𝖽
1 )
Maker Taker
Private Intent-based DEX
21
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
(c𝗈𝗅𝖽1 , 𝗌𝗄𝗈𝗅𝖽
1 ) (B, vB, 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
Maker Taker
Private Intent-based DEX
21
tx
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
(c𝗈𝗅𝖽1 , 𝗌𝗄𝗈𝗅𝖽
1 ) (B, vB, 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
Maker Taker
Private Intent-based DEX
21
tx
Ledger
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
(c𝗈𝗅𝖽1 , 𝗌𝗄𝗈𝗅𝖽
1 ) (B, vB, 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
Maker Taker
Private Intent-based DEX
21
tx
Ledger
(A, vA, 𝖺𝗎𝗑𝗈𝗅𝖽1 )
ϕ𝖾𝗑𝖼𝗁
𝗉𝗄𝗈𝗅𝖽1
c𝗈𝗅𝖽1(B, vB, 𝗉𝗄𝖬)
(c𝗈𝗅𝖽1 , 𝗌𝗄𝗈𝗅𝖽
1 ) (B, vB, 𝖺𝗎𝗑𝗈𝗅𝖽2 )
ϕ𝗈𝗅𝖽2
𝗉𝗄𝗈𝗅𝖽2
c𝗈𝗅𝖽2
Maker Taker
Trade anonymity:tx hides all information about Maker and Taker.
Trade confidentiality: tx hides all information about A, B, vA, and vB.
22
22
Private user-defined assets
22
Private user-defined assets
Custom access to private user-defined
assets
22
Private DEX
Private user-defined assets
Custom access to private user-defined
assets
23
23
But what if you want a user-defined asset with a different (custom) policy?
23
But what if you want a user-defined asset with a different (custom) policy?
For example, simple ERC-20 tokens require only value-conservation. other tokens, like stablecoins, need to also implement blacklists and whitelists.
Birth predicates
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽i 𝗉𝗄𝗇𝖾𝗐
j ρ𝗇𝖾𝗐j(𝗂𝖽𝗈𝗅𝖽
i , v𝗈𝗅𝖽i , c𝗈𝗅𝖽
i ) (𝗂𝖽𝗇𝖾𝗐j , v𝗇𝖾𝗐
j , c𝗇𝖾𝗐j )
24
Birth predicates
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
𝖽,i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐𝖽, j
ϕ𝗈𝗅𝖽𝖽,i ( ⋅ ) = 1
ϕ𝗇𝖾𝗐𝖻, j ( ⋅ ) = 1
(𝗂𝖽𝗈𝗅𝖽i , v𝗈𝗅𝖽
i , c𝗈𝗅𝖽i ) (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j , c𝗇𝖾𝗐
j )
24
ϕ𝗇𝖾𝗐𝖻, jϕ𝗈𝗅𝖽
𝖻,i
Birth predicates
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
c𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
c𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
𝖽,i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐𝖽, j
ϕ𝗈𝗅𝖽𝖽,i ( ⋅ ) = 1
ϕ𝗇𝖾𝗐𝖻, j ( ⋅ ) = 1
(𝗂𝖽𝗈𝗅𝖽i , v𝗈𝗅𝖽
i , c𝗈𝗅𝖽i ) (𝗂𝖽𝗇𝖾𝗐
j , v𝗇𝖾𝗐j , c𝗇𝖾𝗐
j )
24
ϕ𝗇𝖾𝗐𝖻, jϕ𝗈𝗅𝖽
𝖻,i
∙ ∀𝗂𝖽, 𝗂𝖽-value is conserved∙ Policy p is enforced
Supporting arbitrary data and computation
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
r𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
r𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
𝖽,i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐𝖽, j
ϕ𝗈𝗅𝖽𝖽,i ( ⋅ ) = 1
ϕ𝗇𝖾𝗐𝖻, j ( ⋅ ) = 1
𝗉𝖺𝗒𝗅𝗈𝖺𝖽 𝗉𝖺𝗒𝗅𝗈𝖺𝖽
25
ϕ𝗇𝖾𝗐𝖻, jϕ𝗈𝗅𝖽
𝖻,i
Supporting arbitrary data and computation
rt 𝛑tx
set of all coin commitments
old coin serial numbers
new coin commitments ZKP
PRF
COMMCOMM
∈
𝗌𝗇𝗈𝗅𝖽i 𝖼𝗆𝗇𝖾𝗐
j
r𝗈𝗅𝖽i
𝖼𝗆𝗈𝗅𝖽i
𝗌𝗄𝗈𝗅𝖽i
r𝗇𝖾𝗐j𝗉𝗄𝗈𝗅𝖽
i ρ𝗈𝗅𝖽iϕ𝗈𝗅𝖽
𝖽,i 𝗉𝗄𝗇𝖾𝗐j ρ𝗇𝖾𝗐
jϕ𝗇𝖾𝗐𝖽, j
ϕ𝗈𝗅𝖽𝖽,i ( ⋅ ) = 1
ϕ𝗇𝖾𝗐𝖻, j ( ⋅ ) = 1
𝗉𝖺𝗒𝗅𝗈𝖺𝖽 𝗉𝖺𝗒𝗅𝗈𝖺𝖽
25
ϕ𝗇𝖾𝗐𝖻, jϕ𝗈𝗅𝖽
𝖻,i
Store arbitrary data
Store arbitrary data
ZEXE
26
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
Theoretical crypto: Decentralized Private Computation
crypto primitive that realizes a ledger-based RNK where txs reveal NO information about computations
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
Theoretical crypto: Decentralized Private Computation
crypto primitive that realizes a ledger-based RNK where txs reveal NO information about computations
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
Theoretical crypto: Decentralized Private Computation
crypto primitive that realizes a ledger-based RNK where txs reveal NO information about computations
Applied crypto: ZEXE
leverage techniques from zkSNARKs, recursive composition, and efficient circuit design
ZEXE
26
Modeling: Records Nano-Kernelminimalist shared execution environment that defines rules for computing on records (units of data)
Theoretical crypto: Decentralized Private Computation
crypto primitive that realizes a ledger-based RNK where txs reveal NO information about computations
Applied crypto: ZEXE
leverage techniques from zkSNARKs, recursive composition, and efficient circuit design
libzexe.org