
Introduction to Blockchain Privacy Preserving Techniques


A Deep Dive on Ring Signatures, Ring Confidential Transactions, Zero Knowledge Proofs, Smart Contract Obfuscation, Circular Queue, Block Matrix etc. from the Blockchain Privacy Perspective. From my session on Blockchain Security in the Blockchain 2.0 Summit organised by Clavent in Bangalore.


  1. Blockchain Privacy Preserving Techniques: Ring Signatures, Zero Knowledge Proofs, Circular Queues, Block Matrices and Much More!
  2. The most powerful privacy preserving technique is cryptographically secure obfuscation.
  3. Perfect black-box obfuscation is mathematically impossible.
  4. There is a weaker standard, known as indistinguishability obfuscation, that can be satisfied.
  5. When an obfuscated program uses a cryptographic private key, and indistinguishability is satisfied, then two obfuscated programs with the same behaviour cannot be distinguished from each other. Anyone in possession of the obfuscated program therefore has no way of extracting the private key, because extracting it would be a way of distinguishing the programs.
  6. What happens when we obfuscate a smart contract • The obfuscated smart contract will contain a private key and will accept instructions encrypted with the corresponding public key. • The contract stores account balances in storage encrypted; if the contract wants to read the storage it decrypts it internally, and if the contract wants to write to storage it encrypts the desired result before writing it. • If someone wants to read the balance of their account, they encode that request as a transaction and simulate it on their own machine. • The obfuscated smart contract code will check the signature on the transaction to see if that user is entitled to read the balance.
  7. Constraints and Challenges in Obfuscation Techniques • Executing an obfuscated 2-bit multiplication circuit on the same CPU would take 1.3 × 10^8 years. • Additionally, if you want to prevent reads and writes to storage from being a data leak vector, you must also set up the contract so that read and write operations always modify large portions of the contract's entire state, another source of overhead.
  8. Alternatives: Secure Multi-Party Computation • Secure multi-party computation allows a program and its state to be split among N parties in such a way that you need M of them to cooperate in order to either complete the computation or reveal any internal data in the program or the state. • Thus, if you can trust the majority of the participants to be honest, the scheme is as good as obfuscation. • The Enigma protocol uses multi-party computation to implement a secret-sharing DAO concept.
  9. Constraints and Challenges of SMPC • Addition operations can be processed very quickly, but every time an SMPC instance performs some very small fixed number of multiplication operations it needs to perform a degree reduction step involving messages being sent from every node to every node in the network.
  10. Constraints and Challenges of SMPC • The requirement of trust in the participants is also an onerous one. Participants have the ability to save the data and then collude to uncover it at any future point in history. • Additionally, it is impossible to tell that they have done this, and so it is impossible to incentivise the participants to maintain the system’s privacy. • For this reason, secure multi-party computation is arguably much more suitable for private blockchains, where incentives can come from outside the protocol, than for public chains.
  11. Agenda • Ring Signatures • Zero Knowledge Proofs • Trusted Execution Environments • Circular Queues • Block Matrices
  12. Zero Knowledge Proof Systems • The notion of zero-knowledge was first proposed in 1985 by MIT researchers Shafi Goldwasser, Silvio Micali and Charles Rackoff in their paper “The knowledge complexity of interactive proof systems”. • A zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true.
  13. Zero Knowledge Proof Systems • Zero-knowledge proofs allow a user to construct a mathematical proof that a given program, when executed on some (possibly hidden) input known by the user, has a particular (publicly known) output, without revealing any other information. • You can think of a digital signature as a kind of zero-knowledge proof showing that you know the value of a private key which, when processed using a standard algorithm, can be converted into a particular public key.
  14. Requirements for Zero Knowledge Proofs • Completeness: if the input is true, the zero-knowledge proof always returns ‘true’. • Soundness: if the input is false, it is not possible to trick the zero-knowledge proof into returning ‘true’. • Privacy: the input cannot be obtained by any other party.
  15. Succinct Zero Knowledge Proofs (zk-SNARKs) • The term was introduced in 2012 by Nir Bitansky, Ran Canetti, Alessandro Chiesa and Eran Tromer and describes a special variation of the zero-knowledge technique. • Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. • Most importantly, zk-SNARKs reduce the size of the proofs and the computational effort required to verify them.
  16. Zero Knowledge Proof for Digital Identity Systems • You would then make a zero-knowledge proof showing that you have an input that, when passed through this function, returns 1, and sign the proof with another private key that you want to use for future interactions with this service. • The service would verify the proof and, if the proof is correct, it would accept messages signed with your private key as valid.
  17. Zero Knowledge Proof for Digital Token Ownership • In order to have a functioning digital token system, you do not strictly need to have visible accounts and balances; in fact, all that you need is a way to solve the "double spending" problem. • The claim that you would zero-knowledge-prove is something like "I know a secret number behind one of the accounts in this set of accounts that have been created, and it does not match any of the secret numbers that have already been revealed”. • Accounts in this scheme become one-time-use: an "account" is created every time assets are sent, and the sender account is completely consumed. • If you do not want to completely consume a given account, then you must simply create two accounts, one controlled by the recipient and the other, with the remaining "change", controlled by the sender themselves.
  18. Zero Knowledge Proof for Two Party Smart Contracts • When the contract is first negotiated, instead of creating a smart contract containing the actual formula by which the funds will eventually be released, create a contract containing the hash of the formula. • (e.g. in a binary option, the formula would be "if index I as released by some data source is greater than X, send everything to A, otherwise send everything to B”) • When the contract is to be closed, either party can themselves compute the amount that A and B should receive, and provide the result alongside a zero-knowledge proof that a formula with the correct hash provides that result. • The blockchain finds out how much A and B each put in, and how much they get out, but not why they put in or get out that amount.
  19. Advantages of Zero Knowledge Proofs • Zero knowledge transfer, as the name suggests • Computational efficiency: no encryption • Based on problems like discrete logarithms and integer factorization • No degradation of the protocol
  20. Bitcoin Approach to Privacy Preservation • Just like with Zcash, every transaction must completely empty one or more accounts and create one or more new accounts, and it is recommended for users to generate a new private key for every new account that they intend to receive funds into (though it is possible to have multiple accounts with the same private key). • The main benefit that this brings is that a user's funds are not linked to each other by default.
  21. However, there is a problem. If, at any point in the future, you make a transaction consuming from two accounts at the same time, then you irreversibly "link" those accounts, making it obvious to the world that they come from one user. What's more, these linkages are transitive: if, at any point, you link together A and B, and then at any other point link together A and C, and so forth, then you have created a large amount of evidence by which statistical analysis can link up your entire set of assets.
  22. Bitcoin developer Mike Hearn came up with a mitigation strategy that reduces the likelihood of this happening, called merge avoidance: essentially, a fancy term for trying really hard to minimize the number of times that you link accounts together by spending from them at the same time. This definitely helps, but even so, privacy inside the Bitcoin system has proven to be highly porous and heuristic, with nothing even close to approaching high guarantees.
  23. Two Party Smart Contracts with Cryptoeconomics beyond Cryptography: Auditable Computation and Verifiable Data Structures • The participants send their funds into a contract which stores the hash of the code. • When it comes time to send out funds, either party can submit the result. • The other party can either send a transaction to agree on the result, allowing the funds to be sent, or it can publish the actual code to the contract, at which point the code will run and distribute the funds correctly. • A security deposit can be used to incentivize the parties to participate honestly.
  24. Ring Signatures • A ring signature is essentially a signature that proves that the signer has a private key corresponding to one of a specific set of public keys, without revealing which one. • A ring signature algorithm includes a mathematical function which can be computed normally with just a public key, but where knowing the private key allows you to add a seed to the input to make the output be whatever specific value you want. • The signature itself consists of a list of values, where each value is set to the function applied to the previous value (plus some seed); producing a valid signature requires using knowledge of a private key to "close the loop", forcing the last value that you compute to equal the first. • Given a valid "ring" produced in this way, anyone can verify that it is indeed a "ring", i.e. each value is equal to the function computed on the previous value plus the given seed, but there is no way to tell at which "link" in the ring a private key was used.
  25. Ring Signatures: Defining Properties • Ring signatures are a type of cryptographic digital signature and were invented back in 2001 by Ron Rivest, Adi Shamir and Yael Tauman and subsequently introduced at Asiacrypt. • The concept is similar to that of group signatures; however, there is no way to identify the actual signer of a ring signature transaction, and an arbitrary group of users can be included in the ring signature without any additional setup.
  26. The original concept was for ring signatures to function as a way to leak secret information, specifically from high-ranking government officials, without actually revealing who signed the message.
  27. Eiichiro Fujisaki and Koutarou Suzuki proposed Traceable Ring Signatures in 2006 as an improvement to some of the vulnerabilities around ring signatures concerning manipulation by malicious or irresponsible signers. An optimized version of this type of ring signature is what is currently employed in the CryptoNote coins and is used to provide untraceability of the sender in a P2P transaction by obscuring the source of the inputs in the transaction.
  28. Ring Signatures: Essential Concepts • Ring signatures may require multiple different public keys for verification, and the word “ring” is used because it consists of a group of partial digital signatures from various users that come together to form a unique signature that is used to sign a transaction. • This group is known as the ring and can be arbitrarily selected from outputs of other users on the blockchain.
  29. Addressing the Double Spending Possibility in Ring Signatures using Key Images • A key image is a cryptographic key that is derived from the output being spent and is part of every ring signature transaction. • There is only one unique key image for each output on the blockchain, and a list of all used key images is maintained on the blockchain. • Due to the cryptographic properties of key images, it is not possible to make a correlation between an output on the blockchain and its key image.
  30. Ring Confidential Transactions • In the initial ring signature format, outputs had to be broken up into separate rings, since ring signatures could only contain outputs of the same value. • Due to this, third parties were able to see the actual amounts being transacted. Implementing Ring CTs makes the transactions stored in the blockchain opaque, rather than transparent as in a cryptocurrency such as Bitcoin.
  31. Range Proofs in Ring Confidential Transactions • Ring CTs also use a commitment scheme that is enabled through a range proof. • These range proofs prove that an amount used in a transaction is greater than 0 and less than some other number, without actually revealing the amounts transacted. So outside observers cannot actually see the transaction, but can be assured through cryptographic verification that the transaction is valid.
  32. A Data Structure for Integrity Protection with Erasure Capability • The European General Data Protection Regulation (GDPR) requires that organizations make it possible to delete all information related to a particular individual, at that person's request. • This requirement may be incompatible with current blockchain data structures, including private (permissioned) blockchains, because blockchains are designed to ensure that block contents are immutable. Any change in a block will invalidate subsequent hashes in following blocks, losing integrity protection. • This note describes a data structure that provides the capability of deleting specified blocks while retaining hash-based assurance that other blocks are unchanged. It is primarily designed to be implemented in a permissioned infrastructure, providing certain features of existing permissioned blockchains.
  33. Blockmatrix is a data structure that supports the ongoing auditing of hash-linked records while also allowing the deletion of arbitrary records, preserving hash-based integrity.
  34. Blocks are numbered 1 to k and added to the data structure starting with cell (0,1). It is desirable to keep the cells on the diagonal null.
  35. Properties of Block Matrix • Balance: cells are filled in a balanced manner, so that the upper half contains at most one cell more than the lower half. • Hash chain length: the number of blocks in a row or column hash chain is proportional to the square root of N for a matrix of N blocks, by the balance property. • Block dispersal: no consecutive blocks appear in the same row or column. Because no two consecutive blocks appear in the same row or column, it is possible to delete two consecutive blocks simultaneously without disturbing integrity protection for the others.
  36. A Data Structure Encryption Algorithm based on Circular Queue to Enhance Data Security • An algorithm that uses the shifting and replacing operations of bi-column-bi-row for a circular queue to increase security. • A random number is used in this algorithm to control the shifting between the row and the column; eventually this leads to an increase in the complexity of plaintext encryption. • An elliptic curve algorithm can be developed based on matrix scrambling using a circular queue.
  37. This algorithm enables the shifting of elements in the outer or inner array, the swapping of elements among circular arrays, and XORing based on a generated random number.
  38. Future of Privacy: Challenges • There are two major challenges with privacy preserving protocols in blockchains. • One of the challenges is statistical: in order for any privacy-preserving scheme to be computationally practical, the scheme must only alter a small part of the blockchain state with every transaction. However, even if the contents of the alteration are private, there will inevitably be some amount of metadata that is not. • The second challenge is the developer experience challenge.
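The SMPC slides (slides 8 to 10) state that additions are cheap but every few multiplications force a degree reduction step with messages from every node to every node. The following is an added example, not code from the slides or from the Enigma project, that makes this concrete with Shamir secret sharing over a prime field: shares of two values are added and multiplied locally, the product is shown to need 2t + 1 shares instead of t + 1, and a re-sharing round brings it back to degree t. The field modulus (the Mersenne prime 2^61 - 1), the party count and the threshold are parameters I chose for the demonstration.

```python
import secrets

P = (1 << 61) - 1  # field modulus: the Mersenne prime 2^61 - 1 (demo parameter)


def share(secret: int, t: int, n: int):
    """Split `secret` into n shares on a random degree-t polynomial f with f(0) = secret.
    Any t + 1 shares reconstruct it; any t shares are consistent with every secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def lagrange_weights(xs):
    """Weights w_i with f(0) = sum(w_i * f(x_i)) for any polynomial of degree < len(xs)."""
    ws = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        ws.append(num * pow(den, P - 2, P) % P)
    return ws


def reconstruct(points):
    ws = lagrange_weights([x for x, _ in points])
    return sum(w * y for w, (_, y) in zip(ws, points)) % P


def add_shares(a, b):
    """Addition is local: each party adds its two shares, no messages needed."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def mul_shares(a, b):
    """Multiplication is local too, but the product lies on a degree-2t polynomial,
    so t + 1 shares no longer reconstruct it."""
    return [(x, (ya * yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def degree_reduce(product_shares, t, n):
    """The degree-reduction round: each of the 2t + 1 participating parties re-shares its
    product share with a fresh degree-t polynomial (one message to every other party);
    each receiver combines what it got with the Lagrange weights of the senders'
    evaluation points, which yields a degree-t sharing of the same product."""
    assert len(product_shares) >= 2 * t + 1, "need 2t + 1 parties online"
    ws = lagrange_weights([x for x, _ in product_shares])
    resharings = [share(y, t, n) for _, y in product_shares]  # sender i -> one share per party
    return [(k + 1, sum(w * resharings[i][k][1] for i, w in enumerate(ws)) % P)
            for k in range(n)]


def demo(t: int = 2, n: int = 5):
    a, b = 1234, 5678  # constructed sample inputs
    sa, sb = share(a, t, n), share(b, t, n)
    out = {"sum_from_t_plus_1": reconstruct(add_shares(sa, sb)[: t + 1])}
    prod = mul_shares(sa, sb)
    out["product_from_t_plus_1"] = reconstruct(prod[: t + 1])       # wrong: degree 2t
    out["product_from_2t_plus_1"] = reconstruct(prod[: 2 * t + 1])  # right, but 2t + 1 needed
    reduced = degree_reduce(prod[: 2 * t + 1], t, n)
    out["product_after_reduction"] = reconstruct(reduced[: t + 1])  # t + 1 suffice again
    return out


if __name__ == "__main__":
    print(demo())
```

Every call to `degree_reduce` costs n × (2t + 1) messages, which is the all-to-all traffic the slides describe; additions never trigger it, so the cost of an SMPC program is dominated by its multiplication depth.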
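Slides 24 and 29 describe the ring as a chain of values where each link's output feeds the next and only the private key can close the loop, and the key image as a per-output value that exposes a second spend without exposing the signer. The following is an added example, not code from the slides or from any CryptoNote implementation, of a linkable Schnorr-style ring signature with a key image in a randomly generated 128-bit safe-prime Schnorr group (my choice; real systems use elliptic curves and far larger parameters). With a ring of one member it collapses to a plain Schnorr proof of knowledge of the private key, the "signature as a zero-knowledge proof" view of slide 13. The function names, the hash-to-group construction and the group size are assumptions of this example.

```python
import hashlib
import secrets

BITS = 128  # demo group size (assumption); far too small for production use

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, with trial division to reject most candidates cheaply."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = BITS):
    """Schnorr group: safe prime p = 2q + 1 and g = 4, a square, so g has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def hash_to_scalar(mod: int, *parts) -> int:
    """Length-prefixed SHA-256 over ints/bytes, reduced modulo mod."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % mod

def hash_to_group(p: int, y: int) -> int:
    """Hp(y): a subgroup element tied to public key y whose discrete log nobody knows."""
    return pow(hash_to_scalar(p - 1, b"Hp", y) + 1, 2, p)

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def key_image(p, x, y):
    """I = Hp(y)^x: fixed per key, so spending the same output again reuses the image."""
    return pow(hash_to_group(p, y), x, p)

def ring_sign(group, msg: bytes, ring: list, s: int, x: int):
    """Linkable ring signature by member s (private key x) over public keys `ring`."""
    p, q, g = group
    n = len(ring)
    I = key_image(p, x, ring[s])
    c, r = [0] * n, [0] * n
    alpha = secrets.randbelow(q - 1) + 1
    # real link: honest commitments under a fresh nonce; its challenge feeds the next link
    L, R = pow(g, alpha, p), pow(hash_to_group(p, ring[s]), alpha, p)
    c[(s + 1) % n] = hash_to_scalar(q, msg, I, L, R)
    for k in range(1, n):  # decoy links: random response, challenge chained onward
        i = (s + k) % n
        r[i] = secrets.randbelow(q)
        L = pow(g, r[i], p) * pow(ring[i], c[i], p) % p
        R = pow(hash_to_group(p, ring[i]), r[i], p) * pow(I, c[i], p) % p
        c[(i + 1) % n] = hash_to_scalar(q, msg, I, L, R)
    r[s] = (alpha - c[s] * x) % q  # close the loop: only x makes link s consistent
    return c[0], r, I

def ring_verify(group, msg: bytes, ring: list, sig) -> bool:
    """Anyone can walk the ring and check that it closes; no link reveals the signer."""
    p, q, g = group
    c0, r, I = sig
    if len(r) != len(ring) or not (0 < I < p and pow(I, q, p) == 1):
        return False
    c = c0
    for y, ri in zip(ring, r):
        L = pow(g, ri, p) * pow(y, c, p) % p
        R = pow(hash_to_group(p, y), ri, p) * pow(I, c, p) % p
        c = hash_to_scalar(q, msg, I, L, R)
    return c == c0

def demo(n_members: int = 4):
    """Sign with one member, then show the key-image list catching a second spend."""
    group = make_group()
    keys = [keygen(*group) for _ in range(n_members)]
    ring = [y for _, y in keys]
    x2 = keys[2][0]
    used_images = set()  # the chain's list of spent key images
    sig1 = ring_sign(group, b"tx1", ring, 2, x2)
    out = {"valid": ring_verify(group, b"tx1", ring, sig1),
           "tampered_msg": ring_verify(group, b"tx1'", ring, sig1)}
    used_images.add(sig1[2])
    sig2 = ring_sign(group, b"tx2", ring, 2, x2)  # same key spent again
    out["double_spend"] = ring_verify(group, b"tx2", ring, sig2) and sig2[2] in used_images
    sig3 = ring_sign(group, b"tx3", ring, 0, keys[0][0])  # a different member
    out["other_unlinked"] = ring_verify(group, b"tx3", ring, sig3) and sig3[2] not in used_images
    return out

if __name__ == "__main__":
    print(demo())
```

The verifier never learns the index `s`: every link is checked by the same formula, and the real link looks exactly like a decoy. What it can do is compare the key image against the chain's list of used images, which is the double-spend check of slide 29 done without any correlation to the output itself.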
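Slides 30 and 31 say that Ring CT hides amounts behind a commitment scheme and that a range proof shows each amount lies between 0 and some bound. This added example (mine, not code from the slides or from any Ring CT implementation) uses Pedersen commitments to show the two halves of that design: the verifier checks that inputs and outputs balance without seeing any amount, and an out-of-range "negative" output balances the books while creating money, which is exactly what the range proof exists to rule out. The group (the toy safe prime 10007 = 2 × 5003 + 1), the derivation of the second generator and the 12-bit range bound are assumptions for the demonstration; the group is far too small to hide anything against brute force and is chosen only to keep the arithmetic visible.

```python
import hashlib
import secrets

P, Q = 10007, 5003  # toy safe prime P = 2Q + 1 (assumption: demo size only)
G = 4               # a square mod P, hence a generator of the order-Q subgroup
RANGE_BITS = 12     # amounts must lie in [0, 2^12); 2 * 2^12 < Q, so two in-range
                    # outputs can never wrap around the group order


def derive_h() -> int:
    """Second generator with no known log base G: hash a fixed label, square it into
    the subgroup, and retry on the degenerate values 1 and G."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"pedersen-H-%d" % ctr).digest(), "big") % (P - 1) + 1
        h = pow(x, 2, P)
        if h not in (1, G):
            return h
        ctr += 1


H = derive_h()


def commit(amount: int, blinding: int) -> int:
    """Pedersen commitment C = G^amount * H^blinding: the blinding hides the amount,
    the unknown log of H binds the committer to it."""
    return pow(G, amount % Q, P) * pow(H, blinding % Q, P) % P


def build_tx(in_amount: int, out_amounts: list):
    """Sender side: output blindings chosen to sum to the input blinding, so the
    commitments balance exactly when the amounts do.  Returns (inputs, outputs, amounts)."""
    r_in = secrets.randbelow(Q)
    r_out = [secrets.randbelow(Q) for _ in out_amounts[:-1]]
    r_out.append((r_in - sum(r_out)) % Q)
    return ([commit(in_amount, r_in)],
            [commit(a, r) for a, r in zip(out_amounts, r_out)],
            out_amounts)


def balances(inputs: list, outputs: list) -> bool:
    """Verifier side: product of input commitments == product of output commitments,
    checked without learning any amount (the homomorphic property)."""
    lhs = rhs = 1
    for c in inputs:
        lhs = lhs * c % P
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs


def in_range(amount: int) -> bool:
    """The statement a range proof certifies in zero knowledge.  Evaluated in the
    clear here only to show its role; a real verifier never sees `amount`."""
    return 0 <= amount < (1 << RANGE_BITS)


def demo():
    out = {}
    ins, outs, _ = build_tx(50, [30, 20])          # constructed sample transaction
    out["honest_tx_balances"] = balances(ins, outs)
    ins, outs, _ = build_tx(50, [30, 25])          # spends 55 from 50
    out["overspend_rejected"] = not balances(ins, outs)
    # pay out 10 from an input of 5 by making the "change" output Q - 5, i.e. -5 mod Q
    ins, outs, amounts = build_tx(5, [10, Q - 5])
    out["wraparound_balances"] = balances(ins, outs)
    out["wraparound_fails_range"] = not all(in_range(a) for a in amounts)
    return out


if __name__ == "__main__":
    print(demo())
```

The balance check alone is therefore not enough: because amounts live modulo the group order, a commitment to a huge value acts as a negative amount. The range bound has to be small enough that the sum of all outputs in a transaction cannot reach the group order, and the range proof has to be verified for every output.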
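Slides 32 to 35 describe a block matrix whose blocks are protected by one hash chain per row and one per column, so that a block can be erased by recomputing only its own row and column chains while every other block stays covered. This added example (mine, not the slides' or NIST's code) implements that structure and checks the listed properties: the diagonal stays empty, fills are balanced, no two consecutive blocks share a row or column, two consecutive blocks can be erased together, and a silent edit of any remaining block is detected. The fill order used (odd blocks fill the upper triangle column by column, even blocks take the mirrored lower cell), the deletion placeholder and the class and function names are assumptions chosen to satisfy the slides' properties, not necessarily the exact ordering of the original design.

```python
import hashlib

DELETED = b"\x00<deleted>"  # placeholder hashed in place of an erased block (assumption)


def cell_for(block_no: int):
    """Cell (row, col) of block number n (1-based).  Odd blocks fill the upper triangle
    column by column: (0,1),(0,2),(1,2),(0,3),...; even blocks take the mirrored cell."""
    k = (block_no + 1) // 2  # index of the upper-triangle cell, 1-based
    col = 1
    while k > col:
        k -= col
        col += 1
    row = k - 1
    return (row, col) if block_no % 2 else (col, row)


def chain_hash(blocks) -> bytes:
    """Hash chain over one row or column: each link commits to the previous digest."""
    h = b""
    for b in blocks:
        h = hashlib.sha256(h + (DELETED if b is None else b)).digest()
    return h


class BlockMatrix:
    def __init__(self):
        self.cells = {}  # (row, col) -> block bytes, or None once erased
        self.count = 0
        self.row_hash, self.col_hash = {}, {}

    def row(self, r):
        return [d for (rr, c), d in sorted(self.cells.items()) if rr == r]

    def col(self, c):
        by_col = sorted(self.cells.items(), key=lambda kv: kv[0][::-1])
        return [d for (r, cc), d in by_col if cc == c]

    def _rehash(self, r, c):
        self.row_hash[r] = chain_hash(self.row(r))
        self.col_hash[c] = chain_hash(self.col(c))

    def add(self, data: bytes) -> int:
        self.count += 1
        r, c = cell_for(self.count)
        self.cells[(r, c)] = data
        self._rehash(r, c)
        return self.count

    def delete(self, block_no: int):
        """Erase one block; only its own row and column chains are recomputed."""
        r, c = cell_for(block_no)
        self.cells[(r, c)] = None
        self._rehash(r, c)

    def verify(self) -> bool:
        """Recompute every chain from the stored contents; any silent change fails."""
        return (all(chain_hash(self.row(r)) == h for r, h in self.row_hash.items())
                and all(chain_hash(self.col(c)) == h for c, h in self.col_hash.items()))


def demo():
    bm = BlockMatrix()
    for i in range(1, 9):                       # constructed sample records
        bm.add(b"record-%d" % i)
    out = {"fresh": bm.verify()}
    rows_before = dict(bm.row_hash)
    bm.delete(4)
    bm.delete(5)                                # consecutive blocks: disjoint rows and columns
    out["after_erasure"] = bm.verify()
    touched = {r for r, h in bm.row_hash.items() if rows_before[r] != h}
    out["only_own_rows_touched"] = touched == {cell_for(4)[0], cell_for(5)[0]}
    bm.cells[cell_for(1)] = b"record-1 (tampered)"  # edit without rehashing
    out["tamper_detected"] = not bm.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

A block's chain hashes are what an auditor keeps (for example signed at each checkpoint); after an erasure the auditor accepts exactly two new chain values, and every other block is still pinned by at least one chain that did not change.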