Uploaded by wu shuang

PriBank: Confidential Blockchain Scaling

PriBank: Confidential Blockchain Scaling Using Short
Commit-and-Prove NIZK Argument
Kristian Gjøsteen
Mayank Raikwar
Shuang Wu
NTNU - Norwegian University of Science and Technology, Trondheim, Norway
PriBank: Confidential Blockchain Scaling Using Short Commit-and-Prove NIZK Argument
February 7, 2022
1 / 24
Account-based Blockchain Cryptocurrency Systems
[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3); ledger entries u1 : b1, u2 : b2, u3 : b3]
Problems
Scalability
Low transaction throughput and high transaction fee
Ethereum: 13 transactions per second
Privacy
Everything is public
Users’ balances
Transaction values, senders, recipients
Layer 2 Scaling Solution (ZK-Rollup)
Layer 2 Blockchain Scaling Architecture
No changes to the underlying blockchain (layer 1)
Perform a vast majority of computations off-chain and later put the
compressed updates about users’ states on-chain.
ZK-Rollup
[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3) and an Operator; Updates {v1, v2, v3 ...}; ledger entries u1 : b1, u2 : b2, u3 : b3]
ZK-Rollup
[Figure: timeline of epochs r − 2, r − 1, r, r + 1, with the phases Register/Transfer, Commit, Exit repeating along it]
ZK-Rollup
[Figure: the same ZK-Rollup diagram, with Updates shown as {$, %, &...} and ledger entries u1 : ?, u2 : ?, u3 : ?]
ZK-Rollup
[Figure: the same ZK-Rollup diagram, with Updates {v1, v2, v3 ...} accompanied by a SNARK; ledger entries u1 : b1, u2 : b2, u3 : b3]
Our Goal
Add privacy on layer-2 scaling solutions
Hide users’ balances
Hide transaction values
Layer 2 Scaling + Privacy
Hide the values by Pedersen commitment
[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3) and an Operator; Updates {cv1, cv2, cv3 ...}; ledger entries u1 : b1, u2 : b2, u3 : b3]
Layer 2 Scaling + Privacy
Hide the values by Pedersen commitment
[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3) and an Operator; Updates {cv1, cv2, cv3 ...} accompanied by a ZK Proof; ledger entries u1 : cb1, u2 : cb2, u3 : cb3]
Layer 2 Scaling + Privacy
[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3) and an Operator; Updates {cv1, cv2, cv3 ...} accompanied by a ZK Proof; ledger entries u1 : cb1, u2 : cb2, u3 : cb3]
The blockchain records $c_{b_i}$, $c_{t_i}$, and $d$
$t_i$: pre-agreed randomness
$d$: balance mask such that $b_i = t_i - d_i$
Privacy on the top of Blockchain Scaling Model
What do we need to prove?
1. $b_i, b_i', v_i \in \{0, \dots, 2^n\}$
2. $b_i - \sum v_{ij} \in \{0, \dots, 2^n\}$
3. $b_i' = b_i - \sum v_{ij} + \sum v_{ji}$
4. $b_i' = t_i - d_i$
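As an added illustration (not code from the slides or from the PriBank implementation): the additive homomorphism of Pedersen commitments lets condition 3 be checked on commitments alone, but exponents wrap modulo the group order, so the range conditions are what stop an overdraft. The group parameters, `N = 8` and all function names are assumptions made for this toy example.

```python
import secrets

# Constructed toy parameters: far too small to be secure, illustration only.
P, Q = 2039, 1019      # safe prime P = 2Q + 1; we work in the order-Q subgroup
G, H = 4, 9            # two squares mod P, so both generate that subgroup
N = 8                  # assumed bit length n for the range {0, ..., 2^n}

def commit(value, rand):
    """Pedersen commitment G^value * H^rand mod P (exponents reduced mod Q)."""
    return pow(G, value % Q, P) * pow(H, rand % Q, P) % P

def updated_commitment(c_b, c_outs, c_ins):
    """Commitment to b - sum(v_ij) + sum(v_ji), computed from commitments only."""
    c = c_b
    for c_v in c_outs:
        c = c * pow(c_v, -1, P) % P      # dividing commitments subtracts values
    for c_v in c_ins:
        c = c * c_v % P                  # multiplying commitments adds values
    return c

def in_range(value):
    """Range condition on the value as the group sees it (reduced mod Q)."""
    return 0 <= value % Q <= 2 ** N

def run_epoch(b, outs, ins):
    """Return (equation_holds, new_balance_mod_Q, spend_in_range) for one user."""
    rnd = lambda: secrets.randbelow(Q)
    r_b = rnd()
    outs = [(v, rnd()) for v in outs]
    ins = [(v, rnd()) for v in ins]
    c_new = updated_commitment(commit(b, r_b),
                               [commit(v, r) for v, r in outs],
                               [commit(v, r) for v, r in ins])
    after_spend = b - sum(v for v, _ in outs)
    b_new = after_spend + sum(v for v, _ in ins)
    r_new = r_b - sum(r for _, r in outs) + sum(r for _, r in ins)
    # Condition 3: the opening (b_new, r_new) matches the derived commitment.
    holds = c_new == commit(b_new, r_new)
    # Condition 2: b - sum(v_ij) must be in range; a negative value wraps mod Q.
    return holds, b_new % Q, in_range(after_spend)

if __name__ == "__main__":
    print(run_epoch(100, [30, 20], [5]))   # honest user
    print(run_epoch(10, [50], []))         # overdraft: equation holds, range fails
```

In the overdraft case the balance equation still verifies because −40 is committed as 979 modulo Q; only the range check rejects it.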
Commit-and-Prove NIZK Argument
We represent the computations as an arithmetic circuit and build a NIZK
argument for the satisfiability of the circuit.
Arithmetic circuit
Notation:
Assign a variable $a_1, a_2, \dots, a_m$ to each wire in the circuit.
Each gate gives a constraint.
For example: $a_1 \cdot a_2 = a_3$
Commit-and-Prove NIZK Argument
An arithmetic circuit satisfaction problem can be represented as a
Quadratic Arithmetic Program (QAP) satisfaction problem, where the
circuit is reduced to a polynomial equation.

$$\sum_{i=0}^{m} a_i u_i(X) \cdot \sum_{i=0}^{m} a_i v_i(X) = \sum_{i=0}^{m} a_i w_i(X) + h(X)\,t(X)$$

Statements: $a_1, \dots, a_l$
Witness: $a_{l+1}, \dots, a_m$, and the coefficients of $h(X)$: $h_0, h_1, \dots, h_{2n-2}$
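An added worked example (not from the slides): a two-gate circuit, with the slide's a1 · a2 = a3 as its first gate, checked as a QAP over a toy field. The field size, the evaluation points, the second gate and all function names are assumptions.

```python
F = 97                      # toy prime field (constructed; real systems use large fields)
XS = [1, 2]                 # one evaluation point per multiplication gate

# Constructed circuit over wires a = [a0 = 1, a1, a2, a3, a4]:
#   gate 1: a1 * a2 = a3  (the slide's example)    gate 2: a3 * a1 = a4
LEFT  = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0]]
RIGHT = [[0, 0, 1, 0, 0], [0, 1, 0, 0, 0]]
OUT   = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % F
    return out

def padd(a, b, sign=1):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + sign * y) % F for x, y in zip(a, b)]

def pdivmod(num, den):
    num, quo = num[:], [0] * max(1, len(num) - len(den) + 1)
    inv = pow(den[-1], -1, F)
    for k in range(len(num) - len(den), -1, -1):
        quo[k] = num[k + len(den) - 1] * inv % F
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - quo[k] * d) % F
    return quo, num[:len(den) - 1]

def combine(rows, a):
    """sum_i a_i * u_i(X): by linearity, interpolate the per-gate sums (Lagrange)."""
    ys, total = [sum(c * x for c, x in zip(r, a)) for r in rows], [0]
    for k, xk in enumerate(XS):
        term = [ys[k] % F]
        for xj in XS:
            if xj != xk:
                inv = pow((xk - xj) % F, -1, F)
                term = pmul(term, [-xj * inv % F, inv])
        total = padd(total, term)
    return total

def qap_check(a):
    """Return (h, ok): ok iff t(X) divides A(X)*B(X) - C(X); h is the quotient."""
    t = [1]
    for x in XS:
        t = pmul(t, [-x % F, 1])
    p = padd(pmul(combine(LEFT, a), combine(RIGHT, a)), combine(OUT, a), -1)
    h, rem = pdivmod(p, t)
    return h, not any(rem)
```

For the satisfying assignment `[1, 3, 4, 12, 36]` the quotient is the constant h(X) = 88 (that is, −9 mod 97); changing `a4` to 35 leaves a non-zero remainder, so the check fails.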
NIZK Argument
1. Communication complexity is logarithmic in the size of the circuit.
2. Verification computation is linear in the size of the circuit.
3. No trusted setup
[Figure: Proof Size, Transaction Size and Number of Gates. Series: Gate Number, Transaction Size, Proof Size per User; axes: Number of Users, KB, Number of Gates]
Security Definition
We define two security requirements for a privacy-preserving
blockchain-based protocol:
Transaction Indistinguishability (Privacy)
Overdraft Safety (Balance & Withdraw)
Security Definition
Transaction Indistinguishability
An adversary sends two different transactions to the challenger. Only one
will be recorded on the blockchain, while the adversary is not able to
distinguish which one of these two is recorded. This security property
could indicate the anonymity of the users as well as the privacy of the
transaction values, depending on leakage.
Requirement:
Public information consistent
Leakage function
Security Definition
Overdraft Safety
Overdraft safety specifies that an honest user can withdraw all the balance
that she owns according to her state in the withdraw phase of any epoch.
This security requirement prevents an adversary from withdrawing more than
it has, since otherwise there must be an honest user who cannot
withdraw all of her balance because of a lack of funds in the smart
contract.
Security Definition from Zcash
Ledger Indistinguishability
A challenger samples a random bit $b$ and initialises two ledgers $L_0$ and $L_1$.
Throughout, the challenger allows $\mathcal{A}$ to issue queries to each ledger. At
the end the challenger provides the adversary with the view of both ledgers,
but in randomized order: $L_{\text{Left}} := L_b$ and $L_{\text{Right}} := L_{1-b}$. The adversary's
goal is to distinguish whether the view he sees corresponds to $(L_{\text{Left}}, L_{\text{Right}}) = (L_0, L_1)$,
i.e. $b = 0$, or to $(L_{\text{Left}}, L_{\text{Right}}) = (L_1, L_0)$, i.e. $b = 1$.
Security Definitions
We prove these two security definitions are equivalent.
Thank you