PriBank: Confidential Blockchain Scaling Using Short Commit-and-Prove NIZK Argument

Kristian Gjøsteen, Mayank Raikwar, Shuang Wu
NTNU - Norwegian University of Science and Technology, Trondheim, Norway
February 7, 2022

Account-based Blockchain Cryptocurrency Systems

[Figure: users u1, u2, u3 with signed transactions (v1, sig1), (v2, sig2), (v3, sig3); ledger balances u1 : b1, u2 : b2, u3 : b3]

Problems

Scalability
- Low transaction throughput and high transaction fee
- Ethereum: 13 transactions per second

Privacy
- Everything is public
- Users' balances
- Transaction values, senders, recipients

Layer 2 Scaling Solution (ZK-Rollup)

Layer 2 Blockchain Scaling Architecture
- No changes for the fundamental blockchain (layer 1)
- Perform a vast majority of computations off-chain and later put the compressed updates about users' states on-chain.

ZK-Rollup

[Figure: users u1, u2, u3 with (v1, sig1), (v2, sig2), (v3, sig3); Operator; Updates {v1, v2, v3 ...}; ledger balances u1 : b1, u2 : b2, u3 : b3]

ZK-Rollup

[Figure: timeline over epochs r − 2, r − 1, r, r + 1 with phases Register/Transfer, Commit, Exit]

ZK-Rollup

[Figure: ZK-Rollup diagram with the updates shown as {$, %, &...} and the ledger balances as u1 : ?, u2 : ?, u3 : ?]
ZK-Rollup

[Figure: users u1, u2, u3 with (v1, sig1), (v2, sig2), (v3, sig3); Operator; Updates {v1, v2, v3 ...}; ledger balances u1 : b1, u2 : b2, u3 : b3; SNARK]

Our Goal

Add privacy on layer-2 scaling solutions
- Hide users' balances
- Hide transaction values

Layer 2 Scaling + Privacy

Hide the values by Pedersen commitment

[Figure: Operator; Updates {$c_{v_1}, c_{v_2}, c_{v_3}$ ...}; ledger balances u1 : b1, u2 : b2, u3 : b3]

Layer 2 Scaling + Privacy

Hide the values by Pedersen commitment

[Figure: Operator; Updates {$c_{v_1}, c_{v_2}, c_{v_3}$ ...}; ledger balances u1 : $c_{b_1}$, u2 : $c_{b_2}$, u3 : $c_{b_3}$; ZK Proof]

Layer 2 Scaling + Privacy

[Figure: Operator; Updates {$c_{v_1}, c_{v_2}, c_{v_3}$ ...}; ledger balances u1 : $c_{b_1}$, u2 : $c_{b_2}$, u3 : $c_{b_3}$; ZK Proof]

The blockchain records $c_{b_i}$, $c_{t_i}$, and $d$
- $t_i$: pre-agreed randomness
- $d$: balance mask such that $b_i = t_i - d_i$

Privacy on the top of Blockchain Scaling Model

What do we need to prove?
1. $b_i, b_i', v_i \in \{0, \ldots, 2^n\}$
2. $b_i - \sum v_{ij} \in \{0, \ldots, 2^n\}$
3. $b_i' = b_i - \sum v_{ij} + \sum v_{ji}$
4. $b_i' = t_i - d_i$

Commit-and-Prove NIZK Argument

We present the computations as an arithmetic circuit and build an NIZK argument for the satisfaction of the circuit.

Arithmetic circuit
- Notation: assign each wire in the circuit a variable $a_1, a_2, \ldots, a_m$
- Each gate gives a constraint. For example: $a_1 \cdot a_2 = a_3$

Commit-and-Prove NIZK Argument

An arithmetic circuit satisfaction problem can be represented as a Quadratic Arithmetic Program (QAP) satisfaction problem, where the circuit is reduced to a polynomial equation.

$$\sum_{i=0}^{m} a_i u_i(X) \cdot \sum_{i=0}^{m} a_i v_i(X) = \sum_{i=0}^{m} a_i w_i(X) + h(X)\,t(X)$$

- Statements: $a_1, \ldots, a_l$
- Witness: $a_{l+1}, \ldots, a_m$, and coefficients of $h(X)$: $h_0, h_1, \ldots, h_{2n-2}$

NIZK Argument

1. Communication complexity is logarithmic in the size of the circuit.
2. Verification computation is linear in the size of the circuit.
3. No trusted setup

[Figure: "Proof Size, Transaction Size and number of Gates"; x-axis: Number of Users; y-axes: KB and Number of Gates; series: Gate Number, Transaction Size, Proof Size per User]

Security Definition

We define two security requirements for a privacy-preserving blockchain-based protocol:
- Transaction Indistinguishability (Privacy)
- Overdraft Safety (Balance & Withdraw)

Security Definition

Transaction Indistinguishability

An adversary sends two different transactions to the challenger. Only one will be recorded on the blockchain, and the adversary is not able to distinguish which one of the two is recorded.

This security property could indicate the anonymity of the users as well as the privacy of the transaction values, depending on leakage.

Requirement:
- Public information consistent
- Leakage function

Security Definition

Overdraft Safety

Overdraft safety specifies that an honest user can withdraw all the balance that she owns according to her state in the withdraw phase of any epoch.

This security requirement prohibits an adversary from withdrawing more than it has, since otherwise there must be an honest user who cannot withdraw all of his balance because of the lack of funds in the smart contract.

Security Definition from Zcash

Ledger Indistinguishability

A challenger samples a random bit $b$ and initialises two ledgers $L_0$ and $L_1$. Throughout, the challenger allows A to issue queries to each ledger.
At the end the challenger provides the adversary with the view of both ledgers, but in randomized order: $L_{\mathrm{Left}} := L_b$ and $L_{\mathrm{Right}} := L_{1-b}$. The adversary's goal is to distinguish whether the view he sees corresponds to $(L_{\mathrm{Left}}, L_{\mathrm{Right}}) = (L_0, L_1)$, i.e. $b = 0$, or to $(L_{\mathrm{Left}}, L_{\mathrm{Right}}) = (L_1, L_0)$, i.e. $b = 1$.

Security Definitions

We prove these two security definitions are equivalent.

Thank you
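
Added example (not from the slides or the PriBank authors): the four relations on the "What do we need to prove?" slide, checked for one user on toy Pedersen commitments. The group parameters, balances and function names are constructed for illustration, and opened randomness differences stand in for the zero-knowledge argument, which is not implemented here.

```python
import secrets

# Constructed toy parameters: P = 2Q + 1 with P, Q prime; far too small to be secure.
P, Q = 2039, 1019
G, H = 4, 9              # squares mod P, so both generate the order-Q subgroup
N_BITS = 8               # range bound n from the slide: values in {0, ..., 2^n}

def commit(m, r):
    """Pedersen commitment g^m * h^r mod P."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def in_range(x):
    return 0 <= x <= 2 ** N_BITS

def next_balance(b, sent, received):
    """Relations 1-3 in the clear; the NIZK proves them without revealing values."""
    if not in_range(b - sum(sent)):
        raise ValueError("overdraft")                    # relation 2
    b_new = b - sum(sent) + sum(received)                # relation 3
    if not all(in_range(x) for x in [b, b_new, *sent, *received]):
        raise ValueError("value out of range")           # relation 1
    return b_new

def same_value(c1, c2, dr):
    """c1 and c2 hide the same value iff c1 == c2 * h^dr, with dr = r1 - r2."""
    return c1 == c2 * pow(H, dr % Q, P) % P

def fold(cb, c_sent, c_received):
    """Right-hand side of relation 3, computed on commitments only."""
    acc = cb
    for c in c_received:
        acc = acc * c % P
    for c in c_sent:
        acc = acc * pow(c, -1, P) % P
    return acc

def demo(b=100, sent=(30,), received=(5, 20), t=180):
    """One user, one epoch (constructed values); returns (b', d, rel3_ok, rel4_ok)."""
    b_new = next_balance(b, sent, received)
    d = t - b_new                                        # public mask, relation 4
    r_b, r_new, r_t = (secrets.randbelow(Q) for _ in range(3))
    r_s = [secrets.randbelow(Q) for _ in sent]
    r_r = [secrets.randbelow(Q) for _ in received]
    cb, cb_new, ct = commit(b, r_b), commit(b_new, r_new), commit(t, r_t)
    c_s = [commit(v, r) for v, r in zip(sent, r_s)]
    c_r = [commit(v, r) for v, r in zip(received, r_r)]
    rel3 = same_value(cb_new, fold(cb, c_s, c_r), r_new - (r_b + sum(r_r) - sum(r_s)))
    rel4 = same_value(ct, cb_new * pow(G, d, P) % P, r_t - r_new)
    return b_new, d, rel3, rel4
```

Relations 3 and 4 are linear, so they can be checked on the commitments alone; relations 1 and 2 are range statements, which is where the slides' arithmetic-circuit argument is needed.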