Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts

Posted by 刘学枫 on November 5, 2018

Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts

Introduction

Category

  • Problem Pattern: Well-studied problems

Motivation

Background

  1. The research problem is that the emerging smart contract systems over decentralized cryptocurrencies lack transactional privacy; as a result, all transactions, including the flow of money between pseudonyms and the amounts transacted, are exposed on the blockchain.
  2. The lack of privacy is a major hindrance to the broad adoption of decentralized smart contracts, since financial transactions are considered by many individuals and organizations to be highly secret.
  3. The original Bitcoin offers limited programmability. Ethereum allows programmability but does not guarantee transactional privacy, while Zerocash guarantees transactional privacy but at the price of even less programmability than Bitcoin.

  4. The paper targets the lack of transactional privacy in decentralized cryptocurrency systems: in these emerging smart contract systems, all transactions, including the flow of funds between the pseudonyms used for anonymity and the amounts transacted, are exposed on the blockchain.
  5. Since financial transactions are generally regarded as highly confidential, the lack of privacy protection is the main obstacle to the broad adoption of smart contract systems.
  6. The original version of Bitcoin offers only limited programmability. Ethereum offers programmability but does not guarantee transactional privacy, whereas Zerocash guarantees transactional privacy at the cost of even less programmability than Bitcoin.

Literature Review

Leveraging blockchain for financial fairness. A few prior works have explored how to leverage the blockchain technology to achieve fairness in protocol design. For example, Bentov et al., Andrychowicz et al., Kumaresan et al. [40], Kiayias et al. [36], as well as Zyskind et al. [59], show how Bitcoin can be used to ensure fairness in secure multi-party computation protocols. These protocols also perform off-chain secure computation of various types, but do not guarantee transactional privacy (i.e., hiding the currency flows and amounts transacted). For example, it is not clear how to implement our sealed auction example using these earlier techniques. Second, these earlier works either do not offer system implementations or provide implementations only for specific applications (e.g., lottery). In comparison, Hawk provides a generic platform such that nonspecialist programmers can easily develop privacy-preserving smart contracts.

Some prior work has explored how to use blockchain technology to achieve fairness in protocol design (reference [36]). Reference [59] shows how Bitcoin can be used to ensure fairness in secure multi-party computation protocols. These protocols also perform various kinds of off-chain secure computation, but do not guarantee transactional privacy (i.e., hiding currency flows and transaction amounts). For example, it is currently unclear how to use these earlier techniques to implement the paper's sealed-bid auction example. Second, these earlier works either provide no system implementation or provide implementations only for specific applications (e.g., lotteries). In contrast, Hawk provides a generic platform on which non-specialist programmers can easily develop privacy-preserving smart contracts.

Smart contracts. The conceptual idea of programmable electronic “smart contracts” dates back nearly twenty years [53]. Besides recent decentralized cryptocurrencies, which guarantee authenticity but not privacy, other smart contract implementations rely on trusted servers for security [46]. Our work therefore comes closest to realizing the original vision of parties interacting with a trustworthy “virtual computer” that executes programs involving money and data.

The concept of programmable electronic “smart contracts” dates back nearly twenty years [53]. Apart from recent decentralized cryptocurrencies, which guarantee authenticity but not privacy, other smart contract implementations rely on trusted servers for security [46]. Our work therefore comes closest to realizing the original vision of parties interacting with a trustworthy “virtual computer” that executes programs involving money and data.

Programming frameworks for cryptography. Several works have developed programming frameworks that take in high-level programs as specifications and generate cryptographic implementations, including compilers for secure multi-party computation [19], [39], [41], [51], authenticated data structures [44], and (zero-knowledge) proofs [12], [30], [31], [49]. Zheng et al. show how to generate secure distributed protocols such as sealed auctions, battleship games, and banking applications [58]. These works support various notions of security, but none of them interact directly with money or leverage public blockchains for ensuring financial fairness. Thus our work is among the first to combine the “correct-by-construction” cryptography approach with smart contracts.

In concurrent and independent work, Kiayias et al. propose a blockchain model in the (Generalized) Universal Composability framework and use it to derive results that are similar to what we describe in Appendix G-A, i.e., fair MPC with public deposits.

Research Niche

Despite the expressiveness and power of the blockchain and smart contracts, the present form of these technologies lacks transactional privacy. The entire sequence of actions taken in a smart contract is propagated across the network and/or recorded on the blockchain, and is therefore publicly visible. Even though parties can create new pseudonymous public keys to increase their anonymity, the values of all transactions and balances for each (pseudonymous) public key are publicly visible. Further, recent works have also demonstrated deanonymization attacks by analyzing the transaction graph structures of cryptocurrencies.

The lack of privacy is a major hindrance to the broad adoption of decentralized smart contracts, since financial transactions (e.g., insurance contracts or stock trading) are considered by many individuals and organizations to be highly secret. Although there has been progress in designing privacy-preserving cryptocurrencies such as Zerocash, this system forgoes programmability, and it is unclear a priori how to enable programmability without exposing transactions and data in cleartext to miners.

Work

Research Objectives

Hawk, proposed by this paper, is the first system to simultaneously offer transactional privacy and programmability in a decentralized cryptocurrency system.

Hawk is a framework for building privacy-preserving smart contracts. With Hawk, a non-specialist programmer can easily write a Hawk program without having to implement any cryptography.

Research Summary

The paper develops Hawk, which provides the blockchain model of cryptography and a framework for privacy-preserving smart contracts.

Evaluation

Evaluation Summary

We built a Hawk prototype and evaluated its performance by implementing several example applications, including a sealed-bid auction, a “rock, paper, scissors” game, a crowdfunding application, and a swap financial instrument. We propose interesting protocol optimizations that gained us a factor of 10× in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases.

Implications

We propose interesting protocol optimizations that gained us a factor of 10 in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases.

Novelty

Contributions

Hawk is the first to simultaneously offer transactional privacy and programmability in a decentralized cryptocurrency system.

Formal models for decentralized smart contracts. We are among the first ones to initiate a formal, academic treatment of the blockchain model of cryptography. We present a formal, Universal Composability (UC) model for the blockchain model of cryptography – this formal model is of independent interest, and can be useful in general for defining and modeling the security of protocols in the blockchain model. Our formal model has also been adopted by the Gyges work in designing criminal smart contracts.

In defining our formal blockchain model, we rely on a notion called wrappers to modularize our protocol design and to simplify the presentation. Wrappers handle a set of common details, such as timers, pseudonyms and global ledgers, in a centralized place so that they need not be repeated in every protocol.

New cryptography suite. We implement a new cryptography suite that binds private transactions with programmable logic. Our protocol suite contains three essential primitives: freeze, compute, and finalize. The freeze primitive allows parties to commit to not only normal data, but also coins. Committed coins are frozen in the contract, and the payout distribution will later be determined by the program φpriv. During compute, parties open their committed data and currency to the manager, such that the manager can compute the function φpriv. Based on the outcome of φpriv, the manager now constructs new private coins to be paid to each recipient. The manager then submits to the blockchain both the new private coins as well as zero-knowledge proofs of their well-formedness. At this moment, the previously frozen coins are redistributed among the users. Our protocol suite strictly generalizes Zerocash, since Zerocash implements only private money transfers between users without programmability.

We define the security of our primitives using ideal functionalities, and formally prove security of our constructions under a simulation-based paradigm.

Implementation and evaluation. We built a Hawk prototype and evaluated its performance by implementing several example applications, including a sealed-bid auction, a “rock, paper, scissors” game, a crowdfunding application, and a swap financial instrument. We propose interesting protocol optimizations that gained us a factor of 10× in performance relative to a straightforward implementation. We show that for at about 100 parties (e.g., auction and crowdfunding), the manager’s cryptographic computation (the most expensive part of the protocol) is under 2.85min using 4 cores, translating to under $0.14 of EC2 time. Further, all on-chain computation (performed by all miners) is very cheap, and under 20ms for all cases. We will open source our Hawk framework in the near future.

Key Concepts

Blockchain

A blockchain is a decentralized, distributed ledger system that can be used to register and issue digital assets, property certificates, loyalty points and the like, and to transfer, pay and trade them in a peer-to-peer manner. Compared with a traditional centralized ledger, a blockchain system is fully public, tamper-resistant and prevents double spending, and it does not depend on any trusted third party.

Consensus Mechanism

Because peer-to-peer networks have high network latency, the order in which different nodes observe transactions cannot be exactly the same. A blockchain system therefore needs a mechanism for reaching agreement on the order of transactions that occur at roughly the same time. The algorithm for reaching agreement on the order of transactions within a time window is called the “consensus mechanism”.

Sealed-Bid Auction

In a sealed auction, commonly known as a “sealed bid”, the starting price and the reserve price are kept strictly secret before the auction. Bidders cannot know the starting price in advance, nor can they work out their expected gain before the auction. Not only the bidders but even the auctioneer knows nothing about the starting and reserve prices, because in many sealed-bid auctions these prices are placed in a sealed envelope that the consignor delivers on the spot.

Ethereum

Ethereum is a platform and a programming language that enables developers to build and publish the next generation of distributed applications. Ethereum can be used to program, decentralize, secure and trade almost anything: voting, domain names, financial exchanges, crowdfunding, company governance, contracts and most kinds of agreements, intellectual property, and smart assets that benefit from hardware integration.

Zero-Knowledge Proof

The “zero-knowledge proof” was proposed by S. Goldwasser, S. Micali and C. Rackoff in the early 1980s. It means that a prover can convince a verifier that some statement is true without giving the verifier any useful information. A zero-knowledge proof is essentially a protocol involving two or more parties, that is, a sequence of steps the parties take to accomplish a task. The prover proves to the verifier, and convinces the verifier, that it knows or possesses some message, but the proving process must not leak any information about that message to the verifier. Many results have shown that zero-knowledge proofs are very useful in cryptography; being able to use zero-knowledge proofs for verification can effectively solve many problems.

Other Terms

Universal Composability (UC) Model

A model proposed in the paper: We present a formal, Universal Composability (UC) model for the blockchain model of cryptography – this formal model is of independent interest, and can be useful in general for defining and modeling the security of protocols in the blockchain model.

Wrapper

The paper also introduces something called a wrapper, used to modularize the paper's cryptographic protocol design and to simplify the presentation. Specifically: Wrappers handle a set of common details such as timers, pseudonyms, global ledgers in a centralized place such that they need not be repeated in every protocol.

New Cryptography Suite

The paper implements a new cryptography suite that binds private transactions with programmable logic. The suite consists of three basic primitives: freeze, compute, and finalize. It is built mainly on top of Zerocash.

Freeze

The freeze primitive allows users to commit not only their normal data but also coins. Committed coins are frozen by the contract, and the payout distribution is determined later by the private program.

Compute

During compute (off-chain), the contracting parties open their committed data and currency to the manager, who executes the private part φpriv of the Hawk program. Based on the result of φpriv, the manager constructs new private coins to be paid to each recipient. Finally, the manager submits the newly constructed private coins together with zero-knowledge proofs to the blockchain. In this process, the coins previously frozen by the contract are redistributed among the contracting parties.

Finalize

When the manager submits the result of executing the private part φpriv, together with a zero-knowledge proof of correct execution, to the Hawk blockchain contract, the contract verifies the proof and returns the frozen money to each corresponding user. At this point the Hawk blockchain contract also passes the manager's public inputs and public outputs to the public Hawk contract φpub. The public Hawk contract φpub triggers the check function to verify the manager's inputs and redistributes the public deposits.
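The freeze, compute and finalize flow described here and under "New cryptography suite" above, as an added toy model in Python (not code from the paper or the Hawk prototype). It assumes hash-based commitments, a second-price auction as φpriv, at least two bidders, and it replaces the zero-knowledge proof by having the contract re-check the openings in the clear, which a real Hawk contract never sees.

```python
import hashlib
import secrets
SAMPLE_BIDS = {"alice": 10, "bob": 7, "carol": 5}   # constructed sample input

def commit(coins, nonce):
    """Hash commitment to a coin amount; stands in for the paper's coin commitment."""
    return hashlib.sha256(f"{coins}|{nonce.hex()}".encode()).hexdigest()

def freeze(chain, party, coins):
    """freeze: the party's coins are committed into the contract; only the commitment is public."""
    nonce = secrets.token_bytes(16)
    chain["frozen"][party] = commit(coins, nonce)
    return coins, nonce                  # the opening, handed to the manager privately

def phi_priv_auction(bids, seller):
    """phi_priv as a second-price sealed-bid auction (this example's rule): top bidder wins, pays the runner-up bid."""
    ranked = sorted(bids, key=bids.get, reverse=True)
    winner, price = ranked[0], bids[ranked[1]]
    payout = dict(bids)                  # losers get their frozen coins back
    payout[winner] = bids[winner] - price
    payout[seller] = price
    return winner, payout

def compute(chain, openings, seller):
    """compute (off-chain): the manager checks the openings against the chain and runs phi_priv."""
    for party, (coins, nonce) in openings.items():
        if chain["frozen"][party] != commit(coins, nonce):
            raise ValueError(f"{party}: opening does not match the frozen commitment")
    winner, payout = phi_priv_auction({p: c for p, (c, _) in openings.items()}, seller)
    return {"winner": winner, "payout": payout, "openings": openings}

def finalize(chain, submission):
    """finalize (on-chain): accept only if every opening matches its frozen commitment and coins
    are conserved. In Hawk a zero-knowledge proof attests to this; re-checking openings in the clear is a toy stand-in."""
    openings = submission["openings"]
    if any(chain["frozen"][p] != commit(c, n) for p, (c, n) in openings.items()):
        return False
    if sum(submission["payout"].values()) != sum(c for c, _ in openings.values()):
        return False
    chain["balances"] = dict(submission["payout"])
    chain["frozen"].clear()
    return True

def run_auction(bids, seller="seller"):
    """Drive freeze -> compute -> finalize; returns (accepted, winner, final balances)."""
    chain = {"frozen": {}, "balances": {}}
    openings = {party: freeze(chain, party, coins) for party, coins in bids.items()}
    submission = compute(chain, openings, seller)
    return finalize(chain, submission), submission["winner"], chain["balances"]
```

If the manager alters the payout in its submission (for example adding a coin for the seller), finalize rejects it because the payouts no longer match the frozen total, and the coins stay frozen.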