Achieving Trust without Disclosure: Dark Pools and a Role for Secrecy-Preserving Verification
Can an exchange be "dark," so that orders are not displayed, while simultaneously trustworthy, so that the execution of trades and flow of information occur as promised? SEC actions against dark pools suggest cause for concern, and regulators seem to be moving towards requiring more disclosure. Yet there is a clear tension: trading order information is widely exploited, so institutional investors have a strong interest in keeping pre-trade information about large trades hidden. Secrecy-preserving proofs of correctness can be used to build trust without revealing unnecessary information. By performing operations on obfuscated representations of orders (perhaps encrypted or otherwise hidden), a zero-knowledge proof can be provided that allows anyone to verify the correctness of trades. Crucially, this can be done without revealing any information beyond this correctness. This technology can be usefully applied to construct provably trustworthy dark pools. Additional practical protocols relax the definition of "zero knowledge" to reveal limited information, providing the transparency necessary for efficient market operation while limiting the information that observers can exploit. Coupled with Trusted Computing hardware, these protocols can provide an excellent balance of practicality with secrecy.
Engineering and Applied Science
Publicly Verifiable Auctions with Privacy
Online auctions have a steadily growing market size, creating billions of US dollars in sales value every year. Ensuring fairness and auditability while preserving the bidders' privacy is the main challenge of an auction scheme. At the same time, utility-driven blockchain technology is picking up the pace, offering transparency and data integrity to many applications. In this paper, we present a blockchain-based first-price sealed-bid auction scheme. Our scheme offers privacy and public verifiability. It can be built on any public blockchain, which is leveraged to provide transparency, data integrity, and hence auditability. The inability to double spend on a blockchain is used to prevent bid replay attacks. Moreover, our scheme achieves non-repudiation for both bidders and the auctioneer without revealing the bids, and we encapsulate this concept inside the public verification of the auction. We propose to use ElGamal encryption and Bulletproofs to construct an efficient instantiation of our scheme. We also propose to use recursive zkSNARKs to reduce the number of comparison proofs from to , where is the number of bidders
PESCA: A Privacy-Enhancing Smart-Contract Architecture
Public blockchains are state machines replicated via distributed consensus protocols. Information on blockchains is public by default---marking privacy as one of the key challenges.
We identify two shortcomings of existing approaches to building blockchains for general privacy-preserving applications, namely (1) the reliance on external trust assumptions and (2) the dependency on execution environments (on-chain, off-chain, zero-knowledge, etc.) with heterogeneous programming frameworks.
Towards solving these problems, we propose PESCA---a privacy-enhancing smart contract architecture. PESCA utilizes generic building blocks such as threshold fully-homomorphic encryption (FHE), distributed key generation (DKG), dynamic proactive secret sharing (DPSS), Byzantine-fault-tolerant (BFT) consensus, and universal succinct non-interactive zero-knowledge proofs (zk-SNARKs).
First, we formalize the problem of replicating state machines augmented with threshold decryption protocols and discuss how existing BFT consensus protocols can be adapted to this setting. We describe how to instantiate a blockchain with a fixed FHE public key and have FHE-encrypted chain states programmatically decrypted via consensus.
Next, we describe a smart-contract framework for engineering privacy-preserving applications, where programs are expressed---in a unified manner---between four types of computation: transparent on-chain, confidential (FHE) on-chain, user off-chain, and zero-knowledge off-chain.
Lastly, to showcase the generality and expressiveness of PESCA, we provide two simple application designs for constant function market makers (CFMMs) and first-price sealed-bid auctions (FPSBAs), both with maximal privacy guarantees
Zether: Towards Privacy in a Smart Contract World
Blockchain-based smart contract platforms like Ethereum have become quite popular as a way to remove trust and add transparency to distributed applications. While different types of important applications can be easily built on such platforms, there does not seem to be an easy way to add a meaningful level of privacy to them.
In this paper, we propose Zether, a fully-decentralized, confidential payment mechanism that is compatible with Ethereum and other smart contract platforms. We take an account-based approach similar to Ethereum for efficiency and usability. We design a new smart contract that keeps the account balances encrypted and exposes methods to deposit, transfer and withdraw funds to/from accounts through cryptographic proofs.
We describe techniques to protect Zether against replay attacks and front-running situations. We also develop a mechanism to enable interoperability with arbitrary smart contracts. This helps to make several popular applications like auctions, payment channels, voting, etc. confidential.
As a part of our protocol, we propose -Bullets, an improvement of the existing zero-knowledge proof system Bulletproofs. -Bullets make Bulletproofs more interoperable with Sigma protocols, which is of general interest.
We implement Zether as an Ethereum smart contract and show the practicality of our design by measuring the amount of gas used by the Zether contract. A Zether confidential transaction costs about 0.014 ETH or approximately $1.51 (as of early Feb, 2019). We discuss how small changes to Ethereum, which are already being discussed independently of Zether, would drastically reduce this cost
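The account model described in the Zether abstract (encrypted balances, a transfer that debits the sender and credits the receiver through a proof, and replay protection), as an added example that is not Zether's own code or contract. It uses exponent-ElGamal on secp256k1, the same additively homomorphic encryption that the auction scheme above also proposes to build on. Assumptions beyond the abstract: the `DOMAIN` tag and the per-account nonce are this example's own simplification of Zether's replay and front-running defences (its epoch mechanism is not reproduced), decryption brute-forces a small discrete log because the demo balances are small, and the range proof that Zether gets from Bulletproofs/-Bullets is omitted, so nothing here prevents a sender from transferring more than it holds.

```python
"""Zether-style confidential transfer on secp256k1 (added example, not Zether's own code).
Balances are exponent-ElGamal ciphertexts (C, D) = (b*G + r*Y, r*G), which are additively
homomorphic, so the contract can debit and credit amounts it cannot read.  No range proof:
nothing here stops a negative balance (Zether closes that gap with Bulletproofs)."""
import hashlib, secrets

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DOMAIN = b"zether-demo-v1"  # hypothetical domain-separation tag for the challenge hash

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)
def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)
def encrypt(y, amount, r):           # exponent ElGamal: (amount*G + r*Y, r*G)
    return add(mul(amount, G), mul(r, y)), mul(r, G)
def ct_add(a, b):                    # homomorphic credit
    return add(a[0], b[0]), add(a[1], b[1])
def ct_sub(a, b):                    # homomorphic debit
    return add(a[0], neg(b[0])), add(a[1], neg(b[1]))

def decrypt(x, ct, max_amount=4096):
    """Recover a small amount by brute-forcing the discrete log of C - x*D."""
    target, acc = add(ct[0], neg(mul(x, ct[1]))), None
    for amount in range(max_amount):
        if acc == target:
            return amount
        acc = add(acc, G)
    raise ValueError("amount outside the brute-force window")

def challenge(nonce, *points):
    """Fiat-Shamir challenge; binding the sender's nonce makes a proof single-use."""
    h = hashlib.sha256(DOMAIN + nonce.to_bytes(8, "big"))
    for pt in points:
        h.update(bytes(64) if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def transfer_tx(x_s, y_s, y_r, amount, nonce):
    """Sender: encrypt the amount to both accounts with one randomness r, then prove
    (1) both ciphertexts open to the same amount, (2) D = r*G, (3) knowledge of x_s."""
    r = secrets.randbelow(N - 1) + 1
    (C_s, D), (C_r, _) = encrypt(y_s, amount, r), encrypt(y_r, amount, r)
    k_b, k_r, k_x = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    A = (add(mul(k_b, G), mul(k_r, y_s)), add(mul(k_b, G), mul(k_r, y_r)), mul(k_r, G), mul(k_x, G))
    c = challenge(nonce, y_s, y_r, C_s, C_r, D, *A)
    z = ((k_b + c * amount) % N, (k_r + c * r) % N, (k_x + c * x_s) % N)
    return C_s, C_r, D, (A, z), nonce

def verify(y_s, y_r, C_s, C_r, D, nonce, proof):
    """Contract side: checks use public data only, so anyone can audit the transfer."""
    A, (z_b, z_r, z_x) = proof
    c = challenge(nonce, y_s, y_r, C_s, C_r, D, *A)
    return (add(mul(z_b, G), mul(z_r, y_s)) == add(A[0], mul(c, C_s))
            and add(mul(z_b, G), mul(z_r, y_r)) == add(A[1], mul(c, C_r))
            and mul(z_r, G) == add(A[2], mul(c, D))
            and mul(z_x, G) == add(A[3], mul(c, y_s)))

class Ledger:
    """Stand-in for the Zether contract: encrypted balances plus per-account nonces."""
    def __init__(self):
        self.bal, self.nonce = {}, {}   # pubkey -> ciphertext, pubkey -> next nonce
    def deposit(self, y, amount):
        """Plaintext funding with randomness 0 (the deposit method of the abstract)."""
        self.bal[y] = ct_add(self.bal.get(y, (None, None)), encrypt(y, amount, 0))
    def transfer(self, y_s, y_r, tx):
        C_s, C_r, D, proof, nonce = tx
        if nonce != self.nonce.get(y_s, 0):           # replayed or out-of-order transaction
            return False
        if not verify(y_s, y_r, C_s, C_r, D, nonce, proof):
            return False
        self.nonce[y_s] = nonce + 1
        self.bal[y_s] = ct_sub(self.bal.get(y_s, (None, None)), (C_s, D))
        self.bal[y_r] = ct_add(self.bal.get(y_r, (None, None)), (C_r, D))
        return True

def demo():
    """Alice funds 1000, sends 250 to Bob, then the same transaction is replayed."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    ledger = Ledger()
    ledger.deposit(y_a, 1000)
    tx = transfer_tx(x_a, y_a, y_b, 250, nonce=0)
    first, replay = ledger.transfer(y_a, y_b, tx), ledger.transfer(y_a, y_b, tx)
    return first, replay, decrypt(x_a, ledger.bal[y_a]), decrypt(x_b, ledger.bal[y_b])

if __name__ == "__main__":
    print(demo())  # (True, False, 750, 250)
```

The knowledge-of-`x_s` clause in the proof is what stops an arbitrary party from debiting someone else's encrypted balance; without it the transfer proof would be publicly checkable but not authorised. The nonce in the challenge hash is the cheap part of replay protection: a captured transaction verifies against the old nonce only, so the ledger rejects it once the account's counter has moved on.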
BigDipper: A hyperscale BFT system with short term censorship resistance
Byzantine-fault-tolerant (BFT) protocols underlie a variety of decentralized applications including payments, auctions, data feed oracles, and decentralized social networks. In most leader-based BFT protocols, an important property that has been missing is short-term censorship resistance of transactions: the protocol should guarantee inclusion in the next block height even if the current and future leaders intend to censor. In this paper, we present a BFT system, BigDipper, that achieves censorship resistance while providing fast confirmation for clients and hyperscale throughput. The core idea is to decentralize transaction inclusion by allowing every BFT replica to create its own mini-block, and then to force the leader to include those mini-blocks. To achieve this, BigDipper is built as a modular system of three components. First, we provide a transaction broadcast protocol that clients use as an interface to obtain a spectrum of probabilistic inclusion guarantees. Next, a set of BFT replicas receives the clients' transactions and prepares mini-blocks to send to the data availability (DA) component. The DA component determines the censorship-resistance properties of the whole system; we design three censorship-resistant DA (DA-CR) protocols with distinct properties captured by three parameters and demonstrate their trade-offs. The third component interleaves the DA-CR protocols into the consensus path of leader-based BFT protocols, forcing the leader to include all the data from the DA-CR in the BFT block. We demonstrate an integration with the two-phase Hotstuff-2 BFT protocol with minimal changes. BigDipper is modular and can switch its consensus to other leader-based BFT protocols, including Tendermint.
SoK: Privacy-Enhancing Technologies in Finance
Recent years have seen the emergence of practical advanced cryptographic tools that not only protect data privacy and authenticity, but also allow for jointly processing data from different institutions without sacrificing privacy. The ability to do so has enabled implementations of a number of traditional and decentralized financial applications that would otherwise have required sacrificing privacy or trusting a third party. The main catalyst of this revolution was the advent of decentralized cryptocurrencies that use public ledgers to register financial transactions, which must be verifiable by any third party, while keeping sensitive data private. Zero Knowledge (ZK) proofs rose to prominence as a solution to this challenge, allowing the owner of sensitive data (e.g. the identities of users involved in an operation) to convince a third-party verifier that a certain operation has been correctly executed without revealing said data. It quickly became clear that performing arbitrary computation on private data from multiple sources by means of secure Multiparty Computation (MPC) and related techniques allows for more powerful financial applications, also in traditional finance.
In this SoK, we categorize the main traditional and decentralized financial applications that can benefit from state-of-the-art Privacy-Enhancing Technologies (PETs) and identify design patterns commonly used when applying PETs in the context of these applications. In particular, we consider the following classes of applications: 1. Identity Management, KYC & AML; 2. Markets & Settlement; 3. Legal; and 4. Digital Asset Custody. We examine how ZK proofs, MPC and related PETs have been used to tackle the main security challenges in each of these applications. Moreover, we provide an assessment of the technological readiness of each PET in the context of different financial applications according to the availability of: theoretical feasibility results, preliminary benchmarks (in scientific papers), or benchmarks achieving real-world performance (in commercially deployed solutions). Finally, we propose future applications of PETs as Fintech solutions to currently unsolved issues. While we systematize financial applications of PETs at large, we focus mainly on those applications that require privacy-preserving computation on data from multiple parties