arkworks-rs / dpc Goto Github PK

View Code? Open in Web Editor NEW

18.0 7.0 5.0 211 KB

A library for decentralized private computation

Home Page: https://ia.cr/2018/962

License: Apache License 2.0

Shell 0.53% Rust 99.47%

rust cryptography blockchain snark zksnarks

dpc's Introduction

ZEXE (Zero knowledge EXEcution)

ZEXE (pronounced /zeksē/) is a Rust library for decentralized private computation.

This library was initially developed as part of the paper "ZEXE: Enabling Decentralized Private Computation", and it is released under the MIT License and the Apache v2 License (see License).

WARNING: This is an academic proof-of-concept prototype, and in particular has not received careful code review. This implementation is NOT ready for production use.

Overview

This library implements a ledger-based system that enables users to execute offline computations and subsequently produce publicly-verifiable transactions that attest to the correctness of these offline executions. The transactions contain zero-knowledge succinct arguments (zkSNARKs) attesting to the correctness of the offline computations, and provide strong notions of privacy and succinctness.

Privacy - transactions reveal no information about the offline computation.
Succinctness - transactions can be validated in time that is independent of the offline computation.
Application isolation - malicious applications cannot affect the execution of honest applications.
Application interaction - applications can safely communicate with each other.

Informally, the library provides the ability to create transactions that run arbitrary (Turing-complete) scripts on hidden data stored on the ledger. In more detail, the library implements a cryptographic primitive known as decentralized private computation (DPC) schemes, which are described in detail in the ZEXE paper.

Directory structure

This repository contains several Rust crates that implement the different building blocks of ZEXE. The high-level structure of the repository is as follows.

algebra-core: Rust crate that provides generic arithmetic for finite fields and elliptic curves
algebra: Rust crate that provides concrete instantiations of some finite fields and elliptic curves
crypto-primitives: Rust crate that implements some useful cryptographic primitives (and constraints for them)
dpc: Rust crate that implements DPC schemes (the main cryptographic primitive in this repository)
ff-fft: Rust crate that provides efficient finite field polynomial arithmetic based on finite field FFTs
r1cs-core: Rust crate that defines core interfaces for a Rank-1 Constraint System (R1CS)
r1cs-std: Rust crate that provides various gadgets used to construct R1CS
gm17: Rust crate that implements the zkSNARK of Groth and Maller
groth16: Rust crate that implements the zkSNARK of Groth

In addition, there is a bench-utils crate which contains infrastructure for benchmarking. This crate includes macros for timing code segments and is used for profiling the building blocks of ZEXE.

Build guide

The library compiles on the stable toolchain of the Rust compiler. To install the latest version of Rust, first install rustup by following the instructions here, or via your platform's package manager. Once rustup is installed, install the Rust toolchain by invoking:

rustup install stable

After that, use cargo, the standard Rust build tool, to build the library:

git clone https://github.com/scipr-lab/zexe.git
cd zexe/dpc
cargo build --release

This library comes with unit tests for each of the provided crates. Run the tests with:

cargo test

This library comes with benchmarks for the following crates:

These benchmarks require the nightly Rust toolchain; to install this, run rustup install nightly. Then, to run benchmarks, run the following command:

cargo +nightly bench

Compiling with adcxq, adoxq and mulxq instructions can lead to a 30-70% speedup. These are available on most x86_64 platforms (Broadwell onwards for Intel and Ryzen onwards for AMD). Run the following command:

RUSTFLAGS="-C target-feature=+bmi2,+adx" cargo +nightly test/build/bench --features asm

Tip: If optimising for performance, your mileage may vary with passing --emit=asm to RUSTFLAGS.

To bench algebra-benches with greater accuracy, especially for functions with execution times on the order of nanoseconds, use the n_fold feature to run selected functions 1000x per iteration. To run with multiple features, make sure to double quote the features.

cargo +nightly bench --features "n_fold bls12_381"

License

ZEXE is licensed under either of the following licenses, at your discretion.

Apache License Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

Unless you explicitly state otherwise, any contribution submitted for inclusion in ZEXE by you shall be dual licensed as above (as defined in the Apache v2 License), without any additional terms or conditions.

Reference paper

ZEXE: Enabling Decentralized Private Computation
Sean Bowe, Alessandro Chiesa, Matthew Green, Ian Miers, Pratyush Mishra, Howard Wu
IEEE S&P 2020 (IACR ePrint Report 2018/962)

Acknowledgements

This work was supported by: a Google Faculty Award; the National Science Foundation; the UC Berkeley Center for Long-Term Cybersecurity; and donations from the Ethereum Foundation, the Interchain Foundation, and Qtum.

Some parts of the finite field arithmetic, elliptic curve arithmetic, FFTs, and multi-threading infrastructure in the algebra crate have been adapted from code in the ff, pairing, and bellman crates, developed by Sean Bowe and others from Zcash.

dpc's People

Contributors

Stargazers

Watchers

Forkers

valardragon bonedaddy ninevone karincryptodev kennethyc

dpc's Issues

Dependabot can't resolve your Rust dependency files

Dependabot can't resolve your Rust dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

    Updating git repository `https://github.com/scipr-lab/zexe`
    Updating crates.io index
error: no matching package named `algebra` found
location searched: https://github.com/scipr-lab/zexe
required by package `dpc v0.1.1-alpha.0 (/home/dependabot/dependabot-updater/dependabot_tmp_dir

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Homomorphic Encryption of delegated DPC computations (based on enclaves)

As a wild idea, I would like to suggest the possibility of a privacy-preserving version of delegated DPC. Although most would be willing to trust a cloud server for DPC, there may be some who might want to initiate transactions from their mobile phone who would want greater privacy yet reap the benefits of lower latency.

I can suggest the option using the BFV scheme to perform relatively efficient homomorphically encrypted modular arithmetic for MSM (I will give a think to FFTs later on). It is not clear a priori whether delegating computation in this way will help achieve low latencies desired (1-2s?).

For the MSMs, we perform EC operations given an n-bit EC group in projective coordinates. The delegating party encrypts their polynomial's coefficients a_k in the following way. If the a given bit of a_k is 1, they encode it as a pair of triples, (a, b) = (1, 1, 1), (0, 0, 0). Else, they encode (0, 0, 0), (0, 1, 0) (a more efficient way of doing things is encoding the bit values themselves, and deriving the above representations homomorphically. This is cheap as it's plaintext-ciphertext mult.)

However, the communication cost of this is 2^m*n. Concrete numbers look like 2^20*256, which given a 1280-bit encoding of each bit, stands at about 44GB. So this is already an arrow to the knee.

For the jth bit, the server obtains an element representing P = (x:y:z) = [2^j*k]tau by repeated doubling, and then encodes this as a BFV value. Then, the server performs the following operation element-wise on the triples homomorphically: P*a + b. One can check this either gives the element at infinity if the bit was set to 0 and returns P otherwise.

Then, the server will perform elliptic curve point additions homomorphically on all the encoded points. It remains to be seen what depths of circuit can be utilised - complexity for BFV goes as at least n^2 in the depth.

There is an issue here in that formulas differ for point doubling and point addition. One could get around this issue by using an equality check (check that all coordinates are the same) and choose the appropriate condition based on this (perform both operations and multiply one by 0 and one by 1, similar to above). However, the method I know to do this is exceedingly expensive (Fermat's little theorem) and I think impractical. Alternatively, one can assume it exceedingly unlikely that two points not equal to zero are equal to one another. Hence, one should keep the original encrypted bit-values handy, propogating a point at infinity if and only if the operands are both points at infinity (this can all be done homomorphically) and returning the point addition otherwise.

Overall, I think this idea is ill-conceived as one cannot expand the computation homomorphically from a small piece of data, as is done for neural network inference, for instance, due to the memory-intensivity of polynomial commitments.

Nonetheless, it is plausible that a method using enclaves to perform computations on sensitive data be performed side by side a powerful parallel machine. Enclaves, however have the downside of having limited memory (~90MB). Nevertheless, an enclave can emit ciphertexts of partial transcripts of computation or coefficients of a polynomial piece by piece, delegate the FFTs/point additions to a nearby machine, and refresh ciphertexts whenever required.

Due to the computational overhead (50-100x), I estimate that at least 20 64 logical core machines will be needed to bring prover times to acceptable speeds (10s). Utilising GPUs or more machines can help bring this down further. This seems equitable if one has many users opting for (and willing to pay for) private computation. If one is aiming for 100 tx/s, this method may be economically viable if at least 1 in 1000 users opt for additional privacy (this is in order to provide the service on demand. I am not sure how long it takes to spin up a prover on a service like AWS px large). 32 GPUs on EC2 costs $40/hr. So it could cost less than $0.1 to homomorphically prove a private transaction (with the help of enclaves). Nonetheless there is a lot of uncertainty about how much security an enclave actually provides.

Note that there is additional overhead as the algorithm considered above is just parallel scalar multiplication, not MSM. I don't think there is a privacy-preserving version of MSM.

Use DPC with non-trivial predicate

How can I use DPC to instantiate the very simple "conserve" predicate required to encode the basic user-defined asset from the reference paper [1]?

I could not figure out how to do this. The current implementation hardcodes an "always accept" predicate and it's unclear how to instantiate the "conserve" predicate: the sum of inputs should equal the sum of outputs.

[1] https://eprint.iacr.org/2018/962

Upgrade dependencies to `arkworks-rs` ecosystem