Atlantic Council
Report Part Title: APPENDIX: CRYPTOGRAPHIC APPROACHES TO THE TRANSPARENT PRIVACY PROBLEM
Report Title: Assessing Blockchain’s Future in Transactive Energy
Report Author(s): Ben Hertz-Shargel and David Livingston
Published by: Atlantic Council (2019)
Stable URL: https://www.jstor.org/stable/resrep24585.10
This content downloaded from 49.207.55.133 on Wed, 03 Apr 2024 01:32:03 +00:00
All use subject to https://about.jstor.org/terms
Assessing Blockchain’s Future in Transactive Energy
APPENDIX: CRYPTOGRAPHIC APPROACHES TO THE TRANSPARENT PRIVACY PROBLEM
Transparent privacy is a vexing challenge for blockchain. Most real-world applications, including transactive energy, involve confidential transaction data, and yet third-party validator nodes require access to this data, at least to the extent that they can verify transaction correctness. These opposing needs arise from blockchain’s ambition to hide confidential data in plain sight, outside of a corporate firewall. The three most prominently proposed techniques for addressing transparent privacy are zero-knowledge proofs, multi-party computation, and secure hardware enclaves. Understanding the capabilities and limitations of these techniques is crucial for assessing the degree to which blockchain can be trusted with confidential data in a transactive energy system and other critical applications.

All three techniques are early stage and have not been attempted in energy-related applications. In order to evaluate their potential for transactive energy, therefore, one is restricted to the handful of present-day blockchain projects to which they have been applied. Zero-knowledge proofs, for example, are the basis of Zcash, a cryptocurrency blockchain that supports private transactions. The details of these transactions are fully encrypted on the blockchain, shielded from public inspection, but the transactions themselves can nevertheless be validated by the network, ensuring for instance that the sender has the required balance of unspent tokens and that the sum of the input notes equals the sum of the output notes. The specific type of zero-knowledge proofs used by Zcash, and anticipated for other blockchains, such as Ethereum, is called a zero-knowledge succinct noninteractive argument of knowledge, or zk-SNARK. The noninteractive aspect is crucial: It means that transactors can simply publish a single proof to be evaluated independently by all network validators, rather than be interrogated by each validator in turn, a requirement of other protocols.

Zk-SNARKs require an elaborate, trusted setup procedure for each confidential algorithm they are to certify, such as Zcash transactions. One or more parties must come together to jointly create cryptographic secrets, which are used to generate a public proving key and validating key for the network. These keys are used going forward by participants to produce and to verify zero-knowledge proofs, certifying invocation of the algorithm on confidential data. It is critical that at least one participant destroy their share of the cryptographic setup secrets in order for the network to be secure, however. The reason is that these secrets, referred to as toxic waste, could be used to generate false proofs, validating malicious transactions such as token counterfeit.

The trusted setup phase can be thought of as concentrating the vulnerability of the algorithm at the moment of its creation. Zcash founders meticulously documented the creation, use, and then destruction of its cryptographic secrets, concluding with the spectacular destruction of the computer hardware involved. In order for zk-SNARKs to become a practical solution for smart contracts and other distributed applications in blockchains, researchers must devise a way to significantly automate this setup phase, without diminishing participants’ confidence in the network. This could be thought of as somewhat akin, in a stylized way, to similar issues in the international governance regime created around nuclear nonproliferation.

To address some of these residual privacy concerns, researchers are pursuing alternative zero-knowledge proofs that do not rely on a trusted setup phase,
surrendering zk-SNARK’s convenient noninteractive property, fast validation time, or general flexibility in order to jettison this requirement.91 Researchers at Stanford University and Visa, for example, have proposed Zether, a confidential transaction payment method that operates as a smart contract within public blockchains, such as Ethereum.92 No trusted setup is required, but its functionality is limited to token transfers, rather than arbitrary business logic, and its zero-knowledge proofs involve a multistep interaction between transaction prover and verifier.

A second challenge facing zk-SNARKs is their computational burden. State-of-the-art proof generation techniques require between one and four times the amount of computation involved in the underlying algorithm being shielded.93 This is not an issue for simple applications like Zcash token transfers, but becomes problematic for more complex and real-time applications, such as those involving electric grid management or market operations. Exacerbating the issue is that the input to the proof generation procedure is the value of every single variable computed in the course of the private algorithm. Modern software execution environments achieve much of their efficiency by intelligently discarding intermediate data once its purpose is served, which implies that private algorithms must be run in special-purpose environments burdened by full auditing, incurring what could be significantly greater runtime.94 On the other hand, many more computational reduction efforts, including Bulletproofs, used by Monero as well as Zether, and Aztec Protocol, are being developed.95 Zether is estimated by its creators to cost the equivalent of around $1.51 per transaction as of early 2019, but this could potentially be ameliorated through small changes to the Ethereum network in which it is traded.96

Multi-party computation (MPC) is another approach to transparent privacy that faces computational cost challenges. In MPC, a network of untrusted computers collectively perform computations on sensitive data without having direct access to it: each node receives a unique cryptographic reference to each secret value, which the node can operate on as if they were the values themselves, and which collectively serve as decoding keys to obtain the result.97 The trick is the transformation from data to reference, which is known in mathematics as a homomorphism: Operations on the reference have the same effect as operations on the data itself, so when the reference is transformed back into data, the result is the same as if the transformation never took place. The MPC nodes work only with the reference data, and therefore perform the desired computation without ever seeing the data underlying it. Multiple nodes are involved in order to protect against errors or manipulation; as with blockchain consensus, a critical number of nodes must collude in order to break the system.

The computational challenges of MPC begin with its expressiveness: the only operations that are supported are the addition and multiplication of cryptographic
91 Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell, “Bulletproofs: Short Proofs for Confidential Transactions and More,” in 2018 IEEE Symposium on Security and Privacy (SP) (IEEE, 2018), 315-334.
92 Benedikt Bünz, Shashank Agrawal, Mahdi Zamani, and Dan Boneh, Zether: Towards Privacy in a Smart Contract World (Stanford, February 20, 2019), https://eprint.iacr.org/2019/191.pdf.
93 B. Parno, J. Howell, C. Gentry, and M. Raykova, “Pinocchio: Nearly Practical Verifiable Computation,” 2013 IEEE Symposium on Security and Privacy, doi:10.1109/sp.2013.47; Jens Groth, “On the Size of Pairing-Based Non-interactive Arguments,” Advances in Cryptology—EUROCRYPT 2016, Lecture Notes in Computer Science (2016), 305-26, doi:10.1007/978-3-662-49896-5_11.
94 Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, and Madars Virza, “SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge,” in Advances in Cryptology—CRYPTO 2013, Lecture Notes in Computer Science (2013), 90-108, doi:10.1007/978-3-642-40084-1_6.
95 Lucas Nuzzi, “Monero Becomes Bulletproof,” DigitalAssetResearch, October 18, 2018, https://medium.com/digitalassetresearch/monero-becomes-bulletproof-f98c6408babf; “AZTEC Protocol,” AZTEC Protocol, https://www.aztecprotocol.com/.
96 Bünz, Agrawal, Zamani, and Boneh, Zether: Towards Privacy in a Smart Contract World.
97 Adi Shamir, “How to Share a Secret,” Communications of the ACM 22, no. 11 (1979): 612-613.
references.98 Zero-knowledge proofs share this limitation, and while these operations do in theory allow for universal computation, in the case of MPC the multiplication of two references—representing, say, energy and price—requires communication between nodes. In comparison, today’s high-performance software is tailored meticulously to the underlying hardware, leveraging calculation rates on the order of billions of floating point operations per second (flops) for graphical processing units, the hardware of choice for large-scale computing.99 Network communication latency is an eternity compared to such optimized numerical operations, and inserting it between every multiplication would effectively grind applications to a halt.

A second computational cost challenge for MPC arises from conditional logic, the if-then-else statements pervasive at all levels of software. Without knowledge of the underlying values, it is impossible for MPC nodes to evaluate questions as simple as whether one number is greater than another, whose result nevertheless governs the remainder of the computation. Nodes must therefore travel every conditional path, computing every possible sequence of operations, whose number grows exponentially with the number of conditionals—an impossibility in real-world applications.100

Despite its practical challenges, MPC is the aspiration of Enigma, a blockchain startup aiming to support self-described secret contracts on public blockchains.101 In the Enigma model, the blockchain manages data access permission and public data, including nonsensitive references to secret data (distinct from the cryptographic references), while the Enigma network is responsible for calculations involving sensitive data.

While Enigma and the cryptography research community work to advance MPC, Enigma has replaced it with a technology that exists today: secure hardware enclaves. Secure enclaves encrypt both computer code and the data it operates on, shielding them from even the computer’s operating system. They offer confidential computing as well as an attestation that the result was produced, as intended, by the enclave, and not a rogue third party. Enigma nodes are required to use Intel chips supporting Software Guard Extensions (SGX), Intel’s implementation of the technology.

Competing secure enclave implementations exist, such as ARM’s TrustZone and Secure Encrypted Virtualization—an enclave for cloud computing—as well as Keystone, an open-source enclave.102 A sequence of high-profile exploits has called the enclave approach to transparent privacy into question, however, revealing that even these carefully protected data environments remain vulnerable.103 Closed source implementations such as SGX and TrustZone also arguably defeat the purpose of blockchain, putting network security in the hands of a single corporate entity, such as Intel.
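The “cryptographic reference” idea described in the MPC paragraphs above, together with the multiplication and conditional-logic costs discussed after it, as an added Python illustration that is not the report’s own code: a Shamir sharing over a prime field (the report cites Shamir for the reference mechanism) can be added locally, but a product of shares lies on a polynomial of twice the degree, so recovering it needs 2t-1 rather than t shares (the extra coordination the text refers to), and an if-then-else has to be computed arithmetically across both branches. The field modulus, the threshold and the energy/price sample values are assumptions.

```python
"""Added illustration (not the report's code): Shamir secret sharing over a prime
field as the 'cryptographic reference' of MPC. Field modulus P is an assumption."""
import secrets

P = 2**61 - 1  # Mersenne prime; all share arithmetic is modulo P

def share(secret, t, n):
    """Split secret into n points on a random degree-(t-1) polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0; needs degree + 1 points to be exact."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def add_shares(a, b):
    """Homomorphic addition: each node adds its own shares, no communication."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]

def mul_shares(a, b):
    """Pointwise product shares a*b but at degree 2(t-1): nodes must then
    talk to each other (degree reduction) before the next multiplication."""
    return [(x, (ya * yb) % P) for (x, ya), (_, yb) in zip(a, b)]

def select_shares(cond, a, b):
    """Branch-free if-then-else: cond*a + (1-cond)*b with cond shared as 0/1.
    Both branches are always evaluated, so nested conditionals multiply the work."""
    not_cond = [(x, (1 - y) % P) for x, y in cond]
    return add_shares(mul_shares(cond, a), mul_shares(not_cond, b))

def demo(energy_kwh, price_cents, t=3, n=5):
    """Returns (energy+price, wrong product from only t shares, product from
    2t-1 shares, selected value), all recovered from shares only."""
    e, p = share(energy_kwh, t, n), share(price_cents, t, n)
    total = reconstruct(add_shares(e, p)[:t])
    prod = mul_shares(e, p)
    wrong = reconstruct(prod[:t])            # degree-4 curve, only 3 points
    right = reconstruct(prod[:2 * t - 1])    # 5 points recover it exactly
    flag = share(1 if energy_kwh > 100 else 0, t, n)  # comparison by data owner, not nodes
    chosen = reconstruct(select_shares(flag, e, p)[:2 * t - 1])
    return total, wrong, right, chosen
```

The comparison that produces `flag` is done in the clear by the data owner because, as the text notes, the nodes themselves cannot compare shared values.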
98 Michael Ben-Or, Avi Wigderson, and Shafi Goldwasser, “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation,” in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing—STOC 88 (May 2-4, 1988), 1–10, https://doi.org/10.1145/62212.62213.
99 Alberto Cano, “A Survey on Graphic Processing Unit Computing for Large-Scale Data Mining,” Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery 8, no. 1 (February 2017), https://doi.org/10.1002/widm.1232.
100 Zyskind, Nathan, and Pentland, “Enigma: Decentralized Computation Platform with Guaranteed Privacy.”
101 Ibid; “Expanding Enigma’s Roadmap: Towards a Privacy Layer for the Decentralized Web,” Enigma, September 20, 2018, https://blog.enigma.co/expanding-enigmas-roadmap-towards-a-privacy-layer-for-the-decentralized-web-f1d6b7908251.
102 “Keystone,” Keystone Project, https://keystone-enclave.org/.
103 Lily Hay Newman, “Critical Flaw Undermines Intel CPUs’ Most Secure Element,” Wired, August 20, 2018, https://www.wired.com/story/foreshadow-intel-secure-enclave-vulnerability/; Richard Chirgwin, “Boffins Show Intel’s SGX Can Leak Crypto Keys,” Register, April 16, 2017, https://www.theregister.co.uk/2017/03/07/eggheads_slip_a_note_under_intels_door_sgx_can_leak_crypto_keys/; Richard Chirgwin, “Foreshadow and Intel SGX Software Attestation: ‘The Whole Trust Model Collapses,’” Register, August 15, 2018, https://www.theregister.co.uk/2018/08/15/foreshadow_sgx_software_attestations_collateral_damage/; Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, and Marcus Peinado, Inferring Fine-Grained Control Flow Inside SGX Enclaves with Branch Shadowing (November 21, 2016); Mohit Kumar, “Researchers Defeat AMD’s SEV Virtual Machine Encryption,” Hacker News, May 28, 2018, https://thehackernews.com/2018/05/amd-sev-encryption.html.