Private Smart Contracts Using Homomorphic Encryption

May 23, 2023

—

Rand Hindi

× ⚠️🚀 Zama released the alpha code and white paper for the fhEVM.
See it on Github here, and please ⭐ star the repo to support our work.

FHE EVM demo - watch video

‍

Homomorphic encryption (FHE) is a technology that enables processing data without decrypting it. This can be used to create private smart contracts on top of public, permissionless blockchains, where only specific users would be able to see the transaction data and contract states. While FHE used to be too slow to be practical, recent breakthroughs are now making this possible in the next couple of years.

‍

Note: this blog post is an updated version of Rand Hindi's presentation during EDCON 2023.

‍

Slide 1/23

‍

Private smart contracts using homomorphic encryption

Slide 2/23

Everything on a blockchain is public

How else would nodes agree on state?

Slide 3/23

This makes web3 unsafe

‍Theft

‍Criminals can see what you own, so they can easily target you and steal your crypto.

‍

Surveillance‍

Governments can surveil you, even if you use multiple addresses.

‍

‍MEV‍

Bots can front-run you, creating a hidden tax on every transaction.

‍

Slide 4/23

Homomorphic Encryption (FHE) enables encrypted data processing

e.g. $ Enc(a) + Enc(b) = Enc(a+b) $ or more generally $ f(Enc(x)) = Enc(f(x)) $.

Slide 5/23

FHE enables privacy in smart contracts while keeping everything on-chain

Encrypted transaction data

Data included in transactions is encrypted and never visible to anyone.

‍

Encrypted state updates

States are updated while remaining encrypted at all times. Not even block producers can see the data.

‍

Encrypted on-chain data

Data stored on-chain remains encrypted end-to-end, even when used by smart contacts.

‍

Slide 6/23

Some cool use cases enabled by FHE

‍Trustless bridges

Use an encrypted key to sign bridge transactions homomorphically.

‍

‍Blind auctions

Great for NFT auctions, RWAs, DeFi darkpools, marketplaces, etc...

‍

‍Confidential voting

Keep choices and token amounts encrypted when voting.

‍

Slide 7/23

ZK is for scalability, FHE is for privacy

Slide 8/23

‍

Slide 9/23

Ciphertext = encrypted data + noise

We need to add random noise to the encrypted data to guarantee security.

Slide 10/23

Problem: noise grows with every operation

If the noise grows too big, it will overwrite bits of data with random ones.

Slide 11/23

On-chain states can be updated indefinitely

This means noise will eventually grow too big and lead to incorrect states.

‍

Slide 12/23

Bootstrapping reduces noise

Bootstrapping is a special operation that resets the noise to its nominal level.

Slide 13/23

How can we compute exact comparisons?

Using additions and multiplications alone can only approximate them.

Slide 14/23

TFHE to the rescue

TFHE is a scheme that enables fast bootstrapping and exact arbitrary computations.

Slide 15/23

FHE is getting exponentially faster

FHE smart contracts are doable today, with a throughput of ~5 tps. FHE ASICs will enable 1,000+ tps at a fraction of the cost.

Zama FHE performance (Million FHE gates/$)

Slide 16/23

‍

A private smart contract protocol using (T)FHE

Slide 17/23

What we want

‍Simple user experience

Users should interact with a private contract the same way they interact with a public one.

‍

Simple developer experience

Developers should not have to learn a new language to write private smart contracts.

‍

Simple integration

Chains should have as little to integrate as possible, and not disrupt their existing ecosystem.

‍

Slide 18/23

FHE token contract in Solidity

Slide 19/23

There are many technical challenges

Access control

How do we selectively decrypt states without a centralized decryption key?

‍

‍Composability

How can contracts be composable without breaking privacy?

‍

‍Performance

How do we increase throughput while keeping block sizes small?

‍

Slide 20/23

Secure the private key with Threshold FHE

Split the secret key amongst validators such that at least 2/3 are needed for decryption.

1. Secret sharing

Generate and distribute pieces of the secret key to each validator.

2. Partial decryption

Each validator then does a partial decryption (or keyswitch).

3. Aggregation

The partial decryptions are aggregated to yield the full decrypted value.

Note: Needs a fixed number of validators such as in DPoS, NPoS, etc..

Slide 21/23

Zero-knowledge proof of input awareness

Users need to submit a proof that they know the value of the encrypted inputs.

1. Encrypt data

Users encrypt the transaction inputs they want to keep secret.

‍

2. Generate proof

They then generate a zero-knowledge proof to show they know the inputs.

‍

3. Validate proof

Validators then check the input proofs before executing transactions.

‍

Slide 22/23

Next: going from 5 tps to 1000+ tps

‍Tranciphering

Tranciphering allows sending encrypted inputs with minimal size expansion vs plaintext.

‍

‍FHE-rollups

Optimistic FHE rollups are already possible, and ZK FHE rollups will be possible within ~3 years.

‍

HW acceleration

FHE hardware accelerators are coming in 2025 and will speedup FHE by 1000x or more.

‍

Slide 23/23

‍

Written by Rand Hindi

‍

Dr Rand Hindi is the CEO at Zama and an investor in 30+ companies across privacy, AI, blockchain, medtech and psychedelics.

Follow Rand on Twitter.

Related Blog Posts

[Video Tutorial] Improving Multiple-GPU Throughput Using TFHE-rs

Tutorials

In this tutorial, Zama team member Agnes Leroy, shows you how to improve multiple-GPU throughput using TFHE-rs.

Zama Bounty Program Season 8

Announcements

Announcing the winning submissions from Season 7 and the new bounties for Season 8.

Call For Builders: Onboard The Next Trillions In DeFi With Confidential Lending

Confidential Blockchain

DeFi is fast, open, and efficient—but too transparent for institutions. What if it offered Swiss-bank-level privacy?

Read more →

Back to blog

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to.Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself.Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy.Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one's identity with assurance when the default is anonymity requires the cryptographic signature.We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor's younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor.We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation's border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one's fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.Onward.Eric Hughes9 March 1993