Private Smart Contracts Using Homomorphic Encryption
Homomorphic encryption (FHE) is a technology that enables processing data without decrypting it. This can be used to create private smart contracts on top of public, permissionless blockchains, where only specific users would be able to see the transaction data and contract states. While FHE used to be too slow to be practical, recent breakthroughs are now making this possible in the next couple of years.
Note: this blog post is an updated version of Rand Hindi's presentation during EDCON 2023.
Everything on a blockchain is public
How else would nodes agree on state?
This makes web3 unsafe
Criminals can see what you own, so they can easily target you and steal your crypto.
Governments can surveil you, even if you use multiple addresses.
Bots can front-run you, creating a hidden tax on every transaction.
Homomorphic Encryption (FHE) enables encrypted data processing
e.g. $ Enc(a) + Enc(b) = Enc(a+b) $ or more generally $ f(Enc(x)) = Enc(f(x)) $.
FHE enables privacy in smart contracts while keeping everything on-chain
Encrypted transaction data
Data included in transactions is encrypted and never visible to anyone.
Encrypted state updates
States are updated while remaining encrypted at all times. Not even block producers can see the data.
Encrypted on-chain data
Data stored on-chain remains encrypted end-to-end, even when used by smart contacts.
Some cool use cases enabled by FHE
Use an encrypted key to sign bridge transactions homomorphically.
Great for NFT auctions, RWAs, DeFi darkpools, marketplaces, etc...
Keep choices and token amounts encrypted when voting.
ZK is for scalability, FHE is for privacy
Ciphertext = encrypted data + noise
We need to add random noise to the encrypted data to guarantee security.
Problem: noise grows with every operation
If the noise grows too big, it will overwrite bits of data with random ones.
On-chain states can be updated indefinitely
This means noise will eventually grow too big and lead to incorrect states.
Bootstrapping reduces noise
Bootstrapping is a special operation that resets the noise to its nominal level.
How can we compute exact comparisons?
Using additions and multiplications alone can only approximate them.
TFHE to the rescue
TFHE is a scheme that enables fast bootstrapping and exact arbitrary computations.
FHE is getting exponentially faster
FHE smart contracts are doable today, with a throughput of ~5 tps. FHE ASICs will enable 1,000+ tps at a fraction of the cost.
What we want
Simple user experience
Users should interact with a private contract the same way they interact with a public one.
Simple developer experience
Developers should not have to learn a new language to write private smart contracts.
Chains should have as little to integrate as possible, and not disrupt their existing ecosystem.
FHE token contract in Solidity
There are many technical challenges
How do we selectively decrypt states without a centralized decryption key?
How can contracts be composable without breaking privacy?
How do we increase throughput while keeping block sizes small?
Secure the private key with Threshold FHE
Split the secret key amongst validators such that at least 2/3 are needed for decryption.
1. Secret sharing
Generate and distribute pieces of the secret key to each validator.
2. Partial decryption
Each validator then does a partial decryption (or keyswitch).
The partial decryptions are aggregated to yield the full decrypted value.
Note: Needs a fixed number of validators such as in DPoS, NPoS, etc..
Zero-knowledge proof of input awareness
Users need to submit a proof that they know the value of the encrypted inputs.
1. Encrypt data
Users encrypt the transaction inputs they want to keep secret.
2. Generate proof
They then generate a zero-knowledge proof to show they know the inputs.
3. Validate proof
Validators then check the input proofs before executing transactions.
Next: going from 5 tps to 1000+ tps
Tranciphering allows sending encrypted inputs with minimal size expansion vs plaintext.
Optimistic FHE rollups are already possible, and ZK FHE rollups will be possible within ~3 years.
FHE hardware accelerators are coming in 2025 and will speedup FHE by 1000x or more.
Dr Rand Hindi is the CEO at Zama and an investor in 30+ companies across privacy, AI, blockchain, medtech and psychedelics.
Follow Rand on Twitter.