《enigma_full.pdf》由会员分享,可在线阅读,更多相关《enigma_full.pdf(14页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、Enigma: Decentralized Computation Platform withGuaranteed PrivacyGuy ZyskindOz NathanAlex Sandy PentlandAbstractA peer-to-peer network, enabling different parties to jointly store and run compu-tationsondatawhilekeepingthedatacompletelyprivate. Enigmascomputationalmodel is based on a highly optimize
2、d version of secure multi-party computation,guaranteed by a verifiable secret-sharing scheme. For storage, we use a modi-fied distributed hashtable for holding secret-shared data. An external blockchainis utilized as the controller of the network, manages access control, identities andserves as a ta
3、mper-proof log of events. Security deposits and fees incentivize oper-ation, correctness and fairness of the system. Similar to Bitcoin, Enigma removesthe need for a trusted third party, enabling autonomous control of personal data.For the first time, users are able to share their data with cryptogr
4、aphic guaranteesregarding their privacy.1MotivationSince early human history, centralization has been a major competitive advantage. Societies withcentralized governance were able to develop more advanced technology, accumulate more resourcesand increase their population faster 1. As societies evolv
5、ed, the negative effects of centralizationof power were revealed: corruption, inequality, preservation of the status quo and abuse of power.As it turns out, some separation of powers 2 is necessary. In modern times, we strive to find abalance between the models, maximizing output and efficiency with
6、 centralized control, guarded bychecks and balances of decentralized governance.The original narrative of the web is one of radical decentralization and freedom3. During the lastdecade, the webs incredible growth was coupled with increased centralization. Few large compa-nies now own important junct
7、ures of the web, and consequently a lot of the data created on theweb. The lack of transparency and control over these organizations reveals the negative aspects ofcentralization once again: manipulation 4, surveillance 5, and frequent data breaches 6.Bitcoin 9 and other blockchains 10 (e.g., Ethere
8、um) promise a new future. Internet applicationscan now be built with a decentralized architecture, where no single party has absolute power andcontrol. The public nature of the blockchain guarantees transparency over how applications workand leaves an irrefutable record of activities, providing stro
9、ng incentives for honest behavior. Bitcointhe currency was the first such application, initiating a new paradigm to the web.The intense verification and public nature of the blockchain limits potential use cases, however.Modern applications use huge amounts of data, and run extensive analysis on tha
10、t data. This re-striction means that only fiduciary code can run on the blockchain 7. The problem is, much ofthe most sensitive parts of modern applications require heavy processing on private data. In theircurrent design, blockchains cannot handle privacy at all. Furthermore, they are not well-suit
11、ed forheavy computations. Their public nature means private data would flow through every full node onthe blockchain, fully exposed.guyzmit.edu, , pentlandmit.edu1There is a strange contradiction in this setup. The most sensitive, private data can only be stored andprocessed in the centralized, less
12、 transparent and insecure model. We have seen this paradigm leadto catastrophic data leaks and the systematic lack of privacy we are currently forced to accept in ouronline lives.2EnigmaEnigma is a decentralized computation platform with guaranteed privacy. Our goal is to enabledevelopers to build p
13、rivacy by design, end-to-end decentralized applications, without a trustedthird party.Enigma is private. Using secure multi-party computation (sMPC or MPC), data queries are com-puted in a distributed way, without a trusted third party. Data is split between different nodes, andthey compute function
14、s together without leaking information to other nodes. Specifically, no singleparty ever has access to data in its entirety; instead, every party has a meaningless (i.e., seeminglyrandom) piece of it.Enigma is scalable. Unlike blockchains, computations and data storage are not replicated by everynod
15、e in the network. Only a small subset perform each computation over different parts of the data.The decreased redundancy in storage and computations enables more demanding computations.The key new utility Enigma brings to the table is the ability to run computations on data, withouthaving access to
16、the raw data itself. For example, a group of people can provide access to theirsalary, and together compute the average wage of the group. Each participant learns their relativeposition in the group, but learns nothing about other members salaries. It should be made clearthat this is only a motivati
17、ng example. In practice, any program can be securely evaluated whilemaintaining the inputs a secret.Today, sharing data is an irreversible process; once it is sent, there is no way to take it back or limithow it is used. Allowing access to data for secure computations is reversible and controllable,
18、 sinceno one but the original data owner(s) ever see the raw data. This presents a fundamental change incurrent approaches to data analysis.3Design overviewEnigma is designed to connect to an existing blockchain and off-load private and intensive compu-tations to an off-chain network. All transactio
19、ns are facilitated by the blockchain, which enforcesaccess-control based on digital signatures and programmable permissions.Code is executed both on the blockchain (public parts) and on Enigma (private or computationallyintensive parts). Enigmas execution ensures both privacy and correctness, wherea
20、s a blockchainalone can only ensure the latter. Proofs of correct execution are stored on the blockchain and can beaudited. We supply a scripting language for designing end-to-end decentralized applications usingprivate contracts, which are a more powerful variation of smart contracts that can handl
21、e privateinformation (i.e., their state is not strictly public).The scripting language is also turing-complete, but this is not as important as its scalability. Codeexecution in blockchains is decentralized but not distributed, so every node redundantly executes thesame code and maintains the same p
22、ublic state. In Enigma, the computational work is efficientlydistributed across the network. An interpreter breaks down the execution of a private contract,as is illustrated in Figure 1, resulting in improved run-time, while maintaining both privacy andverifiability.The off-chain network solves the
23、following issues that blockchain technology alone cannot handle:1. Storage. Blockchains are not general-purpose databases. Enigma has a decentralized off-chain distributed hash-table (or DHT) that is accessible through the blockchain, whichstores references to the data but not the data themselves. P
24、rivate data should be encryptedon the client-side before storage and access-control protocols are programmed into theblockchain. Enigma provides simple APIs for these tasks in the scripting language.2BlockchainEnigmaf : X YopipublicprivateFigure 1: Code execution model.2. Privacy-enforcing computati
25、on. Enigmas network can execute code without leaking theraw data to any of the nodes, while ensuring correct execution. This is key in replacing cur-rent centralized solutions and trusted overlay networks that process sensitive business logicin a way that negates the benefits of a blockchain. The co
26、mputational model is describedin detail in section 5.3. Heavy processing. Even when privacy is not a concern, the blockchain cannot scale toclearing many complex transactions. The same off-chain computational network is used torun heavy publicly verifiable computations that are broadcast through the
27、 blockchain.4Off-chain storageOff-chain nodes construct a distributed database. Each node has a distinct view of shares and en-crypted data so that the computation process is guaranteed to be privacy-preserving and fault tol-erant. It is also possible to store large public data (e.g., files) unencry
28、pted and link them to theblockchain. Figure 2 illustrates the database view of a single node.sharesencrypted datapublic dataFigure 2: A nodes local view of the off-chain data.On a network level, the distributed storage is based on a modified Kademlia DHT protocol 11with added persistence and secure
29、point-to-point channels, simulated using a broadcast channel andpublic-key encryption. This protocol assists in distributing the shares in an efficient manner. Whenstoring shares, the original Kademlia distance metric is modified to take into account the preferentialprobability of a node.35Privacy-e
30、nforcing computationIn this section, we describe Enigmas computational model. We begin with a brief introductionto publicly verifiable secure MPC based on state-of-the-art advances in cryptography. Then, wedescribe a series of performance improvements to secure MPC that makes the technology practica
31、leven when the network is large: hierarchical secure MPC, network reduction and adaptable circuits.To use Enigma, developers write high-level code, where public parts are executed on the blockchainand private parts are run off-chain, on Enigmas platform. We call these private contracts, since theyar
32、e smart contracts that can handle private information.5.1Overview of secure multi-party computation5.1.1Privacy (passive adversaries)Yao introduced the first solution to secure two-party computation protocols in 1982 12. In thesame paper, Yao suggested the popular millionaire problem, describing two
33、 millionaires interested inknowing which one of them is richer, without revealing their actual net worth. In the decades since,the two-party problem has been generalized to MPC, which refers to the n-party case. For general-purpose MPC, in which every protocol could be composed from a circuit of ele
34、mentary MPC gates,two major approaches have been developed over the years: Yaos garbaled (boolean) circuits 13and MPC based on secret sharing. The latter has been more commonly used in production systems(e.g., 14 and 15) and is our focus as well.A threshold cryptosystem is defined by (t + 1,n) thres
35、hold, where n is the number of partiesand t + 1 is the minimal number of parties required to decrypt a secret encrypted with thresholdencryption. Secret sharing is an example of a threshold cryptosystem, where a secret s is dividedamong n, s.t. at least t+1 are required to reconstruct s. Any subset
36、of t parties cannot learn anythingabout the secret. A linear secret-sharing scheme (or LSSS) partitions a secret to shares such that theshares are a linear combination of the secret. Shamirs secret sharing (or SSS) is an example of aLSSS, which uses polynomial interpolation and is secure under a fin
37、ite field Fp16. Specifically,to share a secret s, we select a random t degree polynomial q(x) q(x) = a0+ a1x + + atxt,(1)a0= s,ai U(0,p 1).(2)The shares are then given byi 1,n : spi= q(i).(3)Then, given any t+1 shares, q(x) could be trivially reconstructed using Lagrange interpolation andthe secret
38、s recovered using s = q(0). Since SSS is linear, it is also additively homomorphic, soaddition and multiplication by a scalar operations could be performed directly on the shares withoutinteraction. Formally c s = reconstruct(cspit+1in),(4)s1+ s2= reconstruct(s1pi+ s2pit+1in).(5)Multiplication of tw
39、o secrets s1and s2is somewhat more involved. If each party would attempt tolocally compute the product of two secrets, they would collectively obtain a polynomial of degree 2t,requiring a polynomial reduction step (2t t). For an information theoretic setting, this result addsan honest majority const
40、raint (i.e., t n2) on privacy and correctness. If we bound the adversaryscomputational power, both properties are assured for any number of corrupted parties, but fairnessand deciding on an output still requires an honest majority 17.As to performance, a re-sharing step is required in the degree red
41、uction step, implying all partiesmust interact with all other parties (O(n2) communications). This makes MPC impractical foranything larger than a small constant number of parties n. While optimized solutions exist for4improving the amortized complexity, they are based on assumptions that restrict f
42、unctionality inpractice. Conversely, we describe a generic solution to this problem for any functionality in Section5.2, which makes secure MPC feasible for arbitrarily large networks.Note that with secure addition and multiplication protocols, we can construct a circuit for any arith-metic function
43、. For turing-completeness, we need to handle control flow as well. For conditionalstatements involving secret values, this means evaluating both branches and for dynamic loops weadd randomness to the execution. Our general-purpose MPC interpreter is based on these core con-cepts and other optimizati
44、ons presented throughout the paper.5.1.2Correctness (malicious adversaries)So far we have discussed the privacy property. Liveness, namely that computations will terminateand the system will make progress, is also implied given an honest majority, since it is all that isneeded for reconstruction of
45、intermediate and output values. However, in the current frameworkthere are no guarantees about the correctness of the output; party picould send an invalid resultthroughout the computation process which may invalidate the output. While BGW 17 presentedan information-theoretic solution to verifiable
46、MPC, its practical complexity could be as bad asO(n8), given a naive implementation ?.Therefore, our goal is to design an MPC framework that is secure against malicious adversaries buthas the same complexity of the semi-honest setting (O(n2). Later, we would further optimize thisas well.Very recentl
47、y, Baum et al. developed a publicly auditable secure MPC system that ensures correct-ness, even when all computing nodes are covertly malicious, or all but a single node are activelymalicious 18. Their state-of-the-art results are based on a variation of SPDZ (pronounced speedz)19 and depend on a pu
48、blic append-only bulletin board, which stores the trail of each computation.This allows any auditing party to check the output is correct by comparing it to the public ledgerstrail of proofs. Our system uses the blockchain as the bulletin board, thus our overall security isreduced to that of the hos
49、ting blockchain.SPDZ. A protocol secure against malicious adversaries (with dishonest majority), providing cor-rectness guarantees for MPC. In essence, the protocol is comprised of an expensive offline (pre-processing) step that uses somewhat homomorphic encryption (or SHE) to generate shared ran-do
50、mness. Then, in the online stage, the computation is similar to the passive case and there is noexpensive public-key cryptography involved. In the online stage, every share is represented by theadditive share and its MAC, as follows:hsipi= (spi,(s)pi), s.t. (s) = s,(6)where is a fixed secret shared