Talk at DEPCON, Ethereum 10th Anniversary Event in Tokyo

These are the slides from a talk at DEPCON, the Ethereum 10th-anniversary event held in Tokyo on July 30.

SoraSuegami

August 01, 2025

Transcript

  1. Smart Contract as Powerful as the Laws of Physics

    Just as time cannot be reversed or stopped and the laws of physics never change, so an ideal blockchain cannot be rolled back or halted, and its (non-upgradable) smart contracts cannot be modified.
  2. My core research questions

    1. How can cryptography expand the power of smart contracts?
    2. How can we apply the new power to build useful applications?
  3. iO allows smart contracts to talk with any server privately

    Diagram labels: Alice.eth, 100 ETH, Encrypted Message, Server.
  4. Outline

    1. How iO enables privacy-preserving smart contracts (private smart contracts)
    2. Trust as a bottleneck in a private computation platform
    3. How to make practical iO
  5. Outline

    1. How iO enables privacy-preserving smart contracts (private smart contracts)
    2. Trust as a bottleneck in a private computation platform
    3. How to make practical iO
  6. iO in practice

    Diagram: C̃ := Obf(C); Eval(C̃, x1) → C(x1), Eval(C̃, x2) → C(x2), Eval(C̃, x3) → C(x3).
    (Informal) Any user can evaluate the obfuscated program C̃ on arbitrary input x non-interactively, but no user can learn the secret values/functions inside C̃.
  7. iO in practice with distributed setup

    Diagram: C̃ := Obf(C(K1 + K2 + K3, ·)); Eval(C̃, x1) → C(x1), Eval(C̃, x2) → C(x2), Eval(C̃, x3) → C(x3).
    The functionality itself is public, but some hardcoded private keys (K1, K2, K3) should remain unknown to everyone.
  8. Two formal definitions of "iO" which can support arbitrary circuits

    Indistinguishability Obfuscation: 😁 It can be constructed without heuristic assumptions. 😢 The definition only guarantees that obfuscations of two circuits with the same functionality are indistinguishable.
    Ideal Obfuscation: 😁 The definition guarantees that the obfuscated circuit reveals no more information beyond its input-output pairs. 😢 The construction requires a (pseudo)random oracle, which can be instantiated by a hash function. Hash + Public key encryption [JLL+23]
  9. Private Smart Contract - Interface

    Diagram: Program takes Input (Transaction/Intent) and Current State and outputs New State and Log/Event. Key K: Sign(K, m), Enc(K, m).
  10. iO and Ethereum are complementary

    iO can obfuscate stateless programs (C̃); Ethereum provides trustless persistent state.
  11. Private Smart Contract - Implementation

    Obfuscated circuit design for private smart contracts. Diagram labels: privKey; Enc(x_i), Enc(state_{i-1}) → Decrypt → x_i, state_{i-1}; consensus proof π_i → Verify; C → y_i, state_i; Encrypt with pubKey → Enc(state_i); If true. A signature on Enc(state_i) by privKey can be additionally output.
  12. Private Smart Contract Communicates with a Server Privately

    Diagram labels: State, Private Smart Contract (Key K), Server (Key K), m, m′, Enc(K, m), Enc(K, m′). The shared key K is generated through a key-exchange protocol.
  13. Private Smart Contract Communicates with a TLS Server?

    Diagram labels: State, Private Smart Contract, Relayer = TLS client, TLS Server, Key K, Enc(K, m), Enc(K, m′). The shared key K is generated through a key-exchange protocol.
  14. Outline

    1. How iO enables privacy-preserving smart contracts (private smart contracts)
    2. Trust as a bottleneck in a private computation platform
    3. How to make practical iO
  15. Private matching with iO

    Private Matching: A protocol that keeps each participant's private data hidden while outputting only the optimal match computed from that data.
    • Individual × Individual for dating
    • Job Seeker × Company for recruitment
    • Buyer Company × Supplier for B2B transactions
    • Country × Country for nuclear-fuel swap
    As the matching results are useful not only for cryptocurrency users but also for others, they unlock entirely new segments of users for the Ethereum ecosystem!
  16. Scaling privacy with iO

    The accumulated value of private data increases virtually without limit.
    Chart labels: Data Volume/Value, Users' trust in the platform, Guaranteed Privacy, Growth Rate of Data Volume/Value.
  17. Remaining limitations

    1. Trust assumption in the distributed trusted setup => At least one party needs to be honest (i.e., to discard its randomness after the setup).
    2. Trust assumption in the Ethereum L1 validators => Suppose that the iO evaluation cannot be executed within an MPC in practice; then one of the colluding parties needs to release a consensus proof that includes the list of signing validators.
  18. Building iO

    Diagram: Standard assumptions → iO [JLS21, JLS22, RVV25]; New lattice assumptions → iO [BDGM20, GP21, JLLW23, AKY24a]; Functional encryption → iO [AJ15, BV18].
  19. Building iO

    Diagram: Standard assumptions → iO [JLS21, JLS22, RVV25]; New lattice assumptions → iO [BDGM20, GP21, JLLW23, AKY24a]; Functional encryption → iO [AJ15, BV18].
    Transformation from FE to iO requires costly recursive FE encryption for each input bit, running the FE encryption algorithm as the function evaluated during decryption. Diagram labels: FE.Dec[ ], FE.Enc, x_i, ct(x_i), x_{i+1}, ct(x_{i+1}).
  20. Our Contributions

    Diagram: Standard assumptions → iO [JLS21, JLS22, RVV25]; New lattice assumptions → iO [BDGM20, GP21, JLLW23, AKY24a]; Functional encryption → iO [AJ15, BV18]; Diamond iO [SBP25].
    Diamond iO replaces the recursive FE encryption with simple matrix operations.
  21. Our Contributions

    Diagram: Standard assumptions → iO [JLS21, JLS22, RVV25]; New lattice assumptions → iO [BDGM20, GP21, JLLW23, AKY24a]; Functional encryption → iO [AJ15, BV18]; Diamond iO [SBP25].
    • Use the FE scheme introduced in [AKY] in a non-black-box manner
    • Prove the security under LWE, evasive LWE, and our new lattice assumption (all-product LWE) in the pseudorandom oracle model
    • Confirm that known attacks on evasive LWE do not threaten our construction
  22. References

    • [AJ15] Ananth, P., & Jain, A. (2015, August). Indistinguishability obfuscation from compact functional encryption. In Annual Cryptology Conference (pp. 308-326). Berlin, Heidelberg: Springer Berlin Heidelberg.
    • [BV15] Bitansky, N., & Vaikuntanathan, V. (2015, October). Indistinguishability Obfuscation from Functional Encryption. In 2015 IEEE 56th Annual Symposium on Foundations of Computer Science (pp. 171-190). IEEE.
    • [JLS21] Jain, A., Lin, H., & Sahai, A. (2021, June). Indistinguishability obfuscation from well-founded assumptions. In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing (pp. 60-73).
    • [JLS22] Jain, A., Lin, H., & Sahai, A. (2022, May). Indistinguishability obfuscation from LPN over F_p, DLIN, and PRGs in NC^0. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 670-699). Cham: Springer International Publishing.
    • [BDGM20] Brakerski, Z., Döttling, N., Garg, S., & Malavolta, G. (2020). Candidate iO from Homomorphic Encryption Schemes. In Advances in Cryptology – EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10-14, 2020, Proceedings, Part I (pp. 79-109). Springer International Publishing.
    • [GP21] Gay, R., & Pass, R. (2021, June). Indistinguishability obfuscation from circular security. In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing (pp. 736-749).
    • [RVV25] Ragavan, S., Vafa, N., & Vaikuntanathan, V. (2025). Indistinguishability obfuscation from bilinear maps and LPN variants. In Theory of Cryptography Conference (pp. 3-36). Springer, Cham.
    • [HJL25] Hsieh, Y. C., Jain, A., & Lin, H. (2025). Lattice-based post-quantum iO from circular security with random opening assumption (part II: zeroizing attacks against private-coin evasive LWE assumptions). Cryptology ePrint Archive.
    • [AMY+25] Agrawal, S., Modi, A., Yadav, A., & Yamada, S. (2025). Evasive LWE: attacks, variants & obfustopia. Cryptology ePrint Archive.
    • [AKY24] Agrawal, S., Kumari, S., & Yamada, S. (2024). Compact Pseudorandom Functional Encryption from Evasive LWE. Cryptology ePrint Archive.
    • [BGG+14] Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., & Vinayagamurthy, D. (2014). Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In Advances in Cryptology – EUROCRYPT 2014: 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014, Proceedings (pp. 533-556). Springer Berlin Heidelberg.
    • [JLL+23] Jain, A., Lin, H., Luo, J., & Wichs, D. (2023, August). The pseudorandom oracle model and ideal obfuscation. In Annual International Cryptology Conference (pp. 233-262). Cham: Springer Nature Switzerland.
    • [BDJ+24] Branco, P., Döttling, N., Jain, A., Malavolta, G., Mathialagan, S., Peters, S., & Vaikuntanathan, V. (2024). Pseudorandom Obfuscation and Applications. Cryptology ePrint Archive.
    • [AKY24B] Agrawal, S., Kumari, S., & Yamada, S. (2024). Pseudorandom Multi-Input Functional Encryption and Applications. Cryptology ePrint Archive.
    • [GVW15] Gorbunov, S., Vaikuntanathan, V., & Wee, H. (2015, August). Predicate encryption for circuits from LWE. In Annual Cryptology Conference (pp. 503-523). Berlin, Heidelberg: Springer Berlin Heidelberg.
    • [BTV+17] Brakerski, Z., Tsabary, R., Vaikuntanathan, V., & Wee, H. (2017, November). Private constrained PRFs (and more) from LWE. In Theory of Cryptography Conference (pp. 264-302). Cham: Springer International Publishing.
    • [HLL23] Hsieh, Y. C., Lin, H., & Luo, J. (2023, November). Attribute-based encryption for circuits of unbounded depth from lattices. In 2023 IEEE 64th Annual Symposium on Foundations of Computer Science (FOCS) (pp. 415-434). IEEE.
    • [Wee22] Wee, H. (2022, May). Optimal broadcast encryption and CP-ABE from evasive lattice assumptions. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 217-241). Cham: Springer International Publishing.
    • [GGH+15] Gentry, C., Gorbunov, S., & Halevi, S. (2015). Graph-induced multilinear maps from lattices. In Theory of Cryptography: 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II (pp. 498-527). Springer Berlin Heidelberg.
    • [BUW24] Brzuska, C., Ünal, A., & Woo, I. K. (2024, December). Evasive LWE assumptions: Definitions, classes, and counterexamples. In International Conference on the Theory and Application of Cryptology and Information Security (pp. 418-449). Singapore: Springer Nature Singapore.
    • [Wee24] Wee, H. (2024, August). Circuit ABE with poly(depth, λ)-sized ciphertexts and keys from lattices. In Annual International Cryptology Conference (pp. 178-209). Cham: Springer Nature Switzerland.
    • [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., & Waters, B. (2013, October). Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. In Proceedings of the 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (pp. 40-49).
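A toy model of the obfuscated circuit from slide 11 (Private Smart Contract - Implementation), added here as an example and not code from the talk or its authors. It assumes that one HMAC-SHA256 key stands in for the slide's (pubKey, privKey) pair, that validator signatures on the consensus proof π_i are HMAC tags with an assumed 2/3 quorum, that a Python closure stands in for the iO program that would hide privKey, and that the ledger program `transfer` is an assumed instance of C; the point it shows is that the circuit checks the consensus proof before decrypting, so only a previous state attested by L1 validators can be advanced and a stale or tampered ciphertext is refused.

```python
import hashlib, hmac, json, os

# Added toy model of the slide-11 circuit, not the talk's code. Assumptions: one HMAC
# key stands in for (pubKey, privKey); validator "signatures" are HMAC tags; a closure
# stands in for the iO program that would hide priv_key; quorum rule 2/3 is assumed.

def _ks(key, nonce, n):  # keystream: HMAC in counter mode
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def enc(key, msg):  # encrypt-then-MAC; stands in for Enc(pubKey, m)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _ks(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):  # stands in for Decrypt(privKey, c); rejects tampered blobs
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def consensus_proof(validators, ct_state, signers):  # stand-in for pi_i
    h = hashlib.sha256(ct_state).digest()
    return {"state_hash": h, "sigs": {v: hmac.new(validators[v], h, hashlib.sha256).digest()
                                     for v in signers}}

def verify_consensus(validators, ct_state, proof, quorum=2 / 3):
    h = hashlib.sha256(ct_state).digest()
    ok = [v for v, s in proof["sigs"].items() if v in validators and proof["state_hash"] == h
          and hmac.compare_digest(s, hmac.new(validators[v], h, hashlib.sha256).digest())]
    return len(ok) >= quorum * len(validators)

def make_obfuscated_circuit(priv_key, validators, program):
    """Returns Eval(C~, .) for C(privKey, .); priv_key never leaves this closure."""
    def step(ct_x, ct_prev_state, proof):
        # Only a previous state attested by an L1 validator quorum can be advanced.
        if not verify_consensus(validators, ct_prev_state, proof):
            raise ValueError("consensus proof rejected")
        state, x = json.loads(dec(priv_key, ct_prev_state)), json.loads(dec(priv_key, ct_x))
        new_state, y = program(state, x)  # y_i is the public log/event
        return enc(priv_key, json.dumps(new_state).encode()), y
    return step

def transfer(state, x):  # assumed program C: private ledger, only ok/rejected is public
    bal = dict(state)
    if bal.get(x["from"], 0) < x["amount"]:
        return bal, "rejected"
    bal[x["from"]] -= x["amount"]
    bal[x["to"]] = bal.get(x["to"], 0) + x["amount"]
    return bal, "ok"
```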