Privacy 3.0: Encryption tools for the decentralized web

in #encryption · 6 years ago

Many organizations rely on cryptography to protect our privacy, and we have long trusted them to encrypt our personal data rigorously and responsibly. But when what should never happen does happen (HealthNet, Equifax, Cambridge Analytica), we are forced to confront our dependency on these third parties.

As decentralized networks, blockchains offer a way to bypass centralized institutions and remove the need to trust a single party. This means greater transparency, since every node in the network sees and validates each transaction. But that same transparency also makes user activity far more exposed. Without an appropriate privacy-preserving layer, users of a blockchain's decentralized infrastructure can suffer from the very transparency it provides.

Bitcoin's privacy model: the pseudonym as a decoy
Bitcoin is the blockchain's most popular application, and many of its descendants share its privacy model. The network stores no IP addresses and no personal information. Instead it relies on cryptographic pseudonyms, the addresses, to protect the identities of its users. A user, let's call him Dorian, generates a new address every time he receives a payment. Dorian hands the payer this fresh address, which has no history, so the payer cannot infer much about Dorian.

The trouble starts when Dorian spends his money. A Bitcoin transaction often has several inputs and several outputs, and an observer can make the following assumptions (not always true, as we will see later):

When a transaction has several inputs, they all belong to the same person (the common-input-ownership heuristic).
When a transaction has two outputs, one goes to the recipient and the other is change returned to the sender (a new unspent transaction output, or UTXO).
A bad actor can walk the transaction graph and cluster addresses that probably belong to the same person. All it then takes to expose an account holder is to associate one of these pseudonyms with a real identity; the rest unravels like pulling on a loose thread.

Concretely, when you reveal your identity along with a payment, the payee can estimate your balance and track your future transactions. More worryingly, the payee may not be the one spying on you: an ICO can be subpoenaed, an exchange can be hacked, or a shopping site can run curious cookies.

Machines and analysis algorithms are far better at data mining than humans. They can scrape social networks, combine multiple data sources, and build a probabilistic model that links addresses to identities. In practice, the privacy model our ecosystem inherited from Bitcoin is very weak.

Dorian happens to be passionate about blockchains. He writes a Medium article that ends with a "please tip" section and a "please follow me on Twitter" section. You guessed it: there is a BTC address, the same one he uses in his signature on his favorite forum, which, you might think, only compromises his own privacy. You send him a tip (because you like his work) and a private message on Twitter to thank him for his efforts. He wants to return the favor and tells the world how generous you are: "Thanks @xxxxxxxxxxxxxxxxx for the tip." Thanks to Dorian, you are now exposed too. A simple algorithm lists the incoming transactions to Dorian's tip address, filters them by time window (say, between his article and his tweet) and links the senders to your identity. Today, sophisticated tools using machine learning and clustering techniques can be built to deanonymize most blockchains.
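The two heuristics above, plus the time-window correlation on Dorian's tip address, as an added example that is not code from the original article. Every transaction, address, amount and timestamp is constructed for illustration. The example also shows the exception hinted at ("not always true"): a CoinJoin-style transaction with several equal-valued outputs is skipped, because merging its inputs would wrongly glue unrelated people into one cluster.

```python
"""Address clustering and tip-timing correlation on a toy transaction graph.

Added example, not code from the original article. All data is constructed.
An address may hold several UTXOs, so it can appear as an input more than once.
"""
from collections import defaultdict

# (txid, timestamp, inputs, outputs); inputs/outputs are (address, sats).
TXS = [
    ("t0", 50, [("E1", 10_000)], [("M1", 10_000)]),                      # M1: a reused merchant address
    ("t1", 100, [("A1", 100_000), ("A2", 50_000)], [("M1", 120_000), ("A3", 30_000)]),
    ("t2", 200, [("B1", 80_000)], [("M1", 60_000), ("B2", 20_000)]),
    # CoinJoin-style: three participants, three equal-valued outputs.
    ("t3", 300, [("A3", 30_000), ("C1", 30_000), ("D1", 30_000)],
     [("X1", 29_500), ("X2", 29_500), ("X3", 29_500)]),
    ("t4", 400, [("A2", 5_000)], [("TIP", 5_000)]),                      # tip to Dorian
    ("t5", 500, [("B2", 7_000)], [("TIP", 7_000), ("B3", 13_000)]),       # tip plus change
    ("t6", 700, [("C1", 1_000)], [("TIP", 1_000)]),                      # after the tweet
]


class UnionFind:
    """Disjoint sets of addresses; union() records 'same owner' evidence."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx):
    """Several inputs and at least two outputs of identical value."""
    _, _, inputs, outputs = tx
    amounts = [amt for _, amt in outputs]
    return len(inputs) >= 2 and any(amounts.count(a) >= 2 for a in set(amounts))


def cluster_addresses(txs, skip_coinjoin=True):
    """Return a set of frozensets, each one a group of probably co-owned addresses."""
    uf = UnionFind()
    seen = set()  # addresses that appeared in any earlier transaction
    for tx in sorted(txs, key=lambda t: t[1]):
        _, _, inputs, outputs = tx
        in_addrs = [a for a, _ in inputs]
        out_addrs = [a for a, _ in outputs]
        if not (skip_coinjoin and looks_like_coinjoin(tx)):
            # Heuristic 1: all inputs of a transaction share an owner.
            for a in in_addrs[1:]:
                uf.union(in_addrs[0], a)
            # Heuristic 2: in a two-output transaction, the single never-seen
            # output is the freshly generated change address of the sender.
            if len(outputs) == 2:
                fresh = [a for a in out_addrs if a not in seen]
                if len(fresh) == 1:
                    uf.union(in_addrs[0], fresh[0])
        seen.update(in_addrs)
        seen.update(out_addrs)
    groups = defaultdict(set)
    for a in list(uf.parent):
        groups[uf.find(a)].add(a)
    return {frozenset(g) for g in groups.values()}


def cluster_of(clusters, addr):
    for c in clusters:
        if addr in c:
            return c
    return frozenset({addr})


def tippers_in_window(txs, clusters, tip_addr, start, end):
    """Clusters that paid tip_addr between start and end (e.g. article and tweet)."""
    senders = set()
    for _, ts, inputs, outputs in txs:
        if start <= ts <= end and any(a == tip_addr for a, _ in outputs):
            senders.add(cluster_of(clusters, inputs[0][0]))
    return senders


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("clusters:", [sorted(c) for c in clusters])
    print("tipped Dorian in window:", [sorted(c) for c in tippers_in_window(TXS, clusters, "TIP", 150, 600)])
```

With the CoinJoin skip disabled, t3 drags C1 and D1 into Alice's cluster, which is exactly the false positive mixing services aim to create for an analyst; with it enabled, the window query still returns Alice's and Bob's clusters, so the tweet alone is enough to pin a whole cluster on one identity.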

The gossip protocol: understanding network patterns through honeypot nodes
Another concern is the analysis of the metadata of our personal communications (the most infamous evidence in Edward Snowden's revelations about the NSA surveillance program PRISM). In a study of the anonymity of the Bitcoin network, researchers collected data by running a honeypot node. At the time, that node had more peer connections than blockchain.info.

The study highlighted several patterns. Sometimes a computer relayed a single transaction, which probably indicated an association between an IP address and a BTC address. Another pattern was tied to software upgrades: they seemed to trigger a wave of transactions from a single IP address. These heuristics helped map more than 1,000 IP addresses to BTC addresses, which at the time represented about 2% of the network. That research was conducted five years ago, an eternity in the crypto space. The more transactions a blockchain accumulates, the more entropy it leaks and the easier it becomes to link addresses to identities.

Maintaining isolated "wallets" under various pseudonyms is a laborious task for us humans. We naturally favor a single address for receiving payments. Ethereum currently embraces this account model. It encourages us to reuse the same address for all our transactions, which means its default privacy properties are worse than Bitcoin's.

The need for privacy on blockchains is legitimate and vital for every application (decentralized applications on Ethereum), not only for banking and financial transactions. A voting system must keep each ballot secret. A supply-chain deployment should conceal the business relationships between participants. An ERC-20 token transfer should hide the value and the participants while still guaranteeing that the total supply is conserved.

Privacy-preserving systems
We need privacy standards for the industry, and a clear view of the trade-offs we are willing to make. For asset transfers (cryptocurrencies, ERC-20 tokens), good privacy means preserving the confidentiality of the transaction graph: transactions must be unlinkable and untraceable, and participants must remain anonymous. CryptoNote spelled out these standards for a privacy-preserving system:

Unlinkability: for any two outgoing transactions, it is impossible to prove that they were sent to the same person.
Untraceability: for each incoming transaction, all possible senders are equiprobable.
Let's bring this back to the ledger metaphor. We would see lines appear (debit, credit, balance) without knowing who is involved. One way to get there is a mixing service (more details later). However, that information can be joined with a non-blockchain data source, and the privacy shield may not hold. We need more: we need to hide the amounts. The "line that appears" must disclose neither the participants nor the amounts, yet it must carry the data that guarantees a consistent ledger state.

The system must ensure that we neither create assets out of thin air nor double-spend. An anonymous scheme that does exactly this is Zerocash. From the blockchain's point of view, this means we no longer store the world state. We store proofs that the world state is consistent and that state transitions are valid. It becomes the user's responsibility to maintain their own world state.

It is important to note that a significant part of this work goes into hiding transaction data, amounts in particular: mixing services, confidential transactions, zero-knowledge proofs. Unfortunately, these constructions do not generalize well to arbitrary computation.
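The "hide the amounts but keep the ledger consistent" requirement in the paragraphs above is what Pedersen commitments deliver, and the following added example (not code from the original article, nor from Zerocash, Mimblewimble or Monero) shows it concretely: amounts are committed, the verifier checks that inputs equal outputs plus a public fee without learning any amount, and the last function shows why Confidential Transactions and Mimblewimble must add range proofs on top. The 64-bit safe-prime group generated on the fly is an assumption for a runnable demo and is far too small for real use.

```python
"""Pedersen commitments with a conservation-of-value check.

Added example, not code from the original article. Toy 64-bit group: the
construction is the one behind Confidential Transactions, the size is not.
"""
import hashlib
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed pseudo-random witnesses (enough for a demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Return (p, q, g, h) with p = 2q + 1; g and h generate the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # a square mod p, hence of order q
    # h is hash-derived so nobody knows log_g(h); knowing it would let a
    # prover open one commitment to two different amounts (binding breaks).
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % p, 2, p)
    assert h not in (0, 1, g)
    return p, q, g, h


P, Q, G, H = safe_prime_group()


def commit(value, blinding):
    """C = g^value * h^blinding. A fresh blinding makes C look uniformly random."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def build_transaction(input_values, output_values, fee, rng):
    """Sender side: commit to every amount; publish only fee and blinding excess."""
    ins = [(v, rng.randrange(1, Q)) for v in input_values]
    outs = [(v, rng.randrange(1, Q)) for v in output_values]
    excess = (sum(r for _, r in ins) - sum(r for _, r in outs)) % Q
    return {
        "inputs": [commit(v, r) for v, r in ins],
        "outputs": [commit(v, r) for v, r in outs],
        "fee": fee,  # fees stay public, as in Confidential Transactions
        "excess": excess,
    }


def verify_conservation(tx):
    """Verifier side: check sum(in) == sum(out) + fee without seeing any amount.

    prod(C_in) / prod(C_out) = g^(sum v_in - sum v_out) * h^excess, so the
    equation holds exactly when the hidden g-exponent equals the public fee.
    """
    prod_in = prod_out = 1
    for c in tx["inputs"]:
        prod_in = prod_in * c % P
    for c in tx["outputs"]:
        prod_out = prod_out * c % P
    return prod_in == prod_out * pow(G, tx["fee"], P) * pow(H, tx["excess"], P) % P


def wraparound_loophole(rng):
    """Why range proofs are mandatory: an output of 'minus 10' (Q - 10) balances
    an 80-unit input against a 90-unit output, creating value from nothing."""
    return verify_conservation(build_transaction([80], [90, Q - 10], 0, rng))


def demo(seed=7):
    """Honest transfer, inflated outputs, and the wraparound: (True, False, True)."""
    rng = random.Random(seed)
    honest = verify_conservation(build_transaction([50, 30], [70, 5], 5, rng))
    inflated = verify_conservation(build_transaction([50, 30], [70, 20], 5, rng))
    return honest, inflated, wraparound_loophole(rng)


if __name__ == "__main__":
    print(demo())
```

The verifier never sees 50, 30, 70 or 5; it sees four group elements, a fee and one scalar. The third result is the caveat: without a range proof on every output, the homomorphic check is satisfied by a "negative" amount, so conservation of supply is only guaranteed once each committed value is also proven to lie in [0, 2^n).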

An anonymous computation layer for Ethereum
The ledger is only one application of blockchains. So, if a blockchain is not a ledger, what is it?

Projects like Ethereum make the protocol programmable. Ethereum adds a computation layer through smart contracts and the Ethereum Virtual Machine. A smart contract can implement a ledger, a voting system, a game, and more; the possibilities are limitless, and that is part of the excitement around blockchains.

A blockchain is a state-machine replication protocol, producing a linearly ordered log across many peers.

Things get more complicated when we try to address confidentiality for this computation layer. There are two ways to look at it: either compute in the open (and make sure the executor of a computation cannot understand what it is computing), or compute off-chain and prove that we did it right.

These problems have been studied for the past 30 years and involve a variety of topics:

Secure Multiparty Computation (SMPC)
Trusted Execution Environments (TEE)
Verifiable computation
Fully Homomorphic Encryption (FHE)
Indistinguishability Obfuscation (iO)
Zero-knowledge proofs
Running obfuscated smart contracts seems ideal but may not be practical. For example, computing a simple zk-SNARK (a zero-knowledge proof) can take more than a minute. Verifying the proof on the Ethereum mainnet may cost more than 1M gas. At today's rate, that is about $3 in transaction fees.

An FHE public key offering security comparable to a 2048-bit RSA key weighs around 2 GB. The ciphertexts suffer the same blow-up and become a burden.

On paper, the approach with the least overhead would be the TEE. Several projects in the space (Enigma, Corda, Sawtooth) have chosen to make Intel SGX a first-class citizen. Smart-contract obfuscation would be achieved by trusting the hardware to hide what it does (even from its owner) and to provide an attestation of which program it is running. Currently, Intel's servers must be contacted to verify that attestation. TEEs are something we are very excited about, and we are watching to see how they evolve after the recently disclosed vulnerabilities: cache attacks, Spectre (a hardware patch, anyone?).

Current privacy-preserving methods
How practical are privacy systems? How do they handle encryption in transit, encryption at rest, network analysis and metadata? Are they suited to private or public networks? I observe the following categories:

Mixing services
The general idea behind mixing services is that if many peers agree to combine their inputs and outputs in the same transaction, nobody can tell which input is associated with which output. Various protocols rely on mixing, such as Blindcoin, CoinJoin, CoinShuffle, XIM and TumbleBit.

Anonymous cryptography
These schemes can hide the origin, the destination and the transaction amounts using cryptographic tools such as zero-knowledge proofs, Pedersen commitments and ring signatures. On-chain cryptographic approaches include Zerocash, Mimblewimble and the Monero protocol.

Secure Multiparty Computation (SMPC)
In SMPC, a number of participants p1, p2, ..., pN each hold private data d1, d2, ..., dN. They want to compute the value of a public function on these private inputs, F(d1, d2, ..., dN), while keeping their own inputs secret. One way this can be applied to smart-contract execution is to express the computation as a Boolean circuit built from AND and NOT gates. The circuit operates on encrypted (or secret-shared) data and produces a result readable by only one party. Techniques under this umbrella include secret-sharing schemes, Enigma, Hawk and fully homomorphic encryption. TrueBit aims at correct computation through economic incentives, but it does little for privacy.

Off-chain constructions
One way to preserve privacy is not to use the main chain for confidential transactions at all. The logic is straightforward: if several parties want to transact privately, they do so on a private network and settle on the main network only when necessary. State channels, Plasma, sharding, private consortium networks or sidechains all fit this description. The computation happens on a separate network and only the result lands on the main network. As uPort has shown, off-chain constructions are also exposed to future attacks. A blockchain is permanent: data encrypted with today's algorithms may be at risk a decade from now!

Towards an anonymous blockchain construction
A powerful, general and fully anonymous blockchain construction has yet to be built. The ZKP conference at MIT last week looks like a big step in the right direction.
