zkLedger: Privacy-Preserving Auditing for Distributed Ledgers
Paper: https://www.usenix.org/system/files/conference/nsdi18/nsdi18-narula.pdf
Abstract
Distributed ledgers (e.g. blockchains) enable financial institutions to efficiently reconcile cross-organization transactions. For example, banks might use a distributed ledger as a settlement log for digital assets. Unfortunately, these ledgers are either entirely public to all participants, revealing sensitive strategy and trading information, or are private but do not support third-party auditing without revealing the contents of transactions to the auditor. Auditing and financial oversight are critical to proving institutions are complying with regulation.
This paper presents zkLedger, the first system to protect ledger participants’ privacy and provide fast, provably correct auditing. Banks create digital asset transactions that are visible only to the organizations party to the transaction, but are publicly verifiable. An auditor sends queries to banks, for example “What is the outstanding amount of a certain digital asset on your balance sheet?” and gets a response and cryptographic assurance that the response is correct. zkLedger has two important benefits over previous work. First, zkLedger provides fast, rich auditing with a new proof scheme using Schnorr-type noninteractive zero-knowledge proofs. Unlike zk-SNARKs, our techniques do not require trusted setup and only rely on widely-used cryptographic assumptions. Second, zkLedger provides completeness; it uses a columnar ledger construction so that banks cannot hide transactions from the auditor, and participants can use rolling caches to produce and verify answers quickly. We implement a distributed version of zkLedger that can produce provably correct answers to auditor queries on a ledger with a hundred thousand transactions in less than 10 milliseconds.
1 Introduction
Institutions engage trusted third-party auditors to prove that they are complying with laws and regulation. Traditionally this is done by auditing companies like Deloitte, Pricewaterhouse Coopers, Ernst and Young, and KPMG (known as the “Big Four”), which together audit 99% of the companies in the S&P 500 [19]. This type of auditing is laborious and time-consuming, so regulators and investors do not get real-time access to information about the financial status of institutions. In addition, trusted third parties can make mistakes. The most well-known example of this is the collapse of Arthur Anderson in 2002, after it failed to catch Enron’s $100 billion accounting fraud.
* Work completed at the MIT Media Lab.
† Source code and full version of the paper: zkledger.org.
Recently, financial institutions are exploring distributed ledgers (or blockchains) to reduce verification and reconciliation costs in an environment with multiple distrusting parties. Distributed ledgers enable real-time validation by all participants (known as public verifiability), but at the cost of privacy—every participant must download all transactions in order to verify their integrity. This is untenable for institutions that rely on secrecy to protect strategy and intellectual property (e.g. trading strategies), and for organizations that have to comply with laws and regulation around data privacy (for example, the General Data Protection Regulation in Europe [24]).
Distributed ledgers that support privacy generally operate in one of two ways: either by only committing to hashes of transactions on the ledger, using trusted third parties to independently verify transactions [22, 23], or by using cryptographic commitment schemes to hide the content of transactions [17, 42, 47, 51]. The former class of ledgers suffers from the fact that participants can no longer verify the integrity of private transactions, eliminating the distributed ledger benefit. The latter class still has public verifiability, but either reveals the transaction graph [17, 42] or requires trusted setup, which, if compromised, would let an adversary undetectably create new assets [47, 51]. None of the existing privacy-preserving distributed ledgers offer an important property for real-world systems—efficient auditing.
This paper presents zkLedger, the first distributed ledger system to support strong transaction privacy, public verifiability, and practical, useful auditing. zkLedger provides strong transaction privacy: an adversary cannot tell who is participating in a transaction or how much is being transacted, and crucially, zkLedger does not reveal the transaction graph, or linkages between transactions. The time of transactions and the type of asset being transferred are public. All participants in zkLedger can still verify transactions are maintaining important financial invariants, like conservation of assets, and an auditor can issue a rich set of auditing queries to the participants and receive answers that are provably consistent with the ledger. zkLedger supports a useful set of auditing primitives including sums, moving averages, variance, standard deviation, and ratios. An auditor can use these primitives to measure financial leverage, asset illiquidity, counterparty risk exposures, and market concentration, for the system as a whole or for individual participants.
A set of banks might use zkLedger to construct a settlement log for an over-the-counter market trading digital assets. In these markets, buyers and sellers are matched via electronic exchanges, trades are frequent and fast settlement helps lower counterparty risk. Once a trade is confirmed, a bank can initiate the transfer of the asset as a transaction in zkLedger, which, when accepted in the ledger, settles the transaction. Each bank stores plain-text transaction data in its own private datastores. In zkLedger, instead of storing plain-text transactions, participants store value commitments on the distributed ledger. Importantly, these commitments can be homomorphically combined. A bank can prove to an auditor how much of an asset it has on its balance sheet by opening up the product of all transaction commitments it has referencing that asset. The auditor can confirm that the opened product is consistent with the product of the commitments on the ledger.
Designing zkLedger required overcoming three key challenges:
Providing privacy and auditing. The first challenge is to preserve privacy while still allowing an auditor to compute provably correct measurements over the data in the ledger. zkLedger is the first system to simultaneously achieve this, by combining several cryptographic primitives. To hide values, zkLedger uses Pedersen commitments [41]. Pedersen commitments can be homomorphically combined, so a verifier can, for example, confirm that the sum of the outputs is less than or equal to the sum of the inputs, conserving assets. More than that, an auditor can combine commitments to compute linear combinations of values in different rows in the ledger. Previous confidential blockchain systems also use Pedersen commitments to hide values but end up revealing linkages between transactions, and do not support private auditing [17, 34, 42].
zkLedger uses an interactive map/reduce paradigm over the ledger with non-interactive zero-knowledge proofs (NIZKs) to compute measurements that go beyond sums. These are Generalized Schnorr Proofs [48], which are fast and rely only on widely accepted cryptographic assumptions. Banks can provably recommit to functions over values in the ledger, such as f : v → v², which lets the auditor compute measurements like variance, skew, and outliers without revealing individual transaction details.
Auditing completeness. Since an auditor cannot determine who was involved in which transactions, zkLedger must ensure that during auditing, a participant cannot leave out transactions to hide assets from the auditor. We call this property completeness. At the same time, we do not want to reveal to the auditor who was involved in which transactions. zkLedger uses a novel table-construction in the ledger. A transaction is a row which includes an entry for every participant, and an empty entry is indistinguishable from an entry involving a transfer of assets. All of a participant’s transfers are in its column in the ledger. An auditor audits every transaction when auditing a participant, meaning a participant cannot hide transactions. This presents efficiency challenges, which zkLedger addresses by using commitment caches and audit tokens, described below.
Efficiency. The third challenge is supporting all of this efficiently. zkLedger implements a number of optimizations: every participant and the auditor keeps commitment caches, which are rolling products of every participants’ column in the ledger; this makes it fast to generate asset proofs and to answer audits. To reduce communication costs, zkLedger is designed so that participants do not have to interact to construct the proofs for the transaction; the spender can create the transaction alone (this is similar to how other blockchain systems work). But a malicious spender could try to encode incorrect values in the commitments for other banks—we must ensure all of the commitments and proofs are correct and that every participant has what they need to later respond to an audit. To do this, we designed a set of proofs that everyone can publicly verify—transactions with incorrect proofs will be ignored. These proofs ensure that every participant has an audit token, which they can use to later open up commitments for that row, and that all proofs and commitments are consistent. The audit token and the consistency proofs are publicly verifiable, but do not leak any transaction information. They are also non-interactive, so zkLedger makes progress even if banks cannot communicate, and they are encoded for a specific bank, so a token for one bank cannot be used by another bank to lie to the auditor.
The slowest part of transaction creation and validation are range proofs, which ensure that an asset’s value is in a pre-specified range, and prevent a malicious attacker from undetectably creating new assets. Range proofs are 10× the size of the other proofs and take 5× as much time to prove and verify. A naive implementation of zkLedger might require multiple range proofs, but by using disjunctive proofs, we can multiplex different values into one range proof per entry.
In summary, the contributions of this paper are:
• zkLedger, the first distributed ledger system to achieve strong privacy and complete auditing;
• a design combining fast, well-understood cryptographic primitives using audit tokens and map/reduce to compute provably correct answers to queries;
• an evaluation of zkLedger showing efficient transaction creation and auditing; and
• an analysis of the types of queries zkLedger can support, suggesting that zkLedger can efficiently handle a useful set of auditing measurements.
2 Related Work
zkLedger is related to work in auditing or computing on private data and privacy-preserving blockchains. zkLedger achieves fast, provably correct auditing by creating a new distributed ledger table model and applying a new scheme using zero-knowledge proofs.
2.1 Computing on Private Data
Previous work proposed a multi-party computation scheme in which participants use a secure protocol to compute the results of functions which answer questions about systemic financial risk, the same problem which zkLedger aims to address [3, 10], and network security [14]. This work provides privacy benefits over existing analytics systems by allowing participants to keep their data secret. However, it only supports overall system auditing, it is not a solution to audit individual participants. There is also nothing preventing participants from lying in the inputs to the multi-party computation; they do not achieve completeness.
Provisions [21] is a way for Bitcoin exchanges to prove they are solvent without revealing their total holdings. Provisions uses Proof of Assets and Proof of Liabilities, which are very similar to the zero-knowledge proofs we use in zkLedger. However, in Provisions, an exchange could “borrow” private keys from another Bitcoin holder and thus prove assets they do not actually hold; in fact multiple exchanges could share the same assets. Moreover, Provisions does not provide completeness. By using a columnar construction with a distributed ledger, zkLedger achieves completeness.
In Prio [18], untrusted servers can compute privately on mobile client data. Prio does not operate on distributed ledgers, and thus does not guarantee public verifiability.
Prio requires all servers to cooperate in order for client proofs to validate; zkLedger can tolerate non-cooperating participants.
Several systems provide private and correct computing using trusted hardware [4–6, 49, 52]. In our setting, we cannot guarantee that all participants will trust the same hardware provider. In addition, it would be a conflict of interest to use such a system to audit the company providing the trusted hardware.
There are many systems which compute on encrypted data to protect user confidentiality in the event of a server compromise [25, 31, 32, 40, 43, 44, 50]. These systems address a different problem than what zkLedger is trying to solve. Instead, we provide interactive, provably correct auditing over private data generated by many parties.
2.2 Privacy-preserving blockchains
Bitcoin, a decentralized cryptocurrency released in 2009, was the first blockchain [37]. Many companies have explored using a blockchain to record the transfer of assets. These systems are marked by the following characteristics: (1) Multiple, possibly distrusting participants, all with write permissions and no single point of failure or control; (2) A consensus protocol to construct an appendonly, globally ordered log with a chain of hashes to prevent tampering with the past; and (3) Digitally signed transactions to indicate intent to transfer ownership.
In Bitcoin and most other blockchains, all transactions are public: every participant receives each transaction, and can verify all the details. Users create pseudonyms by generating one-time use public keys for payment addresses, but transaction amounts and the links between transactions are still globally visible. Confidential Transactions [34] and Confidential Assets [17, 42] are extensions to Bitcoin which blind the assets and amounts in transactions while still ensuring that all participants can validate transactions. Though these systems hide assets and amounts, they leak the transaction graph and do not support private auditing—an auditor would require access to all plain-text transactions in order to ensure completeness. The transaction graph alone leaks substantial information [36, 38, 45, 46]; for example, the FBI followed linked transactions to trace bitcoins and used this as evidence in court [28]. zkLedger provides stronger transaction privacy and private auditing, but at the cost of scalability. Transactions in zkLedger are sized in proportion to the number of participants in the whole system, requiring more time to produce and verify as the number of participants grows. This makes zkLedger more suitable to ledgers with fewer participants who require more privacy. Solidus [16] is a distributed ledger system that uses Oblivious RAM to hide the transaction graph and transaction amount between bank customers. While this construction also provides private transactions, Solidus can only support auditing by revealing all of the keys used in the system to an auditor, and opening transactions. zkLedger achieves performance similar to Solidus while providing private auditing.
R3’s Corda [22], and Digital Asset Holding’s Global Synchronization Log (GSL) [23] are distributed ledgers geared towards financial institutions that rely on trusted third parties to pass through information. In Corda, notaries verify transactions and maintain privacy of participants, while GSL segments its ledger, only storing a hash of the values globally and limiting access to fine-grained transaction data. Neither support private auditing.
Another approach is that of Zerocash [47], and its related implementation Zcash [51], an anonymous cryptocurrency based on Bitcoin. Zerocash uses zk-SNARKs [7] to hide transaction amounts, participants, and the transaction graph. The zk-SNARKs as used in Zcash can be extended to handle policies to enforce regulations, KYC/AML laws, and taxes [27]. These policies do not support arbitrary queries, but instead put limits on the new types of transactions that can take place. These ideas have not yet been implemented in a practical system.
zk-SNARKs are quite efficient for some statements but unfortunately, the price of this efficiency is paid in setup assumptions: as of now, all concretely efficient zk-SNARKs require a trusted third party for setup. The consequences of incorrect or compromised setup are potentially disastrous: an adversary who can learn the secret randomness used during setup can make fraudulent proofs of false statements that are indistinguishable from proofs of true statements. In our setting (international banking), such proofs would permit unrestricted creation or destruction of financial assets or liabilities. There may not even be a viable party to perform the one-time trusted setup. For example, Russia might not trust the Federal Reserve or the European Central Bank, or it might not be politically expedient to be seen as doing so. While it is possible to mitigate this concern, e.g., by distributing the setup between multiple parties [8, 11, 12], this process is onerous and expensive. Ideally, the financial integrity of the system would not rely on trusted setup at all. We choose to base consensus-critical portions of zkLedger’s design on standard NIZKs.
3 zkLedger Overview
3.1 Architecture
System participants. There are n participants which we call banks that issue transactions to transfer digital assets, Bank1, …, Bankn, and an auditor Auditor, that verifies certain operational aspects of transactions performed by the banks (e.g. “is a particular bank Banki solvent?”). These roles are not distinct; a bank could also audit. A Depositor or set of Depositors can issue and withdraw assets from the system; for example, the European Central Bank might issue 1M € to Banki in the system. Issuance and withdrawal of all assets are controlled by the Depositors and are global, public events.
Transactions. Banks exchange assets by creating transfer transactions, whose details are hidden. A transfer transaction captures an event where Banki is transferring v shares of asset t to Bank j. Our scheme supports a bank transferring to multiple other banks, but for simplicity we assume there is one spending and one receiving bank in each transaction. Banks determine the details of a transfer transaction outside of zkLedger, perhaps through an exchange. We assume they use encrypted channels.
Append-only ledger. Banks submit transactions to an append-only ledger, which globally orders all valid transactions. If a digital asset only exists on the ledger, then transfer on the ledger is change in legal custody of the digital assets, not merely a record of ownership change, and an Auditor is guaranteed a Bank is not hiding assets. This ledger could be maintained by a trusted third party, by the banks themselves, or via a blockchain like Ethereum or Bitcoin. Maintaining a fault-tolerant, globally ordered log is outside the scope of this paper, but can be done using standard techniques [15, 30, 39].
3.2 Cryptographic building blocks
Commitment schemes. To protect their privacy, participant banks do not broadcast payment details, such as the transaction amount, in plain. Instead the banks post hiding commitments to the append-only ledger; in particular, zkLedger uses Pedersen commitments [41]. Let G be a cyclic group with s elements, and let g and h be two random generators of G. Then a Pedersen commitment to an integer v ∈ {0, 1, …, s − 1} is formed as follows: pick commitment randomness r, and return the commitment cm := g^v h^r.
Pedersen commitments are perfectly hiding: the commitment cm reveals nothing about the committed value v. In a similar way, the commitments are also computationally binding: if an adversary can open a commitment cm in two different ways (for the same r, two different values v and v′), then the same adversary can be used to compute log_h(g) and thus break the discrete logarithm problem in G. In zkLedger we choose G to be the group of points on the elliptic curve secp256k1.
A very useful property of Pedersen commitments is that they are additively homomorphic. If cm1 and cm2 are two commitments to values v1 and v2, using commitment randomness r1 and r2, respectively, then cm := cm1 · cm2 is a commitment to v1 + v2 using randomness r1 + r2, as g^{v1} h^{r1} · g^{v2} h^{r2} = g^{v1+v2} h^{r1+r2}. To speed up transaction generation and auditing zkLedger makes extensive use of the ability to additively combine commitments.
Public-key encryption. Every bank i also generates a Schnorr signature keypair consisting of a secret key sk_i and public key pk_i := h^{sk_i}, and distributes the public key pk_i to all other system participants.
Non-interactive zero-knowledge proofs. To make privacy-preserving assertions about payment details zkLedger relies on non-interactive zero-knowledge proofs (NIZKs) [9]. In brief, zero-knowledge proofs concern two parties: the prover, who holds some private data, and the verifier, who wishes to be convinced of some property about this private data. For example, the prover might know the opening of a commitment cm, and wish to convince the verifier that the committed value v is in some range, e.g., 0 ≤ v < 10^6. Using NIZKs, the prover can produce a binary string π, the proof, that simultaneously persuades the verifier, yet does not reveal anything else about v. Verifying π does not require any interaction between the prover and the verifier, and the prover can append π to the ledger, where it can be verified by any party of the system.
In theory, NIZK proof systems exist for all properties in NP, whereas the practical feasibility of NIZKs is highly dependent on the complexity of the property at hand. In particular, algebraic properties in cyclic groups, such as knowledge of a discrete logarithm, equality of values committed in Pedersen commitments, or similar, have very efficient NIZK proof systems. The design of zkLedger is carefully structured so that all NIZK proofs have particularly efficient constructions.
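As an added illustration, not code from the paper or from zkledger.org, the following Python sketch ties the building blocks of this section together: Pedersen commitments and their additive homomorphism, a Schnorr-type proof of knowledge of a discrete logarithm made non-interactive with Fiat–Shamir hashing, the row-wise conservation-of-assets check that every participant verifies before accepting a transaction, and a balance audit that a bank answers over its whole column while the auditor checks it against its own rolling commitment cache. It assumes a small Schnorr subgroup of Z_p^* found at start-up instead of the secp256k1 curve, hands each bank its (v, r) openings out of band instead of through audit tokens, and omits range proofs; the names ToyLedger, prove_dlog, verify_dlog and run_scenario are its own.

```python
import hashlib
import math
import secrets

# Toy group (assumption: a small Schnorr group p = 2q + 1, not the secp256k1 curve zkLedger uses).
def is_prime(n):
    """Deterministic Miller-Rabin; this witness set is exact for every n < 2^64."""
    if n < 2:
        return False
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for w in witnesses:
        if n % w == 0:
            return n == w
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """Return (p, q, g, h): g and h generate the order-q subgroup of Z_p^*. h comes from a hash,
    so nobody knows log_h(g); that unknown logarithm is what makes the commitments binding."""
    q = (1 << 59) + 1                                  # constructed start of the search
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    x = int.from_bytes(hashlib.sha256(b"zkledger-toy-h").digest(), "big") % p
    return p, q, 4, pow(x, 2, p)                       # both squares, hence of order q

P, Q, G, H = make_group()

def commit(v, r):
    """Pedersen commitment cm = g^v h^r; a debit is a negative v, reduced mod q."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P

# Schnorr-type NIZK of knowledge of x with y = h^x, made non-interactive by Fiat-Shamir hashing.
def challenge(context, y, t):
    data = context + y.to_bytes(16, "big") + t.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_dlog(x, y, context):
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    return t, (k + challenge(context, y, t) * x) % Q

def verify_dlog(y, proof, context):
    t, s = proof
    return pow(H, s, P) == t * pow(y, challenge(context, y, t), P) % P

class ToyLedger:
    """One row per transfer, one column per bank; every row carries an entry for every bank."""
    def __init__(self, n_banks):
        self.n = n_banks
        self.cache = [1] * n_banks                      # commitment cache: rolling column products
        self.openings = [[] for _ in range(n_banks)]    # each bank's private (v, r) per row
    def transfer(self, values):
        """The spender alone builds the row: -v in its column, +v for the receiver, 0 elsewhere."""
        rands = [secrets.randbelow(Q) for _ in range(self.n)]
        cms = [commit(val, r) for val, r in zip(values, rands)]
        # If the values sum to 0 the row product equals h^(sum r): prove knowledge of that exponent.
        proof = prove_dlog(sum(rands) % Q, math.prod(cms) % P, b"conserve")
        return cms, proof, list(zip(values, rands))
    def append(self, cms, proof, openings):
        """Public verification: a row whose conservation proof fails is ignored."""
        if not verify_dlog(math.prod(cms) % P, proof, b"conserve"):
            return False
        for i, cm in enumerate(cms):
            self.cache[i] = self.cache[i] * cm % P
            self.openings[i].append(openings[i])        # delivered out of band in this toy
        return True
    def audit_answer(self, bank):
        """Answer 'what is your balance?' with a proof tying it to the bank's whole column."""
        balance = sum(v for v, _ in self.openings[bank])
        r_total = sum(r for _, r in self.openings[bank]) % Q
        y = self.cache[bank] * pow(G, (-balance) % Q, P) % P   # column product / g^balance = h^r_total
        return balance, prove_dlog(r_total, y, b"audit")
    def audit_verify(self, bank, balance, proof):
        """The auditor recomputes y from its own cache, so left-out rows are caught (completeness)."""
        y = self.cache[bank] * pow(G, (-balance) % Q, P) % P
        return verify_dlog(y, proof, b"audit")

def run_scenario():
    """Constructed scenario: two honest transfers, one bad row, one honest and one lying audit."""
    ledger = ToyLedger(3)
    ok = [ledger.append(*ledger.transfer(row)) for row in ([-100, 100, 0], [0, -40, 40])]
    bad = ledger.append(*ledger.transfer([-100, 150, 0]))        # credits 50 units from nowhere
    balance, proof = ledger.audit_answer(1)
    return {"accepted": ok, "rejected_bad_row": not bad, "balance": balance,
            "honest_audit": ledger.audit_verify(1, balance, proof),
            "lying_audit": ledger.audit_verify(1, balance + 10, proof), "rows": len(ledger.openings[0])}
```

Two design points carry over from the paper. The bad row is rejected by everyone without anyone learning the amounts, because the proof only demonstrates that the row product lies in the subgroup generated by h. And a bank that answers the audit with the wrong balance fails because the auditor derives the statement y from its own cache over every row of the column, not from anything the bank supplies. What the toy deliberately leaves out is the range proof: nothing here stops bank 0 from ending at a balance of −100, which is exactly the overspending zkLedger's range proofs on the spender's column rule out.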
3.3 Security Goals
The goals of zkLedger are to hide the amounts, participants, and links between transactions while maintaining a verifiable transaction ledger, and for the Auditor to receive reliable answers to its queries. Specifically, zkLedger lets banks issue hidden transfer transactions which are still publicly verifiable by all other participants; every participant can confirm a transaction conserves assets and assets are only transferred with the spending bank’s authority. For example, if Banki transfers 10,000 € to Bank j, both the banks and amount are hidden. The asset (€) and time of the transaction are not hidden. zkLedger also hides the transaction graph, meaning which previous transaction(s) supplied the 10,000 € to Banki in the first place.
An Auditor can query a Bank about its contents on the ledger, for example “How many euros does Bank j hold?” A bank should be able to produce commitments which will convince the auditor that the bank’s answer to the auditing query is correct, meaning consistent with the transactions on the ledger. zkLedger ensures that if a bank gives the Auditor an answer that is inconsistent with the ledger, the Auditor will catch such attempt of cheating with high probability (and of course, a trustworthy answer must always be accepted).
3.4 Threat model
zkLedger does not assume that banks will behave honestly—they can attempt to steal assets, hide assets, manipulate their account balances, or lie to auditors. We assume banks can arbitrarily collude. zkLedger keeps the amounts and participants of transactions private as long as neither the spender nor receiver in a transaction collude with an observer, like the Auditor. We assume that the ledger does not omit transactions and is available. zkLedger does not protect against an adversary who observes traffic on the network; for example, if only two banks are exchanging messages, it’s reasonable to assume the transactions in the ledger involve those banks. Nothing beyond what is necessarily leaked by an audit is revealed. However, frequent auditing might reveal transaction contents; e.g. if an auditor asks for banks’ assets after every transaction.
4 Design
The challenge in creating zkLedger is to practically support complete, confidential auditing—an Auditor should not be able to see individual bank transactions, but a Bank should not be able to hide assets from the Auditor during an audit, and the auditor should be able to detect an incorrect answer.
Figure 1 shows a general overview of zkLedger. Banks determine transactions out of band and then settle them by appending transactions to the ledger. The ledger makes sure all banks and any auditors see new transactions. Each bank and auditor maintains a commitment cache: commitments to summed values that make creating transactions and responding to audits faster. Each bank also has a private store of plaintext transaction data.
The rest of this section describes the zkLedger transaction format, how banks create transactions, and how a bank can answer a simple query from the auditor.
4.1 Transactions
The ledger in zkLedger is a table where transactions correspond to rows and Banks correspond to columns. Each transaction has an entry for each Bank. Figure 2 shows a ledger with n banks. Each entry in a transaction includes a commitment to a value, which is the amount of the asset that is being debited from or credited to the bank. For example, if Bank i wants to transfer 100 shares of an asset to Bank j, i's entry in the transaction would contain a commitment to −100 and j's would contain a commitment to 100. All other entries in the transaction would contain commitments to 0, since none of the other bank balances were changed. This scheme has the nice property that an outside observer can look at a bank's entire column and know that this represents the entirety of the bank's holdings.
Hiding amounts. As described in §3.2, zkLedger does not include the value in plaintext in the transaction. Instead, zkLedger uses Pedersen commitments to commit to the value in transfer transactions. This makes value commitments completely indistinguishable—an outside observer cannot tell the difference between a commitment to a positive value, a negative value, or 0. Recall that a commitment to a value $v$ with randomness $r$ is $cm := g^v h^r$. If desired, a prover can reveal $v$ and $r$ to a verifier who knows $cm$, and the verifier can confirm that this is consistent.
Since a transaction in zkLedger contains an entry for every Bank, there is a size-$n$ vector of commitments to the values in $\vec{v}$. Each commitment $cm_k$ uses a fresh commitment randomness $r_k$. Most of the entries will contain commitments to 0, for banks that are not involved with the transaction, but this is not apparent to an outside observer. zkLedger maintains the following financial invariants:
• A transfer transaction cannot create or destroy assets
• The spending bank must give consent to the transfer and must actually own enough of the particular asset to execute this transaction
In a public blockchain, the validators could simply confirm that these things are true by looking at the history of transactions and the current transaction, and making sure the spending bank has the funds to spend. However, in zkLedger these values are not public. Instead, we create a set of proofs that the spender can create to prove the invariants are maintained. The spender can create a transaction without interacting with any of the other banks.
First, zkLedger introduces a Proof of Balance. This is a proof that the transaction conserves assets; no assets are created or destroyed (of course, public issuance and withdrawal transactions do not have such proofs). More formally, the committed values should satisfy $\sum_{k=1}^{n} v_k = 0$. To prove this, the prover chooses the $r_k$ carefully: it should also be the case that $\sum_{k=1}^{n} r_k = 0$. If this is true and the values also sum to 0, then the verifier can check that $\prod_{k=1}^{n} cm_k = 1$ for the commitments in the row.
Next, zkLedger must ensure that the spending bank actually has the assets to transfer. To do this, zkLedger introduces a Proof of Assets. Other privacy-preserving blockchain systems use Unspent Transaction Outputs, or UTXOs, to show proof of assets and prevent double spending. For example, if Alice wants to send a coin to Bob, she chooses one of her coins, creates a new transaction addressing the coin to Bob, and includes a pointer to the previous transaction where she received the coin. This previous transaction is an output. All of the validators in the system maintain the invariant that outputs can only be spent once. Unfortunately, in systems without zk-SNARKs, this leaks the transaction graph. In zkLedger, a bank proves it has assets by creating a commitment to the sum of the values for the asset in its column, including this transaction. If the sum is greater than or equal to 0, then the bank has assets to transfer. This works because the bank's column represents all the assets it has received or spent, and Pedersen commitments can be homomorphically added down columns as well as across rows. In order to produce a proof with the correct sum, the bank must have seen every previous transaction. This implies that banks must create transactions serially. In its own entry, where the value is negative, the bank includes a proof of knowledge of its secret key to show that it authorized the transaction. This requires a disjunctive proof: either the committed value for entry $i$ satisfies $v_i \ge 0$, or the creator of the transaction knows the secret key for Bank $i$.
Range proofs. Because commitment values live in an elliptic curve group and arithmetic is modular, we need to make sure that the committed values are within an acceptable range. To see why, note that if $N$ is the order of the group, then a commitment to $(v, r)$ is identical to a commitment to $(v + N, r)$; there is no way to distinguish between the two. Without a check that the committed value lies within the range $[0, N - 1]$, a malicious bank could undetectably create assets. To address this, we use range proofs as described in Confidential Assets [42], which uses Borromean ring signatures [35]. zkLedger supports asset value amounts up to a trillion. Range proofs are the most expensive part of the transaction; as described, our scheme requires two range proofs—one for the commitment value, and another for the sum of assets in the column. We can squash the two range proofs down to one by introducing an auxiliary commitment for entry $i$. The auxiliary commitment is either a re-commitment to the value in $cm_i$ or a commitment to the sum of the values in the column up to row $m$, $\sum_{k=0}^{m} v_k$, which can be obtained by computing the product of the commitments in the column, $\prod_{k=0}^{m} cm_k$. Then, we do one range proof on the value in the auxiliary commitment. Either this is the spending bank, in which case the auxiliary commitment must be a commitment to the sum, or it is another bank which is receiving funds or not involved, in which case the auxiliary commitment could be either (and it does not matter which it is).
This satisfies the financial invariants described above. However, a particular design choice we made in zkLedger is that a spending bank can create a transaction spending its own assets without interacting with other banks. This means that a malicious bank could create transactions which maintain financial invariants but are ill-formed. We will address this problem after describing how auditing works.
Once created, a bank broadcasts the transaction, and it will be appended to the ledger. If the banks are maintaining the ledger, each bank is responsible for validating the transaction before accepting it to the ledger. If a third party is maintaining the ledger, then the third party should verify the proofs in a transaction before accepting it.
Example transaction. Figure 2 shows a transaction where Bank of America is transferring one million euros to Goldman Sachs. Bank of America creates the transfer transaction, publishing the transaction id, timestamp, and asset type (euros) publicly. Bank of America commits to the amount deducted from its own assets, −1,000,000, in its own entry and to 1,000,000 in Goldman Sachs's entry. For every other bank, Bank of America commits to 0. This serves to hide the banks involved in the transfer; no one except Bank of America can distinguish between the commitments to determine which are committing to nonzero values. Bank of America then broadcasts the transaction to the ledger. The ledger maintainer validates the transaction and appends it to the ledger. Once accepted to the ledger, this serves as a complete transfer of 1,000,000 euros from Bank of America to Goldman Sachs.
4.2 Auditing Protocol
The Auditor has a copy of the ledger and interacts with the banks to calculate functions on their private data, in order to get a view of the financial system represented by the ledger.
The Auditor audits Bank i by issuing a query to Bank i, for example, "How many euros do you hold at time t?". Bank i responds to the Auditor with an answer and a proof that the answer is consistent with the transactions on the ledger. The Auditor multiplies the commitments on the ledger in Bank i's column for euros, and verifies the proof and answer against the total. This product is a commitment to the total amount of euros Bank i holds.
The key insight here is that given this table construction, the Auditor can read bank i’s column and know that it is seeing every asset transfer involving i. There is no way for i to “hide” assets on the ledger without actually transferring assets and giving control to another bank. In contrast, during a traditional audit, a bank could simply not show the auditor some of its balance sheet.
Banks could collude to hold assets for each other temporarily; for example Bank j might transfer assets to Bank i and take them back later. For that time period, the assets would be part of Bank i's holdings. But banks cannot collude after an Auditor poses a query because the Auditor has already specified the time t at which the query applies. Any transfer would necessarily have to be after t. So at this point, it is too late for a malicious bank to create a new transaction transferring assets to another bank.
As described above, a bank can create a transaction transferring its own assets without any interaction. This is common in most blockchain systems, where only the signature of the sender is required to create a valid transaction. There is no in-protocol way for a receiver to object to a transfer. Given our table construction, every bank is affected by every transaction, because a bank must total all of the commitments in its column to respond to the Auditor—even commitments for transactions in which it was not involved. A malicious Bank i could create a transaction and not inform another bank, Bank j, of the $r_j$ used in its entry, even if it is not transferring assets to Bank j. Bank j would then be unable to respond to the Auditor because it would not be able to open the product of the commitments in its column.
In order to prove the integrity of a transfer transaction, zkLedger must ensure an additional invariant:
• All banks have enough information in the transaction to open up commitments for the Auditor
zkLedger does this by requiring the spending bank to include a publicly verifiable Token in every entry. This is defined as $Token_k := (pk_k)^{r_k}$. Bank $k$ uses this token to open the product of its commitments for the Auditor, without needing to know $r_k$.
Using audit tokens. Consider a query for the sum of values in a bank's column. One way of answering this query would be to reveal $\sum v_k$ and $\sum r_k$. Then the Auditor would simply check that these plain values are consistent with the homomorphically computed value $\prod_k cm_k = g^{\sum v_k} h^{\sum r_k}$. However, a bank does not necessarily know all the commitment randomnesses $r_k$ (in particular, these values are unknown for any transaction that the bank was not party to), so the naive approach does not work.
One approach could be to ask the preparer of the transaction (i.e. the sender) to encrypt rk so that the nonparticipating bank Bankk can decrypt it. To prevent the sending bank from placing a “garbage” ciphertext on the ledger (and thus making Bankk fail the auditor’s queries), one would need a zero-knowledge proof of consistency between the encrypted value and the commitment. Constructing a concretely efficient proof for this statement is non-trivial: in a nutshell, standard encryption schemes (e.g. ElGamal) embed plain-text in a group element, while Pedersen commitments would have this value in the exponent.
Our insight is that Bank $k$ does not need to open $\sum r_k$ to prove that $\sum v_k$ is correct. Instead, suppose that Bank $k$ wants to claim that $s = g^{\sum v_k} h^{\sum r_k}$ opens to a value $\sum v_k$. To do so, the bank computes $s' = s / g^{\sum v_k} = h^{\sum r_k}$ and $t = \prod_k Token_k = (pk)^{\sum r_k} = h^{sk \cdot \sum r_k}$. Note that the Auditor can also compute the values of $s'$ and $t$ from the ledger and the claimed answer $\sum v_k$.
It suffices for the bank to prove that $\log_{s'} t = \log_h pk$. Observe that both logarithms evaluate to $sk$, so a bank can produce this proof without knowing $\sum r_k$. Moreover, if this equation holds then $t^{1/sk} = s' = s / g^{\sum v}$, but if the $\sum v$ was incorrect then knowledge of $sk$ would reveal a linear relationship between $g$ and $h$, which is ruled out by our security assumption.
To show that the $r$ in $Token_k$ is the same as the $r$ in $cm_k$, we require an additional Proof of Consistency. This is a zero-knowledge proof asserting that for each $k$ the value $r_k$ used to form $cm_k$ and $Token_k$ is the same. (See Appendix B for details of how such a proof is constructed.)
Note that audit tokens are only useful to the bank opening its own commitments; although they are public, a malicious bank cannot use another bank's Token to successfully open an incorrect result or to learn information about other banks' transactions.
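The following is an added, self-contained Python sketch of the mechanisms in §4.1 and §4.2; it is not code from the zkLedger paper or from its Go prototype. It implements Pedersen commitments over secp256k1 (the curve the prototype uses), builds a transfer row whose commitments multiply to the identity (the Proof of Balance check), shows the wrap-around modulo the group order that motivates the range proofs, and carries out the audit-token argument above: $Token_k = (pk_k)^{r_k}$, $s' = s/g^{\sum v}$, $t = \prod_k Token_k$, and a Chaum-Pedersen proof, made non-interactive with Fiat-Shamir over SHA-256, that $\log_{s'} t = \log_h pk$. All function names, the label used to derive the second generator, and the three-bank ledger with its amounts are constructed for this example; the range proofs, the disjunctive proof of key knowledge and the Proof of Consistency are not implemented here.

```python
import hashlib
import secrets
from functools import reduce

# secp256k1 parameters, the curve used by the zkLedger prototype.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity: the group identity the paper writes as "1"

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_P (the "product" of two commitments)."""
    if A is INF or B is INF:
        return B if A is INF else A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return INF
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Double-and-add scalar multiplication ("exponentiation"); k is reduced mod the
    group order N, which is exactly why Com(v, r) == Com(v + N, r) (see demo)."""
    k, R = k % N, INF
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(A):  # fixed-length point encoding for hashing
    return b"\x00" * 64 if A is INF else A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def hash_to_point(label):
    """Nothing-up-my-sleeve second generator: hash to an x-coordinate and lift it, so
    nobody knows log_G of the result. P % 4 == 3 makes the square root a single pow()."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if (y * y - x**3 - 7) % P == 0:
            return (x, y)
    raise RuntimeError("no curve point found")

H = hash_to_point(b"zkLedger toy example: h")  # constructed label, not the prototype's

def commit(v, r):
    """Pedersen commitment g^v h^r, written additively as v*G + r*H."""
    return add(mul(v, G), mul(r, H))

def transfer_row(pks, spender, receiver, amount):
    """One ledger row with an entry per bank: (cm_k, Token_k = pk_k^{r_k}, r_k). The spender
    picks the last r_k so that sum(r) == 0 mod N; with sum(v) == 0 the row multiplies to 1."""
    values = [0] * len(pks)
    values[spender] -= amount
    values[receiver] += amount
    rs = [secrets.randbelow(N) for _ in pks[:-1]]
    rs.append(-sum(rs) % N)
    return [(commit(v, r), mul(r, pk), r) for v, r, pk in zip(values, rs, pks)]

def balanced(row):
    """Proof-of-Balance check any observer can run: prod(cm_k) == 1."""
    return reduce(add, (cm for cm, _tok, _r in row), INF) is INF

def column(ledger, k):
    """Homomorphic product of bank k's commitments (s) and of its tokens (t)."""
    return (reduce(add, (row[k][0] for row in ledger), INF),
            reduce(add, (row[k][1] for row in ledger), INF))

def challenge(*pts):  # Fiat-Shamir challenge over the proof transcript
    return int.from_bytes(hashlib.sha256(b"".join(map(enc, pts))).digest(), "big") % N

def prove_sum(ledger, k, sk, claimed):
    """Bank k claims its column opens to `claimed` without knowing the r_k of rows it did
    not author: Chaum-Pedersen NIZK that log_{s'} t == log_H pk (both equal sk)."""
    s, t = column(ledger, k)
    s1 = add(s, mul(-claimed, G))  # s' = s / g^{claimed}; equals h^{sum r} iff claim is true
    w = secrets.randbelow(N)
    A, B = mul(w, s1), mul(w, H)
    c = challenge(s1, t, H, mul(sk, H), A, B)
    return (A, B, (w + c * sk) % N)

def verify_sum(ledger, k, pk, claimed, proof):
    """Auditor recomputes s' and t from the public ledger and checks the proof."""
    s, t = column(ledger, k)
    s1 = add(s, mul(-claimed, G))
    A, B, z = proof
    c = challenge(s1, t, H, pk, A, B)
    return mul(z, s1) == add(A, mul(c, t)) and mul(z, H) == add(B, mul(c, pk))

def demo():
    """Constructed sample: three banks, three rows; bank 1 is audited (true balance 450)."""
    sks = [secrets.randbelow(N) for _ in range(3)]
    pks = [mul(sk, H) for sk in sks]          # pk_k = h^{sk_k}
    ledger = [transfer_row(pks, 0, 1, 700),   # bank 0 -> bank 1
              transfer_row(pks, 1, 2, 250),   # bank 1 -> bank 2
              transfer_row(pks, 2, 0, 100)]   # bank 1 not involved; it never learns this r
    return {"rows_balanced": all(balanced(r) for r in ledger),
            "honest_accepted": verify_sum(ledger, 1, pks[1], 450, prove_sum(ledger, 1, sks[1], 450)),
            "cheat_accepted": verify_sum(ledger, 1, pks[1], 500, prove_sum(ledger, 1, sks[1], 500)),
            "wraps_mod_N": commit(5, 7) == commit(5 + N, 7)}
```

Running `demo()` shows every row passing the balance check, the honest claim of 450 being accepted, the overstated claim of 500 being rejected even though the prover holds the correct secret key, and `commit(5, 7) == commit(5 + N, 7)`, which is the ambiguity the range proofs of §4.1 rule out. Because the prover never touches the individual $r_k$, the same code path works for rows the bank did not author, which is the whole point of the audit token.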
4.3 Final transaction construction
For a transfer transaction in row m, each entry i contains the following items:
• Commitment ($cm_i$): $g^{v_i} h^{r_i}$, a Pedersen commitment to the value being transferred to or from bank $i$.
• Audit Token ($Token_i$): $(pk_i)^{r_i}$. This is used to answer audits without knowing the randomness used in the commitment.
• Proof of Balance: a zero-knowledge proof asserting that the committed values satisfy $\sum_{k=1}^{n} v_k = 0$.
• Proof of Assets: a new (auxiliary) commitment, a corresponding token, and a zero-knowledge proof asserting that the auxiliary commitment is either a re-commitment of the value in $cm_i$ or a re-commitment to the sum of the values in $\prod_{j=0}^{m} cm_j$, and that its value lies in the range $[0, 2^{40})$. If the committed value in $cm_i$ is negative, the proof asserts that bank $i$ consented to the transfer.
• Proof of Consistency: two zero-knowledge proofs asserting that the randomness used in $cm_i$ and $Token_i$ is the same, and that the randomness used in the auxiliary commitment and its token is the same. This prevents a malicious bank from adding data to the ledger that would stop another bank from being able to open its commitments for the Auditor.
Transactions may also carry additional metadata, in plaintext or encrypted. For example, banks might want to include encrypted account numbers, addresses, or identifying information on behalf of a customer to satisfy the Travel Rule specified in the Bank Secrecy Act of 1970 [1]. zkLedger supports auditing over metadata in the transaction as well, but it does not have a way to publicly verify additional metadata.
4.4 Adding or removing banks
zkLedger can support dynamically adding or removing banks if this is done publicly. The participants (or another authority) append a signed transaction to the ledger indicating which banks, and thus columns, should be added or removed. For example, to add a new bank to the ledger shown in Figure 2, the involved banks would append a transaction to the ledger indicating an intent to add Bank n+1. From that point forward, all transactions should contain n + 1 entries. The Proof of Assets for Bank n+1's entry in each transaction will start at the row where Bank n+1 was added. Similarly, if a bank is removed, later transactions should not include entries for that bank. Since all participants can see which banks were added or removed, they can adjust their proofs and verifications accordingly.
4.5 Optimizations
zkLedger employs several optimizations to make producing and verifying these proofs faster, and to support faster auditing. First, caching the product of the commitments in a bank’s column improves auditing and proof creation speed. Each bank stores a rolling product of commitments by row and by asset so that it can quickly produce proofs of assets and answer queries from auditors. Using these caches, a bank can quickly answer an auditor’s query on a subset of rows in the ledger.
Most transactions in zkLedger do not involve every bank, so most entries are commitments to 0. Every bank can pre-generate many range proofs for the value 0. We speed up transaction throughput by parallelizing range proof generation and validation.
5 Auditing
Auditing is a critical component of the financial system, and regulators use various techniques to measure systemic financial risk. Through the use of sums, means, ratios, variance, co-variance, and standard deviation, an auditor in zkLedger can determine the following, among other measurements:
• Leverage ratios. zkLedger can show how much of an asset a bank has on its books compared to its other holdings. This is helpful to estimate counterparty risk.
• Concentration. Regulators use a measure called the Herfindahl-Hirschman Index (HHI) to measure how competitive an industry is [29].
• Real-time price indexes. Auditors can get a sense of the price of assets that are traded over-the-counter and thus not tracked through exchanges.
Natively, zkLedger supports sums, that is, linear combinations of values stored in the ledger. This comes from the additive structure of Pedersen commitments. But zkLedger also supports a more general query model, which can be considered in two parts: a map step and a reduce step.
Basic auditing. Consider the basic example where an auditor wants to determine how much of an asset a bank has on its books. As described in §4.2, the auditor will filter the rows by asset, multiply the entries in the bank’s column, and then ask the bank to open the commitment product. This only requires one round of communication between the auditor and the bank and the messages are a constant size, independent of the number of rows. Because of zkLedger’s commitment caches, this is very fast.
Map/reduce. An auditor can issue more complex queries that might require the exchange of more data or might require the participants to look at most of the rows in the ledger. Consider an auditor which wants to know the mean transaction size for a given bank and asset. An auditor cannot verify a bank's answer by simply totaling the bank's column of commitments and dividing the opened value by the number of rows, because such a computation would have an incorrect denominator. Namely, when the bank is not involved in a transaction, its entry in that row is a commitment to 0 and should be discounted. In order to determine the correct denominator, the auditor and the bank run the following protocol:
1. Filter. The bank will filter the rows by asset.
2. Produce new commitments. For each row, the bank will commit to a single bit b, 1 or 0, depending on whether or not the bank was involved in the transaction, and create a proof that the bank has done this re-commitment correctly. Crucially, the auditor cannot distinguish between these commitments and so the bank's transactions are not revealed. We call this act of producing new commitments the map step. The map step also requires producing proofs that the new values were correctly computed; in our example, for each transaction, the bank would produce a NIZK proof that b = 1 if and only if the transaction value was not equal to 0.
3. Compute number of non-zero transactions. The bank computes the homomorphic sum of the new commitments to the bits $\vec{b}$ and opens it to reveal how many transactions were non-zero. This is the reduce step. This is the correct denominator to compute the mean transaction size. The auditor cannot tell anything about the values in $\vec{b}$ beyond what is revealed by the sum.
4. Respond to auditor. The bank then sends the auditor the sum of the values in its column, the vector of bit commitments and corresponding NIZK proofs, the number of its non-zero transactions n, and the sum of the r values in the commitments.
5. Verification. The auditor verifies the map step by verifying that the commitments were done correctly, and verifies the reduce step and the number of non-zero transactions by confirming that the product of the vector of bit commitments is $g^{n} h^{\sum_{k=1}^{N} r_k}$.
6. Compute answer. The auditor computes the mean from the sum of the bank’s column and the number of non-zero transactions.
An auditor could ask a bank for outlier transactions using a similar technique. For each row, the bank will commit to a bit b where b = 1 if a transaction’s value for that bank is outside a specified range. As when computing the mean, the auditor can verify these commitments were produced correctly and obtain the sum. The bank can then open only the transactions where b = 1, and the auditor knows exactly how many transactions should be opened.
More complex auditing queries require multiple map and reduce computations. For example, here is how an auditor can learn the variance of transaction values $v_1, \dots, v_N$:
1. Compute the average transaction value. Execute the protocol described above to compute the number of non-zero transactions $n$ and their average value $\bar{v}$.
2. Apply the squaring map. For each entry $v_i$ in its column, the bank produces a fresh commitment to $v_i^2$ and sends these commitments to the auditor. The bank also supplies NIZK proofs that the value hidden in each new commitment is exactly the square of the value $v_i$ committed to on the ledger.
3. Apply the reduce step. The auditor computes the product of the new commitments, and the bank opens this product as $V = v_1^2 + \dots + v_N^2$ by revealing $R = \sum_{i=1}^{N} r_i$, the sum of the randomness used in the new commitments. The auditor confirms that the product of the commitments is equal to $g^V h^R$.
The auditor now computes the variance $\sigma^2$ as follows: $\sigma^2 = \frac{1}{n} \sum_{v_i \neq 0} (v_i - \bar{v})^2 = \frac{1}{n} V - \bar{v}^2$.
We note that whereas the square mapping used above corresponds to the second moment (variance), zkLedger can also compute higher statistical moments (e.g. skewness and kurtosis) using similar techniques and using cubing and fourth power mappings, respectively. See Appendix A for a list of measurements zkLedger supports. zkLedger can support limited information release by using more complex reduce mappings. For example, instead of releasing the sum of values, the bank can produce a commitment to the rounded sum of values (e.g. to the first two decimal places), and use range proofs, also implemented in zkLedger, to show that the rounding was done correctly. Revealing just the order of magnitude of the quantity at hand lets the parties balance the granularity of information disclosure.
6 Implementation
To evaluate zkLedger's design, we implemented a prototype of zkLedger in Go. Our prototype uses a modified version of the btcec library [2] that contains the parameters and methods to compute with the elliptic curve secp256k1. We use Go's built-in SHA-256 implementation for our cryptographic hash function, and deterministically pick g and h by applying point decompression to the "nothing-up-my-sleeve" strings SHA-256(0) and SHA-256(1). Our prototype consists of approximately 3,200 lines of code, of which 40% implement cryptographic tools used by zkLedger (zero-knowledge proofs, range proofs, etc.).
The implementation of the curve in zkLedger uses Go's big.Int type, which we make no effort to compress or serialize efficiently. A more optimized implementation could compress curve points. Our range proofs implement the protocol used in Confidential Assets [42]. Our NIZKs are based on Generalized Schnorr Proofs, which are three-move interactive protocols; to make them non-interactive we apply the Fiat-Shamir heuristic [26], instantiating the random oracle with the SHA-256 hash function. Our prototype does not implement the complex queries described in §5, and thus we do not evaluate them in §7.
7 Evaluation
Our evaluation answers the following questions:
• How expensive is it to store, prove and verify the different proofs in zkLedger? (§7.2)
• How does auditing scale with the size of the ledger? (§7.3)
• How does zkLedger scale with the number of banks? (§7.4)
#    Component     Create    Verify    Size
2k   Commitment    0.5 ms    0.5 ms    64 B
2k   Consistency   0.7 ms    0.8 ms    224 B
k    Disjunctive   0.9 ms    0.9 ms    288 B
k    Range         4.7 ms    3.5 ms    3936 B
Table 1: Number of each proof component in a transaction for k banks, and the size of and time to create and verify each component with 12 cores. Range proof creation and verification benefit from the additional cores.
7.1 Experimental setup
Microbenchmarks. We run microbenchmarks on a 12-core Intel machine with i7-X980 3.33 GHz CPUs and 24 GB of RAM, running 64-bit Linux 4.4.0 on Ubuntu 16.04.3. Each microbenchmark runs the same code a Bank runs to create and validate transactions.
Distributed experiment. We run the distributed experiments on a set of 12 virtual machines, each with 4 cores of Intel Xeon E5-2640 2.5 GHz processors, 24 GB of RAM, and the same software setup as above. There is one auditor, one server providing the ledger service, and a varying number of banks, one per server. Servers communicate over TCP using a Go package. All experiments use Go version 1.9.
7.2 Proof overhead in zkLedger
Table 1 shows the time to prove and verify the proofs in a zkLedger transaction. Each transaction entry contains two commitments, two consistency proofs, and one each of the disjunctive and range proofs, and there is one entry per Bank, so a transaction among k banks carries 2k commitments, 2k consistency proofs, k disjunctive proofs and k range proofs. Table 1 also shows the sizes of the various proofs, in bytes. These sizes are estimated from the size of the underlying fields of the struct in memory; the proofs could be compressed further. Range proofs dominate the size of a transaction.
The left graph in Figure 3 shows the time it takes to create and verify a transaction as the overall number of banks varies, which changes the number of entries per transaction. As the number of banks increases, both transaction creation and verification time per bank increase linearly, but parallelization helps. Proving and validating range proofs dominates transaction creation and verification, and this cost is highly parallelizable: 12 cores give a 2.8× speedup when creating a transaction with 20 banks, and a bank can create or validate a transaction for up to 20 banks in less than 200 ms.
As described in §4.1, zkLedger uses Borromean ring signatures to prove that a value lies in a certain range, and supports values up to 2^40. Reducing the supported range would reduce range proof cost, since that cost is linear in the number of bits of the range. Newer proof systems such as Bulletproofs might produce much smaller range proofs [13]. We plan to evaluate zkLedger with Bulletproofs in future work.
7.3 Cost of auditing ledgers
The left graph in Figure 4 shows that for certain functions the time to audit is independent of the number of transactions in the ledger. This is because the Auditor and the Banks maintain commitment caches, which already hold the commitment product a bank needs to prove to the auditor the sum of the values in its column. The audit function measured is the Herfindahl-Hirschman Index, so the auditor communicates with every bank.
When the auditor cannot use a commitment cache, perhaps because it was offline, it must process the whole ledger to compute the commitment product. The same applies to more complex auditing of the kinds described in §5, where the auditor has to verify recommitments for every row in the ledger. These costs are shown in the middle graph of Figure 4, which plots how long the auditor takes to compute the Herfindahl-Hirschman Index on ledgers of varying size without commitment caches, so that it must process every row. In these measurements the auditor does not verify each row. As expected, the time grows linearly with the number of rows, which shows that maintaining commitment caches is important for real-time auditing. Even without commitment caches, however, auditing time is reasonable: 3.5 seconds for 100K transactions. This suggests that the complex auditing queries, in which the auditor performs a similar set of operations per row, will also take on the order of many seconds. zkLedger currently maintains commitment product caches only per asset per bank, but could maintain more.
For a fixed-size ledger, the cost of this audit function is linear in the number of banks. The right graph in Figure 4 shows the cost of computing the Herfindahl-Hirschman Index on a ledger of 2000 transactions as the number of banks varies, both with and without commitment caches. The auditor audits the banks in parallel. Auditing cost for this function grows slightly with the number of banks, since more banks increase the variability of the parallel audits and the auditor must wait for the last bank to respond before computing the final answer. In these figures, each point is the mean of 20 runs of the auditing query, with error bars showing one standard deviation from the mean.
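The commitment-cache audit described in this subsection, together with the Pedersen commitments, nothing-up-my-sleeve generators and Fiat-Shamir Schnorr proofs of §6, as an added example. This is illustration code written for this page, not the zkLedger prototype or its btcec-based implementation: it uses Go's standard-library P-256 curve in place of secp256k1, the generator label and the column values are constructed, and the equality-of-discrete-log proof that ties a bank's claimed column total to the auditor's cached commitment and token products is this example's own construction in the style of Theorem B.2 (Appendix B), not necessarily the paper's exact audit protocol. The auditor keeps only the two running products, so the check costs O(1) regardless of how many rows the column has, and an inflated total is rejected.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Added example, not the zkLedger prototype's code. The standard-library P-256
// curve stands in for secp256k1 so this runs offline; any prime-order group works.
var curve = elliptic.P256()
var order = curve.Params().N
type point struct{ x, y *big.Int }
func mul(p point, k *big.Int) point { // k reduced mod the order, so negatives work
	x, y := curve.ScalarMult(p.x, p.y, new(big.Int).Mod(k, order).Bytes())
	return point{x, y}
}
func add(p, q point) point  { x, y := curve.Add(p.x, p.y, q.x, q.y); return point{x, y} }
func equal(p, q point) bool { return p.x.Cmp(q.x) == 0 && p.y.Cmp(q.y) == 0 }
func randScalar() *big.Int  { k, _ := rand.Int(rand.Reader, order); return k }

// numsPoint derives a generator with unknown discrete log to g: hash a public label
// and counter, read the digest as a compressed x coordinate, and keep the first one
// that decompresses to a curve point (the same idea the prototype uses for g and h).
func numsPoint(label string) point {
	for ctr := 0; ; ctr++ {
		d := sha256.Sum256([]byte(fmt.Sprintf("%s/%d", label, ctr)))
		if x, y := elliptic.UnmarshalCompressed(curve, append([]byte{2}, d[:]...)); x != nil {
			return point{x, y}
		}
	}
}
var g = point{curve.Params().Gx, curve.Params().Gy}
var h = numsPoint("zkLedger h") // label chosen for this example

// Pedersen commitment cm = g^v h^r; the audit token pk^r reuses the same r.
func commit(v, r *big.Int) point { return add(mul(g, v), mul(h, r)) }

// columnCache is the per-(bank, asset) state auditor and banks keep current: the
// running products of the column's commitments and of its audit tokens.
type columnCache struct{ cmProd, tokProd point; rows int }
func (c *columnCache) append(cm, tok point) {
	if c.rows++; c.rows == 1 {
		c.cmProd, c.tokProd = cm, tok
		return
	}
	c.cmProd, c.tokProd = add(c.cmProd, cm), add(c.tokProd, tok)
}
type bank struct{ sk, sumV *big.Int; pk point } // pk = h^sk

// entry is the bank's column entry for one row (v < 0 when it is the spender).
func (b *bank) entry(v int64) (cm, tok point) {
	r := randScalar()
	b.sumV.Add(b.sumV, big.NewInt(v))
	return commit(big.NewInt(v), r), mul(b.pk, r)
}

// Schnorr-type proof, made non-interactive with Fiat-Shamir over SHA-256, of knowing
// sk with pk = h^sk and t = c^sk. For a claimed total S the bank sets c = cmProd / g^S
// (which is h^(sum r) only if S is the true sum) and t = tokProd = pk^(sum r).
type eqDlogProof struct{ a1, a2 point; z *big.Int }
func challenge(pts ...point) *big.Int {
	hs := sha256.New()
	for _, p := range pts {
		hs.Write(elliptic.MarshalCompressed(curve, p.x, p.y))
	}
	return new(big.Int).Mod(new(big.Int).SetBytes(hs.Sum(nil)), order)
}
func proveEqDlog(sk *big.Int, pk, c, t point) eqDlogProof {
	k := randScalar()
	a1, a2 := mul(h, k), mul(c, k)
	z := new(big.Int).Mul(challenge(h, pk, c, t, a1, a2), sk)
	return eqDlogProof{a1, a2, z.Add(z, k).Mod(z, order)}
}
func verifyEqDlog(pk, c, t point, pr eqDlogProof) bool {
	e := challenge(h, pk, c, t, pr.a1, pr.a2)
	return equal(mul(h, pr.z), add(pr.a1, mul(pk, e))) && equal(mul(c, pr.z), add(pr.a2, mul(t, e)))
}

// sumTarget is cmProd / g^S; auditSum is the auditor's O(1) check of a claimed total.
func sumTarget(c *columnCache, s *big.Int) point { return add(c.cmProd, mul(g, new(big.Int).Neg(s))) }
func auditSum(pk point, c *columnCache, s *big.Int, pr eqDlogProof) bool {
	return verifyEqDlog(pk, sumTarget(c, s), c.tokProd, pr)
}

// runAudit fills one column with constructed values, then audits the true total and
// an inflated one; it returns the true total and both verdicts.
func runAudit() (sum int64, honestOK, cheatOK bool) {
	b, cache := &bank{sk: randScalar(), sumV: new(big.Int)}, &columnCache{}
	b.pk = mul(h, b.sk)
	for _, v := range []int64{125, -40, 310} {
		cache.append(b.entry(v))
	}
	pr := proveEqDlog(b.sk, b.pk, sumTarget(cache, b.sumV), cache.tokProd)
	lie := new(big.Int).Add(b.sumV, big.NewInt(1))
	prLie := proveEqDlog(b.sk, b.pk, sumTarget(cache, lie), cache.tokProd)
	return b.sumV.Int64(), auditSum(b.pk, cache, b.sumV, pr), auditSum(b.pk, cache, lie, prLie)
}

func main() {
	s, ok, bad := runAudit()
	fmt.Printf("sum=%d honest=%v inflated=%v\n", s, ok, bad) // sum=395 honest=true inflated=false
}
```

The bank never reveals its randomness or its secret key: the proof shows it knows the sk behind its public key and that the same sk links cmProd / g^S to the product of its audit tokens, which is only possible when S is the true column sum. This is also why the consistency proofs of Appendix B matter: if a bank could publish a token whose randomness differs from its commitment's, the cached token product would no longer bind the claimed total.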
7.4 Scaling with more banks
Two significant costs grow with the number of banks in zkLedger: a serial step in creating transactions, which grows linearly, and the total verification work, which grows quadratically with the number of banks. As described in §4.1, a bank needs to use its entry from transaction n − 1 to create transaction n. So although a bank can use many cores to produce the proofs for a single transaction in parallel, multiple banks cannot produce different transactions in parallel. In zkLedger, banks start creating transaction n before seeing n − 1, but a bank cannot complete the transaction until n − 1 has been accepted to the ledger and verified, which is an inherent bottleneck.
Figure 3: Transaction creation and verification time for one bank (left), varying the number of entries in the transaction; single-threaded and multi-threaded performance with 12 threads. Time to fully process a transaction, including creation, broadcast to the ledger, banks and auditor, and verification by all parties (middle). Throughput (right), varying the number of banks.
Figure 4: Time to audit ledgers of different sizes (4 banks), and with a varying number of banks (2000-row ledger). Audit time is independent of the size of the ledger (left) thanks to the commitment caches maintained by the online auditor. When the commitment cache optimization is turned off (middle), audit time is linear in the size of the ledger. Audit time grows with the number of banks (right) and is much higher without commitment caches.
The second major cost is verification. Every bank must verify every transaction, so the more banks, the larger each transaction and thus the more work each bank has to do. The middle graph in Figure 3 measures the time it takes one bank to create, and all participants in zkLedger to completely process, a transaction. One bank creates a transaction and sends it to the ledger, which broadcasts it to all banks and an online auditor. The auditor and every bank verify the transaction. As the number of banks increases, total work increases quadratically; however, banks verify transactions in parallel, so the time to process a transaction increases only linearly. The right graph in Figure 3 shows that, as we surmised, zkLedger's throughput worsens with more banks. The one-bank-transacting line in this graph is the same data as the middle graph.
Since range proofs dominate the cost of transaction creation and verification, we are optimistic that a faster range proof implementation will directly improve performance. zkLedger's current performance is comparable to Solidus, a privacy-preserving distributed ledger that achieves 3-4 transactions per second with online validation but, unlike zkLedger, does not support auditing.
8 Future work
zkLedger focuses on providing provably correct auditing over private transaction data, but zkLedger does not have a way to recover if the distributed ledger is corrupted. In this case, the parties maintaining the ledger would have to come together to recreate historical transactions. zkLedger also does not provide recourse if a bank commits an unintended transaction to the ledger. A future version of zkLedger might provide rectifying transactions or participant agreed-upon rollback.
9 Conclusion
zkLedger is the first distributed ledger system to provide strong transaction privacy, public verifiability, and complete, provably correct auditing. zkLedger supports a rich set of auditing queries which are useful to measure the financial health of a market. We developed a design using non-interactive zero-knowledge proofs to prove transactions maintain financial invariants and to support auditing. Our evaluation shows that zkLedger has reasonable performance for transaction settlement and auditing.
10 Acknowledgements
We thank Alexander Chernyakhovsky, Thaddeus Dryja, David Lazar, Ronald L. Rivest, C.J. Williams, and our shepherd and reviewers for helpful comments. The research leading to these results has received funding from: the Center for Science of Information (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370; and the Ethics and Governance of Artificial Intelligence Fund.
References
[1] Bank secrecy act of 1970, October 1970. 12 U.S.C. 103.
[2] Package btcec implements support for the elliptic curves needed for Bitcoin., July 2017. https://godoc.org/github.com/btcsuite/btcd/btcec.
[3] ABBE, E. A., KHANDANI, A. E., AND LO, A. W. Privacy-preserving methods for sharing financial risk exposures. The American Economic Review 102, 3 (2012), 65–70.
[4] ARASU, A., BLANAS, S., EGURO, K., KAUSHIK, R., KOSSMANN, D., RAMAMURTHY, R., AND VENKATESAN, R. Orthogonal security with cipherbase. In CIDR (2013).
[5] BAJAJ, S., AND SION, R. TrustedDB: A trusted hardware-based database with privacy and data confidentiality. IEEE Transactions on Knowledge and Data Engineering 26, 3 (2014), 752–765.
[6] BAUMANN, A., PEINADO, M., AND HUNT, G. Shielding applications from an untrusted cloud with Haven. ACM Transactions on Computer Systems (TOCS) 33, 3 (2015), 8.
[7] BEN-SASSON, E., CHIESA, A., GENKIN, D., TROMER, E., AND VIRZA, M. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In Advances in Cryptology – CRYPTO 2013. Springer, 2013, pp. 90–108.
[8] BEN-SASSON, E., CHIESA, A., GREEN, M., TROMER, E., AND VIRZA, M. Secure sampling of public parameters for succinct zero knowledge proofs. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (2015), SP '15, pp. 287–304.
[9] BLUM, M., FELDMAN, P., AND MICALI, S. Non-interactive zero-knowledge and its applications. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (1988), STOC '88, pp. 103–112.
[10] BOGDANOV, D., TALVISTE, R., AND WILLEMSON, J. Deploying secure multi-party computation for financial data analysis. In International Conference on Financial Cryptography and Data Security (2012), Springer, pp. 57–64.
[11] BOWE, S., GABIZON, A., AND GREEN, M. A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK. Cryptology ePrint Archive, Report 2017/602, 2017.
[12] BOWE, S., GABIZON, A., AND MIERS, I. Scalable multi-party computation for zk-SNARK parameters in the random beacon model. Cryptology ePrint Archive, Report 2017/1050, 2017.
[13] BÜNZ, B., BOOTLE, J., BONEH, D., POELSTRA, A., AND MAXWELL, G. Bulletproofs: Short proofs for Confidential Transactions and more. In Security and Privacy (SP), 2018 IEEE Symposium on (2018), IEEE.
[14] BURKHART, M., STRASSER, M., MANY, D., AND DIMITROPOULOS, X. SEPIA: Privacy-preserving aggregation of multi-domain network events and statistics. Network 1, 101101 (2010).
[15] CASTRO, M., AND LISKOV, B. Practical Byzantine fault tolerance. In OSDI (1999), vol. 99, pp. 173–186.
[16] CECCHETTI, E., ZHANG, F., JI, Y., KOSBA, A., JUELS, A., AND SHI, E. Solidus: Confidential distributed ledger transactions via PVORM.
[17] CHAIN, I. Confidential assets. https://blog.chain.com/hidden-in-plain-sight-transacting-privately-on-a-blockchain-835ab75c01cb.
[18] CORRIGAN-GIBBS, H., AND BONEH, D. Prio: Private, robust, and scalable computation of aggregate statistics. arXiv preprint arXiv:1703.06255 (2017).
[19] COUNCIL, F. R. Developments in audit 2016/2017 full report, 2017. http://www.frc.org.uk/getattachment/915c15a4-dbc7-4223-b8ae
[20] CRAMER, R., DAMGÅRD, I., AND SCHOENMAKERS, B. Proofs of partial knowledge and simplified design of witness hiding protocols. In Advances in Cryptology – CRYPTO '94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings (1994), pp. 174–187.
[21] DAGHER, G. G., BÜNZ, B., BONNEAU, J., CLARK, J., AND BONEH, D. Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, CO, 2015), ACM, pp. 720–731.
[22] Corda, 2017. https://github.com/corda/corda.
[23] Digital asset holdings, 2017. http://digitalasset.com.
[24] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union L119 (May 2016), 1–88.
[25] FELDMAN, A. J., ZELLER, W. P., FREEDMAN, M. J., AND FELTEN, E. W. SPORC: Group collaboration using untrusted cloud resources. In OSDI (2010), vol. 10, pp. 337–350.
[26] FIAT, A., AND SHAMIR, A. How to prove yourself: practical solutions to identification and signature problems. In Proceedings of the 6th Annual International Cryptology Conference (1987), CRYPTO '87, pp. 186–194.
[27] GARMAN, C., GREEN, M., AND MIERS, I. Accountable privacy for decentralized anonymous payments. Cryptology ePrint Archive, Report 2016/061, 2016. http://eprint.iacr.org/2016/061.
[28] GREENBERG, A. FBI says it's seized $28.5 million in bitcoins from Ross Ulbricht, alleged owner of Silk Road. Forbes 25 (2013).
[29] HERFINDAHL, O. C. Concentration in the steel industry. PhD thesis, Columbia University New York, 1950.
[30] LAMPORT, L., ET AL. Paxos made simple. ACM SIGACT News 32, 4 (2001), 18–25.
[31] LI, J., KROHN, M. N., MAZIÈRES, D., AND SHASHA, D. E. Secure untrusted data repository (SUNDR). In OSDI (2004), vol. 4, pp. 9–9.
[32] MAHAJAN, P., SETTY, S., LEE, S., CLEMENT, A., ALVISI, L., DAHLIN, M., AND WALFISH, M. Depot: Cloud storage with minimal trust. ACM Transactions on Computer Systems (TOCS) 29, 4 (2011), 12.
[33] MAURER, U. Unifying zero-knowledge proofs of knowledge. Proceedings of the 2nd International Conference on Cryptology in Africa (2009), 272–286.
[34] MAXWELL, G. Confidential transactions. https://people.xiph.org/~greg/confidential_values.txt (Accessed 8/2017) (2015).
[35] MAXWELL, G., AND POELSTRA, A. Borromean ring signatures. https://raw.githubusercontent.com/Blockstream/borromean_paper/
[36] MEIKLEJOHN, S., POMAROLE, M., JORDAN, G., LEVCHENKO, K., MCCOY, D., VOELKER, G. M., AND SAVAGE, S. A fistful of bitcoins: characterizing payments among men with no names. In Proceedings of the 2013 conference on Internet measurement conference (2013), ACM, pp. 127–140.
[37] NAKAMOTO, S. Bitcoin: A peer-to-peer electronic cash system, 2008.
[38] OBER, M., KATZENBEISSER, S., AND HAMACHER, K. Structure and anonymity of the bitcoin transaction graph. Future Internet 5, 2 (2013), 237–250.
[39] ONGARO, D., AND OUSTERHOUT, J. K. In search of an understandable consensus algorithm. In USENIX Annual Technical Conference (2014), pp. 305–319.
[40] PAPADIMITRIOU, A., BHAGWAN, R., CHANDRAN, N., RAMJEE, R., HAEBERLEN, A., SINGH, H., MODI, A., AND BADRINARAYANAN, S. Big data analytics over encrypted datasets with Seabed. In OSDI (2016), pp. 587–602.
[41] PEDERSEN, T. P. Non-interactive and information-theoretic secure verifiable secret sharing. In Proceedings of the 11th Annual International Cryptology Conference (1992), CRYPTO '91, pp. 129–140.
[42] POELSTRA, A., BACK, A., FRIEDENBACH, M., MAXWELL, G., AND WUILLE, P. Confidential assets, 2017. 4th Workshop on Bitcoin and Blockchain Research.
[43] POPA, R. A., REDFIELD, C., ZELDOVICH, N., AND BALAKRISHNAN, H. CryptDB: protecting confidentiality with encrypted query processing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (2011), ACM, pp. 85–100.
[44] POPA, R. A., STARK, E., HELFER, J., VALDEZ, S., ZELDOVICH, N., KAASHOEK, M. F., AND BALAKRISHNAN, H. Building web applications on top of encrypted data using Mylar. In NSDI (2014), pp. 157–172.
[45] REID, F., AND HARRIGAN, M. An analysis of anonymity in the bitcoin system. In Security and privacy in social networks. Springer, 2013, pp. 197–223.
[46] RON, D., AND SHAMIR, A. Quantitative analysis of the full bitcoin transaction graph. In International Conference on Financial Cryptography and Data Security (2013), Springer, pp. 6–24.
[47] SASSON, E. B., CHIESA, A., GARMAN, C., GREEN, M., MIERS, I., TROMER, E., AND VIRZA, M. Zerocash: Decentralized anonymous payments from Bitcoin. In Security and Privacy (SP), 2014 IEEE Symposium on (2014), IEEE, pp. 459–474.
[48] SCHNORR, C.-P. Efficient signature generation by smart cards. Journal of Cryptology 4, 3 (1991), 161–174.
[49] SCHUSTER, F., COSTA, M., FOURNET, C., GKANTSIDIS, C., PEINADO, M., MAINAR-RUIZ, G., AND RUSSINOVICH, M. VC3: Trustworthy data analytics in the cloud using SGX. In Security and Privacy (SP), 2015 IEEE Symposium on (2015), IEEE, pp. 38–54.
[50] TU, S., KAASHOEK, M. F., MADDEN, S., AND ZELDOVICH, N. Processing analytical queries over encrypted data. In Proceedings of the VLDB Endowment (2013), vol. 6, VLDB Endowment, pp. 289–300.
[51] Zcash, 2017. http://z.cash.
[52] ZHENG, W., DAVE, A., BEEKMAN, J. G., POPA, R. A., GONZALEZ, J. E., AND STOICA, I. Opaque: An oblivious and encrypted distributed analytics platform. In NSDI (2017), pp. 283–298.
A Auditing Queries
Figure 5 is a list of the types of measurements zkLedger supports, including the estimated running time and the data beyond the measurement that is leaked. For example, as described in §5, computing transaction size variance requires leaking the mean transaction size and number of transactions per bank.
B Zero-knowledge proofs and privacy guarantees
To build our zero-knowledge protocols we rely on the following general result of Maurer (Theorem 3, [33]):
Theorem B.1. Let $(H_1, \star)$ and $(H_2, \otimes)$ be two (not necessarily commutative) groups and $f : H_1 \to H_2$ be a group homomorphism: $f(x \star y) = f(x) \otimes f(y)$. Let $\mathcal{C} \subseteq \mathbb{Z}$, $\ell \in \mathbb{Z}$, $u \in H_1$ be such that:
1. $\gcd(c_1 - c_2, \ell) = 1$ for all $c_1, c_2 \in \mathcal{C}$ (with $c_1 \neq c_2$), and
2. $f(u) = z^{\ell}$.
There exists a 2-extractable $\Sigma$-protocol for the language $L = \{ z : \exists w \text{ s.t. } z = f(w) \}$. Moreover, a protocol consisting of $s$ rounds is a proof of knowledge if $1/|\mathcal{C}|^s$ is negligible, and zero-knowledge if $|\mathcal{C}|$ is polynomially bounded.
Using Theorem B.1 we can now unify the treatment of most of the zero-knowledge proofs used in our system. For example, the consistency proofs rely on the following result:
Theorem B.2. Let $G$ be a cyclic group of order $r$ and $g, h, pk$ be any three elements of $G$. There exists a 2-extractable $\Sigma$-protocol for the language $L_{cm, Token} = \{ (cm, Token) : \exists v, r \text{ s.t. } cm = g^{v} h^{r} \wedge Token = pk^{r} \}$.
Proof. Consider $H_1 = \mathbb{Z}_r \times \mathbb{Z}_r$ with component-wise addition as the group operation, and $H_2 = G \times G$ with component-wise multiplication. Then $f(x, y) := (g^{x} h^{y}, pk^{y})$ is a group homomorphism between $H_1$ and $H_2$. Indeed, $f(x_1 + x_2, y_1 + y_2) = (g^{x_1 + x_2} h^{y_1 + y_2}, pk^{y_1 + y_2}) = f(x_1, y_1) \cdot f(x_2, y_2)$. Furthermore, setting $\ell = r$ and $u = (0, 0)$, we have for all $z \in H_2$ that $z^{\ell} = (1, 1) = f(u)$. Therefore we can apply Theorem B.1 and conclude that $L_{cm, Token}$ has a 2-extractable $\Sigma$-protocol.
To summarize, the three proofs in zkLedger (see Section 4.3) that relate commitments $cm_i := g^{v_i} h^{r_i}$ and audit tokens $Token_i := (pk_i)^{r_i}$ have the following form:
• Proof of Assets. This proof consists of a new commitment $cm'_i$, together with an audit token $Token'_i$, and a zero-knowledge proof asserting that either $cm'_i$ is a re-commitment of the value in $cm_i$ or a re-commitment to the sum of the values in $\prod_{j=0}^{m} cm_j$. To create this proof zkLedger relies on Theorem B.1 for the constituent proofs; as these are $\Sigma$-protocols we apply the standard OR-composition [20] to get the final disjunctive zero-knowledge proof. To prove that the committed value is in range we use the range proofs of Confidential Assets [42]. We are investigating more recent proof systems (e.g. Bulletproofs [13]) to further reduce the proof size.
• Proof of Balance. In our implementation this proof is an empty string: the prover simply chooses the commitment randomness subject to the condition $\sum_i r_i = 0$. With such a choice the auditor homomorphically adds the commitments and checks that the result is the neutral element of the group: $\prod_i cm_i = g^{\sum_i v_i} h^{\sum_i r_i} = g^{0} h^{0} = 1$.
• Proof of Consistency. We use two proofs derived from Theorem B.2 to assert that the randomness used in $cm_i$ and $Token_i$ is the same, and that the randomness used in $cm'_i$ and $Token'_i$ is the same.
Measurement                        Time     Additional information leaked
Sum total of asset(s) per bank     O(1)     none
Outlier transactions per bank      O(n)     none
Concentration                      O(k)     Sum totals per bank
Ratio holdings                     O(k)     Sum totals per bank, number of transactions per bank
Mean transaction size per bank     O(kn)    Number of transactions per bank
Variance, skew, kurtosis           O(kn)    Mean per bank, number of transactions per bank
Real-time price averages           O(kn)    Number of transactions and average per bank over time period t
Figure 5: Types of supported auditing queries, their running time to audit in terms of the number of banks k and the number of rows in the ledger n, and a description of what information is leaked to the auditor.
C Privacy in the combined system
Pedersen commitments provide information-theoretic privacy. In zkLedger Pedersen commitments are published together with authentication tokens and zero-knowledge proofs. We note that zero-knowledge proofs indeed don’t spoil the information-theoretic privacy of committed values: the output of the zero-knowledge proof simulator is identical to the output produced by parties in the system. However, when combining Pedersen commitments and authentication tokens, the privacy guarantees become computational as we now explain.
Pedersen承诺提供信息理论隐私。在zkLedger中,Pedersen的承诺与认证令牌和零知识证明一起发布。我们注意到,零知识证明确实不会破坏承诺值的信息理论隐私:零知识证明模拟器的输出与系统中各方产生的输出相同。但是,在结合Pedersen承诺和身份验证令牌时,隐私保证会变得像我们现在解释的那样。
The commitment, audit token and public key triple is of the form $(g^v h^r,\ h^{sk \cdot r},\ h^{sk})$, and these three values uniquely determine $v$. That is, if an adversary could solve the discrete logarithm problem, it could solve for $sk$, use it together with the value of $Token$ to infer $r$ (since $Token^{1/sk} = h^r$), and finally recover $v$. That said, under the Decisional Diffie-Hellman (DDH) assumption, no information is leaked. Furthermore, the DDH assumption is widely assumed to hold in zkLedger's elliptic curve group.
Recall that DDH holds if no polynomially-bounded adversary can distinguish tuples of the form $(h, h^a, h^b, h^{ab})$ from tuples of the form $(h, h^a, h^b, h^c)$ for a randomly chosen generator $h$ and random exponents $a, b, c$. Assume that a stateful zkLedger adversary, when given input $(g, h, h^{sk})$, is able to produce two values $v_1$ and $v_2$ such that it can distinguish commitments (and associated audit tokens) to $v_1$ from commitments (and audit tokens) to $v_2$, i.e. it can distinguish the distributions $(g^{v_1} h^r,\ h^{sk \cdot r},\ h^{sk})$ and $(g^{v_2} h^r,\ h^{sk \cdot r},\ h^{sk})$. We now show how to use such an adversary to construct a DDH adversary that breaks the DDH assumption.
After receiving its challenge $(h, x, y, z)$, where $(x, y, z)$ is distributed either as $(h^a, h^b, h^{ab})$ or as $(h^a, h^b, h^c)$, the DDH adversary proceeds as follows. It samples a random generator $g$ and calls the zkLedger adversary on input $(g, h, x)$, with $x$ now serving the role of the bank's public key. When the zkLedger adversary returns two values $v_1$ and $v_2$, the DDH adversary picks a random $k \in \{1, 2\}$, prepares $cm_k = g^{v_k} \cdot y$ and $Token = z$, and sends $(cm_k, Token)$ to the zkLedger adversary. Finally, if the zkLedger adversary's guess for $k$ is correct, the DDH adversary responds that the challenge was of the form $(h, h^a, h^b, h^{ab})$ (i.e. a DDH quadruple); otherwise it responds that the challenge was of the form $(h, h^a, h^b, h^c)$ (i.e. a random quadruple).
Note that when the DDH adversary's challenge is a DDH quadruple, the zkLedger adversary is run on a distribution it expects: all of its inputs are correctly formed with respect to $sk = a$ and $r = b$. Whereas, when the challenge is a random quadruple, the inputs to the zkLedger adversary carry information-theoretically no information about the committed value: indeed, $h^c$ is unrelated to $g^{v_k} h^b$. Therefore, if the zkLedger adversary wins the commitment hiding game with non-negligible advantage, so does the DDH adversary in the DDH game. Note that the proof extends to the multiple-entry case by a standard hybrid argument.
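The reduction in the paragraphs above, carried out in a toy group as an added example (not from the zkLedger paper or its code): `embed` performs the DDH adversary's step of turning a challenge $(h, x, y, z)$ into a (commitment, audit token, public key) triple, `honest_triple` is the genuinely formed $(g^v h^r, pk^r, h^{sk})$ it must match when $z = h^{ab}$, and `open_with_sk` shows the step the text attributes to an adversary that has recovered $sk$. The group parameters (p = 2039, q = 1019, generators 4 and 9), the function names and the sample values are this example's own assumptions; zkLedger itself works in an elliptic-curve group.

```python
"""The Appendix C reduction worked in a toy group: a DDH challenge (h, x, y, z)
is embedded as a zkLedger (commitment, audit token, public key) triple, and the
triple is opened with sk to show what breaking discrete log would reveal.
Example code written for this page, not from the zkLedger paper or code."""
import secrets

# Toy Schnorr group: p = 2q + 1, generators 4 and 9 of the order-q subgroup.
# Deliberately insecure sizes; real deployments use an elliptic-curve group in
# which DDH is believed to hold.
P, Q = 2039, 1019
G, H = 4, 9


def ddh_challenge(real):
    """Sample (x, y, z) = (h^a, h^b, h^ab) if real, else (h^a, h^b, h^c) with c != ab.
    Returns the tuple and the exponents (only the challenger knows the exponents)."""
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    c = a * b % Q if real else (a * b + secrets.randbelow(Q - 1) + 1) % Q
    return (pow(H, a, P), pow(H, b, P), pow(H, c, P)), (a, b, c)


def embed(v, x, y, z):
    """The DDH adversary's move: x plays pk = h^sk, y plays h^r and z plays Token,
    so the triple handed to the zkLedger adversary is (g^v * y, z, x)."""
    return pow(G, v % Q, P) * y % P, z, x


def honest_triple(v, r, sk):
    """Honestly formed (cm, Token, pk) = (g^v h^r, pk^r, h^sk) for comparison."""
    pk = pow(H, sk, P)
    return pow(G, v % Q, P) * pow(H, r, P) % P, pow(pk, r, P), pk


def open_with_sk(cm, token, sk, bound=64):
    """What a party holding sk learns from (cm, Token): h^r = Token^(1/sk), then
    g^v = cm / h^r, and v itself by bounded search (amounts are small here).
    Returns None if no v in [-bound, bound] matches."""
    h_r = pow(token, pow(sk, -1, Q), P)
    g_v = cm * pow(h_r, -1, P) % P
    for v in range(-bound, bound + 1):
        if pow(G, v % Q, P) == g_v:
            return v
    return None


def reduction_demo(v):
    """Run both branches of the reduction. Returns three booleans:
    - the embedding of a DDH quadruple equals an honest triple with sk = a, r = b;
    - that triple opens to v once sk = a is known;
    - in the random-quadruple branch Token^(1/sk) != h^r, so z says nothing
      about the randomness that hides v."""
    (x, y, z), (a, b, _) = ddh_challenge(real=True)
    same_as_honest = embed(v, x, y, z) == honest_triple(v, b, a)
    cm, token, _pk = embed(v, x, y, z)
    opens_to_v = open_with_sk(cm, token, a) == v
    (_x2, y2, z2), (a2, _b2, _c2) = ddh_challenge(real=False)
    token_unrelated = pow(z2, pow(a2, -1, Q), P) != y2
    return same_as_honest, opens_to_v, token_unrelated


if __name__ == "__main__":
    print(reduction_demo(17))   # -> (True, True, True)
```

The first boolean is the heart of the argument: in the DDH branch the zkLedger adversary sees exactly the distribution it attacks, so its advantage carries over to the DDH adversary. The last boolean is the other branch: with a random $z$ the token is independent of $h^b$, so the commitment hides $v$ information-theoretically and the adversary can do no better than guess $k$.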