Thank you all for braving the tsunami for one of the best last talks of the conference. This is the talk "Satoshi has no clothes. What about Szabo?" So, do we need privacy for smart contracts? I sort of started thinking about this because everyone sort of understands that you want privacy for money, for some reasons. The problem for cryptocurrencies is that they are basically Twitter for your bank account: they expose all of your spending details to everybody, right? Your creepy ex-girlfriend or boyfriend, your business competitors, literally everybody. So this is a thing that we're starting to understand these days. But it's not clear what the analogy we should draw for smart contracts is; it's not exactly clear what we mean by privacy, and it's not clear how we could possibly get it, right? So if, you know, cryptocurrency is Twitter for your bank account, what is a smart contract? Well, it could be Twitter for your EC2 account, but EC2 already has that. That's Amazon S3, that everyone fails to secure and, like, leaks all the credit card databases and such. So it's not that. Twitter for your Tamagotchi clone is a nice description of CryptoKitties, but doesn't tell you why you care about privacy, and similarly Twitter for your Ponzi scheme, well, that doesn't work either. So we don't have that kind of analogy. But there is an interesting one that I think is worth mentioning, because it's linked to privacy, which is, you know, smart contracts are like privacy in a different way, right? We have this fail whale problem, right? So for those of you who, you know, used Twitter back in the day: Twitter broadcasts all your data to everyone, and they had the scaling problem where they couldn't handle the massive amount of data that was public. And so it turns out that if you could solve whatever it is about privacy in some way for payments, and you do it for smart contracts as well, you'd actually end up helping scaling in the same way, because you'd have less data, right?
So something vaguely, before figuring out what privacy is: these two things are linked, right? If you reduce the amount of information that's out there for everyone to see about you, you also reduce the amount of information the network has to deal with. So, okay, well, what's a smart contract? Well, okay, I'm a computer scientist, I'm about to be a professor at the University of Maryland next year, I'm a founding scientist at Zcash, you know, I tend to try to define things. So you can look at a smart contract as a function F on some state S, and it takes inputs, you know, X, and it does an update to get you a new state. The blockchain checks that all this stuff is enforced. This is really just formalism. So you start thinking through this and you start thinking about, well, what can we hide? Right, we can hide the inputs that you're calling the smart contract on, that's one thing. We could hide the actual state of the smart contract, that's another thing. And then, importantly, we could hide what the actual smart contract even is, so that nobody knows that, like, CryptoKitties or [unclear] ran. But when we start thinking about it in this way, in this sort of dry academic approach, we just go, what are we even trying to do here again? Like, this formalism doesn't sort of reflect real life. It's not clear what to think about; this is not the way you should go about this. Right, so the first question is, like, why does privacy matter for contracts at all, right? And it's hard to give just one reason, because unlike, you know, payments, right? Well, we all know what payments are in day-to-day life. We know what Bitcoin was trying to do. Smart contracts are everything to everybody, right? There is no one use case.
There is no one privacy story I can tell you, right? For things like actual legal contracts, going back to, like, the Nick Szabo ideas of these things, right, you have some kind of settlement mechanism for an actual, like, agreement you made between parties. It's kind of obvious that you need some form of confidentiality, because when businesses sign contractual relationships between each other, they don't publish them to everybody in the world, right? And so if you really use smart contracts as part of business relationships, then all of a company's business relationships would be public, and no business will do that. They just won't use these tools; they'd prefer to pay lawyers $400 an hour to do actual contracts that are confidential. Right, so that's one use case, right? Another one: if you're trying to do DeFi, right? Well, you don't want trading strategies to be public. You don't want all the information about how you're trading, what you're doing, to be visible to everybody. And I think this is probably one of the more compelling use cases for privacy on the blockchain, because we know that finance firms try to get any edge they possibly can. Right, so if you've used Google Maps, right, you know that there's a satellite photo button, that you can get satellite photos of the entire Earth, right? Google is not the one financing all the satellites. Those companies that do commercial satellite photography, one of their principal clients is hedge funds, because they buy overhead photos to be able to figure out how much farming someone's doing, how much business a factory is making, how many employees someone has based on who's in the parking lot, right?
So these are guys who are willing to build spy satellites to get information about what they're doing on the market. So compared to that, downloading your blockchain and doing a bunch of analysis is a really easy thing. Right, so you need privacy in that setting. If you want to do some kind of crazy global computer, it's not clear what you're going to do with this, what your access policies are, but we already know that you don't want your actual computational stuff to be public, right? This is again back to S3, right: Amazon leaking everything, mistakes happening, things getting breached. You just don't want your computer hard drive to be public to the internet, right? Anybody here want to put up their entire hard drive on, like, that kind of share link to Twitter, anybody can read it? Right, nobody wants to do that, right? So that's the use case there. The bottom line is that no business is going to use any of this stuff that leaks all this data. So you need to have stories about how to mitigate what's going on and to provide privacy options. So now we're back to this. Well, what is a smart contract? And again, it turns out the definition is useful, but the real thing you need to think about is, you know, what are you actually trying to do, right? So there are four questions, right? Who needs to verify your data, right? When do they need to do it? Where are the secrets in this system, right? And then finally, what are you trying to hide? So in terms of verifying it, yeah, it could be just you, but if you're just trying to verify your own data, well, that's kind of sad and you really don't need a blockchain, right? If it's the current participants, that's actually a thing we know how to do, and that's really nice. If you want anybody in the future to possibly be able to verify what's going on, things get interesting, and actually we'll get to some research on that that solves it at the end of this talk. Right.
The other important question is when do you need to verify it, right? If there was a smart contract, or, you know, you're doing some computation with people, do you just need to know it's correct right now? Do you need to know it's correct as the computation goes on, after you've left it or are no longer participating? Do you need to know it's correct before you even get started? Like, you walk into a room, people have been dealing cards and playing a game. Do you need to know that the deck wasn't loaded, even though you never saw that part of the game happen? It depends, right? The next question is where do secrets live, and this is actually probably the real gotcha with smart contracts. Because if you want your secrets to live with random people off-chain, the people who are participating, it's fine. But two people can keep a secret if one of them is not a blockchain, right? Blockchains don't keep secrets. And so the usual problem we run into when people start thinking about private smart contracts is they go, oh, I want the blockchain to hold an encryption key, to hold my password, to hold some data. And that turns out to be incredibly hard to do and quite problematic, so you'd prefer to avoid it. And then finally, and this is sort of the mundane, more low-level, putting my professor hat on: what are you trying to hide, right? Are you trying to hide the state of the contract? The state metadata, like which contract is being run? That one turns out to be important. The inputs? Or even the actual function, right? So, well, okay, what are these things? How do they break down? Well, let's look at a couple of examples. I'm going to go over three of them, right, which are sort of common things that come to mind, right? One of them is a simple game, poker, right? The next one is, let's consider something like payments. This could also be, like, custom tokens, custom assets, any of these crazy DeFi projects, right? They all have these custom tokens that underlie them, right?
It's like a video game arcade at Chuck E. Cheese, right? You built this whole complicated machine, but you also have these custom tokens you have to put into it to power it, and you might need privacy there. And then finally, a typical thing that comes up, I'm not really sure why, but it's what everyone thinks of, is, like, auctions. Right, you want to do a sealed-bid auction to price an asset, right? And these all, it turns out, have some privacy goal they want, but they're different. Right, so in terms of poker, right? Who needs to verify what's going on? Well, it's only the people playing the game, right? If you all show up to a poker table, you decide to deal a hand, the only people who care what's going on in the poker game are really all the people there, right? And they only care about it for as long as they're playing the game, and when they get the money out. After that, nobody cares, right? So they'll need to verify it then. And finally, right, the secrets, you know, who has what card, what hand, that's just shared between them; the blockchain never needs to know about it. Right, you don't need to get them to keep something permanently. So this is somewhat easy, right? The state you want to keep private is, you know, what people's hands are. The inputs, actually the bets, the actions like raise, call, flip the river card, those actually can be public. So this is one setting. In contrast, payments get a lot harder, because in the payment system everybody needs to be able to verify what's going on, because anybody you might pay needs to know that your money is actually good. So this poses a bit of a problem, right? And they need to verify at any time in the future. The people who keep the secrets, well, that is simple in this case, as anyone who's holding the bag, right? Anybody who has money, has crypto tokens, those bag holders.
They need to keep the secrets, but nobody else. And for that you're keeping all the data secret: the balance, the from, the to, everything else. Okay, and then finally, for, like, a sealed-bid auction, again we're back to the participants needing to just know what's going on only during the auction. So this is similar to a poker game, but the difference is that the secrets are kept with an auctioneer. Those are the bids, and the bids are what you need to keep secret. So what do we do about this? There are a couple of different techniques you can use that can work for various things. There are basically three. The first one is a thing that's called refereed computation. This came out of academic work in 2009, 10 that nobody ever heard of and nobody ever cites, but then got sort of reinvented, I think completely by happenstance, by things like TrueBit and Arbitrum and Offchain Labs, and no doubt other things I haven't thought of. This is sort of like state channels in a certain sense, and these provide a certain kind of privacy. The next thing is trusted execution, in the form of either SGX or MPC, and this is really sort of the holy grail, but it turns out to be problematic. And then the final thing, which is sort of what my research is on, and in fact I have a paper appearing this year on, is sort of zero-knowledge based execution protocols. And so this starts with Zcash, which does privacy just for a fixed function, which is payments. It got generalized in some things that say, oh, you can have multiple different functions that stand alone, it's basically different blockchains, a thing called Hawk. And then the latest piece of research, which is by me and my co-authors, actually, so you can have general computation instead, in a composable way. Right, so I'll give you a brief overview of these three sets of techniques. So refereed computation is, you know, sort of like a state channel, and it actually is the closest thing to a real, like, contract in the sense of what we have under the law. Right, you have
some parties. They agree to do some stuff. They do whatever it is off-chain, and as long as everybody's honest, right, they don't disagree, nothing happens on chain. You have no privacy problems. If there's ever a dispute, though, you take it to the blockchain, and the blockchain is supposed to mediate the dispute. Right, and so this works quite effectively, quite efficiently. It doesn't have privacy inherently; usually, when you resolve it on chain, everything's public, similarly to a court case. But if you do have some other privacy solution for doing private computation on chain, it turns out you can make this private, right? And you can use this for something like a poker game quite well. It works nicely, right? And so in this case, right, this works for systems where, you know, only the participants care about the correctness. It only ensures correctness while participating, because you actually have to be moderating with these people. And it hides pretty much everything, if you get the dispute process right. So that's one option, but it's limited, right? It basically works for these things where you only care as long as you're in the room. Right, it doesn't work for money, and the reason it doesn't work for money, or anything like it, is because a year ago, when you weren't part of the cryptocurrency scene or whatever, 20 guys could have gotten together and decided they were gonna invent a bunch of extra money, and since you weren't in the room you didn't see them do this. So you couldn't dispute it on chain, and now you have no idea what happened, right?
This only works when you've seen all the state transitions. All right, the next thing you can do is SGX, right, or multi-party computation. These are actually very similar from a conceptual point of view. They basically both conjure a trusted third party out of thin air, right, and they either do it by assuming you have hardware that's secure, or by assuming that you have some number of servers, one or five of them are honest, and then you do some crazy cryptography. And ideally this provides exactly what you would want, like a perfectly private smart contract. They can keep secrets and do everything. In practice, it's a little bit of a challenge. Trusted hardware is frequently broken, right, like Intel has had problems. We don't really think you can do this securely if you're dealing with a serious attacker. And the MPC stuff is actually expensive. And in particular, dealing with parties who go offline, both for SGX and for MPC, is hard, because if you have encrypted data on your blockchain and the guy holding the key, even if you trust him, disappears, your data is gone. So you have to figure out some way to, you know, share a secret, share the key, and have a bunch of people then, you know, refresh shares when someone goes offline. You have to hope people don't get corrupted. If you screw this up and someone pretends to go offline and then comes back, they can end up holding all the keys, in either MPC or SGX, and then they have all your data. So it's risky, right, but it does give you the ideal. Right, so in SGX, MPC, what happens? Everyone can verify, because they are supposed to trust this mechanism. They can verify forever, before or after, assuming they trust the nodes that are running it. The MPC or the SGX can actually keep secrets.
It can keep encrypted data on a blockchain, and everything's hidden, but at a very high cost, which is just, conceptually, this stuff is incredibly broad. So that brings us to the zero-knowledge approach, right? And the idea is, instead of posting your input to the smart contract and the existing state on chain, you just replace all that with a zero-knowledge proof that, hey, we did this update and it's totally correct. Naively, if you do this, you'd reveal the actual state. So, okay, you encrypt that, you hide that, same thing you do in, like, say, Zcash. But there are two problems with this. Naively, if you do this this way, it reveals the metadata of, like, what program is being run, what payments are being made, and it reveals what function you're running. So what do I mean by this? Well, consider a basic ERC-20 token, right? Your state is a table of who has what money. The function, you know, allows payments: decrement one row, increment the other. And if you naively did this, just, let's prove this is correct, you'd run into one of two problems. Either everybody would be able to view this table, who was part of the ERC-20 tokens, who would have no privacy, or you do something weird where you'd leak which thing is being updated, right? So what do you do instead? Why, you take this table and you split it up into little mini tables, which are kind of like UTXOs, where each person has their own separate state, right? And now nobody can see all this thing necessarily when they're doing an update. And so you have this, but you still haven't solved your privacy problem, because if you want to make a payment from, like, Bob to Charlie, you have to say, I'm gonna update this entry, this blob and this blob, and people are gonna know you're updating those. Thankfully, we know how to solve this, right? We just do the same thing that Zcash does, right? We put everything in a Merkle tree, we prove that your entries are in the tree, and we show that the records are correct, and we break this linkage, right?
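The contrast the speaker draws, a public balance table whose updates name both rows versus per-user records committed into a Merkle tree, is shown below as an added example; it is not code from the talk or from Zcash or Zexe. The zero-knowledge proof is abstracted: `verify_in_the_clear` checks the statement a SNARK would attest to, using witness data (the spent note and its Merkle path) that the real system would feed only to the prover and never publish. Names, keys, amounts and the `Note`/`Witness` structures are constructed for illustration; the hash-based commitment and nullifier layout is a simplification of the Zcash design rather than its actual circuit.

```python
"""Added illustration (not the speaker's code): what an on-chain observer sees under a
naive ERC-20-style table versus Zcash-style note commitments in a Merkle tree.
The zk proof is replaced by `verify_in_the_clear`, which checks the proven statement
directly using private witness data; a real verifier sees only the public inputs.
All keys, names and amounts are constructed sample values."""
import hashlib
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


# ---- 1. Naive model: public balance table, a transfer edits two named rows ----
class NaiveToken:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.log = []  # exactly what every node and every observer sees

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        self.log.append(("transfer", sender, receiver, amount))
        return self.log[-1]


# ---- 2. Shielded model: each balance is its own committed record (a "note") ----
@dataclass
class Note:
    owner_sk: bytes  # spending secret of the owner (constructed value)
    value: int
    rho: bytes       # per-note randomness, makes commitments unlinkable

    def commitment(self) -> bytes:  # public leaf; reveals nothing without rho
        return H(b"cm", H(b"pk", self.owner_sk), self.value.to_bytes(8, "big"), self.rho)

    def nullifier(self) -> bytes:   # published on spend; unlinkable to the commitment
        return H(b"nf", self.owner_sk, self.rho)


def merkle_root(leaves):
    level = list(leaves)
    if not level:
        return H(b"empty")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate last leaf on odd levels
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves, index):
    """Sibling hashes from leaf to root as (sibling, sibling_is_on_right) pairs."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        path.append((level[index ^ 1], index % 2 == 0))
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def verify_path(leaf, path, root):
    h = leaf
    for sib, sib_is_right in path:
        h = H(h, sib) if sib_is_right else H(sib, h)
    return h == root


@dataclass
class Witness:  # private inputs: in a real system these go to the SNARK prover only
    old: Note
    path: list
    new_notes: list


def verify_in_the_clear(root, nf, new_cms, w: Witness):
    """Stand-in for the zk verifier: the statement, checked with the witness exposed."""
    return (verify_path(w.old.commitment(), w.path, root)       # old note is in the tree
            and w.old.nullifier() == nf                          # nullifier belongs to it
            and [n.commitment() for n in w.new_notes] == new_cms  # outputs are well-formed
            and w.old.value == sum(n.value for n in w.new_notes))  # value is conserved


class ShieldedLedger:
    def __init__(self):
        self.commitments = []    # public, append-only Merkle leaves
        self.nullifiers = set()  # public; a repeated nullifier is a double spend
        self.log = []

    def deposit(self, note):
        self.commitments.append(note.commitment())
        self.log.append(("new_cm", note.commitment().hex()))

    def spend(self, old, new_notes, proof):
        root = merkle_root(self.commitments)
        nf = old.nullifier()
        if nf in self.nullifiers:
            raise ValueError("double spend")
        if not verify_in_the_clear(root, nf, [n.commitment() for n in new_notes], proof):
            raise ValueError("invalid proof")
        self.nullifiers.add(nf)
        for n in new_notes:
            self.commitments.append(n.commitment())
        entry = ("spend", root.hex(), nf.hex(), [n.commitment().hex() for n in new_notes])
        self.log.append(entry)  # no sender, receiver, amount or leaf index appears
        return entry


def demo():
    """Same payment (Bob pays Carol 20) in both models; returns the two observer views."""
    naive = NaiveToken({"bob": 50, "carol": 10})
    naive_view = naive.transfer("bob", "carol", 20)

    ledger = ShieldedLedger()
    alice_note, bob_note = Note(b"alice-sk", 70, b"rho-0"), Note(b"bob-sk", 50, b"rho-1")
    ledger.deposit(alice_note)
    ledger.deposit(bob_note)
    path = merkle_path(ledger.commitments, 1)  # Bob's leaf; only the prover learns the index
    outputs = [Note(b"carol-sk", 20, b"rho-2"), Note(b"bob-sk", 30, b"rho-3")]  # payment + change
    shielded_view = ledger.spend(bob_note, outputs, Witness(bob_note, path, outputs))
    return naive_view, shielded_view


def double_spend_rejected():
    """The nullifier set, not the hidden leaf, is what stops reuse of a note."""
    ledger = ShieldedLedger()
    note = Note(b"sk", 5, b"rho")
    ledger.deposit(note)
    out = [Note(b"sk2", 5, b"rho-x")]
    w = Witness(note, merkle_path(ledger.commitments, 0), out)
    ledger.spend(note, out, w)
    try:
        ledger.spend(note, out, w)
    except ValueError as e:
        return str(e) == "double spend"
    return False


if __name__ == "__main__":
    naive_view, shielded_view = demo()
    print("naive observer sees:   ", naive_view)
    print("shielded observer sees:", shielded_view)
    print("double spend rejected: ", double_spend_rejected())
```

The point of running both side by side is the shape of the log entry: the naive entry carries sender, receiver and amount in the clear, while the shielded entry carries a tree root, a nullifier and fresh commitments, none of which an observer can tie to a particular leaf or party. What keeps the shielded model honest is the statement inside `verify_in_the_clear`; in a deployed system that statement is what the zk-SNARK proves, so the witness never leaves the spender's machine.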
This is fairly simple. It was straightforward to do once you have decent zk-SNARKs. The question is, and the thing we actually really did in Zexe is, you know, how do you get this to work? What's the computational model? And so in this, the computational model is you have a commitment to data on chain, and the commitment contains the code that created it and the code that's going to run when you try to, like, update it. And then every time you do a transaction, all you do is prove in zero knowledge that the code that created it was valid and actually ran, that your transaction is well-formed, and that the code that was supposed to run when you updated it actually ran correctly. Right, and you actually do this via a layer of indirection, where you have multiple different zk-SNARKs. And the cool thing about this is that, unlike previous work which did this as a standalone thing, in this system you can have multiple different assets, multiple different custom contracts, and they can all communicate with each other privately, and nobody will know which one is which. Right, versus in the previous models you had basically a version which was Zcash, a version that was some custom asset, another custom asset, and everyone could tell which one was moving back and forth. So in this model, everyone can verify what's going on, because the zero-knowledge proofs are correct. You can do it at any time. The secrets, however, do have to remain off-chain. And so that's a little bit better, a little bit worse. But this is, I think, quite effective. And so we have, you know, these kinds of options to do all this stuff, and I think the zero-knowledge one is actually something you could seriously consider. So with that, I'll take questions. Also, on the off chance that any of you want to study this stuff, I'm starting in fall 2020 as a professor and I'm looking for grad students. Thank you.