TEE? ZKP? MPC? FHE?
Everything you need to know about the most important three letter acronyms in crypto
Or, how you win friends and TEE-fluence people 🧵
Everything you need to know about the most important three letter acronyms in crypto
Or, how you win friends and TEE-fluence people 🧵
This thread is based on the talk I gave at @modular_summit:
h/t @socrates1024 and @sufialhussaini from @cyclesmoney for help preparing the talk and associated demos.
h/t @socrates1024 and @sufialhussaini from @cyclesmoney for help preparing the talk and associated demos.
We all want private compute. Privacy is a fundamental human right. And yet our blockchains are woefully transparent. Clearly we need to do something about this. The core cryptography has come an enormous way, but there will always be limits & things cryptography alone cannot do.
ZK proofs have been at the epicenter of privacy in crypto since @zcash. ZKPs are great. They’re fast, efficient and working in production. But the problem with ZKPs is the prover needs all the data to produce a proof.
There’s no privacy from the prover!
There’s no privacy from the prover!
This is fine if the prover is the end-user - their data is theirs - like in the shielded pools of @zcash & @penumbrazone. But in many cases (eg. ZK rollups), the prover is a specialized entity that collects cleartext from many users in order to perform some more global compute
ZKPs maintain privacy from the verifiers but not from the provers. This matters if you don’t want to trust a single entity with all the user data - which we don’t. So ZKPs are not enough for many kinds of privacy we want. For instance the global graph algo we run in @cyclesmoney
In @cyclesmoney, we build up a graph of obligations, payment intents, & credit lines, so solvers can optimize flows to clear the most debt for the most people w/ the least money. ZKPs allow the chain to verify correctness, but they don't help keep the graph private from solvers!
In many scenarios, ZKPs are really more about guaranteeing correctness than privacy. Interestingly, the original constructions (SNARKs) were all about proving a computation correct. Privacy came practically for free after the fact (zk-SNARK).
So ZKPs are not enough. What about Multi-Party Computation (MPC)? MPC actually does give us the full private compute we want. In MPC, we encrypt values to polynomials and distribute them across N agents for compute. So long as K-of-N nodes don’t collude, privacy is preserved.
MPC works great for smaller compute, and is increasingly used to provide secure signing services, for instance in @web3auth and @usecapsule. Key material is split between a user and other service providers (some are themselves federations) and any 2 of 3 can produce a signature
There’s also some cool use cases of MPC in peer-to-peer trading, for instance @renegade_fi’s dark pool does order-matching via MPC between the actually interested parties, which removes collusion concerns (since the compute isn’t being outsourced). This is great protocol design.
But in general MPC is expensive (quadratic in N) due to high network overhead. And we have to trust that K nodes (eg. ⅓ of N) are honest. More nodes means much more overhead. And then, if nodes do collude to break privacy, they don’t leave a trace - there’s no way to detect it!
What about Fully Homomorphic Encryption (FHE) then? FHE is actually not an independent solution - you still need MPC to manage decryption. Otherwise a single agent can decrypt everything. So FHE on its own is basically useless for blockchains.
What is FHE good for? Outsourcing compute, privately. The base case is a user outsourcing some compute they want done while preserving privacy. They know the input and decrypt the output, so no problem. Some other server does the compute with FHE.
In blockchains we can think of FHE as trading off the network/IO overhead of MPC for the compute overhead of FHE. In theory, fast enough FHE can speed up MPC with many nodes - ie. use MPC only for decryption, FHE for the rest. Without MPC, FHE is basically useless for blockchains
This brings us to the obligatory meme section of the thread. @badcryptobitch has been here before us
https://x.com/badcryptobitch/status/1787833590664790424
So. ZK doesn’t give private compute. MPC is expensive and doesn’t give collusion resistance. FHE is expensive but can (in principle) make MPC cheaper.
What’s a practical solution we can use today with sufficient guarantees that can be combined with other techniques as necessary?
What’s a practical solution we can use today with sufficient guarantees that can be combined with other techniques as necessary?
This doesn’t mean the cryptography isn’t important or we shouldn’t keep pushing it - it’s critical and it needs development more than ever. But it can be complemented in many useful ways by TEEs, and there’s lots we can do to reduce TEE risk.
But this thread is already too long, so you’ll unfortunately have to wait til tmrw for groundbreaking insights on how to use TEE’s securely so they’re strictly better than not using them. Make sure to follow me to avoid missing some of the most TEE-fluencing content in the space!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
