Private bridging

Private bridging

Plaintext bridge (relay) flow (Outdated)

Here, I am unwrapping more the logic without privacy as digested from IBC relayers for my own understanding of the workflow.

Blockchain A with tokens a,b,c
Blockchain B with tokens d,e,f
User U from blockchain A with N tokens of type a wants to exhange n a's for m d's within a transaction object,
$t d$ .
A sends a message to B
B opens the message and sends back an ack
A burns n tokens and sends a proof(what is that proof?) that those tokens have been actually burnt. Certificate of transaction is sent.
B validates the proof and creates a voucher which authorizes the creation of m d's to bc B and are equivalent to n d's of bc A.

Q:How those messages are sent actually since those are two different blockchains with different Consensus and state machines rules ? Who is transporting the packages/messages?

A: The relayers are responisble to act as the transporters of packages messages between A and B. Those relayers are light-clients who perform validations and orchestrate the networking between A and B. They are not full nodes in the sense that they do not need to download the entire state but they can still validate/verify

A has each own light-client LC-A and B has each own LC-B
All LCs constitute the relayer/bridge logic

Seems like those relayers are centralized components who hold logic for cross chain transactions.

IBC world: client, connections, channels, ports, and packets:

Chain A <––––––––––> LC-A<->LC-B<–––––––––>Chain B
Client

      create_client(type b on chain A and type a on chain B)
      update_client
      https://github.com/informalsystems/hermes-ibc-workshop/blob/main/docs/clients.md

Bridges (Functionality goal: Transfer tokens from bc A to bc B, with privacy)

Blockchain A with tokens a,b,c
Blockchain B with tokens d,e,f
User U from blockchain A with N tokens of type a wants to exhange n a's for m d's within a transaction object,
$t d$ . That is:
Blockchain A keeps balance sheet for total amount (total outstanding balance) of transactions that happen from A to B for all tokens of A: a,b,c. Lets call those balance sheets BSa, BSb and BSc. Those BS's are encrypted with the public key of the blockchain(Q:since anyone can encrypt and send encrypted balances, how the system preserves malicious entities be it users, or the blockchain itself just sending incorrect balances from transactions that do not exist?)
U encrypts transaction data: token type:tt ,token amount: ta with the public key of the blockchain A pkA:
$E_{p k A} (t d) = C_{t d}$ . The bridge module in blockchain A, updates the state of BSa with
$C_{t d}$ in a private way such that the BS keeps the correct encrypted amount.
U publishes note commitment to blockchain A that includes (d, amount, recipientAddress) marked as to-be-sent (cross-chain transaction) to blockchain B, and U provides a proof that amount == ta from the encrypted amount in the previous step.
Blockchain B is informed by the relayer (who copies the note commitment and light client proofs) that the transaction on Blockchain A happened (blockchain B can check the light client proofs) and now that user needs to mint in total m tokens of type c.(Q: where the information that user U owns those c tokens is recorded? in bridge A, bridge B or both?)

On the way back, if U sends token d back to blockchain A, where token d on blockchain B corresponds to token a on blockchain A, blockchain A, when it receives a new note commitment from blockchain B over the bridge which contains a tokens, will decrement the BSa encrypted counter and check that it is non-negative (thus preventing blockchain B from sending more token a back than it was originally sent by blockchain A).

Private Counters

MPC Approach:

Each user additively secret shares the value
$t v$ inside a
${tx}_{c r o s s}$ transaction with validators responsible to act as watchdogs for the counter.
For
$i = 0. . n - 2$ , where
$n =$ #validators, U picks random numbers
$r_{i}$ and distributes one
$r_{i}$ to each validator
$v_{i}$ . Finally it computes
$r_{n - 1} = t v - \sum_{i = 0}^{n - 2} r_{i}$ and distributes it to the last validator
$v_{n - 1}$
Observe that the sum of all shares
$r_{i}, 0 \leq i \leq n - 1$ equals the total value
$t v$ . There is full threshold security here: All validators need to collude to reveal
$t v$ .
Correctness of shares: We assume at the first version that secret shares are computed correctly (does that sound very powerful assumption? If user U secret shares gibberish data what can go wrong?Is that captured at a later stage? Can we force user to produce proofs that secret share equal the
$t v$ that has been part of the commitment? We need a protocol as follows: User(prover) secret shares
$r_{i}, 0 \leq i \leq n - 1$ sum to
$t v$ without revealing
$t v$ and
$t v$ is input to a note where a commitment has been put on the MT. )
For additive properties (accumulating the total balance) additive secret sharing over a group is fine but for comparison we need to transform additive shares to boolean (edaBits/daBits: https://eprint.iacr.org/2021/119.pdf, https://mkskeller.github.io/files/programming.pdf). The general idea is: to check whether
$x < y$ we check whether
$x - y < 0$ . If subtraction result is negative it is equivalent to
$x < y$ otherwise when
$x > y$ the subtraction is a positive number. It suffices to check only the sign of the subtraction which can be done by extracting the MSB of
$x - y$ and check in two complement's notation.
Having additively secret shares of two numbers in
$Z_{N} : [x]_{Z_{N}}$ and
$[y]_{Z_{N}}$ perform:
- perform subtraction and publish
  $[z] = [x - y]$
- run
  $bitDecompose$ to
  $[z]$ such that
  $z$ is been shared with boolean shares in
  $Z_{2}$
- run
  $MSBExtract ([z]_{Z_{2}})$ )

Plaintext example:

Assume we are in a

4

digits register computer for simplicity and

a = 0010 (2)

and

b = 0100 (4)

b [i]

denotes the ith bit of

b

starting rightmost from position

0

, i.e:

b [0] = 1, b [1] = 0

, etc. We want to compute the function:

f_{<} (a, b) = {\begin{cases} 0 & if a>=b \\ 1 & otherwise \end{cases}

In their bit decomposition thinking in big-endian machines(most significant bit is leftmost) we are looking to extract the the first leftmost bit where two numbers first differ. Obviously whichever's number bit is 0 at that position is less than the other one. So the task of comparing two numbers in their bit decomposition is reduced into:

finding the first position
$p$ where the numbers start to differ starting from the most significant part (leftmost part)
Extract from both numbers their bit at position
$p$
if
$b [p] == 0$ then
$a < b$

In bitwise arithmetics the above algorithm is translated as follows:

Compute bitwise XOR of
$a$ and
$b$ and store it to
$c$ . That will result in a bit vector where at
$0$ positions
$a$ and
$b$ are equal and at
$1$ positions they differ.
Compute the OR of each bit of
$c$ starting from the leftmost bit and store it to
$d$ .

$d [l - 1] = c [l - 1], d [l - 2] = d [l - 1] \lor c [l - 2]$ ,…
That results in a bit vector of
$0$ 's followed with
$1$ 's starting at the position where
$a$ and
$b$ started to differ from leftmost.
Perform component wise subtraction at vector
$d$ starting leftmost as in the previous step and store it in
$e$ . That will result in a bit vector with only a single
$1$ at the position where
$a$ and
$b$ started to differ from leftmost.
Sum all individual bits of the value
$b$ with
$e$ .
$e$ is a one bit vector so that operation extracts the bit value of
$b$ in that positions where
$e [i] = 1$
Finally
$\sum b \cdot e = {\begin{cases} 0 & if a>=b \\ 1 & if a<b \end{cases}$

Running example

$f_{<} (a = 2, b = 4)$ :

position	3	2	1	0
$a$	0	0	1	0
$b$	0	1	0	0

First step:

$a$ xor $b$	3	2	1	0
$c$	0	1	1	0

Second step:

or $c$	3	2	1	0
$d$	0	1	1	1

Third step:

subtruct d	3	2	1	0
$e$	0	1	0	0

Fourth step:

$b \cdot e$	3	2	1	0
$f$	0	1	0	0

Fifth step:

r = \sum f [i] = 1

so output 1, meaning

a < b

, which is true:

2 < 4

Multiplicative shares

OR and AND gates require multiplication circuit which cannot be computed separately by the existing additive shares parties hold.
E.g: Two computing parties
$A$ and
$B$ and two users
$U 1$ and
$U 2$ with two values
$v 1 = 5, v 2 = 4$ , respectively.
$U 1$ secret shares
$v 1$ with
$A$ and
$B$ giving
$A$
$[v 1]_{A} = 3$ and to
$B$
$[v 1]_{B} = 2$ .
$U 2$ respectively secret shares
$v 2$ giving
$A$
$[v 2]_{A} = 1$ and to
$B$ :
$[v 2]_{B} = 3$ Notice that without colluding
$A$ and
$B$ know nothing about the values
$v 1$ and
$v 2$ .
$A$ and
$B$ can do any computation requires addition/subtraction locally: meaning without the need of extra secret from additional parties or extra communication:

$v 1 + v 2 = [v 1]_{A} + [v 1]_{B} + [v 2]_{A} + [v 2]_{B}$
A computes
$[v 1]_{A} + [v 2]_{A}$ and reveals it,
$B$ accordingly computes
$[v 1]_{B} + [v 2]_{B}$ and reveals it and now anyone can compute
$v 1 + v 2$ .
multiplition only from additive shares does not work:

$\begin{aligned} ([v 1]_{A} + [v 1]_{B}) \cdot ([v 2]_{A} + [v 2]_{B}) & = [v 1]_{A} \cdot [v 2]_{A} \\ + [v 1]_{A} \cdot [v 2]_{B} \\ + [v 1]_{B} \cdot [v 2]_{A} \\ + [v 1]_{B} \cdot [v 2]_{B} \end{aligned}$
Setting :

$q 1 = [v 1]_{A} \cdot [v 2]_{A}$

$q 2 = [v 1]_{A} \cdot [[v 2]_{B}$

$q 3 = [v 1]_{B} \cdot [v 2]_{A}$

$q 4 = [v 1]_{B} \cdot [v 2]_{B}$

q 1

and

q 4

can be computed locally by

A

and

B

respectively but

q 2

and

q 3

not because parties hold additive shares and sharing any of the shares from A to B and vice versa is not allowed as it will reveal parties' values in cleartext.

Here is beaver trick:

Imagine an imaginary party choosing uniformly at random
$a, b$ and
$c$ such that
$a \cdot b = c$ and additively secret shares all values
$[a], [b]$ and
$[c]$ with
$A$ and
$B$ .
A and B compute locally:
$d = [v 1] - [a]$ and
$e = [v 2] - [b]$ and reveal
$e$ and
$d$ which are perfectly hiding
$v 1$ and
$v 2$ .
Both compute:

\begin{aligned} d \cdot [v 2] + e \cdot [v 1] + [c] - e \cdot d & = \\ (v 1 - a) \cdot [v 2] + (v 2 - b) \cdot [v 1] + [c] - (v 1 - a) \cdot (v 2 - b) & = \\ [v 1 \cdot v 2] - [a] \cdot [v 2] + [v 1 \cdot v 2] - [b] \cdot [v 1] + [a] \cdot [b] - [v 1 \cdot v 2] + [b] \cdot [v 1] + [a] \cdot [v 2] - [a] \cdot [b] & = \\ [v 1 \cdot v 2] \end{aligned}

Full protocol with passive security and honest users

Architecture

A lot of users:
$U$ 's wishing to perform cross chain transactions from A to B blockchains.
Some validators being deployed by anoma, running anoma software:
$V$ .
A smart contract controlled by the target blockchain B:
$SC$
A subset of validators called MPC computing parties (
$CP$ 's) responsible for the bridging protocol act as MPC computing parties receiving the secret shared data inputs by the user.
A locking account on issue blockchain A acting as a vault:
$Vault$

Phases

Issue():
Redeem():

Asssumptions

A trusted dealer distributing correlated randomness and not communicating with CPs during online phase (when data are secret shared among CPs which also hold the correlated randomness)
Fixed set of
$n$ CP's which are available at the beginning of a computation period. We assume parties are fixed within a computation period and

Description

Building Blocks

$[x] \leftarrow SShare$ (
$x$ ,n): holding private data input
$x$ . Run my the user U hTakes as input the integer number
$x$ than needs to be protected and the number of CP's n and returns secret shares of
$x$ ,
$[x]$ , such that
$\sum_{i = 0}^{n - 1} [x_{i}]_{M} = x$ .
For
$i = 0. . n - 2$ , where
$n =$ #CP, U picks random numbers
$r_{i}$ and distributes one
$r_{i}$ to each CP
$v_{i}$ . Finally it computes
$r_{n - 1} = x - \sum_{i = 0}^{n - 2} r_{i}$ and distributes it to the last CP
$v_{n - 1}$
$[x + y]_{M} \leftarrow SAdd$ (
$[x]_{M}, [y]_{M}$ ): Non interactive protocol where CP's locally add their share for
$[x]$ and
$[y]$ and every one publishes
$[x + y]$ . Finally an aggregator add all shares and reveals
$x + y$ .
$[x * y]_{M} \leftarrow SMul$ (
$[x]_{M}, [y]_{M}$ ):Beaver
$[x]_{2} \leftarrow bitDecompose$ (
$[x]_{M}$ ): Parties hold arithmetic secret shares of
$x$ which is an
$l$ -bit number, denoted as [x] in its secret shared form and they wish without revealing x to secret share each bit of
$x : a_{l - 1}, a_{l - 2}, . . ., a_{0}$ with secret shares of the bit vector [a] in
$Z_{2}$ such that
$x = \sum a_{i} 2^{i}$ . We denote with
$[a]_{i}^{j}$ the secret share of the
$i$ th bit of
$x$ held by party
$j$ ,
$0 \leq j \leq n - 1$ ,
$0 \leq i \leq l - 1$

Input: Each

C P_{i}

holds a share

[x]_{M}

x

Output: Each

C P_{i}

holds a share

[x]_{2}

of bit

x

Each CP secret shares a
$l$ random bit
$r_{i}$ with all other parties such that no one knows
$r = \sum r_{i} 2^{i}$
Parties compute
$[x] - \sum_{i = 0}^{l - 1} \sum_{j = 0}^{n - 1} r_{i}^{j} 2^{i} \in Z_{M}$
CP's open
$c = x - r \in Z_{M}$
CP's bitwise compute
$[x_{l - 1}], . . ., [x_{0}] = c_{l - 1} + [r_{l - 1}], . . ., c_{0} + [r_{0}]$

$MSBExtract ([z]_{Z_{2}})$

Analysis

Security

Efficiency

Disadvantages: Threshold assumptions might be a bit wavy: If all validators collude they can reveal all the private information which is secret shared. Can we make assumptions on that as in research papers that all parties cannot collude? Validators might collude under the table. Can we enforce/incentivize correct behavior, otherwise slashed?

Challenges:

How input is validated from users being potentially malicious? What stops a malicious user adding gibberish but welformed data to the counter? https://www.usenix.org/system/files/conference/nsdi17/nsdi17-corrigan-gibbs.pdf
How validators prove correct MPC execution

To study:

Transaction Execution a la Zerocash

A transaction Tx:=snd,rcv,ic,oc, where ic equals the input coins and oc the output coins.

Zcast checks in private way:

Check that ic is active
Check that Tx sender is authorized
Check that value at ocj is preserved: ocj.amount=ici.amount

With a ZKP:
Sender sends commitments cm1 corresponding to ic and cm2,cm3,… corresponding to output coins and computes a zkp:

Open commitment cm1
Show that cm1
$\in$ CMTree
sn1
$\in$ to non spent Tree
cm2+cm3+…+cm3 underlying values correspond to cm1
Check that signature of Tx is by sender.pk

Create_Address():

Each address comes with a public and secret key computed as follows:

secret address key
$a_{s k}$ is chosen at random by user
$U$
public key of the adress is
$a_{p k} = P R F_{a_{s k}} (0)$
$U$ also choses public secret keys for public key encryption scheme
$E$ , which is key private(looking ciphertexts cannot tell the the public key under which have been encrypted):
${pk}_{e n c}, {sk}_{e n c}$

Now somebody knowing
$a_{s k}$ can assign a coin
$c$ of value
$v$ to that address or can use
$a_{p k}$ as target for payments.

Create_Coin(v,

$a_{s k}$ )->c,cm:

To mint a token
$c$ of value
$v$ , U proceeds as follows:

Choose
$ρ$ at random
Compute
$sn = P R F_{a_{s k}} (ρ)$
Commit to (
$a_{p k}, v, ρ$ ) in two phases to hide public key:
i.
$k = {COMM}_{r} (a_{p k}, ρ)$ , for a hiding/binding commitment
$COMM$ with randomness
$r$ .
ii.
$cm = {COMM}_{s} (k, v)$
Coin is defined as
$c = (a_{p k}, r, ρ, v, s, cm)$
e. transaction for that minting is
${tx}_{m i n t} = (cm, v, k, s)$ . Anyone can verify that
$cm$ contains a coin of value
$v$ as long as
$U$ deposited coins of value
$v$ . \mathsf{cm} is added to the merklee tree with root rt.

The nested commitment preserves anonymity of the the user since its public key is not explicitely part of the transaction but still anyone can verify that this was part of a valid pk unwrapping membership proofs. Transaction is also untrackable since serial number is hidden insiden
$k$ - as such when
$U$ sends that coin it cannot track it.

Spend/Pour_Coin(c,

$a_{s k}$ ):

Owner of
$a_{s k}$ who has minted coin
$c = (a_{p k}, r, ρ, v, s, cm)$ wishes to spend/send it to a new address:

$U$ proceeds with rerunning Create_Coin(v,
$a_{s k}$ ) twice for
$v 1$ and
$v 2$ such that
$v = v 1 + v 2$ creating two new coins:
- $c 1 = (a_{p k 1}, r 1, ρ_{1}, v 1, s 1, cm 1)$
- $c 2 = (a_{p k 2}, r 2, ρ_{2}, v 2, s 2, cm 2)$
  and the corresponing commitments:
- $k 1 = {COMM}_{r} 1 (a_{p k 1}, ρ 1)$
- $k 2 = {COMM}_{r} 2 (a_{p k 2}, ρ 2)$
- $cm 1 = {COMM}_{s} 1 (k 1, v 1)$
- $cm 2 = {COMM}_{s} 2 (k 2, v 2)$
$U$ proves in ZK with
$π_{p o u r}$ proof the followings:
1.
$cm$ was part of the rt
2.
$v = v 1 + v 2$
3.
$sn$ was created correctly in
$sn = P R F_{a_{s k}} (ρ)$
4.
$a_{p k}$ was created correctly in
$a_{p k} = P R F_{a_{s k}} (0)$
5. commitments for c: k, cm were correct by opening them
6.
$cm 1$ and
$cm 2$ are correct

Finally pour transaction is created as follows:

{tx}_{p o u r} = (r t, sn, cm 1, cm 2, π_{p o u r})

Send(

$r, ρ, v, s, {pk}_{e n c}, a_{p k}$ ):

Owner of
$(r, ρ, v, s)$ coin who has pured it running the Spend/Pour_Coin wishes to send his coin to the address defined by
$a_{p k}$ in a private manner without exposing the values of the coin that identify its value or old owner.

Compute ciphertext
$C = E_{{pk}_{e n c}} (r, ρ, v, s)$
Put it on the ledger as part of the
${tx}_{p o u r}$ transaction

The above works for one token type and is different from Zcash (need to digest the differences)

Christopher Goes

2022/09/07 22:00:37

User U from blockchain A with N tokens of type **a** wants to exhange n **a**'s for m **d**'s within a transaction object, $td$.

yeah - keep in mind that these tokens are pegged so it isn't really an "exchange" (Edited)

2022/09/07 22:01:01

burns n tokens and sends a proof(what is that proof?) that those tokens have been actually burnt. Certificate of transaction is sent.

a already has to burn the tokens when the message is sent. you can check ICS20 in the IBC specs for a guide here (Edited)

2022/09/07 22:01:28

validates the proof and creates a voucher which authorizes the creation of m **d**'s to bc B and are equivalent to n **d**'s of bc A. >

we should spell out what we mean by equivalent (namely, that they can be sent back and redeemed for the original denomination on chain A) (Edited)

2022/09/07 22:02:17

a data relayer is responsible for transporting the physical packet data, although they're not trusted for safety since all the proofs are checked on the blockchains (Edited)

2022/09/07 22:05:11

Q:since anyone can encrypt and send encrypted balances, how the system preserves malicious entities be it users, or the blockchain itself just sending incorrect balances from transactions that do not exist?)

not entirely sure that I understand the question, what sequence of actions by an attacker are you concerned about here? (Edited)

2022/09/07 22:07:32

Blockchain B is informed by the relayer (who copies the note commitment and light client proofs) that the transaction on Blockchain A happened (blockchain B can check the light client proofs) and now that user needs to mint in total m tokens of type **c**.(Q: where the information that user U owns those c tokens is recorded? in bridge A, bridge B or both?)

blockchain B just needs to isolate denominations of created tokens so that any tokens sent by chain A are "prefixed" under A somehow - then it can safely accept notes from A (Edited)

2022/09/07 22:09:32

preserving secrecy unless all validators collude is actually quite good in this case, but the problem is that we want to retain liveness when <1/3 validators are offline, so we probably need a 2/3 threshold (and correspondingly weaker collusion assumptions) (Edited)

2022/09/07 22:09:53

it's safe for users to require a higher threshold, though (and accept less liveness)

Iraklis

2022/09/08 08:19:30

Ok good to know thanks (Edited)

2022/09/08 08:22:51

initiate cross chain transactions from thin air. User does not have the amount of coins it claims in the counter. What is encrypted/secret shared with MPC it is not validated that it is a valid. So what stops users from flooding with MPC encrypted gibberish data? (Edited)

2022/09/08 08:24:37

you mean that step 6 comes along with step 4? (Edited)

2022/09/08 08:49:51

There are some interoperability issues between the MPC encrypted value and the validaty thereof: there should be a technical connection between valid notes of a user and the MPC encrypted value: somehow validators should validate that the underlying MPC encrypted values comes from a valid note, which is an open problem (Edited)