Try โ€‚โ€‰HackMD

๐Ÿšง: Using Order-Revealing Encryption (ORE) to Provide Mempool Privacy

Required Reading

1 https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8434214
2 https://eprint.iacr.org/2018/953.pdf
3 https://github.com/flashbots/mev-research/issues/34
4 https://eprint.iacr.org/2016/612.pdf

What is ORE?

ORE is a cryptographic primitive that enables range queries over encrypted ciphertexts. Its main application is in the database world, where it's used to enable queries over encrypted databases to provide assurances in the case of data breaches.

For each of exposition, we will be simply providing a high-level definition.

ORE schemes are defined as follows:

  • KeyGen(ฮป)    : Given a security parameter
    ฮป    , generate a secret key
    sk
  • Encrypt(sk,m)    : Given a secret key
    sk     and message
    m    , outputs a ciphertext
    ct
  • Compare(ct1,ct2):     Given ciphertexts
    ct1     and
    ct2    , outputs a bit
    b

How can ORE help us with getting mempool privacy?

ORE provides us with a way to efficiently encrypt transactions such that miners can still compare gas-related fields without actually revealing those fields. Using the

Compare procedure, miners can compare different ciphertexts for transactions based on their gas-related fields and include them into blocks as they normally would.

In more details, users will each usehave their own

sk
and encrypt their transactions. Then they will send these ORE encrypted transactions to miners who will then be able to compare different ORE encrypted transactions using
Compare.

However, as described, there are a few immediate problems with this approach. The first one is that miners still need to be able to execute transactions after they have verified that the transaction satisfies some gas related constraint. But, using ORE, the user will now need to decrypt their transactions in order for this to be possible, losing all of the benefits of using ORE.

How can this problem be potentially be resolved?

Let's consider a variant of ORE called multi-client ORE that is better suited for multi-client interaction. A slightly modified version of how we can provide mempool privacy is as follows:

  • Each user creates a secret key
    ski     with the help of a trusted party called the key manager with its own key
    MK
  • A new key is generated taking the indices of different users
    i     and
    j     along with
    MK    , call it
    ski,j    .
  • A new comparison algorithm
    CompareMC     takes as input ciphertexts from different users,
    ski,j     that returns a bit.

Now, we have more problems. In this multi-client ORE scheme, we now have a trusted manager, multiple more keys to distributed and more comparison functions to handle.

How does ORE differ from current solutions to mempool privacy?

TODO: Compare and contrast solutions

Solution MEV Security Execution Delay Consensus Time Speed Requires hard fork?
SGX
Timelock Encryption
Threshold Decryption
Order-Revealing Encryption

Open Questions

  • Is it possible to still execute the transaction if it has been encrypted using ORE?
  • If not, can ORE be modified/extended to work in a more asymetric context for example threshold ORE, timelock ORE, etc?
Last changed by 
โ€‰
HashCloak
0
774

Read more

Multi-sigs against BLS signatures

---reuf tags: research For simplicity , a multi-signature scheme MS = (Pg, Kg, Sign , Vf) consists of Parameter generation (system wide , runs by central authority , does it have to ?) Key generation (Kg -> (pk,sk) , non-interactive process) Signing Verification ( ($L={pk_1...pk_n}$, m ,$\sigma$) -> 1)

Jul 16, 2023
Anonymity metrics

Definition: An anonymity metric indicates the uncertainty of the identity of a fixed entity is , from the point of view by advarsary A. Objective function This should include two ingredients , i.e. anonymity level and anonymity loss. Anonymity level Anonymity level depends on: 1) distribution of probabilities (see towards measuring anonymity) ; 2) size of anonymity set (see A system for anonymous and unobservable internet access & The disadvantages of free mix routes and how to overcome them in Hannes Federath) Edman et al. orginally propose to count the number of possible perfect matching in G , i.e. computing the permanent of the adjacency matrix A.

Mar 11, 2021
Auto-tuning algorithm of mixnets

[toc] Preliminary Quantify the anonymity (get objective function valued ) : Initial parameter space : x=[x_1,....,x_n] f(x) : performane(anonymity provided) of a particular configuration by running the full application. f(x*) : the best application performance

Mar 11, 2021
IT-PIR for Tendermint Flow

Motivation Currently in Tendermint, all queries made by light clients in Tendermint are public. In other words, whenever a light client queries Tendermint for application-specific state, anyone listening on the communication can associated a particular light client with certain application state information. There are several instances in which might want to hide what they are querying about to an outside observer, for example: A user wanting to query a block explorer may not want the block explorer service to know exactly what they are querying for. A user wanting to use and interact with a sensitive Tendermint-based application may not want an outside observer to know what they are querying for on that blockchain. Proposal This proposal is to add support for various private information retrieval protocols (PIR) in Tendermint. We propose several additions and changes to the light client, full nodes and ABCI components.

Feb 1, 2021
Read more from HashCloak
Published on HackMD