Ferveo

Miner extractable value

"a measure devised to study consensus security by modeling the profit a miner (or validator, sequencer, or other privileged protocol actor) can make through their ability to arbitrarily include, exclude, or re-order transactions from the blocks they produce"

(https://github.com/flashbots/mev-research)

What can we do?

Don't reveal content of transactions until block inclusion and ordering are committed

• Time-lock encryption (Verifiable Delay Functions)
• Threshold decryption

Threshold decryption

Messages (transactions) can be encrypted to a single public key

No one knows the private key, but \(n\) parties own "private key shares", such that every subset at least \(t\) parties can decrypt the message, while every subset of at most \(t-1\) parties cannot decrypt.

Distributed key generation and threshold decryption in BFT consensus

Tendermint Proof of Stake: more than 2/3 weight (by stake) of validators vote to commit blocks

Very natural correspondance between "validators" and "private key share owners"

Model

• Validators generate a common public key
• Alice encrypts her transaction to this public key
• Validators include Alice's encrypted transaction in a block
• Validators vote with "decryption shares" of Alice's transaction
• The block is finalized and Alice's transaction is decrypted and executed

Aligning decryption with consensus

Validators: 2/3 by count \(\ne\) 2/3 by stake

Ideal outcome: validator subset can finalize a block if and only if they can decrypt transactions

Weighting private key shares

• Higher stake validators get more private key shares
• \(n\) number of private shares -> bandwidth and computation must be \(O(n \log n)\)

Distributed key generation (DKG)

• Publicly Verifiable Secret Sharing (PVSS) with no dispute round
• In PVSS, the validity of every step of the DKG can be checked by every other validator
• No issues if a validator goes offline

Distributed key generation (DKG)

• Synchronous, on-chain message passing (pruneable later)
• Much simpler when a blockchain is already available

Threshold decryption

• Technical issue: PVSS-based DKG generates private key shares that are elliptic curve points, not scalars.
• Solution: a new pairing-based encryption scheme that supports threshold decryption with PVSS-generated keys

Optimizations and Features

• "Fast" \(O(n \log n)\) algebra operations
• 1 decryption share/tx/validator, not per tx/private key share
• Key-committing: all valid txs must be decrypted

Concrete Performance

On-chain data:

• DKG: 138 MB per epoch (pruneable)
• Decryption share: 1 \(\mathbb{G}_1\) point per tx per validator (48 bytes)
• Ciphertext overhead: 208 bytes per tx

(Rough single-core measurements:)

• ~4000 ms compute per block
• ~16 ms extra compute per tx
• ~5.6 s total compute per block (100 tx)

Check out work-in-progress

• https://github.com/anoma/ferveo