# Ferveo
slide: https://hackmd.io/@joebebel/HJZj9lb_Y
---
## Miner extractable value
"a measure devised to study consensus security by modeling the profit a miner (or validator, sequencer, or other privileged protocol actor) can make through their ability to arbitrarily include, exclude, or re-order transactions from the blocks they produce"
(https://github.com/flashbots/mev-research)
---
## What can we do?
Don't reveal content of transactions until block inclusion and ordering are committed
- Time-lock encryption (Verifiable Delay Functions)
- Threshold decryption
---
### Threshold decryption
Messages (transactions) can be encrypted to a single public key.
No one knows the private key, but $n$ parties own "private key shares", such that every subset of at least $t$ parties can decrypt the message, while every subset of at most $t-1$ parties cannot.
---
#### Distributed key generation and threshold decryption in BFT consensus
Tendermint Proof of Stake: more than 2/3 weight (by stake) of validators vote to commit blocks
Very natural correspondence between "validators" and "private key share owners"
---
#### Model
- Validators generate a common public key
- Alice encrypts her transaction to this public key
- Validators include Alice's encrypted transaction in a block
- Validators vote with "decryption shares" of Alice's transaction
- The block is finalized and Alice's transaction is decrypted and executed
---
#### Aligning decryption with consensus
Validators: 2/3 by count $\ne$ 2/3 by stake
Ideal outcome: validator subset can finalize a block if and only if they can decrypt transactions
---
#### Weighting private key shares
- Higher stake validators get more private key shares
- With $n$ private key shares in total, bandwidth and computation must be $O(n \log n)$
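
Added example (not from the Ferveo code base): a toy trusted-dealer Shamir sharing over a prime field, used only to show how handing out shares in proportion to stake makes the decryption threshold follow stake rather than validator count. The stake table, share count, field modulus and function names are assumptions; Ferveo itself uses a PVSS-based DKG and a pairing-based encryption scheme.

```python
import secrets

P = 2**127 - 1  # prime field modulus, chosen for this demo (assumption)
# Constructed sample: five validators, stake in percent (assumption).
STAKES = {"A": 50, "B": 20, "C": 10, "D": 10, "E": 10}
TOTAL_SHARES = 30
T = 2 * TOTAL_SHARES // 3 + 1  # more than 2/3 of all shares -> 21

def allocate(stakes, total_shares):
    """Shares per validator, proportional to stake (largest-remainder rounding)."""
    total = sum(stakes.values())
    counts = {v: s * total_shares // total for v, s in stakes.items()}
    spare = total_shares - sum(counts.values())
    order = sorted(stakes, key=lambda v: stakes[v] * total_shares % total, reverse=True)
    for v in order[:spare]:
        counts[v] += 1
    return counts

def deal(secret, t, counts):
    """Trusted-dealer Shamir split: degree t-1 polynomial, one point per share."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):  # Horner evaluation mod P
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    shares, x = {}, 1
    for v, n in counts.items():
        shares[v] = [(i, f(i)) for i in range(x, x + n)]
        x += n
    return shares

def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    result = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, -1, P)) % P
    return result

def recover(shares, coalition, t):
    """Return the secret if the coalition holds at least t shares, else None."""
    points = [p for v in coalition for p in shares[v]]
    return interpolate_at_zero(points[:t]) if len(points) >= t else None
```

With this table, B, C, D and E are 4 of 5 validators by count but hold only 15 of 30 shares, so `recover` returns `None`; A and B alone hold 21 shares and recover the secret.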
---
#### Distributed key generation (DKG)
- Publicly Verifiable Secret Sharing (PVSS) with no dispute round
- In PVSS, the validity of every step of the DKG can be checked by every other validator
- No issues if a validator goes offline
---
### Distributed key generation (DKG)
- Synchronous, on-chain message passing (pruneable later)
- Much simpler when a blockchain is already available
---
#### Threshold decryption
- Technical issue: PVSS-based DKG generates private key shares that are elliptic curve points, not scalars.
- Solution: a new pairing-based encryption scheme that supports threshold decryption with PVSS-generated keys
---
#### Optimizations and Features
- "Fast" $O(n \log n)$ algebra operations
- 1 decryption share/tx/validator, not per tx/private key share
- Key-committing: all valid txs must be decrypted
---
#### Concrete Performance
On-chain data:
- DKG: 138 MB per epoch (pruneable)
- Decryption share: 1 $\mathbb{G}_1$ point per tx per validator (48 bytes)
- Ciphertext overhead: 208 bytes per tx
(Rough single-core measurements:)
- ~4000 ms compute per block
- ~16 ms extra compute per tx
- ~5.6 s total compute per block (100 tx)
---
#### Check out work-in-progress
- https://github.com/anoma/ferveo

{"title":"Ferveo","tags":"Cryptography, Blockchain","description":"Distributed key generation and threshold decryption for front running prevention"}