# Ferveo

slide: https://hackmd.io/@joebebel/HJZj9lb_Y

---

## Miner extractable value

"a measure devised to study consensus security by modeling the profit a miner (or validator, sequencer, or other privileged protocol actor) can make through their ability to arbitrarily include, exclude, or re-order transactions from the blocks they produce" (https://github.com/flashbots/mev-research)

---

## What can we do?

Don't reveal content of transactions until block inclusion and ordering are committed

- Time-lock encryption (Verifiable Delay Functions)
- Threshold decryption

---

### Threshold decryption

Messages (transactions) can be encrypted to a single public key

No one knows the private key, but $n$ parties own "private key shares", such that every subset of at least $t$ parties can decrypt the message, while every subset of at most $t-1$ parties cannot decrypt.

---

#### Distributed key generation and threshold decryption in BFT consensus

Tendermint Proof of Stake: more than 2/3 weight (by stake) of validators vote to commit blocks

Very natural correspondence between "validators" and "private key share owners"

---

#### Model

- Validators generate a common public key
- Alice encrypts her transaction to this public key
- Validators include Alice's encrypted transaction in a block
- Validators vote with "decryption shares" of Alice's transaction
- The block is finalized and Alice's transaction is decrypted and executed

---

#### Aligning decryption with consensus

Validators: 2/3 by count $\ne$ 2/3 by stake

Ideal outcome: validator subset can finalize a block if and only if they can decrypt transactions

---

#### Weighting private key shares

- Higher stake validators get more private key shares
- $n$ number of private shares -> bandwidth and computation must be $O(n \log n)$

---

#### Distributed key generation (DKG)

- Publicly Verifiable Secret Sharing (PVSS) with no dispute round
- In PVSS, the validity of every step of the DKG can be checked by every other validator
- No issues if a validator goes offline

---

### Distributed key generation (DKG)

- Synchronous, on-chain message passing (pruneable later)
- Much simpler when a blockchain is already available

---

#### Threshold decryption

- Technical issue: PVSS-based DKG generates private key shares that are elliptic curve points, not scalars.
- Solution: a new pairing-based encryption scheme that supports threshold decryption with PVSS-generated keys

---

#### Optimizations and Features

- "Fast" $O(n \log n)$ algebra operations
- 1 decryption share/tx/validator, not per tx/private key share
- Key-committing: all valid txs must be decrypted

---

#### Concrete Performance

On-chain data:

- DKG: 138 MB per epoch (pruneable)
- Decryption share: 1 $\mathbb{G}_1$ point per tx per validator (48 bytes)
- Ciphertext overhead: 208 bytes per tx

(Rough single-core measurements:)

- ~4000 ms compute per block
- ~16 ms extra compute per tx
- ~5.6 s total compute per block (100 tx)

---

#### Check out work-in-progress

- https://github.com/anoma/ferveo
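
---

The "Aligning decryption with consensus" and "Weighting private key shares" slides, as an added example that is not Ferveo's code: shares are handed out in proportion to stake, so a subset holding more than 2/3 of the stake recovers the key while a subset that is only a 2/3 majority by count does not. Assumptions: a trusted dealer with scalar Shamir shares over a 61-bit prime field stands in for the PVSS-based DKG, and the stakes, coefficients and function names are constructed for illustration.

```rust
// Added illustration, not Ferveo code: scalar Shamir sharing with a trusted dealer.
// Ferveo itself runs a PVSS-based DKG whose shares are elliptic-curve points.
const P: u128 = (1 << 61) - 1; // prime field modulus (assumption for this demo)
// Modular exponentiation; pow_mod(d, P - 2) is the inverse of d (Fermat).
fn pow_mod(b: u128, e: u128) -> u128 {
    if e == 0 { return 1; }
    let h = pow_mod(b * b % P, e / 2);
    if e % 2 == 1 { h * b % P } else { h }
}
// Dealer polynomial by Horner's rule; coeffs[0] is the secret, degree = t - 1.
fn eval(coeffs: &[u128], x: u128) -> u128 {
    coeffs.iter().rev().fold(0u128, |acc, &c| (acc * x + c) % P)
}
// Hand out share indices 1..=n in proportion to stake (floor division).
fn allocate(stakes: &[u128], n: u128) -> Vec<Vec<u128>> {
    let total: u128 = stakes.iter().sum();
    let mut next = 1u128;
    stakes.iter().map(|&s| {
        let k = s * n / total;
        next += k;
        (next - k..next).collect::<Vec<u128>>()
    }).collect()
}
// All (index, share) points held by the validator subset `who`.
fn shares_of(alloc: &[Vec<u128>], who: &[usize], coeffs: &[u128]) -> Vec<(u128, u128)> {
    let mut pts = Vec::new();
    for &v in who { for &x in &alloc[v] { pts.push((x, eval(coeffs, x))); } }
    pts
}
// Lagrange interpolation at x = 0; equals coeffs[0] only with at least t points.
fn reconstruct(pts: &[(u128, u128)]) -> u128 {
    let mut secret = 0u128;
    for &(xi, yi) in pts {
        let (mut num, mut den) = (1u128, 1u128);
        for &(xj, _) in pts {
            if xj == xi { continue; }
            num = num * xj % P; // product of x_j
            den = den * ((xj + P - xi) % P) % P; // product of (x_j - x_i)
        }
        secret = (secret + yi * num % P * pow_mod(den, P - 2)) % P;
    }
    secret
}
fn main() {
    let coeffs: [u128; 7] = [0xC0FFEE, 11, 22, 33, 44, 55, 66]; // constructed; t = 7 of n = 10
    let alloc = allocate(&[40, 30, 20, 10], 10); // stakes 40/30/20/10 -> 4/3/2/1 shares
    for who in [vec![0usize, 1], vec![1, 2, 3]] {
        println!("{:?}: {}", who, reconstruct(&shares_of(&alloc, &who, &coeffs)) == coeffs[0]);
    }
}
```

Validators 0 and 1 are half of the set by count but hold 70% of the stake and 7 shares, so they recover the secret; validators 1, 2 and 3 are three of four by count but hold only 6 shares and do not.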