Author: Duncan Nevada, Partner at Hack VC; Translation: Golden Finance xiaozou

Transparent cryptographic ledgers fundamentally change how we think about trust systems. As the saying goes, "don't trust, verify": transparency lets us trust because anyone can check. If everything is open, any fraud can be flagged. That same transparency, however, has turned out to be one of the main constraints on usability. Some things should of course be public, such as settlement, reserves, reputation (and perhaps identity), but we do not want everyone's complete financial position and health records published alongside their personal information.

1. Privacy requirements of blockchain

Privacy is a fundamental human right. Without privacy there is neither freedom nor democracy.

Just as the early Internet needed encryption (SSL, today TLS) to enable secure e-commerce and protect user data, blockchains need strong privacy technologies to reach their full potential. SSL lets websites encrypt data in transit, so that sensitive information such as credit card numbers cannot be read by anyone intercepting the connection. Similarly, blockchains need privacy technologies that protect transaction details and interactions while preserving the integrity and verifiability of the underlying system.

Privacy protection on blockchains is not only about protecting individual users; it is critical for enterprise adoption, data-protection compliance, and unlocking new design space. No company wants every employee to see everyone else's salary, and none wants competitors to identify and rank its most valuable customers in order to poach them. In addition, industries such as healthcare and finance have strict regulatory requirements for data privacy that a blockchain solution must satisfy to be a viable tool.

2. Privacy-Enhancing Technology (PET) Map

As the blockchain ecosystem has developed, several key PETs have emerged, each with its own strengths and trade-offs. These technologies, zero-knowledge proofs (ZK), multi-party computation (MPC), fully homomorphic encryption (FHE) and trusted execution environments (TEE), are compared here along six key properties.

  • Generalizability: How easily a solution can be applied to a wide range of use cases and computations.

  • Composability: How easily the technology can be combined with others to mitigate its weaknesses or unlock new design space.

  • Computational efficiency: How efficiently a system performs computations.

  • Network efficiency: How well the system scales as the number of participants or data increases.

  • Decentralization: The degree to which the security model is distributed rather than concentrated in a few parties.

  • Cost: The actual cost of privacy.

Just like the blockchain trilemma of scalability, security, and decentralization, achieving all six properties simultaneously is challenging. However, recent developments and hybrid approaches are pushing the boundaries of possibility, bringing us closer to affordable, high-performance, comprehensive privacy solutions.

Now that we have a map in hand, let’s take a look at the big picture and explore the future prospects of these PET technologies.

3. PET landscape map

A few definitions first.

(1) Zero-knowledge proof

A zero-knowledge proof (ZK) lets a prover convince a verifier that a computation was carried out correctly and produced a given result, without revealing anything beyond that fact, in particular nothing about the private inputs.

  • Generalizability: Medium. Circuits are highly application-specific, but they can be built with hardware-based abstraction layers such as Ulvatana and Irreducible and general-purpose interpreters such as Nil's zkLLVM.

  • Composability: Medium. ZK works standalone only when the prover is trusted (for example, it is the user's own device); in a networked setup where proving is outsourced, the prover must see all the raw data, so ZK on its own does not hide inputs from whoever generates the proof.

  • Computational efficiency: Medium. Proof generation is getting faster with each new deployment as real ZK applications such as Leo Wallet come online, and we expect further gains as adoption grows.

  • Network efficiency: High. Recent progress in folding brings great potential for parallelization. A folding scheme is a more efficient way to build an incremental proof: each step is accumulated into the proof of the previous steps instead of re-proving the whole computation, so work already done can be built upon. Nexus is one project worth watching here.

  • Decentralization: Medium. In theory proofs can be generated on any hardware, but in practice GPUs dominate. Hardware is becoming more uniform, and further decentralization can be achieved at the economic level through an actively validated service (AVS) such as Aligned Layer. Inputs are private only when ZK is combined with other techniques (see below).

  • Cost: Medium. The up-front cost of circuit design and optimization is high. Operating cost is moderate: proof generation is relatively expensive, but verification is cheap. A significant part of the cost structure is storing and verifying proofs on Ethereum, which can be mitigated by other means, such as a data availability layer like EigenDA or an AVS.

A Dune analogy: Stilgar needs to prove to Duke Leto that he knows the location of a spice field, without revealing where it is. Stilgar takes Leto, blindfolded, aboard an ornithopter, flies him over the field until the scent of cinnamon fills the cabin, and then flies him back to Arrakeen. Leto now knows that Stilgar can find the spice, but has learned nothing about how to get there himself.
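To make "prove you can do it without revealing how" concrete, here is an added example (not code from the original article or from any project it names) of the simplest zero-knowledge proof: a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform. The group parameters P, Q and G are toy values chosen for illustration and are an assumption of this example; a real deployment would use a 2048-bit group or an elliptic curve. Note the point made under composability above: prove() must hold the secret x in the clear, so ZK hides the witness from the verifier, not from whoever runs the prover.

```python
import hashlib
import secrets

# Toy group parameters (an assumption of this example, not from the article):
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
# Real deployments use 2048-bit MODP groups or elliptic curves.
P = 1019
Q = 509
G = 4


def fiat_shamir_challenge(*values: int) -> int:
    """Derive the challenge by hashing the transcript, so the proof can be
    checked later by anyone without interacting with the prover."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """The prover's secret x and the public statement y = G^x (mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    return x, y


def prove(x: int, y: int):
    """Prove knowledge of x with G^x = y without revealing x.
    The prover sees x in the clear: ZK hides the witness from the verifier,
    not from whoever runs the prover."""
    r = secrets.randbelow(Q - 1) + 1          # fresh nonce; never reuse
    t = pow(G, r, P)                          # commitment to the nonce
    c = fiat_shamir_challenge(G, y, t)        # challenge bound to the transcript
    s = (r + c * x) % Q                       # response: x blinded by r
    return t, s


def verify(y: int, proof) -> bool:
    """A few modular exponentiations, whatever the prover's work cost.
    Accepts iff G^s == t * y^c, i.e. G^(r + c*x) == G^r * (G^x)^c."""
    t, s = proof
    if not (1 < t < P and 0 <= s < Q):        # reject malformed values
        return False
    if pow(t, Q, P) != 1 or pow(y, Q, P) != 1:  # both must lie in the order-Q subgroup
        return False
    c = fiat_shamir_challenge(G, y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    secret, public = keygen()
    pi = prove(secret, public)
    print("valid proof accepted:", verify(public, pi))
    print("tampered proof accepted:", verify(public, (pi[0], (pi[1] + 1) % Q)))
```

Verification costs the same regardless of how much work the prover did, which is the asymmetry the cost discussion above relies on: proving is the expensive side, verifying is cheap. The nonce r must be fresh and random for every proof; the response s is x blinded by r, so a predictable or reused nonce lets anyone solve for x.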

(2) Multi-party computation

Multi-party computation (MPC) is when multiple parties can jointly compute a result without revealing their individual inputs to each other.

  • Generalizability: High, given the range of specialised MPC primitives available (secret sharing and the like) that can express general computation.

  • Composability: Medium. MPC is secure, but composability decreases as the computation grows more complex, because complexity adds communication rounds and network overhead that grow quickly. On the other hand, MPC can natively process private inputs from multiple users in the same computation, which is a fairly common use case.

  • Computational efficiency: Medium.

  • Network efficiency: Low. The amount of communication grows quadratically with the number of participants, since in many protocols every party must exchange messages with every other party. Projects such as Nillion are working to address this. Erasure coding (Reed-Solomon codes), or more loosely splitting data into shards and storing those shards, can also be used to tolerate missing or corrupted shares, although on its own it is not a traditional MPC technique.

  • Decentralization: High. The caveat is that participants may collude: once more than the protocol's threshold of parties cooperate, they can reconstruct the private inputs.

  • Cost: High. Moderately expensive to deploy; high operating cost due to communication overhead and computing requirements.

A Dune analogy: Consider the Great Houses of the Landsraad, who want to be sure that between them they hold enough spice to help each other, without revealing their individual reserves. The first House adds a large random number to its actual reserves and sends the result to the second House. The second House adds its own reserves and passes the total on, and so on around the circle. When the running total returns to the first House, it subtracts the random number it added at the start and learns the true combined reserves. Note the limitation of this simple chain: the House that sent a value to a given House and the House that received that House's output can, by colluding, subtract the two and learn its reserves. This is why real protocols split each input into several shares rather than relying on a single mask.
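The Landsraad protocol, and its collusion weakness, in code. This is an added example, not code from the article or from any of the projects it names; the modulus P is an assumption chosen so that masked values wrap around uniformly and a single masked message reveals nothing. The second half replaces the one ring mask with n-party additive secret sharing, the construction practical MPC protocols build on, where learning any single input requires all the other parties to collude.

```python
import secrets

# Prime modulus for the arithmetic (an assumption of this example, not from the
# article). Reserves are integers in [0, P); adding a uniformly random mask
# mod P makes a masked value uniformly random, so it leaks nothing by itself.
P = 2**61 - 1


def ring_secure_sum(inputs):
    """The Landsraad protocol as told above: House 0 adds a random mask to its
    reserve and passes the running total around the ring; each House adds its
    own reserve; House 0 subtracts the mask at the end.
    Returns (total, transcript): transcript[k] is the message House k-1 sends
    to House k, and transcript[0] is House 0's private mask."""
    mask = secrets.randbelow(P)
    running = mask
    transcript = [mask]
    for x in inputs:
        running = (running + x) % P
        transcript.append(running)
    total = (running - mask) % P
    return total, transcript


def neighbours_collude(transcript, k):
    """Weakness of the ring: House k-1 knows what it sent (transcript[k]) and
    House k+1 knows what it received (transcript[k+1]). If the two collude,
    House k's reserve is just the difference. Valid for 1 <= k < n; House 0's
    input is protected only because nobody else knows the mask."""
    return (transcript[k + 1] - transcript[k]) % P


def additive_shares(x, n):
    """Split x into n shares that sum to x mod P. Any n-1 of the shares are
    uniformly random and independent of x, so only the full set reveals it."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def additive_secure_sum(inputs):
    """n-party secure sum with additive secret sharing: every party sends one
    share of its input to each party, each party publishes the sum of the
    shares it received, and the published partial sums add up to the total.
    Two neighbours can no longer recover anyone's input; it now takes all of
    the other n-1 parties colluding."""
    n = len(inputs)
    shares = [additive_shares(x, n) for x in inputs]      # shares[i][j] goes to party j
    partial = [sum(shares[i][j] for i in range(n)) % P for j in range(n)]
    return sum(partial) % P


if __name__ == "__main__":
    reserves = [100, 250, 75, 40]                         # constructed sample inputs
    total, transcript = ring_secure_sum(reserves)
    print("ring total:", total)
    print("House 1's reserve recovered by Houses 0 and 2:", neighbours_collude(transcript, 1))
    print("additive-sharing total:", additive_secure_sum(reserves))
```

The ring version is one round of communication and fits the story, but its security threshold is two colluding parties. The additive version costs n² messages, which is exactly the quadratic network overhead the ratings above charge MPC for, in exchange for a threshold of n-1.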

(3) Fully homomorphic encryption

Fully homomorphic encryption (FHE) allows computations to be performed on encrypted data without prior decryption.

  • Generalizability: High.

  • Composability: High for a single user's inputs. For computations over several users' private inputs it must be combined with other techniques (for example, MPC-based threshold management of the decryption key).

  • Computational efficiency: Low. But it is being optimised consistently from the mathematical layer down to the hardware layer, which will unlock huge potential. Zama and Fhenix have done excellent work here.

  • Network efficiency: High.

  • Decentralization: Low. This is partly due to the computational requirements and complexity, but as the technology improves FHE's decentralization may approach that of ZK.

  • Cost: Very high. Deployment costs are high because of the complex cryptography and demanding hardware requirements; operating costs are high because of the heavy computation.

A Dune analogy: Imagine something like a Holtzmann shield, but for numbers. You feed your figures into the shield, activate it, and hand it to a Mentat. The Mentat can perform calculations on it without ever seeing the shielded numbers. When the calculations are done, the Mentat hands the shield back. Only you can lower the shield and read the results.
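An added example (not from the article, Zama or Fhenix) of the mechanism behind the Mentat's shield: a toy LWE-style encryption of single bits that supports homomorphic addition. The parameters N, Q and ERR_BOUND are assumptions picked to be tiny and readable, so the scheme has no real security; what it does show is the noise budget, the main reason FHE is computationally expensive. Every homomorphic operation adds the ciphertexts' error terms together, and once the accumulated error passes q/4 decryption returns the wrong bit. Real FHE schemes use bootstrapping to reset that noise, and bootstrapping is where most of the cost goes.

```python
import random

# Toy LWE-style parameters (an assumption of this example, not from the article).
# N=8 and Q=256 give NO security; they are small so the noise is easy to follow.
N = 8
Q = 256
ERR_BOUND = 4          # a fresh ciphertext's error e lies in [-ERR_BOUND, ERR_BOUND]


def make_rng(seed=7):
    """Seeded generator so the demonstration is reproducible (toy only)."""
    return random.Random(seed)


def keygen(rng):
    return [rng.randrange(Q) for _ in range(N)]


def encrypt(bit, sk, rng, err=None):
    """Encrypt one bit as (a, b) with b = <a, sk> + e + bit*Q/2 (mod Q).
    `err` pins the error term for deterministic demonstrations; leave it None
    in real use so e is sampled."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-ERR_BOUND, ERR_BOUND) if err is None else err
    b = (sum(ai * si for ai, si in zip(a, sk)) + e + bit * (Q // 2)) % Q
    return (a, b)


def add(ct1, ct2):
    """Homomorphic addition: the Mentat adds ciphertexts without the key.
    The bits add mod 2 (XOR); the error terms add too, which is the catch."""
    a = [(x + y) % Q for x, y in zip(ct1[0], ct2[0])]
    return (a, (ct1[1] + ct2[1]) % Q)


def homomorphic_xor(cts):
    """Fold add() over a list: XOR of all the bits, computed blind."""
    acc = cts[0]
    for ct in cts[1:]:
        acc = add(acc, ct)
    return acc


def _centre(v):
    return v - Q if v >= Q // 2 else v          # map [0, Q) to [-Q/2, Q/2)


def decrypt(ct, sk):
    """Correct as long as the accumulated error stays below Q/4 in magnitude."""
    a, b = ct
    phase = _centre((b - sum(ai * si for ai, si in zip(a, sk))) % Q)
    return 1 if abs(phase) > Q // 4 else 0


def noise(ct, sk, true_bit):
    """The error term hiding in a ciphertext (needs the key and the true bit).
    This is the quantity a noise budget tracks."""
    a, b = ct
    return _centre((b - sum(ai * si for ai, si in zip(a, sk)) - true_bit * (Q // 2)) % Q)


def max_safe_terms():
    """Worst-case number of fresh ciphertexts that can be XORed before the
    error can reach Q/4: each adds up to ERR_BOUND."""
    return (Q // 4 - 1) // ERR_BOUND


if __name__ == "__main__":
    rng = make_rng()
    sk = keygen(rng)
    cts = [encrypt(1, sk, rng), encrypt(1, sk, rng), encrypt(0, sk, rng)]
    print("1 XOR 1 XOR 0 decrypts to", decrypt(homomorphic_xor(cts), sk))
    print("safe terms before the noise budget runs out:", max_safe_terms())
    too_many = homomorphic_xor([encrypt(1, sk, rng, err=ERR_BOUND) for _ in range(20)])
    print("twenty 1s (true parity 0) decrypt to", decrypt(too_many, sk),
          "with noise", noise(too_many, sk, 0))
```

This toy supports only XOR. Multiplication (AND), which full FHE also provides, multiplies the error terms rather than adding them, so noise grows far faster; managing that growth, through parameter choice and bootstrapping, dominates FHE performance engineering and is why the computational-efficiency rating above is low.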

(4) Trusted Execution Environment

A Trusted Execution Environment (TEE) is a secure enclave, an isolated region of a processor in which sensitive operations run shielded from the rest of the system, including the operating system and hypervisor. TEEs are unique in that their security rests on silicon and metal rather than on polynomials and curves, and a remote party can establish what code is running inside only through the chip vendor's attestation chain, so the vendor and that chain are part of the trust assumption. So while they are a powerful technology today, in theory they should be slower to improve, because fixing their weaknesses means new, expensive hardware.

  • Generalizability: Medium.

  • Composability: High. The security level, however, is lower, because enclaves have repeatedly proven susceptible to side-channel attacks.

  • Computational efficiency: High. Close to native server performance, so much so that Nvidia's latest H100 GPUs ship with TEE (confidential computing) support.

  • Network efficiency: High.

  • Decentralization: Low. TEEs are limited to specific vendors' chips, such as Intel's SGX, which concentrates trust in a handful of hardware vendors, and those implementations have been the targets of side-channel attacks.

  • Cost: Low. Low deployment cost when using existing TEE hardware; low operating cost thanks to near-native performance.

A Dune analogy: Imagine a Guild Heighliner. Even the Guild itself cannot see or interfere with what happens inside the Navigator's chamber while it is in use. The Navigator enters the chamber to perform the complex calculations needed to fold space, and the chamber ensures that everything inside stays private and secure. The Guild provides and maintains the chamber and keeps it safe, but it cannot see or interfere with the Navigator's work inside.

4. Practical Use Cases

Perhaps we don't need to compete with the spice giants; we just need to make sure that privileged data, like the spice itself, stays privileged. Some real-world use cases for each technology:

ZK is the right tool when we need to verify that a process produced the correct result. Combined with other techniques it is an excellent privacy technology, but used alone it does not remove trust in the prover, who sees everything, and it behaves more like compression: a short proof stands in for re-running the computation. Typically it is used to verify that two states agree (for example, the "uncompressed" state of an L2 and the block header published to L1) or to prove a predicate about a user, such as being over 18, without revealing any of the underlying personal data.

MPC is often used for key management, whether of private keys or of decryption keys used together with other techniques; it is also used for distributed random number generation, (smaller) privacy-preserving computations, and oracle aggregation. Essentially, any lightweight aggregation-style computation across several parties who should not be colluding with each other is a good fit for MPC.

FHE is a good choice when relatively simple general-purpose computations must be done without the computer seeing the data (e.g. credit scoring, hidden-information games such as Mafia implemented as smart contracts, or ordering transactions in a mempool without revealing their contents).

Finally, if you are willing to trust the hardware, TEEs are well suited to more complex operations. For example, they are the only viable option today for running private proprietary models (LLMs held by enterprises or by finance, healthcare or national-security bodies). The trade-off is that because TEEs are the only hardware-based solution, fixing their shortcomings should in theory be slower and more expensive than for the other technologies.

5. Other solutions

Clearly there is no perfect solution, and it is unlikely that any single technology will grow into one. Hybrid solutions are exciting because they can use the strengths of one approach to mitigate the weaknesses of another. The table below shows some of the new design space unlocked by combining approaches. The engineering involved varies widely (e.g. combining ZK and FHE may require finding the right curve parameters, while combining MPC and ZK may require finding a set of parameters that reduces the final network round-trip time (RTT)).

In short, high-performance general-purpose privacy unlocks countless applications: gaming, governance, fairer transaction lifecycles, identity, non-financial services, collaboration and coordination. This is part of why we find Nillion, Lit Protocol and Zama so interesting.

6. Conclusion

In summary, we see great potential, but we are still early in exploring the possibilities. The individual technologies may be approaching maturity, but stacking them together is still largely unexplored territory. PETs will be tailored to this field, and from an industry perspective there is still a great deal to do.