HAWK:
Privacy-Preserving Smart Contracts
Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, Charalampos Papamanthou
Bitcoin: market cap ($6.5B)
Financial institution investments in “blockchain”
Linq: private equity trading “on the blockchain”
The Blockchain Model of Computation
[Figure: users send data and money to contracts; a contract is code plus storage, executed by the peer-to-peer blockchain consensus protocol]
Bitcoin privacy guarantees are abysmal
Variety of transaction graph analysis techniques
We know how to fix this:
- Interactive mixing (Mixcoin, Coinjoin)
- Noninteractive mixing (Monero)
- Zerocash
Naive smart contracts LEAK EVERYTHING
- Code of the contract is public
- Data sent to the contract is public
- Money sent/received is public
- Adversaries can “front run”
- “Weakly pseudonymous” by default
Unsuitable for many real-world applications
Our solution: Hawk
Protocol suite and compiler for privacy preserving smart contracts
E.g. Auctions, Crowdfunding, Games, Financial instruments
Application developers do not have to know crypto details
[Chart: programmability vs. privacy. Bitcoin offers little of either; Zerocash adds privacy but not programmability; Ethereum (Serpent contracts) adds programmability but not privacy; Hawk targets both]
Naive Blockchain Auction
[Figure: (1) bidders send their bids as plaintext inputs to the blockchain contract; (2) the contract outputs refunds and the 2nd price]
Contract rules: the winner pays the 2nd price; the other bidders get refunds; the seller receives the 2nd price
Leaked on chain: every bid, every refund, and the 2nd price
Main Idea: Zero-knowledge proofs
Contracts use underlying cash system (Zerocash)
Only encryptions of data are published
ZK proofs attest to validity of the data
A designated party (the manager) collects inputs from parties and produces a ZK proof
The blockchain acts as verifier of the ZK proofs
Hawk Auction
[Figure: bidders, the manager and the blockchain contract; the contract holds the verification key for the manager's proofs]
1. Freeze: each bidder sends comm(bid) to the contract, which records it
2. Compute: the manager opens the commitments off-chain, runs the auction, and produces Encryption(outputs) together with a ZKP that the outputs follow from the committed bids
3. Finalize: the contract checks the ZKP against the verification key and settles the payments
Abort handler: if the manager stops participating, users can reclaim their frozen inputs
Minimally trusted manager (i.e., the auctioneer): sees the bids, but cannot misreport the outcome without producing an invalid proof
Can be implemented with SGX or MPC
Example applications:
- Sealed-bid auction
- Rock-paper-scissors
- Kick-starter
- Financial swap
Our compiler architecture: Hawk program → jSNARK (circuit generation) → libsnark (Pinocchio-style zkSNARK backend)
Performance
100-user auction or crowd-funding:
Auctioneer (manager): 2.8 min
User: 50 secs (independent of # of users)
On-chain cost: ~1.5 seconds
Main overhead: generating the SNARK proofs
Simulation-based security in the Smart Contract Model
[Figure: Ideal World: the ideal program F( ) inside a wrapper. Real World: the contract G( ) and the user protocol Pi( ), each inside a wrapper. Security means the real world is indistinguishable from the ideal world via a simulator]
More details in our tech report: http://oblivm.com/hawk/
How to use SNARKs in UC: https://eprint.iacr.org/2015/1093
New SNARK-smithing tools: https://github.com/akosba/jsnark
Ongoing efforts:
- Integration with Ethereum, other blockchain prototypes
- Implement alternatives with trusted hardware, MPC
- More protocols (e.g., multiple rounds)
Hawk provides privacy preserving contracts for blockchain application developers
Commit-and-reveal auction with deposits (backup slide)
Auction Manager: Create Contract
Participant (commit phase): Send(Comm(P, v, nonce)), Pay(deposit)
Auction Contract: Store Commitments
Participant (reveal phase): Send([value, nonce]), Pay(value - deposit)
Auction Contract: Verify Commitments; Identify Winners / Cheaters
Participant: Receive deposits back, except if a winner / cheater
Auction Manager: Receive(deposit + winners'/cheaters' deposits)
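The commit-and-reveal auction above, modelled end to end in Python as an added example; this is not Hawk's code or the deck's contract. Assumptions not on the slide: a fixed deposit of 10, a lone bidder pays 0, a mismatched opening is rejected like a reverted transaction, and forfeited deposits go to the seller. Note what this variant gives up compared with the Hawk auction: every bid becomes public at reveal time, which is exactly the leak the ZK construction removes.

```python
import hashlib
import secrets

# Fixed deposit paid at commit time. The slide does not give its size; 10 is assumed.
DEPOSIT = 10


def commit(party: str, value: int, nonce: bytes) -> bytes:
    """Comm(P, v, nonce): a SHA-256 hash commitment; the nonce hides the value."""
    return hashlib.sha256(f"{party}|{value}|".encode() + nonce).digest()


class AuctionContract:
    """Models the on-chain state machine: store commitments, verify openings,
    identify the winner and cheaters, and return the deposits."""

    def __init__(self, seller: str):
        self.seller = seller
        self.phase = "commit"
        self.commitments = {}  # party -> Comm(P, v, nonce)
        self.escrow = {}       # party -> coins held by the contract
        self.reveals = {}      # party -> opened bid value

    def commit_bid(self, party: str, com: bytes, payment: int) -> None:
        assert self.phase == "commit"
        assert payment == DEPOSIT, "commit must be accompanied by the deposit"
        assert party not in self.commitments, "one bid per party"
        self.commitments[party] = com
        self.escrow[party] = payment

    def close_commit_phase(self) -> None:
        self.phase = "reveal"

    def reveal_bid(self, party: str, value: int, nonce: bytes, payment: int) -> bool:
        """Verify the opening against the stored commitment. A mismatch is
        rejected (like a reverted transaction): escrow is untouched and the
        party is treated as a cheater at settlement."""
        assert self.phase == "reveal"
        assert party in self.commitments and party not in self.reveals
        if commit(party, value, nonce) != self.commitments[party]:
            return False
        assert payment == value - DEPOSIT, "top up escrow to the full bid"
        self.reveals[party] = value
        self.escrow[party] += payment
        return True

    def settle(self) -> dict:
        """Second-price rule: the highest revealed bid wins and pays the second
        highest (0 if alone). Honest losers are refunded in full; parties
        without a valid reveal forfeit their deposit to the seller (assumption)."""
        assert self.phase == "reveal"
        self.phase = "settled"
        payouts = {p: 0 for p in self.escrow}
        payouts[self.seller] = 0
        cheaters = sorted(p for p in self.commitments if p not in self.reveals)
        for p in cheaters:
            payouts[self.seller] += self.escrow[p]
        ranked = sorted(self.reveals.items(), key=lambda kv: (-kv[1], kv[0]))
        winner = ranked[0][0] if ranked else None
        price = ranked[1][1] if len(ranked) > 1 else 0
        for p in self.reveals:
            if p == winner:
                payouts[p] += self.escrow[p] - price
                payouts[self.seller] += price
            else:
                payouts[p] += self.escrow[p]
        return {"winner": winner, "price": price, "cheaters": cheaters, "payouts": payouts}


def run_example() -> dict:
    """Constructed scenario: three honest bidders, one who never reveals,
    and one whose reveal does not match the commitment."""
    bids = {"alice": 30, "bob": 50, "carol": 40, "dave": 20, "eve": 25}
    nonces = {p: secrets.token_bytes(16) for p in bids}
    contract = AuctionContract(seller="seller")
    for p, v in bids.items():
        contract.commit_bid(p, commit(p, v, nonces[p]), DEPOSIT)
    contract.close_commit_phase()
    for p in ("alice", "bob", "carol"):
        assert contract.reveal_bid(p, bids[p], nonces[p], bids[p] - DEPOSIT)
    # eve tries to open to a different value than she committed to: rejected
    assert not contract.reveal_bid("eve", 45, nonces["eve"], 45 - DEPOSIT)
    # dave never reveals at all
    return contract.settle()


if __name__ == "__main__":
    print(run_example())
```

Coins are conserved: the sum of payouts equals the sum of escrow, and the seller's payout is the 2nd price plus the two forfeited deposits.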
Zero-knowledge proofs (zkSNARK)
ZkPoK{ (w) : P(stmt, w) }, where P is an arbitrary function and w is the hidden witness
Prover(statement, witness) → proof
Verifier(statement, proof) → {0,1}
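A concrete instance of the Prover/Verifier interface above, added here as an example and not taken from Hawk: a Fiat-Shamir Schnorr proof of knowledge of a discrete logarithm, i.e. ZkPoK{ (w) : stmt == G^w }. It is a sigma protocol for one fixed relation, not a SNARK for an arbitrary P, and the group parameters Q, P, G are toy-sized assumptions. The simulate() function shows where the zero-knowledge property comes from.

```python
import hashlib
import secrets

# Toy group: P = 2Q + 1 with Q prime, G generates the order-Q subgroup.
# Far too small for real use (assumption, chosen so the numbers stay readable);
# a real deployment would use a ~256-bit elliptic-curve group.
Q = 1019
P = 2 * Q + 1
G = 4  # a quadratic residue mod P, hence of order Q


def keygen() -> tuple:
    """Returns (witness w, statement y = G^w mod P)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def fiat_shamir_challenge(stmt: int, t: int) -> int:
    """Non-interactive challenge: hash of the statement and the prover's first message."""
    h = hashlib.sha256(f"{P}|{G}|{stmt}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove(stmt: int, w: int) -> tuple:
    """Prover(statement, witness) -> proof for ZkPoK{ (w) : stmt == G^w }."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = fiat_shamir_challenge(stmt, t)
    s = (r + c * w) % Q
    return t, s


def verify(stmt: int, proof: tuple) -> int:
    """Verifier(statement, proof) -> {0,1}. Never sees w."""
    t, s = proof
    if not (1 < t < P and 0 <= s < Q):
        return 0
    c = fiat_shamir_challenge(stmt, t)
    return 1 if pow(G, s, P) == (t * pow(stmt, c, P)) % P else 0


def verify_interactive(stmt: int, t: int, c: int, s: int) -> int:
    """The underlying sigma protocol: the same check with a verifier-chosen c."""
    return 1 if pow(G, s, P) == (t * pow(stmt, c, P)) % P else 0


def simulate(stmt: int, c: int) -> tuple:
    """Zero-knowledge in one function: for any challenge known in advance, an
    accepting transcript can be produced without the witness, so transcripts
    carry no information about w. Fiat-Shamir prevents a cheating prover from
    doing this by binding c to t through the hash."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(stmt, -c, P)) % P
    return t, c, s


def demo() -> dict:
    w, y = keygen()
    proof = prove(y, w)
    t, s = proof
    tampered = (t, (s + 1) % Q)  # any change to s breaks the verification equation
    return {
        "honest": verify(y, proof),
        "tampered": verify(y, tampered),
        "simulated": verify_interactive(y, *simulate(y, 7)),
    }


if __name__ == "__main__":
    print(demo())
```

The check g^s == t * y^c is the whole verifier; the contract in Hawk plays this role for a much larger circuit, with the pairing-based SNARK verifier standing in for the modular exponentiations here.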
A toy version of “Zerocash” in Ethereum (Serpent-style pseudocode)

data merkleTree, serialNumbers[]

def deposit(com):
    # com is a commitment to (serialNumber, publicKey)
    assert msg.value == 1
    merkleTree.treeInsert(com)

def withdraw(proof, serialNumber, destination):
    # proof is a ZkPoK{ (publicKey, merkleProof, com, sig) :
    #   - com is included in merkleTree (using merkleProof)
    #   - com is a commitment to (serialNumber, publicKey)
    #   - sig is a signature on destination for publicKey }
    assert verify(proof)
    assert serialNumber is not yet in serialNumbers[]
    add serialNumber to serialNumbers[]
    send(destination, 1)
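The toy contract above, modelled in Python as an added example (not the deck's Serpent code and not Zerocash's own implementation). Since a real zkSNARK is out of scope here, the contract evaluates the proof predicate directly on the opened witness, which gives up privacy but exercises the same checks: Merkle inclusion against a historical root, commitment opening, spend authorization by knowledge of the secret key, and the serial-number set that blocks double spends. The hash-based key scheme (pk = H(sk), authorization by knowledge of sk in place of a signature), the depth-3 tree and the 1-coin denomination are assumptions.

```python
import hashlib
from dataclasses import dataclass

DEPTH = 3            # 8 leaves; a toy size (assumption)
ZERO = b"\x00" * 32  # placeholder for empty leaves


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class MerkleTree:
    """Append-only Merkle tree. Every historical root is remembered so a
    withdrawal can prove inclusion against the root it was prepared for."""

    def __init__(self):
        self.leaves = []
        self.roots = {self.root()}

    def _layers(self) -> list:
        layer = self.leaves + [ZERO] * (2 ** DEPTH - len(self.leaves))
        layers = [layer]
        while len(layer) > 1:
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            layers.append(layer)
        return layers

    def root(self) -> bytes:
        return self._layers()[-1][0]

    def insert(self, leaf: bytes) -> int:
        assert len(self.leaves) < 2 ** DEPTH, "tree full"
        self.leaves.append(leaf)
        self.roots.add(self.root())
        return len(self.leaves) - 1

    def path(self, index: int) -> list:
        """Authentication path as (sibling_hash, sibling_is_on_right) pairs."""
        out = []
        for layer in self._layers()[:-1]:
            sib = index ^ 1
            out.append((layer[sib], sib > index))
            index //= 2
        return out


def merkle_verify(root: bytes, leaf: bytes, path: list) -> bool:
    node = leaf
    for sibling, sib_right in path:
        node = H(node, sibling) if sib_right else H(sibling, node)
    return node == root


def commitment(serial: bytes, pk: bytes) -> bytes:
    return H(b"com", serial, pk)


@dataclass
class Witness:
    """Private inputs of the withdrawer. With a zkSNARK the contract would
    verify predicate() without ever seeing these; in this model it sees them."""
    sk: bytes
    path: list


def predicate(statement: tuple, w: Witness) -> bool:
    """The relation behind the slide's ZkPoK: com is in the tree, com opens to
    (serialNumber, publicKey), and the spender knows the key behind publicKey.
    The destination is part of the statement, so a proof is bound to one payee."""
    root, serial, _destination = statement
    com = commitment(serial, H(b"pk", w.sk))
    return merkle_verify(root, com, w.path)


class ToyZerocash:
    def __init__(self):
        self.tree = MerkleTree()
        self.serials = set()  # spent serial numbers
        self.balance = 0
        self.paid = {}

    def deposit(self, com: bytes, value: int) -> int:
        assert value == 1, "fixed 1-coin denomination"
        self.balance += 1
        return self.tree.insert(com)

    def withdraw(self, proof: Witness, serial: bytes, destination: str, root: bytes) -> bool:
        if root not in self.tree.roots:
            return False
        if not predicate((root, serial, destination), proof):
            return False
        if serial in self.serials:  # double spend
            return False
        self.serials.add(serial)
        self.balance -= 1
        self.paid[destination] = self.paid.get(destination, 0) + 1
        return True


def demo() -> dict:
    """Constructed scenario: two deposits, one honest spend, then three attacks."""
    zc = ToyZerocash()
    alice_sk, alice_serial = b"alice-secret", b"alice-serial"
    idx = zc.deposit(commitment(alice_serial, H(b"pk", alice_sk)), 1)
    proof, root = Witness(alice_sk, zc.tree.path(idx)), zc.tree.root()
    zc.deposit(commitment(b"bob-serial", H(b"pk", b"bob-secret")), 1)  # root moves on
    return {
        "alice_spend": zc.withdraw(proof, alice_serial, "merchant", root),
        "replay": zc.withdraw(proof, alice_serial, "merchant", root),
        "wrong_key": zc.withdraw(Witness(b"mallory", proof.path), alice_serial, "mallory", root),
        "no_such_coin": zc.withdraw(proof, b"never-deposited", "mallory", root),
        "paid": zc.paid,
        "balance": zc.balance,
    }
```

Alice's proof is prepared against the root before Bob's deposit and is still accepted afterwards, which is why the contract keeps historical roots; the replay fails on the serial-number check, not on the proof.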
Smart Contract Model (e.g., Ethereum)
[Figure: a chain of mined blocks (# i, # i+1, # i+2, ...) growing over time; miners and public watchdogs execute the contracts; users send data and money to contracts, which consist of code and storage]
All data and money transactions are public