The crypto bubble has burst, but trust in the future looks set to rely on a new generation of crypto techniques.
The blockchain bubble claimed another victim at the beginning of March. An institution on the US west coast set up, like many of its peers, to collect deposits to lend on land and property purchases, Silvergate Bank moved into what seemed to be the lucrative world of blockchain almost a decade ago. It found a business in funnelling cash between conventional currencies and a rapidly burgeoning range of cryptocurrencies. But as the FTX empire collapsed and cryptocoin values fell, the bank became another piece of collateral damage.
Since the bubble’s peak, interest in non-fungible tokens (NFTs) issued on various blockchains has fallen sharply as well. The daily value of sales of NFTs on the Ethereum blockchain fell to less than $10m at the end of 2022, from a peak of close to $200m at the beginning of the year. As with the core Bitcoin bubble itself, much of the air in the market came from a rush to own assets, whether cryptocoins or links to ‘collectible’ images and videos, often in the hope they would continue to grow in value as more collectors piled in.
As reality sets in, is it all over for blockchains? Not necessarily, though survival may come only through a spot of rebranding. Some, such as Jay Graber, CEO of distributed social-media startup Bluesky, see the cryptographic foundations shared with blockchains as holding firm, but regard the blockchain part as far from essential (see The Distributed Self feature). Others see the world of blockchains as providing not just a playground for more adventurous uses of cryptography but also a way of getting projects funded: token trading funnels money into projects instead of relying purely on venture-capital investors.
Both communities are seeing decades of cryptography research crystallise into practical technologies. Bitcoin itself demonstrated how the conceptually simple hash function can be used to build trust in an environment where no-one can be trusted. To add anything to the blockchain, miners must do something that is computationally intensive but easy to verify once it is done. In this case, it is to find data of the miner’s own – a nonce – that, when combined with the transaction data that needs to go on the chain and hashed, produces an output beginning with a particular pattern of bits. As the outputs of hash functions are extremely hard to predict from their inputs – this is their key attribute – the work involves a great deal of trial and error, and a great many processor cycles.
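To make the idea concrete, the sketch below is a toy version of that search, assuming a single string of transaction data and SHA-256 as the hash. Real Bitcoin mining hashes a structured block header (twice) and adjusts the difficulty automatically, but the trial-and-error principle is the same.

```python
import hashlib

def mine(transactions: str, difficulty_bits: int) -> tuple[int, str]:
    """Search for a nonce whose hash over the data starts with enough zero bits.

    A toy stand-in for Bitcoin's proof-of-work, not its actual block format.
    """
    target = 1 << (256 - difficulty_bits)          # hashes below this value qualify
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{transactions}|{nonce}".encode()).hexdigest()
        if int(digest, 16) < target:               # found the required leading-zero pattern
            return nonce, digest
        nonce += 1                                 # otherwise, keep guessing

nonce, digest = mine("alice->bob:5", difficulty_bits=20)
print(nonce, digest)   # anyone can re-hash once to confirm the work was really done
```

The asymmetry is the point: finding the nonce takes huge numbers of guesses, while checking it needs a single hash.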
The amount of computing needed to mine a coin has had to increase over time as more miners have turned on increasingly powerful machines. Organising the work so that it is hard for any single group to control most transactions maintains trust in the validity of additions to the blockchain. So, trust-building comes at an immense cost.
According to some estimates, the energy used by Bitcoin mining rigs around the world may have hit 100TWh in a year. That works out at roughly a third of the electricity used by large-scale data centres doing everything else. Yet according to work published in 2021 by Charles Bertucci and colleagues working at a group of Parisian universities, energy still winds up being a comparatively small part of the cost: miners have spent much of their income on ever more powerful hardware with which to mine more bitcoins.
The Bitcoin ecosystem has resisted calls to change the proof-of-work protocol to something less intensive. Ethereum’s community is keen to carve out a different niche: one in which the consensus mechanism provides a way to perform computing in a trusted way, particularly where there is more than one party who relies on the result. Smart contracts revolve around the idea that multiple parties can come together and run shared code on the blockchain and produce a result they all agree on.
The problem for smart contracts is that you cannot run much code on the blockchain before costs spiral upwards. It is even worse if you want results quickly, as priority jobs will generally cost more, particularly at busy times. At the peak of the NFT boom, running a smart contract to mint one, which is a relatively simple procedure, could cost more than the equivalent of $100.
For this reason, smart-contract users have pushed what they can off-chain, but this leads to a loss of trust: how do you know that computations have not been faked to the benefit of the hardware’s owner? Some choose to run their code on their own servers. DapperLabs, the developer behind CryptoKitties, had the code that produces offspring from two ‘mating’ NFTs run on its own machines. People must simply trust that the code being run is legitimate.
For those situations where you need better guarantees, Ethereum’s founders turned to mathematical constructs developed almost 40 years ago, but which have seen comparatively little commercial use until recently, partly because the initial forms were computationally cumbersome. The community experimented with a range of options, but one based on zero-knowledge proofs, which had already been applied by smaller blockchains such as ZCash, turned out to offer the best combination of guarantees and performance.
The promise of the zero-knowledge proof seems impossible at an intuitive level. In essence, it provides a mechanism for one machine to convince another that it knows the correct answer to a question without at any point disclosing what that answer is. There is no direct way to formulate a fully effective proof that does this in one step. A full zero-knowledge proof is interactive: in effect, the verifier asks a series of questions and, if the prover keeps coming up with the right answers, the verifier eventually judges the probability of the prover being genuine to be high enough to trust them. All this happens without revealing the data that supports whatever the prover wants to demonstrate, such as a date of birth: all the verifier finds out is that the other party is above or below a certain age.
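One classic example of that back-and-forth is the Schnorr identification protocol, sketched below with deliberately toy-sized numbers: the prover convinces a verifier that it knows a secret exponent x behind a public value y without ever transmitting x. Real deployments use far larger primes or elliptic-curve groups; the parameters here are purely illustrative.

```python
import secrets

# Toy group parameters: p = 2q + 1 with q prime; g generates the order-q subgroup.
p, q, g = 2039, 1019, 4

x = secrets.randbelow(q)        # the prover's secret
y = pow(g, x, p)                # public value; the claim is "I know x such that g^x = y"

def round_of_proof() -> bool:
    # 1. Commit: prover picks a one-off random r and sends t = g^r.
    r = secrets.randbelow(q)
    t = pow(g, r, p)
    # 2. Challenge: verifier replies with an unpredictable c.
    c = secrets.randbelow(q)
    # 3. Response: prover sends s = r + c*x (mod q); x itself is never sent.
    s = (r + c * x) % q
    # 4. Check: g^s should equal t * y^c. A prover without x can only pass
    #    by guessing the challenge in advance.
    return pow(g, s, p) == (t * pow(y, c, p)) % p

print(all(round_of_proof() for _ in range(20)))   # repeated rounds build confidence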
To gain better performance, the proofs used by Ethereum dispense with the interactive back-and-forth, hence the name ‘succinct non-interactive argument of knowledge’ (SNARK), and rely on a similar type of operation to that used to generate pairs of keys in conventional cryptosystems. The resulting zk-SNARKs run at least 10 times faster than ‘bulletproof’ interactive protocols, which can take thousands of seconds in the worst case.
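The shift away from interaction can be seen in miniature by replacing the verifier’s live challenge with a hash of the prover’s own commitment – the long-standing Fiat-Shamir heuristic, shown below reusing the toy parameters from the previous sketch. Production zk-SNARKs rest on much heavier machinery, such as polynomial commitments and elliptic-curve pairings, but the end result is similar: a short proof that anyone can check without ever talking to the prover.

```python
import hashlib, secrets

p, q, g = 2039, 1019, 4                 # same toy group as the interactive sketch
x = secrets.randbelow(q)
y = pow(g, x, p)

def prove(message: bytes) -> tuple[int, int]:
    """Non-interactive proof of knowledge of x, via the Fiat-Shamir heuristic."""
    r = secrets.randbelow(q)
    t = pow(g, r, p)
    # The challenge is no longer supplied by a live verifier: it is derived by
    # hashing the commitment (and a message), so the prover cannot choose it.
    c = int.from_bytes(hashlib.sha256(f"{t}|{y}".encode() + message).digest(), "big") % q
    s = (r + c * x) % q
    return t, s

def verify(message: bytes, t: int, s: int) -> bool:
    c = int.from_bytes(hashlib.sha256(f"{t}|{y}".encode() + message).digest(), "big") % q
    return pow(g, s, p) == (t * pow(y, c, p)) % p

t, s = prove(b"claim: I know the secret behind y")
print(verify(b"claim: I know the secret behind y", t, s))   # True, with no back-and-forth
```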
Because they can confirm attributes about people without revealing their details, zero-knowledge proofs are likely to be used outside Ethereum and other blockchains. They are likely to help underpin the digital-identity standards being developed by the European Union, as well as attempts to break the monopoly of today’s social-media giants. Designers of these systems may choose to employ the more secure interactive protocols, as security is more likely to trump performance there than in blockchain environments, where SNARKs are now used to support on-chain games such as Dark Forest.
Developed by 0xPARC founder Brian Gu, who works under the pseudonym Gubsheep, Dark Forest is a game inspired by Liu Cixin’s ‘The Three-Body Problem’ series of novels. It relies on players being able to keep information about their in-game societies secret if they can. SNARKs make it possible for them to make moves on the public blockchain without ever revealing their absolute locations. Gu argued at the Ethereum Devcon late last year that zk-SNARKs provide the basis for what he called “programmable cryptography”.
In Gu’s argument, zk-SNARKs provide the basis of “an expressive language of claims”. Making even an apparently simple change to a cryptographic system, such as letting anyone in a group sign a document rather than a single named individual, involves intensive R&D and the creation of novel protocols. “With zk-SNARKs, making a system capable of dealing with the difference between these two claims is a two-line change,” he claims.
The concept of programmable cryptography potentially goes far beyond supporting arbitrary claims. One example that may wind up being used in blockchain applications is witness encryption. Instead of locking a piece of data or a document with a fixed piece of secret information, the key may be the solution to a puzzle, some other attribute such as the time of day, or a combination of calculations and private keys.
The other direction is to have computers work directly on encrypted data. There are many situations where a user needs the result of a calculation but cannot afford to reveal the data or code behind it. The easy way to achieve that today is to make sure the computations run on a machine you control, and in many cases this will continue to make far more sense. In sectors like chip design and healthcare, it remains one reason why companies are hesitant to push computation into the cloud, though for some tasks where they have little choice, such as meeting pressing deadlines, many chipmakers have taken the risk of exposing intellectual property to the cloud-computing companies.
The idea that you could hide computations from the hardware’s owner has been around for decades. Not long after they were involved in the creation of the public-key encryption that currently secures most financial systems, cryptographers Ron Rivest and Leonard Adleman, working with Michael Dertouzos, theorised a way to work on data that is encrypted without having to unscramble it first. One property of the RSA public-key algorithm is that multiplying two encrypted numbers gives the same answer as multiplying the two plain numbers and then encrypting the result. The problem lies in extending this to all possible computations.
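That multiplicative property is easy to see with textbook, unpadded RSA and deliberately tiny primes, as in the sketch below; real RSA uses padding that, among other things, removes this behaviour, so this is illustration only.

```python
# Textbook RSA with toy primes, purely to show the multiplicative property.
p, q = 61, 53
n = p * q                           # 3233
e = 17                              # public exponent
d = pow(e, -1, (p - 1) * (q - 1))   # private exponent

encrypt = lambda m: pow(m, e, n)
decrypt = lambda c: pow(c, d, n)

a, b = 7, 12
product_of_ciphertexts = (encrypt(a) * encrypt(b)) % n
# Multiplying the ciphertexts, then decrypting, equals multiplying the plaintexts.
print(decrypt(product_of_ciphertexts), a * b)    # both print 84
```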
For years, the idea of fully homomorphic encryption remained largely theoretical. Then in 2009, for his PhD thesis, Craig Gentry found a way of using lattices, which also lie at the heart of some quantum-safe encryption techniques, to implement the core of a workable system. There are, however, major limitations. More than 10 years on, in a talk for the International Mathematical Union last year, Gentry noted, “We’re still kind of stuck on the same framework. So, if a mathematician comes up to me and says, ‘why didn’t you just do it this way, it’s really simple’, that would be ideal.”
In its current form, seemingly simple operations that would take just a few processor cycles in the clear need hundreds, thousands or even millions of cycles to perform on encrypted data. The nature of the schemes in use today means the data is partially masked by noise. If you perform just a few simple operations, this noise makes no difference to the final answer, but as you work through more intensive algorithms the noise eventually overwhelms the result. You can re-encrypt the data before the predicted noise reaches a threshold – a step known as bootstrapping – but it adds to the complexity and overhead.
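A heavily simplified scheme, loosely modelled on the 2010 ‘fully homomorphic encryption over the integers’ construction, shows why – with toy-sized numbers standing in for the enormous parameters real systems need. Each encrypted bit carries a small noise term; additions add the noise terms together, but multiplications multiply them, and once the noise outgrows the secret key the answer is lost.

```python
import secrets

# A bit m is hidden as c = P*q + 2*r + m: P is the secret key, q is large and
# random, and 2*r + m is the small 'noise' term that also carries the message.
P = 1_000_003                          # secret key: far larger than any fresh noise

def encrypt(m: int) -> int:
    q = secrets.randbelow(2**40)
    r = 10 + secrets.randbelow(10)     # small random noise
    return P * q + 2 * r + m

def decrypt(c: int) -> int:
    return (c % P) % 2                 # correct only while the noise stays below P

a, b = encrypt(1), encrypt(1)
print(decrypt(a + b))                  # addition acts as XOR: 1 ^ 1 -> 0
print(decrypt(a * b))                  # multiplication acts as AND: 1 & 1 -> 1

# Each multiplication multiplies the noise terms together, so noise grows
# explosively; once it overflows P, decryption stops being reliable.
c = encrypt(1)
for i in range(1, 9):
    c = c * encrypt(1)                 # the true product of all-1 bits is still 1
    print(i, decrypt(c))               # right for the first few rounds, then unreliable
```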
A second issue is that the calculations work on combinations of logic gates, a form that does not fit the loop- and branch-heavy code found in typical applications. Because the program cannot inspect an encrypted condition, it must evaluate every possible branch and combine the results, which adds many more cycles to the execution time.
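The sketch below, reusing the toy integer scheme from above, shows the standard workaround: rather than choosing a branch, the code evaluates both and blends them arithmetically – a multiplexer built from the AND, XOR and NOT operations the encryption supports.

```python
import secrets

# Same toy integer scheme as above, repeated so this sketch runs on its own.
P = 1_000_003
def encrypt(m: int) -> int:
    return P * secrets.randbelow(2**40) + 2 * (10 + secrets.randbelow(10)) + m
def decrypt(c: int) -> int:
    return (c % P) % 2

# An encrypted condition cannot be inspected, so 'a if cond else b' becomes
# arithmetic over both branches: (cond AND a) XOR (NOT cond AND b).
def select(c_cond: int, c_true: int, c_false: int) -> int:
    c_not_cond = c_cond + 1                  # adding a plaintext 1 flips the hidden bit
    return c_cond * c_true + c_not_cond * c_false

cond, a, b = 1, 1, 0
print(decrypt(select(encrypt(cond), encrypt(a), encrypt(b))))   # 1, i.e. the 'a' branch
```

Both branches are always computed in full, which is exactly why branch-heavy code is so expensive to run under encryption.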
Though specialists like Cornami and Optalysys are working on accelerators for homomorphic encryption that could speed up the computations, many companies in the cloud-computing arena favour what they call confidential computing. This involves building protections into processors that guard against eavesdropping and which, in principle, make it harder even for the hardware’s owner to reverse-engineer the software running on it. Homomorphic encryption will likely need to find niches where it has clear advantages over confidential computing.
Some vendors have made a virtue out of the restrictions that homomorphic encryption and its variants entail. Blyss, for example, specialises in building software that can host large data repositories that users can search and access without revealing what they are looking for.
Zama is focusing on machine learning. Jordan Fréry, research scientist at the French start-up, points to how organisations working in healthcare are stymied by privacy legislation when they try to share data that could improve treatments. Similarly, financial institutions that want to develop ways of spotting money laundering cannot access account data from competitors or partners to train models. In principle, homomorphic encryption makes it possible to open up sensitive data for mining, model training and inference without revealing personally identifiable information.
However, with training, another limitation of today’s homomorphic encryption crops up: current systems only support integer arithmetic, while training algorithms rely on the huge numeric range of floating-point arithmetic. Even translating those algorithms into large integers imposes a heavy overhead, as performance drops off dramatically as the number of bits grows. On the other hand, the core multiplication and table look-up operations needed for machine learning are relatively easy to implement and provide big opportunities for acceleration.
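The usual workaround is to quantise: map floating-point weights onto small fixed-point integers before they ever meet the encryption, trading some precision for tractable ciphertext arithmetic. The sketch below shows the idea with made-up weights and an 8-bit scale; production toolkits automate this step and the choice of bit-width.

```python
# Fixed-point quantisation: the kind of translation needed before integer-only
# homomorphic schemes can evaluate a model. Weights and bit-width are illustrative.
weights = [0.27, -1.43, 0.051, 0.9]
bits = 8
scale = (2 ** (bits - 1) - 1) / max(abs(w) for w in weights)   # largest weight maps to 127

quantised = [round(w * scale) for w in weights]
print(quantised)                       # e.g. [24, -127, 5, 80]
print([q / scale for q in quantised])  # approximate recovery; some precision is lost

# Fewer bits keep the encrypted arithmetic cheap but cost accuracy;
# more bits restore accuracy but make each homomorphic operation far slower.
```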
Homomorphic encryption is not the only solution even here. For years, the semiconductor industry has encrypted data so that it can be fed into design tools that competitors may also be using. Foundries such as TSMC, for example, put information about how to lay out chips most effectively into the design kits used by tools supplied by Cadence Design Systems, Synopsys and others. That information can provide clues about what affects production yield at their fabs, so the databases are encrypted to make them difficult to reverse-engineer and exploit.
US startup TripleBlind, where Gentry now works as CTO, has attempted to sidestep several problems of homomorphic encryption by developing a different scheme. This, the company claims, adds a performance penalty of only around 15 per cent, and it checks how data is accessed to prevent, for example, a competitor’s code from trying to grab personalised data.
Even as the blockchain bubble bursts, the legacy of decades of work in cryptography is beginning to ripple through into commercial reality. And the blockchain ecosystem may prove fertile ground for many of these techniques to be tried out, to see how well they work at scale.
However, continuing problems of computational overhead may mean that zero-knowledge proofs, homomorphic encryption and their derivatives wind up being squeezed into niches where only they can satisfy a need. Elsewhere, the market may well continue to make do with what it can get from classic public-key encryption and conventional computing devices.