Open access
Author
Date
2022
Type
- Doctoral Thesis
ETH Bibliography
yes
Abstract
In distributed ledgers (often called blockchains), a globally distributed state is updated by a history of irrevocable transactions. Modern blockchains allow programming these updates with custom logic using so-called smart contracts, which enables realizing decentralized applications without requiring a trusted third party. Typically, the data stored and processed on programmable blockchains is public, which prevents applications handling sensitive data from being ported to smart contracts.
In this thesis, we investigate how to ensure privacy for general smart contracts. While many works on private cryptocurrency transfers exist, the few proposals targeting general smart contracts suffer from various limitations and often require developers to instantiate advanced cryptographic primitives. In contrast, we adopt a programming language approach and design three systems usable by developers without cryptographic expertise.
First, we introduce the zkay language and compiler, which hide the data involved in smart contracts using encryption and non-interactive zero-knowledge (NIZK) proofs. The zkay language features a privacy type system allowing developers to express data ownership and preventing implicit information leaks. Our compiler automatically compiles zkay contracts to contracts executable on the popular Ethereum blockchain.
In our second system ZeeStar, we extend zkay to support computations on unknown private data, an essential feature required to implement important applications such as confidential payments. To this end, we modify zkay's type system and extend its compiler to instantiate additively homomorphic encryption.
Third, we explore how to not only hide the data but also the parties involved in a transaction. Specifically, we introduce the Zapper system, which hides the accessed objects and the identities of its users using a combination of Merkle hash trees, key-private encryption, and NIZK proofs. Zapper contracts are compiled to a custom assembly language, which is subject to an access control mechanism and executed on a NIZK processor.
For each system, we provide a proof demonstrating that it respects a well-defined notion of privacy. We implement all systems, relying on advanced techniques including elliptic curve embedding to achieve practical performance when combining cryptographic primitives. Finally, we demonstrate the systems' versatility and efficiency on a variety of example contracts.
Permanent link
https://doi.org/10.3929/ethz-b-000589000
Publication status
published
Publisher
ETH Zurich
Organisational unit
03948 - Vechev, Martin / Vechev, Martin