A primer into the history of cryptography and the web3 PET ecosystem.
Recently I have been diving into MPC, FHE, TEEs and ZK and wanted to consolidate my learnings under the wider category of privacy-enhancing technologies (PETs).
I got into web3 because of the appeal of the cypherpunk movement and financial decentralization, but with the recent rise of AI, and with open communication being punished (e.g. Telegram), there is an increasing need for privacy and for using PETs to make the world more equitable.
In this article I cover what PETs are, their history and evolution, the different PET categories (MPC, FHE, TEE and ZK) and their significance to the web3 industry. Now let’s dive into the world of PETs 🐶
Note: I have most likely missed various protocols on the ecosystem map, so feel free to comment new entries here.
PETs are a class of cryptographic techniques and system designs that protect sensitive data and preserve user privacy in digital environments. They aim to minimize data exposure while still allowing useful computation and interaction: at their core, they are about using or computing on data without compromising individual privacy.
Cryptography and PETs are not a novel concept. The foundations of modern cryptography and privacy-enhancing technologies were laid in the 1970s and 1980s, coinciding with the early days of computer networking and the Internet age.
The 1970s saw a paradigm shift from traditional symmetric-key cryptography to public-key cryptography, which became a cornerstone for many later PETs. This era was marked by groundbreaking research that addressed fundamental questions about secure communication in the digital age.
Notable publications that laid the foundation of this era include:
New Directions in Cryptography by Diffie, W. and Hellman, M.E. (1976)
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems by Rivest, R.L., Shamir, A. and Adleman, L. (1977)
Secure Communications over Insecure Channels by Merkle, R.C. (1978)
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms by Chaum, D. (1981)
How to Generate and Exchange Secrets (the garbled-circuits paper) by Yao, A. (1986)
These names are now very well known in the cryptography space and are credited with the key developments in public-key cryptography, digital signatures, secure key exchange and anonymous communication. These advances were not just theoretical; they were driven by pressing practical concerns and led to further questions:
Data protection: how do we store personal information safely?
Anonymous communication: how do we build communication systems that do not reveal identities?
Electronic payments: how do we build a digital payment system with privacy?
Yao's garbled circuits deserve special attention, as they introduced a novel approach to secure computation:
Circuit garbling: the function is expressed as a boolean circuit and "garbled": every wire gets two random labels (one per bit value) and each gate's truth table is encrypted so that one pair of input labels unlocks exactly one output label.
Oblivious transfer: lets the evaluating party obtain the labels for its own input bits without the garbling party learning which bits it chose.
Evaluation: the garbled circuit is evaluated gate by gate on labels alone, so no intermediate value is ever revealed; only the final output is decoded.
Applications: used in modern privacy-preserving machine learning, secure auctions and private set intersection.
As I was reading further into these publications and David Chaum’s work, this quote stood out to me.
“New and more serious dangers derive from computerised pattern recognition techniques: even a small group using them and tapping into data gathered in everyday consumer transactions could secretly conduct mass surveillance, inferring individuals’ lifestyles, activities, and associations. The automation of payment and other consumer transactions is expanding these dangers to an unprecedented extent”
Fast forward four decades: our data has been, and continues to be, sold to large corporations for various motives. Our communication platforms are heavily monitored, and company CEOs like Pavel Durov are being arrested over Telegram’s lack of moderation and for creating a breeding ground for fraud and other criminal activity.
The electronic payments question has advanced in the form of Bitcoin and the wider blockchain ecosystem, a huge light in the darkness, but we can do better as a collective. The wider PET ecosystem and web3 are exploring whether we can extend this further and solve private data protection, storage and communication.
So where is the industry at with the evolution of PET technology?
I would compare the stage of PET evolution to Charmander → Charizard:
1980s - 2000s: research and discovery
2000s - 2020s: optimizing protocols; first work on languages and compilers
Present: production-ready PET usage
So now let’s dive into the different types of PETs.
MPC refers to cryptographic protocols that distribute a computation across multiple parties so that no individual party sees the other parties’ data. This allows collaborative computation on sensitive data without revealing the raw inputs. MPC provides two guarantees: privacy (no party learns anything about the others’ inputs beyond what the output itself reveals) and correctness (the parties obtain the right result of the agreed function, with the pieces of information combined correctly).
The most common example used to explain MPC is Yao’s Millionaires’ Problem. Two millionaires, Alice (with wealth a) and Bob (with wealth b), want to know which of them is richer (whether a > b) without revealing their figures. The only thing either party should learn is the single bit of the comparison result; a protocol that solves it is a minimal instance of MPC.
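To make the garble / oblivious transfer / evaluate steps concrete, here is an added example (my own code, not from the original post or any project it mentions) that solves the Millionaires’ Problem with a garbled circuit for an 8-bit comparator. The garbler and evaluator roles, the SHA-256-based dual-key encryption of the truth tables and the all-zero tag used to recognise the right row are my simplifications of Yao’s construction, and the oblivious transfer is modelled as an ideal function rather than a real OT protocol (an assumption for readability).

```python
import hashlib
import os
import random

LABEL_LEN = 16
TAG = bytes(LABEL_LEN)  # all-zero tag lets the evaluator recognise the one row it can decrypt


# Two-input gate functions. XNOR and AND-NOT keep the comparator free of separate NOT gates.
def AND(x, y): return x & y
def OR(x, y): return x | y
def XNOR(x, y): return 1 - (x ^ y)
def ANDNOT(x, y): return x & (1 - y)   # x AND NOT y


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def _pad(k1, k2, gate_id):
    # Dual-key "encryption" pad derived from the two input labels and the gate index.
    return hashlib.sha256(k1 + k2 + gate_id.to_bytes(4, "big")).digest()


def greater_than_circuit(nbits):
    """Boolean circuit computing a > b for nbits-bit unsigned inputs.
    Wires 0..nbits-1 carry a's bits (LSB first), wires nbits..2*nbits-1 carry b's bits.
    Returns (gates, output_wire); each gate is (fn, in_wire_1, in_wire_2, out_wire)."""
    gates, next_wire = [], 2 * nbits

    def gate(fn, w1, w2):
        nonlocal next_wire
        gates.append((fn, w1, w2, next_wire))
        next_wire += 1
        return next_wire - 1

    gt = gate(ANDNOT, 0, nbits)               # a0 > b0
    for i in range(1, nbits):                 # scan towards the MSB
        eq = gate(XNOR, i, nbits + i)         # a_i == b_i
        carry = gate(AND, eq, gt)             # equal here, so lower bits decide
        here = gate(ANDNOT, i, nbits + i)     # a_i > b_i decides outright
        gt = gate(OR, here, carry)
    return gates, gt


def garble(gates, n_wires):
    """Garbler: two random labels per wire, each gate's truth table encrypted under the
    input labels, rows shuffled so their order leaks nothing."""
    labels = [(os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for _ in range(n_wires)]
    tables = []
    for gid, (fn, w1, w2, wo) in enumerate(gates):
        rows = []
        for x in (0, 1):
            for y in (0, 1):
                plaintext = labels[wo][fn(x, y)] + TAG
                rows.append(_xor(plaintext, _pad(labels[w1][x], labels[w2][y], gid)))
        random.SystemRandom().shuffle(rows)
        tables.append((w1, w2, wo, rows))
    return labels, tables


def evaluate(tables, input_labels):
    """Evaluator: holding one label per input wire, decrypt exactly one row per gate.
    Only labels are ever seen, never the bits they stand for."""
    wires = dict(input_labels)
    for gid, (w1, w2, wo, rows) in enumerate(tables):
        pad = _pad(wires[w1], wires[w2], gid)
        for row in rows:
            plaintext = _xor(row, pad)
            if plaintext[LABEL_LEN:] == TAG:
                wires[wo] = plaintext[:LABEL_LEN]
                break
        else:
            raise ValueError(f"gate {gid}: no row decrypted (corrupt table or wrong labels)")
    return wires


def oblivious_transfer(pair, choice_bit):
    """Ideal 1-of-2 OT modelled as a plain function (assumption for this example): the receiver
    gets pair[choice_bit] and the sender learns nothing about choice_bit. A deployment would
    run a real OT protocol here."""
    return pair[choice_bit]


def millionaires(a, b, nbits=8):
    """Alice (garbler, input a) and Bob (evaluator, input b) learn only whether a > b."""
    gates, out = greater_than_circuit(nbits)
    labels, tables = garble(gates, 2 * nbits + len(gates))
    # Alice sends the tables plus the labels for her own bits (a random label reveals nothing).
    held = {i: labels[i][(a >> i) & 1] for i in range(nbits)}
    # Bob obtains the labels for his bits by OT, so Alice never sees b.
    for i in range(nbits):
        held[nbits + i] = oblivious_transfer(labels[nbits + i], (b >> i) & 1)
    out_label = evaluate(tables, held)[out]
    # Output decoding: Alice reveals which of the two output labels means "1".
    if out_label not in labels[out]:
        raise ValueError("output label does not decode")
    return out_label == labels[out][1]
```

The evaluator only ever handles 16-byte random labels; each gate's shuffled rows decrypt under exactly one pair of labels, so no intermediate bit is exposed. A real implementation would replace the modelled OT with an actual OT protocol and would typically add the point-and-permute and free-XOR optimisations.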
MPC protocols typically use several techniques (often in combination) to achieve these goals:
Secret sharing: information is split into shares, where any set of shares below the threshold reveals nothing about the secret, but enough shares together reconstruct it. Common methods include:
Shamir's secret sharing: uses polynomial interpolation; the secret is the constant term of a random polynomial of degree t-1, so any t shares reconstruct it and fewer reveal nothing.
Additive secret sharing: splits a secret into random shares that sum to the original value (modulo a fixed prime), so all shares are needed to reconstruct it.
Garbled circuits: a method where one party creates an encrypted version of a boolean circuit representing the computation, while the other party evaluates it without learning intermediate values.
Oblivious transfer: a protocol where a sender holds several messages and a receiver obtains exactly the one it chooses; the sender does not learn which message was chosen, and the receiver learns nothing about the others.
Threshold cryptography: cryptographic operations (signing, decryption) that require a threshold of parties to cooperate, so no single party has full control of the key.
In relation to the web3 / crypto ecosystem, MPC complements how blockchains currently operate. A blockchain provides transparency: in the simplest terms, an open ledger, a growing spreadsheet of transactions, where everything is out in the open. MPC augments this with privacy-preserving features by “secretizing” layers of the blockchain.
Please note that I have intentionally sectioned MPC wallet infrastructure as a subcategory of MPC wallets. More information can be found here.
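As an added example (my own code, not from the original post), the two sharing methods above in working form: an additive-sharing protocol in which n parties learn the sum of their inputs and nothing else, and a (t, n) Shamir scheme with Lagrange reconstruction plus the share-wise addition that arithmetic MPC is built on. The field prime and the party setup are my assumptions.

```python
import secrets

PRIME = 2**61 - 1  # field for all arithmetic; a toy choice, any prime larger than the secrets works


def additive_share(secret, n, p=PRIME):
    """Split secret into n uniformly random shares that sum to it mod p.
    Any n-1 of the shares are uniformly random and independent of the secret."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % p)
    return shares


def private_sum(inputs, p=PRIME):
    """n parties learn the sum of their inputs without revealing them.
    Party i splits x_i into n shares and sends share j to party j; each party adds the
    shares it received and publishes that partial sum; the partials add up to the total."""
    n = len(inputs)
    dealt = [additive_share(x, n, p) for x in inputs]        # dealt[i][j]: party i -> party j
    partials = [sum(dealt[i][j] for i in range(n)) % p for j in range(n)]
    return sum(partials) % p


def shamir_share(secret, t, n, p=PRIME):
    """(t, n) Shamir sharing: secret is the constant term of a random degree t-1 polynomial;
    share i is the point (i, f(i)). Any t points determine f(0); t-1 points say nothing."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return [(x, f(x)) for x in range(1, n + 1)]


def shamir_reconstruct(shares, p=PRIME):
    """Lagrange interpolation at x = 0 over the given shares (at least t of them)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def shamir_add(shares_a, shares_b, p=PRIME):
    """Shares are linear: adding shares point-wise yields shares of the sum, so parties can
    add two secrets without reconstructing either one."""
    assert [x for x, _ in shares_a] == [x for x, _ in shares_b], "shares must be aligned by party"
    return [(x, (ya + yb) % p) for (x, ya), (_, yb) in zip(shares_a, shares_b)]
```

Each party in private_sum sees n-1 random shares and its own, so the only new information it gains is the published total; Shamir's scheme adds a threshold so the computation survives parties dropping out.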
Homomorphic encryption is a type of encryption that allows computations to be performed on encrypted data without decrypting it first. Sensitive data can therefore be processed and analyzed while it stays encrypted. In the current landscape, data is transmitted between many parties (users, services, cloud servers) and is well protected in transit (TLS/HTTPS) and at rest, but the moment it has to be computed on it must be decrypted, which exposes the raw data to unauthorized access, breaches or misuse. Homomorphic encryption closes that gap: the computation itself runs on ciphertexts.
The history of FHE is as follows:
1970s: RSA malleability: researchers observed that multiplying two RSA ciphertexts gives a valid ciphertext of the product of the plaintexts, i.e. an operation on encrypted data without decryption (Rivest, Adleman and Dertouzos asked in 1978 whether such "privacy homomorphisms" could be built deliberately)
Early progress: partially homomorphic encryption (PHE) schemes such as ElGamal (multiplicative) and Paillier (additive), each supporting one specific operation on encrypted data
2005: LWE: Oded Regev introduced the Learning With Errors (LWE) problem, a secure foundation for encryption in which controlled noise is the security feature
2009: Gentry's breakthrough: Craig Gentry showed how to manage the noise that accumulates during encrypted computation through bootstrapping, i.e. homomorphically evaluating the scheme's own decryption to refresh a noisy ciphertext into a fresh one while the data stays encrypted
Present day: practical systems combine leveled homomorphic encryption with bootstrapping for efficiency, following encrypt -> (leveled operations -> bootstrapping) repeated as needed -> decrypt
This has evolved into several types of homomorphic encryption:
Partially homomorphic encryption (PHE): a single homomorphic operation, either addition or multiplication, but not both.
Somewhat homomorphic encryption (SHE): supports both addition and multiplication, but only for a limited number of operations before the noise makes the result undecryptable.
Leveled fully homomorphic encryption (LHE): supports additions and multiplications up to a depth that is chosen at key generation (more depth is bought with larger parameters, i.e. longer ciphertexts and slower operations).
Fully homomorphic encryption (FHE): an unlimited number of homomorphic operations (both addition and multiplication), thanks to bootstrapping.
FHE + levels: a leveled scheme combined with bootstrapping, where a predetermined number of operations (levels) is evaluated before the noise gets too large and a bootstrap resets it; this gives unlimited FHE with better performance than bootstrapping after every operation.
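An added example (my own code, not from the original post or any FHE library) of the partially homomorphic rung and of the RSA observation that started the field: Paillier addition and scaling on ciphertexts, and textbook RSA’s multiplicative malleability. The primes are toy-sized by assumption so the numbers stay readable; nothing here is production cryptography.

```python
import math
import secrets

# Toy primes (assumption): about 20 bits each so the arithmetic stays readable.
# Real keys use primes of 1024 bits or more.
P, Q = 1000003, 1000033


def _L(x, n):
    return (x - 1) // n


def paillier_keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m):
    n, g = pk
    while True:                                      # fresh randomness per encryption:
        r = secrets.randbelow(n - 1) + 1             # the same m gives different ciphertexts
        if math.gcd(r, n) == 1:
            return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(pk, sk, c):
    (n, _), (lam, mu) = pk, sk
    return _L(pow(c, lam, n * n), n) * mu % n


def paillier_add(pk, c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): the server adds without seeing either value."""
    n = pk[0]
    return c1 * c2 % (n * n)


def paillier_scale(pk, c, k):
    """Enc(m)^k = Enc(k * m): multiplication by a constant the server knows."""
    n = pk[0]
    return pow(c, k, n * n)


def aggregate_encrypted(values):
    """The client keeps the secret key; an untrusted aggregator sums the ciphertexts."""
    pk, sk = paillier_keygen()
    cts = [paillier_encrypt(pk, v) for v in values]
    total = cts[0]
    for c in cts[1:]:
        total = paillier_add(pk, total, c)
    return paillier_decrypt(pk, sk, total)


def rsa_malleability(m1, m2, p=P, q=Q):
    """Textbook RSA (no padding) is multiplicatively homomorphic: Enc(m1) * Enc(m2) mod n
    decrypts to m1 * m2. The property that makes raw RSA unsafe as a general encryption
    scheme is the same one that seeded homomorphic encryption."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    d = pow(e, -1, phi)
    c = pow(m1, e, n) * pow(m2, e, n) % n
    return pow(c, d, n)
```

Note the contrast with semantic security: Paillier is randomized, so two encryptions of the same value differ, whereas textbook RSA is deterministic and would let an attacker recognise repeated plaintexts.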
We can take the example of patient healthcare data that needs to be analyzed by a research institution. With FHE, the research institution can perform the analysis with the encrypted patient data whilst protecting the medical information in the process.
Key features of FHE include:
Computation on encrypted data: allows statistical analysis, machine learning and data aggregation while the underlying data stays fully encrypted.
Privacy: data remains encrypted during processing, protecting it from unauthorized access and preserving the confidentiality of the individuals or entities it describes; in particular, the party doing the computation never holds the decryption key.
Semantic security: no partial information about the plaintext can be efficiently extracted from the ciphertext, even with auxiliary information. For example, if an attacker knows a ciphertext contains either "yes" or "no", they cannot tell which with probability better than guessing. This requires encryption to be randomized: the same value encrypted twice must give different ciphertexts, otherwise the attacker could simply encrypt "yes" and "no" themselves and compare.
Noise management: the ability to control and reduce the noise that accumulates during homomorphic operations, so that the ciphertext remains decryptable after many computations. Each operation adds "noise" to the ciphertext (additions add it, multiplications grow it much faster), and once it crosses a threshold decryption returns the wrong value, so it must be tracked and periodically reset.
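To show what "noise" and a noise budget mean in practice, here is an added toy LWE-style scheme (my own code, not from the original post or any FHE library) for single bits. It supports homomorphic addition only, computes the worst-case noise budget, shows decryption failing once the budget is exceeded, and models bootstrapping by a refresh that uses the secret key, which real bootstrapping avoids. The parameters are assumptions chosen to keep the budget small enough to demonstrate.

```python
import secrets

Q = 2**16           # ciphertext modulus
N = 32              # secret dimension (toy; real schemes use hundreds to thousands)
NOISE_BOUND = 1024  # |e| <= NOISE_BOUND in a fresh ciphertext (toy value, so the budget is small)
DELTA = Q // 2      # a 1-bit message is encoded as 0 or Q/2


def keygen():
    return [secrets.randbelow(Q) for _ in range(N)]


def encrypt(s, bit, e=None):
    """Symmetric LWE encryption of one bit: (a, b = <a,s> + e + DELTA*bit mod Q).
    e defaults to a random value in [-NOISE_BOUND, NOISE_BOUND]; pass e for experiments."""
    if e is None:
        e = secrets.randbelow(2 * NOISE_BOUND + 1) - NOISE_BOUND
    a = [secrets.randbelow(Q) for _ in range(N)]
    b = (sum(ai * si for ai, si in zip(a, s)) + e + DELTA * bit) % Q
    return a, b


def _phase(s, ct):
    a, b = ct
    return (b - sum(ai * si for ai, si in zip(a, s))) % Q


def decrypt(s, ct):
    """Correct as long as the accumulated noise satisfies |e| < Q/4."""
    return 1 if Q // 4 <= _phase(s, ct) < 3 * Q // 4 else 0


def noise(s, ct, bit):
    """Diagnostic only (needs the key and the true bit): the centred noise in a ciphertext."""
    e = (_phase(s, ct) - DELTA * bit) % Q
    return e - Q if e > Q // 2 else e


def add(ct1, ct2):
    """Homomorphic addition: the noises add, so the bound on the sum is the sum of the bounds.
    Because 2*DELTA = Q, adding two bit encryptions computes XOR."""
    a = [(x + y) % Q for x, y in zip(ct1[0], ct2[0])]
    return a, (ct1[1] + ct2[1]) % Q


def safe_additions():
    """Worst-case budget: k fresh ciphertexts can be summed while k * NOISE_BOUND < Q/4."""
    return (Q // 4 - 1) // NOISE_BOUND


def refresh(s, ct):
    """Stand-in for bootstrapping (assumption): resets the noise by decrypting and re-encrypting
    with the secret key. Real bootstrapping evaluates this decryption homomorphically, so the
    party doing it never sees the key or the bit; the effect on the noise is the same."""
    return encrypt(s, decrypt(s, ct), e=0)


def private_parity(s, bits):
    """XOR of many encrypted bits, refreshing whenever the worst-case budget is used up:
    encrypt -> leveled operations -> refresh -> ... -> decrypt."""
    acc = encrypt(s, bits[0])
    used = 1                                  # ciphertexts worth of noise in acc
    for bit in bits[1:]:
        if used == safe_additions():
            acc, used = refresh(s, acc), 1    # refreshed ciphertext carries no noise here
        acc = add(acc, encrypt(s, bit))
        used += 1
    return decrypt(s, acc)


def worst_case_overflow(s):
    """Sum all-zero bits carrying maximal noise: returns (decryption after safe_additions()
    ciphertexts, decryption after one more). The first is right, the second is wrong."""
    acc = encrypt(s, 0, e=NOISE_BOUND)
    for _ in range(safe_additions() - 1):
        acc = add(acc, encrypt(s, 0, e=NOISE_BOUND))
    within_budget = decrypt(s, acc)
    return within_budget, decrypt(s, add(acc, encrypt(s, 0, e=NOISE_BOUND)))
```

With these parameters the budget is 15 additions: the 16th pushes the phase of an all-zero sum to exactly Q/4, which decrypts as 1. Leveled schemes size their parameters so the whole circuit fits inside the budget; FHE with bootstrapping resets it mid-computation instead.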
In the context of web3, FHE provides enhanced privacy, security and computation on top of blockchains. Sensitive data can be securely stored and processed on-chain, enabling privacy-preserving smart contracts and dApps.
TEEs offer a hardware-isolated execution environment (enclave) in which an application can keep and use private information. The enclave is a separated region of a computer in which sensitive computations, such as generating digital signatures, run isolated even from the host operating system and hypervisor. The cryptographic keys and code are loaded into the TEE and stay there, which narrows the attack surface.
Key features of TEEs include:
Secure boot: ensures that only authorized software runs in the TEE by verifying the integrity of the code before execution.
Memory encryption: the CPU encrypts enclave memory before it leaves the processor, protecting it against physical attacks such as cold-boot and memory-bus probing.
Secure I/O: provides a protected path for input and output, preventing eavesdropping on sensitive data such as passwords or biometrics.
Attestation: lets the TEE prove to a remote party what code it is running (a measurement of the enclave, signed by a hardware-rooted key), so that party can decide whether to trust it before sending it secrets; this is what enables trust in distributed systems.
Secure storage: offers encrypted storage for sensitive data, with keys bound to the specific hardware that cannot be extracted.
Intel SGX (Software Guard Extensions) is the most widely used solution in the blockchain space. It uses the above features to provide confidentiality, integrity and attestation, which can be applied to:
Private key protection
Executing confidential smart contracts
Privacy-preserving oracles
Secure off-chain computation
It's worth noting that while TEEs provide strong security guarantees, the trust model rests on the hardware vendor: users must trust that the manufacturer has not inserted back doors and that its attestation keys are sound, and TEEs have a track record of side-channel attacks that leak enclave data. There still needs to be further research on open-source TEE initiatives.
Zero knowledge (ZK) is a cryptographic technique that allows one party (the prover) to convince another (the verifier) that a statement is true without revealing anything beyond the fact that it is true. This is useful in scenarios like authentication, verifying credentials and private computation. For example, you can prove that you meet a certain condition (such as holding a specific nationality) without revealing any of the details behind it.
Key features of ZK:
Completeness: if the statement is true, an honest prover convinces an honest verifier
Soundness: if the statement is false, no cheating prover can convince the verifier (except with negligible probability)
Zero knowledge: the verifier learns nothing except that the statement is true; formally, everything it sees could have been simulated without the prover's secret
Types of ZK:
ZK-SNARKs: succinct, non-interactive proofs that are small and cheap to verify, but most constructions require a trusted setup.
ZK-STARKs: transparent (no trusted setup) and scalable proofs built from hash functions, which also makes them plausibly post-quantum, at the cost of larger proof sizes.
Bulletproofs: compact proofs without a trusted setup, optimized for range proofs and confidential transactions, balancing efficiency with privacy.
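The three properties become tangible in the simplest zero-knowledge protocol, Schnorr’s proof of knowledge of a discrete logarithm. The code below is an added example (mine, not from the original post): it runs the interactive protocol, extracts the witness from two transcripts (soundness), simulates an accepting transcript without the witness (zero knowledge, against an honest verifier) and adds the Fiat-Shamir transform that makes the proof non-interactive. The toy group parameters are assumptions.

```python
import hashlib
import secrets

# Toy group (assumption): safe prime P = 2*QORD + 1, G generates the subgroup of order QORD.
# Real deployments use a 256-bit elliptic-curve group or a 2048-bit+ modulus.
P = 2039
QORD = 1019
G = 4


def keygen():
    """Witness x and public statement y = G^x. The prover will show it knows x."""
    x = secrets.randbelow(QORD - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover picks a fresh nonce r and sends t = G^r."""
    r = secrets.randbelow(QORD)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier sends a random non-zero challenge (soundness error 1/QORD per run)."""
    return secrets.randbelow(QORD - 1) + 1


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod QORD. Reusing r across proofs leaks x (see extract)."""
    return (r + c * x) % QORD


def verify(y, t, c, s):
    """Accept iff G^s == t * y^c: a check that never involves x."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def interactive_proof(x, y):
    """Completeness: an honest prover with the right x always passes."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


def extract(t, c1, s1, c2, s2):
    """Soundness (special soundness): two accepting transcripts with the same t and different
    challenges give x = (s1 - s2) / (c1 - c2). A prover that can answer two challenges knows x,
    and a nonce reused under two challenges reveals the key."""
    return (s1 - s2) * pow(c1 - c2, -1, QORD) % QORD


def simulate(y):
    """Zero knowledge: choose c and s first, then solve for t = G^s * y^(-c). The transcript
    verifies and is distributed like a real one, yet was produced without x, so a real
    transcript cannot teach an honest verifier anything it could not have made itself."""
    c = secrets.randbelow(QORD - 1) + 1
    s = secrets.randbelow(QORD)
    t = pow(G, s, P) * pow(y, -c, P) % P
    return t, c, s


def _hash_challenge(y, t, message):
    data = b"|".join(str(v).encode() for v in (P, G, y, t)) + b"|" + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % QORD


def fiat_shamir_prove(x, y, message=b""):
    """Non-interactive variant: the challenge is a hash of the statement and commitment
    (the transform that turns sigma protocols into non-interactive proofs and signatures)."""
    r, t = prover_commit()
    return t, prover_respond(x, r, _hash_challenge(y, t, message))


def fiat_shamir_verify(y, proof, message=b""):
    t, s = proof
    return verify(y, t, _hash_challenge(y, t, message), s)
```

The extractor is also the practical warning behind every Schnorr-style scheme: a signing nonce reused for two messages hands the private key to anyone who sees both signatures.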
In Web3, ZK helps power privacy-preserving transactions by allowing the validation of actions—such as transferring assets—without exposing sensitive data like sender, recipient, or transaction amounts. It also enables secure, private voting systems, auctions, and identity verification.
Note: the ZK ecosystem is quite large and there are some projects I may not have been aware of. Also my weakest section so feel free to provide further context.
Great, you’ve now got an overview of the different PETs and how they interplay with the web3 ecosystem, but how do they differ from one another?
I will use the example of a decentralized exchange (DEX) and sketch a version built on each of MPC, FHE, TEE and ZK.
MPCDex:
Enables private order matching without revealing individual orders
Each order is secret-shared or encrypted across multiple nodes
The nodes jointly run the matching computation
Only the result (the matches) is revealed; the orders themselves remain private
Benefits
Challenges
Multiple rounds of communication and
Requires a costly pre-processing (offline) phase before the online MPC computation can run
FHEDex
Users submit homomorphically encrypted orders, and the DEX runs the matching computation directly on the encrypted orders
Results are returned to users, who decrypt their own matched orders
Benefits
Challenges
TEEDex
Users encrypt their order with the enclave's public key (obtained and checked via attestation)
The enclave decrypts and processes the order inside the protected environment
Results are released from the enclave
Benefits
Challenges
Relies on trust in the hardware manufacturer
Potential side-channel attacks against the enclave
ZKDex
*Note: Pure ZK proofs alone can't perform this cross-user comparison while maintaining privacy*
Instead of revealing the order details, users submit an encrypted order along with a ZK proof of the order's validity. The DEX executes the trade after verifying the proof, without learning any sensitive information about the order.
Benefits
Privacy guarantees
Proofs can be verified on-chain
Challenges
Generating proofs can be computationally intensive
Complex trading logic adds proving overhead
A summary table is below:
Note: this is not a complete or fully accurate comparison, but it serves as a guide.
So do these systems work independently of each other or can they complement each other?
This question comes up a lot when using PET technologies. There are benefits, but also challenges, in combining different approaches. Borrowing from Ethan Buchman’s talk at Modular Summit and AdenDRInWeb3’s thread comparing PETs, several combinations are being explored in the space:
TEE + ZKP: Efficient verification of secure enclave computations
TEE + MPC: High-bandwidth, secure multi-party systems
FHE + MPC: Enhanced security for MPC protocols
Others…
This is a part I would like to research and understand better. If we can explore different combinations without giving up too much in tradeoffs, it will strengthen the adoption of PETs.
PETs are awesome and are leading the path to a privacy-preserving future. Progress in each category will continue, and the PETs will be combined as they mature. They work well independently but will most likely borrow from one another to become more efficient. I find this quote from AdenDRInWeb3 on X a good summary:
The future of privacy tech lies not in a single solution, but in a versatile toolkit addressing diverse challenges. Interdisciplinary collaboration may yield the most promising advances…
We need to live in a world where our data is not compromised, one held together by integrity and privacy. Cryptography, via PETs, offers that.
Hopefully you enjoyed this piece and let me know if you have any feedback. I’m reachable via X/Twitter.
Thank you to Miguel + Jose for their reviews on this.
These resources (blogs, papers and podcasts) helped me understand these concepts better.
History of Bitcoin and Decentralization
Before Bitcoin Pt.1 — 70s “Public Key Saga” by Pet3r Pan
Before Bitcoin Pt.2 — 80s “The Origins of Decentralization” by Pet3r Pan
Before Bitcoin Pt.3 — 90s “Cryptowars” by Pet3r Pan
Before Bitcoin: Pt.4 — 00s “New Millenium” by Pet3r Pan
Technical Papers
New Directions in Cryptography by Diffie, W. and Hellman, M.E. (1976)
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems by Rivest, R.L., Shamir, A. and Adleman, L. (1977)
Secure Communications over Insecure Channels by Merkle, R.C. (1978)
Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms by Chaum, D. (1981)
How to Generate and Exchange Secrets (the garbled-circuits paper) by Yao, A. (1986)
FHE
Podcast
ZK
Podcast
TEE
How to Win Friends and TEE-Influence People - Modular Summit - Ethan Buchman (Cosmos)
Threads
Privacy Tech Overview: ZK, FHE, MPC, and TEEs by AdenDRinWeb3
A thread on accountability in Multi-Party Computation (MPC) by Wei Dai
FHE trust-minimized applications by Wei Dai