Transcription of Phala Network: A Con dential Smart Contract Network Based ...
1 Phala Network : A Confidential Smart ContractNetwork Based on PolkadotHang YinShunfan ZhouJun JiangOctober 17, 20191 IntroductionNowadays the security of the permissionless blockchain is typically guaranteedby state replication over consensus algorithms. Though this approach workswell for blockchain, it also means that everything on the blockchain ispublic,which brings a problem: confidential information cannot be handled by theblockchain. The lack of confidentiality greatly limits the usage of blockchain inprocessing sensitive business and user data. For example, stock traders usuallydo not want to reveal their positions or order history. What s more, all of theprivacy-related DApps on the Ethereum cannot comply with the General DataProtection Regulation and thus will be prevented in European methodologies have been proposed to address the privacy and Zcash implemented private transaction by ring signature [13] andzk-SNARK [11] technology, but their methods can only provide privacy for cryp-tocurrencies and are hard to be extended to general-purpose Smart (Multi-Party Computing)
2 Can theoretically run arbitrary programs with-out revealing intermediate states to the participants, with the expense of a per-formance overhead of 106times [9], which makes it impractical for real worlduse new approach is to utilize special hardware, , Trusted Execution En-vironment (TEE) [8]. TEE is a special area in some processors that provides ahigher level of security including isolated execution, code integration, and stateconfidentiality. Naive TEE as a computing platform has several shortages, suchas the lack of a reliable time source and availability [9] fixed these problems by introducing a TEE-blockchain hybridarchitecture and implemented a high performance confidential Smart contractplatform.
3 However, contracts in Ekiden are isolated, which means the contractscannot interoperate with each other, let alone external blockchains. Interoper-ability is a keystone of modern Smart contracts. For example, 8 of the top 10contracts in Ethereum, the largest Smart Contract platform in the world, relyon functions invocations or money transferring to at least one other interoperability, contracts cannot read information or call functionsfrom other Smart contracts. What s more, the use of self-defined tokens, one1 SGX EnclaveCodeUsersRA QuoteRA Quotesigned by IntelTLSF igure 1: Intel SGX remote attestation the most common cases in Smart Contract usages, is unachievable if all thecontracts cannot access the token this paper, we present Phala Network , a novel cross-chain interoperableconfidential Smart Contract Network as a Polkadot parachain [10].
4 We intro-duce anEvent Sourcing / Command Query Responsibility Segregation[4, 3]architecture into a TEE-blockchain hybrid system to achieve cross- Contract andcross-chain interoperability for confidential Smart contracts. We further de-signed a Libra-Polkadot bridge to implement a privacy-preserving Libra Coinby confidential Intel SGX: A TEE ImplementationIntel SGX [6] is a popular implementation of TEE. It runs code inside a special Enclave so that the execution of the code is deterministic, , not affectedby other processes or underlying operating system, and the intermediate statesis not leaked. In a properly set up system, Intel SGX can defend the attacksfrom the OS layer and hardware ensure the execution is finished as expected inside an enclave, a proofcan be generated according to a protocol calledRemote Attestation.
5 Thehardware can generate anattestation quotebased on the details of hardware,firmware, the code being executed inside the enclave, and other user-defineddata produced by the code. The quote is signed by the trusted hardware withcredentials embedded during the production , the generated attestation quote is sent to the Intel Remote AttestationService. Intel will sign the quote iff the signing credentials are valid. As eachcredential is uniquely bound to an Intel CPU unit, fake attestation quotes will2never pass the Remote Attestation Service , the attestation quote signed by Intel serves as the proof of a success-ful execution. It proves that specific code has been run inside an SGX enclaveand produces certain output, which implies the confidentiality and the correct-ness of the execution.
6 The proof can be published and validated by anyone withgeneric SGX and the Remote Attestation protocol is the foundation of confiden-tial Contract . Except for Intel SGX, there are also alternative implementationchoices like AMD SEV [1] and ARM TrustZone [2]. Event Sourcing and CQRSE vent Sourcing is a software design pattern. Instead of storing the latest state ofthe data, the events causing state transition are recorded in an append-only events are timestamped and can be replayed to reconstruct the state of anytime. Since the events are timestamped, the state of the system is Query Responsibility Segregation (CQRS) is a design pattern bywhich the read operations and write operations are handled separately.
7 In aCQRS and Event Sourcing combined system, the write operations are recordedas the events and the read operations can be served by the current view of thestate. This pattern make a system easy to scale up and avoid native CPU performance and better security, each confidential contractis bound to only a single or a small set of TEEs as the executor. By this design,the Contract state is isolated from each other without consistency guarantee. Itbecomes a trouble for cross- Contract and even cross-chain it s hard to keep a strong consistency over the states, contracts canstill communicate by passing messages to each other on the premise that statetransition is still deterministic. In an Event Sourcing / CQRS design, the com-mands can be initiated from users or contracts and are timestamped on theblockchain strictly.
8 It guarantees the global state is deterministic and thereforeenables message passing between contracts. Message passing is a primitive toimplement higher level interoperability like Contract invocation and token trans-ferring. The read-only operations are not timestamped for better Confidential ContractPhala Network aims to build a platform for general-purpose privacy-preservingTuring-Complete Smart contracts. The basic requirements for such a platformcould be as follows. the existing blockchains for Smart contracts, PhalaNetwork avoids the leakage of any input, output, or intermediate state of con-fidential Contract . Only authorized queries to the Contract will be answered. Code can verify that an output is produced by a specificsmart Contract published on the State can verify that an execution happened at acertain blockchain height, which implies the output of the execution is subjectto a certain chain state.
9 Must not be a single point of failure such as disconnec-tion of the miner. can interoperate with each other and existing TEE solutions, , Intel SGX, can only prevent the leakageof sensitive information during the execution ofisolatedprograms, and provideno guarantee on availability or verification of input data. Thus it requires acarefully-designed infrastructure to integrate TEE into blockchain to meet therequirements are going to introduce the design of Phala Network and how it fulfillsthe above requirements in the following Abstraction of Confidential ContractA typical Smart Contract can be regarded as a state machine of a current statesnand a state transition functionf, which takes input eventenand last statesn 1to produce the latest statesn:sn=f(sn 1, en)Since the state transition process happens inside the enclave, any of itsintermediate states remains invisible to outside.
10 We can further encrypt thereached state and input event to prevent the attackers from inferring the internalstate of Contract with event the cipher ofsnandcenbe the cipher ofen, the state transitionfunction of a confidential contractpcan be represented as:csn=p(csn 1, cen)(1)p(csn 1, cen) = Enc(f(Dec(csn 1),Dec(cen)))(2)where Enc and Dec can be carefully-chosen symmetric encryption and de-cryption functions subject to the the existing Smart Contract , a confidential Contract doesn t exposeany information outside the enclave by default. To answer authorized queries,we introduce a query functionqwhich takes the current encrypted statecsn,query parametersparasand user s identityI(usually a pubkey) as input andreturns the responser:r=q(csn, paras, I)The confidential Contract must first validate the identity of the user andthen respond to her query.