Why Choose Garbled Circuits
Unlike the gcEVM, most privacy-preserving solutions feature a proprietary execution environment (i.e., not the EVM) and/or a proprietary programming language (see Partisia, Secret, Oasis, Aztec, Starkware). As a result, they forfeit much of the extensive ecosystem and tooling that has evolved around the EVM standard.
Opting for a garbled-circuit-based MPC aligns with several critical metrics:
Modularity
The garbled-circuit-based solution is structured into two independent phases, termed 'Garbling' and 'Evaluation'. The Garbling phase involves significant computation by the network nodes (the 'garblers') and is conducted 'offline' in a pre-processing stage, producing a garbled circuit, a secure container for data processing. This phase continually generates garbled circuits for subsequent use during the Evaluation phase, where actual transactions are processed (runtime).
The Evaluation phase is executed by the network nodes in an exceedingly efficient manner. This modular approach is elegant and establishes a 'privacy supply chain'.
Security
Amidst various encryption schemes, the gcEVM aspires to align with industry standards right from the start, rather than introducing proprietary, yet-to-be-standardized encryption and zero-knowledge schemes.
The gcEVM employs encryption schemes already widely adopted by the world's most secure systems, namely standardized symmetric-key schemes for encryption (AES-CTR), easing adoption today by eliminating the need for prolonged standardization processes of new schemes.
Contrary to other MPC methods, garbled-circuits facilitate an efficient integration of these encryption schemes within a circuit that can be securely evaluated in a distributed manner. Furthermore, efficient garbling schemes (e.g., Original Yao and Half-Gates) depend on standardized symmetric cryptographic primitives for their security, thereby enhancing trust. These primitives are also available in versions with longer key lengths, positioning them as post-quantum ready.
Privacy and public auditability
In recent years, numerous initiatives have sought to enhance on-chain privacy via powerful zero-knowledge proof techniques (ZKP). While ZKP allows data owners to verify the correctness of statements about their data without revealing the data itself, it falls short in scenarios involving multiple data owners who wish to collaborate based on their private data (aka private shared state). This is vital for a range of blockchain applications, from dynamic identity systems and DeFi applications like AMM to portfolio management, social trading, auctions, governance, and more.
Our approach to on-chain privacy is driven by a secure MPC (Multi-Party Computation) protocol, where users' private data is encrypted before being incorporated in their transactions. Here, any process (smart contract), with either public or private logic, can be applied to the data without disclosing anything unless the end-user consents. A special requirement that may be crucial in many settings is ensuring that computations, even on ciphertexts, are publicly auditable, thereby mitigating the risk of manipulation or theft of funds through 'silent collusion' among all parties. In practical terms, any state transition is deemed invalid if it fails public audit.
Garbled circuits are a natural candidate to satisfy that requirement, as the garbled circuits themselves are public, and it only remains for the auditor to ensure that the input labels are obtained faithfully.
Performance
With the objective of optimizing real-time transaction processing involving private data, having pre-prepared garbled circuits enables nodes participating in the Evaluation phase to achieve a high transaction throughput. The low-latency characteristic of garbled-circuit-based MPC ensures that the number of communication rounds between nodes is constant and does not depend on the number of parties involved or the complexity of the transaction. Crucially, the technologies underpinning both the Garbling and Evaluation phases are ready for implementation on current devices (including mobile), without the need for specialized hardware or awaiting significant advancements in research.
Leveraging the offline-online model of garbled circuits in its basic form is not feasible because transactions (and thus the confidential computing workload) arrive spontaneously from end-users, necessitating real-time garbling. To address this challenge, we propose a framework where garblers, without knowledge of future transactions, produce garbled circuits for atomic operations (e.g., ADD256, MULT256, LEQ256) during an offline phase. Then, once transactions are finalized, evaluators quickly stitch these pre-garbled circuits together in a constant number of rounds. This approach yields a constant-round protocol capable of handling an entire transaction (or even a block), despite the fact that the transaction details are unknown a priori.
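To make the two phases described under Modularity concrete, the following is an added textbook example (not gcEVM's own code) of a Yao-style garbled circuit with point-and-permute: the garbler builds encrypted gate tables offline, and the evaluator later computes (a AND b) OR c holding only one label per input wire. SHA-256 stands in for the symmetric primitive, and the two gates share wire labels at garbling time rather than being stitched from independently pre-garbled circuits as the page describes.

```python
import hashlib
import secrets

# Added example: textbook Yao-style garbled circuit (point-and-permute),
# not gcEVM's own code. SHA-256 stands in for the symmetric primitive.
LABEL_BYTES = 16

def new_wire():
    """Garbler picks a random label pair (for 0 and 1) with opposite colour bits."""
    l0, l1 = bytearray(secrets.token_bytes(LABEL_BYTES)), bytearray(secrets.token_bytes(LABEL_BYTES))
    c = secrets.randbits(1)
    l0[-1], l1[-1] = (l0[-1] & 0xFE) | c, (l1[-1] & 0xFE) | (c ^ 1)
    return bytes(l0), bytes(l1)

def colour(label):
    return label[-1] & 1  # public permutation bit; reveals nothing about the wire value

def kdf(la, lb, gate_id):
    """Row key derived from the two input labels and the gate id (hash in place of AES)."""
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()[:LABEL_BYTES]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(gate_id, wire_a, wire_b, wire_out, func):
    """Offline phase: 4-row table, row = Enc(label_a, label_b)(output label), indexed by colours."""
    table = [None] * 4
    for bit_a in (0, 1):
        for bit_b in (0, 1):
            la, lb = wire_a[bit_a], wire_b[bit_b]
            table[(colour(la) << 1) | colour(lb)] = xor(kdf(la, lb, gate_id), wire_out[func(bit_a, bit_b)])
    return table

def evaluate_gate(gate_id, table, la, lb):
    """Online phase: evaluator knows one label per input and recovers exactly one output label."""
    return xor(table[(colour(la) << 1) | colour(lb)], kdf(la, lb, gate_id))

def run_circuit(a, b, c):
    """Computes (a AND b) OR c: garble both gates offline, then evaluate with input labels only."""
    wa, wb, wc, w_and, w_out = (new_wire() for _ in range(5))
    g0 = garble_gate(0, wa, wb, w_and, lambda x, y: x & y)
    g1 = garble_gate(1, w_and, wc, w_out, lambda x, y: x | y)  # gate 1 consumes gate 0's output wire
    decode = {w_out[0]: 0, w_out[1]: 1}  # output decoding map published by the garbler
    # The evaluator receives one label per input wire (via oblivious transfer in a real protocol)
    l_and = evaluate_gate(0, g0, wa[a], wb[b])
    return decode[evaluate_gate(1, g1, l_and, wc[c])]
```

The garbled tables and decoding map are public, which is what lets an auditor check the evaluation; only the input labels must be obtained faithfully.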
End-user experience
While preserving the security properties highlighted above, submitting private data to the network resembles sending data over a TLS channel, employing a symmetric-key encryption scheme. This means devices today are already equipped to interact with the network using standard protocols and widely known software libraries. This compatibility extends to software operating on personal computers, web browsers, smartphones, smart sensors, and potentially any IoT device.
In comparison, authenticated encryption in fhEVM requires a substantial zero-knowledge proof of knowledge (ZKPoK) of the ciphertext, computed on the end-user’s device, to guard against “ciphertext theft attacks” arising from the malleability of FHE. By contrast, gcEVM implements authenticated encryption through conventional symmetric key encryption and signature schemes.
Summary
This holistic approach to on-chain privacy underscores our commitment to security, privacy, efficiency, and a user-centric experience, delivered through a garbled-circuit-based protocol.