emilianobonassi / zkFHE

Verifiable and confidential computation based on ZKP and FHE, powered by risc0 zkVM.
Apache License 2.0

Isn't this project only zkHE? #3

Open samlaf opened 10 months ago

samlaf commented 10 months ago

Looks like an awesome project that I need to understand better. As a starting question, isn't this just homomorphic (not fully) encryption though? You use the cupcake library which only supports additions (not multiplications).

emilianobonassi commented 10 months ago

Thanks for the interest @samlaf

yep, the original goal was to show a PoC for making FHE verifiable with zk using something like Zama, but it was too heavy that day

so I fell back on a simple version of HE, i.e. cupcake

there are recent advancements, below some pointers:

I like these topics so happy to collab. What are you looking to build?

emilianobonassi commented 10 months ago

btw, I think zk and fhe could be good techs to explore for MEV related challenges/proposals like inclusion proofs, mempool encryption, PBS

samlaf commented 10 months ago

Thanks for the links! FHE is still very new to me, but def interested in exploring more. I don't understand what "making FHE verifiable with zk" means. I always assumed the opposite was needed: that fhe requires zk proofs that the input it is about to compute on was correctly encrypted (and doesn't contain data that would break my server's data structure, say by forcing double payment or something).

I'd be curious to know how you think fhe/zk can help with mempool encryption.

One problem I'm interested in solving is doing private DAS (aka having a network of nodes being able to do DAS on a server that holds the data, without leaking metadata such as IP address, so that the server can't selectively disclose information to only the light nodes it desires and hence manipulate the network). Typical approaches to this problem are "put a mixnet in front of DAS", but I've recently stumbled upon the idea of Private Information Retrieval (e.g. https://www.youtube.com/watch?v=1cd4t9OL0iM&list=PLuhRWgmPaHtSEv2DM9J7nSvN7dnVFMM6q&index=140&t=1339s), which seems like it could be used here. It seems like there's also an HE/FHE solution lurking in the background (or TEE with ORAM), but I'd be curious for any thoughts on this.

emilianobonassi commented 10 months ago

Yep, that's another guarantee you can add.

The TLDR for wrapping an FHE with zk is this thread

Re mempool encryption, fhe on the mempool means you can hide block content but be sure you exec the ordering/inclusion as intended. Btw it's still an open problem; zk can tackle it from a different perspective like delayed inclusion with commitment, e.g. you ask to be included providing a proof for the block without providing it, providing it only at a late stage, but you cannot cheat because you committed to it with zk. Would love to hear yours.

Re private DAS, that's pretty interesting, PIR is a good tech. I found Blyss this summer during zk conf in Paris, I recommend taking a look. On the other hand, probably you can map DAS to some data science problem, so I would also look at OpenMined

Don't know at all TEE with ORAM, do you have any good pointers?

samlaf commented 10 months ago

Ah makes total sense. So the zkp I was talking about was for the client to prove the authenticity of the input data it's sending, whereas the zkp you're talking about is for the server to prove the authenticity of the output it's sending back (that it was calculated properly). Kind of sounds like the reverse of "two-way" TLS sessions for some reason haha. In TLS sessions the server always authenticates itself to the client, and only two-way TLS sessions have the client also authenticate itself. Here with fhe servers it seems like it's the opposite. The client always has to authenticate its input to the server, and sometimes the user might also want a zkp to authenticate the output (if it doesn't have some other way to authenticate it).

Is it fair also to say that with TEE you get privacy + authenticity, whereas FHE only gives privacy, and you need to combine it with zkps to get authenticity? zk by itself, when used for scalability (some external server is computing something for you) loses the privacy feature.

I guess by fhe mempool, you just mean fhevm right? Like what Zama is building? Because there are schemes for threshold encrypted mempools which give you "fair" ordering guarantees, and they don't require FHE at all: you threshold decrypt the txs after having committed to them, and only then execute them. See e.g. Shutter Network.

Will look at those references, thanks!
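The commit-then-threshold-decrypt pattern described in this reply (and the "delayed inclusion with commitment" idea in the reply before it) can be walked through end to end in a small simulation. The following is an added example written for this thread; it is not Shutter Network's protocol and not code from this repository. It deliberately simplifies: each round's transactions are encrypted under one symmetric key that is Shamir-split among a keeper committee, whereas a real threshold-encryption mempool uses distributed key generation and threshold decryption of an asymmetric scheme so that no single party ever holds the key. The keeper count, threshold and transaction strings are constructed for the demo.

```python
"""Commit to an ordering of encrypted txs, then threshold-decrypt and execute.

Added example; not Shutter Network's protocol and not zkFHE code. The symmetric
key split with Shamir secret sharing stands in for a real threshold scheme.
"""
import hashlib
import secrets

FIELD = 2**127 - 1  # Mersenne prime; Shamir arithmetic is done mod this


def split_secret(secret, n_shares, threshold):
    """Shamir split: random polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(FIELD) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % FIELD
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0; needs at least `threshold` shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        secret = (secret + yi * num * pow(den, -1, FIELD)) % FIELD
    return secret


def keystream(key, length):
    """Keystream from the round key: SHA-256 in counter mode (demo construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_tx(key, tx):
    """XOR stream cipher; symmetric, so the same function decrypts."""
    return bytes(a ^ b for a, b in zip(tx, keystream(key, len(tx))))


decrypt_tx = encrypt_tx


def commit_ordering(ciphertexts):
    """Proposer commits to an order of ciphertexts before anyone can read them."""
    h = hashlib.sha256()
    for c in ciphertexts:
        h.update(hashlib.sha256(c).digest())
    return h.hexdigest()


def execute_committed(commitment, ciphertexts, key):
    """Validator side: refuse to execute if the order differs from the commitment."""
    if commit_ordering(ciphertexts) != commitment:
        raise ValueError("ciphertext order does not match the commitment")
    return [decrypt_tx(key, c) for c in ciphertexts]


def run_round(txs, keepers=5, threshold=3):
    """Full round: encrypt, commit order, keepers release shares, decrypt, execute."""
    key = secrets.randbelow(FIELD)
    shares = split_secret(key, keepers, threshold)
    ciphertexts = [encrypt_tx(key, tx) for tx in txs]
    commitment = commit_ordering(ciphertexts)
    # Only after the commitment is final do `threshold` keepers release shares.
    # Fewer than `threshold` shares reveal nothing about the key.
    released = shares[1:1 + threshold]  # e.g. keepers 2, 3, 4
    recovered = recover_secret(released)
    executed = execute_committed(commitment, ciphertexts, recovered)
    return recovered == key, executed


if __name__ == "__main__":
    ok, order = run_round([b"tx:alice->bob:5", b"tx:carol->dave:2"])
    print(ok, order)
```

The ordering guarantee comes entirely from the sequencing: the commitment is published while the transactions are still opaque, keepers withhold their shares until then, and `execute_committed` rejects any reordering of the ciphertexts it is given. Nothing in the round requires homomorphic computation, which is the point of the comparison with an fhevm-style design.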

for tee and oram, see for eg