HoneyBadgerMPC is a robust MPC-based confidentiality layer for blockchains.
Compared to other blockchain privacy techniques, like zero knowledge proofs, the main appeal of HoneyBadgerMPC is that it is much more flexible --- MPC can be used to write arbitrary smart contracts that compute on secret data, while providing availability, integrity, and confidentiality guarantees. While there are many MPC implementations, HoneyBadgerMPC is uniquely suited for blockchain integration because of its focus on robustness --- it is the first MPC toolkit to provide guaranteed output in spite of Byzantine faults.
HoneyBadgerMPC is a research prototype, and is best used for prototyping, proofs of concept, and benchmarking experiments. As a library, HoneyBadgerMPC provides a python-based programming environment for writing custom MPC programs. The programs can be run in several ways:
apps/tutorial/
for a walkthrough that explains some sample MPC programs and shows how to run in different modesSecure Multiparty Computation (MPC) is about computing on secret-shared data. For each piece of confidential data x
, each of the n
server nodes stores a different share [x]
. Any t
of the servers can be compromised without revealing any information about the confidential data. However, as long as n-t
parties are runnng correctly, they can work together to perform arbitrary computations and disclose only the outputs, leaking no additional information about the inputs.
The HoneyBadgerMPC protocol is based on known MPC techniques, carefully selected to achieve the robustness goals. HoneyBadgerMPC consists of three main phases:
[r]
. A client retrieves shares of this mask from the servers and reconstructs r
, and then publishes their masked message (m+r)
. The servers obtain their share of the input as [m] := (m+r)-[r]
.Our programming model is mainly inspired by Viff. In fact our codebase began as a rewrite of Viff, porting it to Python3/asyncio
rather than Python2/Twisted
.
The programming model is based on Python mixins, which extend a Share
that represents a pipelined MPC computation.
To reach agreement on the published inputs, we make use of either the built-in asynchronous broadcast protocol (a port of HoneyBadgerBFT), or else an external blockchain service (See Fabric Integration and Ethereum Integration).
mpc.py
, batch_reconstruction.py
, taskprogramrunner.py
, reed_solomon.py
Our share reconstruction implementation is aggressively batched, and uses C++ and the NTL library for performance.The bottleneck operation in MPC is generally batch reconstruction of secret-shared values. Here the batch operations are implemented in C++ using the NTL library, and wrapped using Cython. We implement both FFT-based (quasilinear) and matrix based (superlinear). (TODO: link to benchmarks about FFT vs matrix mul)
RanDouSha
[BH08]. See offline_randousha.py
For more detail on the HoneyBadgerMPC components, see docs/subprotocols.rst.
Compared to oher MPC toolkit implementations (http://www.multipartycomputation.com/mpc-software, https://github.com/rdragos/awesome-mpc#software), HoneyBadgerMPC is unique in that it focuses on robustness.
In a network of n
server nodes, assuming at most t<n/3
are compromised, then HonyeBadgerMPC provides confidentiality, integrity, and availability guarantees. In MPC terminology, it is asynchronous, provides active security, has linear communication overhead, and guarantees output delivery.
Other MPC toolkits, such as SCALE-MAMBA, Viff, EMP, SPDZ, and others, do not provide guaranteed output delivery, and so if even a single node crashes they stop providing output at all.
Linear communication overhead is about scaling to large network sizes. HoneyBadgerMPC implements aggressive batching and amortization, so as more server nodes are added, the communication cost per server approaches a constant).
So far, one of the main ways to provide privacy for blockchains is to use commitments and zero knowledge proofs. As an alternative, the main advantage of MPC is that it can provide better availability guarantees. With commitments, there is usually a sngle party (the prover) who knows the witness. This becomes a problem when writing general smart contract applications, like auctions or mixers. If the prover aborts the protocol, then the committed data is inaccessible. In MPC, the secret data is stored as secret shares on the server nodes, so if any 1/3 of the server nodes fail, the data is still available.
As an illustration of the use of HoneyBadgerMPC, we include a mixnet application called AsynchroMix.
AsynchroMix provides an anonymous communication service. Compared to alternative mixnet protocols, such as CoinJoin and PathShuffle, the main benefit of AsynchroMix is its robustness - any t
of the servers can fail and the system will still produce guaranteed output.
AsynchroMix explanation is coming soon... TODO
HoneyBadgerMPC is designed to be a useful starting point for other research prototypes involving cryptography and MPC.
We parameterize HoneyBadgerMPC with a finite field based on the BLS12-381 pairing-friendly elliptic curve (the same one used in Zcash Sapling).
The codebase comes with a python wrapper for the rust-based implementation of BLS12-381
(see betterpairing.py
).
This is used to provide constant size polynomial commitments (see the hbavss.py
).
HoneyBadgerMPC also includes an MPC implementation of MiMC
symmetric cryptography (honeybadgermpc/progs/mimc.py
), and the JubJub
elliptic curve for public key cryptography (honeybadgermpc/progs/jubjub.py
).
HoneyBadgerMPC is designed to be linked up with external (transparent) blockchain so it can provide a privacy-preserving extension. The following integration ideas have been explored so far:
apps/asynchromix/asynchromix.py
contains an example web3
(Ethereum) ropsten integration. Run it with python apps/asynchromix/asynchromix.py
. The HoneyBadgerMPC library documentation is under the docs/ directory.
This is an open project we welcome contributions from others. See CONTRIBUTING.md to get started!
See CHANGELOG.md for credits to individual contributors. Work on HoneyBadgerMPC has been funded in part by grants from: