Dynamic Pricing for Non-fungible Resources
Public blockchains implement a fee mechanism to allocate scarce computational resources across competing transactions. Most existing fee market designs utilize a joint, fungible unit of account (e.g., gas in Ethereum) to price otherwise non-fungible resources such as bandwidth, computation, and storage, by hardcoding their relative prices. Fixing the relative price of each resource in this way inhibits granular price discovery, limiting scalability and opening up the possibility of denial-of-service attacks.
  • Theo Diamandis,
  • Alex Evans,
  • Tarun Chitra,
  • Guillermo Angeris
  • Basics
 08.16.22
Optimal Routing for Constant Function Market Makers
We consider the problem of optimally executing an order involving multiple cryptoassets, sometimes called tokens, on a network of multiple constant function market makers (CFMMs). When we ignore the fixed cost associated with executing an order on a CFMM, this optimal routing problem can be cast as a convex optimization problem, which is computationally tractable. When we include the fixed costs, the optimal routing problem is a mixed-integer convex problem, which can be solved using (sometimes slow) global optimization methods, or approximately solved using various heuristics based on convex optimization. The optimal routing problem includes as a special case the problem of identifying an arbitrage present in a network of CFMMs, or certifying that none exists.
  • Guillermo Angeris,
  • Tarun Chitra,
  • Alex Evans,
  • Stephen Boyd
  • MEV
 12.01.21
Replicating Monotonic Payoffs Without Oracles
In this paper, we show that any monotonic payoff can be replicated using only liquidity provider shares in constant function market makers (CFMMs), without the need for additional collateral or oracles. Such payoffs include cash-or-nothing calls and capped calls, among many others, and we give an explicit method for finding a trading function matching these payoffs. For example, this method provides an easy way to show that the trading function for maintaining a portfolio where 50% of the portfolio is allocated in one asset and 50% in the other is exactly the constant product market maker (e.g., Uniswap) from first principles. We additionally provide a simple formula for the total earnings of an arbitrageur who is arbitraging against these CFMMs.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • DeFi
 09.01.21
Constant Function Market Makers: Multi-Asset Trades via Convex Optimization
The rise of Ethereum and other blockchains that support smart contracts has led to the creation of decentralized exchanges (DEXs), such as Uniswap, Balancer, Curve, mStable, and SushiSwap, which enable agents to trade cryptocurrencies without trusting a centralized authority. While traditional exchanges use order books to match and execute trades, DEXs are typically organized as constant function market makers (CFMMs). CFMMs accept and reject proposed trades based on the evaluation of a function that depends on the proposed trade and the current reserves of the DEX. For trades that involve only two assets, CFMMs are easy to understand, via two functions that give the quantity of one asset that must be tendered to receive a given quantity of the other, and vice versa. When more than two assets are being exchanged, it is harder to understand the landscape of possible trades. We observe that various problems of choosing a multi-asset trade can be formulated as convex optimization problems, and can therefore be reliably and efficiently solved.
  • Guillermo Angeris,
  • Akshay Agrawal,
  • Alex Evans,
  • Tarun Chitra,
  • Stephen Boyd
  • Basics,
  • DeFi
 07.01.21
Replicating Market Makers
We present a method for constructing Constant Function Market Makers (CFMMs) whose portfolio value functions match a desired payoff. More specifically, we show that the space of concave, nonnegative, nondecreasing, 1-homogeneous payoff functions and the space of convex CFMMs are equivalent; in other words, every CFMM has a concave, nonnegative, nondecreasing, 1-homogeneous payoff function, and every payoff function with these properties has a corresponding convex CFMM. We demonstrate a simple method for recovering a CFMM trading function that produces this desired payoff. This method uses only basic tools from convex analysis and is intimately related to Fenchel conjugacy. We demonstrate our result by constructing trading functions corresponding to basic payoffs, as well as standard financial derivatives such as options and swaps.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • DeFi
 03.01.21
A Note on Privacy in Constant Function Market Makers
Constant function market makers (CFMMs) such as Uniswap, Balancer, Curve, and mStable, among many others, make up some of the largest decentralized exchanges on Ethereum and other blockchains. Because all transactions are public in current implementations, a natural next question is if there exist similar decentralized exchanges which are privacy-preserving; i.e., if a transaction’s quantities are hidden from the public view, then an adversary cannot correctly reconstruct the traded quantities from other public information. In this note, we show that privacy is impossible with the usual implementations of CFMMs under most reasonable models of an adversary and provide some mitigating strategies.
  • Guillermo Angeris,
  • Alex Evans,
  • Tarun Chitra
  • Privacy
 02.01.21
Optimal Fees for Geometric Mean Market Makers
Constant Function Market Makers (CFMMs) are a family of automated market makers that enable censorship-resistant decentralized exchange on public blockchains. Arbitrage trades have been shown to align the prices reported by CFMMs with those of external markets. These trades impose costs on Liquidity Providers (LPs) who supply reserves to CFMMs. Trading fees have been proposed as a mechanism for compensating LPs for arbitrage losses. However, large fees reduce the accuracy of the prices reported by CFMMs and can cause reserves to deviate from desirable asset compositions. CFMM designers are therefore faced with the problem of how to optimally select fees to attract liquidity. We develop a framework for determining the value to LPs of supplying liquidity to a CFMM with fees when the underlying process follows a general diffusion. Focusing on a popular class of CFMMs which we call Geometric Mean Market Makers (G3Ms), our approach also allows one to select optimal fees for maximizing LP value. We illustrate our methodology by showing that an LP with mean-variance utility will prefer a G3M over all alternative trading strategies as fees approach zero.
  • Guillermo Angeris,
  • Tarun Chitra,
  • Alex Evans,
  • Stephen Boyd
  • DeFi
 01.04.21
Liquidity Provider Returns in Geometric Mean Markets
Geometric mean market makers (G3Ms), such as Uniswap and Balancer, comprise a popular class of automated market makers (AMMs) defined by the following rule: the reserves of the AMM before and after each trade must have the same (weighted) geometric mean. This paper extends several results known for constant-weight G3Ms to the general case of G3Ms with time-varying and potentially stochastic weights. These results include the returns and no-arbitrage prices of liquidity pool (LP) shares that investors receive for supplying liquidity to G3Ms. Using these expressions, we show how to create G3Ms whose LP shares replicate the payoffs of financial derivatives. The resulting hedges are model-independent and exact for derivative contracts whose payoff functions satisfy an elasticity constraint. These strategies allow LP shares to replicate various trading strategies and financial contracts, including standard options. G3Ms are thus shown to be capable of recreating a variety of active trading strategies through passive positions in LP shares.
  • Alex Evans
  • DeFi
 06.01.20
Back

Chosen-Instance Attack

  • Privacy,
  • Research
 12.04.24

How succinct proofs leak information

What happens when a succinct proof does not have the zero-knowledge property? There is a common misconception that “succinct proofs are too short to leak information about the witness”. This is wrong and in the interest of privacy it is very important that we challenge this belief. The Zeitgeist puzzle at ZK Hack V was based on the themes discussed here.

In this post I’ll present what I am calling a “chosen-instance attack”. Reminiscent of chosen-plaintext attacks for encryption schemes, a chosen-instance attack is a concrete procedure that allows an adversary to steal private inputs from an honest SNARK prover. As we will see in this article, the adversary will request multiple proofs from the prover for instances that are distinct but share the same witness. Given the prover’s responses, the adversary can interpolate a polynomial that encodes the witness. Beyond the technical description of the attack, we’ll also discuss how this scenario can arise very naturally in deployed systems.

Throughout, I’ll assume that readers have some familiarity with succinct proofs, including notions such as “$\mathsf{NP}$ relations”, “instance”, “witness”, “SNARK” and “IOP”/”polyIOP”. As a quick primer, you can read “$\mathsf{NP}$ relation” to mean circuit, “instance” to mean public inputs, “witness” to mean private inputs and intermediate computation steps/wires; “SNARKs” are our beloved succinct proofs and “IOP”/”polyIOP” are their primary building blocks. For a more complete introduction, I suggest you either check out the Introduction to ZK JargonModule 1 of the ZK Whiteboard Sessions or the Chiesa and Yogev textbook [CY24].

Threat model

We focus on non-interactive proof (or argument) systems and consider the following threat model. An adversary $\mathcal{A}$ knows the public inputs to a circuit and interacts with an honest prover $P$ who knows all the other wire values (private inputs and any intermediate computation steps). The adversary can adaptively request proofs from the prover for any public inputs of its choosing. Eventually, the adversary must output the prover’s secret wire values.

Restating the above formally: for any $\mathsf{NP}$ relation $\mathcal{R}$, the prover is given an instance-witness pair $(x,w) \in \mathcal{R}$ and the adversary is given $x$. The adversary is adaptive and has black-box oracle access1 to the honest prover’s output function. The chosen-instance attack is successful if $\mathcal{A}$ outputs $w$ with better than negligible probability. The threat model is illustrated in Figure 1 below.

Figure 1: the chosen-instance attack threat model.

This setting is very common in the wild. For example, in applications that require client-side proofs, the user’s device is the honest prover and the application server can act as the adversary. This is the setting we chose for the ZK Hack puzzle. Alternatively, we could imagine an untrusted server that produces proofs to convince clients of its honesty. A malicious client could try to extract secrets from the server by choosing the statements the server will prove.

Leaky primitives

IOPs. Most modern SNARKs are built from interactive oracle proofs (IOP) or their polynomial variants (polyIOP). The general pattern is the following:

  • Round 1: the prover sends an oracle that, in the honest case, is a polynomial encoding the witness2.
  • Round $i$: the prover sends a “helper” oracle that will allow the verifier to reduce the task of checking properties of the witness to a simpler task.
  • Final round: the verifier queries the witness and helper oracles in one or more random points.

This construction leaks at least one evaluation of the witness polynomial by default. If the witness is encoded into a degree d polynomial, then an adversary can collect $d+1$ proofs and use the evaluations to interpolate and recover the full witness polynomial! It is also common for IOPs to check constraints across $k$ adjacent values of the witness polynomial(s). To do so, these protocols require the prover to open $k$ witness values, cutting the number of proofs from $d+1$ to $\frac{d+1}{k}$.

Compilation using polynomial commitments. The generic IOP above is usually compiled into a SNARK in one of the two following ways. The first is to commit to messages using a polynomial commitment scheme and make the protocol non-interactive using the Fiat-Shamir transform. This yields most of our elliptic curve SNARKs and is a process that does not usually leak further witness evaluations3.

Compilation using IOPPs and Merkle trees. The second method is to engage in an additional protocol attesting that the prover’s messages are “close” to polynomials. This is known as an IOP of Proximity (IOPP); popular examples include FRI [BBHR18] and STIR [ACFY24] amongst many others. The combined protocol (IOP + IOPP) is compiled into a SNARK by running the BCS compiler [BCS16]: we commit to each message with a Merkle tree and make the protocol non-interactive using the Fiat-Shamir transform. This yields most of our hash-based SNARKs. The IOPP compilation method leaks additional evaluations of the witness polynomial. Indeed, known IOPPs require the verifier to repeatedly open values of the oracles being tested. Depending on the security regime and chosen parameters, we usually perform between 20 and 50 openings per proof.

Non-interactive proofs

As we have seen, the interactive building blocks for our SNARKs leak evaluations of the witness polynomial. Extracting the prover’s witness in the interactive setting is relatively easy: run the protocol honestly acting as the verifier and make sure that the evaluation points are distinct in every run. After enough runs, interpolate the witness polynomial.

In the non-interactive setting, things are not so simple. Since we have applied the Fiat-Shamir transform, the verifier’s messages — and therefore evaluation points — are computed deterministically from a hash of the instance and previous prover messages. For a fixed instance-witness pair $(x,w)$, an honest prover will always return the same fixed proof, preventing the adversary from obtained multiple evaluations of the witness polynomial.

The solution is to request proofs for many instances $x_1, x_2, \dots, x_n$ such that these instances are all satisfied by the same witness $w$. Depending on the $\mathsf{NP}$ relation, this might not be possible. In the next section, I’ll argue that this condition is naturally met by very common circuits. For now, let’s assume that there exists such a set of instances.

A direct consequence of using different instances is that the verifier messages derived from the hash function will be different in each execution. This will yield distinct evaluation points across proofs as required! However, in doing so we have complicated the adversary’s task. Indeed, in some arithmetizations the prover’s first message is a polynomial that depends on both the witness and the instance. If we use different instances, the prover’s first message will be different every time; seemingly thwarting our interpolation attack.

Fortunately for our attack, there exists a mathematical trick that allows the adversary to separate the witness-part of the polynomial from the instance-part of the polynomial. The idea is to interpret the combined instance-witness polynomial $\tilde z$ as the sum of two polynomials: the first is an adversary-known polynomial $\tilde x$ that depends only on the instance, the second is a polynomial $\tilde w$ that depends only on the witness. Given an evaluation $\tilde z(p)$ of the combined polynomial at a point $p$, the adversary can evaluate $\tilde x(p)$ and compute $\tilde w(p) = \tilde z (p) − \tilde x (p)$. The trick is illustrated below for an R1CS instance-witness polynomial but can equally be applied to a column of a PLONKish or AIR table.

Figure 2: an illustration of the instance removal trick for an R1CS-formatted instance-witness polynomial $\tilde z$.

Having recovered at least one evaluation of the witness polynomial per proof, the attack can proceed as before: collect enough proofs and interpolate the witness.

Chosen-instance attacks in the wild

At first, it might seem like the attack we described requires a very contrived circuit: there needs to be many instances that are satisfied by the same witness. Furthermore, the adversary starts with only one of those instance; how does it produce more instances that are satisfied by the fixed witness?

It turns out that many circuits exhibit these properties, in particular when “nonces” or “nullifiers” are involved. When dealing with non-interactive proofs, applications must be careful not to allow proofs to be re-used. For example, if Alice produces a proof that her account balance is above 32 ETH, application designers will want to make sure that she cannot spend some ETH and still present the old proof. This is often done by associating a unique public number (nonce) to the proof. When the proof is verified, the public nonce gets added to a log and the proof is marked as “consumed”. If the same proof is presented once again, the verifier will recognize that the nonce was already added to the log, and therefore that the proof should not be accepted again.

This “nullifying” mechanism is great to reject attempts at replaying a proof, but makes it very natural for a prover to prove many different instances with a single witness. Indeed, instead of checking that the public inputs $x$ and witness $w$ satisfy the circuit, we now have public inputs $(x, \mathsf{nonce})$ and witness $w$. The adversary can keep a fixed $x$ and cycle through many values of $\mathsf{nonce}$; meanwhile the prover is stuck using its fixed witness.

Conclusion

While it is true that a single succinct proof is too short to leak the full witness, it is not true that succinct proofs are enough to guarantee privacy. Most of our succinct proofs leak information correlated to private inputs. As a consequence, even a single proof can act as a unique fingerprint for the witness. This is especially true when the proof contains a commitment to the witness.

In some settings — in particular when using nonces to prevent replay attacks — the leakage can be exploited to mount the chosen-instance attack we described above and fully recover the witness. The attack works against any circuit for which many instances are satisfied by a single witness. It is particularly effective against SNARKs that rely on IOPs of Proximity (e.g., FRI, STIR) since these SNARKs leak a bigger number of evaluations per proof.

The chosen-instance attack is only one idea of how to exploit such leaks; there are surely more that are known, and many more that are yet unknown! Therefore, I’ll conclude this article with a final word of warning at the risk of sounding like a broken record: if a system’s proofs are not zero-knowledge, then the system does not guarantee privacy.

References

[ACFY24] Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, and Eylon Yogev (2024). STIR: Reed-Solomon Proximity Testing with Fewer Queries. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14929. Springer, Cham. https://doi.org/10.1007/978-3-031-68403-6_12

[BBHR18] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. Fast Reed-Solomon Interactive Oracle Proofs of Proximity. In 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Leibniz International Proceedings in Informatics (LIPIcs), Volume 107, pp. 14:1-14:17, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2018). https://doi.org/10.4230/LIPIcs.ICALP.2018.14

[BCS16] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner (2016). Interactive Oracle Proofs. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9986. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53644-5_2

[CY24] Alessandro Chiesa, and Eylon Yogev (2024). Building Cryptographic Proofs from Hash Functions. Published online https://snargsbook.org

Footnotes

  1. 1 “Black-box” means that the adversary cannot observe the prover’s program description nor see its internal variables. 
  2. 2 In some IOPs the witness is encoded in more than one polynomial (e.g. Plonk/AIR). The attack procedure will work in the same way for this case, making sure to apply it to each of the witness polynomials. 
  3. 3 For computationally bounded adversaries, assuming that the elliptic curve discrete logarithm problem is hard. 

Share
Contents