
Gmaxwell's “prove how (non)-fractional your Bitcoin reserves are” scheme - sillysaurus2
https://iwilcox.me.uk/v/nofrac
======
sillysaurus2
The developer is Gregory Maxwell, aka nullc. Here's a very interesting thread
in which he proposes that the bitcoin community should demand that every
bitcoin exchange (and every other type of service which can hold bitcoin on
your behalf, like webwallets) continually prove that they are not fractional
reserve. In other words, proof that if every user of the service
simultaneously tries to withdraw all of their bitcoin, then the service would
be able to honor all withdrawal requests:
[http://www.reddit.com/r/Bitcoin/comments/1yj5b5/unverified_p...](http://www.reddit.com/r/Bitcoin/comments/1yj5b5/unverified_pastebin_gmaxwell_irc_log_mtgox_was/cfkze3p?context=1)

 _" I think that as a community we should start demanding these services
continually prove that they are not fractional reserve. We cannot effectively
eliminate the need for trust in these sorts of services, but we can certainly
confine the exposure and eliminate a lot of this drama. With Bitcoin it's
technically possible to prove an entity controls enough coin to cover its
obligations— and even to do so in ways that don't leak other business
information, and so we should. But this isn't something specific about MTGox,
it's something we should demand from all services holding large amounts of
third party Bitcoins. I wouldn't even suggest MTGox should do it first,
rather— it sounds like a great move for their competition to differentiate
themselves."_

Here's the takeaway:

 _" This would leak the total holdings, and some small amount of data about
the number of accounts and distribution of their funds, but far far less than
all the account balances. Importantly, though— it could be implemented in a
few hundred lines of python."_

In case anyone from Coinbase is reading: you have a unique opportunity to be
the first webwallet service to implement this, and thereby make the entire
bitcoin community instantly fall in love with you. It would also set a minimum
standard of quality for webwallet services in general, which would add a lot
of value to the bitcoin ecosystem. It seems like this might be a pretty big
business opportunity.

~~~
mjn
> The developer is Gregory Maxwell, aka nullc.

This guy seems to be everywhere! He's a prolific Wikipedia contributor
(administrator + many thousands of edits), and was also the guy behind the
dump of a ton of pre-1923 JSTOR documents to the Pirate Bay, which in part
helped pressure JSTOR to un-paywall its old/PD articles
([http://arstechnica.com/tech-policy/2011/07/swartz-supporter-...](http://arstechnica.com/tech-policy/2011/07/swartz-supporter-dumps-18592-jstor-docs-on-the-pirate-bay/)).

~~~
chris_wot
The guy was amazing on Wikipedia.

------
aston
Say you were a shady Bitcoin banker with 5000 BTC in deposits, and you wanted
to steal 1000 while still looking like you're on the up-and-up by implementing
this idea.

First, you announce that you only have 4000 BTC in deposits. Then you build
this tree, and at the very bottom layer you add a node with a -1000 balance.
You pair that node with your (or a conspirator's) real node holding more than
1000 so that any node above yours (read: everyone else) sees a positive
balance at every point in the tree. Everyone can verify they're in the tree,
the numbers add up to what you claimed publicly, but you're now successfully
running a fractional reserve! And the only way to uncover such a scheme would
be to publish all of the balances for every account.

Am I missing something?

Edit for clarity: the node you pair with is your own, so that no real user
sees the negative sum.

~~~
vbuterin
Suppose the balance sheet is:

    
    
        [ -1000, 1000, 2000, 2000 ]
    

The Merkle tree is:

    
    
        [ -1000, 1000, 2000, 2000 ]
        [ 0, 4000 ]
        [ 4000 ]
    

You actually owe 5000 BTC, but it seems like you owe 4000 BTC. Seems so far so
good. The problem is, what happens if you try to take advantage of this
opportunity.

Case 1: other people withdraw first.

    
    
        [ -1000, 1000, 0, 0 ]
        [ 0, 0 ]
        [ 0 ]
    

Nobody knows that anything nefarious has gone on. However, everyone else has
successfully gotten their money out so you've actually defrauded no one.

Case 2: you withdraw first.

    
    
        [ -1000, 0, 2000, 2000 ]
        [ -1000, 4000 ]
        [ 3000 ]
    

Now, the other 2 users actually can see that something is wrong, because the
Merkle branch will have a -1000 BTC node sticking out.

So in theory, as long as there exist users who don't check their Merkle
branches, and those users are identifiable, it probably is possible to run a
slight fractional reserve undetected. So the protocol is suboptimal. But it's
not really "broken". I do wonder if it can be improved though, perhaps with
some kind of ZKP protocol.

~~~
nullc
Oh sure, you can sum and compare the balances under ZKP and even hide the
total amount. But the problem is that as soon as you invoke a ZKP for general
computation you take it into the realm of barely practical moon math.

... And you still don't fix the problem that balances which are unchecked can
be diverted.

In the IRC log I posted I went on to suggest that a service could have a rule
that _permitted_ them to take your balance if you don't check it periodically—
e.g. they could just withdraw it into their own pocket. You could prove you
checked it (or that you tried and they wouldn't let you). By doing so you'd
actually create a real incentive for people to check, though I suspect
boobytrapped balances wouldn't be very welcome.

Regardless— it still confines the extent of fraud that is possible.

~~~
vbuterin
One way to defeat the "hide the negative balances inside a subtree of
technologically clueless grandmas" attack might be to generate the tree using
some easily verifiable deterministic algorithm (ie. alphabetic order of hashes
of some user data), and perhaps even have several trees. It's not perfect, but
it could help reduce the problems, although perhaps at the expense of some
additional privacy.

> And you still don't fix the problem that balances which are unchecked can be
> diverted.

Okay, I'll admit I might be missing something here; what do you mean by that?
The exchange isn't storing each user's bitcoins separately; that requires one
TX per user to maintain anyway. It should be storing them all under a single
HD wallet and publicly releasing the MPK, so users can take the MPK and use it
to verify that the exchange actually has 5000 BTC, the Merkle root says 5000
BTC, and their Merkle branch is correct. The exchange can't spend "unchecked
bitcoins" or "checked bitcoins"; they're all just bitcoins under the same HD
wallet, and spending any of them would trigger an alarm.

~~~
nullc
> > And you still don't fix the problem that balances which are unchecked can
> be diverted.

> Okay, I'll admit I might be missing something here; what do you mean by
> that?

Say Alice _never_ logs in anymore and the site has noticed this. The site can
just go "oh Alice, her balance is now 0" and go and gamble away those coins—
sure, their holdings go down, but so do their obligations. Since Alice never
logs in anymore, she's not going to protest that her coins are all gone.

~~~
vbuterin
Ah okay, that makes sense. You're completely right that that's not really
solvable in general.

Unless, of course, we finally switch over to a public/private key based login
system and each user's balance sheet is composed of a set of authorized/signed
deposits, trades and withdrawals (ie. a full blockchain, but centralized and
"mined" only by the exchange's server). I wonder what possibilities that kind
of setup would open.

~~~
nullc
Go read that IRC log. :)

------
patcon
Not to discredit the very capable developers discussing this, but in the
interest for giving credit where credit is due, didn't Peter Todd suggest this
back in his Bitcoin 2013 presentation on off-chain transactions? I seem to
remember him explaining something similar on a rooftop patio in Toronto last
spring after a Bitcoin Toronto meetup.

EDIT:
[http://www.youtube.com/watch?v=4d3LA8KpdMQ#t=6m45s](http://www.youtube.com/watch?v=4d3LA8KpdMQ#t=6m45s)

~~~
nullc
I believe this was most extensively discussed as part of a long chat that
Peter Todd was a part of, so no surprise that you've seen him talk about it.
Off-chain banks stuff has been a long term pet interest of his.

In that discussion we applied a merkle-sum tree data-structure— a pet
datastructure that I'd previously proposed for making compact proofs of
blockchain invalidity in Bitcoin (in order to make a future bitcoin world
where no one runs full nodes safe from inflation and theft by miners)— to PT's
bank fraud proofing application.

You may find the log interesting: [https://people.xiph.org/~greg/bitcoin-wizards-fraud-proof.lo...](https://people.xiph.org/~greg/bitcoin-wizards-fraud-proof.log.txt)

Search for "auditable off-chain transactions" and "Merkle-sum-tree"

(I left in a lot of unrelated stuff since it makes the meandering conversation
make a bit more sense. Though a lot of this continues a long running dialog
about cryptographic-wankery that has been going on for years)

Ultimately these schemes require the use of a jamming free broadcast network
of some kind... otherwise they run into the same problems certificate
transparency has where you can substitute the commitment on the fly.
Fortunately, Bitcoin provides a global consensus mechanism which could be used
to directly attach the commitment to the coins being spoken for.

------
Sambdala
If anyone is interested in helping, I'm going to spend my evening trying to
implement this here:
[https://github.com/ConceptPending/proveit](https://github.com/ConceptPending/proveit)

My email is in my profile, and I'm happy to Skype chat with anyone who wants
to help.

~~~
Sambdala
The basic implementation is now complete.

I'll flesh it out a bit better tomorrow.

------
M4v3R
Or, just use a system like the one we use on Bitalo, where fractional reserves
are impossible because of the use of multi-signature Bitcoin addresses, which
means funds are specifically tied to user wallets and exchange operators cannot
use them without the user signing all transactions himself.

~~~
gnaritas
The blockchain can't handle the transaction volume of currency exchanges; that
just won't work.

~~~
mynewwork
Wait, the blockchain can't handle the transaction volume of the trades
happening today?

What happens as businesses (Overstock, etc) start accepting bitcoin? Will
bitcoin never be able to handle the volume of an Amazon or Walmart?

~~~
gnaritas
Exchanges don't trade on the blockchain, only deposits and withdrawals are on
chain. Off chain transactions make up the bulk of transactions as the
blockchain can currently only handle around 7 transactions a second, which is
about twice as much as it's actually being pushed, so there's still room to
breathe.

The same applies to Overstock: Coinbase is doing their transaction processing,
and it's likely most of those are off chain as well, as Coinbase is a broker
that has plenty of coin and dollars in house, is likely where purchasers in the
US got their coin anyway, and is also likely the users' online wallet; they
settle up daily with an exchange to keep their supply at necessary levels.

Bitcoin isn't ready for mass adoption yet; the infrastructure is still being
put into place and the 7 transaction limit has to be removed and exceeded by
quite a bit to grow to the point of being able to handle large-volume kinds of
stuff. In the meantime, and probably even after, off chain transactions will
likely be how most scale is achieved.

~~~
nwh
I don't think we are anywhere near the blocks being half full, lots are less
than 100kB except for Eligius. Is there anywhere displaying this metric?

~~~
gnaritas
I wasn't trying to put a hard number on it; I said about half because that's
the number I keep hearing repeated when discussions occur.

[https://blockchain.info/charts/n-transactions-per-block](https://blockchain.info/charts/n-transactions-per-block)

Lots of other interesting charts there. In any case, it doesn't really matter
as to the main point that exchanges don't do on block trading, the volume
would be far too great for what the network can handle.

------
infruset
At first I was worried about what would happen if the exchange introduced fake
nodes with negative balances at the bottom of the tree, but there would be no
way for them to hide that without the first real customer up to the root
finding out (there would have to be a negative node that he/she could see).
This sounds like a great idea!

~~~
nullc
Unless the negative valued customer and the surrounding customers never logged
in... But that's a limitation of the scheme that can't be avoided. If a user
never logs in you could just steal their balance (and correctly set it to
zero).

You also must make sure that all customers are seeing the same root, and that
you can't do funny business like constantly update it to swap out which
customers you're robbing. (e.g. it should be a daily or weekly updated thing).

~~~
infruset
You've got a point, the root of the tree could be made available to the main
charting sites.. or even weekly written into the blockchain.

As for the negative values, I wasn't thinking of robbing anyone, but just
pretending you are solvent when really you're not. I'm not sure I see what you
mean by "swap out which customers you're robbing", could you expand?

~~~
nullc
E.g. say you have two customers with a balance of 100. You report the total is
100— so 100 BTC has gone missing.

When customer A logs in you give them one root and show them their balance
(and B has a balance of 0). When customer B logs in— oops balances just
update— you show them a new root, and in that one B has a balance of 100.

So you need to pin the commitments strongly enough so that the prover can't
swap them out at will.

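As an added example (not code from this thread, from gmaxwell's IRC proposal, or from the proveit repository linked elsewhere on this page), the following Python builds a minimal merkle-sum tree and runs through the cases discussed above: aston's negative-balance leaf and vbuterin's analysis of who can see it, nullc's point that a never-checked balance can simply be zeroed, and the root-swapping trick nullc describes in this comment. The function names (`build_tree`, `branch_for`, `verify_branch`, `audit`), the hash layout, the user names and balances, and the leaf ordering by hash of user id (vbuterin's suggestion above) are all assumptions of this example; `pinned_root` stands in for whatever the exchange cannot rewrite, such as a weekly commitment in the blockchain, which is not shown.

```python
import hashlib
from typing import Dict, List, Tuple

Node = Tuple[int, bytes]                 # (subtree sum, hash)
Branch = List[Tuple[int, bytes, bool]]   # (sibling sum, sibling hash, sibling is on the left)


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _i64(n: int) -> bytes:
    return n.to_bytes(8, "big", signed=True)


def leaf(user: str, balance: int, nonce: bytes) -> Node:
    # The per-user nonce keeps a sibling leaf hash from revealing whose it is.
    return balance, _h(b"leaf", user.encode(), _i64(balance), nonce)


def parent(left: Node, right: Node) -> Node:
    # Each inner node commits to the sum of its children as well as their hashes.
    s = left[0] + right[0]
    return s, _h(b"node", _i64(s), left[1], right[1])


def build_tree(balances: Dict[str, int], nonces: Dict[str, bytes]):
    # Deterministic leaf order (sorted by hash of user id) so the prover cannot
    # choose who sits next to whom; pad to a power of two with zero-balance leaves.
    users = sorted(balances, key=lambda u: _h(b"order", u.encode()))
    layer = [leaf(u, balances[u], nonces[u]) for u in users]
    while len(layer) & (len(layer) - 1):
        layer.append(leaf("", 0, b""))
    layers = [layer]
    while len(layer) > 1:
        layer = [parent(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return users, layers


def branch_for(layers, index: int) -> Branch:
    # The branch a user is shown: sibling sum and hash at every level below the root.
    path: Branch = []
    for layer in layers[:-1]:
        sib = index ^ 1
        path.append((layer[sib][0], layer[sib][1], sib < index))
        index //= 2
    return path


def verify_branch(user: str, balance: int, nonce: bytes, path: Branch, pinned_root: Node) -> bool:
    # Recompute the root from the leaf. Every sibling sum on the way up must be
    # non-negative (a negative one is aston's hidden liability sticking out), and
    # the result must equal the single root pinned for this epoch, so the exchange
    # cannot hand different users different roots.
    if balance < 0:
        return False
    cur = leaf(user, balance, nonce)
    for sib_sum, sib_hash, sib_left in path:
        if sib_sum < 0:
            return False
        sib = (sib_sum, sib_hash)
        cur = parent(sib, cur) if sib_left else parent(cur, sib)
    return cur == pinned_root


def audit(balances: Dict[str, int], nonces: Dict[str, bytes], checkers) -> Tuple[int, Dict[str, bool]]:
    """Claimed total (root sum) and, for each user who bothers to check, whether their branch verifies."""
    users, layers = build_tree(balances, nonces)
    root = layers[-1][0]
    results = {u: verify_branch(u, balances[u], nonces[u], branch_for(layers, users.index(u)), root)
               for u in checkers}
    return root[0], results


def partner_of(user: str, balances: Dict[str, int], nonces: Dict[str, bytes]) -> str:
    users, _ = build_tree(balances, nonces)
    return users[users.index(user) ^ 1]


# Constructed sample data: three real customers owed 5000 BTC in total.
NONCES = {u: _h(b"nonce", u.encode()) for u in ("alice", "bob", "carol", "sock")}
HONEST = {"alice": 1000, "bob": 2000, "carol": 2000}
# aston's trick: a -1000 leaf under the exchange's own sock-puppet account makes the root say 4000.
COOKED = dict(HONEST, sock=-1000)

if __name__ == "__main__":
    print("honest:", audit(HONEST, NONCES, HONEST))                 # 5000, everyone verifies
    print("cooked:", audit(COOKED, NONCES, HONEST))                 # 4000; only sock's neighbour fails
    print("sock is paired with", partner_of("sock", COOKED, NONCES))
    # nullc's point: zero a user who never checks and nobody who does check notices.
    print("alice zeroed:", audit(dict(HONEST, alice=0), NONCES, ["bob", "carol"]))   # 4000, both verify
    # Root swapping: a branch from one sheet never verifies against the root of another.
    users, layers = build_tree(HONEST, NONCES)
    _, swapped = build_tree(dict(HONEST, bob=0), NONCES)
    print("bob vs swapped root:", verify_branch("bob", 2000, NONCES["bob"],
                                                 branch_for(layers, users.index("bob")), swapped[-1][0]))
```

Because the leaf order is fixed by hash, the exchange cannot pick which customer ends up beside the negative leaf; that customer's branch fails the moment they check, which is why the attack only survives next to accounts that never check, and why the zeroed-Alice case passes for everyone else.
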
~~~
infruset
Thanks, I get it now. Hadn't thought of that.

Of course, if many people were connected at the same time, this would quickly
become perilous gymnastics for the exchange.

------
tlrobinson
The big problem with this is convincing businesses to publicize their total
customer deposits, which is extremely interesting information to competitors.

Though it could be a good way for new/small exchanges to differentiate
themselves and gain trust of the community, which could force larger and
larger exchanges to do the same until it's common practice (as mentioned has
happened with provably-fair gambling sites)

------
higherpurpose
Fractional reserve? I don't like that. It's like building a house of cards or
a ponzi scheme. You shouldn't be able to say you have 10x of the value you
actually have.

~~~
minimax
Right? Banks making loans? It's _preposterous_.

~~~
dmm
Full reserve banks are possible. You just have to maturity match everything,
meaning every loan of term t has a matching deposit with a maturity of t.
Deposits in demand accounts could not be lent.

I have no idea whether this is a good idea or if it would work as a business.

~~~
fennecfoxen
That's sort of the idea behind securitized mortgages, except once the bank
makes the loan the bank leaves the picture (except perhaps as a custodian
responsible for payment collection sometimes.) This is one reason
securitization of mortgages led to lower interest rates and was generally
considered a good thing for a while.

In the alternative scenario, economists describe loaning from demand deposits
(at a higher interest rate) with a phrase like "the bank is selling
liquidity".

------
kumarski
What bitcoin exchanges do HN readers trust?

I've been using [http://coinmkt.com](http://coinmkt.com)

I regrettably used MtGox.com. I'm kicking myself now.

~~~
pmorici
If you want to buy coins to use I'd go with Coinbase at least to get started.
If you want to day trade Kraken looks really promising if they are supported
in your jurisdiction. Bitstamp has a decent track record though their locale
gives me pause. Coinsetter is also pretty well put together if all you want to
do is pair trade but you can't do true exchange on there.

I've tried coinmkt but I don't like it. Their fees aren't great their deposit
and withdrawal methods are limited and there are fees on deposits and
withdrawals at least there were when I gave it a try.

~~~
jnbiche
>Bitstamp has a decent track record though their locale gives me pause.

I'd say Bitstamp has a very good track record, and what's wrong with Slovenia?
It's probably about on the level of the Czech Republic in terms of economic
freedom, development, level of corruption (relatively low), output, business
practices, etc. Would doing business with a Czech company make you nervous?

In business culture, Slovenia looks toward Germany more than toward the former
Eastern Bloc (of which it was never a part).

I mean, Bitstamp's owners are public people. I feel pretty confident that
they're not going to run off with their depositors money. Is there something
else that you're concerned about?

But I agree, if you want to just buy coins, Coinbase is a good start. And
Kraken is looking very good, too, particularly if you're a serious trader
(that's who they appear to target).

~~~
pmorici
I don't disagree; my reservation is more about having to do an international
wire transfer to get money in and out of Bitstamp. Also since they are outside
of the US you are going to have to submit FBAR paperwork to the US government
if your account with them ever gets over 10k at any time during the year. In
the unlikely chance something did go wrong legal remedies would be more
difficult since they are outside the US.

~~~
jnbiche
Ah, ok. So it's more because they're outside of the U.S. (your jurisdiction).
That's reasonable.

I thought the "locale" comment was about Slovenia, a country that not many
people are informed about and unfairly associate with former Eastern Bloc
crime syndicates.

And yes, the international wire fees do add up. Do any U.S. exchanges currently
offer ACH?

~~~
pmorici
Coinbase is ACH, CampBX took personal checks up until 3 weeks ago. My primary
bank offers wires within the US but not internationally. Doing wires is just a
headache you typically have to call the bank on the phone and it just doesn't
give me a confident feeling in general.

------
minimax
This doesn't give you a way to validate your dollar deposits. In other words a
dishonest exchange operator could misappropriate your dollar deposits and this
scheme wouldn't tell you anything about it.

~~~
teraflop
The hash-tree scheme described here would work equally well for non-Bitcoin
currencies, if I'm understanding it correctly. The only thing missing is the
ability to prove ownership of the actual funds backing that tree. So what
you're really complaining about is that there are no banks that offer
digitally-signed attestation of account balances.

~~~
jnbiche
>no banks that offer digitally-signed attestation of account balances.

Why is this? Seriously, that alone could prevent so much fraud and misuse of
funds. Every public company could have a digitally-signed bank balance,
updated in real time.

~~~
vbuterin
Because then any guy with a laptop and coding skills could use the API to set
up almost any kind of fiat currency-based money services or currency exchange
business, and we can't have people doing that without million-dollar MSB/MT
licenses!

------
snake_plissken
Can't all of this information be found in the block chain if you know the
addresses the exchanges are using?

~~~
nullc
No. In theory if you know all the addresses you know how many coins they have—
but to know the exchange is not fractional you must also know something about
its obligations.

------
jrockway
It turns out that MtGox used all the deposits to buy Magic cards. They now
have the world's most excellent cube. We all should have seen this coming.

------
pedrohrcunha
sweet!

Already pleading it to Brazilian exchanges.

