Gmaxwell's “prove how (non)-fractional your Bitcoin reserves are” scheme (iwilcox.me.uk)
114 points by sillysaurus2 on Feb 21, 2014 | hide | past | web | favorite | 76 comments

The developer is Gregory Maxwell, aka nullc. Here's a very interesting thread in which he proposes that the bitcoin community should demand that every bitcoin exchange (and every other type of service which can hold bitcoin on your behalf, like webwallets) continually prove that they are not fractional reserve. In other words, proof that if every user of the service simultaneously tries to withdraw all of their bitcoin, then the service would be able to honor all withdraw requests: http://www.reddit.com/r/Bitcoin/comments/1yj5b5/unverified_p...

"I think that as a community we should start demanding these services continually prove that they are not fractional reserve. We cannot effectively eliminate the need for trust in these sorts of services, but we can certainly confine the exposure and eliminate a lot of this drama. With Bitcoin it's technically possible to prove an entity controls enough coin to cover its obligations— and even to do so in ways that don't leak other business information, and so we should. But this isn't something specific about MTGox, it's something we should demand from all services holding large amounts of third party Bitcoins. I wouldn't even suggest MTGox should do it first, rather— it sounds like a great move for their competition to differentiate themselves."

Here's the takeaway:

"This would leak the total holdings, and some small amount of data about the number of accounts and distribution of their funds, but far far less than all the account balances. Importantly, though— it could be implemented in a few hundred lines of python."

In case anyone from Coinbase is reading: you have a unique opportunity to be the first webwallet service to implement this, and thereby make the entire bitcoin community instantly fall in love with you. It would also set a minimum standard of quality for webwallet services in general, which would add a lot of value to the bitcoin ecosystem. It seems like this might be a pretty big business opportunity.

> The developer is Gregory Maxwell, aka nullc.

This guy seems to be everywhere! He's a prolific Wikipedia contributor (administrator + many thousands of edits), and was also the guy behind the dump of a ton of pre-1923 JSTOR documents to the Pirate Bay, which in part helped pressure JSTOR to un-paywall its old/PD articles (http://arstechnica.com/tech-policy/2011/07/swartz-supporter-...).

The guy was amazing on Wikipedia.

Say you were a shady Bitcoin banker with 5000 BTC in deposits, and you wanted to steal 1000 while still looking like you're on the up-and-up by implementing this idea.

First, you announce that you only have 4000 BTC in deposits. Then you build this tree, and at the very bottom layer you add a node with a -1000 balance. You pair that node with your (or a conspirator's) real node holding more than 1000 so that any node above yours (read: everyone else) sees a positive balance at every point in the tree. Everyone can verify they're in the tree, the numbers add up to what you claimed publicly, but you're now successfully running a fractional reserve! And the only way to uncover such a scheme would be to publish all of the balances for every account.

Am I missing something?

Edit for clarity: the node you pair with is your own, so that no real user sees the negative sum.

Suppose the balance sheet is:

    [ -1000, 1000, 2000, 2000 ]
The Merkle tree is:

    [ -1000, 1000, 2000, 2000 ]
    [ 0, 4000 ]
    [ 4000 ]
You actually owe 5000 BTC, but it seems like you owe 4000 BTC. Seems so far so good. The problem is, what happens if you try to take advantage of this opportunity.

Case 1: other people withdraw first.

    [ -1000, 1000, 0, 0 ]
    [ 0, 0 ]
    [ 0 ]
Nobody knows that anything nefarious has gone on. However, everyone else has successfully gotten their money out so you've actually defrauded no one.

Case 2: you withdraw first.

    [ -1000, 0, 2000, 2000 ]
    [ -1000, 4000 ]
    [ 3000 ]
Now, the other 2 users actually can see that something is wrong, because the Merkle branch will have a -1000 BTC node sticking out.

So in theory, as long as there exist users who don't check their Merkle branches, and those users are identifiable, it probably is possible to run a slight fractional reserve undetected. So the protocol is suboptimal. But it's not really "broken". I do wonder if it can be improved though, perhaps with some kind of ZKP protocol.

Oh sure, you can sum and compare the balances under ZKP and even hide the total amount. But the problem is that as soon as you invoke a ZKP for general computation you get into the realm of barely practical moon math.

... And you still don't fix the problem that balances which are unchecked can be diverted.

In the IRC log I posted I went on to suggest that a service could have a rule that _permitted_ them to take your balance if you don't check it periodically— e.g. they could just withdraw it into their own pocket. You could prove you checked it (or that you tried and they wouldn't let you). By doing so you'd actually create a real incentive for people to check, though I suspect booby-trapped balances wouldn't be very welcome.

Regardless— it still confines the extent of fraud that is possible.

One way to defeat the "hide the negative balances inside a subtree of technologically clueless grandmas" attack might be to generate the tree using some easily verifiable deterministic algorithm (i.e. alphabetic order of hashes of some user data), and perhaps even have several trees. It's not perfect, but it could help reduce the problems, although perhaps at the expense of some additional privacy.

> And you still don't fix the problem that balances which are unchecked can be diverted.

Okay, I'll admit I might be missing something here; what do you mean by that? The exchange isn't storing each user's bitcoins separately; that requires one TX per user to maintain anyway. It should be storing them all under a single HD wallet and publicly releasing the MPK, so users can take the MPK and use it to verify that the exchange actually has 5000 BTC, the Merkle root says 5000 BTC, and their Merkle branch is correct. The exchange can't spend "unchecked bitcoins" or "checked bitcoins"; they're all just bitcoins under the same HD wallet, and spending any of them would trigger an alarm.

> > And you still don't fix the problem that balances which are unchecked can be diverted.

> Okay, I'll admit I might be missing something here; what do you mean by that?

Say Alice _never_ logs in anymore and the site has noticed this. The site can just go "oh Alice, her balance is now 0" and go and gamble away those coins— sure, their holdings go down, but so do their obligations. Since Alice never logs in anymore, she's not going to protest that her coins are all gone.

Ah okay, that makes sense. You're completely right that that's not really solvable in general.

Unless, of course, we finally switch over to a public/private key based login system and each user's balance sheet is composed of a set of authorized/signed deposits, trades and withdrawals (i.e. a full blockchain, but centralized and "mined" only by the exchange's server). I wonder what possibilities that kind of setup would open.

Go read that IRC log. :)

Not to discredit the very capable developers discussing this, but in the interest of giving credit where credit is due, didn't Peter Todd suggest this back in his Bitcoin 2013 presentation on off-chain transactions? I seem to remember him explaining something similar on a rooftop patio in Toronto last spring after a Bitcoin Toronto meetup.

EDIT: http://www.youtube.com/watch?v=4d3LA8KpdMQ#t=6m45s

I believe this was most extensively discussed as part of a long chat that Peter Todd was a part of, so no surprise that you've seen him talk about it. Off-chain banks stuff has been a long term pet interest of his.

In that discussion we applied a Merkle-sum tree data structure— a pet data structure that I'd previously proposed for making compact proofs of blockchain invalidity in Bitcoin (in order to make a future bitcoin world where no one runs full nodes safe from inflation and theft by miners)— to PT's bank fraud proofing application.

You may find the log interesting: https://people.xiph.org/~greg/bitcoin-wizards-fraud-proof.lo...

Search for "auditable off-chain transactions" and "Merkle-sum-tree"

(I left in a lot of unrelated stuff since it makes the meandering conversation make a bit more sense. Though a lot of this continues a long running dialog about cryptographic-wankery that has been going on for years)

Ultimately these schemes require the use of a jamming free broadcast network of some kind... otherwise they run into the same problems certificate transparency has where you can substitute the commitment on the fly. Fortunately, Bitcoin provides a global consensus mechanism which could be used to directly attach the commitment to the coins being spoken for.

I'm pretty sure I remember either Gregory Maxwell or Andrew Miller suggesting it to me first, and I think it might be the latter's idea originally. (at least in the Bitcoin space) Andrew has done a lot of work on "Merkleizing" data structures: http://www.cs.umd.edu/~amiller/gpads/

If anyone is interested in helping, I'm going to spend my evening trying to implement this here: https://github.com/ConceptPending/proveit

My email is in my profile, and I'm happy to Skype chat with anyone who wants to help.

The basic implementation is now complete.

I'll flesh it out a bit better tomorrow.

Or, just use a system like we use on Bitalo, where fractional reserves are impossible because of the use of multi-signature Bitcoin addresses, which means funds are specifically tied to user wallets and exchange operators cannot use them without the user signing all transactions themselves.

This requires one transaction per trade, effectively.

While systems like that have many applications— and should be used where they can, they aren't a replacement for large scale markets like MTGox or for ultra-low-cost instant payment systems.

The blockchain can't handle the transaction volume of currency exchanges; that just won't work.

Wait, the blockchain can't handle the transaction volume of the trades happening today?

What happens as businesses (overstock, etc) start accepting bitcoin? Will bitcoin never be able to handle to volume of an amazon or walmart?

Exchanges don't trade on the blockchain, only deposits and withdrawals are on chain. Off chain transactions make up the bulk of transactions as the blockchain can currently only handle around 7 transactions a second, which is about twice as much as it's actually being pushed, so there's still room to breathe.

The same applies to Overstock: Coinbase is doing their transaction processing and it's likely most of those are off chain as well, as Coinbase is a broker and has plenty of coin and dollars in house, is likely where purchasers in the US got their coin anyway, and is also likely the users' online wallet; they settle up daily with an exchange to keep their supply at necessary levels.

Bitcoin isn't ready for mass adoption yet; the infrastructure is still being put into place and the 7 transaction limit has to be removed and exceeded by quite a bit to grow to the point of being able to handle large volume kind of stuff. In the meantime, and probably even after, off chain transactions will likely be how most scale is achieved.

I don't think we are anywhere near the blocks being half full, lots are less than 100kB except for Eligius. Is there anywhere displaying this metric?

I wasn't trying to put a hard number on it; I said about half because that's the number I keep hearing repeated when discussions occur.


Lots of other interesting charts there. In any case, it doesn't really matter as to the main point that exchanges don't do on block trading, the volume would be far too great for what the network can handle.

Exactly, this is specifically where that feature is designed for: it makes you your own arbiter of what an exchange wants to do with your money.

It's not clear that day traders are willing to pay the fees to put their transactions on the blockchain.

They are paying much higher fees for trading on "normal" exchanges. Transaction fee is only 0.0001 BTC, normally you pay WAY more for trading on Mt. Gox/Bitstamp.

At first I was worried about what would happen if the exchange introduced fake nodes with negative balances at the bottom of the tree, but there would be no way for them to hide that without the first real customer up to the root finding out (there would have to be a negative node that he/she could see). This sounds like a great idea!

Unless the negative valued customer and the surrounding customers never logged in... But that's a limitation of the scheme that can't be avoided. If a user never logs in you could just steal just their balance (and correctly set it to zero).

You also must make sure that all customers are seeing the same root, and that you can't do funny business like constantly update it to swap out which customers you're robbing. (e.g. it should be a daily or weekly updated thing).

You've got a point, the root of the tree could be made available to the main charting sites, or even weekly written into the blockchain.

As for the negative values, I wasn't thinking of robbing anyone, but just pretending you are solvent when really you're not. I'm not sure I see what you mean by "swap out which customers you're robbing", could you expand?

E.g. say you have two customers with a balance of 100. You report the total is 100— so 100 BTC has gone missing.

When customer A logs in you give them one root and show them their balance (and B has a balance of 0). When customer B logs in— oops balances just update— you show them a new root, and in that one B has a balance of 100.

So you need to pin the commitments strongly enough so that the prover can't swap them out at will.
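As an added example (not code from the thread, from proveit, or from any of the participants), here is a minimal Merkle-sum tree in Python with the branch check a customer would run. It walks through the negative-leaf scenario from the earlier comment (the `[-1000, 1000, 2000, 2000]` sheet, Case 1 and Case 2), includes the "sort leaves by a hash of user data" ordering suggested mid-thread, and finishes with the root-swapping trick just described, where Alice and Bob are each shown a different root. The leaf and node encodings, account names and the `sum-then-hash` node format are constructed assumptions; the point is that every node commits to its subtree's balance, so a negative node on a branch or a branch that does not reach the single published root is visible to whoever checks.

```python
# Added example: Merkle-sum tree proof of reserves with client-side branch
# verification. Encodings and sample sheets are constructed for this example.
import hashlib
from typing import List, Tuple

Node = Tuple[int, bytes]         # (sum of balances in this subtree, hash)
Step = Tuple[bool, int, bytes]   # (sibling_is_left, sibling_sum, sibling_hash)


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(user: str, balance: int) -> Node:
    # A leaf commits to the account id and its balance (constructed encoding).
    return balance, _h(b"leaf", user.encode(), str(balance).encode())


def parent(left: Node, right: Node) -> Node:
    # The parent hash covers both child hashes AND the summed balance, so a
    # subtree balance cannot be altered without changing the root.
    total = left[0] + right[0]
    return total, _h(b"node", str(total).encode(), left[1], right[1])


def canonical_order(balances: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    # Deterministic leaf order (hash of the account id), so the operator cannot
    # freely choose which accounts sit next to a phantom leaf.
    return sorted(balances, key=lambda ub: _h(ub[0].encode()))


def build_levels(balances: List[Tuple[str, int]]) -> List[List[Node]]:
    """All tree levels, leaves first; odd levels are padded with an empty leaf."""
    level = [leaf(u, b) for u, b in balances]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [leaf("", 0)]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def root(balances: List[Tuple[str, int]]) -> Node:
    """The (total, hash) commitment the exchange publishes."""
    return build_levels(balances)[-1][0]


def branch(balances: List[Tuple[str, int]], index: int) -> List[Step]:
    """The sibling nodes the exchange hands the user at position `index`."""
    steps = []
    for level in build_levels(balances)[:-1]:
        sib = index ^ 1
        steps.append((sib < index, level[sib][0], level[sib][1]))
        index //= 2
    return steps


def verify_branch(user: str, balance: int, steps: List[Step],
                  published_root: Node) -> Tuple[bool, str]:
    """What a customer runs: rebuild the path and compare with the pinned root."""
    node = leaf(user, balance)
    for sib_is_left, sib_sum, sib_hash in steps:
        if sib_sum < 0:
            # Case 2 from the thread: a phantom negative node "sticking out".
            return False, "negative balance on branch"
        sibling = (sib_sum, sib_hash)
        node = parent(sibling, node) if sib_is_left else parent(node, sibling)
    if node != published_root:
        return False, "branch does not reach the published root"
    return True, "ok"


def audit_against_pinned_root(pinned_root: Node,
                              claims: List[Tuple[str, int, List[Step]]]) -> List[str]:
    """Names of users whose branch fails against ONE pinned root (root swapping)."""
    return [u for u, b, s in claims if not verify_branch(u, b, s, pinned_root)[0]]


if __name__ == "__main__":
    # Constructed sheet from the thread: operator hides a -1000 leaf next to a shill.
    sheet = [("op", -1000), ("shill", 1000), ("carol", 2000), ("dave", 2000)]
    print("published total:", root(sheet)[0])                       # 4000, real debt 5000
    print("carol, nobody moved:", verify_branch("carol", 2000, branch(sheet, 2), root(sheet)))
    case2 = [("op", -1000), ("shill", 0), ("carol", 2000), ("dave", 2000)]
    print("carol after operator withdraws:", verify_branch("carol", 2000, branch(case2, 2), root(case2)))
    sheet_a = [("alice", 100), ("bob", 0)]     # root shown to Alice
    sheet_b = [("alice", 0), ("bob", 100)]     # root shown to Bob
    claims = [("alice", 100, branch(sheet_a, 0)), ("bob", 100, branch(sheet_b, 1))]
    print("fails against pinned root:", audit_against_pinned_root(root(sheet_a), claims))
```

Run as a script it prints the published total of 4000 for the constructed sheet, an `ok` for Carol while the operator has not moved any coins, a `negative balance on branch` failure once the operator's side of the tree has been drained, and `['bob']` for the root-swapping sheets once both proofs are checked against the one root that was pinned.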

Thanks, I get it now. Hadn't thought of that.

Of course, if many people were connected at the same time, this would quickly become perilous gymnastics for the exchange.

The big problem with this is convincing businesses to publicize their total customer deposits, which is extremely interesting information to competitors.

Though it could be a good way for new/small exchanges to differentiate themselves and gain trust of the community, which could force larger and larger exchanges to do the same until it's common practice (as mentioned has happened with provably-fair gambling sites).

Fractional reserve? I don't like that. It's like building a house of cards or a ponzi scheme. You shouldn't be able to say you have 10x of the value you actually have.

Right? Banks making loans? It's preposterous.

Sigh. It's a fallacy that making loans implies fractional reserves as normally understood.

Banks can still make loans simply by offering certificates of deposit. This is the above-board way of loaning out people's money -- you make it absolutely clear that taking it out early has a cost, because the money is locked up in (hopefully) profitable ventures.

Would that be less profitable for the banks? Not really -- they would just adjust their prices to compensate, by charging fees on idle money that's instantly redeemable.

And if you let a secondary market for CDs flower, customers can still get good liquidity. Just in a way that's better subject to market discipline.

What you are saying is that you would replace interest bearing savings accounts with fee charging "idle money" accounts, and that if you want to earn any interest on your savings you have to lock it up for a fixed term.

That doesn't really sound like a better alternative.

You may think it sounds better after a few more rounds of banking crises. TANSTAFL.

Traditional paradigms of banking might have to change when each person can be his or her own bank.

Fractional reserve is sort of a misappropriated term as applied to bitcoin exchanges. Such exchanges aren't making loans, so where would the money be going? There's no good reason for them not to have 100% of the funds in reserve.

Some of them offer margin trading which is a loan.

This proposal doesn't prevent loans and fractional reserve or whatever schemes people may want. What it does is makes it much harder to fail to disclose the truth of the matter.

What kinds of terms people choose to transact under is their own business— but all the better when we can be more confident those terms are being followed.

Full reserve banks are possible. You just have to maturity match everything, meaning every loan of term t has a matching deposit with a maturity of t. Deposits in demand accounts could not be lent.

I have no idea whether this is a good idea or if it would work as a business.

The retail markets have voted overwhelmingly for interest bearing demand deposit accounts. I'm not sure if a fee-based DDA is available anywhere but it certainly is not popular in the US where we get "free" deposit insurance.

That's sort of the idea behind securitized mortgages, except once the bank makes the loan the bank leaves the picture (except perhaps as a custodian responsible for payment collection sometimes.) This is one reason securitization of mortgages led to lower interest rates and was generally considered a good thing for a while.

In the alternative scenario, economists describe loaning from demand deposits (at a higher interest rate) with a phrase like "the bank is selling liquidity".

Full Reserve banks don't make loans?

Fractional Reserve banks enable you to have your money and be loaned out at the same time (thereby stretching the money supply like an elastic rubber band).

Full Reserve banks ONLY loan out money which was specifically deposited to them for the purposes of being able to be loaned out.

You're mistaken if you think full reserve banking somehow doesn't "stretch" the money supply. Let's say I deposit $10K in a "full reserve" bank. The bank then loans it to someone who buys a car. The car dealer goes back to the bank and deposits the proceeds of the sale. Another fella comes in for a loan and the bank gives him dealer's $10K. He then goes to buy a car. Now there are 2 cars bought with "my" $10K. And this can go on ad infinitum. So there is nothing superior about full reserve banking. The only thing you're doing is preventing me from getting my money unless the guy who took the loan pays it back. That will surely incentivize people to keep their money in a bank.

What you get is interest for allowing your part of their reserve to be used for loans. It's why certificates of deposit have a higher interest rate at /r/ActualMoney banks.

And that is the entire purpose of the proposal.

Not sure if joking

You do realize that modern finance depends on this notion?

For example, Banks need no more than 10% of a loan as cash on hand.

> You do realize that modern finance depends on this notion?

Modern finance also causes some very serious societal problems, in my opinion.

We're using the word "modern" extremely broadly in this context. Fractional reserve banking goes back to what, the early Renaissance? Did the economies of the Middle Ages really serve people better than our economies do today?

Correlation does not equal causation.

And arguably, the invention of dual-entry accounting in the early Renaissance -- a self-auditing system similar in many ways to nullc's proposal -- played a much bigger part in the beginning of modern economic development than did fractional reserve banking.

This is the exact same answer you used to get in the old days, back when real communists actually existed, and you'd ask one of them why there were no communist countries with anything like a functional economy. "Correlation does not equal causation, comrade! Just because those troubled countries are all communist does not mean that it is communism that is the cause of their troubles."

I'm just sayin', theory is nice and all, but examples from real practice are more interesting. Fractional reserve banking has been widely in use for hundreds of years in countries which have prospered far more than the general run of humanity has. Show me a capitalist economy that (1) outlawed fractional reserve banking and (2) functions better in some tangible way than the rest of the developed world, and you've got an argument more compelling than a chapter from a textbook of Austrian economics.

Your argument against correlation doesn't equal causation is...communism? That's quite a red herring. For the record, and it shouldn't matter, but I learned about correlation doesn't equal causation in an epidemiology class, and I've always associated it with rational thought.

>and you've got an argument more compelling than a chapter from a textbook of Austrian economics.

Another ad hominem.

And you didn't even address my point about double-entry accounting, which shares a striking similarity in some ways to this proposal. Way to mount an effective argument.

Alternatively, a fractional reserve institution can offer interest on accounts which might entice some people to accept the risk of a bank run. Given the popularity of some explicit ponzi schemes in the past month, It seems fairly clear there are plenty of folks who would accept those terms.

What bitcoin exchanges do HN readers trust?

I've been using http://coinmkt.com

I regrettably used MtGox.com. I'm kicking myself now.

If you want to buy coins to use I'd go with Coinbase at least to get started. If you want to day trade Kraken looks really promising if they are supported in your jurisdiction. Bitstamp has a decent track record though their local give me pause. Coinsetter is also pretty well put together if all you want to do is pair trade but you can't do true exchange on there.

I've tried coinmkt but I don't like it. Their fees aren't great, their deposit and withdrawal methods are limited, and there are fees on deposits and withdrawals, at least there were when I gave it a try.

>Bitstamp has a decent track record though their local[e] give me pause.

I'd say Bitstamp has a very good track record, and what's wrong with Slovenia? It's probably about on the level of the Czech Republic in terms of economic freedom, development, level of corruption (relatively low), output, business practices, etc. Would doing business with a Czech company make you nervous?

In business culture, Slovenia looks toward Germany more than toward the former Eastern Bloc (of which it was never a part).

I mean, Bitstamp's owners are public people. I feel pretty confident that they're not going to run off with their depositors' money. Is there something else that you're concerned about?

But I agree, if you want to just buy coins, Coinbase is a good start. And Kraken is looking very good, too, particularly if you're a serious trader (that's who they appear to target).

I don't disagree; my reservation is more about having to do an international wire transfer to get money in and out of Bitstamp. Also, since they are outside of the US you are going to have to submit FBAR paperwork to the US government if your account with them ever gets over 10k at any time during the year. In the unlikely chance something did go wrong, legal remedies would be more difficult since they are outside the US.

Ah, ok. So it's more because they're outside of the U.S. (your jurisdiction). That's reasonable.

I thought the "locale" comment was about Slovenia, a country that not many people are informed about and unfairly associate with former Eastern Bloc crime syndicates.

And yes, the international wire fees do add up. Do any U.S. exchanges currently offer ACH?

Coinbase is ACH; CampBX took personal checks up until 3 weeks ago. My primary bank offers wires within the US but not internationally. Doing wires is just a headache; you typically have to call the bank on the phone, and it just doesn't give me a confident feeling in general.

I would be a little cautious with Coinbase. There was a recent post on HN[1] in which someone had a 5 figure transaction be approved on the site, but never received his funds. The slow response from Coinbase wasn't too encouraging, but the more troubling issue is that a large sum of money like that can just appear in the system without anyone noticing. It indicates that their level of accounting and auditing isn't up to the standards of even most brick and mortar businesses let alone a financial institution.

[1] - https://news.ycombinator.com/item?id=6929705

I've never had a problem with them and it looks like that customer's issue was resolved. All exchanges have problems, especially with the huge growth in customer base they are experiencing. The thing that sets them apart is how they deal with them.

Coinbase. They've got $31m in combined funding from Y Combinator and Andreessen Horowitz, among others. I like to place my bets where veteran investors have some cash and reputation on the line.

Part of the problem is leaving funds lying around in exchanges, when it's trivial to transfer to your own wallet (though admittedly non-trivial to secure it; it's a tradeoff).

If you quickly transfer in, exchange, and transfer out you don't need quite as much trust.

Bitstamp have proved their good intentions and competence. They also have the most to lose at this point as the market leader. Had zero problems with transfers from there, very quick support replies, seem to be in good relations with their bank. I trust them. Kraken also look promising, but it's a new exchange.

Anyway, best bet is to use several exchanges to take advantage of arbitrage opportunities and to distribute the risk.

I've used coinmkt more and more in the past week. I like them, seem to still be working things out, but if you trade multiple currencies they're a good bet. Being based in the USA doesn't hurt either.

This doesn't give you a way to validate your dollar deposits. In other words a dishonest exchange operator could misappropriate your dollar deposits and this scheme wouldn't tell you anything about it.

Yup. This is an example of how Bitcoin is superior to USD— USD is not so readily subject to cryptographic proof. :)

You could use it to show that USD obligations jibe with third party audits, insurance, or accounts in a bank if you could get the bank to produce signed attestations... though the trust isn't eliminated there, just shuffled around.

The hash-tree scheme described here would work equally well for non-Bitcoin currencies, if I'm understanding it correctly. The only thing missing is the ability to prove ownership of the actual funds backing that tree. So what you're really complaining about is that there are no banks that offer digitally-signed attestation of account balances.

>no banks that offer digitally-signed attestation of account balances.

Why is this? Seriously, that alone could prevent so much fraud and misuse of funds. Every public company could have a digitally-signed bank balance, updated in real time.

Because then any guy with a laptop and coding skills could use the API to set up almost any kind of fiat currency-based money services or currency exchange business, and we can't have people doing that without million-dollar MSB/MT licenses!

Can't all of this information be found in the block chain if you know the addresses the exchanges are using?

No. In theory if you know all the addresses you know how many coins they have— but to know the exchange is not fractional you must also know something about its obligations.

It turns out that MtGox used all the deposits to buy Magic cards. They now have the world's most excellent cube. We all should have seen this coming.


already pleading it to Brazilian exchanges.

