Proof of Assets for Crypto Custodians by Jake Craige

Proof of Assets
For Crypto Custodians
@jakecraige
Crypto Engineering
May 10, 2019

Prove what?
• We have access to the private keys
which control our funds
• We have more assets than liabilities
(customer balances)

Terminology
! Crypto Custodian
! Proof of Reserves (or Assets)
! Proof of Liabilities
! Proof of Solvency

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Bitcoin Whitepaper
October 2008

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Maxwell & Todd
discuss on IRC
March 2013
Wilcox publishes
details on blog
May 2013
Bitcoin Whitepaper
October 2008

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Maxwell & Todd
discuss on IRC
March 2013
Wilcox publishes
details on blog
May 2013
Mt. Gox suspends
withdrawals
February 2014
Bitcoin Whitepaper
October 2008

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Maxwell & Todd
discuss on IRC
March 2013
Wilcox publishes
details on blog
May 2013
Mt. Gox suspends
withdrawals
February 2014
Bitcoin Whitepaper
October 2008
Provisions Paper
August 2015

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Maxwell & Todd
discuss on IRC
March 2013
Wilcox publishes
details on blog
May 2013
Mt. Gox suspends
withdrawals
February 2014
Bitcoin Whitepaper
October 2008
Provisions Paper
August 2015
MProve Paper
December 2018

History
2008 20192013 2014 2015 20182009-2012 2016-2017
Maxwell & Todd
discuss on IRC
March 2013
Wilcox publishes
details on blog
May 2013
Mt. Gox suspends
withdrawals
February 2014
Bitcoin Whitepaper
October 2008
Provisions Paper
August 2015
MProve Paper
December 2018
Proof of Reserves
February 2019

Our Options
• Public Audit
• Blockstream Proof of Reserves
• Provisions: Proof of Solvency

Public Audit
• Proof of Reserves
• Sign a message with every address that has a balance
• Send messages to auditor
• Auditor verifies signature and balance on chain
• Proof of Liabilities
• Provide list of all customer identifiers and balances
• Proof of Solvency
• Auditor verifies sum of reserves is greater or equal to liabilities and publishes report

Maxwell Proof of Liabilities
• Proposed in 2013 from Greg Maxwell & Peter Todd
• Allows custodians to build a proof that includes all customer balances where the
customer can validate they are included in the proof.

Proof of Reserves
• Proposal and tool released on February 4, 2019 by Blockstream
• BIP-127: Simple Proof-of-Reserves Transactions
• An unspendable transaction is the proof
• Bitcoin Only

Proof of Reserves
tx hash: abc
amount: 1
tx hash: def
amount: 2
Unspent Outputs

Proof of Reserves
tx hash: abc
amount: 1
tx hash: def
amount: 2
Unspent Outputs
prev hash: abc
amount: 1
prev hash: def
amount: 2
Inputs Outputs

Proof of Reserves
tx hash: abc
amount: 1
tx hash: def
amount: 2
Unspent Outputs
prev hash: abc
amount: 1
prev hash: def
amount: 2
Inputs
amount: 3
Outputs

Proof of Reserves
tx hash: abc
amount: 1
tx hash: def
amount: 2
Unspent Outputs
prev hash: abc
amount: 1
prev hash: def
amount: 2
Inputs
amount: 3
prev hash: hash
amount: 0
Outputs
SHA-256("Proof-of-Reserves: Custom Message")

Proof of Reserves
• BIP defines a standard that can be interoperable across wallets
• No privacy. All outputs you own are revealed.
• No proof of liabilities. The specification only covers reserves.*
• Proof size is O(n) in the number of inputs
*You could combine this with Maxwell’s Proof of Liabilities to have this

Provisions: Proof of Solvency
• Paper published October 26, 2015 by Dagher et al
• No production implementations
• Uses ZK-proofs for privacy
• Usable for any asset

• Proof of Assets
• Proof of Liabilities
• Proof of Solvency
•
• Optional
• Proof of Non-Collusion
• Proof of Surplus
Zassets − Zliabilitities = 0

Provisions: Proof of Assets
• Commitment to each public key and balance
• Uses an anonymity set for privacy
• Uses interactive sigma proofs
• Made non-interactive with Fiat-Shamir transform
• Proof size is O(n) in the number of public keys

ZK commitment to balance and knowledge of private key

Generators g, h ∈ 𝔾

y = gx
Public Key

y = gx
s ∈ {0,1}
Public Key
Knowledge of Private Key

b = gbal(y)
y = gx
s ∈ {0,1}
Public Key
Balance Commitment

b = gbal(y)
p = bs
⋅ hv
y = gx
s ∈ {0,1}
v ←$ ℤq
Public Key
Balance Commitment
Pedersen Commitment

b = gbal(y)
p = bs
⋅ hv
y = gx
s ∈ {0,1}
v ←$ ℤq
Public Key
Balance Commitment
Pedersen Commitment
Published Values y, p

Interactive Sigma Proof
Prover
Verifier
Prover
Verifier
Verification of balance commitment

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
Prover
Verifier
Prover
Verifier

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
Prover
Verifier
Prover
Verifier

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
Prover
Verifier
Prover
Verifier

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
Prover
Verifier
Prover
Verifier

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1brs ⋅ hrv
Interactive Sigma Proof Verification
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv
Known = b, a1, c, rs, rv, p

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1
= pc
⋅ a1
brs ⋅ hrv
bu1+cs
⋅ hu2+cv
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1
= pc
⋅ a1
= (bs
⋅ hv
)c
⋅ a1
brs ⋅ hrv
bu1+cs
⋅ hu2+cv
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1
= pc
⋅ a1
= (bs
⋅ hv
)c
⋅ a1
= bcs
⋅ hcv
⋅ a1
brs ⋅ hrv
bu1+cs
⋅ hu2+cv
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1
= pc
⋅ a1
= (bs
⋅ hv
)c
⋅ a1
= bcs
⋅ hcv
⋅ a1
= bcs
⋅ hcv
⋅ bu1 ⋅ hu2
brs ⋅ hrv
bu1+cs
⋅ hu2+cv
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv

a1 = bu1 ⋅ hu2 u1, u2 ←$ ℤq
c ←$ ℤq
rs = u1 + c ⋅ s rv = u2 + c ⋅ v
brs ⋅ hrv = pc
⋅ a1
= pc
⋅ a1
= pc
⋅ a1
= (bs
⋅ hv
)c
⋅ a1
= bcs
⋅ hcv
⋅ a1
= bcs
⋅ hcv
⋅ bu1 ⋅ hu2
= bu1+cs
⋅ hu2+cv
brs ⋅ hrv
bu1+cs
⋅ hu2+cv
bu1+cs
⋅ hu2+cv
Prover
Verifier
Prover
Verifier
p = bs
⋅ hv

Provisions: Proof of Liabilities
• Commitment to each customer identifier and balance with range
proof for positive amounts
• Customer requests secret values from custodian and can verify
their balance is in the proof.
• Auditor* checks that sum of customer commitments is accurate
• Proof size is O(n) in the number of customers
*Can be anyone but likely some service due to the size of the proof

ZK commitment to balance

Account Balance = ⟨x0, x1, …, xb−1⟩ =
b−1
∑
k=0
xk ⋅ 2k
BinBalance Balance

Account Balance
Binary Commitment to Bits zk = gxk ⋅ hrk
= ⟨x0, x1, …, xb−1⟩ =
b−1
∑
k=0
xk ⋅ 2k
for each bit
BinBalance Balance
xk
rk ←$ ℤq R =
b−1
∑
k=0
rk ⋅ 2k

Account Balance
Binary Commitment to Bits zk = gxk ⋅ hrk
= ⟨x0, x1, …, xb−1⟩ =
b−1
∑
k=0
xk ⋅ 2k
for each bit
BinBalance Balance
xk
Commitment to Balance z =
b−1
∏
k=1
z(2k)
k
rk ←$ ℤq R =
b−1
∑
k=0
rk ⋅ 2k

Account Balance
Binary Commitment to Bits
Customer Identifier
zk = gxk ⋅ hrk
CID = H(username||n)
= ⟨x0, x1, …, xb−1⟩ =
b−1
∑
k=0
xk ⋅ 2k
for each bit
BinBalance Balance
xk
b−1
∏
k=1
z(2k)
k
rk ←$ ℤq
n ←$ {0,1}512
R =
b−1
∑
k=0
rk ⋅ 2k

Account Balance
Binary Commitment to Bits
Published Values
Customer Identifier
zk = gxk ⋅ hrk
= ⟨x0, x1, …, xb−1⟩ =
b−1
∑
k=0
xk ⋅ 2k
for each bit
BinBalance Balance
xk
b−1
∏
k=1
z(2k)
k
rk ←$ ℤq
n ←$ {0,1}512
⟨CID, z0, …, zb−q⟩
R =
b−1
∑
k=0
rk ⋅ 2k

Customer verification of balance commitment
Request from prover (R, v, Balance)

Request from prover
Compute CID and
verify it is in published data
(R, v, Balance)

Request from prover
Compute CID and
(R, v, Balance)
Compute balance
commitment
zc = gBalance
⋅ hR

Request from prover
Compute CID and
(R, v, Balance)
Compute balance
commitment
zc = gBalance
⋅ hR
Calculate prover
commitment
zp =
b−1
∏
k=0
z(2k
)
k

Request from prover
Compute CID and
(R, v, Balance)
Compute balance
commitment
zc = gBalance
⋅ hR
Calculate prover
commitment
zp =
b−1
∏
k=0
z(2k
)
k
Verify equality zc = zp

(R, v, Balance)
zc = gBalance
⋅ hR
zp =
b−1
∏
k=0
z(2k
)
k
zc = zp
= zp
Verification
Known = R, v, balance, zk, …, zb−1
zc

(R, v, Balance)
zc = gBalance
⋅ hR
zp =
b−1
∏
k=0
z(2k
)
k
zc = zp
= zp
Verification
gBalance
hR =
b−1
∏
k=0
z(2k
)
k
zc

(R, v, Balance)
zc = gBalance
⋅ hR
zp =
b−1
∏
k=0
z(2k
)
k
zc = zp
= zp
Verification
gBalance
hR =
b−1
∏
k=0
z(2k
)
k
=
∏
(gxk ⋅ hrk)(2k
)
=
∏
gxk⋅2k
⋅ hrk⋅2k
zc

(R, v, Balance)
zc = gBalance
⋅ hR
zp =
b−1
∏
k=0
z(2k
)
k
zc = zp
= zp
Verification
gBalance
hR =
b−1
∏
k=0
z(2k
)
k
=
∏
(gxk ⋅ hrk)(2k
)
=
∏
gxk⋅2k
⋅ hrk⋅2k
= g∑
b−1
k=0
xk⋅2k
⋅ h∑
b−1
k=0
rk⋅2k
zc

(R, v, Balance)
zc = gBalance
⋅ hR
zp =
b−1
∏
k=0
z(2k
)
k
zc = zp
= zp
Verification
gBalance
hR =
b−1
∏
k=0
z(2k
)
k
=
∏
(gxk ⋅ hrk)(2k
)
=
∏
gxk⋅2k
⋅ hrk⋅2k
= g∑
b−1
k=0
xk⋅2k
⋅ h∑
b−1
k=0
rk⋅2k
= gBalance
hR
zc

ZAssets ⋅ ZLiabilitities
−1
= ZAssets−Liabilities = 0
ZK commitment to total assets

=
n
∏
i=1
pi
Assets =
n
∑
i=1
si ⋅ bal(yi)Zassets

=
n
∏
i=1
pi
Assets =
n
∑
i=1
si ⋅ bal(yi)
=
∏
bsi
i
⋅ hvi =
∏
gbal(yi)⋅si ⋅ hvi
Zassets

=
n
∏
i=1
pi
Assets =
n
∑
i=1
si ⋅ bal(yi)
= gAssets
h∑
n
i=1
vi
=
∏
bsi
i
⋅ hvi =
∏
gbal(yi)⋅si ⋅ hvi
Zassets

ZK commitment to total liabilities
=
c
∏
i=1
zi
Liabilities =
c
∑
i=1
BalanceiZliabilities

=
c
∏
i=1
zi
=
c
∏
i=1
gBalanceihRi
Liabilities =
c
∑
i=1
BalanceiZliabilities

=
c
∏
i=1
zi
=
c
∏
i=1
gBalanceihRi
Liabilities =
c
∑
i=1
Balancei
= g∑
c
i=1
Balanceih∑
c
i=1
Ri
Zliabilities

=
c
∏
i=1
zi
=
c
∏
i=1
gBalanceihRi
Liabilities =
c
∑
i=1
Balancei
= g∑
c
i=1
Balanceih∑
c
i=1
Ri
= gLiabilities
h∑
c
i=1
Ri
Zliabilities

−1
= ZAssets−Liabilities
ZK commitment to assets - liabilities

−1
= gAssets
⋅ h∑
c
i=1
vi ⋅ (gLiabilities
h∑
c
i=1
Ri)−1

−1
= gAssets−Liabilities
⋅ h∑
c
i=1
vi−∑
c
i=1
Ri
= g0
⋅ h∑
c
i=1
vi−∑
c
i=1
Ri
= gAssets
⋅ h∑
c
i=1
vi ⋅ (gLiabilities
h∑
c
i=1
Ri)−1

= g0
⋅ hsumv−sumr

= g0
⋅ hsumv−sumr
= hsumv−sumr = hexcessZSolvencyProver creates proof of knowledge

= g0
⋅ hsumv−sumr
Verifier checks proof of knowledge … Schnorr Proof Verification

= g0
⋅ hsumv−sumr
ZvSolvency =
c
∏
i=1
zi −
n
∏
i=1
pi
Verifier computes solvency

= g0
⋅ hsumv−sumr
ZvSolvency =
c
∏
i=1
zi −
n
∏
i=1
pi
Verifier computes solvency
Verifier verifies prover computation
ZSolvency = ZvSolvency

Provisions: Summary
• Scales linearly with respect to the proof size, construction and verification time.
Protocol is easily parallelizable.
• Does not reveal any information about addresses, total assets or customer
balances.
• If the public key has not been published on chain by including it in the
anonymity set you would reveal it.
• Generation & verification requires balance at a block hash oracle
• No proposed standard that would be interoperable across companies

Open Questions
• Committing to an address instead of public key
• Proving cold storage assets
• Optimizing proof size, generation and verification

Thanks!
Jake Craige // @jakecraige
We’re hiring! coinbase.com/careers
• Maxwell Proof of Liabilities
• https://web.archive.org/web/20171124195504/https://iwilcox.me.uk/2014/proving-bitcoin-reserves
• Proof of Reserves
• https://blockstream.com/2019/02/04/en-standardizing-bitcoin-proof-of-reserves/
• Provisions
• https://eprint.iacr.org/2015/1008
• Demo Site: https://provisions.glitch.me
• Rust Implementation: https://github.com/jakecraige/provisions
• MProve
• https://eprint.iacr.org/2018/1210

Proof of Assets for Crypto Custodians by Jake Craige

Recomendados

Recomendados

Más contenido relacionado

Último

Último (20)

Destacado

Destacado (20)

Proof of Assets for Crypto Custodians by Jake Craige