Provisions Privacy-preserving proofs of solvency for Bitcoin - - PowerPoint PPT Presentation



SLIDE 1

Provisions
Privacy-preserving proofs of solvency for Bitcoin exchanges
Real World Crypto 2016

eprint.iacr.org/2015/1008.pdf
github.com/bbuenz/provisions

Dan Boneh, Jeremy Clark, Benedikt Bünz, Joseph Bonneau, Gaby Dagher

SLIDE 2

Many users use Bitcoin via exchanges

[Figure: Alice ↔ EXCHANGE ↔ Bitcoin network]

SLIDE 3

Exchanges look a lot like online banks

SLIDE 4

Exchanges have a shaky track record

~50% have failed! [Moore, Christin 2013]

  • Mt. Gox: lost roughly US$450M; subsequent price crash

SLIDE 5

Goal: prove solvency

[Figure: USERS table (Alice bA, Bob bB, Charlie bC, ...) with TOTAL LIABILITIES = bA + bB + bC + ...; BITCOIN ADDRESSES table on the Bitcoin network (K1 b1, K2 b2, K3 b3, ...) with TOTAL ASSETS = b1 + b2 + b3 + ...]

Solvency ⇔ Total Liabilities ≤ Total Assets (full reserve)

SLIDE 6

Proofs of solvency have limitations

  • Proof of solvency is a snapshot
  • Proof of solvency ≠ willingness to pay

SLIDE 7

Approach #1: publish everything

[Figure: the same USERS table (Alice bA, Bob bB, Charlie bC, ...; TOTAL LIABILITIES = bA + bB + bC + ...) and BITCOIN ADDRESSES table (K1 b1, K2 b2, K3 b3, ...; TOTAL ASSETS = b1 + b2 + b3 + ...) as slide 5]

SLIDE 8

Approach #2: trusted auditor

[Figure: the same USERS / BITCOIN ADDRESSES tables as slide 5, shown to an auditor]

Auditor: "Looks good to me!"

SLIDE 9

Solution #3a: Maxwell protocol [2013]

[Figure: Merkle sum tree. Leaves Alice: bA, Bob: bB, Carol: bC, David: bD, each stored as (h, b) and hashed with H; each parent holds the hash of its children together with the sum of their balances, e.g. (H, bA+bB); the root holds (H, bA+bB+bC+bD), the total liabilities. Inclusion proof for Alice highlighted.]
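The Maxwell sum tree from the figure, as an added example in Python (constructed here; not code from the talk or the paper): leaves carry (hash, balance), each parent hashes its two children and adds their balances, and a user's inclusion proof is the sibling path up to the root. The verifier also rejects a negative sibling balance, since a negative leaf would lower the published total. What the path hands to Alice (her sibling's balance and subtree sums) is the "some info about account sizes" leak listed on slide 12; user names, balances and nonces are constructed.

```python
import hashlib

def H(*parts):  # hash of the concatenated fields, hex-encoded
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).hexdigest()

def node(left, right):  # parent = (H(children), sum of the children's balances)
    return (H(left[0], left[1], right[0], right[1]), left[1] + right[1])

PAD = (H("pad"), 0)  # padding leaf for odd-length rows, carries no balance

def build_tree(leaves):  # levels bottom-up; a leaf is (H(user, balance, nonce), balance)
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        row = levels[-1] + ([PAD] if len(levels[-1]) % 2 else [])
        levels.append([node(l, r) for l, r in zip(row[::2], row[1::2])])
    return levels

def inclusion_proof(levels, idx):  # sibling (hash, balance) per level, plus which side it sits on
    path = []
    for row in levels[:-1]:
        row = row + ([PAD] if len(row) % 2 else [])
        path.append((row[idx ^ 1], "left" if idx % 2 else "right"))
        idx //= 2
    return path

def verify_inclusion(root, my_leaf, path):  # recompute the root from the user's own leaf
    cur = my_leaf
    for sib, side in path:
        if sib[1] < 0:  # a negative balance anywhere would shrink the published total
            return False
        cur = node(sib, cur) if side == "left" else node(cur, sib)
    return cur == root
```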

SLIDE 10

Solution #3b: public proof of assets

SLIDE 11

Maxwell protocol considered too leaky

“Maxwell’s proposal would have required bitcoin companies to reveal all of their balance-containing addresses. This method would result in the public knowledge of exchanges’ or wallet providers’ bitcoin wallets and total holdings, information that is commercially sensitive and presents potential security risks to companies and users.”

SLIDE 12

Improving on Maxwell’s privacy goals

Maxwell protocol reveals: We reveal:

  • Total liabilities

  • Some info about account sizes

  • Total assets

  • Addresses in use

Non-goal: completely conceal number of users

SLIDE 13

Provisions at a high level

[Figure: USERS table (Alice bA, Bob bB, Charlie bC, ...; TOTAL LIABILITIES = bA + bB + bC + ...) → Proof-of-liabilities → commit(liabilities). BITCOIN ADDRESSES on the Bitcoin network (K1 b1, K2 b2, K3 b3, ...; TOTAL ASSETS = b1 + b2 + b3 + ...) + Anonymity set → Proof-of-assets → commit(assets). Proof-of-solvency: commit(assets - liabilities) = commit(0)]

SLIDE 14

Provisions proof-of-liabilities

Alice bA → Commit → [commit(Alice), commit(bA)]
Bob bB → Commit → [commit(Bob), commit(bB)]
Carol bC → Commit → [commit(Carol), commit(bC)]
...

Public proof: ∑_i commit(b_i) = commit(liabilities)

Inclusion proof for Alice: [commit(Alice), commit(bA)]

Homomorphic Pedersen commitments

SLIDE 15

Provisions proof-of-liabilities

Alice bA → Commit → [commit(Alice), commit(bA)]
Bob bB → Commit → [commit(Bob), commit(bB)]
Carol bC → Commit → [commit(Carol), commit(bC)]
Nobody 2^256 - x → Commit → (fake user)

Public proof: ∑_i commit(b_i) = commit(liabilities)

What if a fake user causes an overflow?

⟹ range proof needed for each committed balance

Range proof: 0 ≤ bA ≤ 2^51
Range proof: 0 ≤ bB ≤ 2^51
Range proof: 0 ≤ bC ≤ 2^51

SLIDE 16

Size of proof-of-liabilities

  • Proof size is Θ(m∙n) for n users, m bits precision
  • ∼9kB/user at 51 bits (31 bits should be enough)
  • easily parallelizable
  • incrementally updatable

SLIDE 17

Provisions at a high level

[Figure: recap of the slide 13 overview. USERS → Proof-of-liabilities → commit(liabilities); BITCOIN ADDRESSES + Anonymity set → Proof-of-assets → commit(assets); Proof-of-solvency: commit(assets - liabilities) = commit(0)]

SLIDE 18

Provisions proof-of-assets

[Figure: BITCOIN ADDRESSES on the Bitcoin network (K1 b1, K2 b2, K3 b3, ...; TOTAL ASSETS = b1 + b2 + b3 + ...) + Anonymity set]

NIZKPK:
  • exchange knows private keys for a subset of Bitcoin addresses
  • total value at these addresses is committed to by Zassets = commit(assets)

SLIDE 19

Provisions proof-of-assets

Anonymity addresses:

  private key   address   public balance
  k1            K1        b1
  ?             K2        b2
  k3            K3        b3
  ?             K4        b4
  ?             K5        b5
  k6            K6        b6

SLIDE 20

Provisions proof-of-assets

  private key   address   public balance   committed balance
  k1            K1        b1               commit(b1)
  ?             K2        b2               commit(0)
  k3            K3        b3               commit(b3)
  ?             K4        b4               commit(0)
  ?             K5        b5               commit(0)
  k6            K6        b6               commit(b6)

(addresses whose private key is unknown get commitments to 0)

SLIDE 21

Provisions proof-of-assets

  private key   address   public balance   committed balance   per-address proof
  k1            K1        b1               p1 = commit(b1)     ...
  ?             K2        b2               p2 = commit(0)      ...
  k3            K3        b3               p3 = commit(b3)     ...
  ?             K4        b4               p4 = commit(0)      ...
  ?             K5        b5               p5 = commit(0)      ...
  k6            K6        b6               p6 = commit(b6)     ...

Per-address proof: “Either I know ki and pi is a commitment to bi OR pi is a commitment to 0”

Public proof: ∑_i p_i = commit(assets)

SLIDE 22

Size of proof-of-assets

  • Proof size is Θ(N) for N addresses in anonymity set
  • ∼350 bytes/address
    ○ 1 public key
    ○ 2 elements of G
    ○ 8 elements of Zq

  • easily parallelizable

SLIDE 23

Completing the proof of solvency

[Figure: USERS → Proof-of-liabilities → commit(liabilities); BITCOIN ADDRESSES + Anonymity set → Proof-of-assets → commit(assets); both feed the Proof-of-solvency]

commit(balance) = commit(assets) - commit(liabilities)

SLIDE 24

Finishing the proof of solvency in style

Given: commit(balance) = commit(assets) - commit(liabilities)

  • Open commit(balance) ⟹ reveals surplus
  • Range proof that commit(balance) is small ⟹ proof that surplus exists
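The commitment arithmetic behind slides 14 through 24, as an added example in Python (constructed here; not the paper's reference implementation at github.com/bbuenz/provisions): Pedersen commitments over a toy safe-prime group, the homomorphic sums that give commit(liabilities) and commit(assets), their difference commit(balance), and the overflow a fake user with balance q - x (the slide's 2^256 - x) causes when no range proof is checked. The NIZK range proofs and the per-address OR proofs are not implemented; in_range only shows the predicate a range proof enforces, and the group parameters, user names and balances are all constructed.

```python
import hashlib, secrets

def is_prime(n):  # deterministic Miller-Rabin, exact for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % a == 0 for a in bases): return n in bases
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

# Toy group: order-q subgroup of Z_p^* for a safe prime p = 2q + 1 (deterministic
# search, ~63 bits; NOT a secure size, the paper uses a 256-bit elliptic-curve group).
q = 2**62 + 1
while not (is_prime(q) and is_prime(2 * q + 1)): q += 2
p = 2 * q + 1
g = 4  # 2^2 is a square, hence of order q
h = pow(int.from_bytes(hashlib.sha256(b"provisions-h").digest(), "big"), 2, p)  # log_g(h) unknown

def commit(v, r):  # Pedersen commitment g^v h^r: hiding, binding, additively homomorphic
    return pow(g, v % q, p) * pow(h, r % q, p) % p

def product(cs):  # multiplying commitments adds the committed values (slides 14, 21)
    out = 1
    for c in cs: out = out * c % p
    return out

def prove_liabilities(balances):  # slide 14: one commitment per user; exchange keeps the opening
    rs = {u: secrets.randbelow(q) for u in balances}
    cs = {u: commit(b, rs[u]) for u, b in balances.items()}
    return cs, sum(balances.values()), sum(rs.values()) % q

def prove_assets(anon_set, owned):  # slides 18-21: commit(b_i) if the key is known, else commit(0)
    rs = {a: secrets.randbelow(q) for a in anon_set}
    ps = {a: commit(b if a in owned else 0, rs[a]) for a, b in anon_set.items()}
    return ps, sum(anon_set[a] for a in owned), sum(rs.values()) % q

def solvency_commitment(c_assets, c_liab):  # slide 23: commit(assets) - commit(liabilities)
    return c_assets * pow(c_liab, q - 1, p) % p  # c^(q-1) = c^-1 in the order-q subgroup

def in_range(b, bits=51):  # slide 15: the predicate each per-user range proof enforces
    return 0 <= b < 2**bits
```

The commitments published for unknown-key addresses are indistinguishable from the others because commit(0) carries fresh randomness; only the product opens to the asset total.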

SLIDE 25

Extension: Valet keys

Keys are stored offline. Extension:
  • replace g^x for every key with g^(x·r)
  • Prove knowledge of each g^(x·r) to the base g^x
  • x·r is the valet key, safe to export

SLIDE 26

Provisions is practical

  • 150 MB asset proof with maximal anonymity set
  • 17 GB proof of liabilities for 2 Million users (Coinbase)
  • Computes in ~ 1 hour on 1 machine
  • Auditors check entire proof (~ 1 hour)
  • Users verify inclusion (~ free)

SLIDE 27

Limitation: non-public public keys

  • Provisions requires public keys for entire anonymity set
  • Most bitcoin addresses are H(PubKey)
    ○ Public key revealed after first spend
    ○ Majority are one-time use...
  • About 430k/1.3M addresses can be used in Provisions

⟹ SNARKs could be used to build a more powerful solvency proof.

SLIDE 28

Thanks! buenz@cs.stanford.edu
Paper: eprint.iacr.org/2015/1008.pdf
Reference implementation: github.com/bbuenz/provisions