Fidelity-bonded banks: decentralized, auditable, private, off-chain payments

[Peter Todd]

By the way, IBMs trusted computing system is pretty much a dead end these days, it's very hard to obtain the hardware. It was never that good anyway, you had to sign consulting contracts to get the SDKs and other things. Intel/AMD have a much better system and I think x86 PC based remote attestation is the way to go for a lot of reasons. See the XMHF project (trustvisor).

The Intel/AMD stuff isn't secure though yet. While the IBM stuff really does bring the security to the level where your attackers need immense resources, because memory isn't encrypted PC-based trusted computing is still vulnerable to attackers with just a few thousand dollars worth of equipment. There is pressure to make the PC stuff secure for cloud computing, so it remains an open question what is the right approach.

Anyway, implementing trusted computing is the last step for any of this stuff; I don't want to have to solely rely on it.

Could you run a Chaum bank on the darknet? I don't think so. Even if the bank has put up a fidelity bond, the temptation to engage in fractional reserve banking would be immense, and could result in a lot of profit before the inevitable bank run. You can't really tell if this is happening because the coins you deposit are expected to be constantly moving as other people cash out their blinded tokens. I don't fully understand the time locking proposal for this reason - the blinded tokens only have value if you can turn them back into Bitcoins again, and that inherently means that your deposit can't be frozen or locked in any way.

Who says banks can engage in fractional reserve banking? You can force chaum-token redemption to be recorded in audit logs, and those logs prevent them from getting away with that. The logs themselves can be made public, and making them public still doesn't reveal anything.

Incidentally, this is why I mentioned above that there are probably good technical reasons why even off-chian chuam transactions would still require fees: you want to ensure that proving fraud is cheap, which means keeping the size of the proofs down. I expect that there would be some period in which all tokens are expected to be turned over for a given set of deposit addresses, which limits the total size of any given audit log. Because fidelity bonds themselves are only useful if fraud can be proven, I expect new bonds to get purchased over time to "start fresh".

As for time locking: I expect the tokens to themselves be Bitcoin transactions in some fashion, albeit locked so they can't be used immediately. But that discussion is out of the scope of this forum I think; I'm writing up tech specs like I did for fidelity bonds.

From a first glance, this proposal sounds very similar to what the OpenTransactions project has implemented. (see the highlighted parts above)

OpenTransactions is basically a toolkit, and yes, I do plan to do more work studying it to determine what aspects of their ideas are applicable to fidelity-bonded banks, and equally maybe they're do the same for fidelity bonds.

Aha, can you walk me through what you think ten years ago would look like? Let's say the year 2000:

Quote:

I bought a new Gateway desktop in 2000 It had windows ME.
10 GB hard drive, 860 processor. Also at that time I was on dial up.
Boy, you talk about speed. I didn't have it.

Small hard-drives were a huge issue 10 years ago. I can't see people buying multiple harddrives, just to experiment with this new-fangled "Bitcoin thing" The block size would have probably been set to something more like 100KiB, and a year or two in this exactly discussion would already be happening.

[tvbcof]

...
Look at it this way: if Bitcoin became the world's currency, it would need to support something like a hundred thousand transactions every second. You're just not going to have a decentralized system at that scale.

Ten years ago, even Bitcoin at it's current scale would be impossible without a lot of centralization. Unfortunately Moores law is already sputtering, so we're probably not going to get the far faster computers we all want in the future.

A situation where the very kernel of (what I call an) accounting system was light weight and higlhy distributed is very compelling to me.  The second layer may be heavy and centralized.  This is regretable and there will be fraud and abuse, but shutting such an overall system down becomes a possibly unwinnable game of whack-a-mole.

I've never put much faith in Moore's law.  The equipment accessible to me (in private life) is closer to what I used a decade ago than it is distant.  Come what may of Moore's law, I don't expect general accessibility to mirror the developments very closely.  Particularly if general accessibility poses a threat.

Anyway, regardless of who is right, if people don't work on alternatives like Trustbits now, we won't have any options at all in the future.

Garzik, Maxwell, an now ~retep are individuals who I find unusually credible.  I'll be following the work of these persons closely and potentially lending support as my resources allow.

[acoindr]

Small hard-drives were a huge issue 10 years ago. I can't see people buying multiple harddrives, just to experiment with this new-fangled "Bitcoin thing" The block size would have probably been set to something more like 100KiB, and a year or two in this exactly discussion would already be happening.

Right, but couldn't companies do it and give people pay access? In other words, right now the issue is about ability to run full nodes from home. The argument is that would then need to be handled by larger external sources. My question is can't that still be called decentralized, as in distribution of hardware powering the currency?

[markm]

I, in my capacity as Digitalis Data Services (see WHOIS knotwork.com and WHOIS knotwork.net) run the Digitalis Open Transactions server:

https://bitcointalk.org/index.php?topic=53329.0

I also run the OTdemo Open Transactions server, which allows anyone to issue assets.

Open Transactions already does Chaumian blinded tokens, however creation of "mints" for each asset as the asset is created is not automatic currently thus assets people make up for themselves to issue on the OTdemo server do NOT have the ability to mint Chaumain blinded cash tokens for their asset; currently creating the mints for them would require my intervention.

My policy for blockchain based coins such as BBQcoins, DeVCoins, and suchlike* is intended to be more like e-gold or Pecunix than like MtGox or Vircurex: stone-cold wallets, I hope never to have to dig coins out of cold storage because they are there to back tokens and tokens exist to be used. Unless I am closing down the business I expect to continue to need tokens thus to continue to leave the coins in the cold vault in order to continue to have full one to one correspondence between the number of tokens and number of coins regardless of whether I own the tokens (having not sold them yet or having bought them back) or someone else owns the tokens.

Thus I perforce must operate at more-than-100% reserve, as any "hot wallet" funds must be over and above - distinct from - the coins the tokens represent.

I also hope, like e-gold (not sure exactly how Pecunix works) that selling these tokens to end-users and buying them back from end-users will be done by others; e-gold called such others market-makers. Those market-makers apparently could ship physical gold to e-gold's vault facilities and maybe also order bars of gold shipped out to them, but Joe Sixpack never sees/touches gold, he buys and sells tokens from and to those market-makers. (He could buy the tokens with coins or gold though I guess if the market-maker offered such options, or sell them back for coins or gold, etc.)

As to this "trusted computing", I am not sure which brands Open Transactions might incorporate soonest, currently interfaces to that kind of hardware are not yet at the top of to-do lists I think.

-MarkM-

...

* "Suchlike": I hear some similar coins seem to claim to be money; I hear money has regulatory problems. Other than such problems, such similar coin types are technically pretty much interchangeable / compatible. Should some particular flavour be problematic, other flavours abound. Currently none have been proven problematic as far as I am aware. Thus currently my server supports a number of such assets, see http://galaxies.mygamesonline.org/digitalisassets.html

[Meatpile]

Regardless of where the funds go the bank adds the number on the receipt to a list of spent receipts; that way the receipt can only be used once

Pretty big silly burden on that bank to have to keep copies of every signature it has ever payed out just incase someone tries to double claim anytime in the future

Edit. Added quote, i was refering to the original idea not open transactions.

[markm]

Pretty big silly burden on that bank to have to keep copies of every signature it has ever payed out just incase someone tries to double claim anytime in the future

That is another profit-centre for the server: mints last X time and new ones are made every X/2 time, for example on my server cash lasts 6 months and new mints are made every 3 months.

Nice clients would automatically refresh your cash for you so you would not need to remember to.

But if it did expire, thanks you just paid for the service.

-MarkM-

[Zeilap]

What happens if the bank suddenly shuts down?

Of course, only the bank can give you your Bitcoins back. However Bitcoin itself has a feature called time-locked transactions. This allows the bank to give you a Bitcoin transaction that won't be valid for some time period, perhaps 6 months, that lets you get your deposit with them back. If the bank suddenly shuts down you'll be able to get your money back after that time. Of course, it'd be better to get it back immediately, but this isn't really any different to how the legal system takes a few months to clean up after a bank failure, except in this case whether or not you get your funds back is governed by math rather than humans.

Have I got this correct?
When I make a deposit and the bank gives me a receipt for the same amount, the receipt itself is a time-locked transaction repaying me the amount I deposited?
At a later date, either
 - the transaction is now unlocked, (and at the same time becomes invalid as a receipt) and I broadcast the transaction myself to redeem my deposit, or
 - I (or whoever I've transferred it to) deposits the receipt in return for funds/another receipt


Another question: who looks after the fidelity bonds and what's to stop them from running off with the money or simply sabotaging the system by refusing to release the bond when the bank shuts down?

[markm]

The project lead of Open Transsctions plans that bitcoin's multi-signature transactions system could be used to allow coins to be locked up in m-of-n style, where you could have n custodians and any m of them must sign any transaction that tries to move the coins.

Not sure how bitcoin is coming along with m-of-n transactions though.

-MarkM-

[johnyj]

Great, although I feel the solution is still quite complex, off-chain transaction is definitely the right direction, it maintains the highest trust because of integrity of bitcoin protocol, provide unlimited scalability and network resource saving, and provide needed transparency at retail level (charge back/dispute)

Actually I doubt that people are really going to use bitcoin to do daily spending, fiat money serve the purpose quite well, no need to duplicate that effort. Bitcoin just need more and better exchanges at each country: Daily tranactions - fiat, long term saving - bitcoin

[mobile4ever]

What keeps the bank manager, or someone else from replacing the whole machine?

The one I am talking about is the IBM example you gave. Could they just unplug the original and replace it with an alternative? You said the hardware could not be replaced:

...the software keeps the keys to the funds safe, and the hardware makes sure the software can't be changed without everyone knowing

...but the whole machine, could it be replaced?

[markm]

What keeps the bank manager, or someone else from replacing the whole machine?

The one I am talking about is the IBM example you gave. Could they just unplug the original and replace it with an alternative? You said the hardware could not be replaced:

...the software keeps the keys to the funds safe, and the hardware makes sure the software can't be changed without everyone knowing

...but the whole machine, could it be replaced?

Unlikely, because you would not be likely to know what private-key to engrave/burn/store into your replacement chip/emulator.

-MarkM-

[Severian]

Trustbits

I like the concept. A decentralized trust protocol.

I'm assuming that the devices you mention take the place of keyservers in this scheme?

I'm not a coder by any stretch but am very advanced in breaking things if you need a semi-pro luser for testing. Let me know what I can do to assist. The more efforts at off-chain transactions means continued improvement of these still new toolsets.

[jl2012]

Could you run a Chaum bank on the darknet? I don't think so. Even if the bank has put up a fidelity bond, the temptation to engage in fractional reserve banking would be immense, and could result in a lot of profit before the inevitable bank run. You can't really tell if this is happening because the coins you deposit are expected to be constantly moving as other people cash out their blinded tokens. I don't fully understand the time locking proposal for this reason - the blinded tokens only have value if you can turn them back into Bitcoins again, and that inherently means that your deposit can't be frozen or locked in any way.

I think it's possible to run on darknet. The fidelity bond, trusted computing, and transaction fee make sure the operator honest. It's at least better than Silk Road.

[jl2012]

Small hard-drives were a huge issue 10 years ago. I can't see people buying multiple harddrives, just to experiment with this new-fangled "Bitcoin thing" The block size would have probably been set to something more like 100KiB, and a year or two in this exactly discussion would already be happening.

If bitcoin was invented in 1996, the block size limit would have been set to 10KB. This is exactly why the 1MB hard-limit is arbitrary and is not intended to be kept constant forever.

[notig]

I say that if people want to work on off the chain systems... that's all great and dandy. But don't FORCE us to use them. By refusing to raise the block size limit you aren't letting the free market decide what it wants to use on top of bitcoin. You are forcing it to use whatever there is. And there might not be anything except for........ other cryptocurrencies.

Anyway, regardless of who is right, if people don't work on alternatives like Trustbits now, we won't have any options at all in the future.

[finway]

Only one question: is this bank doing 100% reserve?

[markm]

I say that if people want to work on off the chain systems... that's all great and dandy. But don't FORCE us to use them. By refusing to raise the block size limit you aren't letting the free market decide what it wants to use on top of bitcoin. You are forcing it to use whatever there is. And there might not be anything except for........ other cryptocurrencies.

That is absurd. One could equally well say by failing to use the block size we already have you aren't sending the market the "more size needed" signal.

"Damn, stuck with vast amounts of unsold inventory, should I restock? Maybe order larger quantity than last time around even?"

-MarkM-

[notig]

I say that if people want to work on off the chain systems... that's all great and dandy. But don't FORCE us to use them. By refusing to raise the block size limit you aren't letting the free market decide what it wants to use on top of bitcoin. You are forcing it to use whatever there is. And there might not be anything except for........ other cryptocurrencies.

That is absurd. One could equally well say by failing to use the block size we already have you aren't sending the market the "more size needed" signal.

"Damn, stuck with vast amounts of unsold inventory, should I restock? Maybe order larger quantity than last time around even?"

-MarkM-

if it's absurd.. then what does this mean?

The way I see it, we have 2-3 years before the blocksize becomes a serious issue, and if people start working on off-chain transaction projects now, we'll have plenty of good options by that time

obviously he is saying the blocksize becomes a serious issue down the road... not now. Is that absurd as well? because it's basically what I said.
If you make the bitcoin network incapable of scaling and you don't work on an off the chain system like this thread is about then "we have no options"

[markm]

if it's absurd.. then what does this mean?

The way I see it, we have 2-3 years before the blocksize becomes a serious issue, and if people start working on off-chain transaction projects now, we'll have plenty of good options by that time

Good question. Maybe its a prediction / assumption that we'll be stuck with excess inventory for a couple more years?

Exchange rates are falling though, so maybe the sky really is falling?

Oh wait, are they falling, really? Or just wobbling on their continued journey upward?

-MarkM-

[solex]

retep, I just want to say that I am impressed by the amount of thought going in to off-chain systems like this. It is far easier to criticize detail than to put together such a structured concept. I hope that they become a reality as an available service one day.