Bitcoin Forum
Author Topic: Request for Comments on Audit Protocol  (Read 25878 times)
earonesty (OP)
February 28, 2014, 07:18:18 PM
 #1

Although this does not address liabilities, that is not a chief concern.   By implementing an interim standard for publishing reserve balances, we can quickly placate the investor community on the health of major exchanges:

http://www.reddit.com/r/Bitcoin/comments/1z72wz/btce_et_al_should_publish_their_reserve_balance/


LOCATION:
Code:
https://<site>/dcx/balance.json

CONTENT:
Code:
{
  "time"    : "<RFC 3339 time>",
  "nonce"   : "<unique nonce>",
  "reserve" : [
    { "addr" : "1x.........",
      "sig"  : "<signature of nonce for address>"
    },
    { "addr" : "1b.........",
      "sig"  : "<signature of nonce for address>"
    },
    ....
  ]
}

Obviously this doesn't address:

  • Fiat balances
  • Liabilities

These issues can only be properly addressed with audits, since most exchanges don't use BTC protocol internally.  

However, following an audit, the ratio of average volume to liability can be expected to remain fairly stable, providing a public health metric that will give immediate relief to the current climate of skepticism.

benjyz
February 28, 2014, 07:41:29 PM
 #2

Good idea. Much more should be done in this area. However, there are several very hard problems. Proof of balance is not worth very much if an attacker can remove all coins in minutes. So if $500M evaporates without anyone noticing, there is the question of how to create accounts which are more secure by default. Could one create an address which has different features? An address which is sealed so that only a certain percentage can be withdrawn? A multi-signature address? Everything depends on the security mechanism.
earonesty (OP)
February 28, 2014, 09:43:05 PM
 #3

Quote from: benjyz
Good idea. Much more should be done in this area. However, there are several very hard problems. Proof of balance is not worth very much if an attacker can remove all coins in minutes. So if $500M evaporates without anyone noticing, there is the question of how to create accounts which are more secure by default. Could one create an address which has different features? An address which is sealed so that only a certain percentage can be withdrawn? A multi-signature address? Everything depends on the security mechanism.

I agree.  If someone's storing all their reserves on one machine, in one wallet, with one password... well, then you've got a problem.  And there's very little they can do to prove they aren't doing that.

But right now, a temporary measure is needed.   

We need to know that these large exchanges aren't running fractional reserves.   Mt. Gox insisted, repeatedly, that 90% of its assets were in cold storage.   But it never published keys and sigs.   And so we find out now that maybe they were making that all up.   People asked for keys and sigs to prove it... but they "demurred" on those requests...because "nobody else" was doing it.

If the Bitcoin Foundation came out with a "BIP" for this... even a simple thing like a standard JSON format and a requirement for SSL, that would be enough for the community to say... hey... there's a standard... why don't you adhere to it.

IMO, the first exchange to go transparent on reserves will see a flood of new business.
benjyz
February 28, 2014, 11:59:16 PM
 #4

Yes, this is going in the right direction. It's about much more than audits/proof of balance. Let's not forget that the US seized some of MtGox's assets. So even if you have a self-regulated exchange, you still have the very large factor of jurisdiction. Every exchange runs the risk of attack by the government. What I would like to see is an effort to create potential avenues for exchanges, i.e. a legal conduit. What do I mean by that? A registered corporation in some well-chosen location, which is an umbrella for exchanges. Or at least some concerted effort to create a legal strategy for exchanges.

The fiat exchanges will probably get attacked more and more. They should cooperate and provide services to Bitcoin users, and also cooperate in terms of performance standards, insider trading prevention, etc. Proving cold storage would be desirable, but that requires some kind of audit process IMO, i.e. somebody looking over the shoulder and testifying. What, for instance, if you lose the keys? How do you prove you own the keys? With MtGox you had 2 famous Bitcoiners claiming everything was okay, and later saying: sorry, I was wrong. That's not good enough. Coming up with a solution is not just a question of cryptography. But this RFC would be a start. See also gmaxwell's idea about trees, which could be BIP'ed: https://iwilcox.me.uk/2014/nofrac-orig
itod
View Profile
March 01, 2014, 02:34:15 PM
 #5

It's already being invented, it's called HD (hierarchical deterministic) wallets:
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

TL;DR: It lets you see the balance of your branch of keys (which could be the whole exchange, for instance) without giving any more information than necessary, like the balances of other users, etc. A few exchanges have committed to implementing them; they will be here very soon.
grau
View Profile WWW
March 01, 2014, 04:44:23 PM
 #6

The protocol as suggested does not prove that one has access to the funds, only that one had it at some point in time.

The data signed should include something that cannot be known in advance, e.g. the highest block hash at the time of signing.
itod
View Profile
March 01, 2014, 06:48:09 PM
 #7

Quote from: grau
The protocol as suggested does not prove that one has access to the funds, only that one had it at some point in time.

Are you sure?

Quote
Audits: M

In case an auditor needs full access to the list of incoming and outgoing payments, one can share the master public extended key. This will allow the auditor to see all transactions from and to the wallet, in all accounts, but not a single secret key.

I understand it differently.
grau
View Profile WWW
March 01, 2014, 09:22:18 PM
 #8

Quote from: grau
The protocol as suggested does not prove that one has access to the funds, only that one had it at some point in time.

Quote from: itod
Are you sure?

Yes, insolvency can also be caused by not having access to keys one had earlier. I heard such a story recently somewhere. It was a well-known exchange, wasn't it?
olalonde
March 02, 2014, 01:23:12 AM
Last edit: March 02, 2014, 02:00:11 AM by olalonde
 #9

I've implemented something very similar here: https://github.com/olalonde/bitcoin-asset-proof

Also see Blind Solvency Proof scheme: https://bitcointalk.org/index.php?topic=493475.0
benjyz
March 02, 2014, 01:17:16 PM
 #10

Quote from: grau
The protocol as suggested does not prove that one has access to the funds, only that one had it at some point in time.

The data signed should include something that cannot be known in advance, e.g. the highest block hash at the time of signing.

Even then: I can sign something and then one second later remove all coins. So the only thing people then know is that the funds are lost. What one really wants is an account with limited outputs. Basically a fund-like structure.
grau
View Profile WWW
March 03, 2014, 08:49:06 AM
 #11

Quote from: grau
The protocol as suggested does not prove that one has access to the funds, only that one had it at some point in time.

The data signed should include something that cannot be known in advance, e.g. the highest block hash at the time of signing.

Quote from: benjyz
Even then: I can sign something and then one second later remove all coins. So the only thing people then know is that the funds are lost. What one really wants is an account with limited outputs. Basically a fund-like structure.

Obviously a proof of holdings is pointless if the funds are no longer on that key. Such a document cannot substitute for what the block chain says, only supplement it.

Holding funds on multi-signature P2SH addresses (as e.g. https://bullionbitcoin.com does) enables the individual proof of controlling keys without bringing them together at a single storage.

Parliament
View Profile
March 03, 2014, 10:14:08 AM
 #12

Quote from: earonesty
Code:
         "sig"  : "<signature of nonce for address>"

This sounds like a terrible idea. You're basically prohibiting major exchanges from having any form of cold storage... All private keys have to be accessible at all times for this to work.
justusranvier
View Profile
March 03, 2014, 10:25:06 AM
 #13

You need proof of assets and proof of liabilities for the effort to be worth anything at all.

Proof of assets is the easy part - Bitcoin is an unimpeachable asset ledger.

It's the other half of the equation that's at all interesting from a problem-solving point of view. In order to prove how many BTC the exchange owes its customers, you need a form of unimpeachable liability accounting. That exists and it's called Open-Transactions.

Combine Open-Transactions' liability accounting with the multisig features in the Bitcoin blockchain and you get exchanges that can neither lie about balances nor steal from their customers.

http://bitcoinism.blogspot.com/2013/12/voting-pools-how-to-stop-plague-of.html
benjyz
March 03, 2014, 11:16:26 AM
Last edit: March 03, 2014, 11:29:29 AM by benjyz
 #14

Good debate. It goes in the right direction. The original proposal is a good idea in that it combines accounting with URLs. The ecosystem needs a framework like this, and it will be a lot of difficult work. Some now say that all you need is proof of balance (aantonop, gmaxwell), and that this can be done today. This overlooks many factors which matter a great deal. Unfortunately, as usual, the understanding of the underlying economic problems is superficial at best and ignorant at worst. So I appreciate this thread and the discussion in that it raises some of the right questions. There should be something like RFCs/best procedures for exchanges, which is something I'm working on.

Quote from: justusranvier
You need proof of assets and proof of liabilities for the effort to be worth anything at all.

Not only that. You need proof of accessibility to those holding the claims. The assets are worthless if the keys are lost.
And then you need a priority system. If there is negative equity - who gets assets first - equity holders, depositors, employees? All of the structures exist in the fiat world and have evolved over a very long time.

Quote from: justusranvier
It's the other half of the equation that's at all interesting from a problem-solving point of view. In order to prove how many BTC the exchange owes its customers, you need a form of unimpeachable liability accounting. That exists and it's called Open-Transactions.

I've looked at this, and don't understand why so many continue to make these claims. As far as I'm aware, this system is not in production. And from the underlying economics it is flawed IMO, as are quite a few projects in this area. What does that statement even mean - "unimpeachable liability accounting"? It's the same thing as Ripple. Anyone broadcasting "I own $1000" does not make it true. That's why we have accounting in the first place, so that financial statements are difficult to forge. Bank statements are difficult to forge because of many checks and balances. Some guy running a server does not (yet) imply those checks and balances. MtGox claimed: "we do cold storage". Turns out that is not true.

Quote
Open-Transactions allows users to issue and manipulate digital assets.
Any issuer can sign and distribute new currency contracts in order to create new digital asset types.

Only the FED, ECB, BoE, BoJ, ... issue currency. Which means that going from fiat to BTC one needs bank integration. Fiat exchanges have to interoperate with fiat banks.
apetersson
View Profile
March 03, 2014, 03:49:56 PM
 #15

This is an important topic.

Without having read the full spec, I have to comment the following:

1) Make liability proofs decoupled from asset proofs.
Liability (user balances) can and should be updated in real time, while cold storage signatures can be updated manually each time the cold storage is accessed, or even less frequently. This does not protect against "losing the keys", but I cannot see how you can have a millisecond-accurate proof when we are talking about cold storage.

2) It would be enough to sign and publish an HD wallet pubkey for the cold storage. A smart application could check the proofs by expanding the keys with a known lookahead window.

3) The asset proofs must include unique identification for an exchange, otherwise the exchanges

4) The liability proofs must include user email/id in a meaningful schema (part of the spec?).

5) The spec could also provide a target of cold storage funds (90%, 98%, etc.) - the signed cold storage should typically be slightly lower than the stated liabilities, except if you commingle fees there.

Mycelium would love to see this implemented on exchanges, and we would implement an independent audit client, since our software already provides some of the needed infrastructure to query addresses.
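benjyz's pointer to gmaxwell's tree scheme, justusranvier's proof-of-liabilities point and apetersson's items 1 and 4 all rest on the same construction, a Merkle sum tree over the customer ledger. The block below is an added example, not code from this thread or from any project it links: each customer gets a salted leaf and an inclusion proof against one published (total, root hash) pair, and the ledger, the hashing layout, the salt handling and the padding rule are my own assumptions.

```python
import hashlib
import os

# Constructed sample ledger: customer id -> owed balance in satoshis (not real data).
LEDGER = {"alice@example.com": 150_000_000, "bob@example.com": 25_000_000,
          "carol@example.com": 300_000_000, "dave@example.com": 1_000}
PAD = (0, hashlib.sha256(b"pad").digest())  # zero-balance filler for odd rows

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def leaf(user_id: str, balance: int, salt: bytes) -> tuple:
    # The salt hides the id in the published tree; the customer gets it privately.
    return (balance, h(salt, user_id.encode(), balance.to_bytes(8, "big")))
def parent(left: tuple, right: tuple) -> tuple:
    # A node is (sum of child balances, hash binding both child sums and hashes).
    (lb, lh), (rb, rh) = left, right
    return (lb + rb, h(lb.to_bytes(8, "big"), lh, rb.to_bytes(8, "big"), rh))
def build_tree(leaves: list) -> list:
    # All levels, leaves first. Odd rows get a zero PAD node, never a duplicated
    # node: duplicating a node would double-count that customer's balance.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        levels[-1] = row = levels[-1] + ([PAD] if len(levels[-1]) % 2 else [])
        levels.append([parent(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels
def inclusion_proof(levels: list, index: int) -> list:
    # Sibling nodes from leaf to root, each flagged with whether it is the left child.
    proof = []
    for row in levels[:-1]:
        proof.append((row[index ^ 1], (index ^ 1) < index))
        index //= 2
    return proof
def verify(root: tuple, node: tuple, proof: list) -> bool:
    # Recompute the path to the root. A negative balance anywhere is rejected: it
    # would let the prover shrink the published total while every proof still passes.
    for sibling, is_left in proof:
        if sibling[0] < 0 or node[0] < 0:
            return False
        node = parent(sibling, node) if is_left else parent(node, sibling)
    return node == root
def demo() -> dict:
    users, salts = list(LEDGER), {u: os.urandom(16) for u in LEDGER}
    leaves = [leaf(u, LEDGER[u], salts[u]) for u in users]
    levels = build_tree(leaves)
    root = levels[-1][0]  # (total liabilities, root hash) is what the exchange publishes
    ok = all(verify(root, leaves[i], inclusion_proof(levels, i)) for i in range(len(users)))
    # Showing bob a balance other than the committed one must fail verification.
    bad = verify(root, leaf(users[1], LEDGER[users[1]] + 1, salts[users[1]]), inclusion_proof(levels, 1))
    return {"total_liabilities": root[0], "all_proofs_ok": ok, "tampered_ok": bad}
```

A customer only needs their own salt, leaf and sibling path to check that their balance is counted in the published total; the exchange's separately signed asset proof is then compared against that same total.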
justusranvier
View Profile
March 03, 2014, 03:52:15 PM
 #16

Quote from: benjyz
Not only that. You need proof of accessibility to those holding the claims. The assets are worthless if the keys are lost.
Correct

Quote from: benjyz
I've looked at this, and don't understand why so many continue to make these claims. As far as I'm aware, this system is not in production. And from the underlying economics it is flawed IMO, as are quite a few projects in this area. What does that statement even mean - "unimpeachable liability accounting"? It's the same thing as Ripple. Anyone broadcasting "I own $1000" does not make it true. That's why we have accounting in the first place, so that financial statements are difficult to forge. Bank statements are difficult to forge because of many checks and balances. Some guy running a server does not (yet) imply those checks and balances. MtGox claimed: "we do cold storage". Turns out that is not true.
The Open-Transactions server and libraries exist today. The voting pool feature is still being coded by FellowTraveler and Yamamushi.