Giving up control of your keys to a crypto custodian comes with a lot of risk: you have to trust that they continue to have access to your funds and that they are representing your balance accurately. With research from the past few years, these institutions now have options for proving this, potentially in zero knowledge, to their customers.
Join Jake Craige, a Senior Engineer on the Coinbase Crypto Engineering team, to cover two protocols: Proof of Reserves and Provisions: Proof of Solvency. We'll cover how they work, the trade-offs they have, and how practical they are (or are not) for institutions to implement today.
6. History
• Bitcoin Whitepaper: October 2008
• Maxwell & Todd discuss on IRC: March 2013
• Wilcox publishes details on blog: May 2013
• Mt. Gox suspends withdrawals: February 2014
• Provisions Paper: August 2015
• MProve Paper: December 2018
• Proof of Reserves: February 2019
11. Our Options
• Public Audit
• Blockstream Proof of Reserves
• Provisions: Proof of Solvency
13. Public Audit
• Proof of Reserves
  • Sign a message with every address that has a balance
  • Send the signed messages to the auditor
  • Auditor verifies each signature and the balance on chain
• Proof of Liabilities
  • Provide a list of all customer identifiers and balances
• Proof of Solvency
  • Auditor verifies that the sum of reserves is greater than or equal to the liabilities and publishes a report
15. Maxwell Proof of Liabilities
• Proposed in 2013 by Greg Maxwell & Peter Todd
• Allows custodians to build a proof that includes all customer balances, where each customer can validate that they are included in the proof.
18. Proof of Reserves
• Proposal and tool released on February 4, 2019 by Blockstream
• BIP-127: Simple Proof-of-Reserves Transactions
• An unspendable transaction is the proof
• Bitcoin Only
23. Proof of Reserves
• BIP defines a standard that can be interoperable across wallets
• No privacy. All outputs you own are revealed.
• No proof of liabilities. The specification only covers reserves.*
• Proof size is O(n) in the number of inputs
*You could combine this with Maxwell's Proof of Liabilities to get one
25. Provisions: Proof of Solvency
• Paper published October 26, 2015 by Dagher et al.
• No production implementations
• Uses ZK-proofs for privacy
• Usable for any asset
26. Provisions: Proof of Solvency
• Proof of Assets
• Proof of Liabilities
• Proof of Solvency: shows that $Z_{\text{assets}} \cdot Z_{\text{liabilities}}^{-1}$ commits to $\mathrm{Assets} - \mathrm{Liabilities} = 0$
• Optional
  • Proof of Non-Collusion
  • Proof of Surplus
27. Provisions: Proof of Assets
• Commitment to each public key and balance
• Uses an anonymity set for privacy
• Uses interactive sigma proofs
• Made non-interactive with Fiat-Shamir transform
• Proof size is O(n) in the number of public keys
28. Provisions: Proof of Assets
ZK commitment to balance and knowledge of private key
• Generators $g, h \in \mathbb{G}$
• Public Key: $y = g^x$
• Knowledge of Private Key: $s \in \{0,1\}$
• Balance Commitment: $b = g^{\mathrm{bal}(y)}$
• Pedersen Commitment: $p = b^s \cdot h^v$ with $v \leftarrow_{\$} \mathbb{Z}_q$
• Published Values: $y, p$
36. Provisions: Proof of Assets
Verification of balance commitment: interactive sigma proof
• Prover: picks $u_1, u_2 \leftarrow_{\$} \mathbb{Z}_q$ and sends $a_1 = b^{u_1} \cdot h^{u_2}$
• Verifier: sends challenge $c \leftarrow_{\$} \mathbb{Z}_q$
• Prover: sends $r_s = u_1 + c \cdot s$ and $r_v = u_2 + c \cdot v$
• Verifier: checks $b^{r_s} \cdot h^{r_v} = p^c \cdot a_1$
Known to the verifier: $b, a_1, c, r_s, r_v, p$, where $p = b^s \cdot h^v$
Why the check holds:
$$p^c \cdot a_1 = (b^s \cdot h^v)^c \cdot a_1 = b^{cs} \cdot h^{cv} \cdot b^{u_1} \cdot h^{u_2} = b^{u_1 + cs} \cdot h^{u_2 + cv} = b^{r_s} \cdot h^{r_v}$$
46. Provisions: Proof of Liabilities
• Commitment to each customer identifier and balance, with a range proof for positive amounts
• Customer requests secret values from the custodian and can verify that their balance is in the proof.
• Auditor* checks that the sum of customer commitments is accurate
• Proof size is O(n) in the number of customers
*Can be anyone, but likely some service due to the size of the proof
49. Provisions: Proof of Liabilities
ZK commitment to balance
• Account Balance, in binary: $\mathrm{Balance} = \langle x_0, x_1, \ldots, x_{b-1} \rangle = \sum_{k=0}^{b-1} x_k \cdot 2^k$
• Binary Commitment to Bits, for each bit $x_k$: $r_k \leftarrow_{\$} \mathbb{Z}_q$, $z_k = g^{x_k} \cdot h^{r_k}$
• Commitment to Balance: $z = \prod_{k=0}^{b-1} z_k^{(2^k)}$ with $R = \sum_{k=0}^{b-1} r_k \cdot 2^k$
• Customer Identifier: $n \leftarrow_{\$} \{0,1\}^{512}$, $\mathrm{CID} = H(\mathrm{username} \,\|\, n)$
• Published Values: $\langle \mathrm{CID}, z_0, \ldots, z_{b-1} \rangle$
53. Provisions: Proof of Liabilities
Customer verification of balance commitment
• Request $(R, n, \mathrm{Balance})$ from the prover
• Compute $\mathrm{CID} = H(\mathrm{username} \,\|\, n)$ and verify it is in the published data
• Compute the balance commitment $z_c = g^{\mathrm{Balance}} \cdot h^{R}$
• Calculate the prover's commitment $z_p = \prod_{k=0}^{b-1} z_k^{(2^k)}$ from the published $z_k$
• Verify equality $z_c = z_p$
64. Provisions: Proof of Solvency
ZK commitment to total assets
$$\mathrm{Assets} = \sum_{i=1}^{n} s_i \cdot \mathrm{bal}(y_i)$$
$$Z_{\text{assets}} = \prod_{i=1}^{n} p_i = \prod_{i=1}^{n} b_i^{s_i} \cdot h^{v_i} = \prod_{i=1}^{n} g^{\mathrm{bal}(y_i) \cdot s_i} \cdot h^{v_i} = g^{\mathrm{Assets}} \cdot h^{\sum_{i=1}^{n} v_i}$$
67. Provisions: Proof of Solvency
ZK commitment to total liabilities
$$\mathrm{Liabilities} = \sum_{i=1}^{c} \mathrm{Balance}_i$$
$$Z_{\text{liabilities}} = \prod_{i=1}^{c} z_i = \prod_{i=1}^{c} g^{\mathrm{Balance}_i} \cdot h^{R_i} = g^{\sum_{i=1}^{c} \mathrm{Balance}_i} \cdot h^{\sum_{i=1}^{c} R_i} = g^{\mathrm{Liabilities}} \cdot h^{\sum_{i=1}^{c} R_i}$$
71. Provisions: Proof of Solvency
ZK commitment to assets − liabilities
$$Z_{\text{assets}} \cdot Z_{\text{liabilities}}^{-1} = Z_{\text{assets} - \text{liabilities}} = g^{\mathrm{Assets}} \cdot h^{\sum_{i=1}^{n} v_i} \cdot \left( g^{\mathrm{Liabilities}} \cdot h^{\sum_{i=1}^{c} R_i} \right)^{-1} = g^{\mathrm{Assets} - \mathrm{Liabilities}} \cdot h^{\sum_{i=1}^{n} v_i - \sum_{i=1}^{c} R_i}$$
When $\mathrm{Assets} = \mathrm{Liabilities}$ the $g$ component vanishes:
$$Z_{\text{solvency}} = g^{0} \cdot h^{\mathrm{sum}_v - \mathrm{sum}_r} = h^{\mathrm{sum}_v - \mathrm{sum}_r} = h^{\mathrm{excess}}$$
• Prover creates a proof of knowledge of $\mathrm{excess}$, the discrete log of $Z_{\text{solvency}}$ to base $h$
• Verifier computes solvency from the published commitments: $Z^{v}_{\text{solvency}} = \prod_{i=1}^{n} p_i \cdot \left( \prod_{i=1}^{c} z_i \right)^{-1}$
• Verifier verifies the prover's computation: $Z_{\text{solvency}} = Z^{v}_{\text{solvency}}$
• Verifier checks the proof of knowledge (Schnorr proof verification)
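The whole flow, from the asset sigma proof (slides 36-45) through the per-bit liability commitments and the customer check (slides 49-57) to the solvency combination and its Schnorr proof (slides 64-78), as one added example. This is not the talk's code or Coinbase's; it assumes secp256k1 as the group (the slides leave $\mathbb{G}$ abstract), SHA-256 for the CID hash and the Fiat-Shamir challenge, a 16-bit balance width, constructed balances, and function names of my choosing. The bit range proofs on the $z_k$, the part of the asset proof that ties $s = 1$ to knowledge of $x$, and the non-collusion proof are named by the slides but not detailed, so they are left out here.

```python
"""Toy end-to-end Provisions run over secp256k1 (added example, not the talk's code).
Additive notation: the slides' g^m * h^r is m*G + r*H; H is hashed onto the curve so
log_G(H) is unknown (Pedersen binding). Omitted: bit range proofs on z_k, the binding
of s = 1 to knowledge of x, and the non-collusion proof. Assumed: SHA-256, 16-bit ledger."""
import hashlib, secrets
from functools import reduce

P = 2**256 - 2**32 - 977                                                # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
BITS = 16                                                               # assumed ledger width b

def add(A, B):                                   # point addition; None is the identity
    if A is None or B is None: return A if B is None else B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 * pow(2*y1, -1, P) if A == B else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k, A):                                   # double-and-add scalar multiplication
    R, k = None, k % Q
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return None if A is None else (A[0], (P - A[1]) % P)
def enc(A): return b"\0" * 64 if A is None else A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def hash_to_point(tag):                          # try-and-increment; P % 4 == 3 so sqrt is one pow
    for ctr in range(2**32):
        x = int.from_bytes(hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest(), "big") % P
        y2 = (x**3 + 7) % P
        y = pow(y2, (P + 1) // 4, P)
        if y*y % P == y2: return (x, y)
H = hash_to_point(b"provisions-second-generator")                      # h with unknown dlog

def total(points): return reduce(add, points, None)
def commit(m, r): return add(mul(m, G), mul(r, H))                     # Pedersen g^m h^r
def challenge(*pts):                                                   # Fiat-Shamir challenge c
    return int.from_bytes(hashlib.sha256(b"".join(map(enc, pts))).digest(), "big") % Q

# Proof of assets: sigma proof of an opening (s, v) of p = b^s h^v (the slides' a1, c, r_s, r_v)
def prove_opening(b, p, s, v):
    u1, u2 = secrets.randbelow(Q), secrets.randbelow(Q)
    a1 = add(mul(u1, b), mul(u2, H))
    c = challenge(b, p, a1)
    return (a1, (u1 + c*s) % Q, (u2 + c*v) % Q)

def verify_opening(b, p, proof):
    a1, rs, rv = proof
    c = challenge(b, p, a1)
    return add(mul(rs, b), mul(rv, H)) == add(mul(c, p), a1)           # b^rs h^rv == p^c a1

def proof_of_assets(anon_set, owned):
    """anon_set: [(pubkey y, on-chain bal(y))]; owned: {index: private key x}.
    Returns published [(p_i, proof_i)] and the prover's secret sum of the v_i."""
    published, sum_v = [], 0
    for i, (y, bal) in enumerate(anon_set):
        s = 1 if i in owned else 0
        assert mul(owned.get(i, 0), G) == (y if s else None)             # s = 1 only with the key
        v, b = secrets.randbelow(Q), mul(bal, G)                         # b = g^bal(y)
        p = add(mul(s, b), mul(v, H))                                    # p = b^s h^v
        published.append((p, prove_opening(b, p, s, v)))
        sum_v = (sum_v + v) % Q
    return published, sum_v

# Proof of liabilities: per-bit commitments z_k; one published row <CID, z_0..z_{b-1}> per customer
def proof_of_liabilities(customers):
    rows, per_customer, sum_r = [], {}, 0
    for name, bal in customers:
        n = secrets.token_bytes(64)                                      # 512-bit nonce
        cid = hashlib.sha256(name.encode() + n).digest()                 # CID = H(username || n)
        rk = [secrets.randbelow(Q) for _ in range(BITS)]
        zs = [commit((bal >> k) & 1, rk[k]) for k in range(BITS)]       # z_k = g^{x_k} h^{r_k}
        R = sum(rk[k] << k for k in range(BITS)) % Q                     # R = sum r_k 2^k
        rows.append((cid, zs)); per_customer[name] = (R, n, bal); sum_r = (sum_r + R) % Q
    return rows, per_customer, sum_r

def balance_commitment(zs): return total(mul(1 << k, z) for k, z in enumerate(zs))  # prod z_k^(2^k)

def customer_verify(rows, name, R, n, bal):      # the customer holds (R, n, Balance) from the prover
    zs = dict(rows).get(hashlib.sha256(name.encode() + n).digest())
    return zs is not None and commit(bal, R) == balance_commitment(zs)  # z_c == z_p

# Proof of solvency: Z_assets / Z_liabilities must equal h^excess, shown by a Schnorr proof base h
def solvency_commitment(assets_pub, liab_rows):
    return add(total(p for p, _ in assets_pub), neg(total(balance_commitment(zs) for _, zs in liab_rows)))

def prove_solvency(assets_pub, liab_rows, sum_v, sum_r):
    Z, excess, u = solvency_commitment(assets_pub, liab_rows), (sum_v - sum_r) % Q, secrets.randbelow(Q)
    a = mul(u, H)
    return (a, (u + challenge(Z, a) * excess) % Q)                       # Schnorr (a, r) for Z = h^excess

def verify_solvency(anon_set, assets_pub, liab_rows, proof):
    openings_ok = all(verify_opening(mul(bal, G), p, pr) for (_, bal), (p, pr) in zip(anon_set, assets_pub))
    Z, (a, r) = solvency_commitment(assets_pub, liab_rows), proof
    return openings_ok and mul(r, H) == add(mul(challenge(Z, a), Z), a)  # h^r == Z^c a

def demo(liabilities):
    """Constructed scenario: four chain keys holding 50/30/20/10, the exchange owns the 50 and the
    20 (assets 70). `liabilities` is the customer ledger, plus the exchange's own surplus row when
    it wants assets - liabilities to come out at exactly 0. Returns the verifier's verdict."""
    keys = [secrets.randbelow(Q) for _ in range(4)]
    anon_set = [(mul(x, G), bal) for x, bal in zip(keys, (50, 30, 20, 10))]
    assets_pub, sum_v = proof_of_assets(anon_set, {0: keys[0], 2: keys[2]})
    rows, per_customer, sum_r = proof_of_liabilities(liabilities)
    assert all(customer_verify(rows, name, *per_customer[name]) for name, _ in liabilities)
    return verify_solvency(anon_set, assets_pub, rows, prove_solvency(assets_pub, rows, sum_v, sum_r))
```

`demo([("alice", 40), ("bob", 25), ("exchange surplus", 5)])` verifies, while `demo([("alice", 40), ("bob", 35)])` does not: with 75 in liabilities against 70 in assets, $Z_{\text{solvency}}$ keeps a non-zero $g$ component and the prover cannot produce a discrete log to base $h$ for it. The same failure happens if the exchange simply leaves its 5-coin surplus out of the ledger, which is why the surplus is carried as an extra liabilities row here; the slides' optional Proof of Surplus is what would show that row is genuine rather than padding.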
79. Provisions: Summary
• Proof size, construction time and verification time all scale linearly; the protocol is easily parallelizable.
• Does not reveal any information about addresses, total assets or customer balances.
• A public key that has not yet appeared on chain is revealed by including it in the anonymity set.
• Generation and verification require an oracle for balances at a given block hash.
• No proposed standard that would be interoperable across companies.
80. Open Questions
• Committing to an address instead of public key
• Proving cold storage assets
• Optimizing proof size, generation and verification