The developer is Gregory Maxwell, aka nullc. Here's a very interesting thread in which he proposes that the bitcoin community should demand that every bitcoin exchange (and every other type of service which can hold bitcoin on your behalf, like webwallets) continually prove that they are not fractional reserve. In other words, proof that if every user of the service simultaneously tries to withdraw all of their bitcoin, then the service would be able to honor all withdrawal requests: http://www.reddit.com/r/Bitcoin/comments/1yj5b5/unverified_p...
"I think that as a community we should start demanding these services continually prove that they are not fractional reserve. We cannot effectively eliminate the need for trust in these sorts of services, but we can certainly confine the exposure and eliminate a lot of this drama. With Bitcoin it's technically possible to prove an entity controls enough coin to cover its obligations— and even to do so in ways that don't leak other business information, and so we should. But this isn't something specific about MTGox, it's something we should demand from all services holding large amounts of third party Bitcoins. I wouldn't even suggest MTGox should do it first, rather— it sounds like a great move for their competition to differentiate themselves."
Here's the takeaway:
"This would leak the total holdings, and some small amount of data about the number of accounts and distribution of their funds, but far far less than all the account balances. Importantly, though— it could be implemented in a few hundred lines of python."
In case anyone from Coinbase is reading: you have a unique opportunity to be the first webwallet service to implement this, and thereby make the entire bitcoin community instantly fall in love with you. It would also set a minimum standard of quality for webwallet services in general, which would add a lot of value to the bitcoin ecosystem. It seems like this might be a pretty big business opportunity.
This guy seems to be everywhere! He's a prolific Wikipedia contributor (administrator + many thousands of edits), and was also the guy behind the dump of a ton of pre-1923 JSTOR documents to the Pirate Bay, which in part helped pressure JSTOR to un-paywall its old/PD articles (http://arstechnica.com/tech-policy/2011/07/swartz-supporter-...).
Say you were a shady Bitcoin banker with 5000 BTC in deposits, and you wanted to steal 1000 while still looking like you're on the up-and-up by implementing this idea.
First, you announce that you only have 4000 BTC in deposits. Then you build this tree, and at the very bottom layer you add a node with a -1000 balance. You pair that node with your (or a conspirator's) real node holding more than 1000 so that any node above yours (read: everyone else) sees a positive balance at every point in the tree. Everyone can verify they're in the tree, the numbers add up to what you claimed publicly, but you're now successfully running a fractional reserve! And the only way to uncover such a scheme would be to publish all of the balances for every account.
Am I missing something?
Edit for clarity: the node you pair with is your own, so that no real user sees the negative sum.
You actually owe 5000 BTC, but it seems like you owe 4000 BTC. So far so good. The problem is, what happens if you try to take advantage of this opportunity?
Case 1: other people withdraw first.
[ -1000, 1000, 0, 0 ]
[ 0, 0 ]
[ 0 ]
Nobody knows that anything nefarious has gone on. However, everyone else has successfully gotten their money out so you've actually defrauded no one.
Case 2: you withdraw first.
[ -1000, 0, 2000, 2000 ]
[ -1000, 4000 ]
[ 3000 ]
Now, the other 2 users actually can see that something is wrong, because the Merkle branch will have a -1000 BTC node sticking out.
So in theory, as long as there exist users who don't check their Merkle branches, and those users are identifiable, it probably is possible to run a slight fractional reserve undetected. So the protocol is suboptimal. But it's not really "broken". I do wonder if it can be improved though, perhaps with some kind of ZKP protocol.
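The two cases above can be played out with a small Merkle-sum tree. The block below is an added example for this thread, not code from nullc, Peter Todd or any exchange: the hash layout (each node commits to its own sum plus both children's sums and digests), the zero-sum padding node for odd levels and the per-account nonce are my own assumptions, and the balances are constructed. `HIDDEN` is aston's scheme (a -1000 leaf paired with an operator-controlled account, 4000 announced against 5000 really owed); `EXPOSED` is vbuterin's Case 2, where the operator has drained the paired account and the negative node now sits on every real customer's branch.

```python
import hashlib

# Constructed sample ledger; a node is a (sum, digest) pair. Sums are signed
# so the negative-leaf trick from the thread can be modelled and then caught.

def _i64(n: int) -> bytes:
    return n.to_bytes(8, "big", signed=True)

def leaf(account: str, balance: int, nonce: bytes) -> tuple:
    # The per-account nonce (assumed here) keeps a sibling from brute-forcing
    # our balance from the digest it is shown.
    return (balance, hashlib.sha256(_i64(balance) + account.encode() + nonce).digest())

def combine(left: tuple, right: tuple) -> tuple:
    total = left[0] + right[0]
    digest = hashlib.sha256(
        _i64(total) + _i64(left[0]) + left[1] + _i64(right[0]) + right[1]
    ).digest()
    return (total, digest)

EMPTY = (0, hashlib.sha256(b"empty").digest())  # zero-sum padding node

def build_tree(entries: list) -> list:
    """Return all levels, leaves first and root last."""
    level = [leaf(*e) for e in entries]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [EMPTY]       # pad, never duplicate (that would double a sum)
            levels[-1] = level
        level = [combine(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels: list, index: int) -> list:
    """Sibling (sum, digest) per level, plus whether our node is the right child."""
    path = []
    for level in levels[:-1]:
        path.append((index % 2 == 1, level[index ^ 1]))
        index //= 2
    return path

def verify(published_root: tuple, account: str, balance: int, nonce: bytes, proof: list) -> bool:
    """What one customer checks: own leaf present, no negative sum anywhere on
    the branch, and the branch hashes up to the single published root."""
    if balance < 0:
        return False
    node = leaf(account, balance, nonce)
    for we_are_right, sibling in proof:
        if sibling[0] < 0:
            return False                  # the -1000 node "sticking out" of the branch
        node = combine(sibling, node) if we_are_right else combine(node, sibling)
    return node == published_root

# Deterministic nonces for reproducibility; real deployments would use random ones.
NONCES = {n: hashlib.sha256(n.encode()).digest() for n in ("operator", "shill", "alice", "bob")}

HONEST  = [("alice", 1000), ("bob", 2500), ("shill", 1500)]                      # 5000 really owed
HIDDEN  = [("operator", -1000), ("shill", 1500), ("alice", 1000), ("bob", 2500)]  # 4000 announced
EXPOSED = [("operator", -1000), ("shill", 0), ("alice", 1000), ("bob", 2500)]     # shill drained

def scenario(ledger: list) -> tuple:
    """Build the tree, then let every account verify its own branch.
    Returns (root sum as published, {account: passed})."""
    levels = build_tree([(a, b, NONCES[a]) for a, b in ledger])
    root = levels[-1][0]
    checks = {a: verify(root, a, b, NONCES[a], make_proof(levels, i))
              for i, (a, b) in enumerate(ledger)}
    return root[0], checks

if __name__ == "__main__":
    for name, ledger in (("honest", HONEST), ("hidden", HIDDEN), ("exposed", EXPOSED)):
        print(name, scenario(ledger))
```

In `HIDDEN`, alice and bob both pass: the only branch that contains the negative leaf belongs to the operator's own account, which is exactly why the scheme cannot catch a negative leaf whose sibling never checks. In `EXPOSED`, every real customer's branch now passes through the -1000 internal node and `verify` rejects it. `verify` takes the published root as an input on purpose: a customer who compares against a root the operator hands them privately learns nothing, so all customers must check against the same published commitment.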
Not to discredit the very capable developers discussing this, but in the interest for giving credit where credit is due, didn't Peter Todd suggest this back in his Bitcoin 2013 presentation on off-chain transactions? I seem to remember him explaining something similar on a rooftop patio in Toronto last spring after a Bitcoin Toronto meetup.
I believe this was most extensively discussed as part of a long chat that Peter Todd was a part of, so no surprise that you've seen him talk about it. Off-chain banks stuff has been a long term pet interest of his.
In that discussion we applied a Merkle-sum tree data structure— a pet data structure that I'd previously proposed for making compact proofs of blockchain invalidity in Bitcoin (in order to make a future bitcoin world where no one runs full nodes safe from inflation and theft by miners)— to PT's bank fraud proofing application.
Search for "auditable off-chain transactions" and "Merkle-sum-tree"
(I left in a lot of unrelated stuff since it makes the meandering conversation make a bit more sense. Though a lot of this continues a long running dialog about cryptographic-wankery that has been going on for years)
Ultimately these schemes require the use of a jamming free broadcast network of some kind... otherwise they run into the same problems certificate transparency has where you can substitute the commitment on the fly. Fortunately, Bitcoin provides a global consensus mechanism which could be used to directly attach the commitment to the coins being spoken for.
I'm pretty sure I remember either Gregory Maxwell or Andrew Miller suggesting it to me first, and I think it might be the latter's idea originally. (at least in the Bitcoin space) Andrew has done a lot of work on "merkelizing" data structures: http://www.cs.umd.edu/~amiller/gpads/
Or, just use a system like we use on Bitalo, where fractional reserves are impossible because of the use of multi-signature Bitcoin addresses, which means funds are specifically tied to user wallets and exchange operators cannot use them without the user signing all transactions himself.
This requires one transaction per trade, effectively.
While systems like that have many applications— and should be used where they can, they aren't a replacement for large scale markets like MTGox or for ultra-low-cost instant payment systems.
At first I was worried of what would happen if the exchange introduced fake nodes with negative balances at the bottom of the tree, but there would be no way for them to hide that without the first real customer up to the root finding out (there would have to be a negative node that he/she could see). This sounds like a great idea!
Unless the negative valued customer and the surrounding customers never logged in... But that's a limitation of the scheme that can't be avoided. If a user never logs in you could just steal their balance (and correctly set it to zero).
You also must make sure that all customers are seeing the same root, and that you can't do funny business like constantly update it to swap out which customers you're robbing. (e.g. it should be a daily or weekly updated thing).
The big problem with this is convincing businesses to publicize their total customer deposits, which is extremely interesting information to competitors.
Though it could be a good way for new/small exchanges to differentiate themselves and gain trust of the community, which could force larger and larger exchanges to do the same until it's common practice (as mentioned has happened with provably-fair gambling sites)
Fractional reserve? I don't like that. It's like building a house of cards or a ponzi scheme. You shouldn't be able to say you have 10x of the value you actually have.
Alternatively, a fractional reserve institution can offer interest on accounts which might entice some people to accept the risk of a bank run. Given the popularity of some explicit ponzi schemes in the past month, it seems fairly clear there are plenty of folks who would accept those terms.
If you want to buy coins to use I'd go with Coinbase at least to get started. If you want to day trade, Kraken looks really promising if they are supported in your jurisdiction. Bitstamp has a decent track record though their locale gives me pause. Coinsetter is also pretty well put together if all you want to do is pair trade, but you can't do true exchange on there.
I've tried coinmkt but I don't like it. Their fees aren't great, their deposit and withdrawal methods are limited, and there are fees on deposits and withdrawals, at least there were when I gave it a try.
Coinbase. They've got $31m in combined funding from Y Combinator and Andreessen Horowitz, among others. I like to place my bets where veteran investors have some cash and reputation on the line.
Part of the problem is leaving funds lying around in exchanges, when it's trivial to transfer to your own wallet (though admittedly non-trivial to secure it, it's a tradeoff).
If you quickly transfer in, exchange, and transfer out you don't need quite as much trust.
Bitstamp have proved their good intentions and competence. They also have the most to lose at this point as the market leader. Had zero problems with transfers from there, very quick support replies, seem to be in good relations with their bank. I trust them. Kraken also looks promising, but it's a new exchange.
Anyway, best bet is to use several exchanges to take advantage of arbitrage opportunities and to distribute the risk.
I've used coinmkt more and more in the past week. I like them, seem to still be working things out, but if you trade multiple currencies they're a good bet. Being based in the USA doesn't hurt either.
This doesn't give you a way to validate your dollar deposits. In other words a dishonest exchange operator could misappropriate your dollar deposits and this scheme wouldn't tell you anything about it.
Yup. This is an example of how Bitcoin is superior to USD— USD is not so readily subject to cryptographic proof. :)
You could use it to show that USD obligations jive with third party audits, insurance, or accounts in a bank if you could get the bank to produce signed attestations... though the trust isn't eliminated there, just shuffled around.
The hash-tree scheme described here would work equally well for non-Bitcoin currencies, if I'm understanding it correctly. The only thing missing is the ability to prove ownership of the actual funds backing that tree. So what you're really complaining about is that there are no banks that offer digitally-signed attestation of account balances.
No. In theory if you know all the addresses you know how many coins they have— but to know the exchange is not fractional you must also know something about its obligations.
patcon|12 years ago
EDIT: http://www.youtube.com/watch?v=4d3LA8KpdMQ#t=6m45s
nullc|12 years ago
You may find the log interesting: https://people.xiph.org/~greg/bitcoin-wizards-fraud-proof.lo...
Sambdala|12 years ago
My email is in my profile, and I'm happy to Skype chat with anyone who wants to help.
Sambdala|12 years ago
I'll flesh it out a bit better tomorrow.
hayksaakian|12 years ago
You do realize that modern finance depends on this notion?
For example, banks need no more than 10% of a loan as cash on hand.
kumarski|12 years ago
I've been using http://coinmkt.com
I regrettably used MtGox.com. I'm kicking myself now.
pedrohrcunha|12 years ago
Already pleading it to Brazilian exchanges.