Proving Bitcoin Solvency
-
Upload
duongkhanh -
Category
Documents
-
view
216 -
download
1
Transcript of Proving Bitcoin Solvency
![Page 1: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/1.jpg)
Proving Bitcoin Solvency
Dan BonehStanford University
Joint work with Gaby Dagher, Benedikt Bunz, Joe Bonneau, and Jeremy Clark
Fujitsu, Oct. 11, 2016
![Page 2: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/2.jpg)
… but first: Computer Security at Stanford
Alex Aikensoftware analysis
Dan Bonehapplied Crypto, web security
David Dillverification andsecure Voting
Dawson Englerstatic analysis
David MazièresOp. Systems
Phil LevisIoT Security
John Mitchellprotocol design,
online ed.
Mendel RosenblumVM’s in security
![Page 3: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/3.jpg)
Security events at Stanford
• Annual security workshop//forum.stanford.edu/events/2016security.php
• Security seminar//crypto.stanford.edu/seclab/sem.html
• Computer security courses//seclab.stanford.edu/
• Stanford Advanced Computer Security Certificate//scpd.stanford.edu/computerSecurity/
![Page 4: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/4.jpg)
New Bitcoin course
Courses:
• CS55N (freshmen seminar): ten ideas in computer security
• CS155: Computer Security
• CS251: Blockchain technologies: Bitcoin and friends
• CS255: Intro to Crypto
• CS259: Security analysis of network protocols
• CS355: Graduate course in cryptography
Stanford Advanced Computer Security Certificatehttp://scpd.stanford.edu/computerSecurity/
![Page 5: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/5.jpg)
New Bitcoin course
Courses:
• CS55N (freshmen seminar): ten ideas in computer security
• CS155: Computer Security
• CS251: Blockchain technologies: Bitcoin and friends
• CS255: Intro to Crypto
• CS259: Security analysis of network protocols
• CS355: Graduate course in cryptography
Stanford Advanced Computer Security Certificatehttp://scpd.stanford.edu/computerSecurity/
Try our homeworks and projects
![Page 6: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/6.jpg)
Online Courses
//www.coursera.org/learn/crypto
Course open to the public
![Page 7: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/7.jpg)
Proving Bitcoin Solvency
Dan BonehStanford University
Joint work with Gaby Dagher, Benedikt Bunz, Joe Bonneau, and Jeremy Clark
![Page 8: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/8.jpg)
Bitcoin: first successful crypto currency
$ 9.8B
![Page 9: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/9.jpg)
More than a currency: the blockchain
Non-currency applications:
• Document management --- ensuring freshness
• Asset management
……
![Page 10: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/10.jpg)
Solvency trouble
![Page 11: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/11.jpg)
Solvency trouble
Mt. Gox:lost roughly US$450MSubsequent price crash
~50% have failed![Moore, Christin 2013]
Solvency trouble
![Page 12: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/12.jpg)
Bitcoin: ensuring solvencyThe problem: a Bitcoin “exchange” has:• obligations to customers, and• assets that it holds (knows secret key for assets)
Goal: prove assets ≥ obligations (solvency)without revealing any info about assets or obligations(i.e., a zero-knowledge proof)
Dagher-Bunz-Bonneau-Clark-Boneh (ACM CCS 2015) :
an efficient zero-knowledge protocol for this problem
Running protocol daily would have detected Mt. Gox troubles early
![Page 13: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/13.jpg)
How?Sub-protocol 1: create commitment O to total obligations:• Commitment is binding, but reveals nothing about obligations• Every user is given a secret key that lets it verify that its account
balance is (uniquely) included in total sum
Sub-protocol 2: create commitment A to total assets:• Let pk1, …, pkn be public keys (addresses) on the block chain• The exchange knows sk for a subset of these addresses• Exchange proves:
sum of balances for which it knows sk is value(A)
nothing is revealed about which addresses the exchange owns
Sub-protocol 3: prove value(A) ≥ value(O)
![Page 14: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/14.jpg)
Experiments
![Page 15: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/15.jpg)
Deployment
• Open source
• Supporting cold storage:
• An exchange stores the bulk of its assets in cold storage⇒ cannot use assets in a daily solvency proof
• Solution: valet key (“blinding” of secret key)sufficient for proof of solvency, but not to spend funds
![Page 16: Proving Bitcoin Solvency](https://reader031.fdocuments.us/reader031/viewer/2022030323/58a1a3361a28ab9b4d8c4257/html5/thumbnails/16.jpg)
THE END