Introduction
The Problem
Building blocks
Preliminaries
Protocols for Accounting Declaration
Protocols for Asset Declaration
Open problems
Conclusion
Secure Protocols for Provable Solvency v0.5
Philippe Camacho (philippe.camacho@gmail.com)
Coin4ce.com
June 16th, 2014
Philippe Camacho Secure Protocols for Provable Solvency
Who am I?
PhD in Cryptology, University of Chile, Chile. Worked on cryptographic hash
functions with special properties, in particular cryptographic accumulators.
PhD thesis:
http://users.dcc.uchile.cl/~pcamacho/papers/phdthesis.pdf
List of publications:
http://www.informatik.uni-trier.de/~ley/pers/hd/c/Camacho:Philippe
Slideshare presentations:
http://www.slideshare.net/philippecamacho/presentations
CTO of Coin4ce.com since mid 2013.
Acknowledgements
This work was done while I was at Coin4ce.com / Comprabitcoin.com.
I owe many thanks to Darren Camas, Austin Delonge and Adam Stradling for
their support and feedback.
Motivation
Catastrophic events like the MtGox bankruptcy have raised the need for an
automated, fully transparent and externally verifiable way to check the solvency
of financial institutions.
This presentation gives an overview of previously proposed protocols that
can help to automate part of the process of auditing the solvency of financial
institutions.
We show that it is possible in practice to keep the business data (amounts
owed/owned) private while still allowing the solvency of a financial
institution to be verified. For this purpose we use two main cryptographic tools:
commitments and zero-knowledge proofs.
Feedback and questions welcome at philippe.camacho@gmail.com.
The Problem
A Financial Institution (FI) usually keeps its database private.
Its database might not reflect the reality of its assets anyway.
In this situation, manual auditing is the only option. However, it is slow and
requires trusting the entity performing the audit.
Why Bitcoin changes the Scenario
With Bitcoin it’s simple to prove you own a given amount of coins:
1. Pick the address you claim to own.
2. Get a random message (not controlled by you): data from the blockchain can serve this purpose.
3. Sign this message with the private key corresponding to your bitcoin address.
4. The amount of BTC for this address is available in the blockchain.
Building Blocks
Merkle Trees
Secure Broadcast Channel
Commitments and Zero-Knowledge Proofs
Merkle Trees [9]
             g = H(e||f)
            /           \
   e = H(a||b)       f = H(c||d)
     /     \           /     \
    a       b         c       d
Figure 1: Merkle tree for the sequence (a, b, c, d). The hash function induced by the tree and a collision-resistant hash function H takes the set (a, b, c, d) as input and returns the root hash value g as output. A proof that a belongs to the sequence consists of the nodes containing the values (b, f) (underlined in the original figure), which are the siblings of the nodes on the path from a to the root g. Checking the proof consists of computing e′ = H(a||b), then computing g′ = H(e′||f), and finally checking that g = g′.
A Merkle tree [9] is a cryptographic data structure that makes it possible to:
Hash a sequence of values.
Prove that a specific value belongs to this sequence by giving the hash of this sequence and a short cryptographic proof.
It works as follows:
Put the values of the sequence at the leaves of a balanced binary tree.
Compute each internal node value by hashing the value of the left child concatenated with the value of the right child.
The value at the root is the hash of the sequence.
To prove that an element at a leaf belongs to the sequence:
Provide the siblings of the nodes on the path from this leaf to the root.
Using these nodes, recompute the hash value at the root and check that it is the same as the one provided initially (see Figure 1).
Efficiency: the size of the cryptographic proof and the time to check it are logarithmic in the size of the set.
Security: if the hash function used is collision-resistant, then it is hard to compute a fake cryptographic proof for an element that does not belong to the sequence.
Secure Broadcast Channel
A Secure Broadcast Channel (SBC) guarantees the following:
One can post messages.
Everyone sees exactly the same messages in the same order.
No one can delete messages.
Hey! Bitcoin is a SBC :)
It is quite an important tool: it can be used, for example, in electronic-voting
protocols [5].
Commitments
A commitment is a tool that makes it possible to delay the disclosure of some information.
It works basically as follows:
Alice chooses some message M and computes a commitment C = Comm(M, r), where
r, the randomness, is used to hide the information of M. When the context is clear we
will write C = Comm(M) instead of C = Comm(M, r).
Alice sends C to Bob.
Then Bob can tell Alice to open the commitment C.
Alice gives the message M and r to Bob.
Bob can check that indeed C = Comm(M, r).
There are two main security properties for commitments:
Given only C = Comm(M, r), one does not learn anything about M.
It is impossible for Alice to open the commitment C to another message M′ ≠ M.
Commitments are useful to implement apparently contradictory requirements
where one needs to prove something about some value, but wants to keep this
value secret at the same time.
Some commitments [10] have interesting algebraic properties that we will exploit
for the protocol described in section 3 (see next slide).
Pedersen Commitments [10]
Their security relies on the discrete logarithm problem. Intuitively, this means that given some group element $X = g^d$, where g is some generator, it is hard to compute d, the discrete logarithm.
Operations
Setup: consider a group G and two random elements g, h ∈ G.
Comm(M, r) = $C_M = g^M h^r$, where M is the message and r the randomness of the commitment.
Open($C_M$, M, r): returns (M, r).
Verify($C_M$, M, r): checks that $C_M = g^M h^r$.
Security (intuition)
The commitment $C_M$ = Comm(M, r) does not leak any information about M, as it is indistinguishable from a random message (due to the randomness r).
It is hard to open $C_M$ = Comm(M, r) to (M′, r′) where M′ ≠ M because, due to the discrete logarithm problem, the messages in the exponents M, r are somehow “locked” in their respective bases g, h.
For rigorous definitions and proofs see http://bit.ly/1e4gSxu
Homomorphic property
Given $C_M$ = Comm(M, r) and $C_N$ = Comm(N, r′) we have that
$$C_M \cdot C_N = g^M h^r \cdot g^N h^{r'} = g^{M+N} h^{r+r'} = \mathrm{Comm}(M + N, r + r')$$
Basically, by multiplying the commitments to the messages M and N one obtains a commitment to the message M + N.
We use this trick in order to compute the sum of owed/owned amounts without disclosing these amounts.
Proving two Commitments Encode the same Value with ZKPoK
In our construction we need to do the following: given Comm(M, r) and
Comm(M′, r′), prove that M = M′ without opening the commitments.
For this we need another tool, Zero-Knowledge Proofs of Knowledge (ZKPoK).
A ZKPoK lets the prover convince a verifier that he knows (M, r) such
that $C_M = \mathrm{Comm}(M, r) = g^M h^r$.
Using a ZKPoK, our statement can be proved as follows:
Compute $V = \frac{\mathrm{Comm}(M, r)}{\mathrm{Comm}(M, r')} = g^{M-M} h^{r-r'} = h^{r-r'}$.
Compute a ZKPoK of the discrete logarithm of V with respect to the base h.
See [4] for references on ZKPoK and techniques to prove more involved statements.
Proving a Commitment Encodes a Value in a Specific Range
A simple technique [7] (see also [2] Section 1.2.1) does the trick:
Decompose the committed number into a product of k commitments, where each
commitment corresponds to a bit.
Then prove each commitment encodes a bit.
Multiply these commitments together and check you obtain a commitment of the
number you want to test.
It’s not optimal but when the range is short, as in our case, it is efficient enough.
The size of the proof is proportional to the number of bits required to encode the
range (51 in our case). More sophisticated and efficient proofs have been
proposed [3].
Preliminaries
All the information produced by FI is published on a secure broadcast channel
SBC. This information may be signed by FI in case the SBC is shared with other
participants.
We consider two types of protocols
Accounting Declaration protocols: the FI declares how much money it owes to its
customers.
Asset Declaration protocols: the FI declares how much money it owns.
Maxwell-Todd Protocol
Todd Privacy-Preserving Protocol
Improving the Privacy of Maxwell-Todd Protocol
Maxwell-Todd Protocol [12], [8]
Description (footnote 1):
Periodically (once a day, week or month, for example) the FI publishes a value that
represents the list of accounts with their respective balances for each client.
The value is computed using a Merkle tree where:
Each leaf contains a pair (id, X), where id is the identifier of the customer and X the current
balance of his account.
Each internal node value N is computed recursively as N = H(X + Y ||L||R), where X is
the amount of the left child, Y the amount of the right child, L the (hash) value of the left
child and R the (hash) value of the right child.
The hash value of the root node is the one that is published.
It is the responsibility of the customer to check that his account balance belongs to the
tree by asking the FI for the corresponding cryptographic proof (the sibling nodes on the
path from the leaf to the root).
Discussion:
The user must check his account after each update of the root value.
However, in practice it is risky for the FI to lie about a user’s account balance, as
it might be detected.
The amount in each node must be positive. It is the responsibility of the user to check
that as well.
The total amount owed is public.
The root hash value must be published on the SBC; otherwise different hash values (and
thus different account declarations) could be published to different groups of people.
Footnote 1: A more detailed description is available at [14].
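The inclusion proof from the Merkle Trees slide applied to the summed tree described above, as an added example (not code from the presentation or from the protocol's authors). SHA-256, the one-byte domain tags, the 8-byte amount encoding and the customer names and balances are assumptions made for the example; the second data set shows why the customer has to check the sign of the amounts and not only the hashes.

```python
import hashlib

def _h(tag, *parts):
    """H(...) with a one-byte domain tag (assumption: keeps leaves and nodes apart)."""
    return hashlib.sha256(tag + b"".join(parts)).digest()

def _amount(x):
    """Fixed-width signed encoding, so that X + Y || L || R parses unambiguously."""
    return x.to_bytes(8, "big", signed=True)

def leaf(customer_id, balance):
    """Leaf for the pair (id, X): returns (amount, hash)."""
    return (balance, _h(b"\x00", _amount(balance), customer_id.encode()))

def parent(left, right):
    """Internal node N = H(X + Y || L || R): returns (X + Y, hash)."""
    total = left[0] + right[0]
    return (total, _h(b"\x01", _amount(total), left[1], right[1]))

def build(accounts):
    """Return all tree levels, leaves first; levels[-1][0] is the published root."""
    level = [leaf(cid, bal) for cid, bal in accounts]
    while len(level) & (len(level) - 1):      # pad to a power of two with empty leaves
        level.append(leaf("", 0))
    levels = [level]
    while len(level) > 1:
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Siblings on the path from leaf `index` to the root, each with its side."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1 == 1))   # True: sibling is on the left
        index >>= 1
    return path

def verify(root, customer_id, balance, path, check_sign=True):
    """Customer-side check: recompute the root and refuse negative amounts."""
    node = leaf(customer_id, balance)
    for sibling, sibling_on_left in path:
        if check_sign and (sibling[0] < 0 or node[0] < 0):
            return False
        node = parent(sibling, node) if sibling_on_left else parent(node, sibling)
    return node == root

# Constructed sample data: four customers and their balances.
HONEST = [("alice", 10), ("bob", 20), ("carol", 15), ("dave", 20)]
# The same book where a fake negative account pulls the declared total from 65 to 5.
CHEATING = [("alice", 10), ("bob", 20), ("carol", 15), ("fake", -40)]

def demo():
    honest, cheating = build(HONEST), build(CHEATING)
    root, bad_root = honest[-1][0], cheating[-1][0]
    return {
        "declared_total": root[0],
        "alice_ok": verify(root, "alice", 10, prove(honest, 0)),
        "alice_wrong_balance": verify(root, "alice", 11, prove(honest, 0)),
        "cheating_total": bad_root[0],
        "hashes_alone": verify(bad_root, "alice", 10, prove(cheating, 0), check_sign=False),
        "with_sign_check": verify(bad_root, "alice", 10, prove(cheating, 0)),
    }
```

In the cheating tree every hash is consistent, so a customer who only recomputes the root accepts it; the proof is rejected only because the sibling subtree on alice's path carries the amount -25.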
Privacy-Protecting Proof of Reserves without the Moon-Math and without
the backup angst [13]
Peter Todd addresses the problem of privacy (for user and FI) with the following
idea:
The FI commits (footnote 2) each deposit address to a domain name and the nonce relative
to the user.
This technique makes it possible to:
Keep the FI’s and the user’s respective balances private.
Avoid the key reuse attack (assigning the same bitcoin addresses to different users).
Some practical challenges arise:
This solution forces a specific administration of bitcoin addresses on the FI.
This solution also depends on the specific implementation of Bitcoin (in particular the
way Bitcoin addresses are computed).
Footnote 2: In this case hash functions are used, not commitments.
Adding privacy to Maxwell-Todd’s protocol
One of the limitations of Maxwell-Todd’s protocol is that it forces the FI to reveal
the total amount it owes to its customers.
We show here how to keep this amount private while still enabling the users to check
that their account is present in the Merkle tree (see [11] for a generalization of this
technique).
Idea:
Replace the amount X stored in each node by the commitment of this amount,
Comm(X).
Instead of computing the amount Z = X + Y of the parent node, multiply the
commitments of the left child and right child. That is, compute
Comm(Z) = Comm(X) · Comm(Y).
The homomorphic property ensures that indeed Z = X + Y.
Check using ZKP that each amount is in the range [0, Z], where $Z = 21 \cdot 10^6 \cdot 10^8$ is
the total amount of satoshis.
Example
                    A = H(B||C||Comm(65)); Comm(65)
                   /                               \
  B = H(D||E||Comm(30)); Comm(30)       C = H(F||G||Comm(35)); Comm(35)
       /              \                      /              \
D = ID1||Comm(10)  E = ID2||Comm(20)  F = ID3||Comm(15)  G = ID4||Comm(20)
Figure 2: Providing privacy to Maxwell-Todd’s tree using commitments. Here we replace the
amounts by the commitments of the amounts. For a node N, given the commitments
$C_L$ = Comm(X) and $C_R$ = Comm(Y) of the left and right child respectively, computing the
commitment of the node consists of multiplying these commitments. That is,
$C_N = C_L \cdot C_R = \mathrm{Comm}(X) \cdot \mathrm{Comm}(Y) = \mathrm{Comm}(X + Y)$.
Discussion
The commitments do not leak any information about the amounts.
Yet all the necessary relationships can be checked.
Now what do we do with this commitment?
We can compare it to another commitment that will contain for example the total asset
of the FI.
For example, in case of fiat money, the bank could compute another commitment
containing the FI’s balance in USD and sign it so that people can check the information
is legitimate. Then the FI can prove with ZKP that the two amounts included in each
commitment are equal.
In the case when the FI needs to prove the size of its assets in bitcoins we will use the
protocol described in section 2 to compute this commitment.
Compared to Todd’s solution [13], our solution allows two separate
protocols for Accounting and Asset declaration. This can be useful, for example, in
the case where assets are in fiat money. On the other hand, Todd’s solution offers
better privacy than our protocol for asset declaration (see next: section 2).
Basic Coin Ownership Protocol
Towards more privacy: random sampling
Coin Ownership Protocol
Already mentioned in the introduction. An implementation can be found at [6].
COIN OWNERSHIP
1. Pick the address you claim to own.
2. Get a random message (not controlled by you): data from the blockchain can serve this purpose.
3. Sign this message with the private key corresponding to your bitcoin address.
4. The amount of BTC for this address is available in the blockchain.
By being able to compute a signature on a random message the owner of the bitcoin
address proves he is able to transfer funds from this address to another.
Adding privacy
How do you prove you have a given amount of bitcoins without leaking this
amount?
Initial idea (footnote 3):
Use a private Maxwell-Todd tree where the leaves are composed of:
The bitcoin addresses the FI claims to own.
The amount available at these addresses.
The Merkle tree must be such that the addresses are sorted in ascending order so that
no address is duplicated (that would artificially inflate the total value of the assets).
Users must check that the neighbour leaf (which can be on the left or on the right) satisfies the
condition.
This might create the need to compute two branches of the Merkle tree.
Again the FI could lie (by duplicating some bitcoin addresses), but it exposes itself to
detection in case of fraud.
Choose a random leaf and ask the FI to open the commitment containing the address A
and the balance B at the leaf.
Run COIN OWNERSHIP on address A.
Check on the blockchain that the amount B is correct.
Footnote 3: This is only an idea. As mentioned next, it needs to be refined in order to work.
Example
                    A = H(B||C||Comm(65)); Comm(65)
                   /                               \
  B = H(D||E||Comm(30)); Comm(30)       C = H(F||G||Comm(35)); Comm(35)
       /              \                      /              \
D = BTC1||Comm(10)  E = BTC2||Comm(20)  F = BTC3||Comm(15)  G = BTC4||Comm(20)
Figure 3: Proving the size of assets with random sampling. This is the same construction as in
Figure 2 but we replace the user ID by the bitcoin address BTC1, BTC2, .... Note that we must
have BTC1 < BTC2 < BTC3 in order to avoid the duplication of bitcoin addresses.
Discussion
The main problem of this solution is that the more checks we do, the more we
reveal about the bitcoin addresses owned by the FI and thus the total amount of
bitcoins owed. So we need somehow to choose between privacy (of the FI) and
increasing the odds of catching a malicious FI.
Some ideas for future research:
Use zk-SNARKs as in Zerocash [1] to prove (without revealing it!) that a bitcoin
address is controlled by the FI.
Then we also need to prove that this address has the right amount of BTC bound to it.
This could be done using accumulators that would store the list of pairs
(address, balance) of the blockchain and then checking in zero-knowledge that this
address belongs to the table represented by the accumulator.
Open problems
Privacy for asset declaration without imposing any condition on bitcoin address
management like in [13]. Our solution is only partial as it is based on statistical
sampling.
Key rental attack. [13] proposes a way to prevent reusing keys internally or
between institutions, yet nothing prevents anyone from renting addresses to others in
order to simulate solvency.
Thank you!
Please send me feedback, questions at
philippe.camacho@gmail.com
[1] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza.
Zerocash: Decentralized Anonymous Payments from Bitcoin.
2014.
[2] Fabrice Boudot.
Efficient Proofs that a Committed Number Lies in an Interval.
In Bart Preneel, editor, EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, Berlin, Heidelberg, May 2000. Springer
Berlin Heidelberg.
[3] Jan Camenisch, Rafik Chaabouni, and Abhi Shelat.
Efficient Protocols for Set Membership and Range Proofs.
In ASIACRYPT ’08: Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information
Security, pages 234–252, Berlin, Heidelberg, 2008. Springer-Verlag.
[4] Jan Camenisch and Markus Stadler.
Proof Systems for General Statements about Discrete Logarithms.
Technical report, 1997.
[5] Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers.
A Secure and Optimally Efficient Multi-Authority Election Scheme.
In Walter Fumy, editor, EUROCRYPT, volume 1233 of LNCS, pages 103–118. Springer Berlin / Heidelberg, July 1997.
[6] Olivier Lalonde.
bitcoin-asset-proof.
https://github.com/olalonde/bitcoin-asset-proof, 2014.
[7] Wenbo Mao.
Guaranteed correct sharing of integer factorization with off-line shareholders.
In Hideki Imai and Yuliang Zheng, editors, Public Key Cryptography, volume 1431 of Lecture Notes in Computer Science,
Berlin/Heidelberg, 1998. Springer-Verlag.
[8] Greg Maxwell.
IRC transcript of gmaxwell describing his prove-how-(non)-fractional-your-Bitcoin-reserves-are scheme.
https://iwilcox.me.uk/2014/nofrac-orig, 2014.
[9] Ralph C. Merkle.
A Digital Signature Based on a Conventional Encryption Function.
In Carl Pomerance, editor, CRYPTO, volume 293 of LNCS, pages 369–378. Springer Berlin / Heidelberg, August 1987.
[10] Torben Pedersen.
Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing.
In J. Feigenbaum, editor, CRYPTO, volume 576 of LNCS, pages 129–140. Springer Berlin / Heidelberg, 1991.
[11] Brian Thompson, Stuart Haber, William G. Horne, Tomas Sander, and Danfeng Yao.
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases.
In Ian Goldberg and Mikhail J. Atallah, editors, Privacy Enhancing Technologies, volume 5672 of Lecture Notes in Computer Science.
Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.
[12] Peter Todd.
Peter Todd’s talk (Bitcoin Conference).
http://youtu.be/4d3LA8KpdMQ?t=6m33s, 2013.
[13] Peter Todd.
Privacy-Protecting Proof of Reserves without the Moon-Math and without the backup angst.
http://sourceforge.net/p/bitcoin/mailman/bitcoin-development/thread/20140325220507.GB4846@tilt/,
2014.
[14] Zak Wilcox.
Proving your Bitcoin reserves.
https://iwilcox.me.uk/2014/proving-bitcoin-reserves, 2014.
 
No Memory for Contracts
No Memory for ContractsNo Memory for Contracts
No Memory for ContractsKevlin Henney
 
Survey on Error Control Coding Techniques
Survey on Error Control Coding TechniquesSurvey on Error Control Coding Techniques
Survey on Error Control Coding TechniquesIJTET Journal
 
How to avoid bugs using modern C++
How to avoid bugs using modern C++How to avoid bugs using modern C++
How to avoid bugs using modern C++PVS-Studio
 
Brief Introduction to Error Correction Coding
Brief Introduction to Error Correction CodingBrief Introduction to Error Correction Coding
Brief Introduction to Error Correction CodingBen Miller
 
Secrecy and Authenticity Properties of the Lightning Network Protocol
Secrecy and Authenticity Properties of the Lightning Network ProtocolSecrecy and Authenticity Properties of the Lightning Network Protocol
Secrecy and Authenticity Properties of the Lightning Network ProtocolHans Hyttel
 
Blockchain and Smart Contract Simulation
Blockchain and Smart Contract SimulationBlockchain and Smart Contract Simulation
Blockchain and Smart Contract SimulationJun Furuse
 
2010 bristol q1_formal-property-checkers
2010 bristol q1_formal-property-checkers2010 bristol q1_formal-property-checkers
2010 bristol q1_formal-property-checkersObsidian Software
 
A few approaches to cope with crash/byzantine failures in communication netwo...
A few approaches to cope with crash/byzantine failures in communication netwo...A few approaches to cope with crash/byzantine failures in communication netwo...
A few approaches to cope with crash/byzantine failures in communication netwo...Feliciano Colella
 
Using a Formal Property Checker for Simulation Coverage Closure
Using a Formal Property Checker for Simulation Coverage Closure Using a Formal Property Checker for Simulation Coverage Closure
Using a Formal Property Checker for Simulation Coverage Closure DVClub
 
cscript_controller.pdf
cscript_controller.pdfcscript_controller.pdf
cscript_controller.pdfVcTrn1
 
Iot hub agent
Iot hub agentIot hub agent
Iot hub agentrtfmpliz1
 

Similar to Protocols for Provable Solvency (20)

Testimonianza di Alessandro Tommasi presentation biosig
Testimonianza di Alessandro Tommasi presentation biosigTestimonianza di Alessandro Tommasi presentation biosig
Testimonianza di Alessandro Tommasi presentation biosig
 
Nt1330 Unit 4 Dthm Paper
Nt1330 Unit 4 Dthm PaperNt1330 Unit 4 Dthm Paper
Nt1330 Unit 4 Dthm Paper
 
A New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups
A New Key Agreement Protocol Using BDP and CSP in Non Commutative GroupsA New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups
A New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups
 
Error control techniques for video communications
Error control techniques for video communications Error control techniques for video communications
Error control techniques for video communications
 
LDPC Encoding and Hamming Encoding
LDPC Encoding and Hamming EncodingLDPC Encoding and Hamming Encoding
LDPC Encoding and Hamming Encoding
 
Essay On Cryptography
Essay On CryptographyEssay On Cryptography
Essay On Cryptography
 
No Memory for Contracts
No Memory for ContractsNo Memory for Contracts
No Memory for Contracts
 
Survey on Error Control Coding Techniques
Survey on Error Control Coding TechniquesSurvey on Error Control Coding Techniques
Survey on Error Control Coding Techniques
 
How to avoid bugs using modern C++
How to avoid bugs using modern C++How to avoid bugs using modern C++
How to avoid bugs using modern C++
 
Brief Introduction to Error Correction Coding
Brief Introduction to Error Correction CodingBrief Introduction to Error Correction Coding
Brief Introduction to Error Correction Coding
 
Secrecy and Authenticity Properties of the Lightning Network Protocol
Secrecy and Authenticity Properties of the Lightning Network ProtocolSecrecy and Authenticity Properties of the Lightning Network Protocol
Secrecy and Authenticity Properties of the Lightning Network Protocol
 
Blockchain and Smart Contract Simulation
Blockchain and Smart Contract SimulationBlockchain and Smart Contract Simulation
Blockchain and Smart Contract Simulation
 
Lecture12
Lecture12Lecture12
Lecture12
 
2010 bristol q1_formal-property-checkers
2010 bristol q1_formal-property-checkers2010 bristol q1_formal-property-checkers
2010 bristol q1_formal-property-checkers
 
A few approaches to cope with crash/byzantine failures in communication netwo...
A few approaches to cope with crash/byzantine failures in communication netwo...A few approaches to cope with crash/byzantine failures in communication netwo...
A few approaches to cope with crash/byzantine failures in communication netwo...
 
9X5u87KWa267pP7aGX3K
9X5u87KWa267pP7aGX3K9X5u87KWa267pP7aGX3K
9X5u87KWa267pP7aGX3K
 
C04922125
C04922125C04922125
C04922125
 
Using a Formal Property Checker for Simulation Coverage Closure
Using a Formal Property Checker for Simulation Coverage Closure Using a Formal Property Checker for Simulation Coverage Closure
Using a Formal Property Checker for Simulation Coverage Closure
 
cscript_controller.pdf
cscript_controller.pdfcscript_controller.pdf
cscript_controller.pdf
 
Iot hub agent
Iot hub agentIot hub agent
Iot hub agent
 

More from Philippe Camacho, Ph.D.

Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldPhilippe Camacho, Ph.D.
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesPhilippe Camacho, Ph.D.
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Philippe Camacho, Ph.D.
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving  Collision-Resistant HashingPredicate-Preserving  Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyPhilippe Camacho, Ph.D.
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.
 
Strong Accumulators From Collision-Resistant Hashing
Strong Accumulators From Collision-Resistant HashingStrong Accumulators From Collision-Resistant Hashing
Strong Accumulators From Collision-Resistant HashingPhilippe Camacho, Ph.D.
 

More from Philippe Camacho, Ph.D. (20)

Blockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new worldBlockchain: 12 predictions for a new world
Blockchain: 12 predictions for a new world
 
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y OportunidadesBitcoin, Blockchain y más allá: Riesgos y Oportunidades
Bitcoin, Blockchain y más allá: Riesgos y Oportunidades
 
Analyzing Bitcoin Security
Analyzing Bitcoin SecurityAnalyzing Bitcoin Security
Analyzing Bitcoin Security
 
Smart contracts
Smart contractsSmart contracts
Smart contracts
 
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
Cuando las maquinas deciden por nosotros: introducción a los contratos inteli...
 
Bitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojasBitcoin y (in)seguridad: 5 paradojas
Bitcoin y (in)seguridad: 5 paradojas
 
No más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescateNo más Madoff: Satoshi al rescate
No más Madoff: Satoshi al rescate
 
How to explain bitcoin to your mother
How to explain bitcoin to your motherHow to explain bitcoin to your mother
How to explain bitcoin to your mother
 
Predicate-Preserving Collision-Resistant Hashing
Predicate-Preserving  Collision-Resistant HashingPredicate-Preserving  Collision-Resistant Hashing
Predicate-Preserving Collision-Resistant Hashing
 
Cuidatusbitcoins
CuidatusbitcoinsCuidatusbitcoins
Cuidatusbitcoins
 
Fair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third PartyFair Exchange of Short Signatures without Trusted Third Party
Fair Exchange of Short Signatures without Trusted Third Party
 
Foaf+ssl
Foaf+sslFoaf+ssl
Foaf+ssl
 
Agilidad al rescate
Agilidad al rescateAgilidad al rescate
Agilidad al rescate
 
XPDay2009: Nameaction
XPDay2009: NameactionXPDay2009: Nameaction
XPDay2009: Nameaction
 
On the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic AccumulatorsOn the Impossibility of Batch Update for Cryptographic Accumulators
On the Impossibility of Batch Update for Cryptographic Accumulators
 
Short Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed TreesShort Transitive Signatures For Directed Trees
Short Transitive Signatures For Directed Trees
 
Strong Accumulators From Collision-Resistant Hashing
Strong Accumulators From Collision-Resistant HashingStrong Accumulators From Collision-Resistant Hashing
Strong Accumulators From Collision-Resistant Hashing
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
 
Agile daychile2010
Agile daychile2010Agile daychile2010
Agile daychile2010
 
Agiles2010
Agiles2010Agiles2010
Agiles2010
 

Recently uploaded

Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTSérgio Sacani
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsAArockiyaNisha
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Lokesh Kothari
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Green chemistry and Sustainable development.pptx
Green chemistry  and Sustainable development.pptxGreen chemistry  and Sustainable development.pptx
Green chemistry and Sustainable development.pptxRajatChauhan518211
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander  in real timeGrafana in space: Monitoring Japan's SLIM moon lander  in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeSatoshi NAKAHIRA
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfSumit Kumar yadav
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Nistarini College, Purulia (W.B) India
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCEPRINCE C P
 
Chemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfChemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfSumit Kumar yadav
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfSumit Kumar yadav
 
Broad bean, Lima Bean, Jack bean, Ullucus.pptx
Broad bean, Lima Bean, Jack bean, Ullucus.pptxBroad bean, Lima Bean, Jack bean, Ullucus.pptx
Broad bean, Lima Bean, Jack bean, Ullucus.pptxjana861314
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...ssifa0344
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxAleenaTreesaSaji
 

Recently uploaded (20)

Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based Nanomaterials
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
Green chemistry and Sustainable development.pptx
Green chemistry  and Sustainable development.pptxGreen chemistry  and Sustainable development.pptx
Green chemistry and Sustainable development.pptx
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander  in real timeGrafana in space: Monitoring Japan's SLIM moon lander  in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
 
Chemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdfChemistry 4th semester series (krishna).pdf
Chemistry 4th semester series (krishna).pdf
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
Broad bean, Lima Bean, Jack bean, Ullucus.pptx
Broad bean, Lima Bean, Jack bean, Ullucus.pptxBroad bean, Lima Bean, Jack bean, Ullucus.pptx
Broad bean, Lima Bean, Jack bean, Ullucus.pptx
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 

Protocols for Provable Solvency

  • 1. Secure Protocols for Provable Solvency v0.5
    Philippe Camacho (philippe.camacho@gmail.com), Coin4ce.com, June 16th, 2014
  • 2. Who am I?
    PhD in Cryptology, University of Chile, Chile. Worked on cryptographic hash functions with special properties, in particular cryptographic accumulators.
    PhD thesis: http://users.dcc.uchile.cl/~pcamacho/papers/phdthesis.pdf
    List of publications: http://www.informatik.uni-trier.de/~ley/pers/hd/c/Camacho:Philippe
    Slideshare presentations: http://www.slideshare.net/philippecamacho/presentations
    CTO of Coin4ce.com since mid 2013.
  • 3. Acknowledgements
    This work was done while at Coin4ce.com / Comprabitcoin.com. I owe many thanks to Darren Camas, Austin Delonge and Adam Stradling for their support and feedback.
  • 4. Motivation
    Catastrophic events like the MtGox bankruptcy have raised the need for an automated, fully transparent and externally verifiable way to check the solvency of financial institutions.
    This presentation gives an overview of previously proposed protocols that can help to automate part of the process of auditing the solvency of financial institutions.
    We show that it is possible in practice to keep the business data (amounts owed/owned) private while still allowing the solvency of a financial institution to be verified. For this purpose we use two main cryptographic tools: commitments and zero-knowledge proofs.
    Feedback and questions welcome at philippe.camacho@gmail.com.
  • 5. The Problem
    A Financial Institution (FI) usually keeps its database private. Its database might not reflect the reality of its assets anyway. In this situation, manual auditing is the only option. However, it is slow and implies trusting the entity performing the audit.
  • 6. Why Bitcoin changes the Scenario
    With Bitcoin it's simple to prove you own a given amount of coins:
      1. Pick the address you claim to own.
      2. Get a random (not controlled by you) message: data from the blockchain can serve this purpose.
      3. Sign this message with the private key corresponding to your bitcoin address.
      4. The amount of BTC for this address is available in the blockchain.
  • 7. Building Blocks
      - Merkle Trees
      - Secure Broadcast Channel
      - Commitments and Zero-Knowledge Proofs
  • 8. Merkle Trees [9]
    Figure 1: Merkle tree for sequence (a, b, c, d), with root g = H(e||f), internal nodes e = H(a||b) and f = H(c||d), and leaves a, b, c, d. The hash function induced by the tree and a collision-resistant hash function H takes the set (a, b, c, d) as input and returns the root hash value g as output. A proof that a belongs to the sequence is composed of the nodes containing values (b, f) (underlined in the figure), which are the siblings of the nodes on the path from a to the root g. Checking the proof consists of computing e′ = H(a||b), then computing g′ = H(e′||f) and finally checking that g = g′.
    A Merkle Tree [9] is a cryptographic data structure that makes it possible to:
      - Hash a sequence of values.
      - Prove that a specific value belongs to this sequence by giving the hash of this sequence and a short cryptographic proof.
    It works as follows:
      - Put the values of the sequence at the leaves of a balanced binary tree.
      - Compute each internal node value by hashing the value of the left child concatenated with the right child.
      - The value at the root is the hash of the sequence.
    To prove that an element at a leaf belongs to the sequence:
      - Provide the siblings of the nodes on the path from this leaf to the root.
      - Using these nodes, recompute the hash value at the root and check it is the same as the one provided initially (see Figure 1).
    Efficiency: The size of the cryptographic proof and the time to check it are logarithmic in the size of the set.
    Security: If the hash function used is collision-resistant, then it is hard to compute a fake cryptographic proof for an element that does not belong to the sequence.
  • 9. Secure Broadcast Channel
    A Secure Broadcast Channel (SBC) guarantees the following:
      - One can post messages.
      - Everyone sees exactly the same messages in the same order.
      - No one can delete messages.
    Hey! Bitcoin is a SBC :)
    It's quite an important tool; it can be used, for example, in electronic-voting protocols [5].
  • 10. Commitments
    A commitment is a tool that allows one to delay the disclosure of some information. It works basically as follows:
      - Alice chooses some message M and computes a commitment C = Comm(M, r), where r, the randomness, is used to hide the information of M. When the context is clear we will write C = Comm(M) instead of C = Comm(M, r).
      - Alice sends C to Bob.
      - Then Bob can tell Alice to open the commitment C.
      - Alice will give the message M and r to Bob.
      - Bob can check that indeed C = Comm(M, r).
    There are two main security properties for commitments:
      - Given only C = Comm(M, r), one does not learn anything about M.
      - It's impossible for Alice to open the commitment C to another message M′ ≠ M.
    Commitments are useful to implement apparently contradictory requirements where one needs to prove something about some value, but wants to keep this value secret at the same time.
    Some commitments [10] have interesting algebraic properties that we will exploit for the protocol described in section 3 (see next slide).
  • 11. Pedersen Commitments [10]
    Their security relies on the discrete logarithm problem. Intuitively this means that given some group element $X = g^d$, where g is some generator, it is hard to compute d, the discrete logarithm.
    Operations:
      - Setup: consider a group G and two random elements g, h ∈ G.
      - $\mathrm{Comm}(M, r) = C_M = g^M h^r$, where M is the message and r the randomness of the commitment.
      - $\mathrm{Open}(C_M, M, r)$: returns (M, r).
      - $\mathrm{Verify}(C_M, M, r)$: checks that $C_M = g^M h^r$.
    Security (intuition):
      - The commitment $C_M = \mathrm{Comm}(M, r)$ does not leak any information about M as it's indistinguishable from a random message (due to the randomness r).
      - It's hard to open $C_M = \mathrm{Comm}(M, r)$ to (M′, r′) where M′ ≠ M because, due to the discrete logarithm problem, the messages in exponents M, r are somehow "locked" in their respective base g, h.
      - For rigorous definitions and proofs see http://bit.ly/1e4gSxu
    Homomorphic property:
      Given $C_M = \mathrm{Comm}(M, r)$ and $C_N = \mathrm{Comm}(N, r')$ we have that
      $C_M \cdot C_N = g^M h^r \cdot g^N h^{r'} = g^{M+N} h^{r+r'} = \mathrm{Comm}(M + N, r + r')$
      Basically, multiplying the commitments relative to messages M, N one obtains the commitment of message M + N. We use this trick in order to compute the sum of owed/owned amounts without disclosing these amounts.
  • 12. Proving two Commitments Encode the same Value with ZKPoK
    In our construction we need to do the following: given Comm(M, r) and Comm(M′, r′), prove that M = M′ without opening the commitments.
    For this we need another tool, Zero-Knowledge Proofs of Knowledge (ZKPoK). This consists of letting the prover convince a verifier that he knows (M, r) such that $C_M = \mathrm{Comm}(M, r) = g^M h^r$.
    Using ZKPoK, proving our statement can be done as follows:
      - Compute $V = \frac{\mathrm{Comm}(M, r)}{\mathrm{Comm}(M, r')} = g^{M-M} h^{r-r'} = h^{r-r'}$
      - Compute a ZKPoK of the discrete logarithm of V with respect to the base h.
    See [4] for references on ZKPoK and techniques to prove more involved statements.
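The commitment scheme of slide 11 and the equality proof of slide 12, as an added Python example (not code from the slides). It assumes a constructed 71-bit safe-prime group generated at import time, far too small for production, and makes the proof non-interactive with a Fiat-Shamir hash challenge, which the slides do not specify; all function names are hypothetical.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n below about 3e23 with these bases."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=70):
    """Constructed toy group: safe prime P = 2Q + 1, squares have order Q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # 2^2 is a square != 1, so it generates the order-Q subgroup
    ctr = 0
    while True:  # derive h from a hash so that log_g(h) is not chosen by anyone
        seed = hashlib.sha256(b"pedersen-h" + bytes([ctr])).digest()
        h = pow(int.from_bytes(seed, "big") % p, 2, p)
        if h not in (0, 1, g):
            return p, q, g, h
        ctr += 1

P, Q, G, H = setup()

def commit(m, r=None):
    """Comm(M, r) = g^M h^r mod P; returns (C, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P, r

def verify_opening(c, m, r):
    return c == commit(m, r)[0]

def challenge(*vals):
    """Fiat-Shamir challenge (assumption: the slides leave this open)."""
    data = "|".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_equal(c1, r1, c2, r2):
    """Schnorr proof of knowledge of x = r1 - r2 such that V = C1/C2 = h^x."""
    x = (r1 - r2) % Q
    v = c1 * pow(c2, -1, P) % P
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    s = (k + challenge(H, v, t, c1, c2) * x) % Q
    return t, s

def verify_equal(c1, c2, proof):
    t, s = proof
    if any(pow(c, Q, P) != 1 for c in (c1, c2, t)):
        return False  # element outside the order-Q subgroup
    v = c1 * pow(c2, -1, P) % P
    return pow(H, s, P) == t * pow(v, challenge(H, v, t, c1, c2), P) % P

def demo():
    # Homomorphic sum: the product of two commitments opens to 300 + 500.
    c_a, r_a = commit(300)
    c_b, r_b = commit(500)
    total_ok = verify_opening(c_a * c_b % P, 800, r_a + r_b)
    # Equality proof succeeds for equal values and fails for different ones.
    c1, r1 = commit(42)
    c2, r2 = commit(42)
    c3, r3 = commit(43)
    same_ok = verify_equal(c1, c2, prove_equal(c1, r1, c2, r2))
    diff_ok = verify_equal(c1, c3, prove_equal(c1, r1, c3, r3))
    return total_ok, same_ok, diff_ok

if __name__ == "__main__":
    print(demo())
```

When the two committed values differ, V keeps a factor of g, so the verification equation holds only if the challenge happens to be 0 mod Q.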
  • 13. Proving a Commitment Encodes a Value in a Specific Range
    A simple technique [7] (see also [2] Section 1.2.1) does the trick:
      - Decompose the committed number in a product of k commitments where each commitment corresponds to a bit.
      - Then prove each commitment encodes a bit.
      - Multiply these commitments together and check you obtain a commitment of the number you want to test.
    It's not optimal, but when the range is short, as in our case, it is efficient enough. The size of the proof is proportional to the number of bits required to encode the range (51 in our case).
    More sophisticated and efficient proofs have been proposed [3].
  • 14. Preliminaries
    All the information produced by the FI is published on a secure broadcast channel (SBC). This information may be signed by the FI in case the SBC is shared with other participants.
    We consider two types of protocols:
    - Accounting Declaration protocols: the FI declares how much money it owes to its customers.
    - Asset Declaration protocols: the FI declares how much money it owns.
  • 15. Maxwell-Todd Protocol [12], [8]
    Description (footnote 1):
    - Periodically (once a day, week or month, for example) the FI publishes a value that represents the list of accounts with their respective balances for each client.
    - The value is computed by using a Merkle tree where:
      - Each leaf contains a pair $(id, X)$, where $id$ is the identifier of the customer and $X$ the current balance of his account.
      - Each internal node value $N$ is computed recursively as $N = H(X + Y \| L \| R)$, where $X$ is the amount of the left child, $Y$ the amount of the right child, $L$ the (hash) value of the left child and $R$ the (hash) value of the right child.
      - The hash value of the root node is the one that is published.
    - It is the responsibility of the customer to check that his account balance belongs to the tree, by asking the FI for the corresponding cryptographic proof (the sibling nodes from the leaf to the root).
    Discussion:
    - The user must check his account for each update of the root value. However, it is risky in practice for the FI to try to lie about some user's account balance, as it might be detected.
    - The amount in each node must be positive. It is the responsibility of the user to check that as well.
    - The total amount owed is public.
    - The root hash value must be published in the SBC; otherwise different hash values (and thus different declarations of users' accounts) could be published to different groups of people.
    Footnote 1: A more detailed description is available at [14].
  • 16. Privacy-Protecting Proof of Reserves without the Moon-Math and without the backup angst [13]
    Peter Todd addresses the problem of privacy (for the user and the FI) with the following idea:
    - The FI commits (footnote 2) each deposit address to a domain name and the nonce relative to the user.
    This technique makes it possible to:
    - Keep the FI's and the user's respective balances private.
    - Avoid the key reuse attack (assigning the same bitcoin addresses to different users).
    Some practical challenges arise:
    - This solution forces a specific administration of bitcoin addresses on the FI.
    - This solution also depends on the specific implementation of Bitcoin (in particular the way Bitcoin addresses are computed).
    Footnote 2: In this case hash functions are used, not commitments.
  • 17. Adding privacy to Maxwell-Todd's protocol
    One of the limitations of Maxwell-Todd's protocol is that it forces the FI to reveal the total amount it owes to its customers. We show here (see [11] for a generalization of this technique) how to keep this amount private while still enabling the users to check that their account is present in the Merkle tree.
    Idea:
    - Replace the amount $X$ stored in each node by the commitment of this amount, $\mathrm{Comm}(X)$.
    - Instead of computing the amount of the parent node as $Z = X + Y$, multiply the commitments of the left child and the right child. That is, compute $\mathrm{Comm}(Z) = \mathrm{Comm}(X) \cdot \mathrm{Comm}(Y)$. The homomorphic property ensures that indeed $Z = X + Y$.
    - Check using ZKP that each amount is in the range $[0, Z]$, where $Z = 21 \cdot 10^6 \cdot 10^8$ is the total amount of satoshis.
  • 18. Example
    A = H(B||C||Comm(65)); Comm(65)
      B = H(D||E||Comm(30)); Comm(30)
        D = ID1||Comm(10)
        E = ID2||Comm(20)
      C = H(F||G||Comm(35)); Comm(35)
        F = ID3||Comm(15)
        G = ID4||Comm(20)
    Figure 2: Providing privacy to Maxwell-Todd's tree using commitments. Here we replace the amounts by the commitments of the amounts. For a node $N$, given the commitments $C_L = \mathrm{Comm}(X)$ and $C_R = \mathrm{Comm}(Y)$ of the left and right child respectively, computing the commitment of the node consists of multiplying these commitments. That is, $C_N = C_L \cdot C_R = \mathrm{Comm}(X) \cdot \mathrm{Comm}(Y) = \mathrm{Comm}(X + Y)$.
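The committed tree of Figure 2, together with the customer's inclusion check from the Maxwell-Todd protocol, as an added example rather than code from the presentation. Hashing each leaf as H(id || Comm), the toy group, the sample randomness and all function names are assumptions of the example.

```python
import hashlib, math, secrets

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

# Toy group (constructed): P = 2Q + 1 is the first safe prime above 2^32.
Q = next(q for q in range(2**31, 2**32) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G, H = 4, 9  # squares mod P, so both have order Q; assumes log_G(H) is unknown

def commit(m, r):
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def digest(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def leaf(cid, amount, r):
    c = commit(amount, r)
    return (digest(cid, c), c)           # (node hash, commitment)

def parent(left, right):
    c = left[1] * right[1] % P           # Comm(X) * Comm(Y) = Comm(X + Y)
    return (digest(left[0], right[0], c), c)

def build(leaves):
    """Levels of the tree, leaves first; assumes a power-of-two leaf count."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, index):
    """Sibling nodes from leaf to root, each flagged True if it sits on the left."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def customer_check(cid, amount, r, path, root):
    """Customer rebuilds the published root from own id, balance and randomness."""
    node = leaf(cid, amount, r)
    for sibling, on_left in path:
        node = parent(sibling, node) if on_left else parent(node, sibling)
    return node == root

def opens_to(c, total, r_total):
    return c == commit(total, r_total)

# Constructed sample data: the four accounts of Figure 2 with fresh randomness.
ACCOUNTS = [(cid, amt, secrets.randbelow(Q)) for cid, amt in
            [("ID1", 10), ("ID2", 20), ("ID3", 15), ("ID4", 20)]]
LEVELS = build([leaf(*a) for a in ACCOUNTS])
ROOT = LEVELS[-1][0]
```

A leaf that commits to -20 (that is, Q - 20) passes every inclusion check and lowers the committed total, which is why each amount needs the range proof that the previous slide calls for.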
  • 19. Discussion
    The commitments do not leak any information about the amounts. Yet all the necessary relationships can be checked.
    Now what do we do with this commitment?
    - We can compare it to another commitment that will contain, for example, the total assets of the FI.
    - For example, in the case of fiat money, the bank could compute another commitment containing the FI's balance in USD and sign it so that people can check that the information is legitimate. Then the FI can prove with ZKP that the two amounts included in each commitment are equal.
    - In the case where the FI needs to prove the size of its assets in bitcoins, we will use the protocol described in section 2 to compute this commitment.
    Compared to Todd's solution [13], our solution allows two separate protocols for Accounting and Asset declaration. This can be useful, for example, in the case where assets are in fiat money. On the other hand, Todd's solution offers better privacy than our protocol for asset declaration (see next: section 2).
  • 20. Coin Ownership Protocol
    Already mentioned in the introduction. An implementation can be found at [6].
    COIN OWNERSHIP
    1. Pick the address you claim to own.
    2. Get a random (not controlled by you) message: data from the blockchain can serve this purpose.
    3. Sign this message with the private key corresponding to your bitcoin address.
    4. The amount of BTC for this address is available in the blockchain.
    By being able to compute a signature on a random message, the owner of the bitcoin address proves he is able to transfer funds from this address to another.
  • 21. Adding privacy
    How do you prove you have a given amount of bitcoins without leaking this amount?
    Initial idea (footnote 3)
    - Use a private Maxwell-Todd tree where the leaves are composed of:
      - The bitcoin addresses the FI claims to own.
      - The amount available at these addresses.
    - The Merkle tree must be such that the addresses are sorted in ascending order, so that no address is duplicated (that would artificially inflate the total value of the assets).
    - Users must check that the neighbour leaf (it can be on the left or on the right) satisfies the condition. This might create the need to compute two branches of the Merkle tree.
    - Again the FI could lie (by duplicating some bitcoin addresses), but it exposes itself to being detected in case of fraud.
    - Choose a random leaf and ask the FI to open the commitment containing the address A and the balance B at the leaf.
    - Run COIN OWNERSHIP on address A.
    - Check on the blockchain that the amount B is correct.
    Footnote 3: This is only an idea. As mentioned next, it needs to be refined in order to work.
  • 22. Example
    A = H(B||C||Comm(65)); Comm(65)
      B = H(D||E||Comm(30)); Comm(30)
        D = BTC1||Comm(10)
        E = BTC2||Comm(20)
      C = H(F||G||Comm(35)); Comm(35)
        F = BTC3||Comm(15)
        G = BTC4||Comm(20)
    Figure 3: Proving the size of assets with random sampling. This is the same construction as in Figure 2, but we replace the user ID by the bitcoin address BTC1, BTC2, .... Note that we must have BTC1 < BTC2 < BTC3 in order to avoid the duplication of bitcoin addresses.
  • 23. Discussion
    The main problem of this solution is that the more checks we do, the more we reveal about the bitcoin addresses owned by the FI and thus the total amount of bitcoins owed. So we need somehow to choose between privacy (of the FI) and increasing the odds of catching a malicious FI.
    Some ideas for future research
    - Use zk-SNARKs as in Zerocash [1] to prove (without revealing it!) that a bitcoin address is controlled by the FI.
    - Then we also need to prove that this address has the right amount of BTC bound to it. This could be done using accumulators that would store the list of pairs (address, balance) of the blockchain, and then checking in zero-knowledge that this address belongs to the table represented by the accumulator.
  • 24. Open problems
    - Privacy for asset declaration without imposing any condition on bitcoin address management, as in [13]. Our solution is only partial, as it is based on statistical sampling.
    - Key rental attack. [13] proposes a way to prevent reusing keys internally or between institutions, yet nothing prevents anyone from renting addresses to others in order to simulate solvency.
  • 25. Thank you!
    Please send me feedback and questions at philippe.camacho@gmail.com
  • 26.
    [1] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. 2014.
    [2] Fabrice Boudot. Efficient Proofs that a Committed Number Lies in an Interval. In Bart Preneel, editor, EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, Berlin, Heidelberg, May 2000. Springer Berlin Heidelberg.
    [3] Jan Camenisch, Rafik Chaabouni, and Abhi Shelat. Efficient Protocols for Set Membership and Range Proofs. In ASIACRYPT '08: Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security, pages 234–252, Berlin, Heidelberg, 2008. Springer-Verlag.
    [4] Jan Camenisch and Markus Stadler. Proof Systems for General Statements about Discrete Logarithms. Technical report, 1997.
    [5] Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers. A Secure and Optimally Efficient Multi-Authority Election Scheme. In Walter Fumy, editor, EUROCRYPT, volume 1233 of LNCS, pages 103–118. Springer Berlin / Heidelberg, July 1997.
    [6] Olivier Lalonde. bitcoin-asset-proof. https://github.com/olalonde/bitcoin-asset-proof, 2014.
    [7] Wenbo Mao. Guaranteed correct sharing of integer factorization with off-line shareholders. In Hideki Imai and Yuliang Zheng, editors, Public Key Cryptography, volume 1431 of Lecture Notes in Computer Science, Berlin/Heidelberg, 1998. Springer-Verlag.
    [8] Greg Maxwell. IRC transcript of gmaxwell describing his prove-how-(non)-fractional-your-Bitcoin-reserves-are scheme. https://iwilcox.me.uk/2014/nofrac-orig, 2014.
    [9] Ralph C. Merkle. A Digital Signature Based on a Conventional Encryption Function. In Carl Pomerance, editor, CRYPTO, volume 293 of LNCS, pages 369–378. Springer Berlin / Heidelberg, August 1987.
  • 27.
    [10] Torben Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In J. Feigenbaum, editor, CRYPTO, volume 576 of LNCS, pages 129–140. Springer Berlin / Heidelberg, 1991.
    [11] Brian Thompson, Stuart Haber, William G. Horne, Tomas Sander, and Danfeng Yao. Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases. In Ian Goldberg and Mikhail J. Atallah, editors, Privacy Enhancing Technologies, volume 5672 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.
    [12] Peter Todd. Peter Todd's talk (Bitcoin Conference). http://youtu.be/4d3LA8KpdMQ?t=6m33s, 2013.
    [13] Peter Todd. Privacy-Protecting Proof of Reserves without the Moon-Math and without the backup angst. http://sourceforge.net/p/bitcoin/mailman/bitcoin-development/thread/20140325220507.GB4846@tilt/, 2014.
    [14] Zak Wilcox. Proving your Bitcoin reserves. https://iwilcox.me.uk/2014/proving-bitcoin-reserves, 2014.