Verifying reserves while keeping privacy intact

13 replies 370 views
DarkSeedSenior Member
Posts: 209 · Reputation: 1423
#1Apr 10, 2017, 11:32 AM
So, I've been looking into the criticisms aimed at Bitcoin proxies, like the well-known MSTR run by Michael Saylor. A key argument against them is that they don't provide proof of reserves using public addresses. These companies get audited by top-tier regulators, with KPMG and others involved, and there's no way they'd risk their reputation by faking figures. Personally, I think that's not an issue, but I'd really like a method to cryptographically confirm that the funds actually exist. So, here’s my question: could we, with some smart engineering, come up with a way to create a hash or something from a valid public key that's unique to the amount of BTC held (or a combination of keys that total a certain value) in such a way that it can be verified without revealing the public keys? Is anyone out there working on this? It would be super useful. I totally get the concerns about MSTR's addresses being out there and as a shareholder you probably don't want that info floating around, but at the same time, it would provide reassurance and might help draw in investors who are hesitant but want to dip their toes in through proxies.
6 Reply Quote Share
fox100Senior Member
Posts: 165 · Reputation: 1050
#2Apr 10, 2017, 11:47 AM
Sure, google provisions (maybe add the word bitcoin). And taproot was specifically constructed so that solvency proofs could be more private and efficient. I wouldn't actually put that much stock in professional auditors.  Having deal now for a few years with a skilled conman in court and his professional support, it's clearly possible to get "reputable" professionals to attach their name to all kinds of sketchy shit.  The conartist just needs to put up a maze and tire them out, and give them enough 'proof' that they'll have plausible deniability when it goes wrong.  It's only any better when there is a long history of failures such that the auditor knows a reasonable bare minimum that will be considered competent for them, and we're not there for cryptocurrency (and even if we were it's still a weak guarantee). So for example, I saw Wright fool professionals by simply making a pile of backdated accounting records and pointing people to addresses in block explorers.  The professionals aren't going to do document forensics to figure out the docs were backdated.  They're not going to think carefully that an amount paid TO an address with your taxid in it doesn't mean you own that address, and so on. The question you have to ask is if the auditors report is wrong will they got to prison? Will they suffer financial ruin?  The answer is no, heck they could even be *complicit* and it's very unlikely that they'll ever suffer serious consequences. And so while better than nothing you shouldn't stake *your* own ruin on them being right.  They will catch accidental screwups but they will miss massive fraud. Wright even got a reputable big name audit/accounting firm BDO to back him up in Norway, -- and of course big name accounting firms have been part of basically every huge company fraud.
3 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#3Apr 10, 2017, 01:39 PM
It is possible to prove that you own a UTXO of certain amount without revealing UTXO details using one of these methods: 1. Anonymous usage tokens from curve trees 2. taproot-ringsig   3. OutputZero
2 Reply Quote Share
DarkSeedSenior Member
Posts: 209 · Reputation: 1423
#4Apr 11, 2017, 07:49 AM
I have been looking for that but I only found technical papers, im not sure if there is a free or commercial grade, user ready thing where you can buy a service and use it for yourself, your company or corporation. I know Strategy is looking for this product, and they are testing different things. I was wondering what would be the best way to go for a company that holds 550k BTC which is no joke. As far trusting auditors, I know even big firms like KPGM have been in corrupt cases and so on, so yes, ideally Strategy should move to some cryptographic solution where people can go and freely check the funds are real, but there has to be way to do this without putting people in danger by revealing their public addresses, it's just a matter of finding out how. Without having looking into this, could any of it be implemented in a nice web interface where people can request proof of funds of your company and then you get back the results showing the BTC is indeed there, or you need to do some convoluted things? Since this is aimed for the general public to check funds of a company, not to generate your own cryptographic proof only, it has to be well presented to the average joe.
6 Reply Quote Share
sam.bullSenior Member
Posts: 390 · Reputation: 1323
#5Apr 11, 2017, 09:07 PM
I asked something similar before though in an already thread so the input was low. That's what many people thought about FTX. As long as there are humans they can be bribed All they have to do is weigh the risk and bribe with their supposed losing face. He talked about using ZKP which can help hide the addresses but counters it's effectiveness as not being able to account for debt. So it would have to be used beside traditional auditing to account for liabilities. Giving is past history of 2001, people are losing faith and him stating he should be trusted because he has been doing this more than 25 years Isn't valid enough. So There are methods to obscure the address but they are quite complex.
4 Reply Quote Share
greglaserFull Member
Posts: 180 · Reputation: 542
#6Apr 12, 2017, 02:53 AM
They don't publish their addresses and hired KPMG for their audits report and I know KPMG is a big audits company. Even there is small probability that KMPG did something shady in collaboration with Strategy with potentiality of destroy their reputation, you can not trust either Strategy or KPMG. I am not an expert in this audits field and it is my thinking on it only, that could be wrong. If you don't know the Biggest failure in audits history with Enron collapse. Strategy's Bitcoin holding. https://x.com/arkham/status/1927786538869334095 https://intel.arkm.com/explorer/entity/microstrategy
3 Reply Quote Share
DarkSeedSenior Member
Posts: 209 · Reputation: 1423
#7Apr 12, 2017, 04:31 AM
I know about Arkham's registry of the (supposedly) Strategy addresses, but they are not official, they just extrapolated sales announced by Saylor on x and then they looked for similar amounts and time references and they have come up with those. In any case there are like 100k missing coins. At some point Strategy will come up with a solution to try to get this FUD about fake coins being reported to an end. As far as KPGM's, if you look it up there are some reports of corruption but this must have been some small branch or isolated cases. This would be an huge collusion of a company that is on the spotlight with one of the biggest audit firms. It would be suicidal for both parties to not get everything right. I think the risk of corruption here is very low but in Bitcoin we want max certainty, it's "don't trust, verify" after all, but I also understand Saylor having second thoughts at disclosing the addresses for security. It's one of those things.
3 Reply Quote Share
nick23Member
Posts: 36 · Reputation: 140
#8Apr 12, 2017, 05:25 AM
Yeah, I see where you're coming from and it is a valid concern. I mean, MSTR is audited under serious regulatory standards, and like you pointed out, firms like KPMG don’t just throw their name behind fake figures. But still, this is Bitcoin we’re talking about and a lot of us value the ability to verify things ourselves without having to rely on anyone. From a technical angle, I do believe there are practical way to approach this. It’s actually possible to build something that proves Bitcoin holdings without giving up sensitive public addresses. One idea I have come across is using Merkle proofs. The basic approach would be to hash together all the Bitcoin holding addresses into a Merkle tree, where each leaf is something like a hash of address + balance. Then, instead of revealing every wallet, they would just publish the Merkle root, and use that as a reference point. To prove holdings, they could share a proof path from a few leaves or even just the total up to the root. If the company signs the root with a known key, it adds that extra layer of validation. So, investors or anyone doing due diligence could verify it cryptographically, without seeing every wallet in play. We’re not quite there yet in terms of having a trustless, clean, and shareholder friendly system like that, but the pieces are definitely there. It just needs someone to put it all together in a way that balances privacy, security, and transparency. When that happens and I think it will seriously strengthen confidence around public BTC holdings like MSTR
0 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#9Apr 12, 2017, 09:13 AM
I looked at some of them, and the answer is no. Probably the answer will always be no because you need to have access to the keys. A web interface can be made for making requests but why would you need that when you can contact the companies in many other ways? In any case you are not going to be able to set up a system for getting responses on demand like that. I'll give you a specific example, for OutputZero it says: To have a live connection to a key and generate proofs on demand would be extremely dangerous even for a small amount of Bitcoin like holding 1. What companies can do instead is to provide quarterly proofs or on some schedule like that. Someone just needs to set a trend going with these things, with a few companies doing it regularly and it would move mountains I believe. I'm pretty sure that most people are not aware of any of these tools, or that you can even prove something like this without revealing information about it.
2 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#10Apr 12, 2017, 02:23 PM
Yes it is possible.
4 Reply Quote Share
alpha100Full Member
Posts: 102 · Reputation: 448
#11Apr 12, 2017, 05:46 PM
Arthur Anderson was one of the Big 5 top auditing firms in the US until it was discovered to be involved in cooking the books for Enron and Worldcom in one of the greatest financial frauds in history. The firm went bankrupt and never recovered from the scandal. So you can't trust anyone no matter how reputable they may be. Google AI says it is possible using merkle trees.
3 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#12Apr 12, 2017, 09:12 PM
Clarification: real users said, that it is possible, and a lot of AIs just repeat their content. But as usual, there is some hallucination in that. Which means, that the proof is incomplete, and this is how you can tell, if something is just some AI hallucination, or if it was written by a real human. AI can tell you, that you can just verify some hash, without looking into hashed content. Real cryptographer would tell you instead, how to verify the data behind that hash, without having to reveal it. Also, if you would be really interested about the details, then you would visit the links, which were shared by real humans:
2 Reply Quote Share
alpha100Full Member
Posts: 102 · Reputation: 448
#13Apr 15, 2017, 03:48 AM
Yes but AI can help explain or translate the highly technical language in a way non-coders can grasp. I should warn you I'm not a coder so I rarely visit the technical discussion part of the forum. Taking a handful of courses on UNIX,LINUX, computer networking in college is the extent of my technical knowledge. And I probably forgot a lot of it by now. I run a bitcoin node on an old spare computer but that doesn't require much if any coding knowledge. Incomplete, yes. But there may be other means to link the transaction to the identity of sender or receiver. Maybe that's better than nothing but I could be completely wrong. I appreciate the technical links but I would have to run it through AI before having any hope of understanding it.
1 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#14Apr 15, 2017, 05:23 AM
I know, I'm sorry. I guess I just read too many users, who trusted AI too much. A good exercise to test AI is to ask about things you know, because then, it is easier to spot, how models can hallucinate. When it comes to the merkle tree, then you have only transaction hash there. By checking that hash alone, you only know, that a given transaction was included, but you don't know any details about inputs, outputs, or anything else. You don't even know in that case, if hashed data is even a transaction, and not something completely different (for example block header). Well, it's better than nothing, because if you have some merkle tree, and you can check, that a given hash was properly included in a block, then you know, that someone put a lot of Proof of Work to make it. But still, there were fake or invalid blocks, so even if it is better than nothing, I would still be careful, to call it "a proof". There are many things, which are based on simple concepts. For example: when it comes to "ringsig", then you probably heard about "Ring Signatures" in the context of Monero. Here, it is very similar, but just applied on secp256k1, instead of Curve25519. And because the proof is not executed on-chain, but just verified outside, it can use a lot of features, which don't have to be fully covered by consensus rules, so there is a lot of freedom, when it comes to implementing such models.
0 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics