Viewpoint | How cryptography provides guarantees for solvency

Author: Eli Ben Sasson

Translation & Proofreading: Zhou Wei & Min Min

Source: Ethereum fans

With this technology, anyone can independently verify that a cryptocurrency business is sound, without having to rely on a professional auditor.

This article was first published on CoinCenter on September 19, 2018.


Because cryptocurrency exchanges have been the hardest hit by hackers, several of the industry's leading exchanges have had to perform regular solvency audits to convince customers and regulators that they are solvent, that is, that they hold "full reserves". This process consumes a great deal of staff time and money and is highly vulnerable to abuse. This article describes a better way to handle solvency audits and other financial reporting problems, using blockchain together with zero-knowledge proofs of computational integrity.

Mt. Gox hacked and its consequences


Mt. Gox was the largest bitcoin exchange of its day, handling more than 70% of all Bitcoin trading. In the first quarter of 2014, rumors about its solvency began to spread widely. In the second quarter the exchange abruptly shut down and declared bankruptcy, and the rumors were confirmed: it had lost 850,000 bitcoins, a bolt from the blue. At the time of writing those bitcoins are worth about $5.8 billion. Whether this was an inside job, an external hack, or some combination of the two remains unresolved, but one thing is clear: over a period of months, the exchange's funds drained slowly to external addresses while its customers were kept in the dark.

How could such a large sum be stolen without anyone noticing? Mt. Gox was clearly unprepared for the rapid growth in Bitcoin trading volume and value, and did not have time to harden its operational security. Part of the problem is that public chains are irreversible: once a transaction is on the chain, it is practically impossible to undo without inflicting great damage on the whole system. Had customers had a way to monitor the exchange's solvency, they could have spotted the problem earlier and averted the crisis.

In the wake of this incident (several smaller exchanges were also hacked around the same time), a number of leading cryptocurrency exchanges began inviting external auditors to conduct regular solvency audits on behalf of regulators and customers. During the audit, the exchange proves to the auditor that the assets controlled by its keys exceed its liabilities to customers. The auditor then draws up a balance sheet, publishes the exchange's solvency bottom line in a public forum, and declares: "As of today, the exchange is solvent." (Note that this kind of solvency audit checks whether the exchange holds full reserves; the method discussed below can equally be used for fractional-reserve solvency audits of the kind required of commercial banks.)

The shortcomings of manual solvency audit


Such solvency audits have several drawbacks. First, they consume staff time and money. Second, they are bad for operational security: multi-billion-dollar crypto assets are controlled by keys, and information about how those keys are used is disclosed to outsiders (the auditors). Most worrying of all, an exchange that has been robbed can remove some of its liabilities to customers from the balance sheet to cover up the loss. The auditor has no practical way of knowing whether every liability is recorded in the books, and so has little choice but to trust the exchange.

Requirements for a solvency audit


Given these problems, what should a solvency audit achieve? First, privacy: the exchange's trade secrets should not be disclosed. Second, transparency: every customer should be able to verify that the exchange has included its liability to them in the balance sheet being audited, which strengthens public oversight. Third, self-audit: the process should not require any external auditor, which both cuts costs and shrinks the attack surface; in other words, we want a self-auditing procedure that the exchange runs on its own. Fourth, soundness: even with no outsider involved, a rogue exchange must not be able to produce a fraudulent audit. But wait: doesn't the privacy of the first goal contradict the transparency of the second? Doesn't the self-audit of the third contradict the soundness of the fourth? Can all four be achieved at once? Surprisingly, the answer is yes, as we explain next.

Encrypted envelopes, blockchains, and computational integrity


Setting privacy aside, a regulator could simply require the exchange to disclose a detailed balance sheet. Public scrutiny would then prevent an exchange from cooking its books by omitting liabilities, because any customer whose liability was missing could raise the alarm. Unfortunately, this simple solution fails precisely because of privacy.

A second attempt is for the regulator to require the exchange to show each customer a detailed balance sheet privately, for instance by sending every customer a monthly report. Even leaving aside the disclosure of confidential business information, an insolvent exchange has a way to deceive its customers: show each customer a balance sheet that contains their own liability but omits those of other customers, creating the illusion of solvency. Preventing this would require customers to disclose their (confidential) financial data to one another, which is obviously unacceptable. Our next option, therefore, is to require the exchange to publish a single public "anchor" for each (monthly) balance sheet and then provide personalized information to each customer. Each customer can use the public anchor to verify the information they received, and the anchor "binds" the exchange to one balance sheet without compromising the exchange's financial privacy.

Concretely, the exchange takes all of its private data (keys, assets, customer accounts, and liabilities to customers), seals it in a small envelope, and places the envelope somewhere the company cannot tamper with it. This envelope is the "anchor" for the balance sheet mentioned above. The exchange then uses a new cryptographic tool (explained below) to simulate a trusted auditor with access to the envelope's contents. The magic of these tools is that an honest exchange can use them to give each customer a convincing proof without revealing the envelope's contents, while a rogue exchange cannot use them to produce a convincing proof for a balance sheet that disagrees with what is in the envelope. This "self-auditing" capability comes from a powerful combination of blockchain and zero-knowledge proofs.

Commitment schemes as sealed envelopes


Digital analogues of the sealed envelope have been used safely by computers for decades; cryptographers call them cryptographic commitments. Regardless of the size of the original data, the commitment (the sealed envelope) is tiny: a hash-based commitment built on SHA-256, for example, is just 32 bytes.

Fortunately, decentralized blockchain technology gives us a tamper-proof place to put the exchange's sealed envelope. At the heart of the blockchain technology pioneered by Satoshi Nakamoto is a public ledger that no single party controls and that is irreversible, with irreversibility achieved through heavy computational work (proof of work) and economic incentives. The Bitcoin blockchain has in effect become a trusted timestamping service. So once the exchange has put the customer data needed for the personalized solvency audit into a commitment, that commitment can be stored on-chain safely and cheaply. What remains is to prove to regulators and the public that the data in the envelope is valid, without revealing anything else that might violate customer privacy. This is where zero-knowledge proofs come in.

Zero knowledge proof as a trusted auditor


Stretching an analogy, a zero-knowledge (ZK) proof is like a grocery receipt. Each proof is a string of characters (like a receipt) that guarantees computational integrity: it convinces us (the verifier) that the result of a computation is correct. A grocery receipt convinces us that the total we must pay is correct; a zero-knowledge proof is the souped-up version, strong enough to handle any computation and convince us that its result is correct. In addition, a zero-knowledge proof guarantees privacy: the proof string leaks nothing about the inputs. It is like a receipt that (1) shows only the total, (2) does not show the price or quantity of any individual item, and (3) still convinces the customer that the amount due is correct. Finally, some zero-knowledge proofs are extremely efficient: they can be checked on a smartphone in under a second even when the underlying computation is long and cumbersome; think of a receipt listing millions of items that can be checked in the blink of an eye.

To summarize our approach to the solvency audit problem: we can meet all four goals above (privacy, transparency, self-audit, soundness) with a three-step process. The first two steps are easily implemented with existing technology; the third uses the emerging technology of zero-knowledge proofs:

  1. The exchange puts all the data it would have had to hand to a trusted auditor in order to prove its solvency to each customer into a sealed envelope (a commitment). This data includes all keys under the exchange's control, all assets, and all liabilities to customers. As noted above, the commitment is very short (32 bytes) and reveals nothing to anyone who sees it.
  2. The exchange publishes the commitment (all 32 bytes of it) on a blockchain such as Bitcoin.
  3. The exchange reads the contents of the envelope and generates a separate zero-knowledge proof of solvency (the "receipt") for each customer. This computation has two public outputs (all inputs are "erased" to protect privacy): (1) a single bit indicating whether the exchange is solvent or insolvent, and (2) the account balance of that particular customer.
The proof preserves privacy, meaning the customer learns nothing about the contents of the envelope (beyond their own account information). The magic of zero-knowledge proofs is that they are "proofs" in the mathematical sense: true statements can be proved, and false statements cannot. Hence an insolvent exchange cannot deceive a customer into believing it is solvent, nor can it deceive a customer by altering that customer's account information in the envelope. The exchange has exactly one option: to prove that the information it provides is correct, thereby conducting a personalized solvency audit.
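The following is an added example, not code from the original article or from StarkWare: it implements the commitment ("sealed envelope") of step 1, the single 32-byte anchor that step 2 would publish on-chain, and the per-customer balance check of step 3, using a SHA-256 hash commitment per liability row arranged in a Merkle tree. Customer names and balances are constructed for illustration, and the zero-knowledge solvency bit (assets versus total liabilities) is deliberately not implemented here, since it needs a ZK proof system. What the example does show is the property the text relies on: a customer who receives only their own opening and inclusion path can confirm that their exact balance is in the committed balance sheet, and the exchange cannot alter that balance, or show different customers different sheets, without changing the public anchor.

```python
"""Commit-and-check for an exchange's liabilities (constructed example, not the article's code).

Exchange side: commit to every (customer, balance) row with a hiding hash commitment, build a
Merkle tree over the commitments, and publish the 32-byte root as the public anchor.
Customer side: given only their own balance, nonce and inclusion path, recompute the root.
"""
import hashlib
import secrets
from typing import Dict, List, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling_is_left) from leaf up to the root


def _sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_commit(customer: str, balance: int, nonce: bytes) -> bytes:
    """Hiding, binding commitment to one liability row.

    The 32-byte random nonce hides small balances from brute force; the "L" domain tag keeps
    leaf hashes distinct from interior-node hashes so a node cannot be passed off as a leaf.
    """
    return _sha256(b"L", nonce, customer.encode("utf-8"), balance.to_bytes(8, "big"))


def _node(left: bytes, right: bytes) -> bytes:
    return _sha256(b"N", left, right)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level bottom-up; an odd-length level is padded by repeating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes needed to walk from leaf `index` up to the root (same padding rule as build_tree)."""
    proof: Proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof: Proof) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _node(sibling, node) if sibling_is_left else _node(node, sibling)
    return node == root


def commit_liabilities(balances: Dict[str, int]) -> Tuple[bytes, Dict[str, dict]]:
    """Exchange side. Returns the public 32-byte anchor and one private packet per customer."""
    customers = sorted(balances)  # fixed order so the tree is reproducible
    nonces = {c: secrets.token_bytes(32) for c in customers}
    leaves = [leaf_commit(c, balances[c], nonces[c]) for c in customers]
    levels = build_tree(leaves)
    root = levels[-1][0]
    packets = {
        c: {"balance": balances[c], "nonce": nonces[c], "proof": inclusion_proof(levels, i)}
        for i, c in enumerate(customers)
    }
    return root, packets


def customer_check(root: bytes, customer: str, packet: dict) -> bool:
    """Customer side: does my balance, as I received it, sit under the anchor the exchange published?"""
    leaf = leaf_commit(customer, packet["balance"], packet["nonce"])
    return verify_inclusion(root, leaf, packet["proof"])


if __name__ == "__main__":
    # Constructed balance sheet: three customers, balances in whole coins.
    anchor, private = commit_liabilities({"alice": 150, "bob": 40, "carol": 310})
    print("public anchor:", anchor.hex())
    for name, pkt in private.items():
        print(name, "verifies:", customer_check(anchor, name, pkt))
```

Each customer only ever sees their own packet, so nothing about other customers' balances leaks, which is the privacy goal; and because every customer checks against the same published anchor, the "omit other customers' liabilities" trick from the second attempt above no longer works, which is the transparency goal. The solvency bit itself still requires the zero-knowledge step, since proving that committed assets exceed the sum of these committed balances without opening any of them is exactly what a ZK proof system adds.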

The state of zero-knowledge proof technology


Zero-knowledge proofs were invented in the mid-1980s. In the past few years the technology has advanced by leaps and bounds and is now in commercial use. There are currently three leading families of zero-knowledge proof systems: ZK-SNARKs (used by cryptocurrencies such as Zcash), ZK-STARKs (commercialized by StarkWare and supported by the Ethereum Foundation), and Bulletproofs (used by Monero).

Summary


The three-step process above for personalized solvency audits can be applied to any other kind of financial statement (income statements, statements of equity, cash-flow statements, and so on). Financial statements are as old as recorded history, dating back to the birth of writing itself; bookkeeping has evolved from clay tablets 4,000 years ago, to paper, to digitally signed documents. Until now, anyone who wanted to be sure a financial statement was correct had to trust either its publisher or the external (human) auditor vouching for it. By combining blockchain technology, commitment schemes, and, most importantly, zero-knowledge proofs, it is now possible to make this truly trustless, with audits that are transparent and democratic from the public's point of view.
Further reading
  • Provisions: Privacy-preserving Proofs of Solvency for Bitcoin Exchanges [Dagher, Bünz, Bonneau, Clark, Boneh; ACM CCS 2015]
  • zkLedger: Privacy-Preserving Auditing for Distributed Ledgers [Narula, Vasquez, Virza; NSDI 2018]