# Bifubao’s Proof of Reserves
## What are reserves?
Reserves refer to the funds a business holds. If a business holds funds on behalf of its customers and its reserve ratio is 100%, it holds 100% of its customers’ funds in reserve. If its reserve ratio is 10%, the business holds only 10%, and the other 90% of the funds are used elsewhere. This is the mechanism used by many banks: depositors give cash to the bank to hold, and the bank lends out a certain percentage while keeping enough in reserve to satisfy withdrawal requests.
## Why does an off-chain wallet need to prove reserves?
In Bifubao’s case, our reserves are the bitcoins that Bifubao holds on behalf of our users. Our wallet is off-chain, which means that we hold bitcoins for you and record the balances in our database. This has many benefits, but one downside is that it is typically difficult for a platform to prove that it holds the funds it says it does. This problem was pronounced in the case of Mt. Gox, and since its demise the bitcoin community has demanded accountability from exchanges and wallets that handle bitcoin deposits off-chain.
## Method of Proof
The easiest method of proof is to publish a flat list of all user accounts, their total deposits, and the platform’s deposit addresses. However, this method exposes a great deal of company information. The Merkle Tree technique makes it difficult for a company to falsify data while protecting privacy (although some information is necessarily revealed).
## How We Implement Proof of Reserves
Our implementation is based on the Merkle Tree method proposed by Bitcoin developer Greg Maxwell, and as detailed here, with a few modifications. Using this method, a company can prove to a user that their data was taken into account in calculating the total amount of funds held.
To protect user identities, we can’t simply publish a list of our users’ email addresses or ids along with their bitcoin holdings. Instead, we create a hash from each user’s user_id. Combining the user_id with the user’s balance and a nonce makes the resulting hash value even harder to trace. The user_ids should be unique and immutable, so as to decrease the odds of two users choosing the same user_id. In pseudocode, this would look something like the following:

```
hash_value = HASH(user_id + nonce + balance)
```

Because we only display a hash digest, users can rest assured that their personal information won’t be exposed as part of this proof. Besides calculating a unique user_id for each user, we additionally calculate a new nonce each time.
This method exposes some of Bifubao’s data. Users can see the total amount of bitcoins on our system and can estimate the total number of users on our system. However, we believe it is worth the tradeoff to verify to our users that we are operating transparently. We are also opening up our source code for the community to inspect.
We build up the Merkle Tree by first obtaining the relevant data in our database, and then iteratively running the algorithm to construct the tree to the root node.
| User Email / Mobile Phone | Nonce | Balance (Satoshi) |
|---|---|---|
The hash of the user node is calculated according to this algorithm:
We concatenate the user_id and the nonce to get the uid in the code below:
After constructing the hashes of all of the user nodes, we sort them by hash value.
Two adjacent nodes are combined to make a parent node. If the number of nodes is odd, we construct a padding node.
The balance of the parent node is the sum of the balances of its child nodes.
To build the Merkle tree, we recursively apply the algorithm above until we reach the root node.
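As an added example (not Bifubao’s own code, which lives in the GitHub repository linked below), here is a compact Python version of the procedure above: leaf hashes built from uid = user_id + nonce and the balance, leaves sorted by hash, adjacent nodes paired with a zero-balance padding node when the count is odd, plus the routine a user would run to check that their own leaf is included in the published root. The parent-hash formula (both child hashes plus the summed balance) and the contents of the padding node are assumptions, since the post does not state them.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

@dataclass
class Node:
    hash: str
    balance: int                     # in satoshi
    left: Optional["Node"] = None
    right: Optional["Node"] = None

def leaf_node(user_id: str, nonce: str, balance: int) -> Node:
    uid = user_id + nonce            # uid = user_id || nonce, as in the post
    return Node(sha256_hex(uid + str(balance)), balance)   # HASH(user_id + nonce + balance)

def parent_node(left: Node, right: Node) -> Node:
    balance = left.balance + right.balance   # parent balance = sum of the children
    # ASSUMPTION: parent hash commits to both child hashes and the summed balance
    return Node(sha256_hex(left.hash + right.hash + str(balance)), balance, left, right)

def build_tree(leaves: List[Node]) -> Node:
    level = sorted(leaves, key=lambda n: n.hash)            # sort user nodes by hash
    while len(level) > 1:
        if len(level) % 2 == 1:                              # odd count: add a padding node
            level.append(Node(sha256_hex("padding"), 0))     # ASSUMPTION: zero-balance padding
        level = [parent_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def proof_path(node: Node, leaf_hash: str) -> Optional[list]:
    """Siblings (hash, balance, is_left) from the leaf up to the root, or None if absent."""
    if node.left is None:
        return [] if node.hash == leaf_hash else None
    for child, sibling, sib_left in ((node.left, node.right, False), (node.right, node.left, True)):
        path = proof_path(child, leaf_hash)
        if path is not None:
            return path + [(sibling.hash, sibling.balance, sib_left)]
    return None

def verify(leaf: Node, path: list, root_hash: str, root_balance: int) -> bool:
    """What a user runs: recompute the root from their own leaf and the published siblings."""
    h, bal = leaf.hash, leaf.balance
    for sib_hash, sib_bal, sib_left in path:
        if bal < 0 or sib_bal < 0:       # a negative balance would let the total be understated
            return False
        bal += sib_bal
        h = sha256_hex((sib_hash + h if sib_left else h + sib_hash) + str(bal))
    return h == root_hash and bal == root_balance
```

The verifier rejects any negative balance it sees on the path, a check the post does not mention but which a sum tree needs, because a negative leaf would let the published total be smaller than the real liabilities.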
### Cold Storage Addresses
Our proof of reserves would not be complete without proving our control of assets. Below are our cold storage addresses, where you can see how much we hold in reserve. Because we hold some bitcoins in our hot wallet, the sum of the balances of the two addresses below will not equal the amount calculated above, but you can use the data to confirm that we hold at least a large percentage of user funds.
To prove we control these addresses, we’ve signed a message using their corresponding private keys:
- Source Code: https://github.com/bifubao/proof_of_reserves
- prove-how-(non)-fractional-your-Bitcoin-reserves-are scheme: https://iwilcox.me.uk/2014/nofrac-orig
- Proving Your Bitcoin Reserves: https://iwilcox.me.uk/2014/proving-bitcoin-reserves
- Pictures courtesy of Zak Wilcox at the above sites.