I wanted to relay an interesting related link that Melvin PMed me:  https://petertodd.org/2016/commitments-and-single-use-seals

@Aronesty
Thanks, that system looks interesting, I'll have a closer look!

@Voskuil
I think we must disagree on at least one fundamental point. I'm finding myself disagreeing with most of what you're saying.

> If perfect is not possible, it’s not possible. It reduces to trust, which is the status quo.

Let not perfect be the enemy of good. Trust cannot be eliminated. Perfection cannot be achieved. However trust can be reduced further than it exists today, and we can clearly make things better than they are now. Are you really saying that if it's not perfect, it's worthless?

> All “users” need to simultaneously share their individual and temporary audits with each other (ie publicly).

This is not the case. In both the mechanism I briefly described and Peter Todd's mechanism from Melvin's link (top of this message), users need not share any information with other users unless that information is "my balance doesn't match the record". It doesn't even need to be in a timely manner if these records are committed to the blockchain - one could theoretically look back years and compare their personal records to the records published by the custodian, and then tell the community about it if they don't match. All that is required is that a critical mass of users verify their balance (ideally using software that regularly checks automatically). 

> It is not hard to spot price inflation

I don't know why you think that's the case. Inflation is today vehemently argued about. Are high real estate prices indications of inflation? What about recovering stock prices? Is inflation temporary or will we expect it to last more long term? If one company is inflating perceived supply, this would almost certainly not show up as significant economy-wide inflation. And if the majority of companies are doing it, how can you stop it if you don't have any idea which ones are doing it? I do think spotting the inflation in any kind of timely manner is indeed hard. 

> Stopping or avoiding it is the actual issue. No “proof” of reserve can do this.

I of course agree that proof of reserves cannot stop inflation/insolvency. I disagree with the idea that this is the "actual" issue - which seems to imply to me that it's the only issue that matters. Even if we can't stop a company from promising more coins than they have in reserves, we can limit how long these events happen for - and how big these bubbles can get. Don't you agree that would be very helpful, if it were possible (which it seems you think it isn't)? 

> The federal reserve was clearly insolvent from its early days, as that was its purpose.

Do you have a source as evidence that it was widely understood that the Fed was insolvent from its early days? I really don't think it was seen as the purpose by the vast majority of people in the US. People were led to believe every dollar was backed by a unique chunk of gold. Had it been possible to do a kind of proof of reserves (or estimate of reserves) as we're talking about, it would have been clear much earlier that the Fed was doing a lot of shenanigans. I think that would have been very useful information for the public back then. Perhaps they wouldn't have been able to do anything about the Fed (or maybe they would have). But people can certainly pull their money out of companies that can't show solvency. 

> Nonsense, any business can fail, regardless of temporal cash reserves.

I agree that any business can fail. But a bank that pretends it can serve cash on demand is not a normal business, and cash reserves absolutely relate to their ability to survive as a bank. It's honestly confusing to me how you could think otherwise. Also, calling my thoughts "nonsense" is rude, please check yourself, Eric. 

> it's hardly an improvement over holding your own keys.

No one is claiming that proof of reserves is "an improvement" over holding your own keys. Clearly holding your own keys is ideal. However, not everyone is comfortable with that. The fact of the matter is that many will choose a custodial wallet, for better or worse. PoR attempts to make things on the "better" side than the "worse" side. 

On Tue, Jul 6, 2021 at 9:39 AM Erik Aronesty <erik@q32.com> wrote:
you should check out some of the earlier work done here:

https://github.com/olalonde/proof-of-solvency#assets-proof

to be honest, if any exchange supported that proof, it would be more
than enough.

there's really no way to prevent a smash-and-grab, but this does
prevent a slow-leak


On Mon, Jul 5, 2021 at 5:10 PM Billy Tetrud via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> I had the idea recently for proof of reserves done in a way that can be used to verify reserves are sufficient on an ongoing basis. I'm curious if there are any current approaches out there to proof of reserves that are similar.
>
> The idea is to have users create actual private keys using a seed in pretty much the normal way. Users would generate a public key from this seed to represent their account, and would give the public key to the custodian to represent their account in a public record of account balances.
>
> When a user's account is credited, the custodian would update a map of addresses (created from the public key of each account) to balances - this map could be structured into a merkle tree in the usual "merkle approach". The custodian would also store funds on one or more HD wallets (each with many addresses) and create a proof that they own each HD wallet. The proof could be as simple as a single signature created with the xpub for the wallet, which would be sufficient for proving ownership over the whole list/tree of addresses.
>
> These two structures (the map and the HD wallet) would be combined and hashed, and the hash published in an on chain transaction (possibly along with a URI where the full data can be found), on something like a daily basis. Software for each user could continuously validate that their account has a balance that matches what it's supposed to have, and could also verify that owned addresses have funds that have at least as many coins as promised to accounts. If these things aren't verifiable (either because the balances total to more than the HD wallet contains, or because of data unavailability), people can raise hell about it.
>
> To give users additional proving ability, a receipt system could be added. Users could request a receipt for any balance update. Eg the user would create a message with a timestamp, their custodial "address", and the new balance. The user would sign this receipt and send it to the custodian, who would also sign it and send it back. This way, if something goes wrong, a user can use this signed receipt to show that the custodian did in fact promise a new updated balance at a particular time (which would cover the case that the custodian records the wrong value in their map). Conversely, the receipt would be useful to honest custodians as well, since they could show the user's signed receipt request in the case a user is trying to lie about what balance they should have. There is still the case that the custodian simply refuses to return a signed receipt, in which case the user's only recourse is to yell about it immediately and demand a receipt or a refund.
>
> Why record it on chain? Doing that gives a clear record of proof of reserves that can be verified later by anyone in the future. It prevents a custodian from being able to change history when it suits them (by creating a new records with false timestamps in the past). Many of these records could be aggregated together and recorded in the same transaction (with a single hash), so a single transaction per day could record the records of all participating custodians. If all custodians are using a standard system, one can cross verify that addresses claimed by one custodian aren't also claimed by another custodian.
>
> Even tho the user is responsible for their keys in order to properly verify, losing the keys isn't that big of a deal, since they could simply create a new seed and give a new public key to the custodian - who would have other identifying information they could use to validate that they own the account. So it places less responsibility on the user, while still introducing people, in a light-weight way, to self custody of keys.
>
> Having a record like this every day would reduce the possibility of shenanigans like taking a short term loan of a large amount of cryptocurrency. Sure, they could take a 10 minute loan once per day, but it would also be possible to trace on-chain transactions so you could tell if such a thing was going on. I wonder if there would be some way to include the ability to prove balances held on the lightning network, but I suspect that isn't generally possible.
>
> In any case, I'm curious what people think of this kind of thing, and if systems with similar properties are already out there.
>
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
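The core of the quoted proposal (a Merkle tree over the account-to-balance map, a set of custodian-owned addresses, a single daily commitment hash, and per-user verification that their own balance is in the tree) is sketched below as an added Python example. It is not code from the thread or from any of the projects linked in it. Assumptions: leaves and inner nodes are SHA-256 with a one-byte domain tag so that a node can never be mistaken for a leaf; accounts and reserve balances are constructed sample values in satoshis (a real verifier would read reserve balances from the chain and check the custodian's signature over the HD wallet, which is not implemented here); account keys are labelled strings standing in for the per-user public keys the proposal describes.

```python
import hashlib
from typing import Dict, List, Tuple

# --- hashing primitives (SHA-256 with domain separation, an assumption of this example) ---

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(key: str, balance: int) -> bytes:
    # 0x00 tag: a leaf commits to one (account key, balance) pair
    return sha256(b"\x00" + key.encode() + b":" + str(balance).encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 tag: an inner node commits to its two children in order
    return sha256(b"\x01" + left + right)

# --- Merkle tree over a sorted map ---

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels bottom-up. An odd level is padded by duplicating its last node."""
    levels = [leaves[:]]          # copy so the caller's list is never padded in place
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur.append(cur[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling path for leaf `index`; each entry is (sibling_hash, sibling_is_on_right)."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

def sorted_items(m: Dict[str, int]) -> List[Tuple[str, int]]:
    # deterministic leaf order, so custodian and user build the same tree
    return sorted(m.items())

def tree_root(m: Dict[str, int]) -> bytes:
    leaves = [leaf_hash(k, v) for k, v in sorted_items(m)]
    if not leaves:
        return sha256(b"\x03empty")
    return build_levels(leaves)[-1][0]

# --- the daily commitment and the checks a user's software would run ---

def daily_commitment(accounts: Dict[str, int], reserves: Dict[str, int]) -> str:
    """The one hash the custodian would publish on chain each day (hex)."""
    return sha256(b"\x02" + tree_root(accounts) + tree_root(reserves)).hex()

def verify_snapshot(accounts: Dict[str, int], reserves: Dict[str, int], onchain_hex: str) -> bool:
    """Check that the data served at the custodian's URI matches the on-chain hash."""
    return daily_commitment(accounts, reserves) == onchain_hex

def is_solvent(accounts: Dict[str, int], reserves: Dict[str, int]) -> bool:
    """Promised balances must not exceed coins held in the custodian's addresses."""
    return sum(accounts.values()) <= sum(reserves.values())

def user_balance_proof(accounts: Dict[str, int], key: str) -> List[Tuple[bytes, bool]]:
    """Proof the custodian hands to one user; it reveals only sibling hashes, not other balances."""
    items = sorted_items(accounts)
    leaves = [leaf_hash(k, v) for k, v in items]
    return merkle_proof(leaves, [k for k, _ in items].index(key))

def user_verifies(key: str, expected_balance: int, proof, liabilities_root: bytes) -> bool:
    """The user recomputes their own leaf from the balance they believe they hold."""
    return verify_proof(leaf_hash(key, expected_balance), proof, liabilities_root)

# --- constructed sample data (not real accounts or addresses) ---

ACCOUNTS_DAY1 = {"acct:alice": 150_000, "acct:bob": 250_000, "acct:carol": 100_000}
RESERVES_DAY1 = {"custodian-addr-0": 300_000, "custodian-addr-1": 250_000}

if __name__ == "__main__":
    onchain = daily_commitment(ACCOUNTS_DAY1, RESERVES_DAY1)
    print("day-1 commitment:", onchain)
    print("snapshot matches chain:", verify_snapshot(ACCOUNTS_DAY1, RESERVES_DAY1, onchain))
    print("solvent:", is_solvent(ACCOUNTS_DAY1, RESERVES_DAY1))
    proof = user_balance_proof(ACCOUNTS_DAY1, "acct:alice")
    root = tree_root(ACCOUNTS_DAY1)
    print("alice sees 150000:", user_verifies("acct:alice", 150_000, proof, root))
    print("alice sees 140000:", user_verifies("acct:alice", 140_000, proof, root))
```

The two failure modes the proposal cares about show up as two different checks: a custodian that quietly records the wrong balance for a user makes `user_verifies` fail for that user alone, while a custodian that credits more than it holds makes `is_solvent` fail for everyone who downloads the snapshot. Because the on-chain hash covers both trees, neither can later be rewritten without the published commitment changing.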