# Revelio
### A MimbleWimble Proof of Reserves Protocol

Saravanan Vijayakumaran
IIT Bombay
[@sarva_v](https://twitter.com/sarva_v)

---

<blockquote>
Mimblewimble, which prevents your opponent from accurately casting their next spell.
</blockquote>
<div style="text-align: right">Gilderoy Lockhart</div>

---

### Brief History of MW and Grin

<span>Aug 2016<!-- .element: class="fragment" data-fragment-index="1" --></span> : <span>Tom Elvis Jedusor posted MW whitepaper on #bitcoin-wizards<!-- .element: class="fragment" data-fragment-index="1" --></span>

<span>Oct 2016<!-- .element: class="fragment" data-fragment-index="2" --></span> : <span>Andrew Poelstra released precise description<!-- .element: class="fragment" data-fragment-index="2" --></span>

<span>Nov 2016<!-- .element: class="fragment" data-fragment-index="3" --></span> : <span>Ignotus Peverell announced Grin<!-- .element: class="fragment" data-fragment-index="3" --></span>

<span>Jan 2019<!-- .element: class="fragment" data-fragment-index="4" --></span> : <span>Grin Mainnet launched<!-- .element: class="fragment" data-fragment-index="4" --></span>

Note:
- Jedusor is the anagram of Voldemort in French
- https://github.com/mimblewimble/docs/wiki/A-Brief-History-of-MimbleWimble-White-Paper
- https://medium.com/beam-mw/a-short-history-of-mimblewimble-from-hogwarts-to-mobile-wallets-2514a21debb
- Ignotus is the wizard who invented the invisibility cloak. Announcement was on bitcoin-wizards
- Mainnet launched on Jan 15, 2019

---

### Grin
#### No this, no that

<!-- .slide: data-background="https://i.imgur.com/hwM14bX.png" -->

```
no addresses
no airdrops
no visible amounts
no mining tax
no transaction history
no masternodes
no reward changes
no middlemen
no fixed supply
no partnerships
no trusted setup
no room for spam
no ring signatures
no staking
no moon math
no drama
no hashcash
no ASIC aversion
no ICO
no premine
no instamine
```

<div style="font-size: small"><a href="https://github.com/mimblewimble/docs/wiki/No-this,-no-that">https://github.com/mimblewimble/docs/wiki/No-this,-no-that</a></div>

<span>:astonished: No addresses?<!-- .element: class="fragment" data-fragment-index="2" --></span>

---

### Grin UTXOs

- Each UTXO has a Pedersen commitment<!-- .element: class="fragment" -->
  $$
  C = kG + vH
  $$
  + $G$ and $H$ are fixed points on the elliptic curve<!-- .element: class="fragment" -->
  + Discrete logarithm of $H$ with respect to $G$ is unknown<!-- .element: class="fragment" -->
  + $v$ = amount<!-- .element: class="fragment" -->
  + $k$ = blinding factor (a.k.a. secret key)<!-- .element: class="fragment" -->
- Output ownership = Knowledge of $k, v$ values<!-- .element: class="fragment" -->

---

### Cryptocurrency Exchanges

- Convenience
  - On-off ramps, wallets
  - Allow trading
- Risks
  - Get hacked all the time
  - Exit scams
  - Fractional reserve exchanges
- Proof of solvency is a partial solution<!-- .element: class="fragment" -->
  - Proof of liabilities
  - Proof of reserves<!-- .element: class="fragment highlight-red" -->

---

### Proof of Solvency

- Exchanges prove their reserves exceed liabilities<!-- .element: class="fragment" -->
- Exchange generates two Pedersen commitments<!-- .element: class="fragment" -->
  - $C_{\text{liabilities}}$ to $v_l$, the total liability amount<!-- .element: class="fragment" -->
    $$
    C_{\text{liabilities}} = k_l G + v_l H
    $$
  - $C_{\text{reserves}}$ to $v_r$, the total reserves amount<!-- .element: class="fragment" -->
    $$
    C_{\text{reserves}} = k_r G + v_r H
    $$
- Exchange proves $C_{\text{reserves}} - C_{\text{liabilities}}$ commits to a non-negative amount (in the right range)<!-- .element: class="fragment" -->
- Proof of reserves protocol = $C_{\text{reserves}}$ generation<!-- .element: class="fragment" -->

---

### Simple Proof of Reserves for Grin

- Let the UTXO set be $\mathcal{C}_{\text{unspent}}$.<!-- .element: class="fragment" -->
- Exchange reveals that it owns $\mathcal{C}_{\text{own}} \subset \mathcal{C}_{\text{unspent}}$.<!-- .element: class="fragment" -->
- The commitment to the total reserves is<!-- .element: class="fragment" -->
  $$
  C_{\text{reserves}} = \sum_{C \in \mathcal{C}_{\text{own}}} C
  $$
- Exchange gives ZKPoK of $k_r$ and $v_r$ such that<!-- .element: class="fragment" -->
  $$
  C_{\text{reserves}} = k_r G + v_r H
  $$
- No privacy: the exchange may not want to reveal its UTXOs<!-- .element: class="fragment" -->

Note:
If the exchange does not own even one $C$ in the claimed $\mathcal{C}_{\text{own}}$, it cannot generate the ZKPoK

---

### <span>Almost<!-- .element: class="fragment" data-fragment-index="2" --></span> Revelio

- Exchange reveals $\mathcal{C}_{\text{anon}} = \{C_1, C_2, \ldots, C_N\}$ such that<!-- .element: class="fragment" -->
  $$
  \mathcal{C}_{\text{own}} \subset \mathcal{C}_{\text{anon}} \subset \mathcal{C}_{\text{unspent}}
  $$
- For each $C_i = k_iG + v_iH$, exchange defines<!-- .element: class="fragment" -->
  $$
  I_i = \begin{cases}
  x_iG + v_iH & \text{ if } C_i \in \mathcal{C}_{\text{own}} \\
  y_iG & \text{ if } C_i \notin \mathcal{C}_{\text{own}}
  \end{cases}
  $$
- Exchange gives ZKPoK that each $I_i$ has one of the two forms<!-- .element: class="fragment" -->
- Exchange claims $C_{\text{reserves}} = \sum_{i=1}^N I_i$ is a commitment to its total reserves<!-- .element: class="fragment" -->

---

### Almost Revelio: The Good

<span>Exchange cannot inflate reserves.<!-- .element: class="fragment" --></span>
<span>Why so?<!-- .element: class="fragment" --></span>

- For each $C_i = k_iG+v_iH \in \mathcal{C}_{\text{anon}}$, exchange gives ZKPoK of the form<!-- .element: class="fragment" -->
  \begin{align*}
  \text{PoK} & \left\{ (\alpha, \beta, \gamma, \delta) \mid \right. \\
  & \left( C_i =\alpha G + \beta H \ \wedge\ I_i = \delta G + \beta H \right) \\
  & \left. \vee \left( I_i = \gamma G \right) \right\}.
  \end{align*}<!-- .element: class="fragment" -->
- $C_{\text{reserves}} = \sum_{i=1}^N I_i$.<!-- .element: class="fragment" -->

---

### Almost Revelio: The Bad

<span>Multiple exchanges can share UTXOs<!-- .element: class="fragment" --></span>

- For each $C_i = k_iG+v_iH \in \mathcal{C}_{\text{anon}}$, exchange gives ZKPoK of the form<!-- .element: class="fragment" -->
  \begin{align*}
  \text{PoK} & \left\{ (\alpha, \beta, \gamma, \delta) \mid \right. \\
  & \left( C_i =\alpha G + \beta H \ \wedge\ I_i = \delta G + \beta H \right) \\
  & \left. \vee \left( I_i = \gamma G \right) \right\}.
  \end{align*}<!-- .element: class="fragment" -->
- Different exchanges can choose different $\delta$s<!-- .element: class="fragment" -->

---

### Revelio

![Vidyut Potter](https://i.imgur.com/ve0eWa9.png =400x)

<div style="font-size: large"><a href="https://www.instagram.com/p/BqkwHJCFLRe/">Image credit: artventuretales instagram</a></div>

Note:
When Revelio is used directly on a person, it removes magical disguises. Used to reveal concealed objects, messages, invisible things, and passages

---

### Revelio

- Exchange reveals $\mathcal{C}_{\text{anon}} = \{C_1, C_2, \ldots, C_N\}$.<!-- .element: class="fragment" -->
- Let $G' \neq G$ be a point with unknown discrete log<!-- .element: class="fragment" -->
- For each $C_i = k_iG + v_iH$, exchange defines<!-- .element: class="fragment" -->
  $$
  I_i = \begin{cases}
  k_iG' + v_iH & \text{ if } C_i \in \mathcal{C}_{\text{own}}, \\
  y_iG' & \text{ if } C_i \notin \mathcal{C}_{\text{own}},
  \end{cases}
  $$
- Exchange gives ZKPoK that each $I_i$ has one of the two forms<!-- .element: class="fragment" -->
- $C_{\text{reserves}} = \sum_{i=1}^N I_i$.<!-- .element: class="fragment" -->

---

### Revelio: The Good

- Exchange cannot inflate reserves<!-- .element: class="fragment" -->
- Multiple exchanges cannot collude by sharing UTXOs<!-- .element: class="fragment" -->
- For each $C_i = k_iG+v_iH \in \mathcal{C}_{\text{anon}}$, exchange gives ZKPoK of the form<!-- .element: class="fragment" -->
  \begin{align*}
  \text{PoK} & \left\{ (\alpha, \beta, \gamma) \mid \right. \\
  & \left( C_i =\alpha G + \beta H \ \wedge\ I_i = \alpha G' + \beta H \right) \\
  & \left. \vee \left( I_i = \gamma G' \right) \right\}.
  \end{align*}<!-- .element: class="fragment" -->
- The $I_i$s for <span>$\mathcal{C}_{\text{own}}$<!-- .element: class="fragment highlight-red" --></span> are a deterministic function of $C_i$.<!-- .element: class="fragment" -->

---

### Revelio: One More Detail

- Before review<!-- .element: class="fragment" -->
  $$
  I_i = \begin{cases}
  k_iG' + v_iH & \text{ if } C_i \in \mathcal{C}_{\text{own}}, \\
  \color{red}{y_i}G' & \text{ if } C_i \notin \mathcal{C}_{\text{own}},
  \end{cases}
  $$
- After review<!-- .element: class="fragment" -->
  $$
  I_i = \begin{cases}
  k_iG' + v_iH & \text{ if } C_i \in \mathcal{C}_{\text{own}}, \\
  \color{red}{\mathcal{H}\left( k_{\text{exch}}, C_i \right)}G' & \text{ if } C_i \notin \mathcal{C}_{\text{own}},
  \end{cases}
  $$
- $\mathcal{H}$ = Scalar-valued hash function<!-- .element: class="fragment" -->
- $k_{\text{exch}}$ = Exchange's long-term secret key<!-- .element: class="fragment" -->
- :pray: Reviewer 1<!-- .element: class="fragment" -->

---

### Revelio: The Bad

- Collusion can be detected _only_ if all the exchanges generate proofs from the same blockchain state
- Need a cryptographic method to enforce this<!-- .element: class="fragment" -->

---

### Performance

![](https://i.imgur.com/1tqiLmR.png)

---

![](https://i.imgur.com/cNjQUQp.png)

<blockquote>
... it would be funny to change the abstract to say "We reveal Revelio".<!-- .element: class="fragment" data-fragment-index="2" -->
</blockquote>
<div style="text-align: right">Reviewer 2<!-- .element: class="fragment" data-fragment-index="2" --></div>

---

![](https://i.imgur.com/p5lNDqU.jpg =700x)

Note:
https://imgflip.com/i/33yywt

---

:page_facing_up: [https://eprint.iacr.org/2019/684](https://eprint.iacr.org/2019/684)

:computer: [https://github.com/avras/revelio](https://github.com/avras/revelio)

[@sarva_v](https://twitter.com/sarva_v)

![](https://i.imgur.com/MW9t3Ml.png)
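---

### Added example: the Revelio algebra in code

The Revelio slides define the key images $I_i = k_iG' + v_iH$ for owned outputs and $I_i = \mathcal{H}(k_{\text{exch}}, C_i)G'$ for decoys, and claim that $\sum_i I_i$ opens to the exchange's total reserves while a UTXO claimed by two exchanges shows up as identical $I_i$ values. The script below is an added illustration written for this page; it is not code from the talk, the paper or the avras/revelio repository. It assumes secp256k1 (the curve Grin uses) with pure-Python affine arithmetic; the generators $H$ and $G'$ are derived here by hashing to the curve, which is this example's own choice rather than Grin's constants; the UTXO openings, exchange keys and ownership sets are constructed. The zero-knowledge OR-proof that each $I_i$ has one of the two permitted forms is not implemented; the example only checks the algebra that proof would certify, and it also shows why the "Almost Revelio" image $x_iG + v_iH$ lets a shared output go unnoticed.

```python
# Revelio proof-of-reserves arithmetic on secp256k1 (constructed example, pure Python 3.8+)
import hashlib
from functools import reduce

# secp256k1: y^2 = x^3 + 7 over F_P, prime group order N, cofactor 1
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_to_point(label):
    """Nothing-up-my-sleeve generator: try-and-increment on SHA-256(label || ctr).
    P = 3 mod 4, so rhs^((P+1)/4) is a square root of rhs whenever one exists."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

H = hash_to_point(b"revelio-example:H")    # amount generator H, discrete log w.r.t. G unknown
G2 = hash_to_point(b"revelio-example:G'")  # the G' of the Revelio slides, same property

def commit(k, v, base=G):
    """Pedersen commitment k*base + v*H; with base == G this is a Grin output."""
    return add(mul(k, base), mul(v, H))

def scalar_hash(k_exch, c):
    """H(k_exch, C_i) from the 'One More Detail' slide: keyed hash into the scalar field."""
    data = k_exch + c[0].to_bytes(32, "big") + c[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def revelio_images(anon_set, owned, k_exch):
    """Key images I_i for every C_i in C_anon; owned maps C_i -> (k_i, v_i)."""
    images = []
    for c in anon_set:
        if c in owned:
            k, v = owned[c]
            images.append(commit(k, v, base=G2))            # k_i G' + v_i H
        else:
            images.append(mul(scalar_hash(k_exch, c), G2))  # H(k_exch, C_i) G'
    return images

def reserves_opening(anon_set, owned, k_exch):
    """(k_r, v_r) with sum(I_i) == k_r G' + v_r H: the opening the exchange proves knowledge of."""
    k_r = sum(owned[c][0] if c in owned else scalar_hash(k_exch, c) for c in anon_set) % N
    v_r = sum(v for _, v in owned.values())
    return k_r, v_r

def demo():
    # Constructed UTXO set: (blinding factor, amount) openings that the chain never reveals
    openings = [(11, 500), (22, 1200), (33, 7), (44, 3000), (55, 90)]
    anon = [commit(k, v) for k, v in openings]             # C_anon: all five outputs
    owned_a = {anon[i]: openings[i] for i in (0, 1, 3)}    # exchange A owns three of them
    owned_b = {anon[i]: openings[i] for i in (3, 4)}       # exchange B also claims output 3
    key_a, key_b = b"exchange-A-long-term-key", b"exchange-B-long-term-key"
    imgs_a = revelio_images(anon, owned_a, key_a)
    imgs_b = revelio_images(anon, owned_b, key_b)
    k_r, v_r = reserves_opening(anon, owned_a, key_a)
    return {
        "reserves_a_opens": reduce(add, imgs_a, None) == commit(k_r, v_r, base=G2),
        "v_r": v_r,                                         # 500 + 1200 + 3000
        "shared_utxo_detected": imgs_a[3] == imgs_b[3],     # same owned C_i, same I_i
        "decoys_unlinkable": imgs_a[2] != imgs_b[2],        # decoy images are keyed per exchange
        # Almost Revelio: I_i = x G + v H with any x, so the shared output leaves no trace
        "almost_revelio_undetected": commit(101, 3000) != commit(202, 3000),
    }
```

`demo()` returns the checks an auditor cares about: the sum of A's images opens to $k_rG' + v_rH$ with $v_r = 4700$, output 3 produces the same $I_3$ in both exchanges' proofs (the collusion signal), the decoy images of A and B are unrelated because each is keyed by that exchange's own $k_{\text{exch}}$, and the Almost Revelio images of the same output differ whenever the two exchanges pick different $x_i$. As the "Revelio: The Bad" slide notes, the $I_3$ comparison only works when both proofs were built against the same set of unspent outputs.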
---

<div style="text-align: right">Talk on the Revelio protocol at CVCBT 2019 on June 25, 2019</div>