Then they sign some challenge string, that is some random string of bits that was

generated by some impartial party and they sign that challenge string with

the very same private key that was used to validate that payment-to-self transaction.

That proves that someone who knew that private

key was participating in this proof of reserve.

Now strictly speaking, that's not a proof that the party who's claiming to

own the reserve owns it, all this proves is that whoever does own

that 100,000 bitcoins is willing to cooperate in this process.

But nonetheless, this looks like a proof.

This looks something like a proof that somebody controls or

knows someone who controls the given amount of money.

So the first piece is to prove how much reserve you have,

and the second piece is to prove how many demand deposits the group holds.

And if you can prove those two things, then somebody can simply divide those two

numbers and that is what your fractional reserve is.

One more thing to note before we go on and

talk about how you prove how many demand deposits you hold, that is the tricky

part, is that in proving how much reserve you are holding, you could under claim.

That is the organization might have 150,000 bitcoins, but

choose to make a payment to self of only a 100,000.

And so this proof of reserve doesn't prove that this is all you have, but

it does prove that you have at least that much, okay.

Now how do you prove how many demand deposits you hold?

In order to do, that we're going to use a trick that relates to the Merkle trees

that we talked about in lecture one.

And if you recall, a Merkle tree is a binary tree that's built with hash

pointers so that each one of these pointers not only says where we can get

a piece of information, but also what the cryptographic hash of that information is.

Now we're going to add to each one of these hashpointers another a field

or attribute.

So we're gonna add to each hashpointer a total value,

that is a total monetary value in bitcoins

of all of the things that are underneath that hash pointer in the trees.

So for example, this hashpointer here would be tagged

with the total value in this entire left sub-tree.

Now down here at the bottom, we're going to have one item for each user, for

each user's or customer's account and we're gonna combine these up the tree so

that each node, the hashpointer coming out of it

will be labelled with the sum of the values on the two hashpointers down below.

So that will be a valid total for the subtree.

So that's so we could construct that structure and

then the exchange that wants to do the proof of reserve

can cryptographically sign the root hashpointer here, which is making a claim

that this is a valid tree and that everybody is down here, okay.