So I've been curious about uses for the two-party escrow mechanism enabled by multisignature transactions and P2SH. I'm interested in replacing
Contracts example 7 with something that doesn't require nLockTime or transaction versioning.
As I understand it, a two-party escrow mechanism would work as follows for minimized-trust transactions:
1. Alice wants to buy a widget worth X BTC from Bob
2. Alice creates two public keys, A1 and A2. Bob creates two public keys, B1 and B2
3. Together, Alice and Bob create a 2-of-2 multisignature address C1 from A1 and B1
4. Alice signs a partial transaction T1 with an input of 2X BTC and an output of 3X BTC to C1 and passes it to Bob
5. Bob adds an input of X BTC to T1, signs it, and broadcasts T1 to the network
5a. The result is that Alice paid 2X BTC and Bob paid X BTC to the address, so they both have a stake in agreeing about how to release the money and griefing/fraud are prevented by both Alice and Bob by making those actions more expensive than playing honestly. In addition, both Alice and Bob are protected from fraud in the initial transaction as T1 is invalid unless both inputs are valid unspent outputs from previous transactions.
6. Bob sends Alice the widget
7. Upon receipt of the widget, Alice signs a transaction T2 from C1 paying 2X BTC to Bob at key B2 and X BTC back to herself at key A2 and passes T2 to Bob
8. Bob signs T2 and broadcasts it to the network, receiving his payment and "security deposit" and sending Alice's "security deposit" back to her
In the event that Alice and Bob can't agree on who should get how much money based on partial/complete nonperformance of the contract, they can both pick an arbitrator Trent, who generates three public keys, R1, R2 and R3. A new 3-of-4 multisignature address is created for A1, B1, R1 and R2 so that Trent can only spend the money with agreement of either Alice or Bob, and this turns into a third-party escrow situation if the parties desire. Eventually, some amount is sent to A2, some to B2 and some to R3.
Would this work in rapidly-adjusted microtransactions as well? For example:
1. Alice wants to buy about 100MB of transfer from a Wi-Fi access point operated by Bob and pay .0001 BTC per 10kB
2. Alice and Bob create a transaction T1 to C1 as in previous steps 1-5, with Alice paying in 2 BTC and Bob paying in 1 BTC
3. Alice signs a transaction T2 from C1 with 1.0001 BTC going to Bob at key B2 and 1.9999 BTC going back to herself at key A2, sending T2 to Bob who does not broadcast it
4. Alice continues to use 10kB of bandwidth at a time, signing a new version of T2 each time with an ever-increasing amount going to Bob and ever-decreasing amount going back to her
5. Alice notifies Bob when she is done, at which point Bob stops providing services to Alice and signs and broadcasts T2, thereby completing the exchange
This would enable such rapidly-adjusted microtransactions without relying on transaction versions or nLockTime, which means they're practical as soon as P2SH is available on the network.
I would like to know whether this would actually work as I described it, as I have some other ideas relying on transactions like this.
Edit: Changed Trent's keys from T1, T2, T3 to R1, R2, R3 so they aren't confused with transactions T1 and T2.