I've just released a new, highly experimental
market. Among other features, it implements stealth-style multisig for escrow. The protocol is that:
- Buyer, seller, and escrow agent all broadcast base public keys.
- When buyer wants to place an order:
- Buyer generates a 256-bit nonce.
- Buyer computes sha256 of all order details (nonce, products ordered, shipping address, etc.). This hash uniquely identifies the order to all parties.
- Buyer computes e = sha256(nonce||orderHash), and adds e*G to each public key in the usual stealth way.
I think this has the properties that:
- The buyer can't place two orders with different hashes but identical payment addresses. This means that the seller doesn't need to keep any records to avoid getting tricked into shipping twice in exchange for one payment.
- No one except the buyer and seller for a particular transaction can find the payment in the blockchain. The escrow agent can't until the buyer or seller deliberately involves him.
Am I right? And is anyone doing this already? If the buyer and seller already can communicate privately off-blockchain (as they typically can, since they need to send addresses, tracking numbers, etc.), then why would anyone use BIP32-style keys instead of this?
Also, semi-Bitcoin-related: I've implemented a
slight variation of ECIES on secp256k1 to support multiparty. I don't think I screwed it up, but any review is appreciated.
