 |
April 29, 2013, 08:34:24 PM |
|
I'm not a cryptographer so take this with a pinch of salt.
Roughly speaking I'm proposing a protocol that is analogous to tearing a banknote in half and handing half to the seller.
Suppose that Alice wants to buy goods from Bob but that neither entirely trusts the other. The parties each select a secret random number less than the degree of the bitcoin underlying field. The parties go through the elliptic curve Diffie-Helman key agreement protocol using the bitcoin elliptic curve, and their secret random numbers. They also agree on a random value for k.
The exchanged key together with k forms a bitcoin public key known to both parties from which a bitcoin address can be generated, but neither party on his own can find the corresponding private key. Alice deposits bitcoins into the address. When Bob sees that the payment has been made into the address he hands over the goods. Once Alice has the goods she passes Bob her secret which enables Bob to generate the private key (it's just the product of the two secrets modulo the prime), and transfer the bitcoins to his own wallet.
After Alice deposits the bitcoins, Bob could try to blackmail her. After Bob has handed over the goods, Alice could try to blackmail him. However, neither party can gain anything without the other's cooperation. If a small positive reward is available for successful completion of the protocol, such as is available through a reputation system, or even because the trade is mutually beneficial, and if neither party appears desperate, then blackmail is unlikely. If a permanent blackmail happens, then the bitcoins are lost forever.
|
