Bitcoin Forum
June 09, 2023, 12:40:38 PM
 Author Topic: [Idea]Secure escrow service  (Read 680 times)
rabit (OP)
Member

Offline

Activity: 62
Merit: 10

 June 29, 2013, 10:26:28 AM

Situation: Person 1 and person 2 want to make a trade including a BTC transaction from person 1 to person 2, but they don't trust each other, so they choose some person 3 to act as an escrow. Unfortunately they also don't trust person 3 to not steal the BTC. The following scheme based on Shamir's Secret Sharing makes it impossible for the escrow to steal the BTC and also has the advantage that there is minimal work for the escrow if there is no dispute.

Scheme: Let G be the generator for the ECDSA group used in Bitcoin.
Person 1 and 2 create two public/private key pairs (ni,ni*G) and (ai,ai*G) (i=1,2) and then they make the public keys ni*G and ai*G public.
Then person 1 and person 2 send xi=ai+ni to the escrow in private and yi=2*ai+ni to the other person, also in private.

The funds are sent to the address (n1+n2)*G.

Now if person 1 is happy with the trade, he sends n1 to person 2 and person 2 can claim the BTC by using the private key n1+n2.
If there is a dispute, the escrow can decide who gets the BTC. If the escrow decides that person 1 can have the funds, then he sends x2 to person 1 and person 1 can claim the BTC by using the private key n1 + (2*x2-y2). Similarly, if the escrow decides that person 2 should have the BTC, then he sends x1 to person 2 and person 2 can claim the BTC with the private key (2*x1-y1)+n2.

Before the BTC are sent to the address (n1+n2)*G, everyone should verify the data which he got by using the following equations (ai*G and ni*G are both public so this can be used for verification):
xi*G=ai*G + ni*G
yi*G = 2*ai*G + ni*G

Kluge
Donator
Legendary

Offline

Activity: 1218
Merit: 1015

 June 29, 2013, 10:36:48 AM

rabit (OP)
Member

Offline

Activity: 62
Merit: 10

 June 29, 2013, 10:49:56 AM

I guess this is the same scheme?
escrow.ms
Legendary

Offline

Activity: 1274
Merit: 1004

 June 29, 2013, 10:54:33 AM

I guess this is the same scheme?

It was used here
https://bitcointalk.org/index.php?topic=135914.msg1454959#msg1454959
rabit (OP)
Member

Offline

Activity: 62
Merit: 10

 June 29, 2013, 11:12:24 AM (Last edit: June 29, 2013, 02:17:26 PM by rabit)

OK thanks, I think mine is still a little bit different.
The scheme from casascius is a 2-of-3 scheme; mine is a little bit different, as the escrow needs more than one data point to be able to claim the funds, and here the escrow also doesn't have to generate any data.