June 29, 2013, 10:26:28 AM
Situation: Person 1 and person 2 want to make a trade including a BTC transaction from person 1 to person 2, but they don't trust each other, so they choose some person 3 to act as an escrow. Unfortunately they also don't trust person 3 to not steal the BTC. The following scheme based on Shamir's Secret Sharing makes it impossible for the escrow to steal the BTC and also has the advantage that there is minimal work for the escrow if there is no dispute.
Scheme: Let G be the generator for the ECDSA group used in Bitcoin. Person 1 and 2 create two public/private key pairs (ni,ni*G) and (ai,ai*G) (i=1,2) and then they make the public keys ni*G and ai*G public. Then person 1 and person 2 send xi=ai+ni to the escrow in private and yi=2*ai+ni to the other person, also in private.
The funds are sent to the address (n1+n2)*G.
Now if person 1 is happy with the trade, he sends n1 to person 2 and person 2 can claim the BTC by using the private key n1+n2. If there is a dispute, the escrow can decide who gets the BTC. If the escrow decides that person 1 can have the funds, then he sends x2 to person 1 and person 1 can claim the BTC by using the private key n1 + (2*x2-y2). Similarly, if the escrow decides that person 2 should have the BTC, then he sends x1 to person 2 and person 2 can claim the BTC with the private key (2*x1-y1)+n2.
Before the BTC are sent to the address (n1+n2)*G, everyone should verify the data which he got by using the following equations (ai*G and ni*G are both public so this can be used for verification):
xi*G = ai*G + ni*G
yi*G = 2*ai*G + ni*G
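The scheme above as a runnable sketch, added here as an illustration and not part of the original post: it builds the shares xi and yi, checks the two verification equations on secp256k1, and recovers the other party's n from 2*x-y. Assumptions: all scalar arithmetic is taken modulo the group order N, keys are freshly generated random values, and the function names (make_party, verify_shares, recover_n, dispute_key) are hypothetical.

```python
import secrets

# secp256k1 domain parameters (the ECDSA group used in Bitcoin)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Add two curve points; None stands for the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p=G):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    r, k = None, k % N
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def make_party():
    """Constructed key material: secrets n, a; public n*G, a*G; shares x, y."""
    n, a = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    return {"n": n, "a": a, "nG": mul(n), "aG": mul(a),
            "x": (a + n) % N, "y": (2 * a + n) % N}

def verify_shares(x, y, aG, nG):
    """x*G = a*G + n*G and y*G = 2*a*G + n*G, using only public points."""
    return mul(x) == add(aG, nG) and mul(y) == add(add(aG, aG), nG)

def recover_n(x, y):
    """2*x - y = 2*(a+n) - (2*a+n) = n (mod N)."""
    return (2 * x - y) % N

def dispute_key(own_n, other_x, other_y):
    """Spending key for the winner of a dispute, e.g. n1 + (2*x2 - y2)."""
    return (own_n + recover_n(other_x, other_y)) % N

if __name__ == "__main__":
    p1, p2 = make_party(), make_party()
    print(mul(dispute_key(p1["n"], p2["x"], p2["y"])) == add(p1["nG"], p2["nG"]))
```

In the scheme each recipient sees only one of the two shares before funding (the escrow xi, the counterparty yi), so each checks just the equation for the share it holds; verify_shares combines both only to keep the sketch short.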