Bitcoin Forum
August 24, 2019, 05:07:48 PM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Contracts without trust and third parties  (Read 5972 times)
oleganza
Full Member
***
Offline Offline

Activity: 200
Merit: 100


Software design and user experience.


View Profile WWW
August 14, 2013, 02:14:37 PM
Last edit: August 15, 2013, 08:25:28 PM by oleganza
 #1

Hey, I've written on my idea how to make contracts with people who don't really know each other with low cost, no third party.

Ideas based on NashX.com service. Special thanks to Mike Hearn for "Contracts" page on the wiki.

http://blog.oleganza.com/post/58240549599/contracts-without-trust-and-without-a-third-party

TLDR:

1. Two parties independently lock some amount of money in a single Bitcoin transaction without meeting in person or trusting anyone.
2. This money can be unlocked only when both agree with that. If at least one party does not want to unlock the deposit, another party cannot do anything about it.
3. Both parties can unlock deposit only atomically, for both of them. No one can unlock just for himself.
4. No one else has access to the deposits and neither party can access other party’s money.

Output scripts:

txout1: AlicePubkey CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUALVERIFY

txout2: BobPubkey CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUALVERIFY

HashA, HashB are hashes of the secret numbers of each participant. Numbers are revealed when they want to unlock the money.

Amount of deposit should be 200-300% of the price. E.g. if the deal is about 1 BTC worth of merchandise, the deposit should be at least 2 BTC.

NashX ask seller for smaller deposit (100%) because he sends first, but this doesn't seem "fair" for many people. So lets have 300% each, so it does not really matter who sends first. Parties can negotiate how much they lock up, of course.

Ideas?

Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
1566666468
Hero Member
*
Offline Offline

Posts: 1566666468

View Profile Personal Message (Offline)

Ignore
1566666468
Reply with quote  #2

1566666468
Report to moderator
1566666468
Hero Member
*
Offline Offline

Posts: 1566666468

View Profile Personal Message (Offline)

Ignore
1566666468
Reply with quote  #2

1566666468
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1566666468
Hero Member
*
Offline Offline

Posts: 1566666468

View Profile Personal Message (Offline)

Ignore
1566666468
Reply with quote  #2

1566666468
Report to moderator
1566666468
Hero Member
*
Offline Offline

Posts: 1566666468

View Profile Personal Message (Offline)

Ignore
1566666468
Reply with quote  #2

1566666468
Report to moderator
1566666468
Hero Member
*
Offline Offline

Posts: 1566666468

View Profile Personal Message (Offline)

Ignore
1566666468
Reply with quote  #2

1566666468
Report to moderator
hathmill
Full Member
***
Offline Offline

Activity: 186
Merit: 100



View Profile
August 14, 2013, 04:39:52 PM
 #2

This is great! Oh and probably a floor or a cost to this transaction to prevent spam attacks.
oleganza
Full Member
***
Offline Offline

Activity: 200
Merit: 100


Software design and user experience.


View Profile WWW
August 14, 2013, 05:18:12 PM
 #3

I just got a feedback from a friend of mine. This is an attack that can be fixed.

When Bob sends his secret number to Alice, Alice now can use funds anytime. She can put this money into "long-term savings" because she is 100% sure she can refund them. And Bob would have to wait.

To avoid this problem, both parties can create a "destruction" transaction that spends all funds to 00000000000000000000000000000000000. This transaction would be signed by both of them, can be released by any of them any time (it may have a short lockTime to let people cool down) and will be invalid once any party spends their output.

The scripts will be like this:

txout1:
IF
  AlicePubkey CHECKSIGVERIFY SHA256 HashA EQUALVERIFY HashB EQUALVERIFY
ELSE
  AlicePubkey CHECKSIGVERIFY BobPubkey CHECKSIGVERIFY
END

txout2:
IF
  BobPubkey CHECKSIGVERIFY SHA256 HashA EQUALVERIFY HashB EQUALVERIFY
ELSE
  AlicePubkey CHECKSIGVERIFY BobPubkey CHECKSIGVERIFY
END

When this transaction is signed by both parties, Alice and Bob would construct and sign another transaction that spends these two outputs to a predefined invalid address. Once a person sees that deposit is in blockchain and he has a valid destruction tx, he begins executing his part of the deal. If any party decides to play bad, the other guy may threaten to destroy all funds. This solves the problem of non-releasing secret numbers for undefined period of time.

I'll update my blog post soon.


Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
Elwar
Legendary
*
Offline Offline

Activity: 2842
Merit: 1442


Viva Ut Vivas


View Profile WWW
August 14, 2013, 05:28:41 PM
 #4

The Bitcoin scripts all require that you have your bitcoin client running.

And if person A is not satisfied and person B feels that they are in the right, person A has all of the power and can deny person B from ever getting the funds. Or person A could be person B's competitor and purposefully withhold funds.

It does help as far as a blanket send with no intermediary, but I believe a thriving Bitcoin escrow services industry will help things quite a bit.

First seastead company actually selling seasteads: Ocean Builders https://ocean.builders  Of course we accept bitcoin.
Seastead talk at http://seasteadtalk.org
oleganza
Full Member
***
Offline Offline

Activity: 200
Merit: 100


Software design and user experience.


View Profile WWW
August 14, 2013, 05:36:54 PM
 #5

As I mentioned in the article, escrows need to be experts. That's not very cheap or possible in many typical cases. And some things are not possible to prove to an escrow or anyone.

Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.


View Profile
August 14, 2013, 05:56:01 PM
 #6

FYI, this was also discussed:
https://bitcointalk.org/index.php?topic=75481.msg835859#msg835859
https://bitcointalk.org/index.php?topic=98827.msg1081648#msg1081648
https://bitcointalk.org/index.php?topic=70074.msg811194#msg811194

one of my crazier notions:
https://bitcointalk.org/index.php?topic=99566.msg1088647#msg1088647
I'm working on something even more insane atm.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
oleganza
Full Member
***
Offline Offline

Activity: 200
Merit: 100


Software design and user experience.


View Profile WWW
August 14, 2013, 09:30:24 PM
 #7

Thanks for the links.

I've replied to your post about statistical escrow. What's this "even more insane" something of yours? :-)

Bitcoin analytics: blog.oleganza.com / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.


View Profile
August 14, 2013, 11:13:35 PM
 #8

Thanks for the links.

I've replied to your post about statistical escrow. What's this "even more insane" something of yours? :-)
I'm experimenting on testnet with multisig transactions. I'm trying to nest them. Hopefully, I'll have a working example to show in Austin this weekend. When I try to explain it on IRC, I get blank stares and guffaws. I'll just muddle through the protocol. It works on paper, but until I can show it on the blockchain, it is just a crazy notion.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
molecular
Donator
Legendary
*
Offline Offline

Activity: 2702
Merit: 1011



View Profile
November 16, 2013, 10:45:19 PM
 #9

Thanks for the links.

I've replied to your post about statistical escrow. What's this "even more insane" something of yours? :-)
I'm experimenting on testnet with multisig transactions. I'm trying to nest them. Hopefully, I'll have a working example to show in Austin this weekend. When I try to explain it on IRC, I get blank stares and guffaws. I'll just muddle through the protocol. It works on paper, but until I can show it on the blockchain, it is just a crazy notion.

so... how did this go?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Rupture
Full Member
***
Offline Offline

Activity: 182
Merit: 100


View Profile
November 17, 2013, 07:56:44 AM
 #10

Escrow is really the only way currently
schone
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
December 09, 2013, 11:27:48 PM
 #11

I'm relatively new to contracts but I want to make sure I understand the idea.

Will the spending inputs scriptSig contains <aliceNumber><bobNumber><signature> ?

Thank you,
-schone
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.


View Profile
December 11, 2013, 05:05:05 AM
 #12

Thanks for the links.

I've replied to your post about statistical escrow. What's this "even more insane" something of yours? :-)
I'm experimenting on testnet with multisig transactions. I'm trying to nest them. Hopefully, I'll have a working example to show in Austin this weekend. When I try to explain it on IRC, I get blank stares and guffaws. I'll just muddle through the protocol. It works on paper, but until I can show it on the blockchain, it is just a crazy notion.

so... how did this go?
I misunderstood how the keys are handled with multisig. The keys are hashed to create the inputs. I would need to re-use one key from a transaction to link to another. Essentially creating a logic path of outputs to be used as inputs for other multisig transactions. It could possibly still be done, but would require some extremely complex math to fit the nested transactions together as a multi-level multi-sig transaction. The idea would basically create a decentralized credit union where depositors would secure funds and allow loans as groups. But that is overthinking it a bit now.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!