Author Topic: Can offline transactions be guaranteed?  (Read 1078 times)
dperfect (OP)
December 30, 2013, 03:30:50 AM
 #1

I apologize for posting this in two places, but I wasn't getting much response on the Newbies board (https://bitcointalk.org/index.php?topic=389719.0) and figured this may be a more appropriate place to ask...

I'm trying to better understand the potential for contracts as described here: https://en.bitcoin.it/wiki/Contracts. I have a fairly basic understanding of the blockchain and the algorithms operating under the hood, and I've read the original Satoshi paper on Bitcoin.

The possibility for creating low-trust contracts is really interesting to me, but I'm having a hard time understanding the process described in a few of the examples on the wiki.


The question:

What prevents someone from spending the coins included in a partially-fulfilled contract (such as the inheritance contract from example #4) before it's broadcast and verified on the network?

To quote the wiki (example 4 - using external state):

Quote
[The old man] creates a transaction with a lock time of the grandson's 18th birthday that pays the coins to another key owned by the grandson, signs it, and gives it to him - but does not broadcast it. This takes care of the 18th birthday condition. If the date passes, the grandson broadcasts the transaction and claims the coins.

If I'm the grandson, what guarantee do I have that by the time my 18th birthday rolls around, those coins will not have already been spent elsewhere? The same question applies to the "pledged" transactions sent to the entrepreneur in example 3 (before the full amount is received and the final transaction is broadcast).

Am I missing something here?
Abdussamad
December 30, 2013, 03:45:51 AM
 #2

Quote
[The old man] creates a transaction with a lock time of the grandson's 18th birthday that pays the coins to another key owned by the grandson, signs it, and gives it to him - but does not broadcast it. This takes care of the 18th birthday condition. If the date passes, the grandson broadcasts the transaction and claims the coins.

If I'm the grandson, what guarantee do I have that by the time my 18th birthday rolls around, those coins will not have already been spent elsewhere?

To spend coins you need the private key of the address that last received those coins. In this case it is the private key owned by the grandfather. The only way those coins can be spent before the 18th birthday is if the grandfather spends them in his lifetime or his private key is made public after his death and somebody else spends the coins.
cp1
December 30, 2013, 03:53:05 AM
 #3

If a transaction is not broadcast there is nothing preventing those chips from being spent.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0
dperfect (OP)
December 30, 2013, 03:55:43 AM
Last edit: December 30, 2013, 04:21:27 AM by dperfect
 #4

Quote
To spend coins you need the private key of the address that last received those coins. In this case it is the private key owned by the grandfather. The only way those coins can be spent before the 18th birthday is if the grandfather spends them in his lifetime or his private key is made public after his death and somebody else spends the coins.

Understood. Is there no way for the grandson to be guaranteed that his grandfather did not (intentionally or unintentionally) spend those coins before his death and before the grandson tries to claim his inheritance?

In this particular example, you really have to rely on trust that the grandfather isn't going to spend those beforehand, right? If that's the case, then doesn't that kind of undermine the low-trust objective of these types of contracts?

I imagine other scenarios where this kind of contract would really lose a lot of its value if the coins cannot be guaranteed unspent at the time of broadcast on the network...
DeathAndTaxes
December 30, 2013, 03:59:35 AM
 #5

Well, in that scenario the grandfather could spend the coins; however, using multi-sig one could "lock the coins".

Create a multi-sig P2SH address which requires 2 of 2 signatures to spend. Grandfather sends the coins to the address. Grandfather half signs a locktime tx to grandson's address, grandson half signs, completing the tx.

Outcome:
Coins are secure in address which both grandfather and grandson need to sign to create a new/alternative tx.  Grandson has a valid signed tx but it can't be included in a block until he turns 18 (well roughly it is based on block time).
cp1
December 30, 2013, 04:04:17 AM
 #6

Yes, your example is pretty much the same as leaving a will. I can will you $10 million, but I can change my will or spend all the money before I die. But if I place it in an irrevocable trust (time lock multi-sig), then you're ok.
dperfect (OP)
December 30, 2013, 04:06:42 AM
 #7

OK, awesome - thanks for the info! That makes sense (I didn't realize you could combine multi-sig with a time lock). Very cool!
Abdussamad
December 30, 2013, 04:09:58 AM
 #8

Quote
Understood. Is there no way for the grandson to be guaranteed that his grandfather did not (intentionally or unintentionally) spend those coins before his death and before the son tries to claim his inheritance?

Yeah, all transactions are public information. The grandson has the signed transaction so he can run that through a raw transaction decoder and it will tell him the source inputs. Look up the inputs on the blockchain (for example using an explorer like blockchain.info) and he'll know whether they've been spent already or not.

Also when he broadcasts the transaction it will be rejected if the inputs have already been spent.

Quote
In this particular example, you really have to rely on trust that the grandfather isn't going to spend those beforehand, right? If that's the case, then doesn't that kind of undermine the low-trust objective of these types of contracts?

I imagine other scenarios where this kind of contract would really lose a lot of its value if the coins cannot be guaranteed unspent at the time of broadcast on the network...

Well you are thinking of another scenario. Perhaps escrow? If that is what you have in mind look up multi-signature transactions. Also some sites like bit2factor.org let you do it now without multisig.

In this particular scenario (grandfather-grandson) one would assume the two parties are willing participants and trust and probably even love each other.

BTW nlocktime isn't supported yet. Maybe in the future.
dperfect (OP)
December 30, 2013, 04:14:49 AM
 #9

Quote
Well you are thinking of another scenario. Perhaps escrow? If that is what you have in mind look up multi-signature transactions. Also some sites like bit2factor.org let you do it now without multisig.

In this particular scenario (grandfather-grandson) one would assume the two parties are willing participants and trust and probably even love each other.

BTW nlocktime isn't supported yet. Maybe in the future.

Thanks for the explanation (and yes, I agree - in the grandfather/grandson scenario, trust hopefully isn't so much of an issue). I appreciate the answers :)
kjj
December 30, 2013, 06:07:38 AM
 #10

Quote
BTW nlocktime isn't supported yet. Maybe in the future.

Yes it is.  See the two IsFinal() functions in main.h, and the many calls to them in main.h, main.cpp, rpcwallet.cpp, wallet.h and wallet.cpp.

What isn't implemented is transaction replacement.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
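
The checks described in posts #8 and #10, as an added example (not code from any poster or from the Bitcoin client): a small Python parser for a legacy-format raw transaction that lists the inputs the grandson would look up, plus a re-implementation of the nLockTime finality rule (lock time 0, lock time already passed, or every input sequence number final). The function names and the sample transaction bytes are constructed for illustration.

```python
from io import BytesIO

LOCKTIME_THRESHOLD = 500_000_000  # below: block height; otherwise: Unix time
SEQUENCE_FINAL = 0xFFFFFFFF

def _u(s, n):
    """Read an n-byte little-endian unsigned integer."""
    b = s.read(n)
    if len(b) != n:
        raise ValueError("truncated transaction")
    return int.from_bytes(b, "little")

def _varint(s):
    n = _u(s, 1)
    return n if n < 0xFD else _u(s, {0xFD: 2, 0xFE: 4, 0xFF: 8}[n])

def parse_tx(raw_hex):
    """Parse a legacy (pre-segwit) serialized transaction."""
    s = BytesIO(bytes.fromhex(raw_hex))
    _u(s, 4)                                  # version
    inputs = []
    for _ in range(_varint(s)):
        txid = s.read(32)[::-1].hex()         # explorers show the hash byte-reversed
        vout = _u(s, 4)
        s.read(_varint(s))                    # scriptSig (signatures), not needed here
        inputs.append({"outpoint": f"{txid}:{vout}", "sequence": _u(s, 4)})
    for _ in range(_varint(s)):
        _u(s, 8)                              # output value in satoshis
        s.read(_varint(s))                    # scriptPubKey
    return {"inputs": inputs, "locktime": _u(s, 4)}

def is_final(tx, height, block_time):
    """True if the transaction may be included in a block at height/block_time."""
    lock = tx["locktime"]
    if lock == 0:
        return True
    if lock < (height if lock < LOCKTIME_THRESHOLD else block_time):
        return True
    # A lock time is ignored when every input carries the final sequence number.
    return all(i["sequence"] == SEQUENCE_FINAL for i in tx["inputs"])

# Constructed sample: one input (txid aa..aa, output 1, sequence 0), one output,
# lock time 1893456000 (a Unix timestamp). Not a real transaction.
SAMPLE_TX = (
    "01000000" "01" + "aa" * 32 + "01000000" "00" "00000000"
    "01" "00e1f50500000000" "19" "76a914" + "bb" * 20 + "88ac"
    + (1893456000).to_bytes(4, "little").hex()
)

if __name__ == "__main__":
    tx = parse_tx(SAMPLE_TX)
    print(tx["inputs"], tx["locktime"], is_final(tx, 277_000, 1_388_376_000))
```

Each `outpoint` string is what the holder of a pre-signed transaction would look up to see whether it is still unspent. The last branch of `is_final` is the one to check on such a transaction: if every input has sequence 0xFFFFFFFF, the lock time is ignored and the transaction is valid immediately.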