Another idea how to mitigate the blackmail attack due tx malleability would be to create a 3of3 MultiSig and delete the 3rd key directly after signing. So there is no possibility that this transaction can be changed in favor of the blackmailer.
Of course it will not help against unintendedly changed transactions (not sure if that is a real risk with malleability as well?).
And the key deletion cannot be proven, so that is a weak point as well (but maybe more theoretical).
Here is the idea presented in the old version of our P2P Fiat-BTC exchange paper. In the current version (
https://docs.google.com/document/d/1d3EiWZdaM89-P6MVhS53unXv2-pDpSFsN3W4kCGXKgY) we don't need that anymore as blackmail prevention is covered by using arbitrators).
"...To solve that we could use a 3of3 Multisig for the deposit. Bob creates a 3rd key, use that for creating the 3of3 Multisig address for the deposit tx, and immediately creates the payout/refund tx and sign the input with the 3rd. key and DELETE that key afterwards.
That way he created the ONE AND ONLY possible spending tx. This 3rd temporary key serves only for protecting the predefined output setting. As it is destroyed after the initial tx creation, there is no way to change the output distribution with a modified tx.
The prove for key deletion is impossible but if Bob is honest he has no incentive to keep the key and Alice is in the more powerful Blackmail position. Even if he silently keep the key he can deny it. The software will do that all for the traders and only hacks or manipulated software could work around that. There will be probably not many people who cheat the system to keep the key secretly, and therefore the blackmailer has a very low probability to really hit another cheater who is capable to change the tx."
See in full context here:
https://docs.google.com/document/d/1pofc0j8FHLwZbK-ANJan7lD01Q5usy9XbA1wPn0FAKA/edit#heading=h.950d4t4cwl3qFull credit for the 3rd key deletion idea goes to dansmith!
EDIT:
I asked at IRC bitcoin-wizards and it seems that malleability can happen also without malicious intention, so the above proposal will not be sufficient.
Manfred_Karrer:I have a question regarding malleability: Can malleability happen without malicious intention? Like due different implementation or optimization?
stonecoldpat: i remember being told that it can
stonecoldpat: that it just happens from time to time
Ademan: Manfred_Karrer: yes it can, but it requires some sort of intention
Ademan: I recall gmaxwell mentioning nodes that would re-canonicalize transactions before relaying them, not sure if that was a hypothetical or not though
maaku: Ademan Manfred_Karrer: transactions can be mutated without any mallicious intention
maaku: especially if they are non-canonical to start with
maaku: it's not hard to imagine someone running custom code accidentally re-serializing transactions during relay in a way that makes them canonical or otherwise does not preserve round-trip serialization
