Bitcoin Forum
April 26, 2017, 01:59:20 AM
 Welcome, Guest. Please login or register. 1 Hour 1 Day 1 Week 1 Month Forever Login with username, password and session length
 News: Latest stable version of Bitcoin Core: 0.14.1  [Torrent]. (New!)
 Home Help Search Donate Login Register
 Pages: [1]
 Author Topic: Adding public keys for safer exchanges  (Read 1421 times)
grondilu
Legendary

Offline

Activity: 1134

 December 29, 2011, 02:05:15 PM

(I have few possibilities to read the bitcoin forum so maybe somebody has already thought of this and I apologize if it is the case.  If not, please feel free to continue reading  )

As you know Satoshi imagined a solution to offer some protection against moral risk in transactions.  It basically consists in special transactions whose outputs are reedemable not with one private key, but with two.  Thus it is possible for Alice to send some bitcoins to Bob so that Alice will never be able to get her bitcoins back, but Bob will not be able to get them either unless Alice finaly agrees.

I believe it is the best we can do against these kinds of risks, without using a third party.

However, it is kind of low-level since it relies on a specific feature of the bitcoin protocol.  I have no idea about how to actually do it, for instance.

I think it is possible to do exactly this with a higher level method.

So, let's assume Alice wants to sell Bob 10 BTC against 30 USD via bank wire.  Alice and Bob do not trust each other so none of them is willing to pay first.

Here is the idea.

Both Alice and Bob generate a new random bitcoin address on their computer.  Those keys are basically secret exponants in the secp256k1 elliptic curve.  They also compute the corresponding public points, which are two 256 bits numbers.

Alice:
Code:
my \$key = new Bitcoin::PrivateKey label => "10BTC for Bob";
my \$point = \$key->public_point;
Bob:
Code:
my \$key = new Bitcoin::PrivateKey label => "10BTC expected from Alice";
my \$point = \$key->public_point;

They both exchange their public points, on IRC for instance:

Alice>  Ok Bob, here is my public point:  435ab6e5......5f54,  b87f566......90cd
Bob>  Ok, here's mine :  123fe.....32a,   32aa54....cc54

Now they compute the sum of these points, and get the corresponding bitcoin address

Alice:
Code:
my \$pointsum = EC::add \$point, \$bobpoint;
print new Bitcoin::Address \$pointsum;

Bob:
Code:
my \$pointsum = EC::add \$point, \$alicepoint;
print new Bitcoin::Address \$pointsum;

They check they get the same bitcoin address, and then Alice sends 10 BTC to this address.

At this point, none of them is capable of reedeming those 10BTC, but obviously they can check that they are in the blockchain with bitcoinexplorer or something.

Once Bob aknowledges that the bitcoins are buried enough in the blockchain, he can initiate the 30USD bank wire.

Two or three days later, Alice aknowledges that she received the 30USD.  Now she communicates the secret exponant she generated.

Bob now knows both secret exponents.  Thus he can compute the secret exponant of the exchange key:

Code:
my \$exchange_key = new Bitcoin::PrivateKey +(\$key + \$alice_key) % secp256k1->{generator}{order};

With this key, Bob can redeem the 10BTC.

Had Alice refused to reveal the private key, Bob would have been screwed, but Alice would not get any real benefit for that, as the 10BTC would be lost in the blockchain for ever.

Am I wrong somewhere?
1493171960
Hero Member

Offline

Posts: 1493171960

Ignore
 1493171960

1493171960
 Report to moderator
1493171960
Hero Member

Offline

Posts: 1493171960

Ignore
 1493171960

1493171960
 Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1493171960
Hero Member

Offline

Posts: 1493171960

Ignore
 1493171960

1493171960
 Report to moderator
1493171960
Hero Member

Offline

Posts: 1493171960

Ignore
 1493171960

1493171960
 Report to moderator
genjix
Legendary

Offline

Activity: 1246

 December 29, 2011, 02:24:18 PM

you mean a diffie hellman key exchange?
grondilu
Legendary

Offline

Activity: 1134

 December 29, 2011, 02:28:34 PM

you mean a diffie hellman key exchange?

Ok I confess I don't know about that.  I'll check it out.
Hero Member

Offline

Activity: 616

 December 30, 2011, 01:53:30 PM

Something on that line was proposed by Satoshi: https://bitcointalk.org/?topic=750

I guess it's only missing some user-friendly implementation.
kokjo
Legendary

Offline

Activity: 1050

You are WRONG!

 December 30, 2011, 02:02:14 PM

its not diffie-hellmann. but yes it would work.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
paraipan
Legendary

Offline

Activity: 924

Firstbits: 1pirata

 December 30, 2011, 02:18:07 PM

Something on that line was proposed by Satoshi: https://bitcointalk.org/?topic=750

I guess it's only missing some user-friendly implementation.

wow, satoshi was on to something more in that thread...

"...Imagine someone stole something from you.  You can't get it back, but if you could, if it had a kill switch that could be remote triggered, would you do it?  Would it be a good thing for thieves to know that everything you own has a kill switch and if they steal it, it'll be useless to them, although you still lose it too?  If they give it back, you can re-activate it..."

i can't stop imagining things based on such a feature, could be possible to have it on day in the Bitcoin software ?
he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
Hero Member

Offline

Activity: 616

 December 30, 2011, 03:58:37 PM

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did
kokjo
Legendary

Offline

Activity: 1050

You are WRONG!

 December 30, 2011, 04:02:37 PM

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did
yes but its have been know for a lot of time...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jimrandomh
Jr. Member

Offline

Activity: 43

 December 30, 2011, 08:39:13 PM

This is multi-key escrow. I believe the blockchain supports it now, with current clients, although there's no GUI support. Ideally you'd use three keys: Alice's key, Bob's key, and a third-party judge's key, such that two of the keys together could release the funds. That way, an anonymous sender couldn't break his agreement and use the threat of withholding funds as leverage.
kokjo
Legendary

Offline

Activity: 1050

You are WRONG!

 December 30, 2011, 08:41:27 PM

This is multi-key escrow. I believe the blockchain supports it now, with current clients, although there's no GUI support. Ideally you'd use three keys: Alice's key, Bob's key, and a third-party judge's key, such that two of the keys together could release the funds. That way, an anonymous sender couldn't break his agreement and use the threat of withholding funds as leverage.
no because he have nothing to gain from it.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
paraipan
Legendary

Offline

Activity: 924

Firstbits: 1pirata

 December 30, 2011, 08:44:24 PM

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did
yes but its have been know for a lot of time...

nice to know, could have been his way of telling us that we have to work some things out by ourselves ?
dunno, epic character this satoshi btw

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
casascius
Mike Caldwell
VIP
Legendary

Online

Activity: 1344

The Casascius 1oz 10BTC Silver Round (w/ Gold B)

 December 30, 2011, 09:06:18 PM

This has been discussed... conclusion is that multiplication would be better than addition, because addition has a security flaw (unless both Alice and Bob commit to their keys beforehand).

The flaw is: if Bob knows Alice's public key, then instead of generating a keypair and giving Alice the public key, he generates a keypair and gives Alice the result of his public key minus Alice's public key.  Alice adds them together, sends bitcoins to the sum address, and Bob steals them because he knows the private key of the sum.

Multiplication would work better because it can't be undone the same way addition can be undone with subtraction.  Or, if Alice and Bob committed to their keys before sharing them, this wouldn't be possible, because the thief needs to base his/her key on the other person's key.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
grondilu
Legendary

Offline

Activity: 1134

 December 31, 2011, 11:01:25 AM

Multiplication would work better because it can't be undone the same way addition can be undone with subtraction. Or, if Alice and Bob committed to their keys before sharing them, this wouldn't be possible, because the thief needs to base his/her key on the other person's key.

Ok, so multiplication it is.  I'll try to improve the friendlyness of my Perl library.
 Pages: [1]
 « previous topic next topic »