Bitcoin Forum
February 24, 2017, 03:08:46 PM *
News: Latest stable version of Bitcoin Core: 0.13.2  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Adding public keys for safer exchanges  (Read 1400 times)
grondilu
Legendary
*
Offline Offline

Activity: 1134


View Profile
December 29, 2011, 02:05:15 PM
 #1

(I have few possibilities to read the bitcoin forum so maybe somebody has already thought of this and I apologize if it is the case.  If not, please feel free to continue reading Smiley  )

As you know Satoshi imagined a solution to offer some protection against moral risk in transactions.  It basically consists in special transactions whose outputs are reedemable not with one private key, but with two.  Thus it is possible for Alice to send some bitcoins to Bob so that Alice will never be able to get her bitcoins back, but Bob will not be able to get them either unless Alice finaly agrees.

I believe it is the best we can do against these kinds of risks, without using a third party.

However, it is kind of low-level since it relies on a specific feature of the bitcoin protocol.  I have no idea about how to actually do it, for instance.

I think it is possible to do exactly this with a higher level method.

So, let's assume Alice wants to sell Bob 10 BTC against 30 USD via bank wire.  Alice and Bob do not trust each other so none of them is willing to pay first.

Here is the idea.

Both Alice and Bob generate a new random bitcoin address on their computer.  Those keys are basically secret exponants in the secp256k1 elliptic curve.  They also compute the corresponding public points, which are two 256 bits numbers.

Alice:
Code:
my $key = new Bitcoin::PrivateKey label => "10BTC for Bob";
my $point = $key->public_point;
Bob:
Code:
my $key = new Bitcoin::PrivateKey label => "10BTC expected from Alice";
my $point = $key->public_point;

They both exchange their public points, on IRC for instance:

Alice>  Ok Bob, here is my public point:  435ab6e5......5f54,  b87f566......90cd
Bob>  Ok, here's mine :  123fe.....32a,   32aa54....cc54

Now they compute the sum of these points, and get the corresponding bitcoin address

Alice:
Code:
my $pointsum = EC::add $point, $bobpoint;
print new Bitcoin::Address $pointsum;

Bob:
Code:
my $pointsum = EC::add $point, $alicepoint;
print new Bitcoin::Address $pointsum;

They check they get the same bitcoin address, and then Alice sends 10 BTC to this address.

At this point, none of them is capable of reedeming those 10BTC, but obviously they can check that they are in the blockchain with bitcoinexplorer or something.

Once Bob aknowledges that the bitcoins are buried enough in the blockchain, he can initiate the 30USD bank wire.

Two or three days later, Alice aknowledges that she received the 30USD.  Now she communicates the secret exponant she generated.

Bob now knows both secret exponents.  Thus he can compute the secret exponant of the exchange key:

Code:
my $exchange_key = new Bitcoin::PrivateKey +($key + $alice_key) % secp256k1->{generator}{order};

With this key, Bob can redeem the 10BTC.

Had Alice refused to reveal the private key, Bob would have been screwed, but Alice would not get any real benefit for that, as the 10BTC would be lost in the blockchain for ever.

Am I wrong somewhere?
1487948926
Hero Member
*
Offline Offline

Posts: 1487948926

View Profile Personal Message (Offline)

Ignore
1487948926
Reply with quote  #2

1487948926
Report to moderator
1487948926
Hero Member
*
Offline Offline

Posts: 1487948926

View Profile Personal Message (Offline)

Ignore
1487948926
Reply with quote  #2

1487948926
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1487948926
Hero Member
*
Offline Offline

Posts: 1487948926

View Profile Personal Message (Offline)

Ignore
1487948926
Reply with quote  #2

1487948926
Report to moderator
1487948926
Hero Member
*
Offline Offline

Posts: 1487948926

View Profile Personal Message (Offline)

Ignore
1487948926
Reply with quote  #2

1487948926
Report to moderator
1487948926
Hero Member
*
Offline Offline

Posts: 1487948926

View Profile Personal Message (Offline)

Ignore
1487948926
Reply with quote  #2

1487948926
Report to moderator
genjix
Legendary
*
expert
Offline Offline

Activity: 1246


View Profile
December 29, 2011, 02:24:18 PM
 #2

you mean a diffie hellman key exchange?
grondilu
Legendary
*
Offline Offline

Activity: 1134


View Profile
December 29, 2011, 02:28:34 PM
 #3

you mean a diffie hellman key exchange?

Ok I confess I don't know about that.  I'll check it out.
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 616



View Profile
December 30, 2011, 01:53:30 PM
 #4

Something on that line was proposed by Satoshi: https://bitcointalk.org/?topic=750

I guess it's only missing some user-friendly implementation.
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
December 30, 2011, 02:02:14 PM
 #5

its not diffie-hellmann. but yes it would work.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
paraipan
Legendary
*
Offline Offline

Activity: 924


Firstbits: 1pirata


View Profile WWW
December 30, 2011, 02:18:07 PM
 #6

Something on that line was proposed by Satoshi: https://bitcointalk.org/?topic=750

I guess it's only missing some user-friendly implementation.

wow, satoshi was on to something more in that thread...

"...Imagine someone stole something from you.  You can't get it back, but if you could, if it had a kill switch that could be remote triggered, would you do it?  Would it be a good thing for thieves to know that everything you own has a kill switch and if they steal it, it'll be useless to them, although you still lose it too?  If they give it back, you can re-activate it..."

i can't stop imagining things based on such a feature, could be possible to have it on day in the Bitcoin software ?
he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
EhVedadoOAnonimato
Hero Member
*****
Offline Offline

Activity: 616



View Profile
December 30, 2011, 03:58:37 PM
 #7

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did Wink
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
December 30, 2011, 04:02:37 PM
 #8

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did Wink
yes but its have been know for a lot of time...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
jimrandomh
Jr. Member
*
Offline Offline

Activity: 43


View Profile
December 30, 2011, 08:39:13 PM
 #9

This is multi-key escrow. I believe the blockchain supports it now, with current clients, although there's no GUI support. Ideally you'd use three keys: Alice's key, Bob's key, and a third-party judge's key, such that two of the keys together could release the funds. That way, an anonymous sender couldn't break his agreement and use the threat of withholding funds as leverage.
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
December 30, 2011, 08:41:27 PM
 #10

This is multi-key escrow. I believe the blockchain supports it now, with current clients, although there's no GUI support. Ideally you'd use three keys: Alice's key, Bob's key, and a third-party judge's key, such that two of the keys together could release the funds. That way, an anonymous sender couldn't break his agreement and use the threat of withholding funds as leverage.
no because he have nothing to gain from it.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
paraipan
Legendary
*
Offline Offline

Activity: 924


Firstbits: 1pirata


View Profile WWW
December 30, 2011, 08:44:24 PM
 #11

he was proposing a new way of doing escrow transactions, more p2p, but he didn't give any technical details though.

Grondilu just did Wink
yes but its have been know for a lot of time...

nice to know, could have been his way of telling us that we have to work some things out by ourselves ?
dunno, epic character this satoshi btw   Smiley

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
December 30, 2011, 09:06:18 PM
 #12

This has been discussed... conclusion is that multiplication would be better than addition, because addition has a security flaw (unless both Alice and Bob commit to their keys beforehand).

The flaw is: if Bob knows Alice's public key, then instead of generating a keypair and giving Alice the public key, he generates a keypair and gives Alice the result of his public key minus Alice's public key.  Alice adds them together, sends bitcoins to the sum address, and Bob steals them because he knows the private key of the sum.

Multiplication would work better because it can't be undone the same way addition can be undone with subtraction.  Or, if Alice and Bob committed to their keys before sharing them, this wouldn't be possible, because the thief needs to base his/her key on the other person's key.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
grondilu
Legendary
*
Offline Offline

Activity: 1134


View Profile
December 31, 2011, 11:01:25 AM
 #13

Multiplication would work better because it can't be undone the same way addition can be undone with subtraction. Or, if Alice and Bob committed to their keys before sharing them, this wouldn't be possible, because the thief needs to base his/her key on the other person's key.

Ok, so multiplication it is.  I'll try to improve the friendlyness of my Perl library.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!