(I have few opportunities to read the bitcoin forum, so maybe somebody has already thought of this, and I apologize if that is the case. If not, please feel free to continue reading.)
As you know, Satoshi imagined a solution to offer some protection against moral risk in transactions. It basically consists of special transactions whose outputs are redeemable not with one private key, but with two. Thus it is possible for Alice to send some bitcoins to Bob so that Alice will never be able to get her bitcoins back, but Bob will not be able to get them either unless Alice finally agrees.
I believe it is the best we can do against these kinds of risks, without using a third party.
However, it is kind of low-level since it relies on a specific feature of the bitcoin protocol. I have no idea how to actually do it, for instance.
I think it is possible to do exactly this with a higher level method.
So, let's assume Alice wants to sell Bob 10 BTC against 30 USD via bank wire. Alice and Bob do not trust each other so none of them is willing to pay first.
Here is the idea.
Both Alice and Bob generate a new random bitcoin address on their computer. Those keys are basically secret exponents in the secp256k1 elliptic curve. They also compute the corresponding public points, which are pairs of 256-bit numbers.
Alice:
my $key = new Bitcoin::PrivateKey label => "10BTC for Bob";
my $point = $key->public_point;
Bob:
my $key = new Bitcoin::PrivateKey label => "10BTC expected from Alice";
my $point = $key->public_point;
They both exchange their public points, on IRC for instance:
Alice> Ok Bob, here is my public point: 435ab6e5......5f54, b87f566......90cd
Bob> Ok, here's mine: 123fe.....32a, 32aa54....cc54
Now they compute the sum of these points and get the corresponding bitcoin address.
Alice:
my $pointsum = EC::add $point, $bobpoint;
print new Bitcoin::Address $pointsum;
Bob:
my $pointsum = EC::add $point, $alicepoint;
print new Bitcoin::Address $pointsum;
They check that they get the same bitcoin address, and then Alice sends 10 BTC to this address.
At this point, none of them is capable of redeeming those 10 BTC, but obviously they can check that they are in the blockchain with bitcoinexplorer or something.
Once Bob acknowledges that the bitcoins are buried deep enough in the blockchain, he can initiate the 30 USD bank wire.
Two or three days later, Alice acknowledges that she received the 30 USD. Now she communicates the secret exponent she generated.
Bob now knows both secret exponents. Thus he can compute the secret exponent of the exchange key:
my $exchange_key = new Bitcoin::PrivateKey +($key + $alice_key) % secp256k1->{generator}{order};
With this key, Bob can redeem the 10 BTC.
Had Alice refused to reveal the private key, Bob would have been screwed, but Alice would not get any real benefit from that, as the 10 BTC would be lost in the blockchain forever.
Am I wrong somewhere?
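The point-addition exchange described in the post, worked through in pure Python over secp256k1, as an added example that is not part of the original post (the post's own code is Perl against Bitcoin::PrivateKey and EC::add). The function names, the `key_id` stand-in for a bitcoin address (a SHA-256 of the compressed public key instead of the real RIPEMD-160/Base58Check derivation) and the constructed key pairs are this example's own assumptions. Besides the honest run, it also shows the check a practitioner would want before relying on the scheme: because Alice posts her public point first, Bob can choose his point as T - A for a T whose exponent he knows, so that A + B = T and he can redeem the funded output without ever receiving Alice's secret. Having each party commit to a hash of their point before revealing it avoids that.

```python
# Added example, not from the original post: the two-party "sum of points"
# escrow over secp256k1 in pure Python, plus the rogue-key check.
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity is represented by None.


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P, doubling included."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_neg(point):
    if point is None:
        return None
    return (point[0], (-point[1]) % P)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def new_private_key():
    """A random secret exponent in [1, N-1]."""
    return 1 + secrets.randbelow(N - 1)


def key_id(point):
    """Stand-in for a bitcoin address (assumption of this example): a hash of the
    compressed SEC encoding. Real P2PKH uses RIPEMD160(SHA256(pubkey)) and
    Base58Check, but the identification logic is the same."""
    x, y = point
    sec = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(sec).hexdigest()


def params_ok():
    """Sanity check: G lies on the curve and has order N."""
    x, y = G
    on_curve = (y * y - x * x * x - 7) % P == 0
    return on_curve and ec_mul(N) is None


def escrow_exchange():
    """Honest run: both sides derive the same address, and a + b opens it."""
    a = new_private_key()            # Alice's secret exponent
    b = new_private_key()            # Bob's secret exponent
    A, B = ec_mul(a), ec_mul(b)      # public points exchanged on IRC
    alice_view = key_id(ec_add(A, B))
    bob_view = key_id(ec_add(B, A))
    # ... Alice funds the address, Bob wires the USD, Alice reveals a ...
    exchange_key = (a + b) % N
    return alice_view == bob_view and key_id(ec_mul(exchange_key)) == alice_view


def rogue_key_exchange():
    """Bob picks his point after seeing Alice's: B = T - A, so A + B = T and
    Bob alone knows the exponent of the funded point. Returns True if Bob can
    redeem without Alice's secret, i.e. the unhashed exchange is unsafe."""
    a = new_private_key()
    A = ec_mul(a)
    t = new_private_key()            # Bob's real secret
    B_rogue = ec_add(ec_mul(t), ec_neg(A))
    funded = ec_add(A, B_rogue)      # what Alice pays into
    return key_id(ec_mul(t)) == key_id(funded)
```

`escrow_exchange()` returning True confirms the arithmetic behind the post (the sum of the exponents mod N controls the sum of the points), and `rogue_key_exchange()` returning True shows why the points must be committed to (e.g. by exchanging hashes first) before they are revealed in the clear.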