Pages:
Author

Topic: Do-it-yourself Escrow with two-factor address utility (Read 11998 times)

hero member
Activity: 793
Merit: 1026
Can this tool be used without the escrow part?
Just 2 people: payer sends the BTC to some address and they can only be released when payer and payee agree on it.

Of course - just have either of the two people be the escrow agent.

The only drawback is if the payer and payee fail to agree, the only alternative is nobody gets the funds.  That advantage could be used by the payer to extort something from the payee beyond the goods he has already received.

If either of the 2 people is the escrow agent, then he will have both Invitation codes and can claim the BTC for himself?

Go to Tools >> Two-Factor Bitcoin Tools >> Key Combiner.

You'll need a fresh empty bitcoin address that you don't care about, as will your trading partner.  You give them your hex public key (found via the address utility), and they give you their hex public key.  You put your hex PRIVATE key in "Input Key 1" and their PUBLIC hex key in Input 2.  Make sure EC Multiplication is checked, which it is by default, and hit combine.  This will generate a bitcoin address at the bottom.  When they put *their private hex key* and *your PUBLIC hex key* in the respective inputs on their software, they will arrive at the same bitcoin address as you did.  You can both verify that the same address was generated.

Then to get the private key of that address you two created, you simple need to enter the private hex key of both your and your partner's address.  So either they give their private key to you, or you give your private key to them.

Voila!  No escrow, but you can both verify the faux-escrow address and know for sure the other party cannot access it.
legendary
Activity: 1064
Merit: 1000
If the Mycelium wallet had this functionality as a payable pro feature how much would you be willing to pay for it?

What are your suggested prices?
hero member
Activity: 812
Merit: 502
Can this tool be used without the escrow part?
Just 2 people: payer sends the BTC to some address and they can only be released when payer and payee agree on it.

Of course - just have either of the two people be the escrow agent.

The only drawback is if the payer and payee fail to agree, the only alternative is nobody gets the funds.  That advantage could be used by the payer to extort something from the payee beyond the goods he has already received.

If either of the 2 people is the escrow agent, then he will have both Invitation codes and can claim the BTC for himself?
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Can this tool be used without the escrow part?
Just 2 people: payer sends the BTC to some address and they can only be released when payer and payee agree on it.

Of course - just have either of the two people be the escrow agent.

The only drawback is if the payer and payee fail to agree, the only alternative is nobody gets the funds.  That advantage could be used by the payer to extort something from the payee beyond the goods he has already received.
Jan
legendary
Activity: 1043
Merit: 1002
If the Mycelium wallet had this functionality as a payable pro feature how much would you be willing to pay for it?
hero member
Activity: 812
Merit: 502
Can this tool be used without the escrow part?
Just 2 people: payer sends the BTC to some address and they can only be released when payer and payee agree on it.
staff
Activity: 4270
Merit: 1209
I support freedom of choice
Any news about this topic?
hero member
Activity: 793
Merit: 1026
Does the procedure you described represent what needs to be done to generate a 2 of 3 multisig key, or is it something that users only need to do until good UI tools for using multisig keys exist in the clients?

Ya no this is an entirely different thing unrelated to multisig
legendary
Activity: 1190
Merit: 1000
www.bitcointrading.com
Thank you Casascius for releasing this!  This is a very powerful tool!
legendary
Activity: 1288
Merit: 1000
Enabling the maximal migration
Interesting - looking forward to seeing where this develops
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Casascius "accidentally" makes a two party escrow utility that will change the nature of commerce. Incredible! Now we need it gussied-up a bit and we have us a killer app.
legendary
Activity: 1400
Merit: 1013
I thought the inclusion of multisig feature already implemented everything necessary to do escrow.

Other than the point and click UI for someone to actually do it (afaik)

Yup.  It's not point and click in the main client, and I don't know enough to do it any other way.  So for me, Mike's utility is what I'm using.
I should have been more clear.

In the mean time, it occurs to me 3rd party escrow can be done in this manner:  Alice has password used to create intermediate passphrase.  Bob uses phrase to make encrypted private key.  Bob then uses secret sharing to split the encrypted key up into 3 parts and gives Alice one part, Charlie (3rd party escrow) one part, and then Bob throws out the 3rd part since he already has the encrypted private key.  Alice also gives Charlie the password.

Now Alice has the password and 1 of 2 shares necessary to get the encrypted private key.  As does Charlie.  Bob has the entire encrypted private key but no password.  Any two out of the three of them can now work together to unlock the unencrypted private key.

The only problem I have with that is that Alice and Charlie can't verify that the shares they have will actually reveal the encrypted private key until it's too late (i.e. Bob screws Alice and so Alice and Charlie attempt to get the key, but Bob has simply spited them and the funds are now lost).

Does the procedure you described represent what needs to be done to generate a 2 of 3 multisig key, or is it something that users only need to do until good UI tools for using multisig keys exist in the clients?
hero member
Activity: 793
Merit: 1026
I thought the inclusion of multisig feature already implemented everything necessary to do escrow.

Other than the point and click UI for someone to actually do it (afaik)

Yup.  It's not point and click in the main client, and I don't know enough to do it any other way.  So for me, Mike's utility is what I'm using.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I thought the inclusion of multisig feature already implemented everything necessary to do escrow.

Other than the point and click UI for someone to actually do it (afaik)
legendary
Activity: 1400
Merit: 1013
I thought the inclusion of multisig feature already implemented everything necessary to do escrow.
hero member
Activity: 793
Merit: 1026

I'm not proficient enough to read that, but it has me very excited because I at least think I know sort of what I'm looking at.  Oh boy oh boy oh boy.

In the mean time, it occurs to me 3rd party escrow can be done in this manner:  Alice has password used to create intermediate passphrase.  Bob uses phrase to make encrypted private key.  Bob then uses secret sharing to split the encrypted key up into 3 parts and gives Alice one part, Charlie (3rd party escrow) one part, and then Bob throws out the 3rd part since he already has the encrypted private key.  Alice also gives Charlie the password.

Now Alice has the password and 1 of 2 shares necessary to get the encrypted private key.  As does Charlie.  Bob has the entire encrypted private key but no password.  Any two out of the three of them can now work together to unlock the unencrypted private key.

The only problem I have with that is that Alice and Charlie can't verify that the shares they have will actually reveal the encrypted private key until it's too late (i.e. Bob screws Alice and so Alice and Charlie attempt to get the key, but Bob has simply spited them and the funds are now lost).

Also, Mike's utility does not split up encrypted private keys into m-of-n shares.
hero member
Activity: 699
Merit: 500
Your Minion
Good work, I fell better about paying 0.15btc for your coins  Grin they will make a great holiday gift. Plus I can't wait to try and pay my tab with them.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Random idea:

What if I ran a dispute mediation service where I as a third party always maintained the ability to release the funds, so I could settle a dispute, but where the parties wouldn't need my help unless there was one?  For example, if I had a website where I gave out keyparts that let me join the dispute, but which wouldn't get in the way of the parties doing business.  The parties wouldn't rely on my continued existence unless they were in a stalemate and needed dispute settlement.

Imagine:  Alice wants to send an escrow transaction to Bob.  I'm Eddie the hands-off escrow agent.

Alice makes up a private key a.  Bob makes up a private key b.  I the escrow agent make two private keys, x and y.

Alice and Bob ask for my services.  I give Alice x and Gy.  I give Bob y and Gx.  So they both can calculate Gxy.

For those not familiar with the EC math, let me simplify it: pretend it's algebra, and G is a pre-defined constant with one special property: it's impossible to divide by G.  The rest are just regular numbers.  Gxy just means G times x times y.  Someone who knows Gx can't get x from it.  Further, G times anything can be made into a bitcoin address, and the "anything" becomes the private key.  If G itself were made into a bitcoin address, its private key would be the number 1.

Anyway, Alice and Bob's private keys a and b are for Alice and Bob's safety from me.  They exchange them with one another.  Alice stays safe from Bob by him not knowing x, and Bob stays safe from Alice by her not knowing y.

Alice and Bob both calculate the bitcoin address for (Gxy)ab.  Nobody has access to the funds.  The private key is xyab.  Alice knows abx and needs y, Bob knows aby and needs x, and I only know x and y.

Alice can give the funds to Bob by giving him x.

Bob can give the funds to Alice by giving her y.

If Alice and Bob refuse to cooperate and ask me to settle their dispute, I know both x and y, and can settle it in Alice's favor by giving her y, or in Bob's favor by telling him x.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Yeah, m-of-n is the generic term, meaning you need m parties of the original n parties to be able to spend the coins. In a 2-of-3, you could have the buyer, the seller, and an arbiter as the 3 people who participate in the transaction. They sign it in such a way that two of those are needed to spend the coin to the final destination (the sellers wallet). In most cases, if the buyer an seller agree, then they would just sign it and the arbiter would never even be involved. If there was a problem, however, the arbiter would make a ruling and with the buyer spend it back to the buyer, or with the seller spend it to the seller. This would require trust in the judgement and integrity of the arbiter, but is does allow two people with relatively low reputation to leverage the reputation of a well known third party.

My utility indeed has an m-of-n screen, but it was written for one person to create redundant access to their bitcoins without putting them in any single place.  I never wrote it with the intention for it to be used as an escrow tool, and the person who generates the m-of-n ends up with the private key.

It would be interesting to come up with a shared m-of-n scheme where nobody knows the private key but everyone can confirm they control part of a bitcoin address.  That might prevent a situation where somebody denies their counterparty a legitimate payment just to be a jerk, forcing their coins to be unusable.
Pages:
Jump to: