Topic: Do-it-yourself Escrow with two-factor address utility (Read 11991 times)

Go to Tools >> Two-Factor Bitcoin Tools >> Key Combiner.

You'll need a fresh empty bitcoin address that you don't care about, as will your trading partner.  You give them your hex public key (found via the address utility), and they give you their hex public key.  You put your hex PRIVATE key in "Input Key 1" and their PUBLIC hex key in Input 2.  Make sure EC Multiplication is checked, which it is by default, and hit combine.  This will generate a bitcoin address at the bottom.  When they put *their private hex key* and *your PUBLIC hex key* in the respective inputs on their software, they will arrive at the same bitcoin address as you did.  You can both verify that the same address was generated.

Then to get the private key of that address you two created, you simple need to enter the private hex key of both your and your partner's address.  So either they give their private key to you, or you give your private key to them.

Voila!  No escrow, but you can both verify the faux-escrow address and know for sure the other party cannot access it.

What are your suggested prices?

If either of the 2 people is the escrow agent, then he will have both Invitation codes and can claim the BTC for himself?

Of course - just have either of the two people be the escrow agent.

The only drawback is if the payer and payee fail to agree, the only alternative is nobody gets the funds.  That advantage could be used by the payer to extort something from the payee beyond the goods he has already received.

If the Mycelium wallet had this functionality as a payable pro feature how much would you be willing to pay for it?

Can this tool be used without the escrow part?
Just 2 people: payer sends the BTC to some address and they can only be released when payer and payee agree on it.

Any news about this topic?

Ya no this is an entirely different thing unrelated to multisig

Thank you Casascius for releasing this!  This is a very powerful tool!

Interesting - looking forward to seeing where this develops

Casascius "accidentally" makes a two party escrow utility that will change the nature of commerce. Incredible! Now we need it gussied-up a bit and we have us a killer app.

I should have been more clear.


Does the procedure you described represent what needs to be done to generate a 2 of 3 multisig key, or is it something that users only need to do until good UI tools for using multisig keys exist in the clients?

Yup.  It's not point and click in the main client, and I don't know enough to do it any other way.  So for me, Mike's utility is what I'm using.

Other than the point and click UI for someone to actually do it (afaik)

I thought the inclusion of multisig feature already implemented everything necessary to do escrow.

I'm not proficient enough to read that, but it has me very excited because I at least think I know sort of what I'm looking at.  Oh boy oh boy oh boy.

In the mean time, it occurs to me 3rd party escrow can be done in this manner:  Alice has password used to create intermediate passphrase.  Bob uses phrase to make encrypted private key.  Bob then uses secret sharing to split the encrypted key up into 3 parts and gives Alice one part, Charlie (3rd party escrow) one part, and then Bob throws out the 3rd part since he already has the encrypted private key.  Alice also gives Charlie the password.

Now Alice has the password and 1 of 2 shares necessary to get the encrypted private key.  As does Charlie.  Bob has the entire encrypted private key but no password.  Any two out of the three of them can now work together to unlock the unencrypted private key.

The only problem I have with that is that Alice and Charlie can't verify that the shares they have will actually reveal the encrypted private key until it's too late (i.e. Bob screws Alice and so Alice and Charlie attempt to get the key, but Bob has simply spited them and the funds are now lost).

Also, Mike's utility does not split up encrypted private keys into m-of-n shares.

Hello my old friend.
Here you are:
https://raw.github.com/gist/3966071/1f6cfa4208bc82ee5039876b4f065a705ce64df7/TwoOfThree.sh

Good work, I fell better about paying 0.15btc for your coins  they will make a great holiday gift. Plus I can't wait to try and pay my tab with them.

Random idea:

What if I ran a dispute mediation service where I as a third party always maintained the ability to release the funds, so I could settle a dispute, but where the parties wouldn't need my help unless there was one?  For example, if I had a website where I gave out keyparts that let me join the dispute, but which wouldn't get in the way of the parties doing business.  The parties wouldn't rely on my continued existence unless they were in a stalemate and needed dispute settlement.

Imagine:  Alice wants to send an escrow transaction to Bob.  I'm Eddie the hands-off escrow agent.

Alice makes up a private key a.  Bob makes up a private key b.  I the escrow agent make two private keys, x and y.

Alice and Bob ask for my services.  I give Alice x and Gy.  I give Bob y and Gx.  So they both can calculate Gxy.

For those not familiar with the EC math, let me simplify it: pretend it's algebra, and G is a pre-defined constant with one special property: it's impossible to divide by G.  The rest are just regular numbers.  Gxy just means G times x times y.  Someone who knows Gx can't get x from it.  Further, G times anything can be made into a bitcoin address, and the "anything" becomes the private key.  If G itself were made into a bitcoin address, its private key would be the number 1.

Anyway, Alice and Bob's private keys a and b are for Alice and Bob's safety from me.  They exchange them with one another.  Alice stays safe from Bob by him not knowing x, and Bob stays safe from Alice by her not knowing y.

Alice and Bob both calculate the bitcoin address for (Gxy)ab.  Nobody has access to the funds.  The private key is xyab.  Alice knows abx and needs y, Bob knows aby and needs x, and I only know x and y.

Alice can give the funds to Bob by giving him x.

Bob can give the funds to Alice by giving her y.

If Alice and Bob refuse to cooperate and ask me to settle their dispute, I know both x and y, and can settle it in Alice's favor by giving her y, or in Bob's favor by telling him x.

My utility indeed has an m-of-n screen, but it was written for one person to create redundant access to their bitcoins without putting them in any single place.  I never wrote it with the intention for it to be used as an escrow tool, and the person who generates the m-of-n ends up with the private key.

It would be interesting to come up with a shared m-of-n scheme where nobody knows the private key but everyone can confirm they control part of a bitcoin address.  That might prevent a situation where somebody denies their counterparty a legitimate payment just to be a jerk, forcing their coins to be unusable.