I suggest calling this an "airgapped payment". The minimum things we need to turn on in script to make this useful would also be very handy for improved security for cross chain payments.... on the order of no more than 400 bytes plus the size of a regular transaction, assuming the block size is not increased.
This is pretty viable... and though I don't think additions to script are that exciting (because people hardly use what we have.
) ... the use-cases enabling hash tree verification would enable are pretty interesting for such a simple change.
However,
I had previously showed how to use hash-locking to do cross-chain trades without this functionality, and I believe I can do the same to this protocol:
Here is a hash-locked version of an air-gapped payment protocol which would work today.
Alice wants to pay Bob without a publicly visible connection between them, or even without Bob learning anything about Alice's coins.
Carol offers to help, but Alice and Bob do not trust Carol and Carol does not trust Alice or Bob. In fact they all don't trust each other. At all. (I mean, look around Bitcoin talk, would you trust anyone here?)
Bob picks a secret value X and computes its hash H(X)=HX tells the hash to Alice and Carol.
Alice puts funds into an escrow which can be redeemed:
- By Alice + Carol (normal)
- By Carol if Carol provides HX, X, Q such that HX==H(X) and H(HX+Q) == value specified in the escrow payment.
Before announcing this transaction, Alice has carol write her a nlocktimed alice+carol refund, so if Carol is a dead-beat Alice will get her funds back eventually.
Alice tells carol Q. And Carol is convinced that she can redeem this transaction without Alice's help if only she also knew X.
After that escrow payment is confirmed Carol then pays to Bob with a hash-locked transaction which can be redeemed:
- Bob + Carol (refund)
- Bob + he must provide X such that H(X) == the prior disclosed HX
Like above, Carol has Bob help him write a nlocktimed refund before she announces this transaction.
Tada. Bob redeems it and discloses X.
If Alice doesn't do the release, Carol will redeem via disclosing Q, which will link the transactions because then anyone can look for all the signature+hash transactions and find the HX+Q one. Otherwise no one learns the correspondence, not even Bob, since he doesn't know Q.