casascius

VIP

Legendary



Offline



Activity: 1386

Merit: 1064





The Casascius 1oz 10BTC Silver Round (w/ Gold B)







Mike CaldwellVIPLegendaryActivity: 1386Merit: 1064The Casascius 1oz 10BTC Silver Round (w/ Gold B) Do-it-yourself Escrow with two-factor address utility December 07, 2012, 01:30:14 AM

Last edit: December 07, 2012, 02:28:21 AM by casascius #1



https://bitcointalk.org/index.php?topic=129399.msg1383296#msg1383296



The way it works, is the person who is paying uses my utility to turn their Passphrase into an Intermediate Code. They give it to the payee.



The Payee uses the Intermediate Code to generate an encrypted Bitcoin address. The Payee also gives the "confirmation code" (appears on the printed Coin Inserts report) back to the payer. The payer should be able to reproduce the same bitcoin address via the confirmation code and his passphrase. The confirmation code also ensures that the payer will be paying an address that must have come from the passphrase, rather than one the payee got from his own wallet.



The payer pays. Nobody can access the funds.



When the payer wants to release the funds, he gives the payee the passphrase. If the payee wants to send the funds back, he gives the payer his private key. If nobody gives the other their part, the funds are permanently locked up.



The concept is nothing new, but now that it's wrapped into a point-and-click utility, it's suddenly more reachable.



What do you think?



Point-and-click two-factor escrow is also a plausible way to do collateral. Imagine someone set up a trading platform or exchange where settling trades was done primarily on the honor system and the exchange held one factor of a two-factor collateral arrangement as a backstop. It looks like somebody has figured out a way to use the two-factor feature of my Bitcoin Address Utility to do an escrow transaction.The way it works, is the person who is paying uses my utility to turn their Passphrase into an Intermediate Code. They give it to the payee.The Payee uses the Intermediate Code to generate an encrypted Bitcoin address. The Payee also gives the "confirmation code" (appears on the printed Coin Inserts report) back to the payer. The payer should be able to reproduce the same bitcoin address via the confirmation code and his passphrase. The confirmation code also ensures that the payer will be paying an address that must have come from the passphrase, rather than one the payee got from his own wallet.The payer pays. Nobody can access the funds.When the payer wants to release the funds, he gives the payee the passphrase. If the payee wants to send the funds back, he gives the payer his private key. If nobody gives the other their part, the funds are permanently locked up.The concept is nothing new, but now that it's wrapped into a point-and-click utility, it's suddenly more reachable.What do you think?Point-and-click two-factor escrow is also a plausible way to do collateral. Imagine someone set up a trading platform or exchange where settling trades was done primarily on the honor system and the exchange held one factor of a two-factor collateral arrangement as a backstop. Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

HostFat

Legendary



Offline



Activity: 3416

Merit: 1105





I support freedom of choice







StaffLegendaryActivity: 3416Merit: 1105I support freedom of choice Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 03:56:22 PM #3

I'll check later and I'll make an easy guide for my italian colleagues



Are you going to add some features on this topic in the near future? Good!I'll check later and I'll make an easy guide for my italian colleaguesAre you going to add some features on this topic in the near future? NON DO ASSISTENZA PRIVATA

Fjordbit



Offline



Activity: 588

Merit: 500



firstbits.com/1kznfw







Hero MemberActivity: 588Merit: 500firstbits.com/1kznfw Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 06:45:51 PM #5 This essentially requires some kind of resolution between the two partners. However



- a seller could be a scammer just looking to grief "buyers".

- a buyer, once receiving the item, could random the locked up coins for a discount. The seller has no leverage here.



I'm not too keen on this and doubt I would agree to it. 2-of-3 transactions are where it's at.

Spaceman_Spiff



Offline



Activity: 1638

Merit: 1000





₪``Campaign Manager´´₪







LegendaryActivity: 1638Merit: 1000₪``Campaign Manager´´₪ Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 07:20:17 PM #6 Quote from: Fjordbit on December 07, 2012, 06:45:51 PM This essentially requires some kind of resolution between the two partners. However



- a seller could be a scammer just looking to grief "buyers".

- a buyer, once receiving the item, could random the locked up coins for a discount. The seller has no leverage here.



I'm not too keen on this and doubt I would agree to it. 2-of-3 transactions are where it's at.



What are 2-of-3 transactions?

Is it a system in which the buyer and/or seller have to deposit some money that will be transferred back to them upon completion of a mutually satisfied transaction? Because such a system would make sense to me.



I have seen the term "m-of-n transactions" before on this forum, is this a more generalised term?



Although I am not yet technically literate enough, do-it-yourself escrow seems like an awesome idea. Thanks Casascius! What are 2-of-3 transactions?Is it a system in which the buyer and/or seller have to deposit some money that will be transferred back to them upon completion of a mutually satisfied transaction? Because such a system would make sense to me.I have seen the term "m-of-n transactions" before on this forum, is this a more generalised term?Although I am not yet technically literate enough, do-it-yourself escrow seems like an awesome idea. Thanks Casascius!

Fjordbit



Offline



Activity: 588

Merit: 500



firstbits.com/1kznfw







Hero MemberActivity: 588Merit: 500firstbits.com/1kznfw Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 10:12:01 PM #8 Quote from: Spaceman_Spiff on December 07, 2012, 07:20:17 PM What are 2-of-3 transactions?

Is it a system in which the buyer and/or seller have to deposit some money that will be transferred back to them upon completion of a mutually satisfied transaction? Because such a system would make sense to me.



I have seen the term "m-of-n transactions" before on this forum, is this a more generalised term?



Although I am not yet technically literate enough, do-it-yourself escrow seems like an awesome idea. Thanks Casascius!



Yeah, Yeah, m-of-n is the generic term, meaning you need m parties of the original n parties to be able to spend the coins. In a 2-of-3, you could have the buyer, the seller, and an arbiter as the 3 people who participate in the transaction. They sign it in such a way that two of those are needed to spend the coin to the final destination (the sellers wallet). In most cases, if the buyer an seller agree, then they would just sign it and the arbiter would never even be involved. If there was a problem, however, the arbiter would make a ruling and with the buyer spend it back to the buyer, or with the seller spend it to the seller. This would require trust in the judgement and integrity of the arbiter, but is does allow two people with relatively low reputation to leverage the reputation of a well known third party.

casascius

VIP

Legendary



Offline



Activity: 1386

Merit: 1064





The Casascius 1oz 10BTC Silver Round (w/ Gold B)







Mike CaldwellVIPLegendaryActivity: 1386Merit: 1064The Casascius 1oz 10BTC Silver Round (w/ Gold B) Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 11:07:56 PM #10 Quote from: Fjordbit on December 07, 2012, 10:12:01 PM

Yeah, m-of-n is the generic term, meaning you need m parties of the original n parties to be able to spend the coins. In a 2-of-3, you could have the buyer, the seller, and an arbiter as the 3 people who participate in the transaction. They sign it in such a way that two of those are needed to spend the coin to the final destination (the sellers wallet). In most cases, if the buyer an seller agree, then they would just sign it and the arbiter would never even be involved. If there was a problem, however, the arbiter would make a ruling and with the buyer spend it back to the buyer, or with the seller spend it to the seller. This would require trust in the judgement and integrity of the arbiter, but is does allow two people with relatively low reputation to leverage the reputation of a well known third party.

My utility indeed has an m-of-n screen, but it was written for one person to create redundant access to their bitcoins without putting them in any single place. I never wrote it with the intention for it to be used as an escrow tool, and the person who generates the m-of-n ends up with the private key.



It would be interesting to come up with a shared m-of-n scheme where nobody knows the private key but everyone can confirm they control part of a bitcoin address. That might prevent a situation where somebody denies their counterparty a legitimate payment just to be a jerk, forcing their coins to be unusable. My utility indeed has an m-of-n screen, but it was written for one person to create redundant access to their bitcoins without putting them in any single place. I never wrote it with the intention for it to be used as an escrow tool, and the person who generates the m-of-n ends up with the private key.It would be interesting to come up with a shared m-of-n scheme where nobody knows the private key but everyone can confirm they control part of a bitcoin address. That might prevent a situation where somebody denies their counterparty a legitimate payment just to be a jerk, forcing their coins to be unusable. Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

casascius

VIP

Legendary



Offline



Activity: 1386

Merit: 1064





The Casascius 1oz 10BTC Silver Round (w/ Gold B)







Mike CaldwellVIPLegendaryActivity: 1386Merit: 1064The Casascius 1oz 10BTC Silver Round (w/ Gold B) Re: Do-it-yourself Escrow with two-factor address utility December 07, 2012, 11:36:46 PM

Last edit: December 08, 2012, 12:21:29 AM by casascius #11 Random idea:



What if I ran a dispute mediation service where I as a third party always maintained the ability to release the funds, so I could settle a dispute, but where the parties wouldn't need my help unless there was one? For example, if I had a website where I gave out keyparts that let me join the dispute, but which wouldn't get in the way of the parties doing business. The parties wouldn't rely on my continued existence unless they were in a stalemate and needed dispute settlement.



Imagine: Alice wants to send an escrow transaction to Bob. I'm Eddie the hands-off escrow agent.



Alice makes up a private key a. Bob makes up a private key b. I the escrow agent make two private keys, x and y.



Alice and Bob ask for my services. I give Alice x and Gy. I give Bob y and Gx. So they both can calculate Gxy.



For those not familiar with the EC math, let me simplify it: pretend it's algebra, and G is a pre-defined constant with one special property: it's impossible to divide by G. The rest are just regular numbers. Gxy just means G times x times y. Someone who knows Gx can't get x from it. Further, G times anything can be made into a bitcoin address, and the "anything" becomes the private key. If G itself were made into a bitcoin address, its private key would be the number 1.



Anyway, Alice and Bob's private keys a and b are for Alice and Bob's safety from me. They exchange them with one another. Alice stays safe from Bob by him not knowing x, and Bob stays safe from Alice by her not knowing y.



Alice and Bob both calculate the bitcoin address for (Gxy)ab. Nobody has access to the funds. The private key is xyab. Alice knows abx and needs y, Bob knows aby and needs x, and I only know x and y.



Alice can give the funds to Bob by giving him x.



Bob can give the funds to Alice by giving her y.



If Alice and Bob refuse to cooperate and ask me to settle their dispute, I know both x and y, and can settle it in Alice's favor by giving her y, or in Bob's favor by telling him x.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

SlaveInDebt



Offline



Activity: 699

Merit: 500





Your Minion







Hero MemberActivity: 699Merit: 500Your Minion Re: Do-it-yourself Escrow with two-factor address utility December 08, 2012, 02:00:43 AM #12 they will make a great holiday gift. Plus I can't wait to try and pay my tab with them. Good work, I fell better about paying 0.15btc for your coinsthey will make a great holiday gift. Plus I can't wait to try and pay my tab with them. "A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain." - Mark Twain

luv2drnkbr



Offline



Activity: 794

Merit: 1001









Hero MemberActivity: 794Merit: 1001 Re: Do-it-yourself Escrow with two-factor address utility December 08, 2012, 04:57:54 AM #14 Quote from: mrvision on December 08, 2012, 02:16:09 AM Quote from: Rudd-O on December 07, 2012, 10:19:00 PM Whoa. Gamechanger right there.

Hello my old friend.

Here you are:

https://raw.github.com/gist/3966071/1f6cfa4208bc82ee5039876b4f065a705ce64df7/TwoOfThree.sh

Hello my old friend.Here you are:

I'm not proficient enough to read that, but it has me very excited because I at least think I know sort of what I'm looking at. Oh boy oh boy oh boy.



In the mean time, it occurs to me 3rd party escrow can be done in this manner: Alice has password used to create intermediate passphrase. Bob uses phrase to make encrypted private key. Bob then uses secret sharing to split the encrypted key up into 3 parts and gives Alice one part, Charlie (3rd party escrow) one part, and then Bob throws out the 3rd part since he already has the encrypted private key. Alice also gives Charlie the password.



Now Alice has the password and 1 of 2 shares necessary to get the encrypted private key. As does Charlie. Bob has the entire encrypted private key but no password. Any two out of the three of them can now work together to unlock the unencrypted private key.



The only problem I have with that is that Alice and Charlie can't verify that the shares they have will actually reveal the encrypted private key until it's too late (i.e. Bob screws Alice and so Alice and Charlie attempt to get the key, but Bob has simply spited them and the funds are now lost).



Also, Mike's utility does not split up encrypted private keys into m-of-n shares. I'm not proficient enough to read that, but it has me very excited because I at least think I know sort of what I'm looking at. Oh boy oh boy oh boy.In the mean time, it occurs to me 3rd party escrow can be done in this manner: Alice has password used to create intermediate passphrase. Bob uses phrase to make encrypted private key. Bob then uses secret sharing to split the encrypted key up into 3 parts and gives Alice one part, Charlie (3rd party escrow) one part, and then Bob throws out the 3rd part since he already has the encrypted private key. Alice also gives Charlie the password.Now Alice has the password and 1 of 2 shares necessary to get the encrypted private key. As does Charlie. Bob has the entire encrypted private key but no password. Any two out of the three of them can now work together to unlock the unencrypted private key.The only problem I have with that is that Alice and Charlie can't verify that the shares they have will actually reveal the encrypted private key until it's too late (i.e. Bob screws Alice and so Alice and Charlie attempt to get the key, but Bob has simply spited them and the funds are now lost).Also, Mike's utility does not split up encrypted private keys into m-of-n shares. Contact | PGP (1PLzd0NATe2R3dD1TrANd0mAct50fP1zzA Verify ) | WOT

casascius

VIP

Legendary



Offline



Activity: 1386

Merit: 1064





The Casascius 1oz 10BTC Silver Round (w/ Gold B)







Mike CaldwellVIPLegendaryActivity: 1386Merit: 1064The Casascius 1oz 10BTC Silver Round (w/ Gold B) Re: Do-it-yourself Escrow with two-factor address utility December 08, 2012, 05:20:35 AM #16 Quote from: justusranvier on December 08, 2012, 05:09:16 AM I thought the inclusion of multisig feature already implemented everything necessary to do escrow.



Other than the point and click UI for someone to actually do it (afaik) Other than the point and click UI for someone to actually do it (afaik) Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.