User:Casascius/Escrow scheme draft
This is a draft for a three-party or four-party scheme that enables an escrow transaction using nothing more than standard (non-multi-signature) Bitcoin transactions. This proposal contemplates the following features:
- One shared Bitcoin address for the entire transaction
- All parties to the transaction can verify that the Bitcoin address belongs to the transaction they're participating in, and not one made up or taken from someone's own personal wallet
- Escrow agent can control the disposition of the funds but cannot take the funds
- Releasing the funds remains possible even if the escrow agent disappears
The proposal contemplates up to four roles, defined as follows:
- B - Beneficiary Bob - Bob is the person providing the goods or services, and who will receive control the proceeds of the transaction if there is no dispute and the goods or services are delivered as promised.
- A - Alternate Beneficiary Alice (or Customer Alice): Alice is the person who will receive the proceeds of the transaction if either the Bob or the Escrow Agent decide that the funds should not go to the Beneficiary. Alice might or might not be the customer who is paying into the escrow transaction. If Alice is the customer, then allowing the funds to go to Alice constitutes a refund. If Alice is not the customer, then Alice is an alternate beneficiary who may be granted access to the funds by the Escrow Agent in the event they determine it should not go to Bob, and might be a person more able to settle a dispute than anyone else.
- E - Escrow Agent Eddie - This person gets the power to award control of the funds to either Alice or Bob if the two of them cannot agree who amongst themselves should get the funds.
- C - Customer Charlie (optional) - If Charlie is a party to the transaction, then Charlie is the person paying into the escrow account with no hope of receiving a refund. Charlie has the power to grant the proceeds of the funds to Bob or Alice, but only if the Eddie doesn't do it first. Charlie can also verify, with the help of a tool, that he is paying into an account under the control of Bob, Alice, and Eddie, rather than into someone's personal wallet.
How the scheme works
Initiation of Proposal
First, any of the parties (other than Customer Charlie) can initiate an escrow transaction proposal. The second party creates a proposal that references the first. The third party creates an acceptance.
A proposal or acceptance is a Base58-encoded string whose prefix specifies who created the record and to whom it should be given. The parties can initiate and accept in any order, with one exception: the escrow agent must be first or second.
The prefixes for the strings are always four characters, that follow this format:
- First character: who created the string (B, A, or E)
- Second character: whether this is a Proposal (P), Seconding (S), Acceptance (A), or Confirmation (C)
- Third character: the number 4
- Fourth character: the intended recipient of the string (B, A, E, or C).
As an example, if someone creates a proposal and selects that they intend to be the Escrow Agent, then their client will generate two strings: one starting with EP4A and the other starting with EP4B.
Initiation involves generating cryptographic key(s), and creating two Base58-encoded records containing the applicable keys (public or private) and signaling the party's intentions. One record is given to each other party.
If a prospective Escrow Agent initiates a proposal, he generates two private keys we'll call x and y. He emits two records with prefixes EP4A and EP4B.
- EP4A contains private key x and public key Gy.
- EP4B contains private key y and public key Gx.
- Both records contain a 32-bit proposal identifier (which is the first 32 bits of RIPEMD160(SHA256(Gxy))).
If a prospective Beneficiary initiates a proposal, he generates a private key we'll call b. He emits two records with prefixes BP4A and BP4E.
- BP4A contains private key b.
- BP4E contains public key Gb.
- Both records contain a 32-bit proposal identifier, the first 32 bits of RIPEMD160(SHA256(Gb)).
If a prospective Alternate Beneficiary, or Customer who is also an Alternate Beneficiary, initiates a proposal, she generates a private key we'll call a. She emits two records with prefixes AP4B and AP4E.
- AP4B contains private key a.
- AP4E contains public key Ga.
- Both records contain a 32-bit proposal identifier, the first 32 bits of RIPEMD160(SHA256(Ga)).
Intermediate acceptance and secondary proposal
A party who receives an initial proposal as described above may Second the proposal and become the second party, producing an Acceptance record for the proposing party, and a Seconding record for the remaining party.
Proposals can be created and accepted by the parties in any order, except the escrow agent cannot be last.
If a prospective Escrow Agent seconds an initial proposal from a Beneficiary, then he generates private keys x and y, and emits an Acceptance record with prefix EA4B and a Seconding record with prefix ES4A.
- EA4B contains private key y and public key Gx.
- ES4A contains private key x and public key Gy.
- Both records use the same 32-bit proposal identifier that came from the Beneficiary, which is a hash based on Gb.
- The proposal record has bits set indicating that it is also the acceptance of a proposal by a prospective Beneficiary.
If a prospective Escrow Agent accepts an initial proposal from an Alternate Beneficiary / Customer who is also an Alternate Beneficiary, the same method is employed as described above, except swap all a and b, and swap all x and y as applicable.
If a prospective Beneficiary accepts an initial proposal created by an Escrow Agent, then he generates private key b, and emits an acceptance record BA4E and a secondary proposal record with prefix BP4A.
- BA4E contains public keys Gb and Gab.
- BP4A contains private key b.
- Both records use the same 32-bit proposal identifier that came from the Escrow Agent, which is a hash based on Gxy.
If a prospective Alternate Beneficiary accepts an initial proposal created by an Escrow Agent, follow the same procedure for a Beneficiary, swapping a and b, and x and y.
Final acceptance
A party in a position to issue a final acceptance will have received two proposals with identical proposal identifiers. That party should generate its own private key(s) as defined in the other stages, and emit acceptance records for the benefit of the first two parties. It is at this point that the accepting party knows the Bitcoin address for the entire arrangement.
- If the final acceptance happens by an Escrow Agent, he knows Gab, x, and y, and can calculate the Bitcoin address as (Gab)xy.
- If the final acceptance happens by a Beneficiary or Alternate Beneficiary, he/she knows or can calculate Gxy and knows a and b. He or she can calculate the Bitcoin address as (Gxy)ab.
Upon final acceptance, each party is in a position to issue a confirmation record for the benefit of Charlie the paying-only customer. This confirmation permits Charlie to ensure he is paying an address that is participating in an escrow scheme.
If confirmation is needed, each party shall issue one. Charlie will need three records in order to receive a satisfactory confirmation.
- The Escrow Agent provides a confirmation record