User:Casascius/Escrow scheme draft

From Bitcoin Wiki
Revision as of 02:49, 8 December 2012 by Casascius (talk | contribs)
Jump to: navigation, search

This is a draft for a three-party or four-party scheme that enables an escrow transaction using nothing more than standard (non-multi-signature) Bitcoin transactions. This proposal contemplates the following features:

  1. One shared Bitcoin address for the entire transaction
  2. All parties to the transaction can verify that the Bitcoin address belongs to the transaction they're participating in, and not one made up or taken from someone's own personal wallet
  3. Escrow agent can control the disposition of the funds but cannot take the funds
  4. Releasing the funds remains possible even if the escrow agent disappears

The proposal contemplates up to four roles, defined as follows:

  • B - Beneficiary Bob - Bob is the person providing the goods or services, and who will receive control the proceeds of the transaction if there is no dispute and the goods or services are delivered as promised.
  • A - Alternate Beneficiary Alice (or Customer Alice): Alice is the person who will receive the proceeds of the transaction if either the Bob or the Escrow Agent decide that the funds should not go to the Beneficiary. Alice might or might not be the customer who is paying into the escrow transaction. If Alice is the customer, then allowing the funds to go to Alice constitutes a refund. If Alice is not the customer, then Alice is an alternate beneficiary who may be granted access to the funds by the Escrow Agent in the event they determine it should not go to Bob, and might be a person more able to settle a dispute than anyone else.
  • E - Escrow Agent Eddie - This person gets the power to award control of the funds to either Alice or Bob if the two of them cannot agree who amongst themselves should get the funds.
  • C - Customer Charlie (optional) - If Charlie is a party to the transaction, then Charlie is the person paying into the escrow account with no hope of receiving a refund. Charlie has the power to grant the proceeds of the funds to Bob or Alice, but only if the Eddie doesn't do it first. Charlie can also verify, with the help of a tool, that he is paying into an account under the control of Bob, Alice, and Eddie, rather than into someone's personal wallet.

How the scheme works

Initiation of Proposal

First, any of the parties (other than Customer Charlie) can initiate an escrow transaction proposal. The second party creates a proposal that references the first. The third party creates an acceptance.

A proposal or acceptance is a Base58-encoded string whose prefix specifies who created the record and to whom it should be given. The parties can initiate and accept in any order, with one exception: the escrow agent must be first or second.

The prefixes for the strings are always four characters, that follow this format:

  • First character: who created the string (B, A, or E)
  • Second character: whether this is a Proposal (P) or Acceptance (A)
  • Third character: the number 4
  • Fourth character: the intended recipient of the string (B, A, E, or C).

As an example, if someone creates a proposal and selects that they intend to be the Escrow Agent, then their client will generate two strings: one starting with EP4A and the other starting with EP4B.

Initiation involves generating cryptographic key(s), and creating two Base58-encoded records containing the applicable keys (public or private) and signaling the party's intentions. One record is given to each other party.

If a prospective Escrow Agent initiates a proposal, he generates two private keys we'll call x and y. He emits two records with prefixes EP4A and EP4B.

  • EP4A contains private key x and public key Gy.
  • EP4B contains private key y and public key Gx.
  • Both records contain a 32-bit proposal identifier (which is the first 32 bits of RIPEMD160(SHA256(Gxy))).

If a prospective Beneficiary initiates a proposal, he generates a private key we'll call b. He emits two records with prefixes BP4A and BP4E.

  • BP4A contains private key b.
  • BP4E contains public key Gb.
  • Both records contain a 32-bit proposal identifier, the first 32 bits of RIPEMD160(SHA256(Gb)).

If a prospective Alternate Beneficiary, or Customer who is also an Alternate Beneficiary, initiates a proposal, she generates a private key we'll call a. She emits two records with prefixes AP4B and AP4E.

  • AP4B contains private key a.
  • AP4E contains public key Ga.
  • Both records contain a 32-bit proposal identifier, the first 32 bits of RIPEMD160(SHA256(Ga)).

Intermediate acceptance and proposal