Oleg Andreev

Software designer with focus on user experience and security.

Author of Gitbox version control app.

Author of CoreBitcoin, an implementation of Bitcoin in Objective-C.

Lead developer of FunGolf GPS, golfer's personal assistant on iOS.

If you want to learn about Bitcoin, start with my Bitcoin FAQ or guide for journalists. I can give you an interview or provide technical and long-term economic consulting.
I am not interested in trading, mining or building fiat-to-btc exchanges.

If you like my articles, send some love here: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Contracts without trust or third parties

EDIT: The up-to-date version of this idea is presented here: http://oleganza.com/bitcoin-epita-2014.pdf The scripts there are slightly different and take transaction malleability into account.

This is a very powerful idea for our troubled times. I hope you will enjoy it as much as I do.

Our usual relationships are with those who have made some investment. Your friends have demonstrated that they prefer to keep the friendship going, so you can trust them. Your local bakery has demonstrated investment in its setup, employees and advertising, and it wants to earn that money back, so you can trust it with your money. Apple has invested billions of dollars in producing iPhones, so you send them your money via the online store without worrying that they might take it and run. It also works the other way around: if you have invested in your reputation, you may ask for payment up front and people will give it to you.

For some relationships this does not work. Sometimes you want to buy something on Ebay from a guy like you. You don't know each other, you have no interest in building an Ebay reputation, but you wish you could safely come together and exchange stuff. Or you are a freelance designer making a website for some small business in another country. Each of you has few ways to influence the other's reputation. And if you have a disagreement, no one except the two of you could reliably judge who was right or wrong.

Historically, this was solved in two ways: either by meeting in person in a crowded place for an immediate exchange, or by going to a third party. Both approaches are very limited and unsatisfactory. In-person exchange carries a high risk of being robbed on the way home, and it does not work well for some kinds of services or across the ocean. Third-party escrow is better, but it is still very limited. It is very cheap for a scammer to create many identities on Ebay and cheat successfully 5-10% of the time. Profit for the scammer, loss for everyone else, who now pays a 5-10% premium. Also, an escrow agent cannot be an expert in everything. If you have a complex or not very well defined contract (as in any intellectual job), you would never find a reputable agency to judge your dispute (or it would be too expensive). Usually the only competent judge would be another party of the same kind, for instance a design studio.

So how would we solve it for two strangers?

Let's think. We negotiate fairly well when we maintain a status quo. For instance, before making a contract, we discuss the details and can walk away as friends because we lose nothing but the time spent negotiating (and that time is spent by both parties, so both have an incentive to finish sooner rather than later). But whenever one party gets an advance, it may be enough of an incentive to run away without finishing the job. Another example: if we are friends and enjoy a long-term relationship, we may expect that small advances on anyone's part are not enough to break the relationship.

Notice a pattern here?

The value of the deal should be noticeably smaller than an investment at risk.

Obviously, when neither of us has made any investment, we should make one. But since it is just one deal, we don't want to make sacrifices unilaterally. We want both of us to make an investment which is paid back to both of us at once when the deal is successfully finished.

(If you have followed my blog for some time, you already know what technology we will talk about.)

Bitcoin allows not only moving money from a person to a person securely, without risk of reversal, but it also allows expressing sophisticated contracts using its scripting language and digital signatures.

Bitcoin is the only technology that makes this possible:

  1. Two parties independently lock some amount of money in a single Bitcoin transaction without meeting in person or trusting anyone.
  2. This money can be unlocked only when both agree with that. If at least one party does not want to unlock the deposit, another party cannot do anything about it.
  3. Both parties can unlock the deposit only atomically, for both of them. No one can unlock it just for himself.
  4. No one else has access to the deposits and neither party can access other party’s money.

This scheme is inspired by NashX, though they are acting as a third party that we try to avoid.

The cost of the procedure is 2 small exchanges of data over the internet (no encryption required), 1-2 hours of wait time till the transaction is included in the Bitcoin blockchain (not every miner includes non-standard transactions) and a small transaction fee around 5-10 cents at current prices (110 USD/BTC), regardless of the amount in question.

How will it work? Both parties should have a fancy wallet application that automates transaction creation (we are working on that). Alice and Bob agree on the amount to be locked (typically 200-300% of the value at stake). Let's say the amount is 2 BTC. Then Alice sends Bob a public key and a SHA256 hash of her random secret number. Bob constructs a transaction with this data, his own public key and a hash of his own random number. The transaction has two outputs: one for Bob with 2 BTC and another one for Alice with 2 BTC. Bob adds an input worth 2 BTC (plus fee) from his own funds, signs it and sends the transaction to Alice to sign hers. Alice checks that Bob has specified all amounts correctly and included her public key and her hash accurately. If the transaction is correct, Alice adds her own 2 BTC input and signs it. The transaction is not valid until both parties have signed and the sum of the inputs covers the sum of the outputs (plus a small mining fee). Once signed, Alice broadcasts the transaction to the Bitcoin network and both parties wait till it gets included in the blockchain. I will show the scripts in detail below, but before doing that, let's do some analysis.

Once transaction is in the blockchain, both Alice and Bob are 2 BTC short while the value of their contract is, say, 1 BTC.

They can still negotiate on equal grounds, but now the money at risk is higher than any advance payment anyone makes. If Alice sends Bob some goods before receiving a payment, Bob cannot be sure that Alice would agree to unlock the deposit if Bob does not pay her. Bob has more to lose than the 1 BTC he owes her. So he pays. When both Alice and Bob have got what they want, they unlock the money and the deal is over.

Of course, strictly speaking, the victim would lose less by agreeing to unlock the funds no matter what, but the same logic applies to personal relationships or to two businesses with equal investments. No one can be sure that the other party wouldn't prefer to wait indefinitely till the conflict is resolved, or to destroy the investment. To know whether this scheme actually works, we have to try it and see how people behave. If everyone were always perfectly rational, then people would either never steal from each other, or always steal, agree to unlock the deposits and never use such a scheme again. But real life is more complex.

We can see that both parties need to have more bitcoins locked than will be moved during the contract. This may not be acceptable in some cases, for instance when buying an expensive house. (You cannot really put two houses in escrow.) But for some expensive contracts it can still work: a contract can be broken down into 10 steps, with a payment made after each step. Then the amount to be locked only needs to be sized against 1/10 of the whole price rather than the whole price.

Now, let's see how to do that. For simplicity, let's assume there is no "change" to deal with (extra money from an input being sent back to its owner through an additional output). Then the transaction has exactly two inputs and two outputs.

Each input signs all of the outputs and its own input only, using SIGHASH_ALL with the SIGHASH_ANYONECANPAY modifier. This allows the other party to add and sign their input independently, without an extra round-trip, while still preventing either party from changing the outputs after the other has signed.

The output scripts are symmetrical and are prepared at once by one of the parties. Each output sends a predefined amount of bitcoins.

AlicePK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUAL

BobPK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUAL

(The last check is EQUAL rather than EQUALVERIFY: a script only succeeds if it leaves a true value on top of the stack, and EQUALVERIFY consumes the comparison result, so a script ending in EQUALVERIFY would finish with an empty stack and always fail. The input script that spends Alice's output pushes SecretB, SecretA and her signature, in that order, so that CHECKSIGVERIFY consumes the signature first and the two hash checks then consume SecretA and SecretB.)

Note: please find the discussion and minor improvement to the scheme here: https://bitcointalk.org/index.php?topic=273539.0

AlicePK and BobPK are their public keys (to prove ownership). HashA is the SHA256 hash of Alice's secret number and HashB is the SHA256 hash of Bob's secret number.

Each script checks that the spending transaction is signed by the proper key and that both secret numbers, A and B, are provided. To redeem such an output, one needs to know both numbers. Let's say Alice and Bob have finished their business and Alice sends her number to Bob. Bob does not need to send his number to Alice, because he has to reveal it in the blockchain anyway when he redeems his output. Alice can then read his number from the blockchain and redeem her own output too. If one party is not satisfied yet, they simply keep their secret number to themselves, and neither output can be spent.
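As an added example (not code from the post, nor from CoreBitcoin), here is a Python model of the whole exchange above: the funding round in which Bob signs first and Alice appends her input, and the spending round in which each output needs the owner's signature plus both secret numbers. It assumes Lamport one-time signatures in place of ECDSA so that it runs on the standard library alone, a sighash that is a SHA256 over a textual rendering of the signer's own input and all outputs rather than Bitcoin's real serialization, and constructed transaction contents; amounts are in satoshis. It also shows why the output script has to end with EQUAL instead of EQUALVERIFY.

```python
import hashlib
import os


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Stand-in signature scheme: Lamport one-time signatures (an assumption, not the
# post's ECDSA). A real deployment uses a fresh key per signature; this toy
# reuses keys, which is acceptable for an illustration only.
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, [(sha256(x0), sha256(x1)) for x0, x1 in priv]

def _bits(msg: bytes):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes) -> list:
    return [priv[i][b] for i, b in enumerate(_bits(msg))]

def verify(pub, sig, msg: bytes) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pub[i][b] for i, b in enumerate(_bits(msg)))

def run_script(script, stack, msg) -> bool:
    """Evaluate the few opcodes the deposit scripts use over `stack`.
    Anything that is not an opcode string is treated as a data push."""
    try:
        for op in script:
            if op == "OP_SHA256":
                stack.append(sha256(stack.pop()))
            elif op in ("OP_EQUAL", "OP_EQUALVERIFY"):
                equal = stack.pop() == stack.pop()
                if op == "OP_EQUAL":
                    stack.append(b"\x01" if equal else b"")
                elif not equal:
                    return False
            elif op == "OP_CHECKSIGVERIFY":
                pub, sig = stack.pop(), stack.pop()
                if not verify(pub, sig, msg):
                    return False
            else:
                stack.append(op)
    except IndexError:  # popped from an empty stack
        return False
    # As in Bitcoin, success requires a true value left on top of the stack.
    return bool(stack) and stack[-1] not in (b"", b"\x00")

def deposit_output(owner_pub, hash_a, hash_b):
    # OwnerPK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUAL
    return [owner_pub, "OP_CHECKSIGVERIFY", "OP_SHA256", hash_a, "OP_EQUALVERIFY",
            "OP_SHA256", hash_b, "OP_EQUAL"]

def spend(output_script, owner_priv, secret_a, secret_b, tx: bytes) -> bool:
    # The input script pushes SecretB, SecretA, then the signature (on top).
    return run_script(output_script, [secret_b, secret_a, sign(owner_priv, tx)], tx)

def anyonecanpay_digest(inputs, own_index, outputs) -> bytes:
    """SIGHASH_ALL|ANYONECANPAY model (assumed, not Bitcoin's serialization):
    commit to every output but only to the signer's own input, so the other
    party can append their input without another round-trip."""
    return sha256(repr(inputs[own_index]).encode() + repr(outputs).encode())

def demo():
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    secret_a, secret_b = os.urandom(32), os.urandom(32)  # kept private
    hash_a, hash_b = sha256(secret_a), sha256(secret_b)  # exchanged in the clear
    amount = 200_000_000                                 # 2 BTC in satoshis
    outputs = [(amount, deposit_output(alice_pub, hash_a, hash_b)),
               (amount, deposit_output(bob_pub, hash_a, hash_b))]
    out_alice, out_bob = outputs[0][1], outputs[1][1]
    dig = anyonecanpay_digest

    # Funding round: Bob signs with only his input present; Alice appends hers.
    bob_in, alice_in = ("bob_utxo", amount), ("alice_utxo", amount)
    bob_sig = sign(bob_priv, dig([bob_in], 0, outputs))
    inputs = [bob_in, alice_in]
    alice_sig = sign(alice_priv, dig(inputs, 1, outputs))
    tampered = [(amount * 2, out_alice), outputs[1]]     # Alice bumps her own output

    tx = b"constructed spending transaction"
    return {
        "bob_sig_still_valid_after_alice_input": verify(bob_pub, bob_sig, dig(inputs, 0, outputs)),
        "alice_sig_valid": verify(alice_pub, alice_sig, dig(inputs, 1, outputs)),
        "bob_sig_valid_on_tampered_outputs": verify(bob_pub, bob_sig, dig(inputs, 0, tampered)),
        "bob_spends_without_secret_a": spend(out_bob, bob_priv, os.urandom(32), secret_b, tx),
        "alice_spends_bobs_output": spend(out_bob, alice_priv, secret_a, secret_b, tx),
        "bob_spends_with_both_secrets": spend(out_bob, bob_priv, secret_a, secret_b, tx),
        "alice_spends_after_seeing_secret_b": spend(out_alice, alice_priv, secret_a, secret_b, tx),
        "script_ending_in_equalverify": run_script(out_bob[:-1] + ["OP_EQUALVERIFY"],
                                                  [secret_b, secret_a, sign(bob_priv, tx)], tx),
    }
```

Calling demo() returns a dictionary of outcomes: Bob's funding signature stays valid after Alice appends her input but breaks if she changes an output; neither party can spend either output without both secrets or with the wrong key; and once Bob's spend has revealed SecretB, Alice can spend her own output. The last entry runs the script with EQUALVERIFY as the final opcode and fails, because nothing is left on the stack.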

This scheme also allows a partial unlock. If both want to reclaim 80% of the deposit, they simply create a second deposit transaction of the same shape for the remaining 20% and then unlock the first one.

This scheme was never tried before, but can be very useful in many circumstances. Examples:

  1. Selling things in person for cash. If both parties lock 3x the price and unlock it only when both get home, there is little incentive to steal the cash (or the goods) in a dark alley.

  2. Selling anything to strangers over the internet without Ebay. One party sends the product by mail. When it is received, the buyer sends the payment (via Bitcoin, Western Union, PayPal or wire transfer).

  3. Not well-defined contracts with freelancers. The customer does not really know what he wants or how to build a website, so he and the freelancer lock some amount and then have a mutual interest in being nice to each other and resolving problems using common sense.

  4. Airbnb without Airbnb: the amount is unlocked when the apartment turns out to be what was ordered and the payment has been made in full. The website then only needs to put up pictures and ratings and take a fee for that.

The possibilities are endless. The same idea can apply to a group of people to agree with another group of people on something. E.g. a “social contract” where a group of neighbours hire several guards to protect their district.

The cost of such a transaction is very low. There is no counter-party risk, it allows one to remain anonymous, the time to set it up is measured in minutes and the cost is less than a dollar. If it becomes popular, more miners will include such transactions in the blockchain, so it will become even faster and cheaper.

I myself plan to add support for such transactions in my future wallet application for OS X and iOS. I have opened a part of it called CoreBitcoin and will build on top of it. Others may try the same or similar ideas in their own applications and services. If it turns out to be useful, we can come up with a standard way to express such contracts so even more people can use them easily.

Now, what crazy idea would you build on top of Bitcoin?

PS. David Friedman responded: http://daviddfriedman.blogspot.fr/2013/08/a-bilateral-hostage-via-bitcoin.html