This blog is about my musings and thoughts. I hope you find it useful, at most, and entertaining, at least.

Date: 2013-12-20

Tags: P2pox crypto P2P escrow

**Problem:** Party A and Party B would like to perform two mutual transactions (Transaction 1: A -> B; Transaction 2: B -> A). The parties require that neither Transaction 1 nor Transaction 2 be completed without the other also being completed.

**Solution:** If the mutual transactions take place in a Bitcoin-like system, the transactions could be split such that:

- Transaction 1α: A -> P_{1}
- Transaction 2α: B -> P_{2}
- Transaction 1β: P_{1} -> B
- Transaction 2β: P_{2} -> A

Where P_{1} and P_{2} are addresses computed by:

- A chooses a_{1} and a_{2} randomly
- B chooses b_{1} and b_{2} randomly
- Using a Secure Multiparty Function Evaluation, A and B compute the public address and key from a private key of a_{1}*b_{1}, without revealing the private key. This is P_{1}.
- Using a Secure Multiparty Function Evaluation, A and B compute the public address and key from a private key of a_{2}*b_{2}, without revealing the private key. This is P_{2}.

Once both parties are satisfied that the transaction has been completed, a Multi-Party Fair Exchange Protocol is used to allow A and B to swap a_{2} and b_{1}. This will only succeed if both parties end with the swapped values.

At this point, B has the private key for P_{1} and A has the private key for P_{2}, allowing them to perform Transaction 1β and Transaction 2β, respectively.
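The key arithmetic behind P_{1} and P_{2}, as an added example that is not part of the original post: it shows a public key for a product of two secret shares being computed without either side seeing the product, and that a party holding both factors holds the matching private key. Assumptions: secp256k1 keys (the post only says "Bitcoin-like"), a Diffie-Hellman-style exchange of public points standing in for the Secure Multiparty Function Evaluation, and hypothetical function names.

```python
# Added illustration, not the post's code. Assumptions: secp256k1 keys and a
# Diffie-Hellman-style point exchange standing in for the SMFE.
# Teaching arithmetic only: not constant-time, no point validation.
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 is the inverse of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result

def new_share():
    """Random secret scalar in [1, N-1] (an a_i or b_i in the post)."""
    return secrets.randbelow(N - 1) + 1

def joint_pubkey(own_share, peer_point):
    """Public key for own*peer, computed from the peer's public point only."""
    return mul(own_share, peer_point)

def full_private_key(own_share, peer_share):
    """Private key for the joint address once both factors are known."""
    return own_share * peer_share % N
```

Each party sends `mul(share, G)` to the other and both call `joint_pubkey`; the two results should be compared before either side funds the address.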

The problem then comes if the swap isn’t performed, leading to a state where the funds paid in by Transaction 1α and 2α are lost forever. To remedy this situation, two more transactions are created and published:

- Transaction 1α^{*}: P_{1} -> A
- Transaction 2α^{*}: P_{2} -> B

which are locked for a pre-determined amount of time. When the time comes, if the transactions haven’t been withdrawn by the entity with the private key, the transaction will be (should be) invalid because P_{1} and P_{2} should have no funds in them.

If the swap hasn’t happened, and noöne has the private keys, how can Transaction 1α^{\*} and 2α^{\*} be formed? A Secure Multi-Party Function evaluation! The SMFE can compute the signature needed without revealing the private keys to A or B.