Escrow Protocols for Cryptocurrencies: How to Buy Physical Goods Using Bitcoin

We consider the problem of buying physical goods with cryptocurrencies. There is an inherent circular dependency: should be the buyer trust the seller and pay before receiving the goods or should the seller trust the buyer and ship the goods before receiving payment? This dilemma is addressed in practice using a third party escrow service. However, we show that naive escrow protocols introduce both privacy and security issues. We formalize the escrow problem and present a suite of schemes with improved security and privacy properties. Our schemes are compatible with Bitcoin and similar blockchain-based cryptocurrencies.

[1]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[2]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[3]  Markus Jakobsson,et al.  Ripping Coins For a Fair Exchange , 1995, EUROCRYPT.

[4]  N. Asokan,et al.  Optimistic protocols for fair exchange , 1997, CCS '97.

[5]  Robert H. Deng,et al.  Efficient and practical fair exchange protocols with off-line TTP , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[6]  Zhan Bang,et al.  Certified Electronic Mail with Perfect Confidentiality , 1999 .

[7]  Markus Jakobsson,et al.  Abuse-Free Optimistic Contract Signing , 1999, CRYPTO.

[8]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[9]  Jan Camenisch,et al.  Optimistic Fair Secure Computation , 2000, CRYPTO.

[10]  Hugo Krawczyk,et al.  Robust Threshold DSS Signatures , 1996, Inf. Comput..

[11]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[12]  Silvio Micali,et al.  Simple and fast optimistic protocols for fair electronic exchange , 2003, PODC '03.

[13]  Michael K. Reiter,et al.  Two-party generation of DSA signatures , 2004, International Journal of Information Security.

[14]  Hugo Krawczyk,et al.  Secure Distributed Key Generation for Discrete-Log Based Cryptosystems , 1999, Journal of Cryptology.

[15]  Andrew Y. Lindell Legally-Enforceable Fairness in Secure Two-Party Computation , 2008, CT-RSA.

[16]  Alptekin Küpçü,et al.  Usable optimistic fair exchange , 2010, Comput. Networks.

[17]  Marina Blanton,et al.  Secure Multiparty Computation , 2011, Encyclopedia of Cryptography and Security.

[18]  Amit Sahai,et al.  Secure Multi-Party Computation , 2013 .

[19]  Tyler Moore,et al.  Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk , 2013, Financial Cryptography.

[20]  Nicolas Christin,et al.  Traveling the silk road: a measurement analysis of a large anonymous online marketplace , 2012, WWW.

[21]  Marcin Andrychowicz,et al.  Secure Multiparty Computations on Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[22]  Marcin Andrychowicz,et al.  Fair Two-Party Computations via Bitcoin Deposits , 2014, Financial Cryptography Workshops.

[23]  Iddo Bentov,et al.  How to Use Bitcoin to Design Fair Protocols , 2014, CRYPTO.

[24]  The Ring of Gyges : Using Smart Contracts for Crime , 2015 .

[25]  Jeremy Clark,et al.  SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies , 2015, 2015 IEEE Symposium on Security and Privacy.

[26]  George Danezis,et al.  Centrally Banked Cryptocurrencies , 2015, NDSS.

[27]  Stefan Dziembowski,et al.  Efficient Zero-Knowledge Contingent Payments in Cryptocurrencies Without Scripts , 2016, ESORICS.

[28]  Arvind Narayanan,et al.  Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security , 2016, ACNS.