[bisq-contrib] Extended MultiSig for arbitrators

Mats-Erik Pistol meapistol at gmail.com
Sat Feb 10 12:10:03 UTC 2018


Not sure I understand.
You want two keys (buyer-seller) if everything goes OK and three keys (arbiter-arbiter-trader) if there is a dispute?
This sounds a bit like homomorphic encryption where given f(x) and f(y) it is possible to compute f(z) which is the encrypted image of z = x + y without knowing f. f stands for encryption so only the person with the private key can compute the inverse function f^-1. It can even be done for multiplication but addition is far more easy.
In short it might be possible and would be a beautiful high tech addition to Bisq. I am bad at homomorphic encryption but I am sure Eyal (and maybe Grazcoin) does it in his (their) sleep.

-mep


> On 10 Feb 2018, at 03:55, Manfred Karrer <mk at nucleo.io> wrote:
> 
> It would increase security against a fraudulent arbitrator if we could add more required keys in the MultiSig deposit transaction, but just extending the n-of-m scheme does not work.
> E.g. if we use a 2-of-4 Multisig with the keys of the 2 traders and 2 instead of just 1 arbitrator, the 2 arbitrators could collude and steal the funds.
> 
> What if we use Elliptic curve math (I am a total layman to that) and create the 3rd key in our 2-of-3 MS by adding up 2 (or even more) keys?
> Adding 2 public keys to get the 3rd pubKey for creating the MultiSig transaction and when doing the payout the private keys of both arbitrators are required and need to be added up to calculate the privKey required for the payout transaction.
> 
> That way the arbitrator who is doing the actual dispute work would be unable to steal a trader's funds (in case he would be the counter party trader himself and thus have 2 keys accessible) as he would need the 2nd arbitrator.
> 
> Maybe the 2nd key holder could be even an oracle (http://www.oraclize.it have some interesting ideas) with some time constraints built in (e.g. that a fraudulent arbitrator cannot make more payout transactions in a certain time frame, thus limiting possible damage as the defrauded trader will ring the alarm bells before the arbitrator could repeat his scam).
> 
> All just a rough idea and maybe there is a big flaw in it as I am not really familiar with EC math. Also nothing urgent atm but might be an interesting approach once we improve our arbitration system.
> 
> Maybe someone who has experience with EC math could give his/her opinion about it?
> 
> Br,
> Manfred
