summaryrefslogtreecommitdiff
path: root/8b/58db87a0a0d0cd3b2ec2fad32f4bbb324b342f
blob: 93fc633e2206c8f2c73f5e5abf4b1fc652ef2e33 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <edmund.edgar@gmail.com>) id 1WKfaK-0003Fp-6g
	for bitcoin-development@lists.sourceforge.net;
	Tue, 04 Mar 2014 03:00:00 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.192.194 as permitted sender)
	client-ip=209.85.192.194; envelope-from=edmund.edgar@gmail.com;
	helo=mail-pd0-f194.google.com; 
Received: from mail-pd0-f194.google.com ([209.85.192.194])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1WKfaE-0003Rp-6j
	for bitcoin-development@lists.sourceforge.net;
	Tue, 04 Mar 2014 03:00:00 +0000
Received: by mail-pd0-f194.google.com with SMTP id fp1so2415451pdb.1
	for <bitcoin-development@lists.sourceforge.net>;
	Mon, 03 Mar 2014 18:59:48 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.68.131.202 with SMTP id oo10mr23058428pbb.35.1393901988224; 
	Mon, 03 Mar 2014 18:59:48 -0800 (PST)
Sender: edmund.edgar@gmail.com
Received: by 10.68.80.72 with HTTP; Mon, 3 Mar 2014 18:59:48 -0800 (PST)
Date: Tue, 4 Mar 2014 11:59:48 +0900
X-Google-Sender-Auth: mSXbOG0yCJa_ODPb4SYRADuFrMM
Message-ID: <CA+su7OWD8dyPLK_AHZdXJ-zeJ81CsLFrKkZo+L-byfLWYsKBPw@mail.gmail.com>
From: Edmund Edgar <ed@realitykeys.com>
To: bitcoin-development@lists.sourceforge.net
Content-Type: multipart/alternative; boundary=001a11c3611cdc260b04f3bf184f
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no trust [209.85.192.194 listed in list.dnswl.org]
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(edmund.edgar[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WKfaE-0003Rp-6j
Subject: [Bitcoin-development] Is this a safe thing to be doing with ECC
	addition? (Oracle protocol)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 03:00:00 -0000

--001a11c3611cdc260b04f3bf184f
Content-Type: text/plain; charset=UTF-8

Some people may have seen my service Reality Keys, which can perform a role
a bit like an External State Oracle as described previously by Mike Hearn
and others. (I like to think of it as a Certificate Authority for
propositions, doing for facts what Verisign do for identities.) You
register a possible outcome with us, we publish a public key for "yes" and
another for "no", and once the outcome happens or fails to happen, we
publish the appropriate private key.

A few people have been asking for advice on the best way to use our keys to
make m-of-n contracts, where each party locks up their stake in a
transaction, then the winner gets their private key from Reality Keys and
uses it to release the funds. Peter Todd suggested what seems like a very
nice way to do this without needing non-standard transactions or refund
transactions. I've had a go at implementing it and it seems to work, but I
don't know enough about this to distinguish the ECC bit of it from magic,
so I'm wondering if people who do understand it could comment on whether
it's a safe thing to be doing.

What I'm trying to do here is to combine the public key of each party with
the public key of the outcome they're representing, eg I make a public key
with:
 <alice-pub> + <reality-key-yes-pub>
...and another with:
 <bob-pub> + <reality-key-no-pub>

That goes into a 1/2 P2SH address (in the simplest possible case), which is
spendable by one of Alice or Bob after the outcome occurs with either:
 <alice-priv> + <reality-key-yes-priv>
...or
 <bob-priv> + <reality-key-no-priv>

I'm making the transaction with add_pubkeys, then spending it with
add_privkeys, both from:
https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173

What's worrying my superstitious mind is that knowing <reality-key-no-pub>
before he has to produce <bob-pub>, I'm wondering if there's something Bob
could do with <bob-pub> to intentionally weaken the resulting (<bob-pub> +
<reality-key-no-pub>) so that he could sign a transaction with it without
needing to know <reality-key-no-priv>.

My example script (and specifically the bit that's scaring me) is here:
https://github.com/edmundedgar/realitykeys-examples/blob/master/realitykeysdemo.py#L247

PS. I hope I'm not too far off-topic. Peter Todd suggested it might be
worth talking about here as it potentially has implications for other
protocols. If people prefer to respond at bitcointalk instead, we've been
discussing it here:
https://bitcointalk.org/index.php?topic=260898.60

-- 
Edmund Edgar
Founder, Social Minds Inc (KK)
Twitter: @edmundedgar
Linked In: edmundedgar
Skype: edmundedgar
http://www.socialminds.jp

Reality Keys
@realitykeys
ed@realitykeys.com
https://www.realitykeys.com

--001a11c3611cdc260b04f3bf184f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Some people may have seen my service Reality Keys, wh=
ich can perform a role a bit like an External State Oracle as described pre=
viously by Mike Hearn and others. (I like to think of it as a Certificate A=
uthority for propositions, doing for facts what Verisign do for identities.=
) You register a possible outcome with us, we publish a public key for &quo=
t;yes&quot; and another for &quot;no&quot;, and once the outcome happens or=
 fails to happen, we publish the appropriate private key.<br>
</div><div><br></div><div>A few people have been asking for advice on the b=
est way to use our keys to make m-of-n contracts, where each party locks up=
 their stake in a transaction, then the winner gets their private key from =
Reality Keys and uses it to release the funds. Peter Todd suggested what se=
ems like a very nice way to do this without needing non-standard transactio=
ns or refund transactions. I&#39;ve had a go at implementing it and it seem=
s to work, but I don&#39;t know enough about this to distinguish the ECC bi=
t of it from magic, so I&#39;m wondering if people who do understand it cou=
ld comment on whether it&#39;s a safe thing to be doing.</div>
<div><br></div><div>What I&#39;m trying to do here is to combine the public=
 key of each party with the public key of the outcome they&#39;re represent=
ing, eg I make a public key with:</div><div>=C2=A0&lt;alice-pub&gt; + &lt;r=
eality-key-yes-pub&gt;</div>
<div>...and another with:</div><div>=C2=A0&lt;bob-pub&gt; + &lt;reality-key=
-no-pub&gt;</div><div><br></div><div>That goes into a 1/2 P2SH address (in =
the simplest possible case), which is spendable by one of Alice or Bob afte=
r the outcome occurs with either:</div>
<div>=C2=A0&lt;alice-priv&gt; + &lt;reality-key-yes-priv&gt;</div><div>...o=
r</div><div>=C2=A0&lt;bob-priv&gt; + &lt;reality-key-no-priv&gt;</div><div>=
<br></div><div>I&#39;m making the transaction with add_pubkeys, then spendi=
ng it with add_privkeys, both from:</div>
<div><a href=3D"https://github.com/vbuterin/pybitcointools/blob/master/pybi=
tcointools/main.py#L173">https://github.com/vbuterin/pybitcointools/blob/ma=
ster/pybitcointools/main.py#L173</a></div><div><br></div><div>What&#39;s wo=
rrying my superstitious mind is that knowing &lt;reality-key-no-pub&gt; bef=
ore he has to produce &lt;bob-pub&gt;, I&#39;m wondering if there&#39;s som=
ething Bob could do with &lt;bob-pub&gt; to intentionally weaken the result=
ing (&lt;bob-pub&gt; + &lt;reality-key-no-pub&gt;) so that he could sign a =
transaction with it without needing to know &lt;reality-key-no-priv&gt;.</d=
iv>
<div><br></div><div>My example script (and specifically the bit that&#39;s =
scaring me) is here:</div><div><a href=3D"https://github.com/edmundedgar/re=
alitykeys-examples/blob/master/realitykeysdemo.py#L247">https://github.com/=
edmundedgar/realitykeys-examples/blob/master/realitykeysdemo.py#L247</a></d=
iv>
<div><br></div><div>PS. I hope I&#39;m not too far off-topic. Peter Todd su=
ggested it might be worth talking about here as it potentially has implicat=
ions for other protocols. If people prefer to respond at bitcointalk instea=
d, we&#39;ve been discussing it here:</div>
<div><a href=3D"https://bitcointalk.org/index.php?topic=3D260898.60">https:=
//bitcointalk.org/index.php?topic=3D260898.60</a></div><div><br></div><div =
dir=3D"ltr"><div>--=C2=A0</div><div>Edmund Edgar</div><div>Founder, Social =
Minds Inc (KK)</div>
<div>Twitter: @edmundedgar</div><div>Linked In: edmundedgar</div><div>Skype=
: edmundedgar</div><div><a href=3D"http://www.socialminds.jp" target=3D"_bl=
ank">http://www.socialminds.jp</a></div><div><br></div><div>Reality Keys</d=
iv>
<div>@realitykeys</div><div><a href=3D"mailto:ed@realitykeys.com" target=3D=
"_blank">ed@realitykeys.com</a></div><div><a href=3D"https://www.realitykey=
s.com" target=3D"_blank">https://www.realitykeys.com</a></div></div>
</div>

--001a11c3611cdc260b04f3bf184f--