7. CoinSwap
back to table of contents
Gregory Maxwell16 in the following thread first introduced CoinSwap:
https://bitcointalk.org/index.php?topic=321228.0
CoinSwap will protect transaction information between the payer and recipient. CoinSwap allows the parties involved to make transactions by involving a guarantee that makes no party can steal bitcoin from other parties. In CoinSwap, a third party needed as a liaison between payer and recipient, and also some transactions must make in the CoinSwap scheme. Some transaction methods used in CoinSwap include 2-of-2 escrow and hash-locked transactions.
CoinSwap Protocol:
In this protocol, all parties assumed to have private communications channels.
The CoinSwap protocol can be explained as follows:
Alice acts as a payer,
Bob as the recipient of the payment,
and Carol as an intermediary (escrow).
This protocol divided into 3 phases, namely phase 0, phase 1, and phase 2.
Етап 0. Налаштування ескроу та повернення коштів за ними після закінчення терміну дії.
Фаза 1. Робить так, що якщо Боб отримає гроші, то Керол не зможе їх не отримати.
Етап 2. Просто видає ескроу безпосередньо, тому що всі задоволені тим, що шахрайство неможливе.
Alice Carol Bob
=====================================================================================
0.Computes TX_0: 2of2{A,C} |Computes TX_1: 2of2{C,B} | \
1.Send TX_0 TXID ------------> | |
2. |Send TX_1 TXID ------------> |
3. |Computes TX_0 locked refund |Computes TX_1 locked refund|
4. <------------ Send TX_0_refund | | Phase 0
5. | <------------ Send TX_1_refund. |
6.Announces TX_0 to network |Announces TX_1 to network | |
7. | | |
8.****** Network confirms TX_0: Alice pays according to 2 of {Alice, Carol} ******|
9.****** Network confirms TX_1: Carol pays according to 2 of {Carol, Bob} ******/
A. | |Selects secret value X \
B. | |Computes HX = H(X) |
C. | <------------ Send HX |
D. <----------------------------------------- Send HX |
E.Computes TX_2: TX_0>Carol+X | | | Phase 1
F.Send TX_2 ------------> | |
G. | Computes TX_3: TX_1>Bob+X | |
H. | Send TX_3 ------------> |
I. | <------------ Send X /
J. | Computes TX_4: TX_1>Bob | \
K. | Send TX_4 ------------> |
L. | |Signs and announces TX_4 |
M.****** Network confirms TX_4: Carol pays Bob via 2 of {Carol, Bob} ******|
N.Computes TX_5: TX_0>Carol | | | Phase 3
O.Send TX_5 ------------> | |
P. |Signs and announces TX_5 | |
Q.****** Network confirms TX_5: Alice pays Carol via 2 of {Alice, Carol} ******/
=====================================================================================
CoinSwap Protocol Diagram.16
Phase 0
In phase 0, there is the process of making an escrow transaction among the participants. Alice makes an escrow transaction TX_0 which is a 2-of-2 escrow between Alice and Carol using Alice's bitcoin. This transaction can be read as:
'Alice will pay a certain amount of bitcoin to Carol if Alice and Carol agree.'
Then, Carol also makes a TX_1 transaction, which is a 2-of-2 escrow between Carol and Bob by using Carol's bitcoin. This transaction can be read as: 'Carol will pay a certain amount of bitcoin to Bob if Carol and Bob agree.'
To secure this phase, Carol makes a TX_0 refund with a specific time limit, which will make Alice get back the bitcoin paid to Carol if something happens in the future.
Just like Alice, Carol also makes TX_1_refund, which will make Carol get back the bitcoin paid to Bob if something happens in the future. Transactions TX_0_refund and TX_1_refund are not sent to the network by Alice or Carol. Transactions sent to the bitcoin network at this stage are TX_0 and TX_1.
Phase 1
Phase 1 prepares transaction guarantees for all participants involved. It means that if Bob takes coins from Carol, Carol can also make payments from Alice. A hash-locked transaction scheme supports this scheme.
In this scheme, Bob chooses the secret keyword X, then calculates the HX value, which is the hash value of X with the formula HX=H(X) and sends HX to Alice and Carol. Alice creates a new transaction TX_2 that will take coins from TX_0 using Carol's signature and X value and pay it to Carol's address. Just like Alice, Carol makes a new transaction with a TX_3 hash-locked transaction scheme that will take coins from TX_1 using Bob's signature and X value and pay it to Bob.
In this phase, if Bob cheats and picks up coins using TX_3, then Carol can take payments using TX_2 because the value of X can be known when Bob uses TX_3 and publishes it to the Bitcoin network.
Phase 2
If TX_2 and TX_3 not sent to the Bitcoin network, then phase 2 can be continued. In this phase, Bob tells Carol the value of X, and Carol makes a new transaction TX_4 that takes coins from TX_1 using Bob's signature. Bob can use the TX_4 transaction to get payment. Just like that, Alice made a TX_5 transaction that would take coins from TX_0 using Carol's signature and paid to Carol. Carol can send TX_5 transactions to the bitcoin network to get paid.
If this protocol is complete, only TX_4 and TX_5 transactions using TX_0 and TX_1 are sent to the Bitcoin network, while other transactions are deleted and not sent to the Bitcoin network.
CoinSwap is an example of the Zero Knowledge Contingent Payment method17 that has the following features:
1. Hash-locked transaction
2. Time-locked transaction
3. 2-of-2 escrow transaction
In CoinSwap, every step of the protocol must follow the right order to produce a safe and guaranteed transaction without a trusted party.
Reference:
16. gmaxwell, CoinSwap: Transaction graph disjoint trustless trading
17. Bitcoin Wiki. (2011, September 28, 2015), Zero Knowledge Contingent Payment
- Dimaz A.W. & Oscar D., Blockchain dari Bitcoin untuk Dunia, pages 105-107, 2017: Jasakom
- Other references look at post #1