[Lightning-dev] Escrow Over Lightning?

ZmnSCPxj ZmnSCPxj at protonmail.com
Thu Feb 11 06:00:58 UTC 2021


Good morning Nadav and Andres,

Thank you for bringing up this topic again.

Let me provide a new twist to this old idea.

This is the entire logic of the contract to the seller:

   SELLER && (BUYER || ESCROW)

Now, a big issue is that simple `&&` is trivial for PTLCs, it is the `||` which is difficult and requires ECDH and proof that the ECDH was done correctly.

But we can observe the De Morgan Theorem:

   A || B <=> !(!A && !B)

So how about we *invert* the logic?

So what we do is, we make *two* payments of the same amount:

* Seller -> Buyer , claimable by BUYER && ESCROW key.
* Buyer  -> Seller, claimable by SELLER key.

So the ritual is this:

* Seller -> Buyer claimable by BUYER && ESCROW.
* Buyer -> Seller claimable by SELLER.
* Seller hands over item.
* Buyer judges whether to accept, or complain to Escrow.

Now let us consider our cases:

* Buyer is satisfied with the product.
  * Buyer fails the Seller->Buyer payment after seller claims the Buyer->Seller payment, so Seller is paid and has no more obligations.
* Buyer is dissastisfied and wants the Escrow to judge:
  * Escrow judges Buyer is right: Escrow reveals ESCROW key to Buyer, who then clawbacks the payment to the seller.
  * Escrow judges Seller is right: Escrow deletes ESCROW privkey ("not ESCROW"), and the Seller->Buyer payment eventually times out, ending the obligation of the Seller.

The "reverse" payment is effectively the inversion of logic by the De Morgan theorem, and the "normal case" (buyer ultimately pays seller) has the Escrow not revealing the privkey.
In addition, in the case where Buyer is satisfied (i.e. both Buyer and Seller agree the trade is beneficial) the Escrow is never involved (the Escrow might have a timeout for the temporary ESCROW keypair, which it will eventually delete; since all payments on LN need a timeout anyway, this is fine) and thus does not know about the trade, except that some trade was requested (since it must provide a temporary ESCROW pubkey).

This even provides a simple BUYER + ESCROW keypair that gives the seller a proof-of-refund, and of course the simple SELLER gives the buyer a proof-of-payment as well.
It only just requires twice as much Bitcoins getting locked.

Thoughts?

Regards,
ZmnSCPxj


More information about the Lightning-dev mailing list