A marketplace that uses Shamir's Secret Sharing to avoid holding customer funds?

Wikipedia article for those who are unfamiliar with SSSS.

Idea: a bitcoin address is generated by the customer, then split into 3 pieces with a recreation threshold of 2 pieces. One piece is given to the market website, a different piece is given to the vendor, and the customer keeps the last piece.

If the vendor delivers and the customer is responsible: The customer either sends the vendor the third piece or uses a site function to have a second piece sent to the vendor.

If the vendor delivers and the customer fails to send the vendor the second piece after a certain time frame: The site releases the second key to the vendor who can then transfer the funds out of that address.

If the vendor delivers, but the site is unavailable for any reason: The customer can deliver the second key to the vendor on their own.

If the vendor scams the customer: The site and customer both withhold their parts of the private key, and the vendor is stuck with a meaningless piece of the key.

Here's an example use of this, for those who don't entirely understand.

Here is the private key:

5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS

The address associated with this key is

1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

Here is the private key, split into three pieces:

1-ee59b76235fe56394c41bbe69cb4702d9bb3dcb64640562a20b2d66be018dd02d50aae5e40401c4936c15ea82bc7b666d34c07
2-ab694149e8b59fc80dd9d216a6ce9cb1462d64a47a70d5ff618b720d8d9c0e19f2bf3f059385dfb7c9d8fe84ef87ff547e03b5
3-9786ecaf5c73276732ae0ab94f18c73af2a70caa6e60ab4c5e9c11d056e040ef102c4fccdd39611d9cd06160ac47c7ba1ac6d9

Key 1 would be held by the customer, key 2 would be given to the server, and key 3 would be given directly to the vendor in such a way that the server wouldn't be able to see it. If you have two of the three keys, you can recreate the full private key. If you only have 1, then it's useless until you have the third one.

So, what does /r/darknetmarkets think?
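The split-and-recombine mechanism the post describes, as an added example (this is my code, not the original poster's and not the `ssss` tool whose output format the post imitates). It does a threshold split bytewise over GF(256), emits shares in the same "index-hex" shape as the post, recombines any two of the three by Lagrange interpolation at x=0, and also shows why one share alone is worthless: for any secret you care to name, a second share exists that recombines with the single known share to give exactly that secret. Function names `split`, `combine` and `forge_sibling` are my own; the key is the WIF string from the post; the "desired" secret fed to `forge_sibling` is a constructed placeholder.

```python
"""2-of-3 Shamir secret sharing over GF(256), one polynomial per secret byte.
Added example; standard library only (Python 3.8+)."""
from __future__ import annotations
import secrets

# WIF private key from the post (the share strings in the post came from a
# different tool/field, so they will not recombine with this code).
WIF = b"5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS"


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Inverse via a^254 (a^255 == 1 for nonzero a); 254 = 2+4+...+128."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    r, e = 1, a
    for _ in range(7):
        e = gf_mul(e, e)   # a^2, a^4, ..., a^128
        r = gf_mul(r, e)
    return r


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(256)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, threshold: int, shares: int) -> list[str]:
    """Return `shares` strings "i-hex"; any `threshold` of them rebuild secret."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    # Per byte: random polynomial of degree threshold-1 whose constant term is
    # the secret byte, so the secret is the polynomial's value at x = 0.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)]
             for b in secret]
    return [f"{x}-{bytes(_eval_poly(p, x) for p in polys).hex()}"
            for x in range(1, shares + 1)]


def _parse(share: str) -> tuple[int, bytes]:
    idx, hexpart = share.split("-", 1)
    return int(idx), bytes.fromhex(hexpart)


def combine(shares: list[str]) -> bytes:
    """Lagrange-interpolate each byte at x=0. NOTE: fewer than `threshold`
    shares, or a wrong/forged share, yields garbage with no error: plain
    Shamir has no integrity check, so verify the result independently
    (e.g. by deriving the address)."""
    points = [_parse(s) for s in shares]
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    n = len(points[0][1])
    if any(len(y) != n for _, y in points):
        raise ValueError("shares differ in length")
    out = bytearray()
    for i in range(n):
        acc = 0
        for j, (xj, yj) in enumerate(points):
            num, den = 1, 1
            for m, (xm, _) in enumerate(points):
                if m != j:            # basis L_j(0) = prod x_m / (x_m - x_j)
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)   # subtraction is XOR here
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def forge_sibling(known_share: str, desired_secret: bytes, x_new: int) -> str:
    """2-of-3 case: from ONE share, build a second share that recombines with
    it to `desired_secret`. Such a sibling exists for every possible secret,
    which is why a lone share carries no information about the key."""
    x1, y1 = _parse(known_share)
    if len(desired_secret) != len(y1):
        raise ValueError("length mismatch")
    if x_new == x1 or not 1 <= x_new <= 255:
        raise ValueError("bad share index")
    out = bytearray()
    for s, y in zip(desired_secret, y1):
        a1 = gf_mul(y ^ s, gf_inv(x1))      # slope of the line through (0,s),(x1,y1)
        out.append(s ^ gf_mul(a1, x_new))
    return f"{x_new}-{bytes(out).hex()}"


if __name__ == "__main__":
    customer, server, vendor = split(WIF, 2, 3)
    print("customer:", customer)
    print("server+vendor ->", combine([server, vendor]))
    print("vendor alone  ->", combine([vendor]))           # garbage, silently
    fake = forge_sibling(vendor, b"?" * len(WIF), 2)       # constructed target
    print("vendor+forged ->", combine([vendor, fake]))      # any secret you like
```

The `forge_sibling` routine is the whole point of the "useless on its own" claim in the thread: with one share, every 51-byte string is equally plausible. The flip side, noted in `combine`, is that recombination does not tell you whether the share you were handed is genuine; a scheme built on this needs an out-of-band check (for a Bitcoin key, deriving the address and comparing) before anyone relies on it.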


Comments


[1 Points] gwern:

  1. how is this better than multi-sig?
  2. Bitcoin addresses aren't that long. Are keys 1/3 the length brute-forceable?


[1 Points] sconces:

Isn't this just multi-sig?


[1 Points] Hashbangg:

How do you verify the customer supplied address contains the BTC required? It seems like the customer could easily supply a bunk wallet address and scam the vendor.

The trust needs to work both ways.


[1 Points] darknetsolutions:

What happens if the customer refuses to release it even if the delivery is successful?