In a fair exchange protocol, two parties either both honour an exchange (such as a contract), or neither of them does. It is known that deterministic fair exchange is impossible without a trusted third party (Even and Yacobi 1980). But under the Bitcoin protocol, a validated blockchain acts as a trusted third party.
Current State of the Art
The Bitcoin Wiki (2014) includes a page on ‘Atomic cross-chain trading’ which describes a protocol where two parties own coins in different cryptocurrencies and want to exchange them without having to trust a third party or centralised exchange. There also exists a BIP (Bitcoin Improvement Proposal), entitled Atomic Cross Chain Transfers (Tiernan, 2014), that describes the method. Others have hinted that by combining secrets, a more symmetric solution is possible. We demonstrate how it can be achieved in Bitcoin.
The objective is to implement a fair exchange protocol under the Bitcoin protocol.
The proposed protocol offers all the benefits of the atomic cross-chain trading protocol, i.e. it enables two parties to conduct a fair exchange using separate transactions and no third party, and is both atomic and secure. At the same time, the proposed protocol is perfectly symmetric.
The proposed invention describes the first known implementation of a symmetric fair exchange protocol on the Bitcoin blockchain.
The locking and unlocking scripts are described below in pseudocode. The scripting language inherently supports the described algorithm.
Alice and Bob wish to trade entities of value, such as bitcoin, other currencies, contracts, goods, or services. They have agreed that Alice shall give Bob e1, and Bob shall give Alice e2. Let H(x) be the OP_HASH160 Bitcoin-script hash of x. Note also that in the Bitcoin script, as used here, a non-zero locktime indicates the earliest time that the transaction may be added to the blockchain and in practice is expressed in Unix time (the number of seconds that have elapsed since 00:00:00 UTC Jan 1, 1970), whilst a zero locktime is interpreted as no locktime (for immediate broadcast). The protocol is described in Table 1, and the transactions are given in full in the appendix.
Such a system can be used to exchange secrets used in media and DRM.
Bitcoin Wiki webpage (2014): Atomic cross-chain trading, http://en.bitcoin.it/wiki/Atomic_cross-chain_trading.
Even, S., Yacobi, Y.: Relations among public key signature systems, Technical Report CS0175. Technion, Haifa (1980).