Skip to main content

Escrow Protocols for Cryptocurrencies: How to Buy Physical Goods Using Bitcoin

  • Conference paper
Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10322))

Included in the following conference series:


We consider the problem of buying physical goods with cryptocurrencies. There is an inherent circular dependency: should be the buyer trust the seller and pay before receiving the goods or should the seller trust the buyer and ship the goods before receiving payment? This dilemma is addressed in practice using a third party escrow service. However, we show that naive escrow protocols introduce both privacy and security issues. We formalize the escrow problem and present a suite of schemes with improved security and privacy properties. Our schemes are compatible with Bitcoin and similar blockchain-based cryptocurrencies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions


  1. 1.

    There may be other desirable features that can be categorized as security properties that are out of the scope of this work.

  2. 2.

    See for example

  3. 3.

    The zero knowledge proof proves that a ciphertext encrypts the discrete log of a known value for a known base. For details of how to construct this proof see Camenisch et al. [21]. Gennaro et al. demonstrates that these proofs work with ECDSA and Bitcoin keys [26].


  1. Bitcoin wiki: Atomic cross-chain trading. Accessed 14 Nov 2016

  2. Bitcoin wiki: Elliptic Curve Digital Signature Algorithm. Accessed 11 Feb 2014

  3. Bitcoin wiki: Secp265k1. Accessed 01 Nov 2016

  4. Bitcoin wiki: Transactions. Accessed 01 Nov 2016

  5. Monero Loses Darknet Market in Apparent Exit Scam. Accessed 14 Nov 2016

  6. Stealth payments. Accessed 14 Nov 2016

  7. Open bazaar protocol (2016).

  8. Andresen, G.: Github: Proposal: open up IsStandard for P2SH transactions. Accessed 16 Feb 2017

  9. Andrew, M.: Bitcoin forum post: Alt chains and atomic transfers

    Google Scholar 

  10. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, Ł.: Fair two-party computations via bitcoin deposits. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014. LNCS, vol. 8438, pp. 105–121. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  11. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multi-party computations on bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 443–458. IEEE (2014)

    Google Scholar 

  12. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 7–17. ACM (1997)

    Google Scholar 

  13. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 591–606. Springer, Heidelberg (1998).

    Chapter  Google Scholar 

  14. Zhou, J., Gollmann, D.: Certified electronic mail. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 160–171. Springer, Heidelberg (1996).

    Chapter  Google Scholar 

  15. Banasik, W., Dziembowski, S., Malinowski, D.: Efficient zero-knowledge contingent payments in cryptocurrencies without scripts. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 261–280. Springer, Cham (2016).

    Chapter  Google Scholar 

  16. Bao, F., Deng, R.H., Mao, W.: Efficient and practical fair exchange protocols with off-line TTP. In: Proceedings of the 1998 IEEE Symposium on Security and Privacy, pp. 77–85. IEEE (1998)

    Google Scholar 

  17. Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014).

    Chapter  Google Scholar 

  18. Blum, M.: Three Applications of the Oblivious Transfer: Part I: Coin Flipping by Telephone; Part II: How to Exchange Secrets; Part III: How to Send Certified Electronic Mail. University of California, Berkeley (1981)

    Google Scholar 

  19. Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., Felten, E.W.: Sok: research perspectives and challenges for bitcoin and cryptocurrencies. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 104–121. IEEE (2015)

    Google Scholar 

  20. Cachin, C., Camenisch, J.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000).

    Chapter  Google Scholar 

  21. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003).

    Chapter  Google Scholar 

  22. Christin, N.: Traveling the silk road: a measurement analysis of a large anonymous online marketplace. In: Proceedings of the 22nd International Conference on World Wide Web, pp. 213–224. International World Wide Web Conferences Steering Committee (2013)

    Google Scholar 

  23. Danezis, G., Meiklejohn, S.: Centrally banked cryptocurrencies. arXiv preprint arXiv:1505.06895 (2015)

  24. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science, pp. 427–438. IEEE (1987)

    Google Scholar 

  25. Garay, J.A., Jakobsson, M., MacKenzie, P.: Abuse-free optimistic contract signing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 449–466. Springer, Heidelberg (1999).

    Chapter  Google Scholar 

  26. Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016).

    Chapter  MATH  Google Scholar 

  27. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996).

    Chapter  Google Scholar 

  28. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999).

    Chapter  Google Scholar 

  29. Goldreich, O.: Secure multi-party computation. Manuscript. Preliminary version (1998)

    Google Scholar 

  30. Jakobsson, M.: Ripping Coins for a Fair Exchange. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 220–230. Springer, Heidelberg (1995).

    Chapter  Google Scholar 

  31. Juels, A., Kosba, A., Shi, E.: The ring of gyges: using smart contracts for crime. Aries 40, 54 (2015)

    Google Scholar 

  32. Küpçü, A., Lysyanskaya, A.: Usable optimistic fair exchange. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 252–267. Springer, Heidelberg (2010).

    Chapter  Google Scholar 

  33. Lindell, A.Y.: Legally-enforceable fairness in secure two-party computation. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 121–137. Springer, Heidelberg (2008).

    Chapter  Google Scholar 

  34. MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. Int. J. Inf. Secur. 2(3–4), 218–239 (2004)

    Article  MATH  Google Scholar 

  35. Maxwell, G.: The first successful zero-knowledge contingent payment

    Google Scholar 

  36. Maxwell, G.: Zero knowledge contingent payment

    Google Scholar 

  37. Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: Proceedings of the Twenty-second Annual Symposium on Principles of Distributed Computing, pp. 12–19

    Google Scholar 

  38. Moore, T., Christin, N.: Beware the middleman: empirical analysis of bitcoin-exchange risk. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 25–33. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  39. Poon, J., Dryja, T.: The bitcoin lightning network: scalable off-chain instant payments. Technical report

    Google Scholar 

  40. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  41. Wuille, P.: Bip 32: Hierarchical deterministic wallets. Accessed 14 Nov 2016

Download references


We would like to thank Andrew Miler and Washington Sanchez for useful discussions and feedback.

Steven Goldfeder is supported by the NSF Graduate Research Fellowship under grant number DGE 1148900. Rosario Gennaro is supported by NSF Grant 1545759. Arvind Narayanan is supported by NSF Grant CNS-1421689.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Steven Goldfeder .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Goldfeder, S., Bonneau, J., Gennaro, R., Narayanan, A. (2017). Escrow Protocols for Cryptocurrencies: How to Buy Physical Goods Using Bitcoin. In: Kiayias, A. (eds) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science(), vol 10322. Springer, Cham.

Download citation

  • DOI:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics