Some people may have seen my service Reality Keys, which can perform a role a bit like an External State Oracle as described previously by Mike Hearn and others. (I like to think of it as a Certificate Authority for propositions, doing for facts what Verisign do for identities.) You register a possible outcome with us, we publish a public key for "yes" and another for "no", and once the outcome happens or fails to happen, we publish the appropriate private key.

A few people have been asking for advice on the best way to use our keys to make m-of-n contracts, where each party locks up their stake in a transaction, then the winner gets their private key from Reality Keys and uses it to release the funds. Peter Todd suggested what seems like a very nice way to do this without needing non-standard transactions or refund transactions. I've had a go at implementing it and it seems to work, but I don't know enough about this to distinguish the ECC bit of it from magic, so I'm wondering if people who do understand it could comment on whether it's a safe thing to be doing.

What I'm trying to do here is to combine the public key of each party with the public key of the outcome they're representing, eg I make a public key with:

 <alice-pub> + <reality-key-yes-pub>

...and another with:

 <bob-pub> + <reality-key-no-pub>

That goes into a 1/2 P2SH address (in the simplest possible case), which is spendable by one of Alice or Bob after the outcome occurs with either:

 <alice-priv> + <reality-key-yes-priv>

...or

 <bob-priv> + <reality-key-no-priv>

I'm making the transaction with add_pubkeys, then spending it with add_privkeys, both from:

What's worrying my superstitious mind is that knowing <reality-key-no-pub> before he has to produce <bob-pub>, I'm wondering if there's something Bob could do with <bob-pub> to intentionally weaken the resulting (<bob-pub> + <reality-key-no-pub>) so that he could sign a transaction with it without needing to know <reality-key-no-priv>.

My example script (and specifically the bit that's scaring me) is here:

PS. I hope I'm not too far off-topic. Peter Todd suggested it might be worth talking about here as it potentially has implications for other protocols. If people prefer to respond at bitcointalk instead, we've been discussing it here: