# Gavin Andresen
# 2012-10-04 19:02:44
# https://bitcointalk.org/index.php?topic=115084.msg1245562#msg1245562

@s{quotedtext}
@s{quotedtext}
 @p{brk}
If you held a pre-signed transaction that sends the funds back to you with a lockTime of 1 Jan 2013 that would work. @p{par}

Lets see... thinking out loud... @p{par}

Start by asking the exchange for a brand-new public key to use for their half of the 2-of-2 transaction. Call the send-coins-into-2-of-2 transaction "F" (for Fund). @p{par}

You create and sign that transaction, but don't broadcast it yet. @p{par}

Use it's transaction id to create a second, one-input-two-signature, lockTime=1/1/2013 transaction that refunds the coins to you.  Call that "R" (for Refund). @p{par}

Send R to the exchange and ask them to sign it using that brand-new public key they gave you. The exchange checks the lockTime and then returns R and the signature to you. You check the signature, and if it is good, broadcast F (and keep the half-signed R someplace safe). @p{par}

If 1/1/2013 rolls around and you want your coins back, you sign your half of R and broadcast it. @p{par}


@p{hrule}
 @p{brk}
I'd have to think a little harder than I want to right now about whether or not signing R knowing only txid==HASH(F) opens up the exchange to attacks. I can't think of any, but the exchange providing a signature when it doesn't know the details of exactly what it is signing makes me nervous. @p{par}

You could send the unsigned R and the signed-but-not-broadcast F to the exchange and trust that the exchange will not broadcast F unless they agree to sign R. @p{par}


@p{hrule}
I think holding on to pre-signed-but-not-broadcast-yet transactions is a technique "we" don't think about enough. @p{brk}