Part Two: A Cryptographic Marketplace on the Web

We’re working hard to bring you the most secure marketplace that crypto has seen.

Unlike other marketplaces, LocalEthereum is the first to use a completely in-browser crypto setup to encrypt and sign messages and create smart contracts directly between users over encrypted channels.

This post will focus on the technical workings of LocalEthereum. While the platform will be user-friendly and require no technical knowledge, users can trade with peace of mind knowing that security and self-custody have come first at every stage of development.

Crypto in your browser

When users make an account, although they only enter a username and password, the password is never actually uploaded — it’s only used as the passphrase to unlock the securely generated 256-bit account key. To prevent brute-force attacks, the password is first “stretched” thoroughly using PBKDF2 to derive something much safer, and encrypted private keys are protected by two-factor authentication.

The cryptography behind LocalEthereum’s messages is adapted from Open Whisper Systems’ Signal Protocol, which is a trusted open-source standard endorsed by Edward Snowden and used by WhatsApp, Facebook and Google Allo.

Each trade is protected by end-to-end encryption using a shared secret key that never touches the Internet. The way this works is through an asynchronous key exchange protocol called Elliptic-curve Diffie–Hellman (ECDH), which lets both users derive the same shared secret, each from their own private key and the other party’s public key.

So that the secret keys are fully disposable (and so LocalEthereum has perfect forward secrecy), the ECDH agreement uses one-time temporary keys called pre-keys, which have been generated and signed in advance. For more on this, check out Open Whisper Systems’ “Forward Secrecy for Asynchronous Messages”.

In the case of a dispute, any party can volunteer the secret key to a trusted arbitrator, who’ll then be able to decrypt the past messages and work with both parties to make a fair decision. In ordinary trades, the secret key is erased — effectively erasing the message history forever.

All ether that is used on LocalEthereum is stored in a wallet that is derived from the user’s offline private key. Trades are completely peer-to-peer and ether is sent directly from user to user. This means that no one (not even our staff) can touch your ether nor read your messages.

As the Ethereum ecosystem matures, LocalEthereum plans to move the remaining parts of the system into the decentralized web. Our entire website will be hosted on Ethereum’s Swarm to ensure zero downtime and perfect security. Arbitrators will be selected via a smart contract, which means anyone will be able to work for LocalEthereum, making it an unstoppable decentralized autonomous organization.

Within the next two weeks, we’re going to release our roadmap. If you haven’t already, be sure to check out “Part One: The Frustration of Buying and Selling Ether” and join the waiting list for the next update.