From ZmnSCPxj at protonmail.com Wed Sep 25 23:21:10 2019
From: ZmnSCPxj at protonmail.com (ZmnSCPxj)
Date: Wed, 25 Sep 2019 23:21:10 +0000
Subject: [Lightning-dev] Selling timestamps (via payment points and scalars + Pedersen commitments ) [try2]
In-Reply-To: <20190925192958.tt7k3lkvyr6elv4k@erisian.com.au>
References: <20190925094312.iu43ij5k4r4viyol@erisian.com.au>
 <_MpLAUdyzQPsMnVOswO5Eux8XUxCbJIiBIDEp4gwni9ru8r4Lj0bKD5oM3W0mvphadyx23kIXDT_hzma-NkIUrRYKwch4qplLHALx9qVxcw=@protonmail.com>
 <20190925192958.tt7k3lkvyr6elv4k@erisian.com.au>
Message-ID:

Good morning aj,

> On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:
>
> > > Since it's off chain, you could also provide R and C and a zero knowledge
> > > proof that you know an r such that:
> > > R = SHA256( r )
> > > C = SHA256( x || r )
> > >
> > > in which case you could do it with lightning as it exists today.
> >
> > I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network.
> >
> > However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?
>
> If you know x and r, you can generate C and R and a zero knowledge proof
> of the relationship between x,C,R that doesn't reveal r (eg, I think
> you could do that with bulletproofs).

Ah, yes, a generic zkp should work indeed.

> Unfortunately that zkp already
> proves that C was generated based on x, so you get your timestamp for
> free. Ooops.

:(

Yes, the "existence-proof-of-a-proof-of-X is a proof-of-X".

Perhaps relevant? http://stevengoldfeder.com/papers/ZKCSP.pdf
Lightning payments are essentially zero-knowledge contingent payments already.

Regards,
ZmnSCPxj
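
Added example (not part of the original message, and not code from any Lightning implementation): a sketch of the hash-only exchange discussed in this thread, showing that a client holding just `x`, `R` and `C` cannot tell an honest commitment from a dishonest one until payment reveals `r`. The function names, the sample document and the dishonest-server behaviour are constructed for illustration.

```python
import hashlib
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def server_offer(x: bytes, honest: bool = True):
    """Server picks a secret r and publishes (R, C); r stays private until paid."""
    r = os.urandom(32)
    R = sha256(r)                      # payment hash, as in today's Lightning
    # Constructed dishonest case: C commits to something other than the client's x.
    C = sha256(x + r) if honest else sha256(b"unrelated" + r)
    return r, R, C


def client_precheck(x: bytes, R: bytes, C: bytes) -> bool:
    """Everything the client can check before paying.

    Without r it can recompute neither SHA256(r) nor SHA256(x || r),
    so only the shape of the values is checkable. This is the gap a
    zero-knowledge proof over (x, C, R) would have to close.
    """
    return len(R) == 32 and len(C) == 32 and R != C


def client_postcheck(x: bytes, r: bytes, R: bytes, C: bytes) -> bool:
    """After settlement the preimage r is known and both relations are checkable."""
    return sha256(r) == R and sha256(x + r) == C


def run_exchange(x: bytes, honest: bool):
    r, R, C = server_offer(x, honest)
    pre = client_precheck(x, R, C)
    # Payment step (assumed): an HTLC locked to R settles and hands r to the client.
    post = client_postcheck(x, r, R, C)
    return pre, post


if __name__ == "__main__":
    doc = b"constructed sample document"
    print("honest server   :", run_exchange(doc, honest=True))
    print("dishonest server:", run_exchange(doc, honest=False))
```

Both offers pass the pre-payment check; only the post-payment check separates them, by which point the client has already paid.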