From lloyd.fourn at gmail.com  Wed Sep 25 23:38:57 2019
From: lloyd.fourn at gmail.com (Lloyd Fournier)
Date: Thu, 26 Sep 2019 09:38:57 +1000
Subject: [Lightning-dev] Selling timestamps (via payment points and
 scalars + Pedersen commitments ) [try2]
In-Reply-To: <20190925192958.tt7k3lkvyr6elv4k@erisian.com.au>
References: <CAHoOKg+69EbucDMHwVXk3ak_qiNo-3s5mzh=rhwbD0n+t=cgOw@mail.gmail.com>
	<CAHoOKgLSX=c=yriNmiu+TN6J8ZVS-_Ex1+CnRQiNQ7ZvzeVYPQ@mail.gmail.com>
	<20190925094312.iu43ij5k4r4viyol@erisian.com.au>
	<_MpLAUdyzQPsMnVOswO5Eux8XUxCbJIiBIDEp4gwni9ru8r4Lj0bKD5oM3W0mvphadyx23kIXDT_hzma-NkIUrRYKwch4qplLHALx9qVxcw=@protonmail.com>
	<20190925192958.tt7k3lkvyr6elv4k@erisian.com.au>
Message-ID: <CAH5Bsr0W=nWN+iy0HfbJvcnmYoBbyTLH1R=uaKb9NZ+b3BS5aA@mail.gmail.com>

This is a nice scheme.

Pedersen commitments + pay to point seems to be the most practical way to
do it, but you can generalise this "paying for a decommitment" idea to any
commitment scheme. For example, you could do this in a payment channel with
hashes if we had something like OP_CAT, e.g. an HTLC unlocks based on whether
you can provide an r such that H(r || x) == C.

> Unfortunately that zkp already proves that C was generated based on x, so
> you get your timestamp for free. Ooops. :(

I haven't studied zkp for circuits in general but I guess the
non-interactive proofs are Fiat-Shamir transformations of an interactive
protocol. Maybe you could just use the interactive zero knowledge protocol,
which doesn't have the side effect of leaving the verifier with a proof they
can give to others.

LL

On Thu, Sep 26, 2019 at 5:30 AM Anthony Towns <aj at erisian.com.au> wrote:

> On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:
> > > Since it's off chain, you could also provide R and C and a zero knowledge
> > > proof that you know an r such that:
> > > R = SHA256( r )
> > > C = SHA256( x || r )
> > >
> > > in which case you could do it with lightning as it exists today.
> > I can insist on paying only if the server reveals an `r` that matches some
> > known `R` such that `R = SHA256(r)`, as currently in Lightning network.
> > However, how would I prove, knowing only `R` and `x`, and that there exists
> > some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?
>
> If you know x and r, you can generate C and R and a zero knowledge proof
> of the relationship between x,C,R that doesn't reveal r (eg, I think
> you could do that with bulletproofs). Unfortunately that zkp already
> proves that C was generated based on x, so you get your timestamp for
> free. Ooops. :(
>
> Cheers,
> aj