From lloyd.fourn at gmail.com Wed Sep 25 23:38:57 2019 From: lloyd.fourn at gmail.com (Lloyd Fournier) Date: Thu, 26 Sep 2019 09:38:57 +1000 Subject: [Lightning-dev] Selling timestamps (via payment points and scalars + Pedersen commitments ) [try2] In-Reply-To: <20190925192958.tt7k3lkvyr6elv4k@erisian.com.au> References: <CAHoOKg+69EbucDMHwVXk3ak_qiNo-3s5mzh=rhwbD0n+t=cgOw@mail.gmail.com> <CAHoOKgLSX=c=yriNmiu+TN6J8ZVS-_Ex1+CnRQiNQ7ZvzeVYPQ@mail.gmail.com> <20190925094312.iu43ij5k4r4viyol@erisian.com.au> <_MpLAUdyzQPsMnVOswO5Eux8XUxCbJIiBIDEp4gwni9ru8r4Lj0bKD5oM3W0mvphadyx23kIXDT_hzma-NkIUrRYKwch4qplLHALx9qVxcw=@protonmail.com> <20190925192958.tt7k3lkvyr6elv4k@erisian.com.au> Message-ID: <CAH5Bsr0W=nWN+iy0HfbJvcnmYoBbyTLH1R=uaKb9NZ+b3BS5aA@mail.gmail.com> This is a nice scheme. Pedersen commitments + pay to point seems to be the most practical way to do it but you can generalise this paying for a decommitment idea to any commitment scheme. For example, you could do this in a payment channel with hashes if we had something like OP_CAT. e.g HTLC unlocks based on whether you can provide an r such that H(r || x) == C. > Unfortunately that zkp already proves that C was generated based on x, so you get your timestamp for free. Ooops. :( I haven't studied zkp for circuits in general but I guess the non-interactive proofs are fiat-shamir transformations of an interactive protocol. Maybe you could just use the interactive zero knowledge protocol which doesn't have the side effect of the verifier with a proof they can give to others. LL On Thu, Sep 26, 2019 at 5:30 AM Anthony Towns <aj at erisian.com.au> wrote: > On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote: > > > Since it's off chain, you could also provide R and C and a zero > knowledge > > > proof that you know an r such that: > > > R = SHA256( r ) > > > C = SHA256( x || r ) > > > > in which case you could do it with lightning as it exists today. > > I can insist on paying only if the server reveals an `r` that matches > some known `R` such that `R = SHA256(r)`, as currently in Lightning network. > > However, how would I prove, knowing only `R` and `x`, and that there > exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`? > > If you know x and r, you can generate C and R and a zero knowledge proof > of the relationship between x,C,R that doesn't reveal r (eg, I think > you could do that with bulletproofs). Unfortunately that zkp already > proves that C was generated based on x, so you get your timestamp for > free. Ooops. :( > > Cheers, > aj > > _______________________________________________ > Lightning-dev mailing list > Lightning-dev at lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190926/16f52927/attachment.html>