From ZmnSCPxj at protonmail.com  Sat Dec 19 07:48:21 2020
From: ZmnSCPxj at protonmail.com (ZmnSCPxj)
Date: Sat, 19 Dec 2020 07:48:21 +0000
Subject: [Lightning-dev] Covert channel recovery with Oblivious
	Signatures
In-Reply-To: <CAH5Bsr1FtUhAmM96QSFoM_UVGiWw3G9nd+fmLMPZ2939sqOVBw@mail.gmail.com>
References: <CAH5Bsr1dmtKrJNpC5ZzcZChsPiGiaDi7CkcOp8hN3PYtQRRhfw@mail.gmail.com>
 <GMjoLiJYyMwSBNdfiyfChsWybEYH05SKpmcjKsTNG1qXJyUWbcMJ_Z3orrajvvF3BvZYK6ILM6EJXkPUzXBZ-r7gDQqOT7Z3f8wKJBd67a8=@protonmail.com>
 <CAH5Bsr0pU4NBTRo1O7B_r20KBs6R--UNtPUiYtUHZnYYYqr=9Q@mail.gmail.com>
 <i0wgenzxXFxdTQta4dLmpiziNMiGVsYBgKBOxnAp9nPKe_-zoZhI_wpfBhlncBxH6hw7dwR9rFDkA4kRXjG06Q2yA_KyLN1DEjWtRLYFm1E=@protonmail.com>
 <CAH5Bsr0i78_TNS-X4YZsVD-3+arB+eWECj06bg82jc3DLmbXKw@mail.gmail.com>
 <CAH5Bsr1FtUhAmM96QSFoM_UVGiWw3G9nd+fmLMPZ2939sqOVBw@mail.gmail.com>
Message-ID: <uTu00q-giDX8V-8Vk4Cf1ayUysOEUPNrv4sYjfQ-RF1qI3egG3k9DQxZa3sk9vQq1h7OfB7n-IWqZZplEAKWZjHD-LQ0sRcUwMUGHSVoe-w=@protonmail.com>

Good morning LL,

> > I suspect part of the proof-of-discrete-log-equivalance can be gated as well by a ZKCP on payment point+scalar the proof is provided only on payment.
> > The selling node operator does not even need to reveal `z`.
>
> Actually no -- the fact that you were able to create a secure conditional payment for the proof would always prove the proof existed.
> You wouldn't need to pay for the proof then!

That depends on the proof.

For example, one pay-for-proof scheme would be somebody to provide you an `(R, S)` for a public key `P = p * G`,  where `S = s * G` (i.e. a signature, or a proof that you know `p` where `P = p * G`), and it would not prove anything until you pay for the scalar `s` and the prover can provide `s`, since `S` is computable from public information that anyone can have.
So it really depends on what you want to prove; a mere ZKCP is not always enough.

Regards,
ZmnSCPxj

PS I am dabbling in BTRFS now though, so ---