From lloyd.fourn at gmail.com Sun Dec 20 04:53:41 2020
From: lloyd.fourn at gmail.com (Lloyd Fournier)
Date: Sun, 20 Dec 2020 15:53:41 +1100
Subject: [Lightning-dev] Covert channel recovery with Oblivious Signatures
In-Reply-To:
References:
Message-ID:

On Sat, Dec 19, 2020 at 6:48 PM ZmnSCPxj wrote:

> Good morning LL,
>
> > > I suspect part of the proof-of-discrete-log-equivalence can be gated
> > > as well by a ZKCP on payment point+scalar; the proof is provided only on
> > > payment.
> > > The selling node operator does not even need to reveal `z`.
> >
> > Actually no -- the fact that you were able to create a secure
> > conditional payment for the proof would always prove the proof existed.
> > You wouldn't need to pay for the proof then!
>
> That depends on the proof.
>
> For example, one pay-for-proof scheme would be for somebody to provide you an
> `(R, S)` for a public key `P = p * G`, where `S = s * G` (i.e. a
> signature, or a proof that you know `p` where `P = p * G`), and it would
> not prove anything until you pay for the scalar `s` and the prover can
> provide `s`, since `S` is computable from public information that anyone
> can have.
> So it really depends on what you want to prove; a mere ZKCP is not always
> enough.
>
> Regards,
> ZmnSCPxj
>
> PS I am dabbling in BTRFS now though, so ---
>

You're right. I stand corrected.

It is possible to construct ZKCP payments where the messages sent by the
prover up until the point the prover claims the payment (and reveals the
witness) could have been simulated by someone who doesn't know the witness.
You give a good example of this.

After thinking about your post I recalled that I used a similar argument
about the security of my protocol for buying an opening of a Pedersen
commitment with Bitcoin [1].

[1] https://github.com/LLFourn/buying-pedersen-commitment/blob/master/main.pdf

LL
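The `(R, S)` pay-for-proof scheme in ZmnSCPxj's quoted reply, worked through as an added example. This is not code from either participant, from the Lightning project, or from the paper linked above. It assumes secp256k1, a SHA-256 challenge e = H(R || P || m), and the Schnorr-style relation S = s*G = R + e*P; those choices and every function name (honest_prover, simulator, pre_payment_check, settle, demo) are illustrative assumptions, not anything from the thread. The thing to watch is that `simulator`, which holds only the public key, passes exactly the same pre-payment check as `honest_prover`: the `(R, S)` message carries no evidence until the scalar `s` is actually bought.

```python
"""Added example: an (R, S) pair proves nothing until the scalar s is paid for.

Assumed (not from the thread): secp256k1, challenge e = SHA256(R || P || msg)
mod n, relation S = s*G = R + e*P. Toy arithmetic, not constant time.
"""
import hashlib
import secrets

# secp256k1 domain parameters (well-known public constants)
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Points are (x, y) tuples; None stands for the point at infinity.


def point_add(a, b):
    """Affine point addition on secp256k1."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, pub, msg):
    """e = H(R || P || msg) mod n (assumed challenge derivation)."""
    h = hashlib.sha256(encode(R) + encode(pub) + msg).digest()
    return int.from_bytes(h, "big") % N


def honest_prover(p, msg):
    """Knows p. Sends (R, S) up front and keeps s for the paid settlement."""
    pub = point_mul(p, G)
    k = secrets.randbelow(N - 1) + 1
    R = point_mul(k, G)
    e = challenge(R, pub, msg)
    s = (k + e * p) % N          # ordinary Schnorr response
    return R, point_mul(s, G), s


def simulator(pub, msg):
    """Knows only P. Produces an (R, S) that passes the same pre-payment
    check, because S = R + e*P is computable without any secret."""
    k = secrets.randbelow(N - 1) + 1
    R = point_mul(k, G)
    e = challenge(R, pub, msg)
    return R, point_add(R, point_mul(e, pub))


def pre_payment_check(R, S, pub, msg):
    """All the buyer can verify before paying: S == R + e*P.
    Passing it says nothing about whether the seller can produce s."""
    e = challenge(R, pub, msg)
    return S == point_add(R, point_mul(e, pub))


def settle(S, s):
    """The point+scalar payment condition: s must be the discrete log of S.
    Only here does the buyer obtain a real Schnorr signature (R, s) on P."""
    return point_mul(s, G) == S


def demo(p, msg):
    """Run both sellers against the same checks; returns the outcomes."""
    pub = point_mul(p, G)
    R, S, s = honest_prover(p, msg)
    R2, S2 = simulator(pub, msg)
    return {
        "honest_pre": pre_payment_check(R, S, pub, msg),
        "honest_settle": settle(S, s),
        "sim_pre": pre_payment_check(R2, S2, pub, msg),
    }


if __name__ == "__main__":
    print(demo(0xC0FFEE, b"pay-for-proof"))
```

The only message that distinguishes the two sellers is the one that reveals `s` at settlement, which is the point of ZmnSCPxj's example: the buyer's ability to set up the conditional payment on `S` does not leak that a valid `s` exists, so the payment really does buy something.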