From joemphilips at gmail.com Mon Feb 8 10:02:16 2021 From: joemphilips at gmail.com (Joe Miyamoto Philips) Date: Mon, 8 Feb 2021 19:02:16 +0900 Subject: [Lightning-dev] Pay-for-Elgamal-decryption-key and its application to Anonymous Credentials Message-ID: (I have replied without changing the subject line so I will reply again. sorry for spamming) > But I see the advantage of your idea. If a malicious credential server is able to identify you somehow at the point of payment then they might want > to selectively steal your money while being honest with everyone else. > In your scheme, if you pay you get the credential and then since it is anonymous it can't be distinguished from others when you go to claim whatever it entails. > Is this the idea? Yes, And in case of a trustful exchange with LN, the malicious server does not even have to distinguish a user. The server can just choose one private channel that is connected to itself and decides to be dishonest to it. The victim has no way to prove that he did NOT receive a credential after payment. Even if the server acts completely honestly, the user may claim that they did not receive the credentials after payment. Other entities have no way to tell if the user has been fooled or they are just trying to undermine the reputation of the service. (In the case of credential presentation, it is easy to check if the server is acting honestly. Just run the blind-show protocol and check if the server acts expectedly. The blind-show can be run by anyone and the server has no way to distinguish which credential they received.) Thus I think making an exchange atomic in this way is necessary for a commercial application.