<div dir="ltr"><div>That is very interesting.<br><br></div><div>There has been some recent discussion about atomic cross chain transfers between Bitcoin and legacy altcoins. For this purpose a legacy altcoin is one that has strict IsStandard() rules and none of the advanced script opcodes.<br><br></div><div>It has a requirement that Bob sends Alice a pair [hash_of_bob_private_key, bob_public_key]. Bob has to prove that the hash is actually the result of hashing the private key that matches bob_public_key.<br><br></div><div>This can be achieved with a cut-and-choose scheme. It uses a fee so that an attacker loses money on average. It is vulnerable to an attacker who doesn't mind losing money as long as the target loses money too.<br><br></div><div>Bob would have to prove that he has an x such that<br><br></div><div>xG = <bob_public_key><br></div><div>hash(x) = hash_of_bob_private_key<br><br></div><div>Is the scheme fast enough such that an elliptic curve multiply would be feasible? You mention 20 seconds for 5 SHA256 operations, so I am guessing no?<br></div><div><br></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 26, 2016 at 11:06 PM, Sergio Demian Lerner via bitcoin-dev <span dir="ltr"><<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Congratulations!<br></div></div><br>It a property of the SKCP system that the person who performed the trusted setup cannot extract any information from a proof?<br><br></div>In other words, is it proven hard to obtain information from a proof by the buyer? <br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 26, 2016 at 6:42 PM, Gregory Maxwell via bitcoin-dev <span dir="ltr"><<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am happy to announce the first successful Zero-Knowledge Contingent<br>
Payment (ZKCP) on the Bitcoin network.<br>
<br>
ZKCP is a transaction protocol that allows a buyer to purchase<br>
information from a seller using Bitcoin in a manner which is private,<br>
scalable, secure, and which doesn’t require trusting anyone: the<br>
expected information is transferred if and only if the payment is<br>
made. The buyer and seller do not need to trust each other or depend<br>
on arbitration by a third party.<br>
<br>
Imagine a movie-style “briefcase swap” (one party with a briefcase<br>
full of cash, another containing secret documents), but without the<br>
potential scenario of one of the cases being filled with shredded<br>
newspaper and the resulting exciting chase scene.<br>
<br>
An example application would be the owners of a particular make of<br>
e-book reader cooperating to purchase the DRM master keys from a<br>
failing manufacturer, so that they could load their own documents on<br>
their readers after the vendor’s servers go offline. This type of sale<br>
is inherently irreversible, potentially crosses multiple<br>
jurisdictions, and involves parties whose financial stability is<br>
uncertain–meaning that both parties either take a great deal of risk<br>
or have to make difficult arrangement. Using a ZKCP avoids the<br>
significant transactional costs involved in a sale which can otherwise<br>
easily go wrong.<br>
<br>
In today’s transaction I purchased a solution to a 16x16 Sudoku puzzle<br>
for 0.10 BTC from Sean Bowe, a member of the Zcash team, as part of a<br>
demonstration performed live at Financial Cryptography 2016 in<br>
Barbados. I played my part in the transaction remotely from<br>
California.<br>
<br>
The transfer involved two transactions:<br>
<br>
8e5df5f792ac4e98cca87f10aba7947337684a5a0a7333ab897fb9c9d616ba9e<br>
200554139d1e3fe6e499f6ffb0b6e01e706eb8c897293a7f6a26d25e39623fae<br>
<br>
Almost all of the engineering work behind this ZKCP implementation was<br>
done by Sean Bowe, with support from Pieter Wuille, myself, and Madars<br>
Virza.<br>
<br>
<br>
Read more, including technical details at<br>
<a href="https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/" rel="noreferrer" target="_blank">https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/</a><br>
<br>
[I hope to have a ZKCP sudoku buying faucet up shortly. :) ]<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
<br></blockquote></div><br></div>