[Lightning-dev] BOLT11 In the World of Scriptless Scripts

Anthony Towns aj at erisian.com.au
Mon Nov 5 02:18:04 UTC 2018

On Mon, Nov 05, 2018 at 01:05:17AM +0000, ZmnSCPxj via Lightning-dev wrote:
> > And it just doesn't work unless you give over uniquely identifying
> > information. AJ posts to r/bitcoin demonstrating payment, demanding his
> > goods. Sock puppet says "No, I'm the AJ in Australia" and cut & pastes
> > the same proof.
> Technically speaking, all that AJ in Australia needs to show is that he or she knows, the private key behind the public key that is indicated on the invoice.

Interesting. I think what you're saying is that with secp256k1 preimages
(with decorrelation), if you have the payment hash Q, then the payment
preimage q (Q=q*G) is only known to the payee and the payer (and not
any intermediaries thanks to decorrelation), so if you see a statement

  m="This invoice has been paid but not delivered as at 2018-11-05"

signed by "Q" (so, some s,R s.t. s*G = R + H(Q,R,m)*Q) then that means
either the payee signed it, in which case there's no dispute, or the
payer signed it... And that's publicly verifiable with only the original
invoice information (ie "Q").

(I don't think there's any need for multiple rounds of signatures)

FWIW, I don't see reddit as a particularly viable "court"; there's
no way for reddit to tell who's actually right in a dispute, eg if I
say blockstream didn't send stickers I paid for, and blockstream says
they did; ie there's no need for a sock puppet in the above scenario,
blockstream can just say "according to our records you signed for
delivery, stop whinging". (And if we both agree that it did or didn't
arrive, there's no need to post cryptographic proofs to reddit afaics)

I think there's maybe four sorts of "proof of payment" people might

  0) no proof: "completely" deniable payments (donations?)

  1) shared secret: ability to prove directly to the payee that an
     invoice was paid (what we have now)

  2) signed payment: ability to prove to a different business unit of
     the payee that payment was made, so that you can keep all the 
     secrets in the payment-handling part, and have the service-delivery
     part not be at risk for losing all your money

  3) third-party verifiable: so you can associate a payment with real
     world identity information, and take them to court (or reddit) as a
     contract dispute; needs PKI infrastructure so you can be confident
     the pubkey maps to the real world people you think it does, etc


More information about the Lightning-dev mailing list