[Lightning-dev] Selling Signatures: Another Reason to Move to Payment Points

Nadav Kohen nadav at suredbits.com
Wed Jul 17 15:37:19 UTC 2019

Hi All,

I recently posted a proposal here for a scheme through which a trusted data
provider can utilize the Lightning Network to privately sell data where
data is received atomically with purchase.

I've more recently been thinking about situations where a party, that is
*not* trusted, is attempting to sell its signature to a known message. One
example of a situation where this would be useful is if someone is trying
to offer a DLC-like Option contract where they are essentially
collateralizing themselves in a funding transaction and then selling their
signatures to Contract Execution Transactions (CETs). In this example, we
must ensure that the buyer of the signatures pays if and only if they
receive valid signatures for the CETs which are known.

I believe that this is achievable in a relatively straightforward way if we
were to use ZmnSCPxj's proposed payment points with scalars (as opposed to
payment hashes with pre-images). The (Schnorr) signature seller could give
the buyer their one-time public key, `R = k*G`, through which the buyer
could compute the payment point whose scalar is the seller's signature:
`sig*G = R + h(m, R)*A` where `A` is the seller's public key. Using this
value as the payment point, the buyer could be assured that they pay if and
only if they receive `sig` from the seller, where `sig` is the desired
valid signature of `m`!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190717/95c848fb/attachment.html>

More information about the Lightning-dev mailing list