[Lightning-dev] Selling Signatures: Another Reason to Move to Payment Points

Wed Jul 17 16:56:05 UTC 2019

Hi Lloyd,

Glad you like it :) And to address your concern, I think that although
certainly it is possible for oracles to sell options contracts, it is also
possible to have a more decentralized setup with normal DLC oracles (that
can be used for all kinds of things as all they do is schnorr sign messages
with pre-commited R values), and then have the CETs be 3-of-3 multisig
outputs. In this way the oracle is still not learning about the contract,
just like normal DLCs.

Best,
Nadav

On Wed, Jul 17, 2019 at 11:23 AM Lloyd Fournier <lloyd.fourn at gmail.com>
wrote:

> Hi Nadav,
>
> This is cool idea. I always imagined oracles would either give their DLC
> signatures away for free or work via a subscription model.
>
> The downside to this proposal is that the seller of the signature knows
> which signature they're selling and therefore learns what kind of contract
> the buyer must be involved in.
>
> LL
>
>
> On Thu, Jul 18, 2019 at 1:37 AM Nadav Kohen <nadav at suredbits.com> wrote:
>
>> Hi All,
>>
>> I recently posted a proposal here for a scheme through which a trusted
>> data provider can utilize the Lightning Network to privately sell data
>> where data is received atomically with purchase.
>>
>> I've more recently been thinking about situations where a party, that is
>> *not* trusted, is attempting to sell its signature to a known message. One
>> example of a situation where this would be useful is if someone is trying
>> to offer a DLC-like Option contract where they are essentially
>> collateralizing themselves in a funding transaction and then selling their
>> signatures to Contract Execution Transactions (CETs). In this example, we
>> must ensure that the buyer of the signatures pays if and only if they
>> receive valid signatures for the CETs which are known.
>>
>> I believe that this is achievable in a relatively straightforward way if
>> we were to use ZmnSCPxj's proposed payment points with scalars (as opposed
>> to payment hashes with pre-images). The (Schnorr) signature seller could
>> give the buyer their one-time public key, `R = k*G`, through which the
>> buyer could compute the payment point whose scalar is the seller's
>> signature: `sig*G = R + h(m, R)*A` where `A` is the seller's public key.
>> Using this value as the payment point, the buyer could be assured that they
>> pay if and only if they receive `sig` from the seller, where `sig` is the
>> desired valid signature of `m`!
>>
>> Best,
>> Nadav
>> _______________________________________________
>> Lightning-dev mailing list
>> Lightning-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20190717/3c637967/attachment.html>