[Lightning-dev] Selling timestamps (via payment points and scalars + Pedersen commitments ) [try2]

Konstantin Ketterer ketterer.konstantin at gmail.com
Wed Sep 25 09:01:28 UTC 2019

*Disclaimer*: I have just finished high school and I'm only learning a bit
in my free time. This may be fundamentally broken ;)

*Motivation*: If I had to timestamp multiple messages I could simply
aggregate them in a merkle tree and pay relatively low fees per message.
However, if I only need to timestamp something once in a while I need to
rely on free services or pay high fees.

*Solution*: buy a place in a merkle tree "risk-free"

1. send hash x of my message (or the merkle root of another tree) to the
timestamping server
2. server calculates Pedersen commit: C = x*H + r*G, hashes it, builds
merkle tree with other commits in it and publishes a valid transaction
containing the merkle root to the Bitcoin blockchain
3. after a certain number of block confirmations and with the given proof I
can confirm that the commitment C is indeed part of the Bitcoin blockchain
4. I now have to send a lightning payment with C - x*H = r*G as the payment
point to the timestamping server and as a proof of payment the server must
reveal r to receive the money.

--> With both r and x I have a valid Pedersen commitment.

This introduces an additional security assumption to Bitcoin timestamps but
if the discrete logarithm is broken Bitcoin has bigger problems than broken

This scheme essentially shifts the risk of a timestamping service from the
buyer to the seller who now has to pay the onchain transaction fee upfront.
Hence, the seller will most likely charge a small fee upfront just like
some submarine swap providers do.

Konstantin Ketterer