[Lightning-dev] Selling timestamps (via payment points and scalars + Pedersen commitments ) [try2]

Anthony Towns aj at erisian.com.au
Wed Sep 25 19:29:58 UTC 2019


On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:
> > Since it's off chain, you could also provide R and C and a zero knowledge
> > proof that you know an r such that:
> > R = SHA256( r )
> > C = SHA256( x || r )
> >
> > in which case you could do it with lightning as it exists today.
> I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network.
> However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?

If you know x and r, you can generate C and R and a zero knowledge proof
of the relationship between x,C,R that doesn't reveal r (e.g., I think
you could do that with bulletproofs). Unfortunately that zkp already
proves that C was generated based on x, so you get your timestamp for
free. Ooops. :(

Cheers,
aj
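
The gap raised in the quoted question, as an added example that is not part of the original message: a hash-locked payment only checks the preimage against `R`, so without a proof tying `C` to `x` the payer can verify `C = SHA256(x || r)` only after `r` is revealed and the payment has settled. All function names and sample values here are hypothetical and constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def server_offer(x: bytes, r: bytes, honest: bool = True):
    """Server publishes (R, C) before payment; r stays secret.
    A dishonest server commits to something other than the client's x."""
    committed = x if honest else b"unrelated data"
    return sha256(r), sha256(committed + r)

def htlc_releases_payment(R: bytes, preimage: bytes) -> bool:
    """The only condition the hash-locked payment enforces: R = SHA256(r)."""
    return sha256(preimage) == R

def client_check_after_reveal(x: bytes, R: bytes, C: bytes, r: bytes) -> bool:
    """Needs r, so it can only run once the payment has already settled."""
    return sha256(r) == R and sha256(x + r) == C

def run(honest: bool):
    x = b"constructed document digest"  # constructed sample input
    r = bytes(range(32))                # fixed for reproducibility; a real r is random
    R, C = server_offer(x, r, honest)
    paid = htlc_releases_payment(R, r)               # server claims the payment with r
    valid = client_check_after_reveal(x, R, C, r)    # client learns the truth too late
    return paid, valid

if __name__ == "__main__":
    print("honest server:    paid=%s, timestamp valid=%s" % run(True))
    print("dishonest server: paid=%s, timestamp valid=%s" % run(False))
```
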


