[Lightning-dev] Pay-for-Elgamal-decryption-key and its application to Anonymous Credentials

Joe Miyamoto Philips joemphilips at gmail.com
Mon Feb 8 10:33:36 UTC 2021


(I have replied without changing the subject line by mistake, so I will reply
again. Sorry for spamming.)

> But I see the advantage of your idea. If a malicious credential server is able to identify you somehow at the point of payment then they might want
> to selectively steal your money while being honest with everyone else.
> In your scheme, if you pay you get the credential and then since it is anonymous it can't be distinguished from others when you go to claim whatever it entails.
> Is this the idea?

Yes. And in the case of a trustful exchange with LN, the malicious server does
not even have to distinguish a user. The server can just choose one private
channel that is connected to itself and decide to be dishonest to it.
The victim has no way to prove that he did NOT receive a credential after
payment.

Even if the server acts completely honestly, the user may claim that
they did not receive the credentials after payment. Other entities
have no way to tell if the user has been fooled or they are just
trying to undermine the reputation of the service.
(In the case of credential presentation, it is easy to check if the
server is acting honestly. Just run the blind-show protocol and check
if the server acts as expected. The blind-show can be run by anyone and
the server has no way to distinguish which credential they received.)

Thus I think making an exchange atomic in this way is necessary for a
commercial application.

