ZmnSCPxj [ARCHIVE] on Nostr:
📅 Original date posted:2019-09-25
📝 Original message:
Good morning aj,
> On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:
>
> > > Since it's off chain, you could also provide R and C and a zero knowledge
> > > proof that you know an r such that:
> > > R = SHA256( r )
> > > C = SHA256( x || r )
>
> > > in which case you could do it with lightning as it exists today.
> > > I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network.
> > > However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?
>
> If you know x and r, you can generate C and R and a zero knowledge proof
> of the relationship between x,C,R that doesn't reveal r (eg, I think
> you could do that with bulletproofs).

Ah, yes, a generic zkp should work indeed.

> Unfortunately that zkp already
> proves that C was generated based on x, so you get your timestamp for
> free. Ooops. :(

Yes, the "existence-proof-of-a-proof-of-X is a proof-of-X".
Perhaps relevant? http://stevengoldfeder.com/papers/ZKCSP.pdf
Lightning payments are essentially zero-knowledge contingent payments already.

Regards,
ZmnSCPxj
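
The check a payer can run once `r` is revealed, as an added example that is not part of the original message. The function names and sample values are hypothetical, and `r` is assumed to be the 32-byte Lightning payment preimage. It shows that a `C` not bound to the same `r` is only caught after the payment has settled, which is the gap the zero-knowledge proof in the thread is meant to close.

```python
import hashlib
import hmac
from typing import Dict, Tuple

PREIMAGE_LEN = 32  # assumption: r is a Lightning payment preimage (32 bytes)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def server_commit(x: bytes, r: bytes) -> Tuple[bytes, bytes]:
    """Server side: R = SHA256(r), C = SHA256(x || r)."""
    if len(r) != PREIMAGE_LEN:
        raise ValueError("r must be exactly 32 bytes")
    return sha256(r), sha256(x + r)


def check_reveal(x: bytes, R: bytes, C: bytes, r: bytes) -> Dict[str, bool]:
    """Payer side, run after r is revealed by the settled payment.

    Requiring a fixed-length r keeps the x || r boundary unambiguous:
    without it, bytes could be shifted between the end of x and the
    start of r while hashing to the same C.
    """
    fixed_len = len(r) == PREIMAGE_LEN
    return {
        # What the hash lock itself enforces before the payment settles.
        "preimage_ok": fixed_len and hmac.compare_digest(sha256(r), R),
        # What the payer can only check once r is known, absent a ZKP.
        "commitment_ok": fixed_len and hmac.compare_digest(sha256(x + r), C),
    }


def demo() -> Dict[str, Dict[str, bool]]:
    # Constructed sample values, not taken from the thread.
    x = b"constructed sample data x"
    r = bytes(range(32))
    R, C = server_commit(x, r)

    honest = check_reveal(x, R, C, r)

    # A C computed over a different secret: the hash lock still opens,
    # so the payment completes, and the mismatch shows up only afterwards.
    unrelated_C = sha256(x + bytes(32))
    mismatched = check_reveal(x, R, unrelated_C, r)
    return {"honest": honest, "mismatched": mismatched}


if __name__ == "__main__":
    print(demo())
```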