Anthony Towns [ARCHIVE] on Nostr
📅 Original date posted:2019-09-25
📝 Original message:
On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:
> > Since it's off chain, you could also provide R and C and a zero knowledge
> > proof that you know an r such that:
> > R = SHA256( r )
> > C = SHA256( x || r )
> > in which case you could do it with lightning as it exists today.
> I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network.
> However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?

If you know x and r, you can generate C and R and a zero knowledge proof
of the relationship between x,C,R that doesn't reveal r (eg, I think
you could do that with bulletproofs). Unfortunately that zkp already
proves that C was generated based on x, so you get your timestamp for
free. Ooops. :(

Cheers,
aj
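
The two hash relations discussed in this message, as an added example that is not part of the original email: a client checking `R` and `C` once `r` has been revealed. It shows that a mismatched `C` can only be detected after `r` is known, which is the gap the zero-knowledge proof is meant to fill. The function names, the 32-byte `r`, and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def server_offer(x: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Server side: pick a secret r and derive R = SHA256(r), C = SHA256(x || r).

    r is fixed at 32 bytes (an assumption) so the split of x || r is unambiguous.
    """
    r = os.urandom(32) if r is None else r
    if len(r) != 32:
        raise ValueError("r must be 32 bytes")
    return r, sha256(r), sha256(x + r)


def check_after_reveal(x: bytes, R: bytes, C: bytes, r: bytes) -> Tuple[bool, bool]:
    """Client side, after r is revealed.

    Returns (payment_ok, commitment_ok):
      payment_ok    -> R == SHA256(r), the check the payment itself enforces
      commitment_ok -> C == SHA256(x || r), which nothing enforces before the reveal
    """
    payment_ok = hmac.compare_digest(sha256(r), R)
    commitment_ok = hmac.compare_digest(sha256(x + r), C)
    return payment_ok, commitment_ok


if __name__ == "__main__":
    x = b"constructed sample document"  # constructed input, not from the thread
    r, R, C = server_offer(x)
    print("honest server:", check_after_reveal(x, R, C, r))

    # A C computed over different data still comes with a valid R, so the
    # preimage check passes and only the second check exposes the mismatch.
    _, _, wrong_C = server_offer(b"constructed other data", r)
    print("mismatched C: ", check_after_reveal(x, R, wrong_C, r))
```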
Published at 2023-06-09 12:56:13