Anthony Towns [ARCHIVE] on Nostr: 📅 Original date posted:2018-11-05 📝 Original message: On Mon, Nov 05, 2018 at ...
📅 Original date posted:2018-11-05
📝 Original message:
On Mon, Nov 05, 2018 at 01:05:17AM +0000, ZmnSCPxj via Lightning-dev wrote:
> > And it just doesn't work unless you give over uniquely identifying
> > information. AJ posts to r/bitcoin demonstrating payment, demanding his
> > goods. Sock puppet says "No, I'm the AJ in Australia" and cut & pastes
> > the same proof.
> Technically speaking, all that AJ in Australia needs to show is that he or she knows the private key behind the public key that is indicated on the invoice.

Interesting. I think what you're saying is that with secp256k1 preimages
(with decorrelation), if you have the payment hash Q, then the payment
preimage q (Q=q*G) is only known to the payee and the payer (and not
any intermediaries thanks to decorrelation), so if you see a statement

  m="This invoice has been paid but not delivered as at 2018-11-05"

signed by "Q" (so, some s,R s.t. s*G = R + H(Q,R,m)*Q) then that means
either the payee signed it, in which case there's no dispute, or the
payer signed it... And that's publicly verifiable with only the original
invoice information (ie "Q").

(I don't think there's any need for multiple rounds of signatures)

FWIW, I don't see reddit as a particularly viable "court"; there's
no way for reddit to tell who's actually right in a dispute, eg if I
say blockstream didn't send stickers I paid for, and blockstream says
they did; ie there's no need for a sock puppet in the above scenario,
blockstream can just say "according to our records you signed for
delivery, stop whinging". (And if we both agree that it did or didn't
arrive, there's no need to post cryptographic proofs to reddit afaics)

I think there's maybe four sorts of "proof of payment" people might
desire:

  0) no proof: "completely" deniable payments (donations?)

  1) shared secret: ability to prove directly to the payee that an
     invoice was paid (what we have now)

  2) signed payment: ability to prove to a different business unit of
     the payee that payment was made, so that you can keep all the
     secrets in the payment-handling part, and have the service-delivery
     part not be at risk for losing all your money

  3) third-party verifiable: so you can associate a payment with real
     world identity information, and take them to court (or reddit) as a
     contract dispute; needs PKI infrastructure so you can be confident
     the pubkey maps to the real world people you think it does, etc

Cheers,
aj
Published at
2023-06-09 12:52:06