{"type":"rich","version":"1.0","title":"Anthony Towns [ARCHIVE] wrote","author_name":"Anthony Towns [ARCHIVE] (npub17r…x9l2h)","author_url":"https://yabu.me/npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2h","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2019-09-25\n📝 Original message:\nOn Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote:\n\u003e \u003e Since it's off chain, you could also provide R and C and a zero knowledge\n\u003e \u003e proof that you know an r such that:\n\u003e \u003e R = SHA256( r )\n\u003e \u003e C = SHA256( x || r )\n\n\u003e \u003e in which case you could do it with lightning as it exists today.\n\u003e I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network.\n\u003e However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`?\n\nIf you know x and r, you can generate C and R and a zero knowledge proof\nof the relationship between x,C,R that doesn't reveal r (eg, I think\nyou could do that with bulletproofs). Unfortunately that zkp already\nproves that C was generated based on x, so you get your timestamp for\nfree. Ooops. :(\n\nCheers,\naj"}