{"type":"rich","version":"1.0","title":"Anthony Towns [ARCHIVE] wrote","author_name":"Anthony Towns [ARCHIVE] (npub17r…x9l2h)","author_url":"https://yabu.me/npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2h","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2019-09-25\n📝 Original message:\nOn Wed, Sep 25, 2019 at 11:01:28AM +0200, Konstantin Ketterer wrote:\n\u003e Motivation: If I had to timestamp multiple messages I could simply aggregate\n\u003e them in a merkle tree and pay relatively low fees per message. However, if I\n\u003e only need to timestamp something once in a while I need to rely on free\n\u003e services or pay high fees.\n\nMaybe model the timestamping service as having fixed and floating users,\nin which case the fixed users pay a subscription fee that covers the costs\nand get placed relatively high in the merkle tree, while the floating\nusers are placed low in the merkle tree and are basically free money?\n\nYour merkle tree might then have 2**N-1 fixed slots, all at height N,\nthen 2**K floating slots, all at height N+K, but you don't need to charge\nthe floating slots anything up front, because your fixed costs are all\npaid for by subscription income from the fixed slots.\n\nYou might still want to charge some up front fee to prevent people\nspamming you with things to timestamp that they're never going to pay\nfor though.\n\n\u003e Solution: buy a place in a merkle tree \"risk-free\"\n\u003e 1. send hash x of my message (or the merkle root of another tree) to the\n\u003e timestamping server\n\u003e 2. server calculates Pedersen commit: C = x*H + r*G, hashes it, builds merkle\n\u003e tree with other commits in it and publishes a valid transaction containing the\n\u003e merkle root to the Bitcoin blockchain\n\u003e 3. after a certain number of block confirmations and with the given proof I can\n\u003e confirm that the commitment C is indeed part of the Bitcoin blockchain\n\u003e 4. I now have to send a lightning payment with C - x*H = r*G as the payment\n\u003e point  to the timestamping server and as a proof of payment the server must\n\u003e reveal r to receive the money.\n\nNice.\n\nSince it's off chain, you could also provide R and C and a zero knowledge\nproof that you know an r such that:\n\n   R = SHA256( r )\n   C = SHA256( x || r )\n\nin which case you could do it with lightning as it exists today.\n\nCheers,\naj"}
