rich1.0Anthony Towns [ARCHIVE] (npub17r…x9l2h)https://yabu.me/npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hnjumphttps://yabu.me📅 Original date posted:2019-09-25 📝 Original message: On Wed, Sep 25, 2019 at 01:30:39PM +0000, ZmnSCPxj wrote: > > Since it's off chain, you could also provide R and C and a zero knowledge > > proof that you know an r such that: > > R = SHA256( r ) > > C = SHA256( x || r ) > > in which case you could do it with lightning as it exists today. > I can insist on paying only if the server reveals an `r` that matches some known `R` such that `R = SHA256(r)`, as currently in Lightning network. > However, how would I prove, knowing only `R` and `x`, and that there exists some `r` such that `R = SHA256(r)`, that `C = SHA256(x || r)`? If you know x and r, you can generate C and R and a zero knowledge proof of the relationship between x,C,R that doesn't reveal r (eg, I think you could do that with bulletproofs). Unfortunately that zkp already proves that C was generated based on x, so you get your timestamp for free. Ooops. :( Cheers, aj