rich1.0Anthony Towns [ARCHIVE] (npub17r…x9l2h)https://yabu.me/npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hnjumphttps://yabu.me📅 Original date posted:2019-09-25 📝 Original message: On Wed, Sep 25, 2019 at 11:01:28AM +0200, Konstantin Ketterer wrote: > Motivation: If I had to timestamp multiple messages I could simply aggregate > them in a merkle tree and pay relatively low fees per message. However, if I > only need to timestamp something once in a while I need to rely on free > services or pay high fees. Maybe model the timestamping service as having fixed and floating users, in which case the fixed users pay a subscription fee that covers the costs and get placed relatively high in the merkle tree, while the floating users are placed low in the merkle tree and are basically free money? Your merkle tree might then have 2**N-1 fixed slots, all at height N, then 2**K floating slots, all at height N+K, but you don't need to charge the floating slots anything up front, because your fixed costs are all paid for by subscription income from the fixed slots. You might still want to charge some up front fee to prevent people spamming you with things to timestamp that they're never going to pay for though. > Solution: buy a place in a merkle tree "risk-free" > 1. send hash x of my message (or the merkle root of another tree) to the > timstamping server > 2. server calculates Pedersen commit: C = x*H + r*G, hashes it, builds merkle > tree with other commits in it and publishes a valid transaction containing the > merkle root to the Bitcoin blockchain > 3. after a certain number of block confirmations and with the given proof I can > confirm that the commitment C is indeed part of the Bitcoin blockchain > 4. I now have to send a lightning payment with C - x*H = r*G as the payment > point  to the timestamping server and as a proof of payment the server must > reveal r to receive the money. Nice. Since it's off chain, you could also provide R and C and a zero knowledge proof that you know an r such that: R = SHA256( r ) C = SHA256( x || r ) in which case you could do it with lightning as it exists today. Cheers, aj