Covert channel recovery with Oblivious Signatures



Summary:

The email conversation between ZmnSCPxj and LL discusses the possibility of using Zero-Knowledge Contingent Payments (ZKCP) to prove discrete log equivalence in a payment scheme. ZmnSCPxj suggests that a ZKCP on the payment point and scalar could be used to gate part of the proof, without the selling node operator revealing the scalar 'z'. However, LL argues that if a secure conditional payment for the proof can be created, it would always prove the existence of the proof, regardless of whether or not payment is made. The example provided by ZmnSCPxj shows that a mere ZKCP may not always be enough to prove what is needed. LL later concedes that ZmnSCPxj's argument is correct, and that it is indeed possible to construct ZKCP payments where the messages sent by the prover, up until the point where they claim payment, could have been simulated by someone who doesn't know the witness. LL refers to a similar argument they made regarding the security of their protocol for buying an opening of a Pedersen commitment with Bitcoin, and provides a link to the document explaining it.


Updated on: 2023-06-03T03:27:29.091305+00:00