Published on: 2019-09-26T16:51:47+00:00
Recently, Konstantin Ketterer proposed a solution for timestamping data using Bitcoin's blockchain. The system involves sending a hash of the message to a timestamping server, which calculates a Pedersen commit and builds a merkle tree with other commits. A valid transaction containing the merkle root is then published to the Bitcoin blockchain. After a certain number of blocks, the user can confirm that the commitment is part of the blockchain. To prove payment, a lightning payment with C - x*H = r*G as the payment point is sent to the timestamping server.However, there already exist scalable timestamping services like OpenTimestamps, which use giant merkle trees built every second to amortize the cost of BTC transactions across all timestamps worldwide, eliminating the need to charge for timestamps. Additionally, Andrew Poelstra has created a pull request to add secp256k1 commitments to OpenTimestamps, which could be useful for implementing Konstantin's proposed system.The discussion also explores the idea of paying for decommitment using the Pedersen commitments and pay-to-point approach, as well as the possibility of using payment channels with hashes. The concept of HTLC unlocks based on providing an r such that H(r || x) == C is introduced. However, it is noted that the zero-knowledge proof already proves that C was generated based on x, making the timestamp unnecessary.In another conversation, ZmnSCPxj suggests using a zero-knowledge proof that proves the relationship between x, C, and R without revealing the secret r. They discuss the challenge of proving that C = SHA256(x || r) knowing only R and x. It is suggested that generating C and R along with a generic zkp of the relationship between x, C, and R without revealing r could be a potential solution. They also mention that lightning payments are essentially zero-knowledge contingent payments.Another discussion explores using Lightning Network to pay for a server, with the suggestion of providing R and C along with a zero-knowledge proof that one knows an r such that R = SHA256(r) and C = SHA256(x || r). It is noted that currently in Lightning network, payment is only made if the server reveals an r that matches some known R such that R = SHA256(r). The challenge is then posed of proving, knowing only R and x, that C = SHA256(x || r). The use of bulletproofs is suggested for generating a zero-knowledge proof, but it is also noted that this proof already proves that C was generated based on x, making the timestamp unnecessary.The proposed solution involves buying a place in a Merkle tree "risk-free" by sending a hash x of a message to the timestamping server, which calculates a Pedersen commit, builds a Merkle tree with other commits, and publishes it in the Bitcoin blockchain. After confirmation of commitment C, payment can be made using a lightning payment with C - xH = rG as the payment point. However, it is mentioned that Lightning does not yet support payment points/scalars. The concept of fixed and floating users is introduced, where fixed users pay a subscription fee and are placed relatively high in the Merkle tree, while floating users are placed low in the Merkle tree and are essentially free money. It is suggested that some up-front fee should be charged to prevent spamming with things to timestamp that will never be paid for. A zero-knowledge proof is proposed where R = SHA256(r) and C = SHA256(x || r), but it is unclear how to prove this operation knowing only R and x.In summary, Konstantin Ketterer proposes a solution for timestamping data on the Bitcoin blockchain using a Pedersen commit. However, scalable timestamping services like OpenTimestamps already exist, and there are discussions around paying for decommitment and using zero-knowledge proofs to prove the relationship between x, C, and R. The use of Lightning Network for payment is also explored, along with the challenges of proving certain operations knowing only R and x.
Updated on: 2023-07-31T21:56:01.380413+00:00