
Topic: The first successful Zero-Knowledge Contingent Payment (Read 2456 times)

legendary
Activity: 1260
Merit: 1019
How can we use this?
If you are asking this question then the answer would be: you cannot use it. Point.
legendary
Activity: 1456
Merit: 1000
ZKCP + CLTV
legendary
Activity: 1512
Merit: 1004
Cool.
Shared on Blockchain.hk.
legendary
Activity: 1176
Merit: 1132
solution to a 16x16 Sudoku puzzle for 0.10 BTC....good idea
Have to start with something. Seems much better than a solution to a tic-tac-toe problem.

Just keep in mind it is the "hello world" to show this concept actually works

I hope there will be reference verifiers and easy to follow examples for more practical things, like privkey swap for BTC

hint, hint

James

P.S. before you start posting that to swap a privkey is silly, consider a 2of2 msig where you already have the other half
sr. member
Activity: 420
Merit: 250
solution to a 16x16 Sudoku puzzle for 0.10 BTC....good idea
legendary
Activity: 1176
Merit: 1132
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file can verify it by using the same hash on it and comparing the result with the advertised one.
That is a commitment, but no way to verify until after the file is received.

Who sends first? The BTC or the mp3? Either way, your method requires trusting the other party.

That is why ZKP is a significant breakthrough, just at the impractical "only for lab" stage. Just need to identify the 100 largest data markets that have verifiable deliverables and code up the 100 verifiers.

The next step is to identify the top such markets. Maybe it's just me, but I don't see a large market for solutions to simple games, when you can run computers to do brute-force searches for most all games. Seems the big markets for this would be when there are cryptographically verifiable deliverables tied to real world things, like deeds and titles.

Then you can do an official closing for a real estate deal without any escrow company in the middle taking the percents, and neither side at risk of non-delivery. As I said before, this is "hello world", but from that everything can be built

James
staff
Activity: 3374
Merit: 6530
Just writing some code
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file can verify it by using the same hash on it and comparing the result with the advertised one.
But that isn't a Zero-knowledge proof. The proof is the data itself, not some subset of the data which proves the data is legit but does not reveal the data itself.
hero member
Activity: 634
Merit: 500
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file can verify it by using the same hash on it and comparing the result with the advertised one.
sr. member
Activity: 278
Merit: 251
ABISprotocol on Gist
Very cool.
hero member
Activity: 718
Merit: 545
Brilliant.

Well played.
full member
Activity: 315
Merit: 103
This is huge!

To improve efficiency, a Pedersen Commitment (i.e. g^Ex * h^r) or a plain exponentiation g^Ex (so 1-2 exponentiations in a finite group) could be used instead of SHA256.

Con: a new opcode is needed.
Pros: efficiency, and the PC / exponent could itself be proven in ZK in a very efficient way via Sigma protocols (can't imagine a useful example though).
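Added example, not from the poster above or from any project in this thread: a Python model of the Pedersen commitment suggested here, written g^x * h^r, in the prime-order subgroup of Z_p* for a safe prime p = 2q + 1. The group is generated at runtime at 128 bits purely for illustration (assumption: a real deployment would use a standard group or an elliptic curve), and h is derived by hashing a fixed string so that nobody knows its discrete log with respect to g (the usual nothing-up-my-sleeve assumption, which is what gives the binding property). It shows the opening check, that re-randomising r changes the commitment for the same x (hiding), and the additive homomorphism that makes such commitments convenient inside Sigma protocols.

```python
"""Pedersen commitment g^x * h^r in the order-q subgroup of Z_p^*, p = 2q + 1
(added illustration; parameters are generated at runtime and are not
production-sized)."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test preceded by trial division."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return (p, q) with p = 2q + 1 and both prime; p has exactly `bits` bits."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


class Pedersen:
    def __init__(self, bits=128):
        self.p, self.q = safe_prime(bits)
        self.g = 4                                  # 2^2 is a square, hence of order q
        # h is a hash-derived square; its discrete log base g is assumed to be
        # unknown to everyone (nothing-up-my-sleeve), which makes commitments binding.
        seed = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big")
        self.h = pow(seed % self.p, 2, self.p)
        assert self.h not in (0, 1)

    def random_scalar(self):
        return secrets.randbelow(self.q)

    def commit(self, x, r):
        """C = g^x * h^r mod p; x is the committed value, r the blinding factor."""
        return pow(self.g, x % self.q, self.p) * pow(self.h, r % self.q, self.p) % self.p

    def verify_opening(self, c, x, r):
        """Opening check: the receiver recomputes the commitment from (x, r)."""
        return c == self.commit(x, r)
```

Committing to the same x twice with different r gives unrelated-looking values, and C1 * C2 opens to (x1 + x2, r1 + r2), which is the property a Sigma protocol exploits when proving a relation about a committed value without opening it.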
legendary
Activity: 1176
Merit: 1132
How can we use this?
A trustless sudoku solutions market can now be created.

For each class of problem, there needs to be a custom verifier and also a defined format for the proposed solutions, so the custom verifiers will know how exactly to verify it.

At the abstract level, it is very cool
At the practical level, it is just the "hello world"

Now we just need dozens of verifiers for the top dozens of information markets that can be automatically verified.

Maybe it is possible to verify the chemical properties of complex molecules with a simulator. If so, then that simulator combined with specific required properties to evaluate true/false and you would have a trustless way to get a copy of the chemical formula with said properties. But not sure if there is a way to detect something is a "cure for cancer" via simulation.

Keep in mind, you only get a copy as there is no known way (to me) to prove that you have destroyed all copies. Still in spite of the practical issues, it is the first atomic trade of bitcoin for information that I know of.

James
legendary
Activity: 1176
Merit: 1132
In the context of your Sudoku puzzle, what is the proof and how does that proof prove that the sender knows the solution without actually telling the receiver what it is? Can you give an example?
It is "standard" ZKP, code is at https://github.com/zcash/pay-to-sudoku

without all the math, the idea is that there is a program, which is converted to a circuit which can be implemented out of crypto operations so what you end up with is a blackbox that outputs true or false

no information leaks outside the blackbox, other than true or false

so all you need is a validation program for each class of data being exchanged that can evaluate the solution and determine if it works or not.

triggering a bitcoin payment based on the true or false output and we get the announced sudoku result.

James
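Added example, not code from the pay-to-sudoku project or from anyone in this thread: a Python model of the pieces this post lists, a "validation program" for one class of data (an N x N Sudoku solution, generalised from the 16x16 case so that a 4x4 instance can be used), a SHA256 commitment to a decryption key as in the hash-commitment exchange elsewhere in the thread, and a payment that can be claimed only by revealing that key, so that the seller's act of collecting is what hands the key to the buyer. The encrypt-then-hash-lock structure follows my reading of the linked announcement, which the thread only sketches. The zero-knowledge proof that convinces the buyer before paying is not implemented: `seller_statement_holds` evaluates the same statement in the clear and merely stands in for it. The 4x4 puzzle, the HMAC-based keystream and all names are constructed for this illustration.

```python
"""Model of the ZKCP building blocks named in the thread (added illustration,
not the pay-to-sudoku code): a verifier for one data class, a SHA256 key
commitment, and a payment claimable only by revealing the committed key."""
import hashlib
import hmac
import math
import secrets

# Constructed 4x4 instance (the live demo used 16x16; the verifier is N x N).
PUZZLE = [[1, 0, 0, 4], [0, 4, 1, 0], [0, 1, 4, 0], [4, 0, 0, 1]]
SOLUTION = [[1, 2, 3, 4], [3, 4, 1, 2], [2, 1, 4, 3], [4, 3, 2, 1]]
BAD_SOLUTION = [[2, 1, 3, 4], [3, 4, 1, 2], [2, 1, 4, 3], [4, 3, 2, 1]]


def verify_sudoku(puzzle, solution):
    """The validation program for this data class: True iff `solution`
    completes `puzzle` (0 = empty) with every row, column and box a
    permutation of 1..N."""
    n = len(puzzle)
    box = math.isqrt(n)
    if box * box != n or len(solution) != n or any(len(r) != n for r in solution):
        return False
    full = set(range(1, n + 1))
    for r in range(n):
        for c in range(n):
            if puzzle[r][c] and puzzle[r][c] != solution[r][c]:
                return False                      # a given cell was altered
    for i in range(n):
        if set(solution[i]) != full or {solution[r][i] for r in range(n)} != full:
            return False
    for br in range(0, n, box):
        for bc in range(0, n, box):
            cells = {solution[r][c] for r in range(br, br + box)
                     for c in range(bc, bc + box)}
            if cells != full:
                return False
    return True


def encode(grid):
    return bytes(v for row in grid for v in row)


def decode(data, n):
    return [list(data[i * n:(i + 1) * n]) for i in range(n)]


def keystream_xor(key, data):
    """Counter-mode keystream from HMAC-SHA256, constructed for this example
    (not the cipher the real client uses)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def commit(key):
    """SHA256 commitment to the key: publishing it reveals nothing, and its
    preimage is what the payment script demands."""
    return hashlib.sha256(key).digest()


def seller_offer(solution):
    """Seller encrypts the solution under a fresh key and publishes the
    ciphertext plus a commitment to the key."""
    key = secrets.token_bytes(32)
    return key, {"ciphertext": keystream_xor(key, encode(solution)),
                 "commitment": commit(key)}


def seller_statement_holds(puzzle, offer, key):
    """Stand-in for the zero-knowledge proof. In the real protocol the buyer
    is convinced of exactly this statement WITHOUT learning `key`; here it is
    evaluated in the clear so the flow can be run end to end."""
    plain = decode(keystream_xor(key, offer["ciphertext"]), len(puzzle))
    return commit(key) == offer["commitment"] and verify_sudoku(puzzle, plain)


class HashLockedPayment:
    """An output spendable only by presenting the SHA256 preimage of
    `commitment`; spending it publishes that preimage."""

    def __init__(self, commitment, amount_sat):
        self.commitment = commitment
        self.amount_sat = amount_sat
        self.revealed = None

    def claim(self, preimage):
        if self.revealed is None and hashlib.sha256(preimage).digest() == self.commitment:
            self.revealed = preimage
            return True
        return False


def run_exchange(puzzle, solution, amount_sat=10_000_000):
    """Full flow: offer, buyer-side check, hash-locked payment, seller claim,
    buyer decrypts with the key the claim exposed. Returns the recovered
    solution, or None when the buyer refuses to pay."""
    key, offer = seller_offer(solution)
    if not seller_statement_holds(puzzle, offer, key):
        return None                       # proof fails: no payment, nothing learned
    payment = HashLockedPayment(offer["commitment"], amount_sat)
    if not payment.claim(key):            # seller spends, revealing the key
        return None
    return decode(keystream_xor(payment.revealed, offer["ciphertext"]), len(puzzle))
```

Swapping `verify_sudoku` for another validation program is the only change needed for a different class of data, which is the point made above about one verifier per market; what stays fixed is the commitment and the hash-locked spend.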
hero member
Activity: 560
Merit: 502
How can we use this?
staff
Activity: 3374
Merit: 6530
Just writing some code
In the context of your Sudoku puzzle, what is the proof and how does that proof prove that the sender knows the solution without actually telling the receiver what it is? Can you give an example?
legendary
Activity: 1176
Merit: 1132
I'm wondering though, does this mean a transaction can be proven to have been made without releasing details of the transaction?
That would be a separate thing.

From what I can tell, this method allows to exchange bitcoins for any digital info that you can write a custom verifier for. As such, it would be possible to trade solutions to verifiable problems without disclosing the solution to the other party, so it is indeed quite a feat.

Now we just need a zillion different verifiers. Unfortunately I don't see how to make verifiers for most classes of things, especially anything with any subjective aspects. How could an mp3 recording be verified to be what it is supposed to be? You couldn't code the verifier to compare signals, well you could but if you could and already have the signal, then why would you pay for another copy?

However within the scope of verifiable things, ie crypto payments, validity of privkey, etc. it appears to be quite useful and would solve some otherwise sticky wickets.

James
member
Activity: 76
Merit: 14
I'm wondering though, does this mean a transaction can be proven to have been made without releasing details of the transaction?
staff
Activity: 4158
Merit: 8382
Do you have example code for how the sudoku was verified in zero knowledge? If you are using libsnark, I assume it is in C, which is perfect for me.
Linked near the bottom of the article now. The client is a mixture of Rust and C++.

Quote
However each content type will need to have a libsnark circuit derived from C code. How to verify subjective things? I guess that is a problem for another day. Could it be verified that what is being delivered is a valid privkey? If that privkey had utxo in a 2of2 multisig where the buyer controlled the other privkey, then I think it enables guaranteed atomic swaps.
Sure it could, but there are other ways to do atomic swaps that are likely much more efficient.

Quote
The main question is when will this hit mainnet?
It's on mainnet _now_. The transactions today were done on mainnet. Nothing new was needed in Bitcoin for this.
legendary
Activity: 1176
Merit: 1132
Do you have example code for how the sudoku was verified in zero knowledge? If you are using libsnark, I assume it is in C, which is perfect for me.

To paraphrase this, it looks like transactions can be done where both the payment is assured and the deliverable is assured, without any chance of gun fights. Totally decoupling the payment from the content.

However each content type will need to have a libsnark circuit derived from C code. How to verify subjective things? I guess that is a problem for another day. Could it be verified that what is being delivered is a valid privkey? If that privkey had utxo in a 2of2 multisig where the buyer controlled the other privkey, then I think it enables guaranteed atomic swaps.

The main question is when will this hit mainnet?

James
staff
Activity: 4158
Merit: 8382
I am happy to announce the first successful Zero-Knowledge Contingent Payment (ZKCP) on the Bitcoin network.

ZKCP is a transaction protocol that allows a buyer to purchase information from a seller using Bitcoin in a manner which is private, scalable, secure, and which doesn’t require trusting anyone: the expected information is transferred if and only if the payment is made. The buyer and seller do not need to trust each other or depend on arbitration by a third party.

Imagine a movie-style “briefcase swap” (one party with a briefcase full of cash, another containing secret documents), but without the potential scenario of one of the cases being filled with shredded newspaper and the resulting exciting chase scene.

An example application would be the owners of a particular make of e-book reader cooperating to purchase the DRM master keys from a failing manufacturer, so that they could load their own documents on their readers after the vendor’s servers go offline. This type of sale is inherently irreversible, potentially crosses multiple jurisdictions, and involves parties whose financial stability is uncertain, meaning that both parties either take a great deal of risk or have to make difficult arrangements. Using a ZKCP avoids the significant transactional costs involved in a sale which can otherwise easily go wrong.

In today’s transaction I purchased a solution to a 16x16 Sudoku puzzle for 0.10 BTC from Sean Bowe, a member of the Zcash team, as part of a demonstration performed live at Financial Cryptography 2016 in Barbados. I played my part in the transaction remotely from California.

The transfer involved two transactions:

    8e5df5f792ac4e98cca87f10aba7947337684a5a0a7333ab897fb9c9d616ba9e
    200554139d1e3fe6e499f6ffb0b6e01e706eb8c897293a7f6a26d25e39623fae

Almost all of the engineering work behind this ZKCP implementation was done by Sean Bowe, with support from Pieter Wuille, myself, and Madars Virza.


Read more, including technical details and links to the software at https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/