Bitcoin Forum
Topic: The first successful Zero-Knowledge Contingent Payment (Read 2378 times)
gmaxwell (Moderator)
February 26, 2016, 10:40:35 PM, #1

I am happy to announce the first successful Zero-Knowledge Contingent Payment (ZKCP) on the Bitcoin network.

ZKCP is a transaction protocol that allows a buyer to purchase information from a seller using Bitcoin in a manner which is private, scalable, secure, and which doesn’t require trusting anyone: the expected information is transferred if and only if the payment is made. The buyer and seller do not need to trust each other or depend on arbitration by a third party.

Imagine a movie-style “briefcase swap” (one party with a briefcase full of cash, another containing secret documents), but without the potential scenario of one of the cases being filled with shredded newspaper and the resulting exciting chase scene.

An example application would be the owners of a particular make of e-book reader cooperating to purchase the DRM master keys from a failing manufacturer, so that they could load their own documents on their readers after the vendor’s servers go offline. This type of sale is inherently irreversible, potentially crosses multiple jurisdictions, and involves parties whose financial stability is uncertain–meaning that both parties either take a great deal of risk or have to make difficult arrangement. Using a ZKCP avoids the significant transactional costs involved in a sale which can otherwise easily go wrong.

In today’s transaction I purchased a solution to a 16x16 Sudoku puzzle for 0.10 BTC from Sean Bowe, a member of the Zcash team, as part of a demonstration performed live at Financial Cryptography 2016 in Barbados. I played my part in the transaction remotely from California.

The transfer involved two transactions:

    8e5df5f792ac4e98cca87f10aba7947337684a5a0a7333ab897fb9c9d616ba9e
    200554139d1e3fe6e499f6ffb0b6e01e706eb8c897293a7f6a26d25e39623fae

Almost all of the engineering work behind this ZKCP implementation was done by Sean Bowe, with support from Pieter Wuille, myself, and Madars Virza.


Read more, including technical details and links to the software at https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/

Bitcoin will not be compromised
jl777
February 27, 2016, 12:05:41 AM, #2

Do you have example code for how the sudoku was verified in zero knowledge? If you are using libsnark, I assume it is in C, which is perfect for me.

To paraphrase this, it looks like transactions can be done where both the payment is assured and the deliverable is assured, without any chance of gun fights. Totally decoupling the payment from the content.

However each content type will need to have a libsnark circuit derived from C code. How to verify subjective things? I guess that is a problem for another day. Could it be verified that what is being delivered is a valid privkey? If that privkey had utxo in a 2of2 multisig where the buyer controlled the other privkey, then I think it enables guaranteed atomic swaps.

The main question is when will this hit mainnet?

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
gmaxwell (Moderator)
February 27, 2016, 12:50:16 AM, #3

Quote
Do you have example code for how the sudoku was verified in zero knowledge? If you are using libsnark, I assume it is in C, which is perfect for me.
Linked near the bottom of the article now. The client is a mixture of rust and C++.

Quote
However each content type will need to have a libsnark circuit derived from C code. How to verify subjective things? I guess that is a problem for another day. Could it be verified that what is being delivered is a valid privkey? If that privkey had utxo in a 2of2 multisig where the buyer controlled the other privkey, then I think it enables guaranteed atomic swaps.
Sure it could, but there are other ways to do atomic swaps that are likely much more efficient.

Quote
The main question is when will this hit mainnet?
It's on mainnet _now_. The transactions today were done on mainnet. Nothing new was needed in Bitcoin for this.

plorph
February 27, 2016, 04:42:40 AM, #4

I'm wondering though, does this mean a transaction can be proven to have been made without releasing details of the transaction?

puh-lorph
jl777
February 27, 2016, 04:52:00 AM, #5

Quote
I'm wondering though, does this mean a transaction can be proven to have been made without releasing details of the transaction?
That would be a separate thing.

From what I can tell, this method allows exchanging bitcoins for any digital info that you can write a custom verifier for. As such, it would be possible to trade solutions to verifiable problems without disclosing the solution to the other party, so it is indeed quite a feat.

Now we just need a zillion different verifiers. Unfortunately I don't see how to make verifiers for most classes of things, especially anything with any subjective aspects. How could an mp3 recording be verified to be what it is supposed to be? You couldn't code the verifier to compare signals; well, you could, but if you could and already have the signal, then why would you pay for another copy?

However, within the scope of verifiable things, i.e. crypto payments, validity of privkey, etc., it appears to be quite useful and would solve some otherwise sticky wickets.

James

achow101 (Moderator)
February 28, 2016, 03:13:09 AM, #6

In the context of your Sudoku puzzle, what is the proof, and how does that proof prove that the sender knows the solution without actually telling the receiver what it is? Can you give an example?

WhatsBitcoin
February 28, 2016, 04:56:05 AM, #7

How can we use this?

Get sick. Get well.
jl777
February 28, 2016, 05:02:11 AM, #8

Quote
In the context of your Sudoku puzzle, what is the proof, and how does that proof prove that the sender knows the solution without actually telling the receiver what it is? Can you give an example?
It is "standard" ZKP, code is at https://github.com/zcash/pay-to-sudoku

Without all the math, the idea is that there is a program, which is converted to a circuit which can be implemented out of crypto operations, so what you end up with is a black box that outputs true or false.

No information leaks outside the black box, other than true or false.

So all you need is a validation program for each class of data being exchanged that can evaluate the solution and determine if it works or not.

Triggering a bitcoin payment based on the true or false output, we get the announced sudoku result.

James

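An added illustration (not code from this thread or from the pay-to-sudoku project) of the pieces around the "black box" described in post #8: the validation program the circuit evaluates, the seller's key commitment, the SHA256 hashlock the payment is sent to, and the buyer's decryption once the key is revealed on chain. The zk-SNARK that proves the ciphertext decrypts, under the preimage of H, to a valid solution is the one part left out; the 4x4 puzzle, the XOR keystream cipher and the script text are constructed assumptions.

```python
import hashlib
from itertools import product

N = 4  # constructed 4x4 instance (the demo used 16x16); 0 marks an empty cell
PUZZLE = [[1, 0, 0, 4], [0, 4, 1, 0], [0, 1, 4, 0], [4, 0, 0, 1]]
SOLUTION = [[1, 2, 3, 4], [3, 4, 1, 2], [2, 1, 4, 3], [4, 3, 2, 1]]

def is_valid_solution(puzzle, sol):
    """The statement the ZKCP circuit evaluates: sol completes puzzle under Sudoku rules."""
    box = int(N ** 0.5)
    if len(sol) != N or any(len(r) != N for r in sol):
        return False
    for r, c in product(range(N), repeat=2):
        if puzzle[r][c] and puzzle[r][c] != sol[r][c]:  # given clues must be kept
            return False
    full = set(range(1, N + 1))
    rows = all(set(r) == full for r in sol)
    cols = all({sol[r][c] for r in range(N)} == full for c in range(N))
    boxes = all({sol[r][c] for r in range(br, br + box) for c in range(bc, bc + box)} == full
                for br in range(0, N, box) for bc in range(0, N, box))
    return rows and cols and boxes

def keystream_xor(key, data):
    """Constructed stand-in cipher: XOR with a SHA256-derived keystream (self-inverse)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encode(sol):
    return bytes(v for row in sol for v in row)

def decode(blob):
    return [list(blob[i * N:(i + 1) * N]) for i in range(N)]

def seller_offer(puzzle, sol, key):
    """Seller side: ciphertext plus key commitment H = SHA256(key). The zk-SNARK (omitted
    here) would prove that the ciphertext decrypts under the preimage of H to a valid solution."""
    assert is_valid_solution(puzzle, sol)
    return keystream_xor(key, encode(sol)), hashlib.sha256(key).digest()

def hashlock_script(key_hash, seller_pubkey_hex):
    """On-chain side (assumed script text): spendable only by revealing the SHA256 preimage."""
    return f"OP_SHA256 {key_hash.hex()} OP_EQUALVERIFY {seller_pubkey_hex} OP_CHECKSIG"

def buyer_redeem(puzzle, ct, key_hash, revealed_key):
    """Buyer side after the seller spends the hashlock: check the key matches H, then decrypt."""
    if hashlib.sha256(revealed_key).digest() != key_hash:
        return None
    sol = decode(keystream_xor(revealed_key, ct))
    return sol if is_valid_solution(puzzle, sol) else None
```

Because the seller can only collect by publishing the preimage of H, the key the buyer needs is exactly what appears in the spending transaction, which is what makes the exchange atomic.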
jl777
February 28, 2016, 05:08:19 AM, #9

Quote
How can we use this?
A trustless sudoku solutions market can now be created.

For each class of problem, there needs to be a custom verifier and also a defined format for the proposed solutions, so the custom verifiers will know how exactly to verify it.

At the abstract level, it is very cool
At the practical level, it is just the "hello world"

Now we just need dozens of verifiers for the top dozens of information markets that can be automatically verified.

Maybe it is possible to verify the chemical properties of complex molecules with a simulator. If so, then that simulator combined with specific required properties to evaluate true/false would give you a trustless way to get a copy of the chemical formula with said properties. But not sure if there is a way to detect something is a "cure for cancer" via simulation.

Keep in mind, you only get a copy as there is no known way (to me) to prove that you have destroyed all copies. Still in spite of the practical issues, it is the first atomic trade of bitcoin for information that I know of.

James

kushti
February 28, 2016, 02:30:52 PM, #10

This is huge!

To improve efficiency, a Pedersen Commitment (i.e. g^Ex * h^r) or an exponentiation g^Ex (so 1-2 exponentiations in a finite group) could be used instead of SHA256.

Con: new opcode is needed
Pros: efficiency, and the PC / exponent could itself be proven in ZK in a very efficient way via Sigma protocols (can't imagine a useful example though).

Ergo Platform. Part-time IOHK Research. Previously Nxt core dev / SmartContract.com cofounder.
spartacusrex
February 28, 2016, 11:18:11 PM, #11

Brilliant.

Well played.

ABISprotocol
February 29, 2016, 02:28:11 AM, #12

Very cool.

ABISprotocol (Github/Gist)
http://abis.io
Le Happy Merchant
February 29, 2016, 03:44:52 AM, #13

Quote
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file to can verify it by using the same hash on it and comparing the result with the advertised one.

achow101 (Moderator)
February 29, 2016, 03:50:04 AM, #14

Quote
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file to can verify it by using the same hash on it and comparing the result with the advertised one.
But that isn't a Zero-knowledge proof. The proof is the data itself, not some subset of the data which proves the data is legit but does not reveal the data itself.

jl777
February 29, 2016, 03:58:39 AM, #15

Quote
How could an mp3 recording be verified to be what it is supposed to be?

If you hash the file you can post the hash, and retain the file. Anyone you send the file to can verify it by using the same hash on it and comparing the result with the advertised one.
That is a commitment, but no way to verify until after the file is received.

Who sends first, the BTC or the mp3? Either way, your method requires trusting the other party.

That is why ZKP is a significant breakthrough, just at the impractical "only for lab" stage. Just need to identify the 100 largest data markets that have verifiable deliverables and code up the 100 verifiers.

The next step is to identify the top such markets. Maybe it's just me, but I don't see a large market for solutions to simple games, when you can run computers to do brute-force searches for most all games. Seems the big markets for this would be when there are cryptographically verifiable deliverables tied to real world things, like deeds and titles.

Then you can do an official closing for a real estate deal without any escrow company in the middle taking the percents, and neither side at risk of non-delivery. As I said before, this is "hello world", but from that everything can be built.

James

septian44
February 29, 2016, 04:45:25 AM, #16

solution to a 16x16 Sudoku puzzle for 0.10 BTC....good idea
jl777
February 29, 2016, 04:49:46 AM, #17

Quote
solution to a 16x16 Sudoku puzzle for 0.10 BTC....good idea
Have to start with something. Seems much better than a solution to a tic-tac-toe problem.

Just keep in mind it is the "hello world" to show this concept actually works.

I hope there will be reference verifiers and easy to follow examples for more practical things, like privkey swap for BTC.

hint, hint

James

P.S. before you start posting that to swap a privkey is silly, consider a 2of2 msig where you already have the other half

allwelder
March 01, 2016, 01:33:41 PM, #18

Cool.
Shared on Blockchain.hk.

coins101
March 01, 2016, 02:15:27 PM, #19

ZKCP + CLTV

amaclin
March 01, 2016, 02:36:10 PM, #20

Quote
How can we use this?
If you are asking this question then the answer would be: you can not use it. Point.