Good morning Christian and Corne,

Another idea to consider, is techniques like ZKCP and ZKCSP, which provide 
atomic access to information in exchange for monetary compensation.  Ensuring 
atomicity of the exchange can be done by providing the information encrypted, a 
hash of the encryption key, and proofs that the encrypted data is the one 
desired and that the data was encrypted with the given key; the 
proof-of-payment is the encryption key, and possession of the encryption key is 
sufficient to gain access to the information, with no need to bring in legal 

(admittedly, ZKCP and ZKCSP are dependent on new cryptography...)

(also, AMP currently cannot provide a proof-of-payment, unlike current payment 
routing that has proof-of-payment, but that is an eventual design goal that 
would enable use of ZKC(S)P on-Lightning, assuming we eventually find out that 
zk-SNARKs and so on are something we can trust)


Sent with ProtonMail Secure Email.

-------- Original Message --------
 On February 13, 2018 2:05 AM, Christian Decker <> 

>Honestly I don't get why we are complicating this so much. We have a
> system that allows atomic multipath payments using a single secret, and
> future decorrelation mechanisms allow us to vary the secret in such a
> way that multiple paths cannot be collated, why introduce a whole set of
> problems by giving away the atomicity? The same goes for the overpaying
> and trusting the recipient to only claim the owed amount, there is no
> need for this. Just pay the exact amount, by deriving secrets from the
> main secret and make the derivation reproducible by intermediate hops.
> Having proof-of-payment be presentable in a court is a nice feature, but
> it doesn't mean we need to abandon all guarantees we have worked so hard
> to establish in LN.
> Corné Plooy via Lightning-dev
>>I was thinking that, for that use case, a different signed invoice could
>> be formulated, stating
>> - several payment hashes with their corresponding amounts
>> - the obligation of signer to deliver Z if all corresponding payment
>> keys are shown
>> - some terms to handle the case where only a part of the payments was
>> successful, e.g. an obligation to refund
>>The third item is a bit problematic: in order to distinguish this case
>> from a complete success, the payee would have to prove absence of
>> successful transactions, which is hard. Absence of successful
>> transactions can only be declared by the payer, so in order to reliably
>> settle without going to court first, the payer should sign a
>> declaration stating that certain transactions were canceled and that the
>> other ones should be refunded. This can be another invoice.
>>So, the original invoice states:
>> - several payment hashes with their corresponding amounts
>> - if all corresponding payment keys are shown: the obligation of <payee>
>> to deliver Z, UNLESS stated otherwise by an invoice signed by <payer>
>>-- signed by <payee>
>>But if a payment partially fails, it can be refunded cooperatively with
>> an invoice created by payer:
>> - declares which of the original payments were successful (with payment
>> keys) and which were not
>> - replaces the obligation of <payee> to deliver Z with an obligation to
>> refund the successful transactions
>> - several payment hashes with their corresponding amounts
>> - if all corresponding payment keys are shown: cancel the obligation of
>> <payee> to refund
>>-- signed by <payer>
>>Maybe this can be repeated iteratively if necessary; hopefully the
>> not-yet-settled amount will converge to zero.
>>Important advantage: this only requires changes to the invoice format,
>> not to the network protocol.
>>The point is: in this use case, the court is apparently the final point
>> of settlement for invoices, just like the blockchain is for the other
>> channels in the route. IANAL, but I think the "scripting language"
>> accepted by courts is quite flexible, and you can use that to enforce
>> atomicity. With the construction described above, you can either refund
>> cooperatively (and collect evidence that refund has happened), or, if
>> that fails, go to court to enforce settlement there.
>>Op 12-02-18 om 10:23 schreef Christian Decker:
>>>CJP writes:
>>>>Can you give a use case for this?
>>>>Usually, especially in the common case that a payment is done in
>>>> exchange for some non-cryptographic asset (e.g. physical goods), there
>>>> already is some kind of trust between payer and payee. So, if a payment
>>>> is split non-atomically into smaller transactions, and only a part
>>>> succeeds, presumably they can cooperatively figure out some way to
>>>> settle the situation.
>>>> The scenario that is commonly used in these cases is a merchant that
>>>> provides a signed invoice "if you pay me X with payment_hash Y I will
>>>> deliver Z". Now the user performs the payment, learns the payment_key
>>>> matching the payment_hash, but the merchant refuses to deliver, claiming
>>>> it didn't get the payment. Now the user can go to a court, present the
>>>> invoice signed by the merchant, and the proof-of-payment, and force the
>>>> merchant to honor its commitment.
>>>Lightning-dev mailing list
>>Lightning-dev mailing list
>Lightning-dev mailing list

Lightning-dev mailing list

Reply via email to