[orblivion]

The nonce is good for privacy, preventing rainbow tables etc stuff right? Could still brute force if it's a small file maybe? Unless the nonce is hashed but not put on the blockchain directly, so the user can choose when to use the proof. But then the user has to save the nonce, which is precarious.

Also: it occurred to me a while ago that Archive.org etc really need something like this before generative AI gets too good. They wouldn't need to prove all of their documents if that's cost prohibitive. They could make a Merkle tree and prove the tip periodically.

[mankins]

Right the nonce–the "dibs code"–is there so that you can't just copy a known sha256 and claim it as your own. You have to at minimum have the file, and to prove you have it one way is to come up with some random data and hash that random data + the actual data. Then others can do the same to show that it indeed matches. Once a nonce is used it can't be re-used for the same reasons.

The AI use case is an interesting one.