I've realised that one important piece of information is missing in our whitepapers: the proof of delivery.
To put you into context: when author creates a new content package, as part of the registration, she encrypts this content. This encryption/decryption key can't be, for obvious reasons, sent to the network as it is. So the author splits the key into several parts (called key particles), and send them to different seeders. In order to re-create the decryption key, the seeders must cooperate, and deliver their particles to the consumer. The particles are in both cases sent over the network encrypted with public keys of the receivers.
Since the particles are sent encrypted, how to prove that the seeder has sent to the consumer REALLY the particle - and not some random data? Here comes one of our zero-knowledge proofs - the proof of delivery.
The basic schema is as follows:
- Seeders and Customers generate key pairs
(h, x)using El-Gamal schema in groupGand generatorg. The public partshare published in operations “ready_to_publish” and “request_to_buy" so everybody can see them - Author encrypts key particle
Kto some seeder using seeders public keyh_seedand sends out, as part of content publishing, this ciphertext:c1=(g^r1, K*h_seed^r1) = (C_1, D_1)for a randomr1. - Seeder decrypts
Kand stores it. - Later, after receiving request to buy, the seeder encrypts
Kagain using public key of the customerh_cusinto this ciphertext:c2=(g^r2, K*h_cus^r2) = (C_2, D_2)for a random r2. - Also, publisher generates two random members of the group
b1andb2. Then he provides a ZKP in the form of tuple(g^b1, g^b2, g^(r1*b1)/h_cus^b2, x_seed*hash+b1, r2*hash+b2) = (A1, A2, A3, A4, A4). - Miners verify proof from the publisher by checking that
a.g^A4 == h_seed^hash * A1, akag^(x_seed * hash + b1) == h_seed^hash * g^b2
b.g^A5 == C_2^hash * A2, akag^(r2*hash+b2) == (g^r2)^hash * g^b2
c.(D2^x * C1 ^ A4) / (D1^x * h_cus^A5 ) == A3.