Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Plaintext-Scale Fair Data Exchange

Majid Khabbazian

TL;DR

This work tackles the scalability challenge of atomic, pay-per-file data exchange (FDE) by reengineering the cryptographic backbone to achieve plaintext-scale performance. It introduces two VECK-based implementations, VECK^+_{EL} and VECK^{\star}_{EL}, which drastically reduce client-side verification from linear in file size to $O(\lambda)$ and cut communication overhead toward near-plaintext levels, while preserving the on-chain footprint. VECK^+_{EL} achieves $O(\lambda)$ verification via Reed–Solomon sampling on an extended codeword, trading modest redundancy for fixed verification cost; VECK^{\star}_{EL} removes bulk public-key work through a hash-derived symmetric mask and a file-size-independent zk-SNARK that proves consistency on a small sample, yielding ~10 s prover times and ~0.1 s verification times for reasonable $R$. The paper also shows a fully off-chain deployment path over the Lightning Network by tying the VECK decryption key to an HTLC with a compact SNARK, reducing costs to under $0.01$ and latency to a few seconds. Together, these results make FDE practical for large datasets, with verification decoupled from file length, substantially reduced bandwidth, and a realistic pathway to on-chain/off-chain integration and real-world use.

Abstract

The Fair Data Exchange (FDE) protocol (CCS'24) achieves atomic, pay-per-file exchange with a constant on-chain footprint, but existing implementations do not scale: proof verification can take hours even for files of only tens of megabytes. In this work, we present two FDE implementations: VECKplus and VECKstar. VECKplus reduces client-side verification to O(lambda) -- independent of file size -- where lambda is the security parameter. VECKplus brings verification time to approximately 1 s on a commodity desktop for any file size. VECKplus also significantly reduces proof generation time by limiting expensive range proofs to a Theta(lambda)-sized subset of the file. This improvement is especially beneficial for large files, even though proof generation and encryption are already precomputable and highly parallelizable on the server: for a 32 MiB file, for instance, proof generation time drops from approximately 6,295 s to approximately 4.8 s (approximately 1,300x speed-up). As in the existing ElGamal implementation, however, VECKplus retains exponential ElGamal over the full file. Consequently, the client must perform ElGamal decryption and download ciphertexts that are at least 10x the plaintext size. We address both drawbacks in the second implementation, VECKstar: we replace bulk ElGamal encryption with a fast, hash-derived mask and confine public-key work to a Theta(lambda) sample tied together with a file-size-independent zk-SNARK, adding less than 0.1 s to verification in our prototype. Importantly, this also reduces the communication overhead from at least 10x to less than 50%. Together, these changes yield plaintext-scale performance. Finally, we bridge Bitcoin's secp256k1 and BLS12-381 with a file-size-independent zk-SNARK to run FDE fully off-chain over the Lightning Network, reducing fees from approximately USD 10 to less than USD 0.01 and payment latency to a few seconds.

Plaintext-Scale Fair Data Exchange

TL;DR

This work tackles the scalability challenge of atomic, pay-per-file data exchange (FDE) by reengineering the cryptographic backbone to achieve plaintext-scale performance. It introduces two VECK-based implementations, VECK^+_{EL} and VECK^{\star}_{EL}, which drastically reduce client-side verification from linear in file size to and cut communication overhead toward near-plaintext levels, while preserving the on-chain footprint. VECK^+_{EL} achieves verification via Reed–Solomon sampling on an extended codeword, trading modest redundancy for fixed verification cost; VECK^{\star}_{EL} removes bulk public-key work through a hash-derived symmetric mask and a file-size-independent zk-SNARK that proves consistency on a small sample, yielding ~10 s prover times and ~0.1 s verification times for reasonable . The paper also shows a fully off-chain deployment path over the Lightning Network by tying the VECK decryption key to an HTLC with a compact SNARK, reducing costs to under and latency to a few seconds. Together, these results make FDE practical for large datasets, with verification decoupled from file length, substantially reduced bandwidth, and a realistic pathway to on-chain/off-chain integration and real-world use.

Abstract

The Fair Data Exchange (FDE) protocol (CCS'24) achieves atomic, pay-per-file exchange with a constant on-chain footprint, but existing implementations do not scale: proof verification can take hours even for files of only tens of megabytes. In this work, we present two FDE implementations: VECKplus and VECKstar. VECKplus reduces client-side verification to O(lambda) -- independent of file size -- where lambda is the security parameter. VECKplus brings verification time to approximately 1 s on a commodity desktop for any file size. VECKplus also significantly reduces proof generation time by limiting expensive range proofs to a Theta(lambda)-sized subset of the file. This improvement is especially beneficial for large files, even though proof generation and encryption are already precomputable and highly parallelizable on the server: for a 32 MiB file, for instance, proof generation time drops from approximately 6,295 s to approximately 4.8 s (approximately 1,300x speed-up). As in the existing ElGamal implementation, however, VECKplus retains exponential ElGamal over the full file. Consequently, the client must perform ElGamal decryption and download ciphertexts that are at least 10x the plaintext size. We address both drawbacks in the second implementation, VECKstar: we replace bulk ElGamal encryption with a fast, hash-derived mask and confine public-key work to a Theta(lambda) sample tied together with a file-size-independent zk-SNARK, adding less than 0.1 s to verification in our prototype. Importantly, this also reduces the communication overhead from at least 10x to less than 50%. Together, these changes yield plaintext-scale performance. Finally, we bridge Bitcoin's secp256k1 and BLS12-381 with a file-size-independent zk-SNARK to run FDE fully off-chain over the Lightning Network, reducing fees from approximately USD 10 to less than USD 0.01 and payment latency to a few seconds.

Paper Structure

This paper contains 27 sections, 5 theorems, 22 equations, 2 figures.

Table of Contents

  1. Introduction
  2. Background
  3. Notation and Definitions
  4. KZG Polynomial Commitments
  5. FDE Protocol
  6. Verifiable Encryption under Committed Key (VECK)
  7. Reed--Solomon Codes: High-Level Intuition
  8. High-Level Overview of Our VECK Constructions
  9. Proposed FDE Implementations
  10. Common Notation and Definitions
  11. FDE via $\mathsf{VECK^+_{EL}}$
  12. Protocol outline.
  13. Fiat--Shamir subset derivation.
  14. Fiat--Shamir subset derivation.
  15. $\mathsf{\mathsf{VECK^+_{EL}}}$: case $S=[\ell]$ (client requests the entire data set).
  16. ...and 12 more sections

Key Result

lemma 1

Let $k:=\ell{+}1$ and $m=\lceil \beta k\rceil$ for some $\beta>1$. Let $C\subseteq[m]$ be any set of corrupted positions with $|C|>t:=\lfloor (m-k)/2\rfloor$. Let $S_R\subseteq[m]$ be a uniformly random subset of size $R$. Then In particular, to ensure $\Pr\![S_R\cap C=\emptyset]\le 2^{-\lambda}$ it suffices to choose

Figures (2)

  • Figure 1: Proof verification and generation times in $\mathsf{VECK^+_{EL}}$ and $\mathsf{VECK_{EL}}$.
  • Figure 2: SNARK proof ($\pi_Z$) generation and verification times.

Theorems & Definitions (10)

  • lemma 1: Redundancy vs. sample size
  • proof
  • theorem 1: Security of $\mathsf{VECK^+_{EL}}$
  • proof
  • theorem 2: Verification cost for full retrieval
  • proof
  • theorem 3: Security of $\mathsf{VECK^{\star}_{EL}}$
  • proof
  • theorem 4: Cost of $\mathsf{VECK^{\star}_{EL}}$ for full retrieval
  • proof