A decentralized file hosting protocol in which clients pay per request.

sats4files.md

Sats4Files: Decentralized File Hosting based on Lightning

A decentralized file hosting protocol in which clients pay per request. Client and server perform a fair exchange of coins against files, using a Lightning payment combined with a proof of encryption. This document describes a naive system which is probably too slow, however it intends to spark a discussion about which proof systems could make it practical, because that could allow to decentralize the web.

Sats4Files Problem

A “Sats4Files protocol” allows users to request data from servers, and upon receiving the encrypted data, they can pay for the decryption key, e.g., via Lightning. The exchange is atomic, ensuring that the user only receives the data if they pay for it, and the seller only gets paid if they deliver the data.

Proof of Encryption

Servers respond to client requests with a zero-knowledge proof, which expresses

1. file_encrypted is encrypted with the preimage of sha256_hash
2. the decrypted file hashes to file_id

File Transfer Protocol

Servers can sell files via Lightning using a proof of encryption.

1. Client requests file_id
2. Server sends the encrypted file_encrypted, a proof of encryption with sha256_hash, and the corresponding Lightning invoice
3. Client pays that invoice to buy from the server the preimage of sha256_hash to decrypt file_encrypted and obtain file.

Limitations and Optimizations

The bottleneck of this protocol is the time the server needs to prove a response.

• The server has to generate a new proof of encryption for every client for every request. Otherwise, a malicious client could bypass the payment by downloading the encrypted file and reusing an old key. Also in Lightning it's not secure to sell the same preimage twice.
• A malicious client could drain server resources by requesting many encrypted files without ever paying to decrypt them. IP limits might be sufficient to mitigate this attack. Clients could also be required to somehow "sign up" in the blockchain to mitigate sybil attacks.
• We can choose freely the encryption algorithm and the hash function computing file_id, so we can choose them proof-friendly.
• Proving a SHA256 preimage is expensive. Probably, it would be much cheaper to use PTLCs instead of HTLCs, because often it's cheaper to prove a discrete logarithm than a hash preimage. However, it takes probably another one or two years until PTLCs will be rolled out on Lightning.
• Assuming we had PTLCs. Then, to minimize the size of the proof's circuit, it probably makes sense to use the field of secp256k1 as base field of the proof system.
• Maybe it is possible to generate a proof of encryption once for key_A and then somehow "reblind" it, to become a proof of encryption with key_B. Perhaps that is cheaper than proving it for every user from scratch.
• While a server is idle it can pre-generate proofs for popular files to serve them instantly during high demand.

Research Questions

• Which proof system could make this system practical? E.g. proving times of less than a second?
• Can we use Bulletproofs as described here in section "Further Applications"?

Related Work

See also this solution and this optimized solution.

• The first successful Zero-Knowledge Contingent Payment
• Zero-Knowledge Contingent Payments Revisited: Attacks and Payments for Services
• LSAT: Lightning Service Authentication Token
• FileBounty: Fair Data Exchange
• FairSwap: How to fairly exchange digital goods
• Verifiable encryption of discrete logarithms

Sats per branch, the new standard.

This is the scheme to address speed problem which was designed for paying API requests using Lightning: LNP-BP/LNPBPs#24