Hacker News new | past | comments | ask | show | jobs | submit login

[deleted]



> Preventing the oracles from colluding to prematurely release the keys, or not release the keys at all, is a harder problem.

No, the harder problem is knowing the "encrypted" data is something other than a directory of the sellers favorite goat-porn. A cut and choose proof could be used, but non-interactive ones require a lot of samples to have good security... and revealing a lot of sample images is something the seller doesn't want to do here.

To put that in concrete terms: Say I claim have a million nudes of Elmo which you'd like to purchase. I give you an encrypted copy of them. You pick some number at random, and I reveal the keys. You decrypt and get find all of them to be fine examples of the promised images of Elmo in all Elmo's glory. You are now convinced that it is likely that the rest of the images are similar— since your selection was uniform you can use simple combinitorics to how likely I would have been to get away with various levels of fraud. "That tickles"

To make this protocol non-interactive with a fiat-shamir transform— I hash the encrypted pictures and use the hash to select which ones I reveal. This requires many more examples to achieve security because I could have been secretly grinding one of the images until the hash picked the few passing examples I had. (There are, however, ways too boost the security by inserting an expensive process— like giving away Bitcoins— into the inner loop).

It's likely not reasonable for a collection of just a few dozen images, even with strengthening, however.

For machine decidable things— say a DRM master key— other approaches are possible (https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment) but since no one is likely to turn up a program that decides nudes of one celebrity vs another, about the best you could do is a non-interactive cut and choose selective reveal over _pixels_, and use compressed sensing techniques to build low res images to decide if the rest of the pixels are worth paying for. If you're happy with that, then at least theoretically, the ZKCP approach lets you pay for the keys for the rest of the pixels with no risk of being stood up and no third parties.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: