Plaintext-Scale Fair Data Exchange
The Fair Data Exchange (FDE) protocol (CCS'24) achieves atomic, pay-per-file exchange with a constant on-chain footprint, but existing implementations do not scale: proof verification can take hours even for files of only tens of megabytes. In this work, we present two FDE implementations: VECKplus and VECKstar. VECKplus reduces client-side verification to O(lambda) -- independent of file size -- where lambda is the security parameter. VECKplus brings verification time to approximately 1 s on a commodity desktop for any file size. VECKplus also significantly reduces proof generation time by limiting expensive range proofs to a Theta(lambda)-sized subset of the file. This improvement is especially beneficial for large files, even though proof generation and encryption are already precomputable and highly parallelizable on the server: for a 32 MiB file, for instance, proof generation time drops from approximately 6,295 s to approximately 4.8 s (approximately 1,300x speed-up). As in the existing ElGamal implementation, however, VECKplus retains exponential ElGamal over the full file. Consequently, the client must perform ElGamal decryption and download ciphertexts that are at least 10x the plaintext size. We address both drawbacks in the second implementation, VECKstar: we replace bulk ElGamal encryption with a fast, hash-derived mask and confine public-key work to a Theta(lambda) sample tied together with a file-size-independent zk-SNARK, adding less than 0.1 s to verification in our prototype. Importantly, this also reduces the communication overhead from at least 10x to less than 50%. Together, these changes yield plaintext-scale performance. Finally, we bridge Bitcoin's secp256k1 and BLS12-381 with a file-size-independent zk-SNARK to run FDE fully off-chain over the Lightning Network, reducing fees from approximately USD 10 to less than USD 0.01 and payment latency to a few seconds.