Protocol
How TrustDrop Protects File Exchange
TrustDrop solves the fairness problem in digital file sales: the buyer does not want to pay before receiving a recoverable file, and the seller does not want to release the file before payment is locked.
The Problem
In a normal file sale, a malicious seller can take payment and deliver nothing, deliver the wrong file, deliver corrupted encrypted data, or provide key material that cannot decrypt the file. TrustDrop makes those failure modes visible to the protocol before the seller can settle the payment.
The Basic Structure
The buyer's payment is first locked in an exchange channel. The seller then has to complete a delivery path that the contract can verify. The contract does not inspect a large file directly; instead, it verifies two zk proofs generated by two separate SP1 guest programs.
VSS: Valid Key Material
VSS handles the key-sharing side of the exchange. During purchase, the buyer submits a commitment related to the buyer's purchase secret. During fulfillment, the seller submits encrypted key material that should let this buyer recover the asset key.
The VSS zk program checks that the seller's encrypted key material is consistent with the buyer's commitment and the sale's data key commitment. This prevents a seller from submitting random bytes that look like a key package on-chain but do not actually help the buyer decrypt the file.
VDD: Recoverable Delivery
VDD handles the delivery side of the exchange. It checks the seller's claim that the encrypted file stored for delivery is tied to the file listed in the sale. This prevents settlement with unrelated encrypted bytes or a corrupted delivery.
The current VDD design uses the structure of erasure-coded data together with ChaCha20-style stream encryption. Erasure coding is linear over byte data, and ChaCha20 encryption is an XOR with a keystream, so the encoded plaintext, encoded keystream, and encoded ciphertext preserve the same XOR relation. This is the homomorphism VDD uses for efficient checking.
With erasure coding, the buyer does not need every original storage piece to recover the file; enough valid encoded pieces are sufficient. The proof samples a small part of the encoded/encrypted structure. If the seller has damaged or replaced enough data to stop recovery, the chance of escaping these checks drops quickly.
In this document, availability means recoverability: the buyer can recover the complete file from the delivered encrypted data and the key material. It does not merely mean that a storage server returned some bytes.
Settlement
Settlement is only the final step after the protocol has the required evidence: the buyer has valid key material, and the delivered encrypted data is tied to the sale with high recoverability confidence. The seller does not get paid just for claiming delivery.