Where is the probability in PCP here?

[stefanwouldgo]

I believe that there is some confusion about the proposed PCP (maybe it's just me, though). First, I feel that since the HTLC-settlement-tx must be pre-signed by Bob, Bob needs to generate the keypair for de-/encryption at the beginning of the process, not at a later stage as suggested by the sequence diagram.

Furthermore, after this is done, in the scheme as proposed, Bob could now simply throw away all the parts that are not "selected" by the "randomness" from the data/key.

Thus, I believe that the randomness needs to be supplied by Alice at the "download time". Then, Bob cannot cheat, but since he has the original file, he can easily prove knowledge.

[dr-orlovsky]

Yes, this has also to be added into the spec. This design was explained here: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-August/017280.html

Now, we need to aviod situation where by selecting the encryption/decryption pair Bob knows which part of the data he needs to provide Alice in PCP proof, and can discard the rest of the data. This can be mitigated by requiring that the data have to be encrypted using EC multiplication with some factor provided by Alice at the request time.