07.05.2018 — Encryption and security

Published in RepuX Blog by RepuX, May 6, 2018

Our goal is to make the RepuX protocol fully decentralised. However, there are a few blockers standing in our way, the biggest of which is security. We are not the only ones struggling with this problem: all similar blockchain projects have the same problem, security in a decentralised file exchange.

We have looked into many white papers and talked with many founders of other projects. They either do not touch this subject, try to avoid it, or state outright that they will use a hybrid solution with a centralized vault. The reason behind this is simple: there is no single solution that solves the problem at this moment!

Why is security so important, especially in a decentralized environment? Because storing data on decentralized storage means that the data is distributed across many nodes (computers) that are owned by unknown users. This approach requires us to encrypt data before it is uploaded to the decentralized storage.

The question we are trying to answer is not whether to encrypt data, which is obvious because we’ll be dealing with very sensitive data, but how to implement it.

There are several aspects we take into consideration:

  • Sellers would like to be certain that their confidential data is securely stored and that it is disclosed only to users who bought it or were given explicit access to it.
  • Encoding data takes computational time, especially asynchronous, so this should be done once. But then, if the password leaks out in public, everyone will have access to the file, since file systems such as IPFS run on public nodes. There is no way to delete files remotely.
  • More on file deletion: to be compliant with regulations around the globe, like the new GDPR act in the European Union, we have to have a way to make the file inaccessible for future downloads and to list the users who downloaded it.
  • Once the file is put on the storage, it should be partially reusable, meaning it shouldn’t be entirely encoded for one particular buyer, as transfer and storage cost money.

So, having many requirements that sometimes contradict each other, we developed our custom solution. As we believe the whole blockchain ideology is about decentralisation, we ditched the idea of a centralised vault. We’re aiming at a solution we call “seller present”, because once the transaction is closed the seller has to do the encryption again.

To make it hassle-free, we’ve limited the effort needed from the seller to some simple operations that can be done even on a mobile phone. Whenever the seller’s attention is needed he’ll get a push message, or, if his phone is pre-authorised, this could be done automatically, and no keys or passwords will be exposed either to RepuX or to the storage nodes.
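One way the requirements above could fit together, shown as an added example that is not RepuX's design or code: envelope encryption, where the file is encrypted once and the seller wraps only the small content key for each buyer after a sale. The choice of pattern, the use of AES-256-GCM and RSA-OAEP, and all function names are assumptions.

```javascript
// Added example: envelope encryption, assumed here as one way to meet the
// requirements listed above. Not RepuX code; all names are hypothetical.
const crypto = require("crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Seller, once per file: encrypt the payload with a random content key.
// Only the ciphertext blob goes to public storage (e.g. IPFS).
function encryptFile(plaintext) {
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { contentKey, blob: { iv, body, tag: cipher.getAuthTag() } };
}

// Seller, once per closed sale: wrap the 32-byte content key for one buyer.
// This is the small per-sale step; the stored blob is not re-encrypted.
function wrapKeyForBuyer(contentKey, buyerPublicKey) {
  return crypto.publicEncrypt({ key: buyerPublicKey, ...OAEP }, contentKey);
}

// Buyer: unwrap the content key, then decrypt and authenticate the blob.
function openFile(blob, wrappedKey, buyerPrivateKey) {
  const contentKey = crypto.privateDecrypt({ key: buyerPrivateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", contentKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.body), decipher.final()]);
}

// Constructed demo: one upload, two buyers, one party who bought nothing.
function demo() {
  const newPair = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const [alice, bob, outsider] = [newPair(), newPair(), newPair()];
  const { contentKey, blob } = encryptFile(Buffer.from("constructed sample dataset"));
  const forAlice = wrapKeyForBuyer(contentKey, alice.publicKey);
  const forBob = wrapKeyForBuyer(contentKey, bob.publicKey);
  let outsiderBlocked = false;
  try { openFile(blob, forAlice, outsider.privateKey); } catch { outsiderBlocked = true; }
  return {
    alice: openFile(blob, forAlice, alice.privateKey).toString(),
    bob: openFile(blob, forBob, bob.privateKey).toString(),
    outsiderBlocked,
  };
}
```

A buyer who unwraps the content key can still leak it, which is the leak problem described in the list above; this sketch does not address it.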

We consider it the core of our system for the first version, which we’ll have as part of the first iteration of our product. We’ll keep you posted on our progress, so stay tuned.

Ola & Marcin
