Context:
Alice has some content (C) and published its hash (Chash) publicly. She wants to send C to Bob in such a way that it's visible only to Bob. This can be done by encrypting it (Cenc) using his Public Key (PubKeyBob). Bob can then decrypt it using his private key and compute the hash to see that it matches Chash.
We have Eve, who plays the role of an escrow. Bob pays for C, which is held by Eve. Now Alice needs to prove to Eve that Cenc is decryptable by Bob and, when decrypted, will yield C. Eve shouldn't get to know C at any point.
Current Idea:
We assume Alice sends the right Cenc, encrypted using PubKeyBob (which is a one-time-use keypair, used only for this transaction). Bob is happy to see that the decrypted content's hash is the same as Chash and thus is the same content. If Alice had sent the wrong content, or hadn't encrypted C properly, Bob discloses his Private Key (PriKeyBob) to Eve. Now Eve can verify the dispute claim by decrypting Cenc using PriKeyBob and verifying whether it matches Chash. If it doesn't match, Eve would refund Bob.
Problem:
This works if Bob is honest and raises disputes only if they're actually true. But if Bob raises a false dispute, Eve will get to know C. This is acceptable, as it's always possible for Bob to share C with Eve regardless. But is there a better strategy for this transaction to take place? Can Alice prove to Eve that Cenc is a valid one (in a zero-knowledge manner) without ever requiring Bob to raise a dispute?
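The dispute flow from the "Current Idea" above, as an added example that is not part of the original post. It assumes hashed ElGamal over a toy group (P, G and every function name are illustrative choices, not from the post) and adds one check the description leaves implicit: Eve confirms that the disclosed key really belongs to PubKeyBob before trusting the decryption.

```python
import hashlib
import secrets

# Toy parameters for the demo only (assumption, not a vetted ElGamal group);
# a real deployment would use a standard KEM/HPKE library.
P = 2**255 - 19
G = 2

def content_hash(content):
    return hashlib.sha256(content).digest()

def keygen():
    """One-time keypair for a single transaction: (PriKeyBob, PubKeyBob)."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _pad(shared, n):
    # Derive an n-byte keystream from the Diffie-Hellman shared value.
    return hashlib.shake_256(shared.to_bytes(32, "big")).digest(n)

def encrypt(pk, content):
    """Alice: produce Cenc = (c1, c2) under PubKeyBob."""
    r = secrets.randbelow(P - 3) + 2
    pad = _pad(pow(pk, r, P), len(content))
    return pow(G, r, P), bytes(a ^ b for a, b in zip(content, pad))

def decrypt(sk, cenc):
    c1, c2 = cenc
    pad = _pad(pow(c1, sk, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))

def bob_accepts(sk, cenc, chash):
    """Bob: decrypt and compare against the published Chash."""
    return content_hash(decrypt(sk, cenc)) == chash

def eve_adjudicate(pub_key_bob, cenc, chash, disclosed_sk):
    """Eve: settle a dispute. Returns 'refund' or 'reject'."""
    # The disclosed key must match the public key used for this sale;
    # otherwise a wrong key would force a hash mismatch and a refund.
    if pow(G, disclosed_sk, P) != pub_key_bob:
        return "reject"
    # Note: on this path Eve decrypts Cenc, so a false dispute with the
    # correct key is rejected but still reveals C to her.
    if content_hash(decrypt(disclosed_sk, cenc)) == chash:
        return "reject"
    return "refund"
```
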