Score:0

How to prove knowledge of a secret and allow the receiver to deduplicate it?

ug flag

Consider the following scenario:

We have two agents, A and B.

B needs to prove that they know a secret to A, without sharing the actual secret.

e.g.: A needs a way to de-duplicate the secrets they receive from B, but they don't need to know the actual secrets. (and B does not want them to know)

Think of it like sharing a hash of that secret, except: it's a very small, low entropy source (there's about 1 billion possible values). This means that a simple hash would be vulnerable to a dictionary attack.

Now, B could add a hidden "salt" to each secret they share and then hash it, and that would make it harder for A to do a dictionary attack. As far as I can tell, this would "solve" the problem for the 1-1 case.

However, let's now introduce a third agent, C. C is sending the same type of secrets to A. B and C cannot share their secrets between each other.

C can end up sending "duplicates" of secrets that B has, even though they don't know what B has on their end.

A, of course, now needs to de-duplicate not only the secrets from B, but also from C.

The hidden salt won't work anymore because now C would need to know the salt to be able to generate the same hashes. Otherwise A would not be able to de-duplicate between keys from B and C. Having a shared salt however means that C could do a dictionary attack on B or vice-versa.

Can A, B and C reach an agreement where B and C can share their "proofs" with A, in a way that A can de-duplicate them, but no one can reveal each other's secrets?

If so, can this be generalized to any number of consumers/producers?

Being far from an expert in cryptography (I only really know the very basics), I'm not sure if I'm using the proper terms here. Let me know if I can clarify any of it. Also, this is not homework or anything like it - while it was motivated by a concrete problem that I read recently, this is mostly just curiosity. A rough explanation on why it isn't possible (in the case that it is not) would most definitely be sufficient for me. Same for a brief description of a known algorithm, even if just the name - with proper direction I can do some research myself.

(Just to be clear if it already isn't: A, B and C do not trust each other)

(Contrived) example

Alice and Bob want to sell stamps to a stamp collector. Think of a stamp as being a 7-character string with only lowercase characters, and the stamp collector can't just fabricate them itself.

The stamp collector will buy any stamp that they currently do not have. However, it won't buy the stamp right away: it will wait to see how many sellers have it, so it can buy the stamp at the lowest price.

So before sending the actual stamp, Alice (or Bob) have to send a "bid" to the collector, so it can check if they already have the stamp, or if someone else offered it. They can't send the actual stamp with that bid, or the collector would just have it for free, which is no fun for anyone. The collector needs to know "which" stamp the bid is for, even if they don't know the actual 7-character string - or it won't be able to compare bids.

knaccc avatar
es flag
B and C would need to put some trust in A, because A would be able to reveal to B or C if B and C share any duplicates with one another. If B shared one value at a time with A, B could be informed by A as soon as A notices that particular value is shared by C. Perhaps if you explained the concrete problem it might be easier to fully understand the trust constraints.
Cássio Renan avatar
ug flag
B or C cannot trust A at all, or each other. I'm not sure the (once) concrete problem would add anything TBH. Like I said, it motivated the question, but it's not really the problem I'm trying to solve or think about.
knaccc avatar
es flag
Are you saying that a requirement is that A will not be able to collude with B to inform B which of the B's blinded values B has in common with C? So therefore it should be impossible for B to send blinded values to A one by one, so that A can inform B as soon as a duplicate is observed? Are you also saying that further "agents" should not be able to participate without the permission of all existing agents, to prevent a variant of such collusion?
kelalaka avatar
in flag
Are you looking for the [convergent encryption](https://crypto.stackexchange.com/q/729/18298)?
Cássio Renan avatar
ug flag
@knaccc no, that is not a requirement. In theory B and C are not even aware of each other (they only comunicate with A and no one else)
Cássio Renan avatar
ug flag
@kelalaka From the accepted answer, it seems that the one of the requirements is that the "file" to be encrypted is sufficiently long. Ony of the limitations of this question is that the secret is small (otherwise a good hash of the secret would be enough, as dictionary attacks would no longer be a problem)
Cássio Renan avatar
ug flag
From my last comment I guess "proof" is not a good description - As I don't really care if one "agent" sents a "fake" hash to A - thus I'm not really interested in a proof, but rather some form if unique identifification/token. I'll try to come up with a better term and improve the question.
Cássio Renan avatar
ug flag
@knaccc I added an example, I think it summarizes well the restrictions. Let me know if that works!
knaccc avatar
es flag
If unlimited agents can contact A without approval from any existing agent, then A could participate as an agent and check every possible combination to see if any other agents have offered that secret. Therefore you'd need to have a mechanism to limit the number of items that agents can offer to A, where each agent will commit to and only be willing to announce their blinded list at the same time that a provably limited number of other agents are offering a provably limited number of offers. Since you've not given the actual use case, I have no idea whether this would be acceptable or not.
Cássio Renan avatar
ug flag
No, I think you gave a very good point here. My initial thought was "why would A want to check that against himself? They theoretically already know what other agents have offered, even if they don't know the secret" but then it hit me - any such arrangement would have to allow A to just brute force in the way you describe and have the secrets anyway.
Cássio Renan avatar
ug flag
In the stamp example the collector could just "sell" all possible stamps to itself and then it would know every stamp of the other sellers by abusing the de-duplication mechanism. I guess that's my answer.
knaccc avatar
es flag
There is a way that A could check with each agent to see if each agent has anything that A doesn't already have. This could be done without the agent discovering what secrets A has, and without the agent revealing any of the secrets they have (other than those that A already has). The agent could limit the number of items that A checks, to avoid being brute forced. Unfortunately this does not allow A to see if more than one agent has the same secret that A does not have.
Cássio Renan avatar
ug flag
Nah, that wouldn't work in the scenario I'm thinking. Think of "A", or the stamp collector, as if it were an API that the others hit. It can't happen the other way around. In any case, after your last comment I'm pretty confident the arrangement, by its nature, just can't provide the guarantee of secrecy for the "stamps", along with the deduplication mechanism. Thank you very much, sir!
Cássio Renan avatar
ug flag
Or in other words, "keeping the stamps a secret" and "being able to dedupe the stamps from different sources" are conflicting requirements, when the number of possible stamps is small enough to brute-force.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.