downto
find out mutual likes, without revealing unrequited likes to anyone. (previously hosted at downto.xyz)
privacy
threat model: when submitting preferences, the server is honest. however, the server may be compromised at any point in the future. the database may be compromised at any point.
protocol
- we establish a public key directory when a user verifies their email.
- for each pair of users i and j, we store an encrypted secret string
$k_{ij} || r_{ij}$ , as well as an unencrypted string$f(k_{ij} || r_{ij})$ where$f$ is a one-way function (in our case, SHA-256). - for each person
$l$ that user$i$ likes, the user computes$h = hash(l || i) \xor k$ or$h = hash(i || l) \xor k$ , depending on the alphabetical ordering of$l$ and$i$ . - user
$i$ submits to the server a list of tuples$(h, r, i, l)$ , one for each person$l$ that they like. - the server compares
$h$ to its current set of like identifiers. if there's not a match,$h$ is added to the set. - if
$h$ is in the set already, the server verifies that$f(h \xor hash(l || i) || r)$ is equal to the stored value of$f$ for$i$ and$l$ . - if it is, there is a match! the server sends an email to
$i$ and to$l$ , and then discards$r$ ,$i$ and$l$ .
to prevent knowledge of who has used the website, all tables are filled with random keys in the beginning. this requires us to modify the protocol above slightly, by storing two versions of
to prove security, one would use the fact that