Double Blind Comparisons using Groups with Infeasible Inversion
Double Blind Comparison is a new cryptographic primitive that allows a user who is in possession of a ciphertext to determine if the corresponding plaintext is identical to the plaintext for a different ciphertext held by a different user, but only if both users co-operate. Neither user knows anything about the plaintexts corresponding to either ciphertext, and neither user learns anything about the plaintexts as a result of the comparison, other than whether the two plaintexts are identical. Neither user can determine whether the plaintexts are equal without the other user’s co-operation. Double Blind Comparisons have potential application in Anonymous Credentials and the Database Aggregation Problem. This paper shows how Double Blind Comparisons can be implemented using a Strong Associative One-Way Function (SAOWF). Proof of security is given, making an additional assumption that the SAOWF is implemented on a Group with Infeasible Inversion (GII), whose existence was postulated by Hohenberger and Molnar.
💡 Research Summary
The paper introduces a cryptographic primitive called Double Blind Comparison (DBC), which lets two parties who each hold a ciphertext decide whether the underlying plaintexts are identical, but only if they cooperate. Unlike a typical Secure Multi‑Party Computation (SMPC) equality test, neither participant knows the secret being compared, so the comparison cannot reveal it. The authors implement DBC with a Strong Associative One‑Way Function (SAOWF): a total binary function that is associative and “strong” in the sense that, given the output together with either one of the inputs, it is infeasible to find the other input. This strong property is defined independently of ordinary (weak) one‑wayness, which the definition does not require.
To instantiate a SAOWF, the paper relies on a Group with Infeasible Inversion (GII), a structure first postulated by Hohenberger and Molnar. A GII is an ordinary group in which the group operation is efficient but computing the inverse of a randomly chosen element is computationally infeasible. Lemma 1 shows that a SAOWF given by the operation of a group forces that group to be a GII, and Lemma 2 proves the converse: the group operation of a GII is itself a SAOWF. The existence of a GII therefore suffices for a concrete SAOWF.
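As an added sketch of why the two lemmas hold (this is the editor's reasoning in the page's notation, not the paper's own proof text), take a group $(G,\cdot)$ with identity $e$ and the candidate function $f(x,y) = x \cdot y$. An inverter for $G$ and a solver for either side of $f$ are interchangeable, and the reduction keeps the uniform input distribution that the PPT adversary is assumed to see.

Easy inversion breaks strong one‑wayness (Lemma 1, contrapositive): given $x$ and $z = x \cdot y$, or given $y$ and $z$,

$$
y = x^{-1} \cdot z, \qquad x = z \cdot y^{-1}.
$$

A solver breaks inversion (Lemma 2, contrapositive): let $A$ be a PPT algorithm with $A(a,\, a \cdot b) = b$ on uniformly random $(a, b)$. To invert a uniform $x$, sample a uniform $s$, set $a = s \cdot x$, and query $A(a,\, s)$. Because

$$
a \cdot x^{-1} = s \cdot x \cdot x^{-1} = s,
$$

the query is exactly the instance $(a,\, a \cdot b)$ with $b = x^{-1}$, so $A$ returns $x^{-1}$. The pair $(a, b) = (s \cdot x,\, x^{-1})$ is uniformly distributed, since $s \cdot x$ is uniform and independent of $x$. Symmetrically, a right‑side solver $B$ with $B(b,\, a \cdot b) = a$ inverts $x$ via the query $B(x \cdot s,\, s)$, because $x^{-1} \cdot (x \cdot s) = s$. No commutativity is used, so the sketch covers non‑abelian groups as well.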
The protocol has three roles: a Submitter (Alice), a Comparer (Bob), and a semi‑trusted Central Authority (Ted). During setup, Ted chooses a public message γ and hands random group elements to Alice and Bob. Alice chooses a private key α and Bob a private key β, and each forms a “left‑encrypted” or “right‑encrypted” ciphertext by combining γ, the private key and the random element: L = γ·α·g on Alice’s side and R = γ·β·h on Bob’s, where “·” is the group operation. Since inverses cannot be computed in a GII, none of these factors can later be stripped off a ciphertext.
To compare, Alice picks a fresh random r, computes L·r and sends it to Bob. Bob applies the analogous operation to his own ciphertext and obtains a value he can compare directly with the one Alice sent: equal values indicate equal plaintexts, unequal values indicate different plaintexts (up to the negligible error bounds given below). The comparison completes only if both parties take part, because each side’s blinded value can be produced only by the holder of that side’s private key, and the fresh r ensures that what Alice transmits is a blinded value rather than her ciphertext itself. The protocol works in both abelian and non‑abelian groups; in the non‑abelian case a participant may hold both a left‑ and a right‑encrypted version of the same plaintext.
Security analysis is organized around five properties:
- False Positives – The probability that two different plaintexts produce matching comparison values is negligible, on the order of 1/|G| for the group G.
- False Negatives – When the same plaintext is used, the protocol will almost certainly output equality; the chance of a mismatch is negligible.
- Unrecoverability – Given any ciphertext, an adversary cannot recover the underlying plaintext or the private key because the SAOWF’s strong one‑way property makes inversion infeasible.
- Linkability (1) – Even if the central authority knows the plaintext γ, without the participants’ secret keys it cannot determine whether a given ciphertext encrypts γ.
- Linkability (2) – Possession of only one side’s ciphertext (left or right) does not allow any party to decide equality; both secret keys are required.
All proofs assume a probabilistic polynomial‑time (PPT) adversary and show that any advantage over random guessing is negligible. The analysis explicitly uses the hardness of inversion in the underlying GII to argue that any attempt to solve the strong one‑way equations would break the GII assumption.
The paper acknowledges that the existence of GIIs is still an open problem, but points to candidate constructions such as braid‑group‑based schemes. It also notes that SAOWFs have been previously used for key agreement and digital signatures, and that DBC extends their utility to privacy‑preserving equality testing.
Potential applications include anonymous credential systems, where a user can prove possession of a credential without revealing its contents, and the database aggregation problem, where multiple databases need to discover overlapping records without exposing the records themselves. By providing a primitive that reveals only “equal/not‑equal” information while keeping the underlying data hidden, DBC fills a gap not addressed by SMPC or traditional zero‑knowledge proofs.
In conclusion, the authors present a theoretically sound construction of Double Blind Comparison based on SAOWFs and GIIs, supply rigorous security proofs, and outline realistic scenarios where the primitive could be deployed. Future work is directed toward finding concrete, efficient GII instantiations and integrating DBC into larger privacy‑preserving protocols.