Hacker News
by drog 1481 days ago
This protocol has some downsides: if you share the link with a large adversarial group (e.g. your school) they can brute force your crush's name, and it's basically no different than embarrassingly shouting out your crush's name in public. It also has problems with canonical names.

Instead we can alter it and fix these problems: Bob will find out his crush's public key, encrypt a "you are my crush" message to it and post it with his own signature to a public bulletin (blockchain can be a good Schelling point). When the crush decrypts the message they will see the proper string, while everyone else will see gibberish.

- To solve the problems with key distribution we can use "identity-based encryption". It requires a trusted third party (e.g. school administrators) but it solves the key generation problem for participants. With identity-based encryption Bob can encrypt a message to some canonical identity such as a school email. The owner of that email can prove their identity to the third party and receive the corresponding private key.

4 comments
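Added example (editor's illustration, not part of drog's post): the brute-force and canonical-name problems the post attributes to the original hash variant, made concrete. The roster, the spelling variants and the school.example mail domain are constructed here; the point is that an unsalted hash of a name drawn from a small known set is inverted in a handful of hash evaluations, and the only thing that slows the attacker down is guessing which spelling the committer used.

```python
import hashlib

# Constructed sample roster: the adversary (e.g. the whole school) already knows it.
ROSTER = [
    "Alice Smith", "Bob Jones", "Carol White", "Dave Brown", "Erin Black",
    "Frank Green", "Grace Hall", "Heidi King", "Ivan Young", "Judy Scott",
]


def commit(crush_name: str) -> str:
    """The original 'hash variant': publish SHA-256(name) and nothing else."""
    return hashlib.sha256(crush_name.encode("utf-8")).hexdigest()


def spellings(name: str):
    """Plausible ways to write the same person.  The committer picks one, so
    the adversary has to try each.  These forms and the school.example domain
    are assumptions of this example, not from the thread."""
    first, last = name.split(" ", 1)
    yield name
    yield name.lower()
    yield f"{first} {last[0]}."
    yield f"{first.lower()}.{last.lower()}@school.example"
    yield f"{last}, {first}"


def brute_force(commitment: str, roster=ROSTER):
    """Invert an unsalted hash commitment by trying every roster member in
    every spelling.  Returns (recovered_name, hashes_tried); the name is None
    when the committer used a spelling the adversary did not guess, which is
    the 'canonical names' problem seen from the attacker's side."""
    tries = 0
    for person in roster:
        for candidate in spellings(person):
            tries += 1
            if commit(candidate) == commitment:
                return candidate, tries
    return None, tries


if __name__ == "__main__":
    for secret in ("Alice Smith", "dave.brown@school.example", "Dave Browne"):
        print(secret, "->", brute_force(commit(secret)))
```

Ten names times five spellings is fifty hashes, i.e. instantaneous; salting the commitment does not help either, because the salt has to be published for the crush to check it, and then the attacker uses it too. Only a construction where the attacker cannot test guesses at all (encrypting to the crush's key, as the post proposes) removes the problem.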

> blockchain can be a good Schelling point

I can absolutely guarantee that the school generation would not naturally gravitate to the blockchain as a source for social interaction, since it's not (yet) running social media. I'm assuming TikTok (if it's common to post your own videos and not just consume?) or Snapchat (or whatever came next, that's probably old enough to be uncool by now I guess?)

EDIT: I just saw the suggestion that school administrators be identity providers for a crush-admission website. OK, now I'm _sure_ this must be satire. Well played.

Thanks to other people pointing it out, I now see that there is still a fundamental problem: the crush can see that you appointed them to be your crush without liking you back, and the solution is that: 1) everybody precommits to their crush set in advance, 2) users use an MPC protocol that will ensure your crush is revealed only if both of you precommitted to each other. (I guess it's similar to Yao's millionaire problem, where two parties calculate "x < y" without revealing x and y, but here you calculate "x == y" where x and y are values that you committed to previously and you don't reveal x and y.)

The previous variant does not need any blockchain because you can just embed the encrypted message in the web page similarly to the original hash variant (really it's the same as sending a private message to your crush), but the MPC variant probably needs a blockchain because that's a perfect way to publicly precommit to something.

Note: there is still the possibility that you can precommit to "x is my crush" without x being your real crush, to lure out whether you are x's crush.

P.S. I think that's a good illustration of a service that can't be done without crypto and still have similar properties.
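Added example (editor's illustration, not drog's code): the "x == y" step of the MPC variant above, done as a two-round private equality test in a Diffie-Hellman group, with the hash precommitment in front of it. Each party publishes SHA-256(nonce || crush) first; then, to test a pair, each side sends H(pair)^k for a fresh secret k and raises the other's value to its own k, so both end with H(pair)^(k_a*k_b) exactly when they chose the same pair. The group (RFC 3526 MODP Group 5), the party names and the "me|crush" pair encoding are assumptions of the example. The precommitments here are only opened to a matched partner; tying the DH messages to the commitment without opening it would need a zero-knowledge proof, which this block does not implement, and the lure problem from the note above (committing to a fake crush to probe) is not addressed by any of this.

```python
import hashlib
import secrets

# RFC 3526 MODP Group 5: a 1536-bit safe prime with generator 2.  Chosen for this
# example (the thread names no group); Q = (P-1)/2 is prime, so squares form a
# subgroup of prime order Q and exponents can be reduced mod Q.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2


def hash_to_group(value: str) -> int:
    """Map a string into the order-Q subgroup by squaring a 256-bit hash."""
    h = int.from_bytes(hashlib.sha256(value.encode("utf-8")).digest(), "big")
    return pow(h, 2, P)


def in_subgroup(v: int) -> bool:
    """Reject 0, 1, P-1 and anything outside the prime-order subgroup."""
    return 1 < v < P - 1 and pow(v, Q, P) == 1


def commit(crush: str):
    """Hiding and binding precommitment: SHA-256(nonce || crush)."""
    nonce = secrets.token_bytes(32)
    return nonce, hashlib.sha256(nonce + crush.encode("utf-8")).hexdigest()


def open_commitment(digest: str, nonce: bytes, crush: str) -> bool:
    return hashlib.sha256(nonce + crush.encode("utf-8")).hexdigest() == digest


class Party:
    def __init__(self, me: str, crush: str):
        self.me, self.crush = me, crush
        self.nonce, self.commitment = commit(crush)    # published before matching
        # Both sides derive the same string exactly when the pair is mutual:
        # the unordered pair {me, crush}, encoded as a sorted "a|b" string.
        self.pair = hash_to_group("|".join(sorted((me, crush))))
        self.k = secrets.randbelow(Q - 1) + 1          # fresh secret exponent

    def blind(self) -> int:
        """Round 1: send H(pair)^k.  Without k nobody can test a guessed name
        against this value, which is what defeats the roster brute force."""
        return pow(self.pair, self.k, P)

    def double_blind(self, peer_value: int) -> int:
        """Round 2: raise the peer's blinded value to my own exponent."""
        if not in_subgroup(peer_value):
            raise ValueError("peer sent a degenerate group element")
        return pow(peer_value, self.k, P)


def mutual_match(a: "Party", b: "Party") -> bool:
    """Private equality test.  a ends with H(pair_b)^(k_b*k_a), b with
    H(pair_a)^(k_a*k_b); exchanging those, both see equality iff the pairs match."""
    a1, b1 = a.blind(), b.blind()
    return a.double_blind(b1) == b.double_blind(a1)


def confirm(a: "Party", b: "Party") -> bool:
    """Only after a match do the two open their precommitments to each other; a
    non-match reveals nothing beyond the single bit 'no'."""
    if not mutual_match(a, b):
        return False
    return (open_commitment(a.commitment, a.nonce, a.crush)
            and open_commitment(b.commitment, b.nonce, b.crush)
            and a.crush == b.me and b.crush == a.me)


if __name__ == "__main__":
    alice, bob, carol = Party("alice", "bob"), Party("bob", "alice"), Party("carol", "bob")
    print("alice<->bob mutual:", confirm(alice, bob))
    print("carol<->bob mutual:", confirm(carol, bob))
```

The subgroup check in double_blind is the one a practitioner should not skip: a peer who sends 0, 1 or P-1 could otherwise force a predictable result, and it is the same check that applies to any received Diffie-Hellman value. The commitment only prevents a party from changing its answer between rounds; it does nothing against someone who commits to a fake crush in the first place.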

This guarantees the crush will never see their message.
And then someone will guess that the school administrators' password is "StudentsSucks2022" and steal all the private keys they left in their Documents folder.
You are correct, but I think "identity-based encryption" protocols can run in MPC mode. Multiple parties will generate a distributed secret that will be used to generate private keys. Anyone can easily generate the public key for any identity (e.g. email) for a given "key generator" setup using the public data of this setup. But for a user to get their private key, they need to assemble secrets by proving their identity to multiple independent parties; you would have to hack every one of them to recover the user's private key.
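Added example (editor's illustration, not drog's code): the distributed key-extraction arithmetic the comment describes, with the master secret split additively across n authorities. Each authority i keeps only s_i, publishes y_i = g^s_i, and after its own identity check hands the user H(id)^s_i together with a Chaum-Pedersen proof that the same s_i was used; the user multiplies the partials into H(id)^s, while anyone can compute the master public key as the product of the y_i. Real identity-based encryption (Boneh-Franklin) does this in a pairing group so that the assembled key can decrypt; this block models only the extraction step in a plain Diffie-Hellman group (RFC 3526 Group 5, same as the earlier example, repeated so the block runs on its own). The authority names, the alice@school.example identity and the mailed one-time code as the identity proof are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Public group for the example (RFC 3526 MODP Group 5, 1536-bit safe prime,
# generator 2), repeated here so the block runs on its own.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2            # prime order of the subgroup generated by G
G = 2
WIDTH = (P.bit_length() + 7) // 8


def hash_to_group(identity: str) -> int:
    """Canonical identity (e.g. a school email) -> element of the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(identity.encode("utf-8")).digest(), "big")
    return pow(h, 2, P)


def fs_challenge(*elements: int) -> int:
    """Fiat-Shamir challenge over fixed-width encodings of the transcript."""
    data = b"".join(x.to_bytes(WIDTH, "big") for x in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Authority:
    """One of n independent key generators; holds only its additive share s_i of
    the master secret s = sum(s_i) mod Q and publishes y_i = G^s_i."""

    def __init__(self, name: str):
        self.name = name
        self.share = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.share, P)
        self._codes = {}

    def send_code(self, identity: str) -> str:
        """Independent identity check, modelled as a one-time code this authority
        mails to the address (out-of-band delivery is assumed, not implemented)."""
        code = secrets.token_hex(16)
        self._codes[identity] = code
        return code

    def extract(self, identity: str, code: str):
        """Issue the partial key H(id)^s_i only to the proven mailbox owner, with a
        Chaum-Pedersen proof that the exponent equals the one behind y_i."""
        if not hmac.compare_digest(self._codes.pop(identity, ""), code):
            raise PermissionError(f"{self.name}: identity not proven")
        h = hash_to_group(identity)
        partial = pow(h, self.share, P)
        r = secrets.randbelow(Q - 1) + 1
        t1, t2 = pow(G, r, P), pow(h, r, P)
        c = fs_challenge(G, self.pub, h, partial, t1, t2)
        return partial, (t1, t2, (r + c * self.share) % Q)


def verify_partial(pub_i: int, identity: str, partial: int, proof) -> bool:
    """User-side check that log_G(y_i) == log_H(id)(partial), so a compromised or
    lazy authority cannot slip a wrong factor into the assembled key unnoticed."""
    t1, t2, z = proof
    h = hash_to_group(identity)
    c = fs_challenge(G, pub_i, h, partial, t1, t2)
    return (pow(G, z, P) == t1 * pow(pub_i, c, P) % P
            and pow(h, z, P) == t2 * pow(partial, c, P) % P)


def master_public_key(authorities) -> int:
    """y = prod(y_i) = G^s, computable by anyone from the published setup."""
    y = 1
    for a in authorities:
        y = y * a.pub % P
    return y


def assemble_key(authorities, identity: str, codes) -> int:
    """The user proves identity to every authority, verifies each partial and
    multiplies them: prod(H(id)^s_i) = H(id)^s.  No party ever holds s, and any
    strict subset of partials is missing a uniformly random factor."""
    key = 1
    for a, code in zip(authorities, codes):
        partial, proof = a.extract(identity, code)
        if not verify_partial(a.pub, identity, partial, proof):
            raise ValueError(f"{a.name}: partial key failed verification")
        key = key * partial % P
    return key


if __name__ == "__main__":
    admins = [Authority(n) for n in ("registrar", "it-office", "dean")]
    who = "alice@school.example"                   # hypothetical identity
    codes = [a.send_code(who) for a in admins]      # three independent checks
    print(hex(assemble_key(admins, who, codes))[:18], "...")
```

Two things this buys over the single-administrator setup in the comment above: stealing one authority's share (or its whole Documents folder) yields nothing about anyone's key because the other factors are uniformly random in the group, and a compromised authority that starts issuing bogus partials is caught by the proof check rather than silently corrupting the user's key. An n-of-n additive split means one unreachable authority blocks every extraction; Shamir sharing of s gives a t-of-n variant with the same per-user arithmetic.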