Theprivate password checker.
Services like "Have I Been Pwned?" let you check whether your password has recently appeared in a breach. However, in performing the check, they learn information about your password.
The Blyss password checker uses homomorphic encryption to keep your password completely private. Nobody can learn any information about your password, not even our servers.
You can see the code used for this demo, and read the paper outlining the scheme we use, "DoublePIR". Our implementation has not yet been security reviewed, so please treat this tool with appropriate caution.
The client starts by hashing the password. If we sent this directly to the server, it could learn the password.
The breached passwords are stored on the server in a large (8 GB) hash table. Each row of the table contains all of the password hashes starting with some hash prefix, like
....To check if a password is in the hash table, the client must:
- Download the rowcorresponding
to the password's hash prefix from the server. - Check if the password is in the downloaded row.
It's important that the server not learn which row we retrieve, since this would reveal information about our password.
Hash table
00...01...10...11...The client uses homomorphic encryption to retrieve the desired row, completely privately.
The client encrypts a big "one-hot" vector of bits. Specifically, the bits are allexcept for a singlecorresponding to the row it is trying to retrieve.
0
1
The client sends the encrypted bits to the server. Just like with normal encryption, to the server, the encrypted bits just look like random garbage; only the client knows which one is an encrypted 1.
The magic of homomorphic encryption is that, even though the encrypted bits look like garbage to the server, it can still do something useful with them. Let's see how.
One-hot vector of bits
0
0
0
0
Encrypted bits
Server
The server has the full hash table, and receives a vector of homomorphically encrypted bits.
Homomorphic encryption lets the server multiply the encrypted bits by data in the table!
The result still looks like garbage to the server, but the client can decrypt it and get the result of the multiplication.
Hash table
Encrypted bits
Encrypted row
Client
Finally, the client decrypts the encrypted row, and checks if their password is present in the row.
If the password is present, it has appeared in a data breach before, and you should stop using it.
Encrypted row
Decrypted row