
A company wants to poll employees about their view of the company (by using a web system, say). They would like to do it anonymously, but they don't want people filling out forms more than once. An intern in the company suggested the following.

Each employee has a certain identification number that only the employee himself knows. The electronic form asks for a one-way function image of that number (which we'll call just a "hash" of the number), which the user can easily provide. Then the user fills out the form. The information provided is of course associated with the hash, but since the hash function is one-way, nobody knows how to find the pre-image.

A well-intentioned manager says --- it won't work. Managers in the company can discover what the hashes are because they have access to these numbers that identify employees. For instance, if a manager wants to know who filled out a certain form, he just needs to compute the hash of each employee and figure out which one filled out the form.

The intern then replies --- we can solve this problem with a Bloom filter. We won't associate the hash with the form filled out. We will merely use the hash (provided by the user) to see whether that person really is an employee of the company. If the user really is an employee, we accept the form, and so the information is totally anonymous. Otherwise, we ignore the form. We ask the IT department to build a Bloom filter of all employees' (private) numbers, and the data structure is handed to the programmers who will build the web system. Now the web system can check whether a user is certainly not an employee, and there's a small probability that a true employee will be detected as a non-employee. If we use a cryptographic hash function as the hash function of the Bloom filter, then the probability that an employee will be detected as a non-employee is the probability that someone can find a second pre-image, which we may consider virtually zero.

Problems with the idea. It seems the idea just shifts the problem to the programmers who build the web system. The programmers could easily grab the hash and keep it to themselves to find out the opinion of everyone who filled out the form.

Question. The idea seemed nice, though. Can we help it to survive? What does it take to do this poll properly?

Not a duplicate? The problem seems easier than decentralized voting because we are not asking the poll to be decentralized. Or are we?

user1145880

0 Answers
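The following is an added example and is not part of the question or the asker's own code. It builds the Bloom filter the question describes, deriving the bit positions from SHA-256 as proposed, and also implements the manager's objection: hashing every known employee number and matching it against a submitted hash. The employee numbers (`EMP-nnnnnn`), the non-employee numbers (`OUT-nnnnnn`), the population size of 1000 and the 1% target rate are all constructed for illustration.

```python
"""Added example: SHA-256-keyed Bloom filter of employee numbers, plus the
hash-enumeration step a manager could run against a submitted hash.

Every identifier here is constructed for the example; none is real data.
"""
import hashlib
import math
from typing import Iterable, Iterator, Optional


class BloomFilter:
    """m-bit array with k index functions, each a separate SHA-256 digest."""

    def __init__(self, n_expected: int, fp_rate: float) -> None:
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _indices(self, item: str) -> Iterator[int]:
        # Position i is taken from SHA-256(i || item), so the k positions
        # come from independent digests rather than slices of one digest.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item: str) -> bool:
        # True means "possibly a member"; False means "certainly not a member".
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indices(item))


def employee_number(i: int) -> str:
    """Constructed employee number; stands in for the private number."""
    return f"EMP-{i:06d}"


def submitted_hash(number: str) -> str:
    """What the web form asks the user for: a plain SHA-256 of the number."""
    return hashlib.sha256(number.encode()).hexdigest()


def build_employee_filter(n_employees: int = 1000, fp_rate: float = 0.01) -> BloomFilter:
    """What the IT department would hand to the web-system programmers."""
    bf = BloomFilter(n_employees, fp_rate)
    for i in range(n_employees):
        bf.add(employee_number(i))
    return bf


def false_negatives(bf: BloomFilter, n_employees: int = 1000) -> int:
    """Number of real employees the filter rejects."""
    return sum(1 for i in range(n_employees) if employee_number(i) not in bf)


def false_positives(bf: BloomFilter, trials: int = 10000) -> int:
    """Number of constructed non-employee numbers the filter accepts."""
    return sum(1 for i in range(trials) if f"OUT-{i:06d}" in bf)


def deanonymize(target_hash: str, known_numbers: Iterable[str]) -> Optional[str]:
    """The manager's objection: hash each known number and look for a match."""
    for number in known_numbers:
        if submitted_hash(number) == target_hash:
            return number
    return None


if __name__ == "__main__":
    bf = build_employee_filter()
    print(f"m={bf.m} bits, k={bf.k} hashes")
    print("employees rejected:", false_negatives(bf))
    print("non-employees accepted (of 10000):", false_positives(bf))
    roster = [employee_number(i) for i in range(1000)]
    print("recovered from hash:", deanonymize(submitted_hash("EMP-000042"), roster))
```

`false_negatives` and `false_positives` report the filter's two error directions on the constructed population, and `deanonymize` shows how far a roster of employee numbers gets anyone holding a submitted hash; swapping SHA-256 for another hash does not change the shape of either check.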