I’m trying to design a security scheme that involves a shared secret but isn’t a traditional account password situation. The server would store a set of “keys”, each of which has a blob of data associated with it. In order for anyone to access the data for a given key, all they need to know is the plaintext name of the key. So if Alice creates data using “pineapple” as the key, Bob can ask the server for the data for the key “pineapple” and the server will return the data.
It’s completely intentional that Bob could share the secret word to other people, or for people to randomly guess “pineapple” and accidentally get the data. I only want to avoid someone being able to brute force very large numbers of keys for common dictionary words easily. I would like none of the plaintext data to ever be sent to the server, so that the people running the server could not spy on the user data or even know what the plaintext keys are. And ideally if the server was compromised, it would take a long time to brute force each of the plaintext keys and/or decrypt the corresponding data.
My idea for how this could work, is that if Alice wants to create new data, their client takes the key “pineapple” and runs a very slow hash algorithm on it, eventually creating the corresponding hash code for pineapple. Then their client encrypts the data package with “pineapple” as well using some sort of encryption method that is difficult to brute force. Alice would then send both to the server, which would check to see that the hash doesn’t already exist, and then store the hash/data pair. Later, Bob could repeat the same process of creating a hash code for pineapple, then ask the server for the data for that hash, and finally decrypt the returned data using pineapple as the key. The process of creating the initial hash would be slow, but both Alice and Bob could store it locally in their client so it would only have to be done once per key.
Is there any better way of doing this? Are there slow hash algorithms that don’t involve using a salt, which would prevent Alice and Bob from figuring out the same secure hash code without communicating with each other? Is there some way of using a salt but still using this general method where the server never sees any plaintext? Are there security concerns with this sort of scheme that I’m not considering?