Oblivious pseudorandom function


An oblivious pseudorandom function is a cryptographic function, similar to a keyed-hash function, but with the distinction that in an OPRF two parties cooperate to securely compute a pseudorandom function.

Definition

Specifically, an OPRF is a pseudorandom function with the following properties:
  • The parties compute: O = OPRF
  • The first party, knows the input and learns the output but does not learn the secret
  • The second party, knows the secret, but does not learn either the input, nor the output.
  • The function has the same security properties as any pseudorandom function. Specifically it shall be hard to distinguish the output from true randomness.
The function is called an oblivious pseudorandom function, because the second party is oblivious to the function's output. This party learns no new information from participating in the calculation of the result.
However, because it is only the second party that holds the secret, the first party must involve the second party to calculate the output of the pseudorandom function. This requirement enables the second party to implement access controls, throttling, audit logging and other security measures.

History

While conventional pseudorandom functions computed by a single party were first formalized in 1986, it was not until 1997 that the first two-party oblivious pseudorandom function was described in the literature, but the term "oblivious pseudorandom function" was not coined until 2005 by some of the same authors.

Applications

OPRFs have many useful applications in cryptography and information security.
These include password-based key derivation, password-based key agreement, password-hardening, untraceable CAPTCHAs, password management, homomorphic key management, and private set intersection.
An OPRF can be viewed as a special case of homomorphic encryption, as it enables another party to compute a function over an encrypted input and produce a result and therefore it learns nothing about what it computed.

Password-based key derivation

Most forms of password-based key derivation suffer from the fact that passwords usually contain a small amount of randomness compared to full-length 128- or 256-bit encryption keys. This makes keys derived from passwords vulnerable to brute-force attacks.
However, this threat can be mitigated by using the output of an OPRF that takes the password as input.
If the secret key used in the OPRF is high-entropy, then the output of the OPRF will also be high-entropy. This thereby solves the problem of the password being low-entropy, and therefore vulnerable to cracking via brute force.
This technique is called password hardening. It fills a similar purpose as key stretching, but password hardening adds significantly more entropy.
Further, since each attempt at guessing a password that is hardened in this way requires interaction with a server, it prevents an offline attack, and thus enables the user or system administrator to be alerted to any password-cracking attempt.
The recovered key may then be used for authentication, or may be used to decrypt sensitive content, such as an encrypted file or crypto wallet.

Password-authenticated key exchange

A password can be used as the basis of a key agreement protocol, to establish temporary session keys and mutually authenticate the client and server. This is known as a password-authenticated key exchange or PAKE.
In basic authentication, the server learns the user's password during the course of the authentication. If the server is compromised, this exposes the user's password which compromises the security of the user.
With PAKE, however, the user's password is not sent to the server, preventing it from falling into an eavesdropper's hands. It can be seen as an authentication via a zero-knowledge password proof.
Various 'augmented forms' of PAKE incorporate an oblivious pseudorandom function so that the server never sees the user's password during the authentication, but nevertheless it is able to authenticate the client is in possession of the correct password. This is done by assuming only the client that knows the correct password can use the OPRF to derive the correct key.
An example of an augmented PAKE that uses an OPRF in this way is OPAQUE.
Recently, OPRFs have been applied to password-based key exchange to back up encrypted chat histories in WhatsApp and Facebook Messenger. A similar use case is planned to be added in Signal Messenger.

Untraceable CAPTCHAs

A CAPTCHA or "Completely Automated Public Turing test to tell Computers and Humans Apart" is a mechanism to prevent automated robots or from accessing websites. Lately, mechanisms for running CAPTCHA tests have been centralized to services such as Google and CloudFlare, but this can come at the expense of user privacy.
Recently, CloudFlare developed a privacy-preserving technology called "Privacy Pass". This technology is based on OPRFs, and enables the client's browser to obtain passes from CloudFlare and then present them to bypass CAPTCHA tests. Due to the fact that the CloudFlare service is oblivious to which passes were provided to which users, there is no way it can correlate users with the websites they visit. This prevents tracking of the user, and thereby preserves the user's privacy.

An improved password manager

A password manager is software or a service that holds potentially many different account credentials on behalf of the user. Access to the password manager is thus highly sensitive: an attack could expose many credentials to the attacker.
The first proposal for a password manager based on OPRFs was SPHINX. It uses two devices which collaborate to compute a password for a given account. Because the user's two devices exchange values according to an OPRF protocol, intercepting the connection between them does not reveal anything about the password or the internal values each device used to compute it. Requiring two devices to compute any password also ensures that a compromise of either device does not allow the attacker to compute any of the passwords. A downside of this approach is that the user always needs access to both devices whenever they want to log in to any of their accounts.
An OPRF is used by the Password Monitor in Microsoft Edge to allow querying a server for whether a credential is known to be compromised, without needing to reveal this credential to the server.

A homomorphic key-management system

Similarly to securing passwords managed by a password manager, an OPRF can be used to enhance the security of a key-management system.
For example, an OPRF enables a key-management system to issue cryptographic keys to authenticated and authorized users, without ever seeing, learning, or being in a position to learn, any of the keys it provides to users.

Private set intersection

is a cryptographic technique that enables two or more parties to compare their private sets to determine which entries they share in common, but without disclosing any entries which they do not hold in common.
For example, private set intersection could be used by two users of a social network to determine which friends they have in common, without revealing the identities of friends they do not have in common. To do this, they could share the outputs of an OPRF applied to the friend's identity.
The output of the OPRF cannot be inverted to determine the identity of the user, and since the OPRF may be rate-limited, it will prevent a brute-force attack.

Implementations

There are various mathematical functions that can serve as the basis to implement an OPRF.
For example, methods from asymmetric cryptography, including elliptic curve point multiplication, Diffie–Hellman modular exponentiation over a prime, or an RSA signature calculation.

EC and conventional Diffie–Hellman

Elliptic curves and prime order fields can be used to implement an OPRF. The essential idea is that the first party, must cryptographically blind the input prior sending it to the second party.
This blinding can be viewed as a form of encryption that survives the computation performed by the second party. Therefore, the first party can decrypt what it receives from the second party to "unblind" it, and thereby receive the same result it would have received had the input not been blinded.
When the second party receives the blinded input, it performs a computation on it using a secret. The result of this computation must not reveal the secret.
For example, the second party may perform a point multiplication of a point on an elliptic curve. Or it may perform a modular exponentiation modulo a large prime.
The first party, upon receipt of the result, and with knowledge of the blinding-factor, computes a function that removes the blinding factor's influence on the result returned by the second party. This 'unblinds' the result, revealing the output of the OPRF.

Sample OPRF protocol

The following is pseudocode for the calculations performed by the client and server using an elliptic-curve–based OPRF.
Client-side calculation
The following code represents calculations performed by the client, or the first party.

byte computeOPRF

Notes:
The client computes the multiplicative inverse of the blinding factor. This enables it to reverse the effect of the blinding factor on the result, and obtain the result the server would have returned had the client not blinded the input.
As a final step, to complete the OPRF, the client performs a one-way hash on the result to ensure the OPRF output is uniform, completely pseudorandom, and non-invertible.
Server-side calculation
The following code represents calculations performed by the server, or the second party.
The server receives the blinded input value from the client, and may perform authentication, access control, request throttling, or other security measures before processing the request. It then uses its own secret to compute:

ECPoint processRequest

It then returns the response, which is the blinded output, to the client.
Notes:
Because the elliptic curve point multiplication is computationally difficult to invert (like the discrete logarithm problem, the client cannot feasibly learn the server's secret from the response it produces.
Note, however, that this function is vulnerable to attacks by quantum computers. A client or third party in possession of a quantum computer could solve for the server's secret knowing the result it produced for a given input.