Oblivious Pseudorandom Functions (OPRFs)

Updated 8 December 2025

OPRFs are defined as two-party protocols that allow a client to obtain F_K(x) without revealing its input while the server keeps the secret key K.
Implementations include RSA-based and DDH-based constructions that use blinding to ensure correctness, obliviousness, and pseudorandomness.
Extensions like Blocklisted OPRFs support privacy-preserving checks in federated authentication, secure password registration, and malware detection.

An Oblivious Pseudorandom Function (OPRF) is a two-party cryptographic primitive in which a client and a server jointly compute a keyed pseudorandom function $F_K(x)$ —the client receives the output for its private input $x$ , while the server holds the secret key $K$ , but neither party learns anything more about the other's secret than what is inherent in the function output. OPRFs form a foundational building block for privacy-preserving protocols, enabling applications such as federated authentication, secure password registration, and blacklisting with input privacy maintained throughout. Their rigorous security stems from cryptographic assumptions such as the RSA inversion assumption or the Decisional Diffie-Hellman (DDH) problem, coupled with blinding techniques and, in advanced variants, privacy-preserving set intersection and embedding strategies (Buccafurri et al., 1 Dec 2025, Zhang et al., 21 Jul 2025).

1. Formal Definition and Properties

Let $\{F_K : D \to R\}_K$ denote a family of keyed functions, parameterized by server-generated key $K \leftarrow KeyGen(1^\lambda)$ . An OPRF protocol operates between a client input $x \in D$ and a server holding $K$ , satisfying three core guarantees:

Correctness: Upon completion, the client obtains output $y = F_K(x)$ .
Obliviousness: The server learns nothing about $x$ ; the client learns nothing about $K$ beyond what is implied by $y$ .
Pseudorandomness: $F_K(x)$ is computationally indistinguishable from uniform to the client, assuming an honest server.

This is formally realized by protocols decomposing into the sequence:

Client: Compute $(X, r) \leftarrow Blind(x)$ and send $X$ to server.
Server: $Y \leftarrow Eval_K(X)$ and send $Y$ to client.
Client: $y \leftarrow Unblind(Y, r)$ to obtain $F_K(x)$ .

Correct protocol execution ensures that $y = F_K(x)$ and the above security properties hold even if one party is malicious (Buccafurri et al., 1 Dec 2025, Zhang et al., 21 Jul 2025).

2. Concrete Constructions

RSA-Based OPRF

A standard OPRF construction uses RSA blind signatures. The server (central service) possesses an RSA key $(N, e, d)$ with $N = pq$ , $ed \equiv 1 \bmod \varphi(N)$ . Hash functions $H, H'$ are modeled as random oracles. The PRF is defined as:

$F_K(x) = H'(x^{d} \bmod N)$

Protocol steps:

Client picks $r \leftarrow \mathbb{Z}_N^*$ , computes $X = H(x) \cdot r^e \bmod N$ ; sends $X$ to server.
Server computes $Y = X^d \bmod N$ ; returns $Y$ .
Client computes $y = Y \cdot r^{-1} \bmod N$ ; output is $F_K(x) = H'(y)$ .

In some applications, the outer hash $H'$ may be omitted and the domain-specific $y = (H(x))^d$ used directly (Buccafurri et al., 1 Dec 2025).

DDH-Based OPRF (Naor–Pinkas)

With cyclic group $G$ of prime order $p$ (DDH-hard), and hash $H : X \rightarrow G$ :

Client chooses random $r \in \mathbb{Z}_p$ , sends $T = H(x)^r$ .
Server computes $U = T^k = H(x)^{rk}$ for secret $k$ .
Client unblinds: $y = U^{r^{-1}} = H(x)^k$ .
Final output: $PRF_k(x) = \mathcal{KDF}(y)$ using a key-derivation function $\mathcal{KDF}$ (Zhang et al., 21 Jul 2025).

Security requires the DDH assumption, random oracle modeling, and blinding to protect $x$ .

3. Extensions: Blocklisted OPRFs (B-OPRF)

Blocklisted OPRFs (B-OPRFs) generalize OPRFs to allow the server to enforce a blocklist $B \subseteq X$ (possibly “fuzzy,” via metric embedding). The evaluation only succeeds if $x \notin B$ ; otherwise, the process aborts without revealing $PRF_K(x)$ (Zhang et al., 21 Jul 2025).

The architecture involves:

Metric-space embedding: Transform $x$ to $z = Emb_e(x)$ (embedding key $e$ ), compute $\text{blocked}_{B,T}(z) = \exists b \in B : d(z, Emb(b)) \leq T$ .
Two-phase protocol:
- Explicit check: OPRF-based embedding and private distance-aware set intersection. Abort if too close to $B$ .
- Commit token: Upon passing, compute $t = z + h$ ( $h = Hash(x||z||e)$ ), then OPRF on $t$ gives output; $S$ stores $(t,k)$ .
- Implicit check: For subsequent queries, $C$ recomputes $t$ , $S$ allows efficient evaluation bypassing set intersection.
Security: The client’s chance to evade blocklisting combines unpredictability of the permutation, PRF security, and false accept/reject rates parameterized by the blocklist embedding (Zhang et al., 21 Jul 2025).

4. Domain-Specific and Privacy-Preserving Transformations

To enforce unlinkability across federated authentication domains, a domain-specific exponent $t_i$ is used by each identity provider (IdP):

Each $IdP_i$ applies $t_i$ to the blinded input, yielding $X_i = [Blind(x)]^{t_i} \bmod N$ .
CTS computes $Y_i = X_i^d \bmod N$ .
IdP retrieves $PID_i = Y_i \cdot (r^{t_i})^{-1} \bmod N = (H(UPI))^{d t_i} \bmod N$ .

This transformation ensures that each IdP derives a pseudonymous identifier specific to its own domain, with no raw user identifier or possibility for cross-domain linkage, while still enabling global duplicate-registration checks (Buccafurri et al., 1 Dec 2025).

5. Security Analysis

The core security rests on established cryptographic assumptions:

RSA inversion (for RSA-based OPRF): Given $(N,e)$ and $u \in \mathbb{Z}_N^*$ , inverting $u^d$ is computationally infeasible.
Random Oracle Model: $H$ and $H'$ (or $\mathcal{KDF}$ ) behave as ideal random functions.
DDH (for group-based OPRF): The indistinguishability of $H(x)^k$ from random group elements.

Obliviousness for the input arises from the one-wayness of blinding (e.g., $X = H(x) r^e$ masks $x$ ), and pseudorandomness follows from standard reduction arguments. In B-OPRFs, cheating probabilities are bounded by the unpredictability of embedding permutations and the blocklist embedding’s statistical parameters. The security of embedding and blocklist checks is ensured through the use of additional OPRF/VOLE wrappers and cryptographic hashing that hides intermediate values (Buccafurri et al., 1 Dec 2025, Zhang et al., 21 Jul 2025).

6. Efficiency and Practical Implementations

The computational and communication overhead of OPRF protocols is well-understood and practical:

Actor	Computation	Communication
Client (IdP)	1 hash, 1 $r \leftarrow \mathbb{Z}_N^*$ , 2 exponentiations, 1 inversion	$\|N\|$ -bit value to server; receives $\|N\|$ -bit result
Server (CTS)	1 exponentiation	$\|N\|$ -bit response

For $2048$-bit RSA, evaluation time is in the low-millisecond range. OPRF-based blocklisting incurs higher cost due to private set intersection, but supports efficient repeat evaluations via token caching, reducing repeated cost to $O(d)$ . In password-blocklisting experiments with $|B| \sim 3 \times 10^5$ (embedded to $E \sim 1,500$ ), explicit check latency is $1.42$ s and subsequent implicit check is $11$ ms; communication is correspondingly $5.6$ MB and $21$ KB. For blocklisted MACs in malware applications with $n \sim 1,000$ , explicit check is $41.3$ s and $102$ MB, implicit check just $4.7$ s and $49$ KB (Buccafurri et al., 1 Dec 2025, Zhang et al., 21 Jul 2025).

7. Applications and Protocol Flows

Federated Authentication

The privacy-preserving protocol for federated identity relies on OPRF for blinded registration and duplicate-enrollment detection while resisting cross-domain correlation. Each enrollment proceeds as:

User submits UPI to IdP.
IdP blinds UPI, applies domain exponent, and transmits to CTS.
CTS evaluates OPRF, returns result for unblinding.
IdP derives pseudonymous domain identifier and proves key possession.
CTS stores (PID, status) and issues a blind signature token (Buccafurri et al., 1 Dec 2025).

Blocklisting in PAKE and Executable MACs

B-OPRFs enable privacy-preserving password blocklisting in augmented PAKE and blocklisted MAC computation for malware-free executables:

PAKE blocklisting: Input is checked against both exact and near matches of known weak passwords (edit distance $\leq 1$ ); explicit check requires set intersection, implicit (repeat) check is fast.
Executable MAC: Inputs are compared to blocklisted malware embeddings using PSI, with communication and latency improvements over monolithic approaches (Zhang et al., 21 Jul 2025).

These demonstrations highlight OPRFs’ adaptability to stringent privacy and efficiency requirements in diverse privacy-preserving distributed systems.

Markdown Report Issue Upgrade to Chat

References (2)

A Privacy-Preserving Information-Sharing Protocol for Federated Authentication (2025)

Blocklisted Oblivious Pseudorandom Functions (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Oblivious Pseudorandom Functions (OPRFs).