Oblivious pseudorandom function: Difference between revisions

▲Specifically, an OPRF is any function with the following properties:

▲While conventional [[Pseudorandom_function_family|Pseudorandom Functions]] computed by a single party were first described in 1986<ref>{{cite journal |last1=Goldreich |first1=Oded |last2=Goldwasser |first2=Shafi |last3=Micali |first3=Silvio |title=How to construct random functions |journal=Journal of the ACM (JACM) |date=1986 |volume=33 |issue=4 |page=792-807 |doi=10.1145/6490.6503 |url=https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Pseudo%20Randomness/How%20To%20Construct%20Random%20Functions.pdf}}</ref>, it was not until 2004 that the first two-party Oblivious Pseudorandom Function was described in the literature.<ref>{{cite journal |last1=Naor |first1=Moni |last2=Reingold |first2=Omer |title=Number-theoretic constructions of efficient pseudo-random functions |journal=Journal of the ACM |date=2004 |volume=51 |issue=2 |pages=231–262 |doi=10.1145/972639.972643 |url=https://dl.acm.org/doi/10.1145/972639.972643}}</ref> The term "Oblivious Pseudorandom Function" was coined the next year in 2005 by some of the same authors.<ref>{{cite book |last1=Freedman |first1=Michael |last2=Ishai |first2=Yuval |last3=Pinkas |first3=Benny |last4=Reingold |first4=Omer |title=Keyword Search and Oblivious Pseudorandom Functions |journal=Theory of Cryptography Conference |series=Lecture Notes in Computer Science |date=2005 |volume=TCC 2005 |pages=303–324 |doi=10.1007/978-3-540-30576-7_17 |isbn=978-3-540-24573-5 |url=https://link.springer.com/chapter/10.1007/978-3-540-30576-7_17}}</ref>

▲Most forms of password-based key derivation suffer from the fact that passwords usually contain a [[Password_strength|small amount of randomness]] (or entropy) compared to full-length 128- or 256-bit encryption keys. This makes keys derived from passwords vulnerable to [[brute-force attack]]s.

▲For protocols such as [[Transport Layer Security|TLS]], a [[password]] can be used as the basis of a [[key agreement]] protocol, to establish temporary session keys or and mutually authenticate the client and server. In the TLS protocol, this system is called a ''Password-Authenticated Key Exchange'' or [[PAKE]].

▲But in its most basic implementations, the server learns the user's password during the course of the PAKE authentication. If the server is compromised, this exposes the user's password which can compromise the security of the user.

▲A CAPTCHA or "Completely Automated Public [[Turing test]] to tell Computers and Humans Apart."<ref>{{Cite web |title=What is CAPTCHA? |url=https://support.google.com/a/answer/1217728 |url-status=live |archive-url=https://web.archive.org/web/20200806173938/https://support.google.com/a/answer/1217728 |archive-date=6 August 2020 |access-date=2022-09-09 |website=Google Support |publisher=Google Inc. |quote=CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a [...]}}</ref> is a mechanism to prevent automated robots or ([[Internet_bot|bots]]) from accessing websites. Lately, mechanisms for running CAPTCHA tests have been centralized to services such as a [[Google]] and [[CloudFlare]], but this can come at the expense of user privacy.

▲Recently, CloudFlare developed a privacy-preserving technology called "Privacy Pass"<ref>{{cite web |last1=Sullivan |first1=Nick |title=Cloudflare supports Privacy Pass |url=https://blog.cloudflare.com/cloudflare-supports-privacy-pass/ |website=CloudFlare |date=9 November 2017 |publisher=CloudFlare.com |access-date=30 January 2024}}</ref> This technology is based on OPRFs, and enables the client's browser to obtain passes from CloudFlare and then present them to bypass CAPTCHA tests. Due to the fact that the CloudFlare service is oblivious to which passes were provided to which users, there is no way it can correlate users with the websites they visit. This prevents tracking of the user, and thereby preserves the user's privacy.

▲A [[password manager]] is software or a service that holds potentially many different passwords on behalf of the a single user.

▲An OPRF is used by the Password Monitor in [[Microsoft Edge]]<ref>{{Cite web|last1=Lauter|first1=Kristin|last2=Kannepalli|first2=Sreekanth|last3=Laine|first3=Kim|last4=Cruz Moreno|first4=Radames|date=January 1, 2021|title=Password Monitor: Safeguarding passwords in Microsoft Edge|url=https://www.microsoft.com/en-us/research/blog/password-monitor-safeguarding-passwords-in-microsoft-edge/|archive-url=|archive-date=|access-date=January 1, 2021|website=Microsoft Research Blog}}</ref>.

▲=== A homomorphic key management system ===

▲Similarly to securing passwords managed by a password manager, an OPRF can be used to enhance the security of a [[key management system]].

▲For example, an OPRF enables a key-management system to issue [[Key_(cryptography)|cryptographic keys]] to authenticated and authorized users, without ever seeing, learning, or being in a position to learn, any of the keys it provides to users<ref>{{cite book |last1=Jarecki |first1=Stanislaw |last2=Krawczyk |first2=Hugo |last3=Resch |first3=Jason |chapter=Updatable Oblivious Key Management for Storage Systems |date=2019 |title=Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security |volume=November 2019 |pages=379–393 |doi=10.1145/3319535.3363196 |isbn=978-1-4503-6747-9 |chapter-url=https://dl.acm.org/doi/10.1145/3319535.3363196 |access-date=Jan 27, 2024}}</ref>.

▲[[Private set intersection]] is a cryptographic technique that enables two or more parties to compare their private sets to determine which entries they share in common, but without disclosing any entires which they do not hold in common.

▲Elliptic Curves and prime order fields can be used to implement an OPRF. The essential idea is that the first-party (the client), must cryptographically ''[[Blinding_(cryptography)|blind]]'' the input prior sending it to the second-party.

▲This blinding can be viewed as a form of [[encryption]] that survives the computation performed by the second-party. Therefore the first-party can [[decrypt]] what it receives from the second-party to "unblind" it, and thereby receive the same result it would have received had the input not been blinded.

▲When the second-party receives the blinded input, it performs a computation on it using a [[Key_(cryptography)|secret]]. The result of this computation must not reveal the secret.

▲For example, the second-party may perform a [[Elliptic_curve_point_multiplication|point multiplication]] of a point on an elliptic curve. Or it may perform a [[modular exponentiation]] modulo a large [[prime]].

▲The first-party, upon receipt of the result, and with knowledge of the blinding-factor, computes a function that removes the blinding factor's influence on the result returned by the second-party. This 'unblinds' the result, revealing the output of the OPRF, (or an intermediate result which is then used by the client to compute the output of the OPRF, for example, by hashing this intermediate result).

▲The following is [[pseudocode]] for the calculations performed by the client and server using an elliptic curve based OPRF.

▲The following code represents calculations performed by the client, or the first-party.

▲The following code represents calculations performed by the server, or the second-party.

▲The server receives the ''blinded input'' value from the client, and may perform authentication, access control, request throttling, or other security measures before processing the request. It then uses it's own secret, to compute:

▲The OPRF construction can be extended in various ways. These include: verifiable, partially-oblivious, threshold-secure, and post-quantum secure versions.

▲Many applications require the ability of the first-party to verify the OPRF output was computed correctly. For example, when using the output as a key to encrypt data. If the wrong value is computed, that encrypted data may be lost forever.

▲Fortunately, most OPRFs support verifiability. For example, when using [[RSA]] blind signatures as the underlying construction, the client can, with the public key, verify the correctness of the resulting [[digital signature]].

▲=== Partially-oblivious PRF ===

▲One modification to an OPRF is called a partially-oblivious PRF, or P-OPRF.

▲For even greater security, it is possible to [[Threshold_cryptosystem|thresholdize the server]], such that the secret ('''S''') is not held by any individual server, and so the compromise of any single server, or set of servers below some defined threshold, will not expose the secret.

▲This can be done by having each server be a shareholder in a [[Secret_sharing|secret sharing scheme]]. Instead of using it's secret to compute the result, each server uses it's ''share'' of the secret to perform the computation.

▲The client then takes some subset of the server's computed results, and combines them, for example by computing a protocol known as ''interpolation in the exponent''. This recovers the same result as had the client interacted with a single server which has the full secret.

▲Finding efficient [[Post-quantum_cryptography|post-quantum]] secure implementations of OPRFs is an area of active research.<ref>{{cite journal |last1=Boneh |first1=Dan |last2=Ishai |first2=Yuval |last3=Passelègue |first3=Alain |last4=Sahai |first4=Amit |last5=Wu |first5=David |title=Exploring Crypto Dark Matter: New Simple PRF Candidates and Their Applications |journal=Cryptology ePrint Archive |date=2018 |volume=Paper 2018/1218 |url=https://eprint.iacr.org/2018/1218}}</ref>