Content deleted Content added
m Disambiguating links to Messenger (link changed to Facebook Messenger) using DisamAssist. |
Altered template type. Add: url, chapter-url-access, chapter-url, isbn, volume, date, series, chapter, title. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this tool. Report bugs. | #UCB_Gadget |
||
| (2 intermediate revisions by 2 users not shown) | |||
Line 16:
== History ==
While conventional [[Pseudorandom function family|pseudorandom functions]] computed by a single party were first formalized in 1986,<ref>{{cite journal |last1=Goldreich |first1=Oded |last2=Goldwasser |first2=Shafi |last3=Micali |first3=Silvio |title=How to construct random functions |journal=Journal of the ACM |date=1986 |volume=33 |issue=4 |pages=792–807 |doi=10.1145/6490.6503 |url=https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Pseudo%20Randomness/How%20To%20Construct%20Random%20Functions.pdf}}</ref> it was not until 1997 that the [[Naor–Reingold pseudorandom function|first two-party oblivious pseudorandom function]] was described in the literature,<ref>{{cite journal |last1=Naor |first1=Moni |last2=Reingold |first2=Omer |title=Number-theoretic constructions of efficient pseudo-random functions |journal=Journal of the ACM |date=2004 |volume=51 |issue=2 |pages=231–262 |doi=10.1145/972639.972643 |url=https://dl.acm.org/doi/10.1145/972639.972643|url-access=subscription }}</ref> but the term "oblivious pseudorandom function" was not coined until 2005 by some of the same authors.<ref>{{cite book |last1=Freedman |first1=Michael |last2=Ishai |first2=Yuval |last3=Pinkas |first3=Benny |last4=Reingold |first4=Omer |title=Theory of Cryptography |chapter=Keyword Search and Oblivious Pseudorandom Functions
== Applications ==
Line 32:
If the secret key used in the OPRF is high-entropy, then the output of the OPRF will also be high-entropy. This thereby solves the problem of the password being low-entropy, and therefore vulnerable to [[Password cracking|cracking]] via [[brute-force attack|brute force]].
This technique is called ''password hardening''.<ref>{{cite book |last1=Ford |first1=W. |last2=Kaliski |first2=B. S. |chapter=Server-assisted generation of a strong secret from a password |title=Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000)|date=2000 |pages=176–180 |doi=10.1109/ENABL.2000.883724 |isbn=0-7695-0798-0 |s2cid=1977743
Further, since each attempt at guessing a password that is hardened in this way requires interaction with a server, it prevents an [[offline attack]], and thus enables the user or system administrator to be alerted to any password-cracking attempt.
Line 55:
</ref>
Recently, OPRFs have been applied to password-based key exchange to [[back up]] encrypted chat histories in [[WhatsApp]]<ref>{{cite book |last1=Davies |first1=Gareth T. |last2=Faller |first2=Sebastian |last3=Gellert |first3=Kai |last4=Handirk |first4=Tobias |last5=Hesse |first5=Julia |last6=Horváth |first6=Máté |last7=Jager |first7=Tibor |title=Advances in Cryptology – CRYPTO 2023 |chapter=Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol |series=Lecture Notes in Computer Science
=== Untraceable CAPTCHAs ===
Line 65:
A [[password manager]] is software or a service that holds potentially many different account credentials on behalf of the user. Access to the password manager is thus highly sensitive: an attack could expose many credentials to the attacker.
The first proposal for a password manager based on OPRFs was SPHINX.<ref>{{cite book |last1=Shirvanian |first1=Maliheh |last2=Jarecki |first2=Stanislaw |last3=Krawczykz |first3=Hugo |last4=Saxena |first4=Nitesh |chapter=SPHINX: A Password Store that Perfectly Hides Passwords from Itself |title=2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS) |date=2017 |pages=1094–1104 |doi=10.1109/ICDCS.2017.64 |isbn=978-1-5386-1792-2 |s2cid=4781641
An OPRF is used by the Password Monitor in [[Microsoft Edge]] to allow querying a server for whether a credential (which the user saved in the browser) is known to be compromised, without needing to reveal this credential to the server.<ref>{{Cite web|last1=Lauter|first1=Kristin|last2=Kannepalli|first2=Sreekanth|last3=Laine|first3=Kim|last4=Cruz Moreno|first4=Radames|date=January 1, 2021|title=Password Monitor: Safeguarding passwords in Microsoft Edge|url=https://www.microsoft.com/en-us/research/blog/password-monitor-safeguarding-passwords-in-microsoft-edge/|access-date=January 1, 2021|website=Microsoft Research Blog}}</ref>
Line 75:
=== Private set intersection ===
[[Private set intersection]] is a cryptographic technique that enables two or more parties to compare their private sets to determine which entries they share in common, but without disclosing any
For example, private set intersection could be used by two users of a social network to determine which friends they have in common, without revealing the identities of friends they do not have in common. To do this, they could share the outputs of an OPRF applied to the friend's identity (e.g., the friend's phone number or e-mail address).
The output of the OPRF cannot be inverted to determine the identity of the user, and since the OPRF may be [[Rate limiting|rate-limited]], it will prevent a brute-force attack (e.g., iterating over all possible phone numbers).<ref>{{cite
== Implementations ==
Line 169:
Fortunately, most OPRFs support verifiability. For example, when using [[RSA (cryptosystem)|RSA]] blind signatures as the underlying construction, the client can, with the public key, verify the correctness of the resulting [[digital signature]].
When using OPRFs based on [[elliptic curve]] or [[Diffie–Hellman]], knowing the public key ''y = g<sup>x</sup>'' it is possible to use a second request to the OPRF server to create a [[zero-knowledge proof]] of correctness for the previous result.<ref>{{cite book |last1=Jarecki |first1=Stanislaw |last2=Kiayias |first2=Aggelos |last3=Krawczyk |first3=Hugo |title=Advances in Cryptology – ASIACRYPT 2014 |chapter=Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model |series=Lecture Notes in Computer Science
=== Partially oblivious PRF ===
Line 201:
constructions rely on discrete-log- or factoring-type hardness assumptions. These assumptions are known to fall with the rise of quantum computers."<ref name="oprf"/></blockquote>
Two possible exceptions are [[Lattice-based cryptography|lattice-based]] OPRFs<ref>{{cite journal |last1=Albrecht |first1=Martin |last2=Davidson |first2=Alex |last3=Deo |first3=Amit |last4=Smart |first4=Nigel |title=Round-optimal Verifiable Oblivious Pseudorandom Functions From Ideal Lattices |journal=Cryptology ePrint Archive |date=2019 |volume=Paper 2019/1271 |url=https://eprint.iacr.org/2019/1271}}</ref> and [[Supersingular isogeny key exchange|isogeny-based]] OPRFs,<ref>{{cite book |last1=Boneh |first1=Dan |last2=Kogan |first2=Dmitry |last3=Woo |first3=Katharine |title=Advances in Cryptology – ASIACRYPT 2020 |chapter=Oblivious Pseudorandom Functions from Isogenies |series=Lecture Notes in Computer Science
A more secure, but less efficient approach to realize a post-quantum–secure OPRF is to use a [[secure two-party computation]] protocol to compute a PRF using a [[symmetric cryptography|symmetric-key]] construction, such as [[Advanced encryption standard|AES]] or [[HMAC]].
| |||