
We know that OPRF is a two-party protocol, where Alice inputs $X = \{x_1, \ldots, x_n\}$, Bob has no input, and after executing the OPRF protocol, Alice gets $F_k(x_i)$, and Bob receives a pseudorandom key $K$.

I wonder if it is possible to construct a permutation (shuffle) OPRF, where Alice inputs $X$, Bob inputs a random permutation $\pi$, and after the protocol ends, Alice gets $F_k(x_{\pi(i)})$, and Bob receives the pseudorandom key $K$.

Are there any works that implement such a protocol now? Or are there any similar works that achieve this goal?

Maarten Bodewes
song

2 Answers

I believe this can be achieved through standard composition of oblivious PRF (OPRF) and secure two-party computation (2PC). Namely, let $F_1(X, \bot) := (f_k(X), k)$ be the functionality of OPRF, and let $F_2(Y, \pi) := (\pi(Y), \bot)$ be the functionality of permutation. Then, the desired protocol is just to realize the functionality $G(X, \pi) := F_1(F_2(X, \pi), \bot)$. That can be achieved by any generic 2PC.

Of course, we may want to achieve efficiency better than generic 2PC. I guess it is not hard if we can open and modify a given OPRF protocol.

xacid

The classic Diffie-Hellman-based protocol for PSI cardinality (from Huberman, Franklin, Hogg) implements exactly this functionality and is quite simple to understand.

The PRF is $F(k,x) = H(x)^k$ where $H$ is a random oracle with output in a cyclic group where DDH holds.

The protocol for obliviously computing this PRF is:

  • Alice has $X = \{x_1, \ldots, x_n\}$. She picks random exponent $a$ and sends $H(x_1)^a, \ldots, H(x_n)^a$ to Bob.

  • Bob raises each of these to the $k$ power, shuffles them, and sends the results back to Alice.

  • Alice now has a random permutation of $\{ H(x_i)^{ak} \}$, and she can raise each to the $a^{-1}$ power.

This protocol is secure against passive adversaries. If you want it to be secure against active adversaries, you would probably add some ZK proof of shuffle. For that, I suggest taking a look at De Cristofaro, Gasti, Tsudik (edit: I thought this paper did active security, but I guess not --- I will try to find the right reference).

Mikero
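Mikero's three-message protocol, as an added worked example (not code from the answer or the cited paper): Alice blinds, Bob applies his key and his permutation, Alice unblinds, and the result can be compared with a direct evaluation of $H(x_{\pi(i)})^k$. Assumptions: a 128-bit safe-prime subgroup generated at runtime stands in for a proper DDH group (a deployment would use a standard elliptic-curve group), and SHA-256 squared mod $p$ stands in for the random oracle $H$.

```python
import hashlib
import secrets

def is_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (n > 30 here); adequate for a demo group."""
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Random safe prime p = 2q + 1 (assumption: a throwaway demo group, not a standard one)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

def H(x, p):
    """Stand-in for the random oracle: SHA-256 reduced mod p, then squared into the order-q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(x.encode()).digest(), "big") % p, 2, p)

def alice_blind(xs, p, q):
    """Message 1: Alice hides every H(x_i) under one fresh exponent a."""
    a = secrets.randbelow(q - 1) + 1
    return a, [pow(H(x, p), a, p) for x in xs]

def bob_eval_and_shuffle(blinded, k, p, pi):
    """Message 2: Bob raises to his key k and permutes; output slot i receives input pi[i]."""
    evaluated = [pow(b, k, p) for b in blinded]
    return [evaluated[pi[i]] for i in range(len(evaluated))]

def shuffled_oprf(xs, k, pi, p, q):
    """Run the three steps locally: Alice ends with [H(x_{pi(i)})^k] without learning k."""
    a, blinded = alice_blind(xs, p, q)
    shuffled = bob_eval_and_shuffle(blinded, k, p, pi)
    # Alice removes a via a^-1 mod q; valid because every value lies in the order-q subgroup.
    return [pow(s, pow(a, -1, q), p) for s in shuffled]
```

The final comparison against the direct PRF evaluation is only possible because both parties run in one process; in the real protocol Bob's $k$ and $\pi$ never leave his side, which is the whole point.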