1

I know that when the domain of the set is very small, we can enumerate the elements in the set, and in that case, a simple hash-based method is not secure. However, when the domain is very large, such as when the size of the set is exponential, it becomes difficult to use enumeration to find which elements are in the intersection. So why is there still a need to construct an OPRF?

psmears
Rui T.

2 Answers

4

Even when it is not possible to identify the element, the list of hashes provides any adversary with the ability to check any guess that they might have. This is knowledge that an adversary would not otherwise have.

Daniel S
2

In almost all aspects of cryptography, we define security in a scenario where the adversary chooses the honest parties' inputs. Just think about security definitions for encryption: A ciphertext should look like random junk, even to an adversary who chose the plaintext.

A PSI protocol should not reveal to me that you have item $x$, if I don't include $x$ in my set, even if I chose your input.

Mikero
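Added example, not part of the original question or answers: a toy Diffie-Hellman-style OPRF (hash, blind, exponentiate, unblind) next to a plain hash list, showing that the hash list lets anyone test a guess offline while the PRF tags cannot be tested without the sender's key. The group, the function names and the e-mail addresses are constructed for illustration, and the parameters are not secure.

```python
import hashlib, math, secrets

P = 2**127 - 1  # Mersenne prime: toy group for illustration, not a secure parameter

def h1(x: bytes) -> int:
    """Hash an item to a nonzero element of Z_P^*."""
    return int.from_bytes(hashlib.sha256(b"h1" + x).digest(), "big") % (P - 1) + 1

def h2(x: bytes, y: int) -> str:
    """Outer hash binding the item to its keyed group element."""
    return hashlib.sha256(b"h2" + x + y.to_bytes(16, "big")).hexdigest()

def naive_list(items):
    """Plain hash-based PSI message: anyone holding it can test any guess offline."""
    return {hashlib.sha256(x).hexdigest() for x in items}

class Sender:
    def __init__(self, items):
        self.items = list(items)
        self.k = secrets.randbelow(P - 2) + 1        # secret PRF key, never sent

    def evaluate(self, blinded: int) -> int:
        return pow(blinded, self.k, P)               # sees only a blinded element

    def prf_list(self):
        return {h2(x, pow(h1(x), self.k, P)) for x in self.items}

def oprf_query(sender: Sender, x: bytes) -> str:
    """Receiver side: blind, ask the sender, unblind. One interaction per item."""
    while True:
        r = secrets.randbelow(P - 2) + 1
        if math.gcd(r, P - 1) == 1:                  # r must be invertible mod P-1
            break
    answer = sender.evaluate(pow(h1(x), r, P))
    return h2(x, pow(answer, pow(r, -1, P - 1), P))  # ((h^r)^k)^(1/r) = h^k

def offline_guess(published, guess: bytes, key=None) -> bool:
    """Test a guess using only the published list, optionally with a guessed key."""
    if key is None:
        return hashlib.sha256(guess).hexdigest() in published
    return h2(guess, pow(h1(guess), key, P)) in published

def demo():
    sender = Sender([b"alice@example.org", b"bob@example.org"])  # constructed data
    receiver_items = [b"bob@example.org", b"carol@example.org"]
    tags = sender.prf_list()
    common = [x for x in receiver_items if oprf_query(sender, x) in tags]
    guess = b"alice@example.org"                     # not in the receiver's set
    return (common,
            offline_guess(naive_list(sender.items), guess),
            offline_guess(tags, guess, key=secrets.randbelow(P - 2) + 1))
```

With the OPRF, checking a guess requires an evaluation by the key holder, so the number of guesses is bounded by the number of queries the sender answers.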