0

https://www.microsoft.com/en-us/research/blog/password-monitor-safeguarding-passwords-in-microsoft-edge/

In this they mention

The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D).

How exactly do they perform it? As far as I can understand, client data would be encrypted by their own private key and the database will be encrypted using the server's private key. So since the keys mismatch, they wouldn't be able to perform HME computations, right? What am I missing here?

1 Answer

1

Let the client have public and private keys $k_{pub}, k_{prv}$ of a secure FHE (Fully Homomorphic Encryption) scheme. Now the client wants to check whether their password $pwd$ is on the breach list or not.

As stated on the MS site, to prevent the user from querying dictionary attacks on the server, they use a hash $H$ in the form of an Oblivious Pseudo-Random Function (OPRF). The client calculates $h(pwd)$, then uses their public key and encrypts it as $c = E(k_{pub},h(pwd))$. Now the client sends $(c,k_{pub})$ to the server.

Now the server, for each breached password $p_i$, calculates $c_i = E(k_{pub}, h(p_i))$. Using the FHE equality circuit $C$, they compare each breached password's hash with the user's to get the result. Note that this result is encrypted and only the client can decrypt it. Now, instead of sending each value to the user, they execute an OR operation on the results to get only one value $v$.

The value $v$ is sent back to the user and the user decrypts the single bit $b \stackrel{?}{=} D(k_{prv},v)$. If $b=0$, it means the password is not in the breach list; if $b=1$, it means it is on the breach list.

```
# Client
c = FHE_Encrypt(k_pub, h(pwd))
send c to the server

# Server

# Encrypt each password on the list
for i in 0 .. sizeof(breachedList) - 1
    c[i] = FHE_Encrypt(k_pub, h(breachedList[i]))

# Calculate the equality of the ciphertexts
for i in 0 .. sizeof(breachedList) - 1
    eq[i] = FHE_Equality_Circuit(k_pub, c[i], c)

# Start from an encryption of 0 under the client's public key
v = FHE_Encrypt(k_pub, 0)

# Combine the results to reduce the bandwidth
# Note: to reduce the depth, a binary tree calculation must be preferred.
for i in 0 .. sizeof(breachedList) - 1
    v = FHE_OR_Circuit(k_pub, v, eq[i])

return v

# Client
b = FHE_Decrypt(k_prv, v)
if b == 1
    print("Change your password immediately, it is on the breach list")
else
    print("Your password is not on the breach list")
```

kelalaka
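The flow in this answer, run end to end as an added example (not the answerer's code and not Microsoft's implementation): a toy DGHV-style integer scheme in which adding and multiplying ciphertexts acts as XOR and AND on the plaintext bits. Truncated SHA-256 stands in for the OPRF-based hash, and all function names and parameter sizes are assumptions chosen for illustration; they give no real security and only leave noise room for a handful of list entries.

```python
import hashlib, secrets

BITS = 32  # truncated hash width, an assumption that keeps the circuit small

def h(pwd):
    """Stand-in for the OPRF-based hash h: SHA-256 truncated to BITS bits."""
    d = int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")
    return [(d >> i) & 1 for i in range(BITS)]

def keygen(eta=1536, gamma=2048, tau=4):
    """Toy keys: k_prv is an odd integer p, k_pub is a list of encryptions of 0."""
    p = secrets.randbits(eta) | (1 << (eta - 1)) | 1
    k_pub = [p * secrets.randbits(gamma) + 2 * secrets.randbits(4) for _ in range(tau)]
    return k_pub, p

def enc_bit(k_pub, m):
    """c = m + 2r + random subset sum of k_pub; (c mod p) is small with parity m."""
    return m + 2 * secrets.randbits(4) + sum(x for x in k_pub if secrets.randbits(1))

def encrypt(k_pub, bits):
    return [enc_bit(k_pub, b) for b in bits]

def decrypt(k_prv, c):
    # Correct only while the accumulated noise stays below p.
    return (c % k_prv) % 2

def tree(op, items):
    """Pairwise (binary tree) reduction, as the note in the pseudocode suggests."""
    while len(items) > 1:
        items = [op(*items[i:i + 2]) if i + 1 < len(items) else items[i]
                 for i in range(0, len(items), 2)]
    return items[0]

def AND(a, b): return a * b           # product of parities
def OR(a, b): return a + b + a * b    # a XOR b XOR (a AND b)
def XNOR(a, b): return a + b + 1      # 1 exactly when the two bits agree

def equality(ca, cb):
    return tree(AND, [XNOR(x, y) for x, y in zip(ca, cb)])

def server_match(k_pub, c, breached):
    """Server side: sees only k_pub and ciphertexts, returns one encrypted bit v."""
    eq = [equality(encrypt(k_pub, h(p)), c) for p in breached]
    return tree(OR, [enc_bit(k_pub, 0)] + eq)

def check(pwd, breached):
    k_pub, k_prv = keygen()                                    # client
    v = server_match(k_pub, encrypt(k_pub, h(pwd)), breached)  # server
    return decrypt(k_prv, v)                                   # client: the bit b
```

The server only ever handles `k_pub` and ciphertexts, which is why the question's worry about mismatched keys does not arise: everything is encrypted under the client's key.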