Questions tagged [oprf]

7 questions
3 votes, 1 answer

Is the user's password revealed to a curious server in the OPAQUE PAKE?

If the server is honest-but-curious, it can attempt to guess the user’s password $\mathsf{pw}$ by computing $\mathsf{rw} = H(\mathsf{pw}, H'(\mathsf{pw})^s)$, where $s$ is the server's OPRF key. Then, with this guessed value of $\mathsf{rw}$, the…

1 vote, 1 answer

Anonymous PAKE using two party computation

Let's say client side has a secret password $\pi$. The server has a series of indices $0..n-1$ and a salt associated value $s_i$ for all $i \in \{0,n-1\}$ call it set $S=\{s_i | i \in \{0,n-1\}\}$ for each client. Client wishes to compute an OPRF…

1 vote, 2 answers

Why is naive hash based Private Set Intersection insecure?

I know that when the domain of the set is very small, we can enumerate the elements in the set, and in that case, a simple hash-based method is not secure. However, when the domain is very large, such as when the size of the set is exponential, it…

1 vote, 1 answer

OPRF based on symmetric encryption

We need to use an OPRF (oblivious pseudorandom function) on very large sets. Unfortunately, most algorithms use elliptic curves, and so these algorithms are very slow. Does there exist some relaxation of OPRF (like the function is random only on generic…
Galois group

1 vote, 2 answers

How to construct a permutation (shuffle) oblivious pseudorandom function?

We know that OPRF is a two-party protocol, where Alice inputs $X = \{x_1, ..., x_n\}$, Bob has no input, and after executing the OPRF protocol, Alice gets $F_k(x_i)$, and Bob receives a pseudorandom key $K$. I wonder if it is possible to construct a…
song

0 votes, 0 answers

OPRF and HashToGroup security

In the OPRF protocol, the client needs to deterministically map an array of bytes x to an element of the group, namely an elliptic curve point. I know that it's insecure to replace HashToCurve with scalar multiplication, but in the case of OPRF we use blinding after…
John dow

0 votes, 0 answers

Could ECDH-OPRF-PSI support private information retrieval?

Alice: has $x=(x_1,x_2,...x_m)$. Bob: has $(y_1,m_1),...,(y_n,m_n)$. For this, Alice wants to get some message from Bob, but does not want Bob to know which one she gets. Bob generates random $a \in Z_q$, $cid_i=H(y_i^b),c_i=AES_{enc}(y_i^b, m_i),\forall…
haoxuan li