Theory of Cryptography

Volume 5444 of the series Lecture Notes in Computer Science pp 577-594

Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection

  • Stanisław JareckiAffiliated withUniversity of California
  • , Xiaomin LiuAffiliated withUniversity of California


An Oblivious Pseudorandom Function (OPRF) [15] is a two-party protocol between sender S and receiver R for securely computing a pseudorandom function f k (·) on key k contributed by S and input x contributed by R, in such a way that receiver R learns only the value f k (x) while sender S learns nothing from the interaction. In other words, an OPRF protocol for PRF f k (·) is a secure computation for functionality \(\mathcal F_{\mathsf{OPRF}}:(k,x)\rightarrow(\perp,f_k(x))\).

We propose an OPRF protocol on committed inputs which requires only O(1) modular exponentiations, and has a constant number of communication rounds (two in ROM). Our protocol is secure in the CRS model under the Composite Decisional Residuosity (CDR) assumption, while the PRF itself is secure on a polynomially-sized domain under the Decisional q-Diffie-Hellman Inversion assumption on a group of composite order, where q is the size of the PRF domain, and it has a useful feature that f k is an injection for every k.

practical OPRF protocol for an injective PRF, even limited to a polynomially-sized domain, is a versatile tool with many uses in secure protocol design. We show that our OPRF implies a new practical fully-simulatable adaptive (and committed) OT protocol secure without ROM. In another example, this oblivious PRF construction implies the first secure computation protocol of set intersection on committed data with computational cost of O(N) exponentiations where N is the maximum size of both data sets.