Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection

  • Stanisław Jarecki
  • Xiaomin Liu
Conference paper

DOI: 10.1007/978-3-642-00457-5_34

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5444)
Cite this paper as:
Jarecki S., Liu X. (2009) Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection. In: Reingold O. (eds) Theory of Cryptography. TCC 2009. Lecture Notes in Computer Science, vol 5444. Springer, Berlin, Heidelberg

Abstract

An Oblivious Pseudorandom Function (OPRF) [15] is a two-party protocol between sender S and receiver R for securely computing a pseudorandom function fk(·) on key k contributed by S and input x contributed by R, in such a way that receiver R learns only the value fk(x) while sender S learns nothing from the interaction. In other words, an OPRF protocol for PRF fk(·) is a secure computation for functionality \(\mathcal F_{\mathsf{OPRF}}:(k,x)\rightarrow(\perp,f_k(x))\).

We propose an OPRF protocol on committed inputs which requires only O(1) modular exponentiations, and has a constant number of communication rounds (two in ROM). Our protocol is secure in the CRS model under the Composite Decisional Residuosity (CDR) assumption, while the PRF itself is secure on a polynomially-sized domain under the Decisional q-Diffie-Hellman Inversion assumption on a group of composite order, where q is the size of the PRF domain, and it has a useful feature that fk is an injection for every k.

practical OPRF protocol for an injective PRF, even limited to a polynomially-sized domain, is a versatile tool with many uses in secure protocol design. We show that our OPRF implies a new practical fully-simulatable adaptive (and committed) OT protocol secure without ROM. In another example, this oblivious PRF construction implies the first secure computation protocol of set intersection on committed data with computational cost of O(N) exponentiations where N is the maximum size of both data sets.

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Stanisław Jarecki
    • 1
  • Xiaomin Liu
    • 1
  1. 1.University of CaliforniaIrvine

Personalised recommendations