Abstract
Oblivious Pseudorandom Function (OPRF) is a protocol between a client holding input x and a server holding key k for a PRF F. At the end, the client learns \(F_k(x)\) and nothing else while the server learns nothing. OPRFs have found diverse applications as components of larger protocols, and the currently most efficient instantiation, with security proven in the UC model, is \(F_k(x)=H_2(x,(H_1(x))^k)\) computed using so-called exponential blinding, i.e. the client sends \(a=(H_1(x))^r\) for random r, the server responds \(b=a^k\), which the client unblinds as \(v=b^{1/r}\) to compute \(F_k(x)=H_2(x,v)\).
However, this protocol requires two variable-base exponentiations on the client, while a more efficient multiplicative blinding scheme replaces one or both client exponentiations with fixed-base exponentiation, reducing the client's computational cost by a factor between two and six, depending on pre-computation.
We analyze the security of the above OPRF with multiplicative blinding, showing surprising weaknesses that offer attack avenues which are not present using exponential blinding. We characterize the security of this OPRF implementation as a “Correlated OPRF” functionality, a relaxation of UC OPRF functionality used in prior work.
On the positive side, we show that the Correlated OPRF suffices for the security of OPAQUE, the asymmetric PAKE protocol, hence allowing OPAQUE the computational advantages of multiplicative blinding. Unfortunately, we also show examples of other OPRF applications which become insecure when using such blinding. The conclusion is that usage of multiplicative blinding for \(F_k(x)\) defined as above, in settings where the correct value \(g^k\) (needed for multiplicative blinding) is not authenticated and OPRF inputs are of low entropy, must be carefully analyzed, or avoided altogether. We complete the picture by showing a simple and safe alternative definition of function \(F_k(x)\) which offers (full) UC OPRF security using either form of blinding.
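The two blinding modes described in the abstract, as an added example written for this page (it is not the paper's code and not an implementation from any project). It runs over a constructed toy Schnorr group (p = 1019, q = 509, g = 4, far too small for real use) and uses a stand-in H1 that exponentiates g by a hashed scalar, which exercises the blinding algebra but is not a secure hash-to-group map. The function names (server_respond, exponential_v, multiplicative_v, oprf_exponential, oprf_multiplicative) and the delta, z_key and pinned_z parameters are this example's own. It shows three things a practitioner wants to see: an honest server yields the same \(F_k(x)\) under both blindings; a group element delta that the server multiplies into b passes through multiplicative unblinding unchanged (\(v=\delta\cdot H_1(x)^k\)) while exponential unblinding turns it into \(\delta^{1/r}\), which the server cannot control; and a client that pins z = g^k (the cached value of note 2) detects a z that does not match, which is the authentication of \(g^k\) the abstract's conclusion calls for.

```python
import hashlib

# Constructed toy Schnorr group: p = 2q + 1 with p and q prime, g = 4 generates the
# order-q subgroup. Small enough to check by hand, far too small for any real use.
P, Q, G = 1019, 509, 4


def h1(x: bytes) -> int:
    """Stand-in for the random oracle H1 into the group (assumption of this example).
    Real deployments use a hash-to-group map; exponentiating g by a hashed scalar is
    enough to exercise the blinding algebra but is NOT a secure H1, because the caller
    learns log_g H1(x)."""
    e = int.from_bytes(hashlib.sha256(b"H1|" + x).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)


def h2(x: bytes, v: int) -> bytes:
    """H2(x, v), the final PRF output. v < P < 2**16, so two bytes suffice."""
    return hashlib.sha256(b"H2|" + x + b"|" + v.to_bytes(2, "big")).digest()


def prf(k: int, x: bytes) -> bytes:
    """Reference F_k(x) = H2(x, H1(x)^k), computed directly for comparison."""
    return h2(x, pow(h1(x), k, P))


def server_respond(k: int, a: int, delta: int = 1, z_key=None):
    """Server's reply (b, z) to the blinded element a.  delta = 1 and z_key = None is an
    honest server: b = a^k, z = g^k.  delta != 1 multiplies b by a server-chosen group
    element; z_key != k makes the server send a z that is not g^k."""
    b = (pow(a, k, P) * delta) % P
    z = pow(G, k if z_key is None else z_key, P)
    return b, z


def exponential_v(k: int, x: bytes, r: int, delta: int = 1) -> int:
    """Client with exponential blinding: a = H1(x)^r, v = b^(1/r).  z is never used."""
    a = pow(h1(x), r, P)
    b, _z = server_respond(k, a, delta)
    return pow(b, pow(r, -1, Q), P)


def multiplicative_v(k: int, x: bytes, r: int, delta: int = 1, z_key=None, pinned_z=None) -> int:
    """Client with multiplicative blinding: a = H1(x) * g^r, v = b * z^(-r).
    g^r is a fixed-base exponentiation and can be precomputed, which is the saving the
    abstract describes.  If pinned_z (a cached copy of g^k) is given, the client refuses
    a z that does not match it; without that check the output depends on whatever z the
    server sent."""
    a = (h1(x) * pow(G, r, P)) % P
    b, z = server_respond(k, a, delta, z_key)
    if pinned_z is not None and z != pinned_z:
        raise ValueError("server's z does not match the pinned g^k")
    return (b * pow(z, Q - r, P)) % P  # z^(Q - r) == z^(-r) because z has order Q


def oprf_exponential(k: int, x: bytes, r: int, delta: int = 1) -> bytes:
    return h2(x, exponential_v(k, x, r, delta))


def oprf_multiplicative(k: int, x: bytes, r: int, delta: int = 1, z_key=None, pinned_z=None) -> bytes:
    return h2(x, multiplicative_v(k, x, r, delta, z_key, pinned_z))


if __name__ == "__main__":
    k, r, x = 123, 77, b"constructed-input"   # constructed key, blinding factor, input
    assert oprf_exponential(k, x, r) == prf(k, x) == oprf_multiplicative(k, x, r)
    # A server-side offset delta = g^5 survives multiplicative unblinding exactly ...
    delta = pow(G, 5, P)
    assert multiplicative_v(k, x, r, delta) == (pow(h1(x), k, P) * delta) % P
    # ... but exponential unblinding maps it to delta^(1/r), which depends on the
    # client's secret r.
    assert exponential_v(k, x, r, delta) == (pow(h1(x), k, P) * pow(delta, pow(r, -1, Q), P)) % P
    # Pinning g^k catches a z that is not g^k; without the pin the client silently
    # evaluates a different function.
    assert oprf_multiplicative(k, x, r, z_key=321) != prf(k, x)
    assert oprf_multiplicative(k, x, r, pinned_z=pow(G, k, P)) == prf(k, x)
    print("ok")
```

The asymmetry in the middle block is the whole point: with exponential blinding the server's only lever is an offset that gets raised to 1/r, a value the server never sees, so the client's output is unpredictable to it; with multiplicative blinding the same offset, or a substituted z, lands in v unchanged, so the client's output is a deterministic function of (x, b, z) that the server chose. That is why the abstract ties the safety of multiplicative blinding to having \(g^k\) authenticated, and why a pinned or cached z is the natural client-side check.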
Notes
1. In the context of additive groups, “multiplicative” would be replaced with “additive” and “exponential” with “scalar-multiplicative”. A less confusing terminology could refer to these as fixed-base and var-base blindings, respectively.
2. For example, in a password protocol such as OPAQUE [17], a user can cache values z corresponding to servers it accesses frequently, e.g., Google, Facebook, etc.
3. The potential insecurity of multiplicative blinding as UC OPRF was pointed out in [17], which left its security analysis as an open question.
4. Note that an honest server’s response \((b,z)=(a^k,g^k)\) corresponds to \(\delta =1\) and the evaluated function \(F_{(1,z)}\) is identical to the intended function \(F_k\).
5. The correlation between functions \(F_{(\delta _1,z_1)}\) and \(F_{(\delta _2,z_2)}\) would now require that \(z_1 = z_2\), hence \(k_1 = k_2\), in which case Eq. (3) holds only if \(\delta _1 = \delta _2\), hence \((\delta _1,z_1)=(\delta _2,z_2)\).
6. Another way for 2HashDH to realize UC OPRF with multiplicative blinding is to add a zero-knowledge proof that (g, z, a, b) is a DDH tuple, but this would void the performance benefit of .
7. As in the adaptive version of UC OPRF \(\mathcal {F}_{\mathsf {OPRF}}\) [17], we allow server \(\mathsf {S}\) to be adaptively compromised, via call \(\textsc {Compromise}\) from \(\mathcal {A^*}\), which models a leakage of the private state of \(\mathsf {S}\), including its PRF key and all its authentication tokens. One consequence of server compromise is that \(\textsc {RcvComplete}\) will no longer check that \(\mathsf {tx}>0\).
8. Observe that \(v=bz^{-r}=(h_{x'})^{k-k'}(h_x g^r)^{k'}(g^{k'})^{-r}=h_{x'}^k(h_{x'}/h_x)^{k'}\), hence \(v=(h_x)^k\) iff \(h_x=h_{x'}\). Using the terminology of Eq. (2), \(\mathsf {C}\) computes \(y'=F_{(\delta ,z)}(x)\) for \(F_{(\delta ,z)}\) which is correlated with \(F_k\) on \(x'\), hence \(y'=F_k(x)\) iff \(x=x'\).
References
1. Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: ACM Conference on Computer and Communications Security - CCS 2011. ACM (2011)
2. Boyen, X.: HPAKE: password authentication secure against cross-site user impersonation. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 279–298. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6_19
3. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 200–207. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_18
4. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: IEEE Symposium on Foundations of Computer Science - FOCS 2001, pp. 136–145. IEEE (2001)
5. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7
6. Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G., Valsorda, F.: Privacy pass: bypassing internet challenges anonymously. In: Privacy Enhancing Technologies Symposium - PETS 2018, pp. 164–180. Sciendo (2019)
7. Ford, W., Kaliski, B.S.: Server-assisted generation of a strong secret from a password. In: IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises - WET ICE 2000, pp. 176–180. IEEE (2000)
8. Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_17
9. Haase, B., Labrique, B.: AuCPace: efficient verifier-based PAKE protocol tailored for the IIoT. In: CHES (2019)
10. Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_13
11. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing (Or: how to protect your bitcoin wallet online). In: IEEE European Symposium on Security and Privacy - EuroS&P 2016, pp. 276–291. IEEE (2016)
12. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: TOPPSS: cost-minimal password-protected secret sharing based on threshold OPRF. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 39–58. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_3
13. Jarecki, S., Krawczyk, H., Resch, J.: Updatable oblivious key management for storage systems. In: ACM Conference on Computer and Communications Security - CCS 2019. ACM (2019)
14. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 177–188. ACM (2016)
15. Jarecki, S., Krawczyk, H., Xu, J.: On the (In)Security of the Diffie-Hellman oblivious PRF with multiplicative blinding. IACR Cryptology ePrint Archive 2021:273
16. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. IACR Cryptology ePrint Archive 2018:163
17. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15
18. Jarecki, S., Liu, X.: Fast secure computation of set intersection. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 418–435. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_26
19. Krawczyk, H.: SIGMA: The ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24
20. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
21. Krawczyk, H.: The OPAQUE asymmetric PAKE protocol, May 2020. https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque
22. Krawczyk, H., Lewi, K., Wood, C.A.: The OPAQUE asymmetric PAKE protocol, November 2020. https://tools.ietf.org/html/draft-irtf-cfrg-opaque
23. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_23
24. Shirvanian, M., Saxena, N., Jarecki, S., Krawczyk, H.: Building and studying a password store that perfectly hides passwords from itself. IEEE Trans. Dependable Secure Comput. 16, 5 (2019)
25. Sullivan, N.: Exported authenticators in TLS, May 2020. https://tools.ietf.org/html/draft-ietf-tls-exported-authenticator
26. Sullivan, N., Krawczyk, H., Friel, O., Barnes, R.: Usage of OPAQUE with TLS 1.3, March 2019. https://tools.ietf.org/html/draft-sullivan-tls-opaque
© 2021 International Association for Cryptologic Research
Jarecki, S., Krawczyk, H., Xu, J. (2021). On the (In)Security of the Diffie-Hellman Oblivious PRF with Multiplicative Blinding. In: Garay, J.A. (ed.) Public-Key Cryptography – PKC 2021. PKC 2021. Lecture Notes in Computer Science, vol 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_14
DOI: https://doi.org/10.1007/978-3-030-75248-4_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4
eBook Packages: Computer Science, Computer Science (R0)