Papers
Topics
Authors
Recent
Search
2000 character limit reached

Oblivious Pseudorandom Function (OPRF)

Updated 7 July 2026
  • OPRF is a two-party cryptographic protocol where a client obtains a pseudorandom function evaluation while the server keeps its secret key hidden.
  • It employs blinding and algebraic operations (such as modular exponentiation and group exponentiation) to ensure pseudorandomness and oblivious evaluation.
  • OPRF underpins various applications like federated authentication, private set intersection, and privacy-preserving ad measurement, and it is extended in multiparty and policy-enforcement systems.

Searching arXiv for recent and foundational papers on OPRFs and closely related variants to ground the article. An Oblivious Pseudorandom Function (OPRF) is a two-party protocol in which a client holding an input xx and a server holding a secret key kk evaluate a pseudorandom function so that the client learns Fk(x)F_k(x), the server learns nothing about xx, and the client learns nothing about kk. In the formulations used across recent systems papers, the core guarantees are pseudorandomness of the keyed function and obliviousness of the evaluation transcript; these guarantees make OPRFs a recurring primitive in private set intersection, credential disclosure, federated identity enrollment, and policy-gated function evaluation (Zhang et al., 21 Jul 2025, Onofri et al., 12 Apr 2026).

1. Definition and security objectives

The standard OPRF abstraction is presented as a protocol between a client with input ww and a server with secret PRF key $k_{\PRF}$, where the client obtains $\PRF[k_{\PRF}](w)$ without revealing ww to the server and without learning $k_{\PRF}$ (Zhang et al., 21 Jul 2025). In the same line, the generic definition used in COD-ssi states that the client holds kk0, the server holds kk1, the client learns kk2, the server learns nothing about kk3, and the client learns nothing about kk4 (Onofri et al., 12 Apr 2026).

The security goals recur with slightly different emphases across the literature. In the standard presentation, pseudorandomness means that kk5 is indistinguishable from a random function to efficient adversaries without the key, while obliviousness means that the server learns nothing about the client input and the client learns nothing about the server key (Zhang et al., 21 Jul 2025). In the federated-authentication construction, the RSA instantiation is described as giving the client an output that is computationally indistinguishable from a random function output, assuming the server is honest; the same paper identifies blindness, input privacy, unlinkability across domains, and data minimization as the relevant security properties (Buccafurri et al., 1 Dec 2025).

These formulations also delimit what OPRFs are not. An OPRF is not merely “oblivious evaluation” in the generic sense, and it is not equivalent to arbitrary function evaluation on encrypted data. A closely related 2015 primitive, “oblivious lookup tables,” is explicitly described as not being an OPRF construction in the standard sense: it does not define a PRF, does not use a secret function key in the OPRF sense, and computes kk6 rather than revealing kk7 to the client (Rass et al., 2015).

2. Canonical algebraic constructions

Two concrete OPRF instantiations appear prominently in the supplied literature: an RSA-based OPRF and a discrete-log-based 2HashDH or HashedDH construction.

In the RSA formulation used for federated authentication, the base OPRF is defined as

kk8

with oblivious evaluation

kk9

The same paper specializes the input to Fk(x)F_k(x)0 and then introduces a domain-specific pseudonymous identifier

Fk(x)F_k(x)1

where Fk(x)F_k(x)2 is the CTS secret exponent and Fk(x)F_k(x)3 is the IdP’s private exponent. The first-enrollment flow is stated explicitly: the IdP hashes Fk(x)F_k(x)4, blinds Fk(x)F_k(x)5, applies its domain exponent Fk(x)F_k(x)6, the CTS exponentiates with Fk(x)F_k(x)7, and the IdP unblinds to recover Fk(x)F_k(x)8 (Buccafurri et al., 1 Dec 2025).

In COD-ssi, the adopted OPRF is 2HashDH. Given a group Fk(x)F_k(x)9, input xx0, secret key xx1, and hash functions

xx2

the protocol is: xx3

xx4

xx5

xx6

Hence

xx7

COD-ssi then instantiates claim-specific keys as

xx8

with xx9 the committed claim digest and kk0 a fresh presentation master secret (Onofri et al., 12 Apr 2026).

Across both constructions, the recurrent algebraic pattern is the same: the client blinds or randomizes a function of the input, the server applies the secret-key transformation, and the client removes the blinding and derives the usable PRF value. In the RSA case, the algebra is modular exponentiation with multiplicative blinding; in the 2HashDH case, it is exponentiation in a group followed by hashing (Buccafurri et al., 1 Dec 2025, Onofri et al., 12 Apr 2026).

3. Composition inside larger protocols

Recent work treats the OPRF not as a standalone primitive but as the cryptographic engine inside more elaborate privacy-preserving workflows.

In federated authentication, the OPRF is the bridge between independently operated Identity Providers and a Central Trusted Service. After successful KYC, the IdP derives a domain-specific pseudonym kk1 through blinded OPRF evaluation, and the CTS stores only kk2 or kk3. Token issuance is defined as

kk4

binding the pseudonym to a user public key after proof of possession. When a user lacks a valid token, the protocol performs a cooperative blind global check: the CTS forwards a blinded value to each IdP, each IdP returns a domain-transformed value, the originating IdP reconstructs each kk5, and the CTS checks whether any reconstructed identifier appears in the registry with status ok (Buccafurri et al., 1 Dec 2025).

In COD-ssi, the OPRF is used only between Holder and Verifier during presentation and verification; the Issuer is not involved. The Holder chooses a fresh presentation master secret kk6, computes kk7 for each claim digest kk8, and encrypts the randomized claim payload kk9 by AEAD: ww0 The encrypted claim set is

ww1

During verification, the Verifier validates the standard SSI artifacts, selects at most ww2 claims, runs OPRF queries for those claim digests, obtains the corresponding keys, decrypts only those ciphertexts, and checks the commitments (Onofri et al., 12 Apr 2026).

In PrivacyGo, the OPRF-derived values are matching tags rather than final outputs. The protocol uses a distributed, blindable, and reversed OPRF-like functionality, denoted ww3, so that equal identifiers map to equal hidden tags under the same key without revealing the raw identifiers. The paper stresses that the tags are only the matching layer: the downstream output is either a sum of payloads over matched rows or secret shares or ciphertexts of matched payloads, depending on the variant (Du et al., 26 Jun 2025).

Taken together, these protocols suggest a common systems pattern: OPRF evaluation is rarely the endpoint. It is composed with registries, AEAD-protected payloads, token issuance, challenge-response proofs, or downstream aggregation logic, and its role is to produce privacy-preserving handles that other protocol stages can consume.

4. Variant families and generalized functionalities

Several papers extend the standard OPRF interface in orthogonal directions: policy-gated evaluation, reversible or updatable evaluation, secret-shared outputs, programmability, and multiparty sequencing.

A blocklisted OPRF (B-OPRF) augments the standard interface by letting the server maintain a blocklist ww4 and releasing the OPRF output only when the client input is not blocklisted. The design has an explicit check phase, which may abort with ww5, and an implicit check phase for repeated evaluations on the same input after a successful explicit check. Its policy predicate is defined over a metric embedding: ww6 The paper further defines embedding-induced rates

ww7

The explicit phase computes and binds an embedding of the hidden input; the implicit phase later reuses the stored state to obtain ww8 much more cheaply (Zhang et al., 21 Jul 2025).

PrivacyGo introduces a reversed OPRF organization and blind key rotation. The reversed use is motivated by computing a function over the intersection rather than revealing the intersection itself. Blind key rotation transforms an existing evaluation ww9 into $k_{\PRF}$0 under a fresh shared key without revealing the linkage between the old and new tags. The correctness sketch in the HashDH construction is

$k_{\PRF}$1

which is the PRF evaluation under the new key $k_{\PRF}$2 (Du et al., 26 Jun 2025).

The fuzzy-PSI work generalizes OPRFs toward secret-shared and programmable outputs. Its so-OPRF functionality takes receiver queries $k_{\PRF}$3, sender key $k_{\PRF}$4, computes $k_{\PRF}$5, and outputs additive shares $k_{\PRF}$6 such that

$k_{\PRF}$7

Its so-OPPRF functionality lets the sender program selected pairs $k_{\PRF}$8 so that a random function $k_{\PRF}$9 satisfies $\PRF[k_{\PRF}](w)$0 on programmed points and remains pseudorandom elsewhere, again with secret-shared outputs. The same paper also defines si-OPRF, in which both the key and the inputs are secret-shared between the parties (Yang et al., 16 Apr 2026).

A different generalization appears in ring-topology multiparty PSI. The multi-point sequential OPRF (MP-SOPRF) is sequential, multi-party, and multi-point: state is propagated hop by hop through a ring, the first party obtains OPRF values for its own elements, and the last party obtains the effective PRF key material. The paper states the effective OPRF form as

$\PRF[k_{\PRF}](w)$1

and uses equality between the first and last party’s endpoint values as the test for global intersection membership (Feng et al., 31 May 2025).

5. Application domains

The supplied papers place OPRFs in several application domains, each emphasizing a different aspect of the primitive.

In federated authentication, the OPRF enables duplicate or fraudulent enrollment detection across Identity Providers without revealing users’ personal identifiers and without enabling cross-domain correlation. The CTS stores only pseudonymous identifiers and a status flag, while domain-specific exponents ensure that the same $\PRF[k_{\PRF}](w)$2 does not yield directly comparable identifiers across domains (Buccafurri et al., 1 Dec 2025).

In Self-Sovereign Identity, OPRFs support claim-oblivious disclosure. COD-ssi uses an OPRF-derived key per claim so that the Holder can publish encrypted claim blobs upfront and the Verifier can later obtain only the keys for the claims it wants, without revealing which claims those are to the Holder. The paper formalizes confidentiality, authenticity and integrity, obliviousness of disclosure, and issuer verifiability; it also reports a JavaScript prototype over secp256k1 with SHA3-512 and AES-GCM. The reported per-claim costs include claim hashing or verification below $\PRF[k_{\PRF}](w)$3 ms, encryption about $\PRF[k_{\PRF}](w)$4 ms, decryption about $\PRF[k_{\PRF}](w)$5 ms, OPRF request on the Verifier side about $\PRF[k_{\PRF}](w)$6 ms, and OPRF response on the Holder side about $\PRF[k_{\PRF}](w)$7 ms. The OPRF query and response sizes reach about $\PRF[k_{\PRF}](w)$8 MB for 1024 claims in the worst-case benchmark (Onofri et al., 12 Apr 2026).

In privacy-preserving ad measurement, OPRF-style tags implement multidimensional private user profile matching. PrivacyGo combines reversed OPRFs, distributed keys, blind key rotation, and a differential-privacy layer that obfuscates intersection sizes. The DDH-based send command for $\PRF[k_{\PRF}](w)$9 is reported as 185.61s and 31.52MB communication; the update for ww0 is 163.06s and 41.92MB. End to end, the DDH-based waterfall matching handles two million records across three ID columns in about 2 minutes with 8 threads over a 100Mbps link (Du et al., 26 Jun 2025).

In fuzzy PSI, the OPRF-related contribution is the so-OPPRF primitive, which replaces homomorphic-encryption-heavy mechanisms with OKVS, so-OPRF, si-OPRF, OT, PEQT, B2A, prefix decomposition, and MPC-friendly PRFs. The paper reports that its protocols achieve a speedup of ww1 in running time and a reduction of ww2 in communication cost compared to Gao et al., and a speedup of ww3 in running time and a reduction of ww4 in communication cost compared to Dang et al. In one highlighted setting, ww5, the proposed protocol is about ww6 faster than Dang et al. and ww7 faster than Gao et al. (Yang et al., 16 Apr 2026).

In multiparty PSI, MP-SOPRF enables a ring-topology design rather than star or mesh. The paper reports that the resulting protocol achieves a reduction of 74.8% in communication and a 6% to 287% improvement in computational efficiency (Feng et al., 31 May 2025).

In policy enforcement, B-OPRF is instantiated for password blocklisting in augmented password-authenticated key exchange, especially OPAQUE, and for MACing executables that are not similar to ones on a blocklist of known malware. In both examples, the OPRF output is released only after the hidden input passes an approximate similarity test under an embedding-based policy (Zhang et al., 21 Jul 2025).

6. Boundaries, adjacent primitives, and open problems

Several recurring misconceptions are corrected by the supplied works. First, OPRFs are not limited to private set intersection. The same abstraction appears in federated identity registration, SSI disclosure, privacy-preserving ad measurement, password policy enforcement, malware-related MACing, fuzzy PSI, and ring-topology multiparty PSI (Buccafurri et al., 1 Dec 2025, Onofri et al., 12 Apr 2026, Du et al., 26 Jun 2025, Zhang et al., 21 Jul 2025, Yang et al., 16 Apr 2026, Feng et al., 31 May 2025). Second, not every oblivious evaluation primitive is an OPRF. “Oblivious lookup tables” are explicitly described as conceptually adjacent but not an OPRF, because they use a public lookup-table encoding of a known function ww8, do not use a secret PRF key in the OPRF sense, and return an encrypted output ww9 rather than a clear OPRF value (Rass et al., 2015).

The literature also exposes several open issues and model limitations. The federated-authentication construction states that a full cryptographic proof under stronger adversarial models remains future work; it also identifies revocation of compromised tokens as an unresolved challenge, especially if revocation itself must avoid new correlation channels, and notes scalability concerns for cooperative checks in large federations (Buccafurri et al., 1 Dec 2025). COD-ssi formalizes security under a UC-secure 2HashDH OPRF in the ROM and AES-GCM assumptions, but it explicitly identifies a caveat: the scheme is secure under a compliant Holder during VP creation, yet a malicious Holder during VP creation can manipulate $k_{\PRF}$0, creating a selective-failure leak. The paper suggests issuer-assisted VP generation, trusted wallet or enclave support, and zero-knowledge proofs of correct encryption as mitigations, but none is implemented in the proof of concept (Onofri et al., 12 Apr 2026).

Other systems adopt narrower adversarial models. PrivacyGo’s security is stated against semi-honest or honest-but-curious adversaries in the $k_{\PRF}$1-hybrid model, with differential privacy used separately to hide intersection size rather than relying on the OPRF layer alone (Du et al., 26 Jun 2025). The so-OPPRF construction is proved against semi-honest adversaries in the $k_{\PRF}$2-hybrid model, assuming OKVS correctness, double obliviousness, and independence (Yang et al., 16 Apr 2026). MP-SOPRF-based MPSI is also semi-honest secure and assumes that the leader does not collude with assistants; the proof relies on a $k_{\PRF}$3-party $k_{\PRF}$4-Hamming correlation robust hash function in addition to a PRF and collision resistance (Feng et al., 31 May 2025). B-OPRF, meanwhile, deliberately weakens exact membership checking into an embedding-based policy with explicit $k_{\PRF}$5 and $k_{\PRF}$6 terms, so approximate blocking behavior is part of the primitive definition rather than an implementation artifact (Zhang et al., 21 Jul 2025).

A plausible implication is that contemporary OPRF research is less about a single canonical protocol than about a family of keyed oblivious-evaluation interfaces. Standard OPRFs remain the baseline, but recent work systematically modifies the output interface, admissibility conditions, key structure, and party structure to fit domain-specific requirements: unlinkable pseudonym derivation, claim-specific decryption, updatable matching tags, secret-shared programmable outputs, or ring-sequential intersection tests.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Oblivious Pseudorandom Function (OPRF).