
B The DH-OPRF Protocol Realizing Revised F_OPRF

Fig. 13 shows the DH-OPRF protocol of [31], called 2HashDH therein, syntactically modified to realize the adaptive OPRF functionality F_OPRF defined in Fig. 3 in Section 3. Recall that the F_OPRF functionality we show in Section 3 is a revision of the (static) OPRF functionality defined in [31], but it is also a revision of the earlier version of the adaptive OPRF functionality which appeared in the conference version of this paper [33]. The protocol shown below is essentially the same as in [31] and requires the same One-More Diffie-Hellman assumption [5, 31] for security. The only differences between 2HashDH in Fig. 13 and in [31] are syntactic: First, we eliminate the user's "input-output caching" mechanism used in [31]. Second, the protocol in Fig. 13 outputs the OPRF protocol prefix, namely the U-to-S message a, to both U and S instances. As explained in Section 3, outputting these protocol transcript prefixes provides a better "glue" which a higher-level protocol can use to compose OPRF with some other protocol, as protocol OPRF-AKE of Section 5 does by composing OPRF with AKE.

Modifications in the Proof of [31]. The proof of Lemma 1 is very similar to the proof of security given in [31], so we only briefly discuss how our modifications to F_OPRF influence the security proof. The ideal-world adversary, i.e., simulator SIM, is shown in Fig. 14. Fig. 14 denotes functionality F_OPRF as F for brevity, and it makes the following notational assumptions: (1) F's initialization message (Init, S, sid) fixes the identifier S and session ID sid for the rest of the simulation, and all messages to and from F and all its internal records are implicitly tagged with sid; (2) If S is corrupted then SIM acts as if S was compromised from the very beginning; (3) The identifier S of the server for which F sends the initialization message (Init, S, sid) is encoded as a different binary string than any integer value; (4) There is an integer N s.t. the number of hash function H' queries made by the real-world adversary A is upper-bounded by N/2, and the number of online OPRF evaluation sub-sessions started by Z via command Eval to some honest user U is also upper-bounded by N/2.

¹⁸ For example, the simulator shown in [31] reacts to the real-world adversary's local computation of hash function H2(x, v), v ≠ H1(x)^k where k is the key of server S, with three messages to the functionality: (Eval, sid, S', x) for arbitrary S', (SndrComplete, sid, p) for a unique index p associated with an adversarial "public key" y_p s.t. (g, y_p, H1(x), v) is a DDH tuple, and (RcvComplete, sid, p).

Components: Hash functions H(·,·), H'(·) with ranges {0,1}^ℓ and G, respectively. Functions H, H' are specific to the OPRF instance initialized for a unique session ID sid, and they should be implemented by folding sid into their inputs.

Initialization: On input (Init, sid), S picks k ←_R Z_q and stores (sid, k).

Server Compromise: On (Compromise, sid, S) from the adversary, reveal key k.

Offline Evaluation

– On input (OfflineEval, sid, S, x) for sid matching record (sid, k), S outputs (OfflineEval, sid, y) for y = H(x, (H'(x))^k).

Online Evaluation

– On input (Eval, sid, ssid, S', x), U picks r ←_R Z_q, records (sid, ssid, r), sends (ssid, a) for a = H'(x)^r to S', and outputs (Prefix, ssid, a).

– On input (SndrComplete, sid, ssid') and message (ssid, a) from U s.t. a ∈ G, S retrieves pair (sid, k) with matching sid, aborts if such pair is not found, else sends (ssid, b) for b = a^k to U and outputs (Prefix, ssid', a).

– On message (ssid, b) s.t. b ∈ G, U retrieves tuple (sid, ssid, r), aborts if tuple not found, else outputs (Eval, sid, ssid, y) for y = H(x, b^{1/r}).

Fig. 13: Adaptive OPRF Protocol DH-OPRF

Lemma 1. The DH-OPRF protocol shown in Fig. 13 realizes functionality F_OPRF of Fig. 3 under the One-More Diffie-Hellman assumption in ROM.

Using these assumptions, the simulator acts in a similar way as the one shown in [31]: SIM picks a random key k as S does, and uses it by computing b = a^k for every incoming message a ∈ G in SndrComplete. SIM embeds a discrete-log trapdoor in every H' output, setting H'(x) := g^r for random r, and recording this choice as ⟨H', x, r⟩. SIM similarly embeds a discrete-log trapdoor in OPRF messages a sent on behalf of any honest U session (sid, ssid, U), by setting a ← g^r for random r, and recording this choice as ⟨ssid, U, r⟩. SIM also keeps track of all Random Function indexes which are evaluated by adversary A either offline, through H queries, or online, through A's responses b to user U's message a. Each function is equated with its "public key" z = g^k. First, SIM records the honest S's function this way as ⟨F, 0, k, z⟩ for z = g^k, identifying this function with index "0". Secondly, every time A queries H on a new point (x, u), SIM checks if there are records ⟨F, i, ·, z'⟩ and ⟨H', x, r⟩ s.t. z' = u^{1/r}, because this is equivalent to DL(H'(x), u) = DL(g, z'). If this holds for i ≠ 0 then A offline evaluates some adversarial function of its choice, hence in that case SIM sends (OfflineEval, sid, i, x) to F and embeds the value F_{sid,i}(x) returned by F into H(x, u). If this holds for i = 0 and S is not compromised then A must be completing some OPRF instance as the user, hence in that case SIM sends (Eval, sid, ssid', ⊥, x) and (RcvComplete, sid, ssid', SIM, S) to F for some fresh ssid' value. If F does not return any answer this means that F's ticket counter is 0, and that this local computation of F_{sid,S}(x) by A violated the security properties of F_OPRF, in which case SIM halts, and the simulation obviously diverges from the real-world execution. Otherwise SIM embeds the value F_{sid,S}(x) returned by F into H(x, u).

1. Pick r_1, ..., r_N ←_R Z_q. Set g_1 := g^{r_1}, ..., g_N := g^{r_N}, and J := 1 and I := 1.

2. On (Init, S, sid) from F pick k ← Z_q and record ⟨F, 0, k, z = g^k⟩.

3. On (Compromise, sid) from A, declare S as compromised, retrieve tuple ⟨F, 0, k, z⟩, send (Compromise, sid) to F, and send (sid, k) to A.

4. On A's fresh query x to H', set H'(x) ← g_J, record ⟨H', x, r_J⟩, and set J++.

5. On (Eval, sid, ssid, U, S') from F, set a ← g_J, respond with prfx = a to F, send (sid, ssid, a) to A as U's message to S', record ⟨ssid, U, r_J⟩, and set J++.

6. On (SndrComplete, sid, S) from F and message (sid, ssid, a) (where a ∈ G) from A sent on behalf of some user to server S, respond with prfx = a to F, retrieve ⟨F, 0, k, z⟩, and send (sid, ssid, b) for b = a^k to A as S's response.

7. On message (sid, ssid, b) (where b ∈ G) from A sent on behalf of some server to user U, retrieve records ⟨ssid, U, r⟩ and ⟨F, i, ·, z'⟩ for z' = b^{1/r}. If there is no record ⟨F, i, ·, z'⟩, set i := I, record ⟨F, i, ⊥, z'⟩, and set I++. In either case send (RcvComplete, sid, ssid, U, i) to F.

8. On A's fresh query (x, u) to H, retrieve record ⟨H', x, r⟩. If there is no such record, then pick H(x, u) ←_R {0,1}^ℓ. Otherwise do the following:

   (1) If record ⟨F, 0, k, z⟩ satisfies z = u^{1/r} then

       i. If S is compromised, send (OfflineEval, sid, S, x) to F, and on F's response (OfflineEval, sid, y) set H(x, u) := y.

       ii. If S is not compromised, pick a fresh identifier ssid* and send (Eval, sid, ssid*, ⊥, x) and (RcvComplete, sid, ssid*, SIM, S) to F. If F ignores the last message then output halt and abort. Else on F's response (Eval, sid, ssid*, y) set H(x, u) := y.

   (2) Else, if there is a tuple ⟨F, i, ⊥, u^{1/r}⟩ for i ≠ 0 then send (OfflineEval, sid, i, x) to F, and on F's response (OfflineEval, sid, y) set H(x, u) := y.

   (3) Else, record ⟨F, i, ⊥, u^{1/r}⟩ for i = I, send (OfflineEval, sid, i, x) to F, and on F's response (OfflineEval, sid, y) set H(x, u) := y and set I++.

Fig. 14: Simulator SIM for Protocol DH-OPRF (with F_OPRF denoted as F)

Finally, if a query (x, u) to H does not match any recorded function ⟨F, i, ·, z'⟩ s.t. z' = u^{1/r}, then SIM defines a new function ⟨F, i', ⊥, z'⟩ for fresh index i' and z' = u^{1/r}. SIM interprets A's OPRF responses b to messages a = g^r which SIM sends on behalf of some honest user U in a similar way: Note that if a = g^r … U on this OPRF interaction with the public key z' = b^{1/r}. As in the case of responding to H queries, SIM first checks if there exists a record ⟨F, i, ·, z'⟩, and otherwise it creates a new record ⟨F, i', ⊥, z'⟩ for fresh i'.
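As an added worked example (not code from the paper or its authors), the following Python runs the DH-OPRF exchange of Fig. 13 end to end and also implements the public-key identification step that the simulator of Fig. 14 relies on. Everything concrete here is my assumption: the group is a demo-sized prime-order subgroup of Z_p^* with q = 2^127 − 1 (a real deployment would use a standardized elliptic-curve group with a proper hash-to-curve), H and H' are built from SHA-256 with sid folded in as the figure requires, and the names Server, User, run_online, in_group and identify_public_key are mine. The example shows that the online evaluation agrees with the server's offline evaluation, that both parties perform the a ∈ G / b ∈ G membership checks before exponentiating, and why the trapdoors r let SIM read off which function's "public key" z' = u^{1/r} an H query or an adversarial response b belongs to.

```python
import hashlib
import secrets

# Constructed demo group: prime-order subgroup of Z_p^*, q = 2^127 - 1 (Mersenne prime),
# p = 2cq + 1 the smallest such prime.  Not a standardized group; for illustration only.
Q = 2**127 - 1
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)

def is_probable_prime(n):
    """Miller-Rabin with fixed prime bases, enough for the demo parameter search."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_modulus(q):
    """Smallest prime p = 2cq + 1, so Z_p^* contains a subgroup of prime order q."""
    c = 1
    while not is_probable_prime(2 * c * q + 1):
        c += 1
    return 2 * c * q + 1

P = find_modulus(Q)
COFACTOR = (P - 1) // Q   # raising to this power maps any residue into the order-q subgroup
G = next(g for g in (pow(h, COFACTOR, P) for h in range(2, 100)) if g != 1)  # generator g

def in_group(a):
    """The a ∈ G / b ∈ G check of Fig. 13: nonzero residue whose order divides q."""
    return 1 <= a < P and pow(a, Q, P) == 1

def hash_prime(sid, x):
    """H'(x) with range G: hash, reduce mod p, clear the cofactor; sid folded into the input."""
    ctr = 0
    while True:
        h = hashlib.sha256(b"H'|" + sid + b"|" + x + ctr.to_bytes(4, "big")).digest()
        e = pow(int.from_bytes(h, "big") % P, COFACTOR, P)
        if e > 1:             # skip the degenerate outputs 0 and 1 (probability ~2^-127)
            return e
        ctr += 1

def hash_final(sid, x, v):
    """H(x, v) with range {0,1}^256; v is a group element, sid folded into the input."""
    vb = v.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"H|" + sid + b"|" + x + b"|" + vb).digest()

class Server:
    def __init__(self, sid):
        self.sid, self.k = sid, 1 + secrets.randbelow(Q - 1)   # Init: k <-R Z_q
    def offline_eval(self, x):
        """OfflineEval: y = H(x, H'(x)^k), computed locally by S."""
        return hash_final(self.sid, x, pow(hash_prime(self.sid, x), self.k, P))
    def sndr_complete(self, a):
        """SndrComplete: abort unless a ∈ G, else answer b = a^k."""
        if not in_group(a):
            raise ValueError("abort: a not in G")
        return pow(a, self.k, P)
    def compromise(self):
        """Compromise: reveal k to the adversary."""
        return self.k

class User:
    def __init__(self, sid):
        self.sid, self.state = sid, {}   # ssid -> (x, r)
    def eval_start(self, ssid, x):
        """Eval: a = H'(x)^r for fresh r <-R Z_q; a is also the protocol prefix."""
        r = 1 + secrets.randbelow(Q - 1)
        self.state[ssid] = (x, r)
        return pow(hash_prime(self.sid, x), r, P)
    def eval_finish(self, ssid, b):
        """On (ssid, b): abort unless b ∈ G and r is stored, else y = H(x, b^(1/r))."""
        if not in_group(b) or ssid not in self.state:
            raise ValueError("abort: bad b or unknown ssid")
        x, r = self.state.pop(ssid)
        return hash_final(self.sid, x, pow(b, pow(r, -1, Q), P))

def run_online(server, x):
    """One full online evaluation between a fresh User session and the Server."""
    user, ssid = User(server.sid), secrets.token_bytes(8)
    return user.eval_finish(ssid, server.sndr_complete(user.eval_start(ssid, x)))

def identify_public_key(u, r):
    """SIM's test (Fig. 14, step 8): with trapdoor r s.t. H'(x) = g^r, u^(1/r) is the
    public key z' = g^k' of whichever key k' produced u = H'(x)^k'."""
    return pow(u, pow(r, -1, Q), P)
```

run_online(Server(sid), x) returns the same bytes as Server.offline_eval(x), which is the correctness property the OPRF needs; the membership checks in sndr_complete and eval_finish are what Fig. 13 means by "s.t. a ∈ G" and "s.t. b ∈ G", and rejecting values outside the prime-order subgroup is what keeps the blinding exponent 1/r well defined. identify_public_key is the reason the simulator stores the trapdoors r: without them, deciding whether u = H'(x)^k for the honest key k (or for some adversarial key) would require solving a DDH-type problem rather than one exponentiation.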

The only non-syntactic changes in the argument that, under the OMDH assumption, this simulation presents the same view as the real execution, compared to the similar argument given in [31], are that (1) A may at any time compromise server S for a specific sid and learn key k; and (2) if some user session (sid, ssid_u, U) and some server session (sid, ssid_s, S) output the same prefixes prfx = a, then this interaction does not increase the ticket counter, and does not count towards the pool of OPRF interactions which A can use to compute F_{sid,S}(x) on some input x.

Regarding (1), note that after server compromise A can compute the server's function on any argument, but SIM can detect that by catching the H query on (x, v) for v = (H'(x))^k, and can simulate this by sending (OfflineEval, sid, S, x) to F_OPRF. Furthermore, note that event halt may only occur if server S is not marked compromised at that time; hence the argument which upper-bounds Pr[halt] given in [31] is not affected by this change, because it assumes that S is not compromised at the time. Regarding (2), it is easy to see that if A forwards to some server session the message a = g^r sent by SIM on behalf of some honest user U session, the security reduction can respond to such a message with b = z^r, where z is the OMDH challenge public key z = g^k. Therefore the reduction will not need to query the One-More Diffie-Hellman oracle (·)^k on all such S sessions, and thus these sessions will not increase the number of arguments x on which adversary A can compute u = (H'(x))^k, by querying H on (x, u), without breaking the OMDH assumption.
