Paper 2018/733

Threshold Partially-Oblivious PRFs with Applications to Key Management

Stanislaw Jarecki, Hugo Krawczyk, and Jason Resch


An Oblivious PRF (OPRF) is a protocol between a server holding a key to a PRF and a user holding an input. At the end of the interaction, the user learns the output of the OPRF on its input and nothing else. The server learns nothing, including nothing about the user's input or the function's output. OPRFs have found many applications in multiple areas of cryptography. Everspaugh et al. (Usenix 2015) introduced Partially Oblivious PRF (pOPRF) in which the OPRF accepts an additional non-secret input that can be chosen by the server itself, and showed applications in the setting of password hardening protocols. We further investigate pOPRFs showing new constructions, including distributed multi-server schemes, and new applications. We build simple pOPRFs from regular OPRFs, in particular obtaining very efficient DH-based pOPRFs, and provide (n,t)-threshold implementation of such schemes. We apply these schemes to build Oblivious Key Management Systems (KMS) as a much more secure alternative to traditional wrapping-based KMS. The new system hides keys and object identifiers from the KMS, offers unconditional security for key transport, enables forward security, provides key verifiability, reduces storage, and more. Further, we show how to provide all these features in a distributed threshold implementation that additionally protects the service against server compromise. Finally, we extend the scheme to a threshold Oblivious KMS with updatable encryption so that upon the periodic change of OPRF keys by the server, an efficient update procedure allows a client of the KMS service to non-interactively update all its encrypted data to be decryptable only by the new key. Our techniques improve on the efficiency and security of several recent works on updatable encryption from Crypto and Eurocrypt. We report on an implementation of the above schemes and their performance, showing their practicality and readiness for use in real-world systems. In particular, our pOPRF constructions achieve speeds of over an order of magnitude relative to previous pOPRF schemes.

Note: Part of the material in this report (excluding partially-oblivious PRFs) is expanded in eprint report 2019/1275.

Available format(s)
Cryptographic protocols
Publication info
Oblivious PRFKey Management
Contact author(s)
hugo @ ee technion ac il
2019-11-05: last of 2 revisions
2018-08-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Stanislaw Jarecki and Hugo Krawczyk and Jason Resch},
      title = {Threshold Partially-Oblivious PRFs with Applications to Key Management},
      howpublished = {Cryptology ePrint Archive, Paper 2018/733},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.