Paper 2021/864

A Fast and Simple Partially Oblivious PRF, with Applications

Nirvan Tyagi, Sofı́a Celi, Thomas Ristenpart, Nick Sullivan, Stefano Tessaro, and Christopher A. Wood


We build the first construction of a partially oblivious pseudorandom function (POPRF) that does not rely on bilinear pairings. Our construction can be viewed as combining elements of the 2HashDH OPRF of Jarecki, Kiayias, and Krawczyk with the Dodis-Yampolskiy PRF. We analyze our POPRF’s security in the random oracle model via reduction to a new one-more gap strong Diffie-Hellman inversion assumption. The most significant technical challenge is establishing confidence in the new assumption, which requires new proof techniques that enable us to show that its hardness is implied by the $q$-DL assumption in the algebraic group model. Our new construction is as fast as the current, standards-track OPRF 2HashDH protocol, yet provides a new degree of flexibility useful in a variety of applications. We show how POPRFs can be used to prevent token hoarding attacks against Privacy Pass, reduce key management complexity in the OPAQUE password authenticated key exchange protocol, and ensure stronger security for password breach alerting services.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
verifiable oblivious pseudorandom functionsDiffie-Hellman inversionanonymous tokensblind signatures
Contact author(s)
nirvan tyagi @ gmail com
2021-10-06: revised
2021-06-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nirvan Tyagi and Sofı́a Celi and Thomas Ristenpart and Nick Sullivan and Stefano Tessaro and Christopher A.  Wood},
      title = {A Fast and Simple Partially Oblivious PRF, with Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2021/864},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.