Gold OPRF: Post-Quantum Oblivious Power Residue PRF

Yibin Yang; Fabrice Benhamouda; Shai Halevi; Hugo Krawczyk; Tal Rabin

Paper 2024/1955

Gold OPRF: Post-Quantum Oblivious Power Residue PRF

Yibin Yang

, Georgia Institute of Technology

Fabrice Benhamouda

, Amazon Web Services

Shai Halevi

, Amazon Web Services

Hugo Krawczyk

, Amazon Web Services

Tal Rabin

, Amazon Web Services

Abstract

We propose plausible post-quantum (PQ) oblivious pseudorandom functions (OPRFs) based on the Power Residue PRF (Damgård CRYPTO’88), a generalization of the Legendre PRF. For security parameter $\lambda$, we consider the PRF $\mathsf{Gold}_k(x)$ that maps an integer $x$ modulo a public prime $p = 2^\lambda\cdot g + 1$ to the element $(k + x)^g \bmod p$, where $g$ is public and $\log g \approx 2\lambda$. At the core of our constructions are efficient novel methods for evaluating $\mathsf{Gold}$ within two-party computation ($\mathsf{2PC}\text{-}\mathsf{Gold}$), achieving different security requirements. Here, the server $\mathcal{P}_s$ holds the PRF key $k$ whereas the client $\mathcal{P}_c$ holds the PRF input $x$, and they jointly evaluate $\mathsf{Gold}$ in 2PC. $\mathsf{2PC}\text{-}\mathsf{Gold}$ uses standard Vector Oblivious Linear Evaluation (VOLE) correlations and is information-theoretic and constant-round in the (V)OLE-hybrid model. We show: • For a semi-honest $\mathcal{P}_s$ and a malicious $\mathcal{P}_c$: a $\mathsf{2PC}\text{-}\mathsf{Gold}$ that just uses a single (V)OLE correlation, and has a communication complexity of $3$ field elements ($2$ field elements if we only require a uniformly sampled key) and a computational complexity of $\mathcal{O}(\lambda)$ field operations. We refer to this as half-malicious security. • For malicious $\mathcal{P}_s$ and $\mathcal{P}_c$: a $\mathsf{2PC}\text{-}\mathsf{Gold}$ that just uses $\frac{\lambda}{4} + \mathcal{O}(1)$ VOLE correlations, and has a communication complexity of $\frac{\lambda}{4} + \mathcal{O}(1)$ field elements and a computational complexity of $\mathcal{O}(\lambda)$ field operations. These constructions support additional features and extensions, e.g., batched evaluations with better amortized costs where $\mathcal{P}_c$ repeatedly evaluates the PRF under the same key. Furthermore, we extend $\mathsf{2PC}\text{-}\mathsf{Gold}$ to Verifiable OPRFs and use the methodology from Beullens et al. (ePrint’24) to obtain strong OPRF security in the universally composable setting. All the protocols are efficient in practice. We implemented $\mathsf{2PC}\text{-}\mathsf{Gold}$—with (PQ) VOLEs—and benchmarked them. For example, our half-malicious (resp. malicious) $n$-batched PQ OPRFs incur about $100$B (resp. $1.9$KB) of amortized communication for $\lambda = 128$ and large enough $n$.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: Oblivious Pseudorandom Function Post-Quantum OPRF Legendre/Power Residue PRF
Contact author(s): yyang811 @ gatech edu
fabrice benhamouda @ gmail com
shai halevi @ gmail com
hugokraw @ gmail com
talr @ seas upenn edu
History: 2024-12-06: approved; 2024-12-02: received; See all versions
Short URL: https://ia.cr/2024/1955
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1955,
      author = {Yibin Yang and Fabrice Benhamouda and Shai Halevi and Hugo Krawczyk and Tal Rabin},
      title = {Gold {OPRF}: Post-Quantum Oblivious Power Residue {PRF}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1955},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1955}
}