Oblivious Pseudorandom Function

Last updated

An Oblivious Pseudorandom Function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that an OPRF is cooperatively computed by two parties. [1]

Contents

Formal Definition

Specifically, an OPRF is any function with the following properties:

The function is called an Oblivious Pseudorandom Function, because the second-party is oblivious to the function's output. This party learns no new information from participating in the calculation of the result.

However, because it is only the second-party that holds the secret, the first-party must involve the second-party to calculate the output of the Pseudorandom Function (PRF). This requirement enables the second-party to implement access controls, throttling, and or other security measures.

History

While conventional Pseudorandom Functions computed by a single party were first described in 1986 [2] , it was not until 2004 that the first two-party Oblivious Pseudorandom Function was described in the literature. [3] The term "Oblivious Pseudorandom Function" was coined the next year in 2005 by some of the same authors. [4]

Applications

OPRFs have many useful applications in cryptography and information security.

These include password-based key derivation, password-based key agreement, password-hardening, untraceable CAPTCHAs, password management, homomorphic key management, and private set intersection. [1] [5]

An OPRF can be viewed as a special case of homomorphic encryption, as it enables another party to compute a function over an encrypted input and produce a result (which remains encrypted) and thereby it learns nothing about what it computed.

Password-Based Key Derivation

Most forms of password-based key derivation suffer from the fact that passwords usually contain a small amount of randomness (or entropy) compared to full-length 128- or 256-bit encryption keys. This makes keys derived from passwords vulnerable to brute-force attacks.

However, this threat can be mitigated by using the output of an OPRF that takes the password as input.

If the secret key used in the OPRF is high-entropy, then the output of the OPRF will also be high-entropy. This thereby solves the problem of the password being low-entropy, and therefore vulnerable to cracking via brute force.

This technique is called Password-Hardening. [6] It fills a similar purpose as key stretching, but password-hardening adds significantly more entropy.

Further, since each attempt at guessing a password that is hardened in this way requires interaction with a server, it prevents an offline attack, and thus enables the user or system administrator to be alerted to any password-cracking attempt.

The recovered key may then be used for authentication (e.g. performing a PKI-based authentication using a digital certificate and private key, or may be used to decrypt sensitive content, such as an encrypted file or crypto wallet.

Password-Authenticated Key Exchange

For protocols such as TLS, a password can be used as the basis of a key agreement protocol, to establish temporary session keys or and mutually authenticate the client and server. In the TLS protocol, this system is called a Password-Authenticated Key Exchange or PAKE.

But in its most basic implementations, the server learns the user's password during the course of the PAKE authentication. If the server is compromised, this exposes the user's password which can compromise the security of the user.

To overcome this, various 'augmented forms' of PAKE incorporate an Oblivious Pseudorandom Function so that the server never sees the user's password during the authentication, but nevertheless it is able to authenticate the client is in possession of the correct password. This is done by assuming only the client that knows the correct password, can use the OPRF to derive the correct key.

An example of an augmented PAKE that uses an OPRF in this way is OPAQUE . [7] [8] [9] [10]

Recently, password-based keys have been used for secure backing up of encrypted chat histories in Facebook messenger. [11] [12] A similar usage is planned to be used in Signal Messenger. [13]

Untraceable CAPTCHAs

A CAPTCHA or "Completely Automated Public Turing test to tell Computers and Humans Apart." [14] is a mechanism to prevent automated robots or (bots) from accessing websites. Lately, mechanisms for running CAPTCHA tests have been centralized to services such as a Google and CloudFlare, but this can come at the expense of user privacy.

Recently, CloudFlare developed a privacy-preserving technology called "Privacy Pass" [15] This technology is based on OPRFs, and enables the client's browser to obtain passes from CloudFlare and then present them to bypass CAPTCHA tests. Due to the fact that the CloudFlare service is oblivious to which passes were provided to which users, there is no way it can correlate users with the websites they visit. This prevents tracking of the user, and thereby preserves the user's privacy.

An Improved Password Manager

A password manager is software or a service that holds potentially many different passwords on behalf of the a single user.

Access to the password manager, is thus highly sensitive. If it is a service, and that service is attacked, it could expose many of that user's passwords to the attacker.

By using an OPRF, however, passwords for an individual site can be derived from a single master password, without the service being in a position to learn either the user's master password, nor any of the derived passwords produced from it.

An OPRF is used by the Password Monitor in Microsoft Edge [16] .

A Homomorphic Key Management System

Similarly to securing passwords managed by a password manager, an OPRF can be used to enhance the security of a key management system.

For example, an OPRF enables a key-management system to issue cryptographic keys to authenticated and authorized users, without ever seeing, learning, or being in a position to learn, any of the keys it provides to users [17] .

Private Set Intersection

Private set intersection is a cryptographic technique that enables two or more parties to compare their private sets to determine which entries they share in common, but without disclosing any entires which they do not hold in common.

For example, private set intersection could be used by two users of a social network to determine which friends they have in common, without revealing the identities of friends they do not have in common. To do this, they could share the outputs of an OPRF applied to the friend's identity (e.g., the friend's phone number or e-mail address).

The output of the OPRF cannot be inverted to determine the identity of the user, and since the OPRF may be rate-limited, it will prevent a brute-force attack (e.g., iterating over all possible phone numbers). [18]

Implementations

There are various mathematical functions that can serve as the basis to implement an OPRF.

For example, methods from asymmetric cryptography, including Elliptic Curve point multiplication, Diffie-Hellman modular exponentiation over a prime, or an RSA signature calculation.

EC and Conventional Diffie-Hellman

Elliptic Curves and prime order fields can be used to implement an OPRF. The essential idea is that the first-party (the client), must cryptographically blind the input prior sending it to the second-party.

This blinding can be viewed as a form of encryption that survives the computation performed by the second-party. Therefore the first-party can decrypt what it receives from the second-party to "unblind" it, and thereby receive the same result it would have received had the input not been blinded.

When the second-party receives the blinded input, it performs a computation on it using a secret. The result of this computation must not reveal the secret.

For example, the second-party may perform a point multiplication of a point on an elliptic curve. Or it may perform a modular exponentiation modulo a large prime.

The first-party, upon receipt of the result, and with knowledge of the blinding-factor, computes a function that removes the blinding factor's influence on the result returned by the second-party. This 'unblinds' the result, revealing the output of the OPRF, (or an intermediate result which is then used by the client to compute the output of the OPRF, for example, by hashing this intermediate result).

Sample OPRF Protocol

The following is pseudocode for the calculations performed by the client and server using an Elliptic Curve based OPRF.

Client-side calculation

The following code represents calculations performed by the client, or the first-party.

byte[]computeOPRF(byte[]input){// Apply point-hashing algorithm // For example, as described in RFC 9380ECPointhashedPoint=hashToPoint(input);// Generate a random blinding factorScalarb=randomScalar();// Blind the input via a curve multiply ECPointblindedInput=ECMultiply(hashedPoint,b);// Send request to server to obtain response ECPointserverResponse=sendRequest(blindedInput);// Compute multiplicative inverse of bScalarinverse=modInverse(b);// Unblind the response to produce the result ECPointresult=ECMultiply(serverResponse,inverse);// Hash the unblinded result to complete OPRF calculation returnhash(result);

Notes:

The client computes the multiplicative inverse of the blinding factor. This enables it to reverse the effect of the blinding factor on the result, and obtain the result the server would have returned had the client not blinded the input.

As a final step, to complete the OPRF, the client performs a one-way hash on the result to ensure the OPRF output is uniform, completely pseudorandom, and non-invertible.

Server-side calculation

The following code represents calculations performed by the server, or the second-party.

The server receives the blinded input value from the client, and may perform authentication, access control, request throttling, or other security measures before processing the request. It then uses it's own secret, to compute:

ECPointprocessRequest(ECPointblindedInput,Scalarsecret){// Apply secret to compute the response ECPointresponse=ECMultiply(blindedInput,secret);returnresponse;}

It then returns the response, which is the blinded output, to the client.

Notes:

Because the elliptic curve point multiplication is computationally difficult to invert (like the discrete logarithm problem, the client cannot feasibly learn the server's secret from the response it produces.

Note, however, that this function is vulnerable to attacks by quantum computers. A client or third party in possession of a quantum computer could solve for the server's secret knowing the result it produced for a given input.

RSA Blind Signatures

When the output of a blind signature scheme is deterministic, it can be used as the basis of building an OPRF, e.g. simply by hashing the resulting signature.

This is because due to the blinding, the party computing the blind signature learns neither the input (what is being signed) nor the output (the resulting digital signature).

Extensions

The OPRF construction can be extended in various ways. These include: partially-oblivious, theshold-secure, and post-quantum secure versions.

Partially-Oblivious PRF

One modification to an OPRF is called a Partially-Oblivious PRF, or P-OPRF.

Specifically, a P-OPRF is any function with the following properties:

The use case for this is when the server needs to implement specific throttling or access controls on the exposed input (E), for example, (E) could be a file path, or user name, for which the server enforeces access controls, and only services requests when the requesting user is authorized.

Such a scheme is used by the "Pythia PRF Service". [19]

Threshold Implementations

For even greater security, it is possible to thresholdize the server, such that the secret (S) is not held by any individual server, and so the compromise of any single server, or set of servers below some defined threshold, will not expose the secret.

This can be done by having each server be a shareholder in a secret sharing scheme. Instead of using it's secret to compute the result, each server uses it's share of the secret to perform the computation.

The client then takes some subset of the server's computed results, and combines them, for example by computing a protocol known as interpolation in the exponent. This recovers the same result as had the client interacted with a single server which has the full secret.

This algorithm is used in various distributed cryptographic protocols. [20]

Post-Quantum Secure Implementations

Finding efficient post-quantum secure implementations of OPRFs is an area of active research. [21]

"With the exception of OPRFs based on symmetric primitives, all known efficient OPRF constructions rely on discrete-log- or factoring-type hardness assumptions. These assumptions are known to fall with the rise of quantum computers." [1]

Two possible exceptions are lattice-based OPRFs [22] and isogeny-based OPRFs [23] , but more research is required to improve their efficiency.

See also

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.

Articles related to cryptography include:

In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

<span class="mw-page-title-main">Key derivation function</span> Function that derives secret keys from a secret value

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.

An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity as well as authenticate itself to the connecting entity by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.

S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. A user's real password is combined in an offline device with a short set of characters and a decrementing counter to form a single-use password. Because each password is only used once, they are useless to password sniffers.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.

<span class="mw-page-title-main">Digest access authentication</span> Method of negotiating credentials between web server and browser

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

In cryptography, PBKDF1 and PBKDF2 are key derivation functions with a sliding computational cost, used to reduce vulnerability to brute-force attacks.

In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.

In cryptography, CRAM-MD5 is a challenge–response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.

In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish between a function chosen randomly from the PRF family and a random oracle. Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes.

Distributed key generation (DKG) is a cryptographic process in which multiple parties contribute to the calculation of a shared public and private key set. Unlike most public key encryption models, distributed key generation does not rely on Trusted Third Parties. Instead, the participation of a threshold of honest parties determines whether a key pair can be computed successfully. Distributed key generation prevents single parties from having access to a private key. The involvement of many parties requires Distributed key generation to ensure secrecy in the presence of malicious contributions to the key calculation.

A hash chain is the successive application of a cryptographic hash function to a piece of data. In computer security, a hash chain is a method used to produce many one-time keys from a single key or password. For non-repudiation, a hash function can be applied successively to additional pieces of data in order to record the chronology of data's existence.

SipHash is an add–rotate–xor (ARX) based family of pseudorandom functions created by Jean-Philippe Aumasson and Daniel J. Bernstein in 2012, in response to a spate of "hash flooding" denial-of-service attacks (HashDoS) in late 2011.

In cryptography, server-based signatures are digital signatures in which a publicly available server participates in the signature creation process. This is in contrast to conventional digital signatures that are based on public-key cryptography and public-key infrastructure. With that, they assume that signers use their personal trusted computing bases for generating signatures without any communication with servers.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL), it can be used for password-based logins to services like LDAP, HTTP, SMTP, POP3, IMAP and JMAP (e-mail), XMPP (chat), or MongoDB and PostgreSQL (databases). For XMPP, supporting it is mandatory.

In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module. Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret.

References

  1. 1 2 3 Casacuberta, Sílvia; Hesse, Julia; Lehmann, Anja (2022). "SoK: Oblivious Pseudorandom Functions". Cryptology ePrint Archive. Paper 2022/302.
  2. Goldreich, Oded; Goldwasser, Shafi; Micali, Silvio (1986). "How to construct random functions" (PDF). Journal of the ACM (JACM). 33 (4): 792-807. doi:10.1145/6490.6503.
  3. Naor, Moni; Reingold, Omer (2004). "Number-theoretic constructions of efficient pseudo-random functions". Journal of the ACM. 51 (2): 231–262. doi:10.1145/972639.972643.
  4. Freedman, Michael; Ishai, Yuval; Pinkas, Benny; Reingold, Omer (2005). Keyword Search and Oblivious Pseudorandom Functions. Lecture Notes in Computer Science. Vol. TCC 2005. pp. 303–324. doi:10.1007/978-3-540-30576-7_17. ISBN   978-3-540-24573-5.{{cite book}}: |journal= ignored (help)
  5. Krawczyk, Hugo. "Oblivious Pseudorandom Functions and Some (Magical) Applications" (PDF). Columbia University. Retrieved 31 January 2024.
  6. Ford, W.; Kaliski, B. S. (2000). "Server-assisted generation of a strong secret from a password". Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000). pp. 176–180. doi:10.1109/ENABL.2000.883724. ISBN   0-7695-0798-0. S2CID   1977743.
  7. Krawczyk, Hugo; Lewi, Kevin; Wood, Christopher (5 February 2021). "The OPAQUE Asymmetric PAKE Protocol (Draft)". Internet Engineering Task Force.
  8. Tatiana Bradley (2020-12-08). "OPAQUE: The Best Passwords Never Leave your Device". The Cloudflare Blog.
  9. Bourdrez, Daniel; Krawczyk, Hugo; Lewi, Kevin; Wood, Christopher A. (2022-07-06). "The OPAQUE Asymmetric PAKE Protocol (Internet Draft)". IETF.
  10. Matthew Green. "Let’s talk about PAKE". 2018.
  11. Lewi, Kevin; Millican, Jon; Raghunathan, Ananth; Roy, Arnab (2022). "Oblivious Revocable Functions and Encrypted Indexing". Cryptology ePrint Archive. Paper 2022/1044.
  12. "The Labyrinth Encrypted Message Storage Protocol" (PDF). https://engineering.fb.com/ . Meta. Retrieved 30 January 2024.{{cite web}}: External link in |website= (help)
  13. "Technology Preview for secure value recovery". https://signal.org/ . Signal Foundation.{{cite web}}: External link in |website= (help)
  14. "What is CAPTCHA?". Google Support. Google Inc. Archived from the original on 6 August 2020. Retrieved 2022-09-09. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a [...]
  15. Sullivan, Nick (9 November 2017). "Cloudflare supports Privacy Pass". CloudFlare. CloudFlare.com. Retrieved 30 January 2024.
  16. Lauter, Kristin; Kannepalli, Sreekanth; Laine, Kim; Cruz Moreno, Radames (January 1, 2021). "Password Monitor: Safeguarding passwords in Microsoft Edge". Microsoft Research Blog. Retrieved January 1, 2021.
  17. Jarecki, Stanislaw; Krawczyk, Hugo; Resch, Jason (2019). "Updatable Oblivious Key Management for Storage Systems". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. Vol. November 2019. pp. 379–393. doi:10.1145/3319535.3363196. ISBN   978-1-4503-6747-9 . Retrieved Jan 27, 2024.
  18. Chase, Melissa; Miao, Peihan (Aug 2020). "Private Set Intersection in the Internet Setting from Lightweight Oblivious PRF". IACR in CRYPTO 2020. Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference (Proceedings Part III): 34–63. doi:10.1007/978-3-030-56877-1_2.
  19. Everspaugh, Adam; Chaterjee, Rahul; Scott, Samuel; Juels, Ari; Ristenpart, Thomas (2015). "The Pythia PRF Service". 24th USENIX Security Symposium (USENIX Security 15): 547–562. ISBN   978-1-939133-11-3.
  20. Cachin, Christian; Krawczyk, Hugo; Rabin, Tal; Stathakopoulou, Chrysoula; Resch, Jason (14 March 2019). "Platform for Robust Threshold Cryptography". NIST Computer Security Resource Center. NIST.gov. Retrieved 27 January 2024.
  21. Boneh, Dan; Ishai, Yuval; Passelègue, Alain; Sahai, Amit; Wu, David (2018). "Exploring Crypto Dark Matter: New Simple PRF Candidates and Their Applications". Cryptology ePrint Archive. Paper 2018/1218.
  22. Albrecht, Martin; Davidson, Alex; Deo, Amit; Smart, Nigel (2019). "Round-optimal Verifiable Oblivious Pseudorandom Functions From Ideal Lattices". Cryptology ePrint Archive. Paper 2019/1271.
  23. Boneh, Dan; Kogan, Dmitry; Woo, Katharine (2020). "Oblivious Pseudorandom Functions from Isogenies". Advances in Cryptology – ASIACRYPT 2020. Lecture Notes in Computer Science. Vol. ASIACRYPT 2020: 26th International Conference on the Theory and Application of Cryptology and Information Security. pp. 520–550. doi:10.1007/978-3-030-64834-3_18. ISBN   978-3-030-64833-6. S2CID   228085090.{{cite book}}: |journal= ignored (help)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.