IACR News item: 20 October 2025
Cruz Barnum, Mohammad Hajiabadi, David Heath, Jake Januzelli, Namar Kumar, Mike Rosulek
ePrint Report
Oblivious Pseudorandom Function (OPRF) protocols can be categorized into two variants: chosen-key OPRFs -- where the server provides the PRF key $k$ as an input -- and ephemeral-key OPRFs -- where the functionality randomly samples $k$ on behalf of the server. Ephemeral-key OPRFs can be constructed from simple cryptography, such as black-box OT and a random oracle. Chosen-key OPRFs, on the other hand, are only known by employing one of the following (more expensive) approaches:
- Express the underlying PRF as a circuit, then use generic MPC techniques to evaluate it in a non-black-box manner.
- Base the underlying PRF on some specific public-key assumption, such as RSA or DDH, then build a custom protocol that achieves obliviousness by leveraging the PRF's algebraic structure.
Thus, there exists a qualitative gap between known instantiations of these two OPRF variants, in terms of both assumptions and efficiency.
We show that this gap is inherent. In particular, one might hope for an OPRF with all of the following characteristics: the protocol (1) is chosen-key, (2) supports domains of super-polynomial size, and (3) is constructed from "simple" cryptography, such as the minimal assumption of OT, plus a random oracle. We show that no such protocol can exist.
Let $\Pi$ be any chosen-key OPRF protocol defined in terms of a PRF $F$, where $F$ is defined with respect to (only) a random oracle. This restriction on $F$ rules out the above approaches of either using a PRF in a non-black-box way or basing the underlying PRF itself on public-key cryptography. While $F$ is restricted in its use of cryptography, the protocol $\Pi$ is not: $\Pi$ may use arbitrary cryptography, e.g., OT, FHE, iO, etc. We show that each invocation of any such $\Pi$ necessarily leaks information about the server's key $k$. After a bounded number of queries, an adversarial client can effectively recover $k$, breaking server privacy.
To complement our negative result, we provide a matching positive result: we construct a chosen-key OPRF from black-box OT and RO, where server privacy holds for some bounded number of queries $n$. This protocol's underlying PRF is constructed from a $(n+1)$-wise independent hash function and RO; the server's key $k$ has length scaling linearly in $n$ which, by our lower bound, is optimal. Thus, our two results tightly (i.e., up to $\mathrm{poly}(\lambda)$ factors) characterize (im)possibility for chosen-key OPRFs, unless one uses non-black-box cryptography or a public-key-style PRF.
We show that this gap is inherent. In particular, one might hope for an OPRF with all of the following characteristics: the protocol (1) is chosen-key, (2) supports domains of super-polynomial size, and (3) is constructed from "simple" cryptography, such as the minimal assumption of OT, plus a random oracle. We show that no such protocol can exist.
Let $\Pi$ be any chosen-key OPRF protocol defined in terms of a PRF $F$, where $F$ is defined with respect to (only) a random oracle. This restriction on $F$ rules out the above approaches of either using a PRF in a non-black-box way or basing the underlying PRF itself on public-key cryptography. While $F$ is restricted in its use of cryptography, the protocol $\Pi$ is not: $\Pi$ may use arbitrary cryptography, e.g., OT, FHE, iO, etc. We show that each invocation of any such $\Pi$ necessarily leaks information about the server's key $k$. After a bounded number of queries, an adversarial client can effectively recover $k$, breaking server privacy.
To complement our negative result, we provide a matching positive result: we construct a chosen-key OPRF from black-box OT and RO, where server privacy holds for some bounded number of queries $n$. This protocol's underlying PRF is constructed from a $(n+1)$-wise independent hash function and RO; the server's key $k$ has length scaling linearly in $n$ which, by our lower bound, is optimal. Thus, our two results tightly (i.e., up to $\mathrm{poly}(\lambda)$ factors) characterize (im)possibility for chosen-key OPRFs, unless one uses non-black-box cryptography or a public-key-style PRF.
Additional news items may be found on the IACR news page.