Tyagi et al. present a modified variant of the 2HashDH-based OPRF that enables so-called "partially-oblivious" evaluation. Abstractly, this means that the OPRF protocol has two types of PRF inputs:
- Private input, typically provided by the clients, that is hidden from the server during evaluation.
- Public input, input by client and server, that is visible to both client and server during the protocol.
Running this partially-oblivious variant with "empty" public input is functionally the same as the design today, wherein there is no public input. Thus, this type of extension seems useful for enabling a wider set of applications, especially Privacy Pass and OPAQUE.
As an added benefit, one consequence of this variant is that it requires multiplicative blinding, which should simplify choices available to implementers and other applications using the OPRF. (See #241 for discussion around the considerations introduced by allowing multiple blinding variants.)
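The two kinds of input and the multiplicative blind described above, as an added Python sketch that is not code from this issue or from the draft. Assumptions: the toy group `P`, `Q`, the helper names `h1`, `h3` and `finalize`, and the server exponent `1/(k + H3(public))`, which the post does not spell out; the server's proof of correct evaluation is left out.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# P = 2*Q + 1 with P and Q prime; the squares mod P form a subgroup of prime order Q.
P, Q = 2039, 1019

def _h(tag: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 over length-prefixed parts, as an integer."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def h1(private: bytes) -> int:
    """Hash the private input to a non-identity element of the order-Q subgroup."""
    return pow(2 + _h(b"H1", private) % (P - 3), 2, P)

def h3(public: bytes) -> int:
    """Hash the public input to a scalar mod Q."""
    return _h(b"H3", public) % Q

def finalize(private: bytes, public: bytes, element: int) -> bytes:
    """H2: bind both inputs and the unblinded element into the PRF output."""
    return _h(b"H2", private, public, str(element).encode()).to_bytes(32, "big")

def client_blind(private: bytes, r: int = 0) -> tuple:
    """Multiplicative blinding: send H1(x)^r and keep r; the server never sees x."""
    # Additive blinding would need g^(1/e) to unblind, which g^k does not give the client.
    r = r or 1 + secrets.randbelow(Q - 1)
    return r, pow(h1(private), r, P)

def server_evaluate(k: int, blinded: int, public: bytes) -> int:
    """Raise the blinded element to 1/(k + H3(public)) mod Q."""
    if not 1 < blinded < P or pow(blinded, Q, P) != 1:
        raise ValueError("blinded element is not in the prime-order subgroup")
    e = (k + h3(public)) % Q
    if e == 0:  # edge case: this public input cancels the key, so no inverse exists
        raise ValueError("k + H3(public) is not invertible")
    return pow(blinded, pow(e, -1, Q), P)

def client_finalize(private: bytes, public: bytes, r: int, evaluated: int) -> bytes:
    """Strip the blind with r^-1 mod Q, then hash together with both inputs."""
    return finalize(private, public, pow(evaluated, pow(r, -1, Q), P))

def prf(k: int, private: bytes, public: bytes) -> bytes:
    """Non-interactive evaluation, used to check the protocol's result."""
    return finalize(private, public, server_evaluate(k, h1(private), public))
```

The public input enters twice: it shifts the server's exponent and it is hashed into the final output, so the same private input under a different public input yields an unrelated value.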