Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection

An Oblivious Pseudorandom Function (OPRF) [15] is a two-party protocol between sender S and receiver R for securely computing a pseudorandom function fk(·) on key k contributed by S and input x contributed by R, in such a way that receiver R learns only the value fk(x) while sender S learns nothing from the interaction. In other words, an OPRF protocol for PRF fk(·) is a secure computation for functionality FOPRF : (k, x)→ (⊥, fk(x)). We propose an OPRF protocol on committed inputs which requires only O(1) modular exponentiations, and has a constant number of communication rounds (two in ROM). Our protocol is secure in the CRS model under the Composite Decisional Residuosity (CDR) assumption, while the PRF itself is secure on a polynomially-sized domain under the Decisional q-Diffie-Hellman Inversion assumption on a group of composite order, where q is the size of the PRF domain, and it has a useful feature that fk is an injection for every k. A practical OPRF protocol for an injective PRF, even limited to a polynomiallysized domain, is a versatile tool with many uses in secure protocol design. We show that our OPRF implies a new practical fully-simulatable adaptive (and committed) OT protocol secure without ROM. In another example, this oblivious PRF construction implies the first secure computation protocol of set intersection on committed data with computational cost of O(N) exponentiations where N is the maximum size of both data sets.