Skip to main content

Shepherd writeup

Technical Summary
This document is dedicated to Oblivious Pseudorandom Functions (OPRFs), which
allow to compute the output of a PRF by a client and a server in a way that the
server does not learn anything about the client's input during the evaluation.
The security properties provided by variants of OPRF protocols (OPRF itself and
Verifiable OPRF, VOPRF) are defined and instantiations of OPRFs are defined for
prime-order groups, applying to finite fields of prime-order and also elliptic
curve settings. This document is a product of the Crypto Forum Research Group
(CFRG) in the IRTF.

Research Group Summary
After adopting the document it was presented in CFRG meetings at IETF 109, IETF
110, IETF 111, IETF 112 and at the interim meeting in July 2020. There was a
Research Group Last Call for the draft in 2022 (October-November). There were
no major concerns raised during the RGLC. Several minor concerns raised during
the RGLC were addressed by the authors. The authors have answered the questions
raised during the Research Group Last Call, no questions have remained
unanswered. Crypto Review Panel review was solicited in August 2022. The review
was provided by Julia Hesse. Comments from that review were addressed in -13
and -14.

Document Quality
There are at least ten implementations for various variants:
JavaScript/TypeScript implementations for OPRF [1] and VOPRF [2], Go
implementations for OPRF [3], VOPRF [4], an implementation in CIRCL [5], Rust
implementations for OPRF [6] and VOPRF [7], reference implementations for
Sage/Python [8], C implementations [9] and [10] (BoringSSL). All authors of the
document have confirmed that they are not aware of any IPRs related to the

Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.