Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups

Document Type Replaced Internet-Draft (cfrg RG)
Authors Alex Davidson  , Nick Sullivan  , Christopher Wood 
Last updated 2019-07-03 (latest revision 2019-03-11)
Replaced by draft-irtf-cfrg-voprf
Stream Internet Research Task Force (IRTF)
Intended RFC status (None)
Expired & archived
plain text pdf htmlized bibtex
Stream IRTF state Replaced
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state Replaced by draft-irtf-cfrg-voprf
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


An Oblivious Pseudorandom Function (OPRF) is a two-party protocol for computing the output of a PRF. One party (the server) holds the PRF secret key, and the other (the client) holds the PRF input. The 'obliviousness' property ensures that the server does not learn anything about the client's input during the evaluation. The client should also not learn anything about the server's secret PRF key. Optionally, OPRFs can also satisfy a notion 'verifiability' (VOPRF). In this setting, the client can verify that the server's output is indeed the result of evaluating the underlying PRF with just a public key. This document specifies OPRF and VOPRF constructions instantiated within prime-order groups, including elliptic curves.


Alex Davidson (adavidson@cloudflare.com)
Nick Sullivan (nick@cloudflare.com)
Christopher Wood (cawood@apple.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)