Skip to main content

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups

Document Type Replaced Internet-Draft (cfrg RG)
Expired & archived
Authors Alex Davidson , Nick Sullivan , Christopher A. Wood
Last updated 2019-07-03 (Latest revision 2019-03-11)
Replaced by draft-irtf-cfrg-voprf
RFC stream Internet Research Task Force (IRTF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream IRTF state Replaced
Consensus boilerplate Unknown
Document shepherd (None)
IESG IESG state Replaced by draft-irtf-cfrg-voprf
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


An Oblivious Pseudorandom Function (OPRF) is a two-party protocol for computing the output of a PRF. One party (the server) holds the PRF secret key, and the other (the client) holds the PRF input. The 'obliviousness' property ensures that the server does not learn anything about the client's input during the evaluation. The client should also not learn anything about the server's secret PRF key. Optionally, OPRFs can also satisfy a notion 'verifiability' (VOPRF). In this setting, the client can verify that the server's output is indeed the result of evaluating the underlying PRF with just a public key. This document specifies OPRF and VOPRF constructions instantiated within prime-order groups, including elliptic curves.


Alex Davidson
Nick Sullivan
Christopher A. Wood

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)