Oblivious Pseudorandom Functions

Nick Sullivan from Cloudflare always has his finger on the pulse of cybersecurity, and announced today that RFC 9497 has just been published [here].

Introduction

In our digital world, we give away too many of our secrets, especially when we only need to prove knowledge of something rather than actually reveal it. In many of the systems we use, we could instead prove things in an oblivious way, passing a secret only in a blinded form.

With this, a server does not discover our password and does not discover the identifier that a server holds on us. But can we also provide proof back that the right password has been used? Well, with Verifiable Oblivious Pseudorandom Functions (VOPRF), we can generate a random secret that is based on both a key generated on the server (Alice) and Bob’s secret:

Initially, Bob generates his secret, and then blinds it. This blinded value is then sent to Alice, who then uses her private key to produce proof values…
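The blind, evaluate and unblind flow described above, as an added sketch that is not code from the article or from RFC 9497. It assumes the secp256k1 curve, a try-and-increment hash to the group and hypothetical function names; the RFC's ciphersuites, hash-to-curve method and proof encoding differ.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime (curve choice is an assumption)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition on y^2 = x^3 + 7; None is the identity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def h2i(*parts):  # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def hash_to_group(data):  # try-and-increment, NOT the RFC's hash-to-curve
    for ctr in range(256):
        x = h2i("h2g", data, ctr) % P
        y = pow(x ** 3 + 7, (P + 1) // 4, P)
        if y * y % P == (x ** 3 + 7) % P:
            return x, y

def blind(secret):  # Bob: hide H(secret) under a fresh random scalar r
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, hash_to_group(secret))

def evaluate(k, blinded):  # Alice: apply key k, prove the same k is behind pk = k*G
    z, t = mul(k, blinded), secrets.randbelow(N - 1) + 1
    c = h2i(G, mul(k, G), blinded, z, mul(t, G), mul(t, blinded)) % N
    return z, (c, (t - c * k) % N)

def finalize(secret, r, blinded, z, proof, pk):  # Bob: check the proof, then unblind
    c, s = proof
    a, b = add(mul(s, G), mul(c, pk)), add(mul(s, blinded), mul(c, z))
    if c != h2i(G, pk, blinded, z, a, b) % N:
        raise ValueError("DLEQ proof failed: evaluation does not match server key")
    return h2i("out", secret, mul(pow(r, -1, N), z))
```

Alice only ever sees `blinded`, which is a fresh random point on every run, while Bob's output depends only on his secret and Alice's key.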

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.