This requirement enables the second party to implement access controls, throttling, audit logging and/or other security measures.
This thereby solves the problem of the password being low-entropy, and therefore vulnerable to cracking via brute force.
[6] It serves a similar purpose to key stretching, but password hardening adds significantly more entropy.
With PAKE, however, the user's password is not sent to the server, preventing it from falling into an eavesdropper's hands.
[7][8][9][10] Recently, OPRFs have been applied to password-based key exchange to back up encrypted chat histories in WhatsApp[11] and Facebook Messenger.
[13] A CAPTCHA or "Completely Automated Public Turing test to tell Computers and Humans Apart."
Lately, mechanisms for running CAPTCHA tests have been centralized to services such as Google and Cloudflare, but this can come at the expense of user privacy.
Recently, Cloudflare developed a privacy-preserving technology called "Privacy Pass".[15] This technology is based on OPRFs, and enables the client's browser to obtain passes from Cloudflare and then present them to bypass CAPTCHA tests.
A password manager is software or a service that holds potentially many different account credentials on behalf of the user.
[16] It uses two devices (such as the user's laptop and phone) which collaborate to compute a password for a given account (as identified by the username and website's domain name).
A downside of this approach is that the user always needs access to both devices whenever they want to log in to any of their accounts.
Examples include methods from asymmetric cryptography, such as elliptic curve point multiplication, Diffie–Hellman modular exponentiation over a prime, or an RSA signature calculation.
The essential idea is that the first party (the client) must cryptographically blind the input prior to sending it to the second party.
The following is pseudocode for the calculations performed by the client and server using an elliptic curve based OPRF.
Notes: Because the elliptic curve point multiplication is computationally difficult to invert (like the discrete logarithm problem), the client cannot feasibly learn the server's secret from the response it produces.
A client or third party in possession of a quantum computer could solve for the server's secret knowing the result it produced for a given input.
Many applications require that the first party be able to verify that the OPRF output was computed correctly.
Specifically, a P-OPRF is any function with the following properties:
The use case for this is when the server needs to implement specific throttling or access controls on the exposed input (E). For example, (E) could be a file path or user name for which the server enforces access controls, servicing requests only when the requesting user is authorized.
[24] Finding efficient post-quantum secure implementations of OPRFs is an area of active research.