pseudorandom-function oracle-Diffie-Hellman (PRF-ODH) assumption

PRF-ODH:

The PRF-ODH assumption basically says that the function value $PRF(g^{uv},x^{\ast })$ for a DH key $g^{uv}$ looks random, even if given $g^u$ and $g^v$ and if seeing related values $PRF(S^u,x)$ and/or $PRF(T^v,x)$ for chosen values $S,T,x$.

Active adversary can submit a modified value $S$ instead of $g^v$ to the client, then it can obtain a related key $PRF(S^u,...)$ on the clients’ side. The server’ session key is still $PRF(g^{uv},...)$. The PRF-ODH assumption guarantees now that the server’s key is still fresh.

Simple authentication of transmissions cannot remedy the above problem. Since the adversary could use a corrupted server’s key to achieve authenticaiton. Then the Diffie–Hellman keys in the executions would still be non-trivially related. This happens especially if keys are used in multiple sessions.

[CRYPTO 2017] PRF-ODH: Relations, Instantiations, and Impossibility Results