Let's say client side has a secret password $\pi$. The server has a series of indices $0..n-1$ and a salt associated value $s_i$ for all $i \in \{0,n-1\}$ call it set $S=\{s_i |
i \in \{0,n-1\}\}$ for each client. Client wishes to compute an OPRF function $f(\pi,s)$ such that he does not learn $s$ and the server does not learn anything. This is basically what OPAQUE does for $f(\pi,s)=H(\pi,H'(\pi)^s)$ where $H'$ hashes to a sub group element. Because the server only ever sees the blinded $H'(\pi)$ which is a random group element, it can simulate its view and no matter how many query client does, it never learns $s$.
But I need to take it one step further and require that it allows logging in anonymously. That is I need a function $g(i,\pi,S)=f(\pi,s_i)$ such that server does not learn anything about either $i$ or $\pi$ and client does not learn anything else about $S$ or about any other elements in $S$. Least not $f(\pi,s_j)$ for another $j$ that allows one to target multiple accounts at the same time with brute force/dictionary attacks.
One way of doing this for the same function as in OPAQUE is using OPAQUE along with oblivious transfer. Client does not need to send many values at a time but simply using OT here means that the server has to do perform it's end of calculation of $f(\pi,s_i)$ for each $i$ i.e $n$ exponentiations/scalar multiplications and needs to send $n$ cipher texts each time a client tries to login. And this is outside the computations involved with OT itself. After all, OT can be used to transfer arbitrary messages not just compute some functions so $n$ cipher texts in general case is justified. But this would be impractical here.
So, does anyone knows of any work about this or is doing anything which can achieve this more efficiently in constant or at least sublinear time of number of clients to be practical.It may be something that uses some accumulator in $S$ which can be precomputed or something. It does not have to be same function as in OPAQUE, anything with above properties works.
EDIT: I am not suggesting performing full OPAQUE anonymously, which since it holds encrypted client ID private DH key and server public DH key requires OT to perform anonymously. But doing only the calculation of OPRF part anonymously and perform rest of key exchange separately.