Re: [Cfrg] Adoption call for draft-sullivan-cfrg-voprf

Hugo Krawczyk <> Wed, 29 May 2019 03:14 UTC

On Mon, May 27, 2019 at 7:15 PM David Wong <>

> > On May 20, 2019, at 1:54 PM, Hugo Krawczyk <> wrote:
> > Hi David, to use a V-OPRF the client needs to store the public key Y=kG
> > corresponding to the server's OPRF key k. In the OPAQUE setting we do not
> > assume that the user carries any public key with her. The only information
> > the user carries is the password (and account information where to login).
> > This makes OPAQUE immune to PKI failures.
> > Hugo
>
> Hey Hugo,
> thank you for providing an answer to my question! Why are we assuming that
> the user does not carry the server's public key? For some mobile client
> code, the application should be able to pin the server's public key. For
> web, I'm not sure how this can be done besides using a PKI indeed.

It is fine if the user, for a given application, needs to carry a public
key. What I was saying is that OPAQUE does not require to do so. Just
having the password and basic account information is sufficient for OPAQUE
to work securely.

> Also, what are the consequences of not being able to verify the server's
> operation? Intuitively it sounds like the server can target users and force
> them to use a weak key.

In OPAQUE, if the user connects to the wrong server (by mistake, by
misconfiguration, by attack, or whatever reason), the password is not at
risk. The server will learn *nothing* about the password, and a channel will
not be established, since the server will not be able to authenticate to the
user (OPAQUE creates a mutually authenticated channel in which only the user
with the correct password and the server with whom the account and password
were initially established can pass authentication).
> David
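The two points in the exchange above, as an added worked example that is not part of either message and not code from the OPAQUE or VOPRF drafts: (1) the server sees only a blinded element, so the password never reaches it, and (2) verifying the server's evaluation (the "V" in V-OPRF, here a Chaum-Pedersen DLEQ proof) only works if the client already holds the server's public key Y = G^k, which is exactly what OPAQUE does not assume. Everything here is constructed for illustration: the group is a toy 64-bit safe-prime subgroup found at import time (a real deployment would use a standard elliptic curve or a 2048-bit MODP group), the password is a sample, and the "rogue" server is a second key to show that a pinned public key rejects its proof.

```python
"""Toy (V)OPRF in the order-q subgroup of Z_p^*, p = 2q+1 a safe prime (constructed example)."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 3.3e24 (covers 64-bit n)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple:
    """Smallest odd q >= start with q and p = 2q+1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 63)  # toy 64-bit group; for illustration only, not a secure size
G = 4                            # 2^2 is a square, hence a generator of the order-q subgroup


def hash_to_group(msg: bytes) -> int:
    """Hash into the order-q subgroup: every nonzero square mod a safe prime lies in it."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(bytes([ctr]) + msg).digest(), "big") % P
        e = h * h % P
        if e not in (0, 1):
            return e
        ctr += 1


def chal(*elems: int) -> int:
    """Fiat-Shamir challenge over the group elements of the DLEQ transcript."""
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def client_blind(password: bytes):
    # Fresh r makes H(pw)^r uniform among non-identity elements: the server's view is
    # independent of the password, whichever server (honest or not) receives it.
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(password), r, P)


def server_evaluate(k: int, blinded: int):
    """Return blinded^k plus a DLEQ proof that the exponent equals log_G(Y) for Y = G^k."""
    evaluated = pow(blinded, k, P)
    Y = pow(G, k, P)
    t = secrets.randbelow(Q - 1) + 1
    c = chal(G, Y, blinded, evaluated, pow(G, t, P), pow(blinded, t, P))
    s = (t - c * k) % Q
    return evaluated, (c, s)


def client_verify(Y: int, blinded: int, evaluated: int, proof) -> bool:
    """Checks the DLEQ proof against a pinned Y; without Y there is nothing to verify against."""
    c, s = proof
    A = pow(G, s, P) * pow(Y, c, P) % P                # = G^t when the proof is honest
    B = pow(blinded, s, P) * pow(evaluated, c, P) % P  # = blinded^t when the same k was used
    return chal(G, Y, blinded, evaluated, A, B) == c


def client_finalize(password: bytes, r: int, evaluated: int) -> bytes:
    unblinded = pow(evaluated, pow(r, -1, Q), P)  # (H(pw)^r)^k^(1/r) = H(pw)^k
    return hashlib.sha256(password + unblinded.to_bytes(32, "big")).digest()


def oprf_direct(k: int, password: bytes) -> bytes:
    """Reference value: the same PRF computed with k in hand (what the client must recover)."""
    return hashlib.sha256(password + pow(hash_to_group(password), k, P).to_bytes(32, "big")).digest()


def run(password: bytes, server_key: int, pinned_Y: int) -> dict:
    r, blinded = client_blind(password)
    evaluated, proof = server_evaluate(server_key, blinded)
    return {"proof_ok": client_verify(pinned_Y, blinded, evaluated, proof),
            "output": client_finalize(password, r, evaluated)}


def demo() -> dict:
    pw = b"correct horse battery staple"    # constructed sample password
    k_good = secrets.randbelow(Q - 1) + 1   # the account's real server key
    k_rogue = secrets.randbelow(Q - 1) + 1  # a wrong server (misconfiguration or attack)
    Y_good = pow(G, k_good, P)
    honest = run(pw, k_good, Y_good)
    rogue = run(pw, k_rogue, Y_good)        # client pinned Y_good but reached the rogue server
    return {"honest_matches_direct": honest["output"] == oprf_direct(k_good, pw),
            "honest_proof_ok": honest["proof_ok"],
            "rogue_proof_ok": rogue["proof_ok"],
            "rogue_output_differs": rogue["output"] != honest["output"]}
```

The rogue server's proof fails only because the client pinned Y_good; a client without a public key, as in the OPAQUE setting Hugo describes, cannot run `client_verify` at all, yet still leaks nothing, since the only thing any server receives is the blinded element. The rogue output differing from the honest one is what later makes the key-exchange step fail rather than the password.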