[CFRG] [Technical Errata Reported] RFC9497 (7925)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 07 May 2024 13:34 UTC
To: alex.davidson92@gmail.com, armfazh@cloudflare.com, nicholas.sullivan+ietf@gmail.com, caw@heapingbits.net, irsg@irtf.org, cfrg@irtf.org
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20240507133422.E6D1F1996069@rfcpa.amsl.com>
Date: Tue, 07 May 2024 06:34:22 -0700
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MILD6L4bCJyfhi4_BDr5nV9prqE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
The following errata report has been submitted for RFC9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7925

--------------------------------------
Type: Technical
Reported by: Stefan Santesson <stefan@aaa-sec.com>

Section: 4.3

Original Text
-------------
HashToScalar(): Use hash_to_field from [RFC9380] using L = 48, expand_message_xmd with SHA-256, DST = "HashToScalar-" || contextString, and a prime modulus equal to Group.Order().

Corrected Text
--------------
HashToScalar(): Compute uniform_bytes using expand_message = expand_message_xmd, DST = "HashToScalar-" || contextString, and an output length of 48 bytes, interpret uniform_bytes as a 384-bit integer in little-endian order, and reduce the integer modulo Group.Order().

Notes
-----
It is incorrect to refer to the hash_to_field operation of RFC 9380 because the implementation of hash_to_field, as described in section 5.2 of RFC 9380, reduces the result integer mod Field order (not Group order).

7. e_j = OS2IP(tv) mod p

where p is the characteristic of field F.

The current text implies that the existing hash_to_field implementation for P-256 can be used. But using this will cause a false result due to the mod field order operation.

A better and more accurate way to describe this is by using the same explanation as for other curve types and specify the use of expand_message_xmd directly modulus Group.Order().

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it will be removed shortly by the RFC Production Center.) Please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party will log in to change the status and edit the report, if necessary.
--------------------------------------
RFC9497 (draft-irtf-cfrg-voprf-21)
--------------------------------------
Title : Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups
Publication Date : December 2023
Author(s) : A. Davidson, A. Faz-Hernandez, N. Sullivan, C. A. Wood
Category : INFORMATIONAL
Source : Crypto Forum Research Group
Stream : IRTF
Verifying Party : IRSG
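The point of the report is the reduction modulus: the same 48 expander bytes give a different scalar when reduced modulo the P-256 field prime p than when reduced modulo Group.Order() n, and an implementation that reuses a generic hash_to_field routine wired to p will fail to interoperate. The Python below is an added worked example, not code from RFC 9497, RFC 9380 or the errata report. It implements expand_message_xmd (SHA-256) as specified in RFC 9380 Section 5.3.1, checks it against the first SHA-256 expander vector in RFC 9380 Appendix K.1, and then reduces the 48-byte output both ways so the divergence is visible on concrete input. The integer interpretation is big-endian OS2IP, as hash_to_field uses it; the little-endian interpretation in the proposed corrected text is not applied here, and that byte order is this example's own choice. The context string and message in the usage block are constructed values, not RFC test vectors.

```python
import hashlib
import math

# Added example (not code from RFC 9497 or the errata report).
# P-256 (secp256r1) parameters: the field prime p and the group order n.
P256_FIELD_PRIME = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_GROUP_ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

B_IN_BYTES = 32  # SHA-256 output length
S_IN_BYTES = 64  # SHA-256 input block length


def i2osp(x: int, length: int) -> bytes:
    """Integer to big-endian octet string of fixed length (RFC 8017 I2OSP)."""
    return x.to_bytes(length, "big")


def os2ip(octets: bytes) -> int:
    """Big-endian octet string to integer (RFC 8017 OS2IP)."""
    return int.from_bytes(octets, "big")


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """expand_message_xmd(msg, DST, len_in_bytes) with H = SHA-256, RFC 9380 Section 5.3.1."""
    ell = math.ceil(len_in_bytes / B_IN_BYTES)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    z_pad = i2osp(0, S_IN_BYTES)
    l_i_b_str = i2osp(len_in_bytes, 2)
    msg_prime = z_pad + msg + l_i_b_str + i2osp(0, 1) + dst_prime
    b_0 = hashlib.sha256(msg_prime).digest()
    b_prev = hashlib.sha256(b_0 + i2osp(1, 1) + dst_prime).digest()
    blocks = [b_prev]
    for i in range(2, ell + 1):
        xored = bytes(x ^ y for x, y in zip(b_0, b_prev))
        b_prev = hashlib.sha256(xored + i2osp(i, 1) + dst_prime).digest()
        blocks.append(b_prev)
    return b"".join(blocks)[:len_in_bytes]


def rfc9380_expander_kat_ok() -> bool:
    """Known-answer check: first SHA-256 vector of RFC 9380 Appendix K.1
    (DST "QUUX-V01-CS02-with-expander-SHA256-128", empty msg, 32 bytes)."""
    out = expand_message_xmd(b"", b"QUUX-V01-CS02-with-expander-SHA256-128", 32)
    return out.hex() == "68a985b87eb6b46952128911f2a4412bbc302a9d759667f87f7a21d803f07235"


def hash_to_scalar(msg: bytes, context_string: bytes, modulus: int, L: int = 48) -> int:
    """Scalar derivation as the P-256 text of RFC 9497 Section 4.3 describes it:
    L = 48 expander bytes with DST = "HashToScalar-" || contextString, OS2IP,
    then reduction modulo `modulus`. The modulus is explicit so the intended
    Group.Order() reduction can be compared with a field-prime reduction."""
    dst = b"HashToScalar-" + context_string
    uniform_bytes = expand_message_xmd(msg, dst, L)
    return os2ip(uniform_bytes) % modulus


def compare_reductions(msg: bytes, context_string: bytes) -> dict:
    """Reduce the same 48 expander bytes modulo n (intended) and modulo p
    (what a hash_to_field routine parameterised with the P-256 field does)."""
    dst = b"HashToScalar-" + context_string
    uniform_bytes = expand_message_xmd(msg, dst, 48)
    u = os2ip(uniform_bytes)
    return {
        "uniform_bytes": uniform_bytes.hex(),
        "mod_group_order": u % P256_GROUP_ORDER,
        "mod_field_prime": u % P256_FIELD_PRIME,
    }


if __name__ == "__main__":
    # Constructed inputs for illustration; not test vectors from RFC 9497.
    ctx = b"OPRFV1-" + i2osp(0, 1) + b"-P256-SHA256"
    result = compare_reductions(b"constructed input message", ctx)
    print("expander KAT ok:", rfc9380_expander_kat_ok())
    print("uniform_bytes :", result["uniform_bytes"])
    print("mod n         :", hex(result["mod_group_order"]))
    print("mod p         :", hex(result["mod_field_prime"]))
    print("differ        :", result["mod_group_order"] != result["mod_field_prime"])
```

Because the expander output is 384 bits and n is a 256-bit prime, the two reductions can only coincide when the integer is already below n, which a uniform 48-byte string reaches with probability about 2^-128; in practice every input shows the divergence, so a single known-answer comparison between two implementations is enough to catch a P-256 HashToScalar that reduces modulo p.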