Re: [Cfrg] I-D Action: draft-irtf-cfrg-voprf-03.txt

Alex Davidson <> Mon, 09 March 2020 18:06 UTC


Dear CFRG,

This change to the OPRF draft includes minor clarifications plus the
following changes.

   - We now certify the public key during VerifiableFinalize, as per advice from
   Hugo Krawczyk (
   - Added text discussing how to perform domain separation for the OPRF
   - Make prime-order group assumptions explicit.
   - Changes to algorithms that accept batched inputs as they were not
   previously clear.
   - Changes to construction of batched DLEQ proofs.
   - Updated ciphersuites to be consistent with hash-to-curve and added
   OPRF specific ciphersuites.

In addition, we're currently working on a number of proof-of-concept
implementations of the primitive at
to demonstrate working examples of the protocol that follow the latest
version of the draft. The current implementations that we have are written
in Go and Rust. Contributions to these implementations, or of new
implementations in different languages, would be very welcome!

There is also a new draft detailing the Privacy Pass protocol that
explicitly uses the VOPRF protocol in this draft as a dependency: There is a BoF
event planned at IETF 107 for privacy-pass that will discuss whether to
form a working group around the protocol.

Looking forward to hearing your comments,
Alex, Nick & Chris

On Mon, Mar 9, 2020 at 2:25 PM <> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
>         Title           : Oblivious Pseudorandom Functions (OPRFs) using
> Prime-Order Groups
>         Authors         : Alex Davidson
>                           Nick Sullivan
>                           Christopher A. Wood
>         Filename        : draft-irtf-cfrg-voprf-03.txt
>         Pages           : 40
>         Date            : 2020-03-09
> Abstract:
>    An Oblivious Pseudorandom Function (OPRF) is a two-party protocol for
>    computing the output of a PRF.  One party (the server) holds the PRF
>    secret key, and the other (the client) holds the PRF input.  The
>    'obliviousness' property ensures that the server does not learn
>    anything about the client's input during the evaluation.  The client
>    should also not learn anything about the server's secret PRF key.
>    Optionally, OPRFs can also satisfy a notion 'verifiability' (VOPRF).
>    In this setting, the client can verify that the server's output is
>    indeed the result of evaluating the underlying PRF with just a public
>    key.  This document specifies OPRF and VOPRF constructions
>    instantiated within prime-order groups, including elliptic curves.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
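The blind / evaluate / verify / unblind exchange that the quoted abstract describes, as an added example that is not code from the draft or from the Go and Rust implementations the mail mentions. It assumes a constructed toy group (the prime-order subgroup of Z_p^* for a small safe prime) in place of a draft ciphersuite, a Chaum-Pedersen style DLEQ proof checked against the server's public key for the verifiability property, and domain-separation labels of its own.

```python
import hashlib
import secrets
# Constructed toy group (not a draft ciphersuite): order-Q subgroup of Z_P^*, P = 2Q + 1 safe.
P, Q, G = 2039, 1019, 4      # 4 is a square mod P, so it generates the order-Q subgroup

def hash_to_group(x: bytes) -> int:
    # Squaring lands in the subgroup; a base in [2, P-2] keeps the result != 1.
    h = int.from_bytes(hashlib.sha256(b"toy-voprf/h2g:" + x).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)

def hash_to_scalar(*parts: int) -> int:
    # Domain-separated, fixed-width encoded Fiat-Shamir challenge in [0, Q).
    data = b"toy-voprf/dleq:" + b"".join(i.to_bytes(2, "big") for i in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def finalize(x: bytes, n: int) -> str:
    return hashlib.sha256(b"toy-voprf/fin:" + x + n.to_bytes(2, "big")).hexdigest()

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)                 # pk = G^sk is published

def blind(x: bytes):
    # Client: hide H(x) behind a random exponent r; the server only ever sees M.
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(x), r, P)

def evaluate(sk: int, pk: int, m: int):
    # Server: Z = M^sk plus a DLEQ proof that log_G(pk) == log_M(Z), i.e. same sk.
    z = pow(m, sk, P)
    t = secrets.randbelow(Q - 1) + 1
    c = hash_to_scalar(G, pk, m, z, pow(G, t, P), pow(m, t, P))
    return z, (c, (t - c * sk) % Q)

def verify_dleq(pk: int, m: int, z: int, proof) -> bool:
    c, s = proof
    a = pow(G, s, P) * pow(pk, c, P) % P    # equals G^t for an honest proof
    b = pow(m, s, P) * pow(z, c, P) % P     # equals M^t likewise
    return hash_to_scalar(G, pk, m, z, a, b) == c

def verify_and_finalize(x: bytes, r: int, m: int, pk: int, z: int, proof) -> str:
    # Client: accept Z only if the proof verifies against pk, then unblind it.
    if not verify_dleq(pk, m, z, proof):
        raise ValueError("DLEQ proof failed: Z was not computed under pk")
    return finalize(x, pow(z, pow(r, -1, Q), P))   # (H(x)^r)^sk ^ (1/r) = H(x)^sk

def run_protocol(x: bytes, sk: int, pk: int) -> str:
    r, m = blind(x)
    z, proof = evaluate(sk, pk, m)
    return verify_and_finalize(x, r, m, pk, z, proof)
```

The unblinded result equals the server's direct PRF evaluation on the same input, while a proof made under a different key than the one the client certifies is rejected.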