[CFRG] a few minor comments on voprf and opaque drafts

"Gajcowski, Nicholas H" <nhgajco@nsa.gov> Tue, 26 April 2022 16:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P4F00i3DbQR2KkHQ0Sl2E-i-D2E>

voprf comments:

section 2.2.1

The proof batching via ComputeCompositesFast requires 3 + i scalar multiplications to generate a proof for a batch of size i. It's fairly complicated and spans over 4 pages. However, the "basic scheme" in [ChaumPedersen] requires 2 such multiplications for a single proof, and is simple/intuitive. Given that, I think it makes sense to include it in the draft and perhaps move the batching method to an annex as an option. (FWIW I did spend a few cycles looking at the batching proof and the steps taken do seem necessary.)

pg. 11
In the definition of GenerateProof appears the only use of the mod operator on scalars (it is used elsewhere on integers):

    s = (r - c*k) mod G.order()

To be consistent, consider replacing it with s = (r - c*k), as scalars lie in GF(p).

pg. 24
3.3.3, raise InverseError when skS + m = 0.
While it is common practice to return an error message, here the server learns that the key skS is leaked as m is known externally.  Given that this is being checked, perhaps add a warning that it may be time to rekey.

OPAQUE comments

pg. 7
typo in Blind(element) API: "revert this the"

pg. 15 Envelope recovery
The 1st paragraph says the recover function recovers the envelope. However, the envelope (as defined in 4.1.1) consists of the nonce and auth_tag, which are inputs. Rather, client_private_key and export_key are returned.

Best,

Nick G
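As an added illustration of the points raised above (not part of the original message or of the VOPRF draft's own code), the following Python sketches the single-element Chaum-Pedersen DLEQ proof with its two prover-side exponentiations, the reduction of s = r - c*k into the scalar field, and the skS + m = 0 condition behind InverseError. It assumes a constructed toy Schnorr group (p = 2039, q = 1019, g = 4) that is far too small for real use, and the fixed-width transcript encoding is an assumption of this example, not the draft's serialization.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1 is a safe prime
# and g = 4 generates the order-q subgroup. Far too small for real use.
P, Q, G = 2039, 1019, 4

def encode(*vals):
    # Fixed-width encoding of group elements so the transcript is unambiguous.
    return b"".join(v.to_bytes(2, "big") for v in vals)

def challenge(A, B, C, D, t2, t3):
    # Fiat-Shamir challenge over the whole transcript, reduced to a scalar in Z_q.
    digest = hashlib.sha256(encode(A, B, C, D, t2, t3)).digest()
    return int.from_bytes(digest, "big") % Q

def generate_proof(k, A, B, C, D, r=None):
    # Single-element Chaum-Pedersen DLEQ proof that log_A(B) = log_C(D) = k;
    # the prover needs only the two exponentiations A^r and C^r.
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    t2, t3 = pow(A, r, P), pow(C, r, P)
    c = challenge(A, B, C, D, t2, t3)
    # Scalars live in Z_q; with Python integers the reduction must be explicit.
    s = (r - c * k) % Q
    return c, s

def verify_proof(A, B, C, D, proof):
    c, s = proof
    if not (0 <= c < Q and 0 <= s < Q):
        return False
    # For an honest proof A^s * B^c = A^(r - ck) * A^(kc) = A^r = t2, likewise t3.
    t2 = pow(A, s, P) * pow(B, c, P) % P
    t3 = pow(C, s, P) * pow(D, c, P) % P
    return challenge(A, B, C, D, t2, t3) == c

def poprf_eval_scalar(skS, m):
    # POPRF evaluation needs 1/(skS + m) mod q; the draft raises InverseError when
    # skS + m = 0, at which point skS = -m mod q is fixed by the public m.
    if (skS + m) % Q == 0:
        raise ValueError("InverseError: skS + m = 0, secret key is exposed")
    return pow(skS + m, -1, Q)

def demo():
    k = secrets.randbelow(Q - 1) + 1                  # server key skS
    B = pow(G, k, P)                                  # public key pkS
    C = pow(G, secrets.randbelow(Q - 1) + 1, P)       # a blinded input element
    D = pow(C, k, P)                                  # its evaluation C^skS
    proof = generate_proof(k, G, B, C, D)
    return verify_proof(G, B, C, D, proof), verify_proof(G, B, C, D * G % P, proof)
```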