Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
Sander Dijkhuis <mail@sanderdijkhuis.nl> Sat, 30 March 2024 15:34 UTC
Return-Path: <mail@sanderdijkhuis.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1192BC14F6A8 for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 08:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sanderdijkhuis.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJbtfDCYoeGW for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 08:34:03 -0700 (PDT)
Received: from st43p00im-zteg10063501.me.com (st43p00im-zteg10063501.me.com [17.58.63.176]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2641C14F684 for <cfrg@irtf.org>; Sat, 30 Mar 2024 08:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sanderdijkhuis.nl; s=sig1; t=1711812842; bh=0I0Y2fn8u6ZEisJwo9+myKRo3WWybVSRm87F9NEul3A=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=Jl7mdb0ZhvswTpf3H2wUCgrdolMQ4uPxWu0O5bfE2fu/Ide4pDx70FBcEkLqe8kpy 44zhGP0dRM6DR3O+7uUcE+lGe2krT4vs2S4/9P0tjaW5JrwzCYcZm/dufXxyZ907TO RkKKRVtqpvzPo0qUIZPshzAmBIsLuqPnbRcEmrRS+yO7S9abE8xEBvH3FLD7Zi4AaP qZviF6hfELE7qNa70pm7ov9EE8z4qUjZWYE0Qf3SdeSEQLVWjmv7ClbSa4ZZy/WBws CMvCFCjLjD6mB8RbBUgCQX/aDRjNw9yv7o9pR8fjvggz9uxi0l1i8BEY6tFo1kh30n uzs+Ro/cTwkrg==
Received: from smtpclient.apple (st43p00im-dlb-asmtp-mailmevip.me.com [17.42.251.41]) by st43p00im-zteg10063501.me.com (Postfix) with ESMTPSA id 1EA779803BC; Sat, 30 Mar 2024 15:34:01 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-5FA1BDAD-CB03-417B-8203-19042051F866"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Sander Dijkhuis <mail@sanderdijkhuis.nl>
In-Reply-To: <D62E408E-EFF1-4A40-BF7F-D8E12B41A716@shiftleft.org>
Cc: stef <s@ctrlc.hu>, IRTF CFRG <cfrg@irtf.org>, Mike Hamburg <mike@shiftleft.org>
Date: Sat, 30 Mar 2024 16:33:33 +0100
Message-Id: <3800D391-4E59-4488-832E-8F817FD1D823@sanderdijkhuis.nl>
References: <D62E408E-EFF1-4A40-BF7F-D8E12B41A716@shiftleft.org>
To: Stefan Santesson <stefan@aaa-sec.com>
X-Mailer: iPhone Mail (21E236)
X-Proofpoint-ORIG-GUID: eflrh24nFLuKV9L6_HC4VP-q6ABTLwnN
X-Proofpoint-GUID: eflrh24nFLuKV9L6_HC4VP-q6ABTLwnN
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-30_10,2024-03-28_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 clxscore=1030 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 mlxscore=0 suspectscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2403300127
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PSjQoCQMKOvLwGNUagB6NFLzvp4>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 15:34:08 -0000
Op 30 mrt 2024 om 16:19 heeft Mike Hamburg <mike@shiftleft.org> het volgende geschreven:
Hi Stefan,
I haven’t studied OPRF/OPAQUE in detail. But I believe that yes, it is critically important to implement it using hashToGroup(x) rather than as g^hashToScalar(x). If it were g^hashToScalar(x), and the server’s secret were k, then the OPRF protocol would output
h := g^(k * hashToScalar(x))
which would then be hashed again client-side. But having received this value, a malicious client could calculate the value h’ corresponding to another password x’, as:
h’ = h^(hashToScalar(x’) / hashToScalar(x)).
If I am reading the protocol correctly, this would allow the malicious client to brute-force the password, since the client’s first message is not otherwise bound to a specific password, but the server’s response includes enough information to check a guess. Constructing the OPRF using hashToGroup instead prevents this attack, because finding
hashToGroup(x')^k
from
hashToGroup(x), hashToGroup(x)^k
ought to be hard, because hashToGroup’s output should look unstructured. If its output were truly random (i.e. in the random oracle model), this would be a computational Diffie-Hellman (CDH) problem, or rather a one-more-CDH because a client could try to connect several times.
Regards,
— MikeOn Mar 30, 2024, at 10:53 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:Hey,Thanks a lot for the answers.Right now I'm more interested in the security analysis than interop. So right now I'm mostly interested if there is a distinct and important security requirement to implement hashToGroup a´la RFC 9380, of if a simpler approach as the one I showed would do the job. And if not, why?Regarding library support I haven't found any libraries implementing P-256 OPRF in the platforms I'm looking for which is mobile development, Java and Python.Where can I find all current implementations of OPRF/OPAQUE, and in particular hathToGroup and hashToScalar ?/StefanOn 2024-03-30 13:24, stef wrote:hey, Stefan.On Sat, Mar 30, 2024 at 12:56:10PM +0100, Stefan Santesson wrote:Note that there are not even a "MUST" expressed here. Just a "must" andtherefore not a requirement according to section 1.1.nothing really is a must, but if you don't implement the hashtogroup as perthe rfc you will not be able to satisfy the test vectors, and if you don'tsatisfy the test vectors it is difficult to claim compliance with the rfc. andalso compatibility with all the other implementations. if that is ok with you,you should be doing whatever you want.tbh i also think this is overkill since for some groups, like ristretto255 forexample there is a widely used hashtogroup available in most bigimplementations (like crypto_scalarmult_ed25519 andcrypto_core_ristretto255_from_hash in libsodium). but i do understand that forother curves this might be more involved, and seems to be also problematic as- afaik - there has been for 20 years attempts made at defining a hashtogroupthat applies to all widely used - standardized - groups be it curves or dlog...Finally, is there any support for G.hashToGroup being planned in any majorlibraries supporting OPRF/OPAQUE?i don't quite understand what you mean with "being planned", as as far as iknow all of the implementations that satisfy the test vectors have thisimplemented, and liboprfhttps://rad.ctrlc.hu/nodes/rad.ctrlc.hu/rad:z3P9keM4KFAMp8wZuULi71VS7cWwp/tree/src/oprf.h#L105exports this also via the .h file. i suppose all others conforming totestvectors do so too.greets,stefan_______________________________________________CFRG mailing listCFRG@irtf.orghttps://mailman.irtf.org/mailman/listinfo/cfrg
_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Michael StJohns
- [CFRG] Does OPRF/OPAQUE require full implementati… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Jack Grigg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Sander Dijkhuis