IETF Logo Mail Archive

Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380

Sander Dijkhuis <mail@sanderdijkhuis.nl> Sat, 30 March 2024 15:34 UTC

Return-Path: <mail@sanderdijkhuis.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1192BC14F6A8 for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 08:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sanderdijkhuis.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJbtfDCYoeGW for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 08:34:03 -0700 (PDT)
Received: from st43p00im-zteg10063501.me.com (st43p00im-zteg10063501.me.com [17.58.63.176]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2641C14F684 for <cfrg@irtf.org>; Sat, 30 Mar 2024 08:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sanderdijkhuis.nl; s=sig1; t=1711812842; bh=0I0Y2fn8u6ZEisJwo9+myKRo3WWybVSRm87F9NEul3A=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=Jl7mdb0ZhvswTpf3H2wUCgrdolMQ4uPxWu0O5bfE2fu/Ide4pDx70FBcEkLqe8kpy 44zhGP0dRM6DR3O+7uUcE+lGe2krT4vs2S4/9P0tjaW5JrwzCYcZm/dufXxyZ907TO RkKKRVtqpvzPo0qUIZPshzAmBIsLuqPnbRcEmrRS+yO7S9abE8xEBvH3FLD7Zi4AaP qZviF6hfELE7qNa70pm7ov9EE8z4qUjZWYE0Qf3SdeSEQLVWjmv7ClbSa4ZZy/WBws CMvCFCjLjD6mB8RbBUgCQX/aDRjNw9yv7o9pR8fjvggz9uxi0l1i8BEY6tFo1kh30n uzs+Ro/cTwkrg==
Received: from smtpclient.apple (st43p00im-dlb-asmtp-mailmevip.me.com [17.42.251.41]) by st43p00im-zteg10063501.me.com (Postfix) with ESMTPSA id 1EA779803BC; Sat, 30 Mar 2024 15:34:01 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-5FA1BDAD-CB03-417B-8203-19042051F866"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Sander Dijkhuis <mail@sanderdijkhuis.nl>
In-Reply-To: <D62E408E-EFF1-4A40-BF7F-D8E12B41A716@shiftleft.org>
Cc: stef <s@ctrlc.hu>, IRTF CFRG <cfrg@irtf.org>, Mike Hamburg <mike@shiftleft.org>
Date: Sat, 30 Mar 2024 16:33:33 +0100
Message-Id: <3800D391-4E59-4488-832E-8F817FD1D823@sanderdijkhuis.nl>
References: <D62E408E-EFF1-4A40-BF7F-D8E12B41A716@shiftleft.org>
To: Stefan Santesson <stefan@aaa-sec.com>
X-Mailer: iPhone Mail (21E236)
X-Proofpoint-ORIG-GUID: eflrh24nFLuKV9L6_HC4VP-q6ABTLwnN
X-Proofpoint-GUID: eflrh24nFLuKV9L6_HC4VP-q6ABTLwnN
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-30_10,2024-03-28_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 clxscore=1030 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 mlxscore=0 suspectscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2403300127
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PSjQoCQMKOvLwGNUagB6NFLzvp4>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 15:34:08 -0000

Hej Stefan,

In case you’re also looking for a small JVM implementation based on BouncyCastle: I started drafting one in https://github.com/sander/hashtocurve-kotlin?tab=readme-ov-file" rel="nofollow">https://github.com/sander/hashtocurve-kotlin some months ago for wallet prototyping. In Kotlin for conciseness but should be easy to reuse/rewrite in Java.

We’ll likely need one in production soon as well. I would be interested in collaborating on an easily testable and maintainable pure Java+BC version since I couldn’t find one back then.

I arrived at the same conclusion as Mike for this problem. But note that given the application domain involving network I/O, local timing side-channel attacks may be less important so you may want to consider the try-and-increment approach to HashToGroup also if that’s easier.

Op 30 mrt 2024 om 16:19 heeft Mike Hamburg <mike@shiftleft.org> het volgende geschreven:

Hi Stefan,

I haven’t studied OPRF/OPAQUE in detail.  But I believe that yes, it is critically important to implement it using hashToGroup(x) rather than as g^hashToScalar(x).  If it were g^hashToScalar(x), and the server’s secret were k, then the OPRF protocol would output

h := g^(k * hashToScalar(x))

which would then be hashed again client-side.  But having received this value, a malicious client could calculate the value h’ corresponding to another password x’, as:

h’ = h^(hashToScalar(x’) / hashToScalar(x)).

If I am reading the protocol correctly, this would allow the malicious client to brute-force the password, since the client’s first message is not otherwise bound to a specific password, but the server’s response includes enough information to check a guess.  Constructing the OPRF using hashToGroup instead prevents this attack, because finding

hashToGroup(x')^k

from

hashToGroup(x), hashToGroup(x)^k

ought to be hard, because hashToGroup’s output should look unstructured.  If its output were truly random (i.e. in the random oracle model), this would be a computational Diffie-Hellman (CDH) problem, or rather a one-more-CDH because a client could try to connect several times.

Regards,
— Mike

On Mar 30, 2024, at 10:53 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:

Hey,

Thanks a lot for the answers.

Right now I'm more interested in the security analysis than interop. So right now I'm mostly interested if there is a distinct and important security requirement to implement hashToGroup a´la RFC 9380, of if a simpler approach as the one I showed would do the job. And if not, why?

Regarding library support I haven't found any libraries implementing P-256 OPRF in the platforms I'm looking for which is mobile development, Java and Python.
Where can I find all current implementations of OPRF/OPAQUE, and in particular hathToGroup and hashToScalar ?

/Stefan


On 2024-03-30 13:24, stef wrote:
hey, Stefan.

On Sat, Mar 30, 2024 at 12:56:10PM +0100, Stefan Santesson wrote:
Note that there are not even a "MUST" expressed here. Just a "must" and
therefore not a requirement according to section 1.1.
nothing really is a must, but if you don't implement the hashtogroup as per
the rfc you will not be able to satisfy the test vectors, and if you don't
satisfy the test vectors it is difficult to claim compliance with the rfc. and
also compatibility with all the other implementations. if that is ok with you,
you should be doing whatever you want.

tbh i also think this is overkill since for some groups, like ristretto255 for
example there is a widely used hashtogroup available in most big
implementations (like crypto_scalarmult_ed25519 and
crypto_core_ristretto255_from_hash in libsodium). but i do understand that for
other curves this might be more involved, and seems to be also problematic as
- afaik - there has been for 20 years attempts made at defining a hashtogroup
that applies to all widely used - standardized - groups be it curves or dlog...

Finally, is there any support for G.hashToGroup being planned in any major
libraries supporting OPRF/OPAQUE?
i don't quite understand what you mean with "being planned", as as far as i
know all of the implementations that satisfy the test vectors have this
implemented, and liboprf
https://rad.ctrlc.hu/nodes/rad.ctrlc.hu/rad:z3P9keM4KFAMp8wZuULi71VS7cWwp/tree/src/oprf.h#L105
exports this also via the .h file. i suppose all others conforming to
testvectors do so too.

greets,
stefan

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email