[CFRG] [Errata Rejected] RFC9497 (7925)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 20 May 2024 22:51 UTC

To: stefan@aaa-sec.com, alex.davidson92@gmail.com, armfazh@cloudflare.com, nicholas.sullivan+ietf@gmail.com, caw@heapingbits.net
From: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240520225125.146831DEB87@rfcpa.rfc-editor.org>
Date: Mon, 20 May 2024 15:51:25 -0700
CC: csp@csperkins.org, irsg@irtf.org, cfrg@irtf.org, rfc-editor@rfc-editor.org
Subject: [CFRG] [Errata Rejected] RFC9497 (7925)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Qe7ZJuBfWhIKwHkFr0nlO9knUaQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>

The following errata report has been rejected for RFC9497,
"Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7925

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Stefan Santesson <stefan@aaa-sec.com>
Date Reported: 2024-05-07
Rejected by: Colin Perkins (IRSG)

Section: 4.3

Original Text
-------------
HashToScalar():  Use hash_to_field from [RFC9380] using L = 48,
         expand_message_xmd with SHA-256, DST = "HashToScalar-" ||
         contextString, and a prime modulus equal to Group.Order().

Corrected Text
--------------
HashToScalar():  Compute uniform_bytes using expand_message =
         expand_message_xmd, DST = "HashToScalar-" || contextString, and
         an output length of 48 bytes, interpret uniform_bytes as a
         384-bit integer in little-endian order, and reduce the integer
         modulo Group.Order().

Notes
-----
It is incorrect to refer to the hash_to_field operation of RFC 9380, because the implementation of hash_to_field, as described in Section 5.2 of RFC 9380, reduces the resulting integer mod the field order (not the group order).

 7.     e_j = OS2IP(tv) mod p

where p is the characteristic of the field F.

The current text implies that the existing hash_to_field implementation for P-256 can be used. But using this will produce an incorrect result due to the mod field order operation.

A better and more accurate way to describe this is to use the same explanation as for the other curve types and specify the use of expand_message_xmd directly, reduced modulo Group.Order().
--VERIFIER NOTES--
Discussed on the CFRG list. The original text is correct; see https://mailarchive.ietf.org/arch/msg/cfrg/YLqRy76LFlVzeOofGyQiYeDhAuM/

--------------------------------------
RFC9497 (draft-irtf-cfrg-voprf-21)
--------------------------------------
Title               : Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups
Publication Date    : December 2023
Author(s)           : A. Davidson, A. Faz-Hernandez, N. Sullivan, C. A. Wood
Category            : INFORMATIONAL
Source              : Crypto Forum Research Group
Stream              : IRTF
Verifying Party     : IRSG
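Worked example, added here and not part of the erratum, the list discussion or RFC 9497 itself: RFC 9380's expand_message_xmd and hash_to_field written with the prime modulus as an explicit parameter, then instantiated exactly as RFC 9497 Section 4.3 reads for P256-SHA256 (L = 48, SHA-256, DST = "HashToScalar-" || contextString, modulus Group.Order()). Two further helpers compute what the readings contrasted in the report would yield instead: the same uniform bytes reduced modulo the P-256 base-field prime (a P-256 hash_to_field reused unchanged), and the 384-bit little-endian interpretation of the proposed corrected text, which differs from the big-endian OS2IP that hash_to_field uses. The input message and mode 0 (OPRF) are constructed for the example; the curve constants are the published P-256 base-field prime and group order, and the contextString layout follows RFC 9497 Section 3.1.

```python
"""Added example (not RFC 9497, RFC 9380 or erratum text): RFC 9380 hash_to_field
with the prime modulus as a parameter, instantiated with p = Group.Order() as
RFC 9497 Section 4.3 specifies for P256-SHA256."""
import hashlib

# Published P-256 constants: base-field prime p and group (scalar) order n.
P256_FIELD_PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def i2osp(x: int, length: int) -> bytes:
    """RFC 8017 I2OSP: non-negative integer to big-endian octet string."""
    return x.to_bytes(length, "big")


def os2ip(octets: bytes) -> int:
    """RFC 8017 OS2IP: big-endian octet string to integer."""
    return int.from_bytes(octets, "big")


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """RFC 9380 Section 5.3.1 with H = SHA-256 (b_in_bytes = 32, s_in_bytes = 64)."""
    b_in_bytes, s_in_bytes = 32, 64
    ell = -(-len_in_bytes // b_in_bytes)  # ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range (step 2 ABORT)")
    dst_prime = dst + i2osp(len(dst), 1)
    msg_prime = b"\x00" * s_in_bytes + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b_0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b_0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        xored = bytes(a ^ b for a, b in zip(b_0, blocks[-1]))
        blocks.append(hashlib.sha256(xored + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(msg: bytes, dst: bytes, p: int, L: int) -> int:
    """RFC 9380 Section 5.2 for count = 1, m = 1: one element of GF(p).
    p is whatever prime the caller instantiates the function with; RFC 9497
    instantiates it with Group.Order(), not the curve's base-field prime."""
    uniform_bytes = expand_message_xmd(msg, dst, L)
    return os2ip(uniform_bytes) % p  # step 7: e_j = OS2IP(tv) mod p


def oprf_context_string(mode: int, identifier: bytes) -> bytes:
    """RFC 9497 Section 3.1: "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier."""
    return b"OPRFV1-" + i2osp(mode, 1) + b"-" + identifier


def hash_to_scalar_dst(mode: int = 0) -> bytes:
    """DST for P256-SHA256 HashToScalar: "HashToScalar-" || contextString."""
    return b"HashToScalar-" + oprf_context_string(mode, b"P256-SHA256")


def hash_to_scalar_p256(msg: bytes, mode: int = 0) -> int:
    """RFC 9497 Section 4.3 HashToScalar for P256-SHA256, as the RFC text reads:
    hash_to_field, L = 48, SHA-256, prime modulus = Group.Order()."""
    return hash_to_field(msg, hash_to_scalar_dst(mode), P256_ORDER, 48)


def hash_to_scalar_p256_field_modulus(msg: bytes, mode: int = 0) -> int:
    """What a P-256 hash_to_field reused unchanged would compute: the same
    uniform bytes reduced modulo the base-field prime. Shown only as the
    wrong instantiation; a scalar must be reduced modulo the group order."""
    return hash_to_field(msg, hash_to_scalar_dst(mode), P256_FIELD_PRIME, 48)


def hash_to_scalar_p256_little_endian(msg: bytes, mode: int = 0) -> int:
    """The erratum's corrected text read literally: 48 bytes interpreted as a
    little-endian integer, then reduced mod Group.Order(). hash_to_field uses
    big-endian OS2IP, so this is a different function from the RFC's."""
    uniform_bytes = expand_message_xmd(msg, hash_to_scalar_dst(mode), 48)
    return int.from_bytes(uniform_bytes, "little") % P256_ORDER


def xmd_rejects(len_in_bytes: int) -> bool:
    """True if expand_message_xmd aborts for the requested output length."""
    try:
        expand_message_xmd(b"", b"x", len_in_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"constructed example input"  # constructed, not an RFC test vector
    print("group-order modulus  :", hex(hash_to_scalar_p256(msg)))
    print("field-prime modulus  :", hex(hash_to_scalar_p256_field_modulus(msg)))
    print("little-endian reading:", hex(hash_to_scalar_p256_little_endian(msg)))
```

Running the block prints three different scalars for the same input: only the first is the RFC's HashToScalar, and the practitioner's check is that it always lies in [0, Group.Order()) and that an implementation agrees with the Appendix A test vectors of RFC 9497. The field-prime variant differs because a uniform 384-bit integer almost never lies below p, so reducing mod p and mod n give distinct residues; the little-endian variant differs because hash_to_field's step 7 uses OS2IP, which is big-endian.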