Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
Jack Grigg <ietf@jackgrigg.com> Sat, 30 March 2024 20:01 UTC
Return-Path: <me@jackgrigg.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70B68C14F614 for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 13:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnzw_uOUBN-Z for <cfrg@ietfa.amsl.com>; Sat, 30 Mar 2024 13:01:57 -0700 (PDT)
Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8AD6C14F60F for <cfrg@irtf.org>; Sat, 30 Mar 2024 13:01:57 -0700 (PDT)
Received: by mail-lf1-f50.google.com with SMTP id 2adb3069b0e04-5157af37806so3303115e87.0 for <cfrg@irtf.org>; Sat, 30 Mar 2024 13:01:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711828916; x=1712433716; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6k2H7uIyWRXKk4k2ZqjIv2ENcfIzXNgEcGDh9iAo5gE=; b=Y0WMOaREak5NSkjZbJWnAwGN9AN4h8Vpin4td6DGmcHa3CcO96G2/UQt2HTDvh9mFW i9dFVpW4YK1CCLkm3I9dDZzBmSgxoiv4V4uVsSCyRP/ouApxJxToUB3Rn4Sbl0iqQSIC 2g3BX81XnkRG+F452gmEYNg+lNlTo3AudEb2y41cARqcHW0qfDIntieusqy9KJaq37SN dvSiaYVE4/1GYp06YOTnronfczh8vWD6X76dDtV7fuqNBHtLhPH0Qrg0PyoC4P7Yzrkm Sj0h6IHe0brdQjk+AEZh+UxMQcwmtoGYrW+i6T9DxooVhhM+AAUsHE3ik6ia7AI+mfCM h/lA==
X-Forwarded-Encrypted: i=1; AJvYcCVziLyZgsOAptfdkzscpFd355eheMx4HXQOXhJM+ABu97Xmq5nxaqnBiL/HAxiO50mh4ngdqKvFcLV/g2dn
X-Gm-Message-State: AOJu0Yyepvzs5GgHl8m4L6cka4j6cfeHPdJOtDCof94cmUpASOANpUnb NdYuvq8fv2fqBQGI4gY3PcT7sIxPlVSxCCq8U/Cv6tNVtTh+7SnP150NNvND59XrV1VwnrtAKey I0rO/7uGiUyn+tkA7Vz0zgCz9A1o5kGofY+lAfw==
X-Google-Smtp-Source: AGHT+IHcKSo89jmjrFz70RHmvNLOWUYvAGLcGk0RWB+2HdmKqO5c2AN1lR9kBqKwHOGWVRtZlsV38CweoeYP1wdHja8=
X-Received: by 2002:ac2:47e3:0:b0:513:d640:ff16 with SMTP id b3-20020ac247e3000000b00513d640ff16mr3686136lfp.29.1711828915541; Sat, 30 Mar 2024 13:01:55 -0700 (PDT)
MIME-Version: 1.0
References: <410a0800-78ff-422f-8ca3-5a0211478cbd@aaa-sec.com> <ZggHSDs5bRweThW5@localhost>
In-Reply-To: <ZggHSDs5bRweThW5@localhost>
Reply-To: ietf@jackgrigg.com
From: Jack Grigg <ietf@jackgrigg.com>
Date: Sat, 30 Mar 2024 15:01:43 -0500
Message-ID: <CAPC=aNUSTv=JtpkG71vhu25jgpVqzL5XS81543ntLMUuXcchqw@mail.gmail.com>
To: stef <f3o09vld@ctrlc.hu>
Cc: Stefan Santesson <stefan@aaa-sec.com>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000006d76900614e63ad3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/c0otG8EI-iF26-ki6ISmJH5NSu4>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 20:01:58 -0000
Hi all, On Sat, Mar 30, 2024 at 6:56 AM Stefan Santesson <stefan@aaa-sec.com> wrote: > Section 2.1 in OPR (RFC 9497) states: > > "HashToGroup(x): Deterministically maps an array of bytes x to an element > of Group. The map must ensure that, for any adversary receiving R = > HashToGroup(x), it is computationally difficult to reverse the mapping." > [..] > > It continues to say that "Security properties of this function are > described in [RFC9380]". > [..] > > I would really appreciate help. Has this been discussed already to any > detail. Is there any guidance available? > As Mike Hamburg alludes to in another message in this thread, the security property of HashToGroup relied upon here is that the output of the function must be a uniformly random element of the group, with no easily-determined relation to any canonical generator of the group (more precisely, HashToGroup should be indifferentiable from a random oracle; see Sections 2.2.3 and 10.1 of RFC 9380). The proposed approach in your email makes inputScalar a known quantity, which directly breaks this property (inputScalar is the easily-determined relation to the canonical generator, because outputElement = [inputScalar] G). Regardless of RFC 9497 using "must" instead of "MUST" when describing it, its reliance on this security property is clear; see Sections 2.1, 4.6, and 7.2.1 of RFC 9497 for further details. > If this is not good enough. Can you take any simpler path than full RFC > 9380 implementation? > If you use ristretto255 or decaf448, then most of the work should already be done by the libraries implementing the group (see below). See Section 4.1 of RFC 9497 for an OPRF ciphersuite instantiated over ristretto255 and SHA-512. For other groups (such as elliptic curves), there are other approaches like "try-and-increment", but these are not constant-time and may have other side-channel vulnerabilities in your setting; you would need to consult a cryptographer. On Sat, Mar 30, 2024 at 7:37 AM stef <f3o09vld@ctrlc.hu> wrote: > tbh i also think this is overkill since for some groups, like ristretto255 > for > example there is a widely used hashtogroup available in most big > implementations (like crypto_scalarmult_ed25519 and > crypto_core_ristretto255_from_hash in libsodium). > Just to clarify here for wider benefit: RFC 9496 (which specifies ristretto255, as well as decaf448) includes an Element Derivation function (in Section 4.3.4), which when paired with a hash function can be used to build a hash-to-group operation (which I believe is what library functions like crypto_core_ristretto255_from_hash in libsodium provide). Appendix B of RFC 9380 documents precisely how this should be done to be compatible with it (specifically using an expand_message function that conforms to Section 5.3 of RFC 9380). Cheers, Jack
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Michael StJohns
- [CFRG] Does OPRF/OPAQUE require full implementati… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Jack Grigg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Sander Dijkhuis