Re: [Cfrg] Adoption call for draft-sullivan-cfrg-voprf

"Paterson Kenneth" <> Wed, 08 May 2019 07:35 UTC

From: "Paterson Kenneth" <>
To: Rene Struik <>, CFRG <>

Hi Rene,

You’re right that there’s not been much discussion on the list about this draft. It was presented at IETF 101 and there was some discussion in person at the meeting; below is a relevant extract from the minutes of the meeting (

Verifiable Oblivious Pseudorandom Functions (VOPRFs)


presenter: Nick Sullivan



Sullivan introduced a draft that constructs VOPRF based on Elliptic Curves.

Q: (): What is the contents of the draft -- I didn't read it.  You discussed several crypto primitives.

A: (Sullivan): A generic description of VOPRFs and a specific instantiation.

Q: (Melnikov): What are you interested in having happen to this draft?

A: (Sullivan): CFRG adoption.

A: (Paterson): How do you see this and the above draft progressing given the dependency?

A: (Sullivan): They can proceed in parallel.

Q: (Gillmor): One of the concerns is how the key remains constant?

A: (Sullivan): You're noting the tagging attack.  The signer’s public key needs public verifiability -- maybe a transparency log or consensus protocol.  Those are outside of the scope of the draft.

A: (Gillmor): I was hoping to hear that they should be separate.

A: (Sullivan): We'll add language to the draft.

A: (Melnikov): Let's take further discussion to the mailing list.

Perhaps the draft’s authors can clarify here on the extent to which there is a dependency on other drafts, especially the ristretto draft (which is not a CFRG document, currently).

I think this draft does fit with the CFRG charter, in that VOPRFs are an emerging cryptographic mechanism that at least some people here see as being useful in contexts traditionally associated with IETF. Again, the authors of the draft can explain their intended applications better than me, but I think a good starting point if you are interested in knowing more would be:

My personal take on the “CFRG philosophy” is that we should respond to the interests and needs of the CFRG community, interpreted broadly. So if people express a willingness to work on something, there is general support for adoption, and the technical content is cryptographic and useful in contexts traditionally associated with IETF, then we should do it. Of course, the previous sentence is deliberately imprecise, and a case-by-case judgement call on the part of the chairs is needed. The mechanism of having a call for adoption provides key input to that decision-making process.

I hope this helps – happy to discuss further of course, but perhaps the more general discussion should be on a different thread to this adoption call.

Best wishes,


From: Rene Struik <>
Date: Tuesday, 7 May 2019 at 23:01
To: Paterson Kenneth <>, CFRG <>
Cc: "" <>
Subject: Re: [Cfrg] Adoption call for draft-sullivan-cfrg-voprf

Hi Kenny:

I had some trouble finding recent discussions on this document. The document seems to have dependencies on other drafts (e.g., Ristretto) for which it is very hard to find any discussion either (and are not that easy to read). If you could point to this, that would be great.

Could you explain how this fits within CFRG's charter? What is the general philosophy nowadays ("more is better" vs. "less is more", protocols with wide applicability vs. specialized, etc, etc.)?

Best regards, Rene

[excerpted from]

The Crypto Forum Research Group (CFRG) is a general forum for discussing and reviewing uses of cryptographic mechanisms, both for network security in general and for the IETF in particular.

The CFRG serves as a bridge between theory and practice, bringing new cryptographic techniques to the Internet community and promoting an understanding of the use and applicability of these mechanisms via Informational RFCs (in the tradition of, e.g., RFC 1321 (MD5) and RFC 2104 (HMAC)). Our goal is to provide a forum for discussing and analyzing general cryptographic aspects of security protocols, and to offer guidance on the use of emerging mechanisms and new uses of existing mechanisms. IETF working groups developing protocols that include cryptographic elements are welcome to bring questions concerning the protocols to the CFRG for advice.

Meetings and Membership

The CFRG meetings, membership, and mailing list are open to all who wish to participate.

On 5/7/2019 11:44 AM, Paterson Kenneth wrote:

Dear CFRG,

This email starts a 2-week adoption call for:

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups

Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.

(We have two other adoption calls running concurrently; they will end this Friday, May 10th.)


Kenny (for the chairs)

