[CFRG] G.HashToScalar - Errata for OPRF (RFC 9497) ?
Stefan Santesson <stefan@aaa-sec.com> Wed, 10 April 2024 05:41 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FD9C14F610 for <cfrg@ietfa.amsl.com>; Tue, 9 Apr 2024 22:41:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WU4IKxRnfotV for <cfrg@ietfa.amsl.com>; Tue, 9 Apr 2024 22:41:06 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF146C14F5FF for <cfrg@irtf.org>; Tue, 9 Apr 2024 22:41:05 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id BA4293009214 for <cfrg@irtf.org>; Wed, 10 Apr 2024 07:41:02 +0200 (CEST)
Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id AA5D42E278A5 for <cfrg@irtf.org>; Wed, 10 Apr 2024 07:41:02 +0200 (CEST)
Received: from s474.loopia.se (unknown [172.22.191.5]) by s979.loopia.se (Postfix) with ESMTP id A90A910BC451 for <cfrg@irtf.org>; Wed, 10 Apr 2024 07:41:02 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Authentication-Results: s474.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from s934.loopia.se ([172.22.191.6]) by s474.loopia.se (s474.loopia.se [172.22.190.14]) (amavisd-new, port 10024) with LMTP id 0hrESn4JamEw for <cfrg@irtf.org>; Wed, 10 Apr 2024 07:41:02 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 90.228.170.155
Received: from [10.10.0.158] (unknown [90.228.170.155]) (Authenticated sender: mailstore2@aaa-sec.com) by s934.loopia.se (Postfix) with ESMTPSA id EF0B67CEA50 for <cfrg@irtf.org>; Wed, 10 Apr 2024 07:41:01 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaa-sec.com; s=loopiadkim1707241022; t=1712727662; bh=DtiNgsOxSleVDQ38CTghCdlOjwFohF0cRXlcRFyJY8k=; h=Date:To:From:Subject; b=KsNwpbZXDhkhH7jOicWkGcSQbDdjHN983XBKJaC1QdJmsDIAAM5PqDC+dadNa8hEr BZ6cGlSrJX+H6aykyNoB2hZD7dhbrov4EXIN7IfYicWRB7f8/O+FNjJo5/TKCpfjIJ BctG7alpNKAciKrWmJsyUZYeJZxvQK8W25xWq/9rMoVzLLvGiV4CnG8+llS65WbuCV Fdmst0wOPyHjVGDnFzK6aZtyhagMWppnYkf6sMvH+TpyNGcrX+GMCV/x+Li9/4hVGE qj75okwCDuDsRkS3PlGbOkHAkfPlK1Of37orhi0SzGS9Ri9ZWMbFX9tJWkaKEpRLc1 zM2rydUjsXcmg==
Message-ID: <fd8b5f8e-c0ee-4fb2-9c9d-8b338d443720@aaa-sec.com>
Date: Wed, 10 Apr 2024 07:41:01 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird Beta
Content-Language: sv-SE, en-GB
To: IRTF CFRG <cfrg@irtf.org>
From: Stefan Santesson <stefan@aaa-sec.com>
Autocrypt: addr=stefan@aaa-sec.com; keydata= xsDNBGB0SQwBDADRZIRQH2PciJEmsZ7noEFV8jdtUoB/3AiNPg5CYWJz3YlB1ZyqizIYRXlY EzhIcHRCdn+NrJvReq3Xi3kvycqvhUrrxMIxMYY7YZEripjrbyleFbbZjX4oCu+CTRj8y1Wo V6h9fLlpdqEriXwQ1brs1F/4KmHXTli4FIAmRTzdGBDWgD9sg2UmuloC4+A3d2Zoo6D6Tbjv Piyy3hwqdxjOF0tXSrtH9OXkyoIlmOdaHKLT3hB7nRlurq7dWZYGsnWIIg6YIMwA/eo6OHry nq9OpQ2Zktz40r6WaOARM4RTJgBI45BgR0IVXGJG3ie05lrORYxfLKJ9//JR+4VqY/6RC85C L5Ch6KH7smzraNZXZWPlDjrs25O0X2PwEwv676vJ9tDY7oLN0RHpVMYFx2GOKAYtH0K1BAwY yFlSNRmLbSjNPnGN4yk6ad5J6HB/Z9A0On/Ud2R8eXR5ZJVBNDdcCjM2L2WleRoTbh52DmhX yisi1loEROOZjaqfBf03jlsAEQEAAc0lU3RlZmFuIFNhbnRlc3NvbiA8c3RlZmFuQGFhYS1z ZWMuY29tPsLBDwQTAQgAORYhBKkgqX8QoC/CtVBH1S8bGjmXZjPRBQJgdEkMBQkFo5qAAhsD BQsJCAcCBhUICQoLAgUWAgMBAAAKCRAvGxo5l2Yz0S+7C/94cy3pZYEK9E1PCSwtSYcVrpuJ FwEioeoswoCVU5JzCdiyv4kSP3+lY35Z71Dw1pzoBrSsLb7xbRLrEdoM05AQqRK3eaioI/8R nbPg5M+H86m7Y7bxYzBpcJ+ipNCvA2BbE+2YLSmHEEA0nTWbXtamqib+5jWRd0i/DTtTCzaP /IVSxy7PVcyB8KEF09Go5LFeZOJquIyfHU1KVjG+8UxKSjcyO3Rku5Rdt1D4tX7M6G5d1PMj BqLZPFYUvi5hB2sftMcmZzy9QLkP+2oLlo0R+vc50JO5jpUC1czAXRdp6Rr2r0mFbz1mV6Je AvN4PcFoepTwq97c0lg+zZL5swfcNSAEFKXWZgKJxo6b2iby2wDqaWORjQSNlqKETFOUeQDH dcqLPioQbW95MPa8DtfHGYbdKjk5esyY/PFQw0xR4XvrZx7CeIb6gwGgQByZqTP/lbzWnPHE zpL0DslrtBdfF+i90xGlz0FB4GVQVmygfB4g/l0bajzCb06cyjMiqTrOwM0EYHRJDAEMALsD BRBzhRH3qTcPvO3sFG3VvWlNlKiAKW5XlVp3yw/mBdaVhg0BMb0LlmEamz4HHMoL5hmfUDLS 4TJfJhZMY3ZufvGwVYsiZpl5YtebkH3M8ik5dfUz15xg0ievm3foJLjOwAutS1BKRJSrEnMt YjPqS8APSYs3pd1s1zPfvwaTYy5MrNE6mS2LDqbKA4nJVdq3LpEaBmSW+njfQAIZTRKmgxsb 6kxn4JWVseVRKKDMbqSHZpm8a4RO194FOqdXEz9fTVz2Zn8nJ1zJZTNWzcsHq3gBtM84kwUo NghYDqExuIHahojUHXHntfjZ5ZDW4/ZbOcCrVRDNWWoIoxBvxz10+TPgM+/ytA8VFr4Sglnj 1pnnRFs7aUXa5zIoFUC7NKWCR158ujnYD6S6Ap4nkDhdovL54azvt+/ChWiuQqoQSPE2ihLo vkM8cR9UNPjBVAuLA+pr6RPeg8LrjMRD86lBCfc5KkiP22oTOVzZal+jGgdgiYvD13KM2jUd VB8H9QARAQABwsD8BBgBCAAmFiEEqSCpfxCgL8K1UEfVLxsaOZdmM9EFAmB0SQ0FCQWjmoAC GwwACgkQLxsaOZdmM9Gc3wv/Wyquulv2Y7kUPXITDs/oLugd2Lx6KhFfPOhaoe2amQqhWk8H Hhauqb2Qx8rMFeDmaqzfxLsRpM0FMjtovH3XswPuZoZ3mLw0XuHGgU5QVS/zL6NrNVdwq8dv OV5m6QCm0RomI1cPRAB8P6/bbJy+FUBWvqqCUbQo5T5KXYgNwA/m1Y/S5cej/Wz3V7/Ixwkl 2t63TTrhnXBBGkAz5ApBT/YJ7L89eHLZJUMJJXaNewfhb3dIcZgza705BU5jHchpmJtTzgnS PaYqhKciMQUxd8/8jJ/XqlNVw7XxY77mNK+9BDf7y2EG6bRrzQExhS08vtuPexOE66IXdRId kENY+UQeopSb6EXU6eRD7BsXHLRfxzvs0+wMU7lRUigiONMUv54p6PqBa8PMFV4Jv8NcB9Qu Phy/7YtaBjmJn0FDTKpbDYILwh0WNoxjFqWI3jMo2ZTVjKY0aJMndJ0MxB3eAHjhQLkeKtIL 4831tbIM6eKC9gY3xUsE4vSV/CPdPKjV
Organization: 3xA Security AB
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/jht1Tv9jbeyP9JWGGN6ati1tNq0>
Subject: [CFRG] G.HashToScalar - Errata for OPRF (RFC 9497) ?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 05:41:12 -0000
After successfully implementing RFC 9380 (hash2Curve) with very minor
issue, I really got stuck trying to get the test vectors of OPAQUE and
OPRF to work.
After sorting the issue (by reading the details of the code in the
reference implementation) I think the OPRF document has some issues
(possibly errata).
Here was the root of my implementation problems.
1) DST as input elements in G.HashToScalar(x)
In section 2 HashToScalar is said to have one input (x). However in
section 3.2.1 (DeriveKeyPair) it has 2 inputs (x, and the DST to use).
In section 4 HashToScalar is said to always have the DST =
"HashToScalar-" || contextString, It is therefore very confusing to find
this function with 2 input values in 3.2.1 specifying another DST.
I didn't know how to interpret that and ended up implementing it wrong
(With "DeriveKeyPair" as part of the input x).
Shouldn't HashToScalar be defined to have 2 input values (x , dst) as
implemented in the reference, and as specified in 3.2.1, where dst
defaults to "HashToScalar-" || contextString if absent ?
2) Curve order of Field order?
The second thing that threw me off the wagon was that for OPRF(P-256,
SHA-256) the definition was:
"Use hash_to_field from [RFC9380] using L = 48"
The problem here is that hash_to_field (RFC 9380) reduces the scalar mod
Field order (characteristics), while OPRF requires this to be reduced to
mod Curve (Group) order.
Yes, the text is right there in your face ("and a prime modulus equal to
Group.Order()") but it so easily missed.
I think the correct/better way to say this is how this is expressed for
e.g. ristretto255
"Compute uniform_bytes using expand_message =
expand_message_xmd, DST = "HashToScalar-" || contextString, and
an output length of 64 bytes, interpret uniform_bytes as a
512-bit integer in little-endian order, and reduce the integer
modulo Group.Order()."
This text more clearly focus on the use of the expand_message_xmd
function instead of hash_to_field, escaping the issue the hash_to_field
reduces the result to the Field characteristic. But this text has the
problem of saying that the DST is always "HashToScalar-" ||
contextString which is not always true (see above).
I don't know if any of these should be fixed in an errata? I leave that
up to you. If you think so, I could help write one.
--
________________
Stefan Santesson
- [CFRG] G.HashToScalar - Errata for OPRF (RFC 9497… Stefan Santesson