IETF Logo Mail Archive

Re: [CFRG] Threshold OPRF support and draft-irtf-cfrg-voprf

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 16 December 2021 16:50 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 534713A1187 for <cfrg@ietfa.amsl.com>; Thu, 16 Dec 2021 08:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhOE86O1qKOj for <cfrg@ietfa.amsl.com>; Thu, 16 Dec 2021 08:50:49 -0800 (PST)
Received: from mail-yb1-f175.google.com (mail-yb1-f175.google.com [209.85.219.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FDBB3A1186 for <cfrg@irtf.org>; Thu, 16 Dec 2021 08:50:49 -0800 (PST)
Received: by mail-yb1-f175.google.com with SMTP id f186so66112952ybg.2 for <cfrg@irtf.org>; Thu, 16 Dec 2021 08:50:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NXRniJoRb5yz4+33ExW3PdSfYc9RT6oNpXoh29Gi+MQ=; b=3hLIJWanWDgwa+itt9Jmu9TJj6jkwJQs4bep6cHoOdmkBG58DU9Acqt1eXXXnjDNGD UuC+qHjgSn3BWuVk5hJn5HAwgZ6UokMtT07WJoAwA16zM6D+Mg3ESArz5efEHUtEWboO Dus/lH7rVNukdq8U3iYM8+Ay+JmgXy0Bp6xljLFGY2/tGaM7rpiRVF4O10/1hZvaG9W+ c2Nr3LOCCJkeTDRphS0hSw7wcmGQsy3PIG5gkKlEx2DLbMu27PK2y99+uaOj/CRnEJLZ pEJpFnnWcDHKYtcepuVXxtLD27AtSsqgNNG7RVe4r61Qyjd+2+ZO3rlO7VUd94mDnZ1Y qAeQ==
X-Gm-Message-State: AOAM531g1YmCLV/ZeX6U3DmdUFnfIzhYwVmJP1zt7UZRL5l4wLQ3Kiz1 WyvpnM5Ek2twGbelm5pDsmadHHlmqeH7jw4C+GM=
X-Google-Smtp-Source: ABdhPJw9gXDcrVVTc5qrO1RiJqJZp+d7MAWxLcic9e2d1TKHUYfcybACiW86QJwtvqFLwIi5+pvjYVzOnOht+Yk9Zug=
X-Received: by 2002:a25:2d6d:: with SMTP id s45mr13607820ybe.532.1639673448241; Thu, 16 Dec 2021 08:50:48 -0800 (PST)
MIME-Version: 1.0
References: <312ce6ce-6268-41a5-8096-72c53689f6d4@www.fastmail.com> <CADi0yUNKiHUi5Kat1t3sWJthehorr2u_h07nbQA4T8QKjxFyDA@mail.gmail.com>
In-Reply-To: <CADi0yUNKiHUi5Kat1t3sWJthehorr2u_h07nbQA4T8QKjxFyDA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 16 Dec 2021 11:50:37 -0500
Message-ID: <CAMm+LwhveG2wykM=o-aXA4qQeBNoei_teZdG+cmxX3_RLKi-uA@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Cc: Christopher Wood <caw@heapingbits.net>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000006e1e9e05d34639c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/kNxVWHAi1EDCVTWvXQZQSo0h3w8>
Subject: Re: [CFRG] Threshold OPRF support and draft-irtf-cfrg-voprf
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2021 16:50:54 -0000

Seems rather strange that we are discussing Threshold versions of exotic
cryptographic functions that we do not currently make use of in IETF
protocols at all when the group has still not been given the opportunity to
consider adopting the draft I proposed two years ago describing Threshold
Key Exchange and Threshold Key Generation.



On Wed, Nov 3, 2021 at 1:59 AM Hugo Krawczyk <hugo@ee.technion.ac.il> wrote:

> My preferred choices here are:
>
> - Specify both: POPRF needs to be specified for the cases that need a
> partial OPRF and 2HashDH needs to be specified for cases where 2HashDH is
> sufficient, even without considering the threshold extension. Indeed,
> 2HashDH has advantages in terms of simplicity, 40 years of use (in the form
> of blinding and different signature flavors), weaker cryptographic
> assumptions, and an analysis in the Universally Composable framework. The
> latter is used to prove the security of OPAQUE (and other applications);
> namely, the analysis of OPAQUE formalizes Asymmetric PAKEs as UC objects
> and the OPAQUE proof assumes the OPRF to satisfy a defined UC
> functionality. POPRF does not currently have such formalization (I am not
> saying it is impossible to have it, but that's the current situation). More
> generally, I see no reason to use the more involved POPRF construction when
> metadata values are not needed.
>
> Btw,  2HashDH can also accommodate metadata values  by setting the 2HashDH
> key to a regular PRF computed on the metadata value (e.g., we use that in
> OPAQUE to address enumeration attacks). But, in general,  POPRF is better
> as a partial OPRF, especially when verifiability  is needed.
>
> - Specifying both with same or similar syntax would be my preferred way. I
> would have assumed that doing so would be simple and natural but I guess
> that I am missing something since otherwise the answer to this question
> would be obvious.
>
> - Specify both in the same document  the threshold variant as out of scope.
>
> - The threshold variant can be defined in a separate document. Doing so
> will take many months (or more) of work and we want to have a specification
> of 2HashDH for use with OPAQUE and other applications for which 2HashDH
> suffices (or where it is necessary, if you want to maintain the validity of
> proofs).
>
> Hugo
>
> PS: I will be happy to discuss threshold applications in a separate thread
> without derailing the discussion on the above  important questions.
>
>
> On Tue, Nov 2, 2021 at 8:32 AM Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> As proposed during the CFRG meeting at IETF 111 [1], the latest version
>> of draft-irtf-cfrg-voprf adopted the POPRF protocol from [2], which has the
>> following syntax:
>>
>>    y = F(k, x, t)
>>
>> Where k is the server's private key, x is the client's private input, t
>> is a public value agreed upon by client and server, and y is the PRF
>> output. The motivation for this change was to enable applications and
>> protocols that require "metadata" bound to the PRF output to scale beyond
>> the "unique PRF key per metadata value" approach [3,4]. Moreover, with a
>> fixed public value t, a POPRF is functionally equivalent to a classical
>> OPRF.
>>
>> One question that arose subsequently to the release of [2] is the extent
>> to which threshold secret sharing of a secret key k can be supported. The
>> prior 2HashDH OPRF protocol can be easily deployed in a threshold manner,
>> transparently to the client. In contrast, the 3HashSDHI POPRF protocol
>> cannot. After discussion with others off-list, whether one can build a
>> fast, pairing-free POPRF that supports thresholding seems an open research
>> question.
>>
>> The current situation begs the following questions: Is thresholding a
>> feature that is important for known use cases? What are these use cases?
>> And, importantly, do folks want to use threshold systems to meet these use
>> cases?
>>
>> [5] plainly laid out the case for thresholding, but whether the vision
>> and demand has materialized is unclear to me. Understanding whether there
>> are motivating use cases right now will help shape the ongoing
>> specification work.
>>
>> In particular, assuming we want to support thresholding, we have the
>> following questions:
>>
>> 1) Should we specify only the 2HashDH OPRF, 3HashSDHI POPRF, or both?
>> 2) If both, should the syntax for the OPRF be kept separate from that of
>> the POPRF? That is, should the document treat them as two separate
>> cryptographic objects, each with their own API and ciphersuites?
>> 3) If the 2HashDH OPRF is included, should we describe how to deploy the
>> protocol in a threshold system? And if so, what do we say about distributed
>> key generation?
>>
>> I think a reasonable outcome for the specification that would be
>> maximally useful to implementers and protocol designers comes from the
>> following answers:
>>
>> 1) Both, either in draft-irtf-cfrg-voprf or in separate documents.
>> 2) Separate syntaxes.
>> 3) Include threshold details but punt on the DKG protocol, similar to
>> FROST [6].
>>
>> What do others think?
>>
>> Thanks,
>> Chris
>>
>> [1]
>> https://datatracker.ietf.org/meeting/111/materials/slides-111-cfrg-ietf111-cfrg-voprf-00.pdf
>> [2] https://eprint.iacr.org/2021/864, but the order of x and t in the
>> API are flipped
>> [3]
>> https://mailarchive.ietf.org/arch/msg/privacy-pass/QWtRvUQ4d3wS96rPzUYfKSfKWps/
>> [4]
>> https://mailarchive.ietf.org/arch/msg/privacy-pass/9THC0-P__-e90KycWLVJu7xDh68/
>> [5]
>> https://csrc.nist.gov/CSRC/media/Presentations/Threshold-Cryptography-Ready-for-Prime-Time/images-media/krawczyk-hugo-keynote-NTCW19.pdf
>> [6]
>> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-frost-01#section-8
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email