IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-sullivan-cfrg-voprf

Hugo Krawczyk <hugo@ee.technion.ac.il> Mon, 20 May 2019 20:55 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F133F120113 for <cfrg@ietfa.amsl.com>; Mon, 20 May 2019 13:55:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fhNKfSfrRqzb for <cfrg@ietfa.amsl.com>; Mon, 20 May 2019 13:55:25 -0700 (PDT)
Received: from mail-it1-f181.google.com (mail-it1-f181.google.com [209.85.166.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B960120026 for <cfrg@irtf.org>; Mon, 20 May 2019 13:55:25 -0700 (PDT)
Received: by mail-it1-f181.google.com with SMTP id m140so1276737itg.2 for <cfrg@irtf.org>; Mon, 20 May 2019 13:55:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S8+45EKy2ZKhH4vGF1LDx3w6cfR0oq504bE+UdhbMn0=; b=LHwUeXm9EjX/mPhQ3N6tNvQfMUTGkosKM1r+ff/gQxxpudO5efqrGEXFzhn2wjjeXz UzwgomnQe5zr07jdqqtTgqUKsEtlGXmx2AtNvTYGS3oV0LOBFA41pgsGdlMzrST+8oi5 zkoQgRcxY09uyufe9pI1MFvomoFPQvhqZi9leDSqFoV7JIVwKK+VqMAD8i6S7R+XDeNk ndE46zbUmdU3AVxRApsTZAmdVsBeKOR1uFEGxe9tAcjeTm+DH/iAanshbVIOUj4FPgt4 4fDfs64x1KEjrVCucgrin/0w75x3qEV/hmedOr9fEZoVgJZXWMiH9+95KWFEQfIE4/cM aiOA==
X-Gm-Message-State: APjAAAVZuvn+VMWt0GiRvRjREN6A/2FjB2Ql55P0UtEO+XCQeJ4dM0SJ YLLGov52u1h+aTX6fFpubkkr+ghbWWiuzk9cYJu7Hw==
X-Google-Smtp-Source: APXvYqwWBfqUnWAcE+5AgizxCD/F8vThQBkkOaEO6Gj/zTTPNc/TN1g74nIPf80CwPdG5SZyBQasENzLNWoGHW2phBI=
X-Received: by 2002:a24:6f14:: with SMTP id x20mr966256itb.24.1558385724271; Mon, 20 May 2019 13:55:24 -0700 (PDT)
MIME-Version: 1.0
References: <54235333-9FEA-4543-93B6-2D4B1C8FCC2D@inf.ethz.ch> <0a67411b-9a2d-9e08-ca06-08ea938c0c89@gmail.com> <B62E70D5-9BAE-4332-8CE4-4AB0E3B229C8@inf.ethz.ch> <553170C6-11B3-4287-A033-9C051401F4C1@cloudflare.com> <0E69ED80-2479-4048-BF18-8E1F16EF57CA@gmail.com>
In-Reply-To: <0E69ED80-2479-4048-BF18-8E1F16EF57CA@gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 20 May 2019 16:54:58 -0400
Message-ID: <CADi0yUPt8DFG9N+8CxznMcO7JZ78nsCdUTUr+eq6jmrB+Hp2Bw@mail.gmail.com>
To: David Wong <davidwong.crypto@gmail.com>
Cc: Alex Davidson <adavidson=40cloudflare.com@dmarc.ietf.org>, CFRG <cfrg@irtf.org>, "draft-sullivan-cfrg-voprf.authors@ietf.org" <draft-sullivan-cfrg-voprf.authors@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084b2e4058957f338"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/kv0gsaJMvFZ8B9tM0L5sk1pW8rU>
Subject: Re: [Cfrg] Adoption call for draft-sullivan-cfrg-voprf
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2019 20:55:27 -0000

Hi David, to use a V-OPRF the client needs to store the public key Y=kG
corresponding to the server's OPRF key k. In the OPAQUE setting we do not
assume that the user carries any public key with her. The only information
the user carries is the password (and account information where to login).
This makes OPAQUE immune to PKI failures.

Hugo

On Tue, May 14, 2019 at 11:23 AM David Wong <davidwong.crypto@gmail.com>
wrote:

> Hey all,
>
> I’m very interested in the verifiability of the OPRF.
> Note that OPAQUE also mentions this draft currently:
> https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque-01
> I would be interested in knowing why OPAQUE doesn’t want to use a VOPRF
>
> I support the adoption of this draft.
>
> Cheers,
> David
>
> On May 9, 2019, at 2:44 AM, Alex Davidson <
> adavidson=40cloudflare.com@dmarc.ietf.org> wrote:
>
> Hi all,
>
> I’m one of the authors of this draft.
>
> Perhaps the draft’s authors can clarify here on the extent to which there
> is a dependency on other drafts, especially the ristretto draft (which is
> not a CFRG document, currently).
>
>
> The only hard dependency of this draft is on the specification of the
> hash-to-curve algorithm that is made in
> https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03. The
> dependency on the Ristretto draft is made only as a plausible cryptographic
> configuration for using OPRFs. We are happy to remove the dependency on
> Ristretto and specify a different set of ciphersuites focusing only on the
> NIST curves and others such as Curve25519, for example. In general, it
> would be useful for us to have a wider discussion with the community on
> what parameter/curve settings are suitable for our use-case.
>
>
> I think this draft does fit with the CFRG charter, in that VOPRFs are an
> emerging cryptographic mechanism that at least some people here see as
> being useful in contexts traditionally associated with IETF. Again, the
> authors of the draft can explain their intended applications better than
> me, but I think a good starting point if you are interested in knowing more
> would be:
>
> *https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf
> <https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026...pdf>*
>
>
> Other applications that feature OPRFs as dependencies include
> password-protected secret-sharing (https://eprint.iacr.org/2014/650.pdf),
> password-authenticated key-exchange (
> https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque-01) and hiding
> password-storage (http://webee.technion.ac.il/~hugo/sphinx.pdf). In
> particular, the current version of the OPAQUE draft
> (draft-krawczyk-cfrg-opaque) lists draft-sullivan-cfrg-voprf as a
> dependency. There are also many applications in general secure computation
> research literature (such as constructions of protocols for private set
> intersection).
>
> Thanks,
> Alex
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email