[Cfrg] Reviewing draft-irtf-cfrg-voprf-01
Jack Grigg <ietf@jackgrigg.com> Wed, 24 July 2019 23:59 UTC
Return-Path: <me@jackgrigg.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BEF712016C for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 16:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pp60AZafctND for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 16:59:49 -0700 (PDT)
Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 818D3120154 for <cfrg@irtf.org>; Wed, 24 Jul 2019 16:59:49 -0700 (PDT)
Received: by mail-wr1-f46.google.com with SMTP id c2so45510233wrm.8 for <cfrg@irtf.org>; Wed, 24 Jul 2019 16:59:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=BSQTH342a+eiSS5y1896AeyA62QailMfYWV0B1P/FsM=; b=ufNilKDrM8FWCjRn8bUNLzY3hMr/yuVfnsdWMuSakfTBMGirT7gyA7BkbjMHUKDRcD k8mIZZKLQDclA3EmUvXLOvqqJGPpUon8MfziMDGUN447ilEBeoGoGv32T/RJV0i3xdlw cKh/RPOv3J5tZ9Hdl0oIZvMFaoSn415nGhMjam8B1h/gHWWJE90ep+lrPmQx8SWB8kmB sui1w7AvJ8v8VQsdp0Lr8XVflEd/tJF4qS7EH0ier10+ZRuBiTi9kZz6lDTklKn2YmI/ Q4dX91B6P+QrZ94xLQ401yTYMJHtyraEOe9u2mgOycX6pxhK+AEMfdHTO5JLrg+wMcaJ wWkg==
X-Gm-Message-State: APjAAAU1kGTqk8TFIO7f1jpzE6JfyalbcC8omB98JWO9AK22E3gpPJuH DviSSY5VC6SNvsTf9Ufx8lfIyp7h5N0IeTkl52/T7DJdR7Tuqg==
X-Google-Smtp-Source: APXvYqxk/A4eedpZFk3waSz8crJa+jLAc1+ZXFFsUhkwkPGgZ4reoJ1Vwd11wc7INH6asLU5x5NNe0VtDnWRCLf0yn8=
X-Received: by 2002:a5d:4d81:: with SMTP id b1mr7334662wru.27.1564012787542; Wed, 24 Jul 2019 16:59:47 -0700 (PDT)
MIME-Version: 1.0
Reply-To: ietf@jackgrigg.com
From: Jack Grigg <ietf@jackgrigg.com>
Date: Thu, 25 Jul 2019 00:59:37 +0100
Message-ID: <CAPC=aNUMKxVKuhAKtN4S-7z_CqK=CJ+6WkzE42FtCS-B2OCKug@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000a03f53058e761a34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uy-8aRx-W6JUQc0vip2nTzNHIKw>
Subject: [Cfrg] Reviewing draft-irtf-cfrg-voprf-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 23:59:52 -0000
Hi all, I've been looking at the VOPRF draft as part of my work on ristretto255, and have some comments which I hope will be of use to the CFRG. --- Section 4: > Let GG be an additive group of prime-order p, let GF(p) be the Galois field defined by the integers modulo p. Section 4.2: > As we remarked above, GG is a subgroup with associated prime-order p. These sections are inconsistent in defining GG as a group vs a subgroup (section 4.2 is the first mention of the latter). > In the multiplicative setting we can choose GG to be a prime-order > subgroup of a finite field FF_p. For example, let p be some large > prime (e.g. > 2048 bits) where p = 2q+1 for some other prime q. This is confusing regarding naming of the primes. GG is defined to have order p; in this example, GG now has order q, while the base field has order p. > There are also other settings where GG is a prime-order subgroup > of an elliptic curve over a base field of non-prime order, these > include the work of Ristretto [RISTRETTO] and Decaf [DECAF]. Ristretto and Decaf are abstractions that define a prime-order group of elements, not a prime-order subgroup of points on a specific elliptic curve. If the intention is to solely refer to Ristretto and Decaf in this paragraph, I suggest rewording this (lifting wording from the ristretto255 introduction) as: > There are also other settings where GG is a prime-order group > constructed from non-prime-order elliptic curves, using techniques > such as Ristretto [RISTRETTO] and Decaf [DECAF]. If the intention is to also include elliptic curves with prime-order subgroups and cofactors, I suggest rewording this as: > There are also other settings where GG is a prime-order subgroup > of an elliptic curve over a base field of non-prime order (such as > edwards25519 [RFC7748]), or where GG is a prime-order group > constructed from non-prime-order elliptic curves (using techniques > such as Ristretto [RISTRETTO] and Decaf [DECAF]). It would be generally useful to refactor section 4.2 to be clear that GG is assumed to be a group of prime-order p, and then be explicit about when (in examples or otherwise) this group is a subgroup of a larger group with prime or non-prime order. --- Section 4.3: > 1. P samples a uniformly random key k <- {0,1}^l for sufficient > length l, and interprets it as an integer. Section 4.3.1: > l: Some suitable choice of key-length (e.g. as described in [NIST]). This definition feels less clear than something like "P samples a key uniformly from GF(p)". Particularly given the NIST reference, it appears to imply that greater security can be obtained by choosing a longer key, while in practice the security is bounded by the size of the group GG. I suggest making the modular reduction (applied to the key) explicit in OPRF_Setup, instead of being tucked away in bin2scalar. Perhaps "and interprets it as an integer modulo p" would suffice? --- Section 5.1: > H_3: A hash function from GG to {0,1}^L, modelled as a random oracle. Judging from the later definition of H_4, and looking at how H_3 is used, I suspect this is intended to be: > H_3: A hash function from GG^6 to {0,1}^L, modelled as a random oracle. --- Section 7.2 defines an instantiation of VOPRF using ristretto255 as follows: > 7.2. ECVOPRF-RISTRETTO-HKDF-SHA512-Elligator2: > o GG: Ristretto [RISTRETTO] > o H_1: H2C-Curve25519-SHA512-Elligator2-Clear [I-D.irtf-cfrg-hash-to-curve] > * label: voprf_h2c > o H_2: SHA512 > o H_3: SHA512 > o H_4: SHA512 > o H_5: HKDF-Expand-SHA512 > In the case of Ristretto, internal point representations are represented by > Ed25519 [RFC7748] points. As a result, we can use the same hash-to-curve > encoding as we would use for Ed25519 [I-D.irtf-cfrg-hash-to-curve]. This directly conflicts with the VOPRF draft's normative reference to the ristretto255 draft, which states: > Implementations MUST NOT perform any other operation on internal > representations and MUST NOT construct group elements except via > "DECODE" and "FROM_UNIFORM_BYTES". Such an instantiation would breach the Ristretto abstraction, and in practice would not be compatible with ristretto255 implementations that use an alternative isomorphic curve instead of edwards25519. EDIT: While I was typing these comments up, a new revision of the VOPRF draft was published that alters section 7.2 to: > 7.2. ECVOPRF-ed25519-HKDF-SHA256-Elligator2: > o GG: Ristretto255 > o H_1: edwards25519-SHA256-EDELL2-RO > * label: voprf_h2c > o H_2: SHA256 > o H_3: SHA256 > o H_4: SHA256 > o H_5: HKDF-Expand-SHA256 This retains the above problem, and it is now unclear from the name whether this is an instantiation on ristretto255 or edwards25519. The two are of course incompatible (the encoding of ristretto255 elements is not equivalent to the encoding used for edwards25519 points). I suggest using the following instantiation and text for a ristretto255-based ECVOPRF: > ECVOPRF-ristretto255-HKDF-SHA256: > o GG: ristretto255 > o H_1: ristretto255.FROM_UNIFORM_BYTES(SHA512) > o H_2: SHA256 > o H_3: SHA256 > o H_4: SHA256 > o H_5: HKDF-Expand-SHA256 > > The Ristretto API provides a FROM_UNIFORM_BYTES function > for mapping a 64-byte input to a ristretto255 element, suitable for > hash-to-group operations. To satisfy the arbitrary input requirement > of H_1, we hash the arbitrary input x with SHA512 to obtain 64 bytes, > then use this as the input to FROM_UNIFORM_BYTES. --- I'm happy to contribute a patch addressing these points. Cheers, Jack
- [Cfrg] Reviewing draft-irtf-cfrg-voprf-01 Jack Grigg
- Re: [Cfrg] Reviewing draft-irtf-cfrg-voprf-01 Alex Davidson