-
Currently, we set ku as
`(oprf_key, _) = DeriveKeyPair(ikm)` (and `(kU, _) = DeriveKeyPair(self.config.oprf_suite, ikm)` in the POC). We always discard the public key, and it's therefore unclear wh…
-
[Tyagi et al.](https://eprint.iacr.org/2021/864.pdf) present a modified variant of the 2HashDH-based OPRF that enables so-called "partially-oblivious" evaluation. Abstractly, this means that the OPRF …
-
The PMB Tokens paper constructs a weaker version of a VOPRF without DLEQ proofs (see Section 7 of https://eprint.iacr.org/2020/072). The weakness of the construction allows the server to send back ran…
-
In this call to HashToScalar, no DST is specified, which is not conformant with the Ciphersuite section in the draft.
https://github.com/cfrg/draft-irtf-cfrg-voprf/blob/866a54cc1021390359e67d8a1b773e2d…
-
Currently, the list of HashTo* DSTs used is:
| Designation | Value | Used in | Defined in |
| ------------- | ------------- | ------------- | ------------- |
| skc h2s | "OPAQUE-HashToScalar" |…
-
Here is a list of all of the constant strings currently specified in the protocol:
Strings relating to envelope construction:
- "Pad"
- "AuthKey"
- "ExportKey"
Strings relating to the AKE sec…
-
Community partners, can you help me look at this problem?
version:webrtc-java-0.6.0.zip
Maven output
[INFO]
[INFO] --- cmake-maven-plugin:3.19.2-b1:compile (cmake-compile) @ webrtc-java-jni --…
-
draft-irtf-cfrg-voprf lists the following OPRF instantiations:
OPRF(ristretto255, **SHA-256**)
OPRF(decaf448, SHA-512)
OPRF(P-256, SHA-256)
OPRF(P-384, SHA-512)
OPRF(P-521, SHA-51…
-
From @hugokraw:
> An attack with Q queries lowers security by (log Q)/2 bits (not log Q), and it only applies if Q is a divisor of p-1 or p+1. Moreover, the *memory* cost of the attack (not just t…