-
Protocols like VOPRF and blind RSA/BLS have different semantics and wire images. As an example, batching seems to be a per-crypto-protocol property. VOPRF supports it, whereas BLS/RSA do not.
Tryin…
-
Currently `KeGroup` is implemented on what represents the public key of a curve, the `RistrettoPoint` for ristretto255, `ProjectivePoint` for P-256 and `MontgomeryPoint` for X25519. When I switched to…
-
Currently, in the proxied-verifier server running mode, the entire redemption token is sent to the server. However, we may be able to avoid this by only sending the initial `data` inside the Redemptio…
-
Currently, domain separation on OPRF evaluation is done using the client's record identifier and a global seed to derive a user-specific evaluation key.
(V)OPRF introduces POPRF with metadata that …
-
The above is quite confusing to take output as input.
I'm not really liking the nomenclature of input and output for VOPRFs.
Have you considered other names?
For input, I think `message`…
-
The (V)OPRF spec has been updated to include the POPRF findings. We should integrate these changes since this spec depends on it.
_Update: POPRF merged with #282, but some questions remain_
- _D…
-
Currently, RedemptionRequest messages have the following structure:
```
struct {
opaque data; // input to the token issuance flow
opaque tag; // output of the token issuance flow
opaque …
-
The current spec punts on key derivation. In particular, it assumes some mechanism for deriving keys. To promote an EdDSA-like interface, wherein "private keys" are random seeds used to _derive_ actua…
-
`HashToGroup` can produce the identity element and `HashToScalar` can produce a zero scalar. It is extremely unlikely though.
Currently it's not specified how to behave when this happens. Potential…
-
Do we need to include an error when the inverse of `k+m` does not exist?
_Originally posted by @armfazh in https://github.com/cfrg/draft-irtf-cfrg-voprf/pull/284#discussion_r727727425_