Open colinbendell opened 1 year ago
This seems to be more of a bug in Chrome, as PrivacyPass Protocol (Draft 10) more clearly defines the use of the Evaluate
function. The ISSUER_PROTOCOL.md
is just out of date.
Re-opening because it is all very confusing. Protocol Draft10 is not updated to reflect voprf draft 21 and the structure and method of the redemption process is odd.
Compounding this is that the ECPoint W
doesn't match any documentation:
Ne + Ns
long instead of Ne
in length (97 v 49)Evaluate()
function in voprf produces a hash of Ns
length, so it's unclear if the redemption request should be passing the hash output from Finalize()
instead of a Point value.
The redemption record verification does not match the functions in VOPRF Draft21 and it is unclear how it can be updated to align. The updated chrome implementation uses Draft21 for the Issuer protocol but still uses Draft7 (with
P384_XMD:SHA-512_SSWU_RO_
) for redemptionContext: from ISSUER_PROTOCOL.md:
In Draft7, this stage is described as:
Where the current redemption validation process would compare the signed
issuedElement
with theECPoint W
using the DST ofTrustToken VOPRF Experiment V2 HashToGroup\0
and the hashsha512
.In draft21 of VOPRF, the VerifyFinalize stage has been replaced with the
Finalize
stage and theEvaluate
function to determine the PRF result. However, theEvaluate
function returns a hash of the input after signing.