alxdavids / voprf-poc

Proof-of-concept implementation of the (V)OPRF protocol in https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/

Cofactor clearing #25

Open alxdavids opened 4 years ago

alxdavids commented 4 years ago

We should adopt the advice in https://eprint.iacr.org/2017/212.pdf to make all scalar multiplication values a multiple of the curve cofactor. This ensures that we have a prime-order group interface even when using curve448, and also reduces the number of necessary scalar multiplications.

cc @armfazh
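As an added illustration of the point in this comment (example code written for this page, not part of voprf-poc or circl), the following plain-Python snippet uses Ed25519, whose cofactor is 8, with affine twisted-Edwards arithmetic. It shows what a naive evaluator that computes k*P on a client-supplied point reveals when that point carries a small-order component, and that folding the cofactor into the scalar, as the referenced paper advises, makes the result independent of that component and removes the need for the costly subgroup-membership check. Point and scalar values are derived from the Ed25519 parameters; the key `K` used below is a constructed sample.

```python
# Added example (not code from voprf-poc or circl): cofactor clearing on
# Ed25519 (cofactor 8), plain Python, affine twisted-Edwards arithmetic.

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
H = 8                                                 # cofactor: #E = H * L
d = (-121665 * pow(121666, -1, p)) % p                # curve constant, a = -1
SQRT_M1 = pow(2, (p - 1) // 4, p)                     # sqrt(-1) mod p
O = (0, 1)                                            # neutral element


def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q):
    # Complete addition law for a = -1 twisted Edwards curves; also doubles.
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)


def neg(P):
    return ((-P[0]) % p, P[1])


def mul(k, P):
    # Left-to-right double-and-add (not constant time; demo only).
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def recover_x(y):
    # x from y as in RFC 8032 section 5.1.3, choosing the even root.
    u = (y * y - 1) % p
    v = (d * y * y + 1) % p
    x = u * pow(v, 3, p) * pow(u * pow(v, 7, p), (p - 5) // 8, p) % p
    if v * x * x % p == (-u) % p:
        x = x * SQRT_M1 % p
    return p - x if x % 2 else x


B_Y = 4 * pow(5, -1, p) % p
B = (recover_x(B_Y), B_Y)      # standard generator, order L
T = (SQRT_M1, 0)               # small-order point: 2T = (0, -1), 4T = O


def in_prime_order_subgroup(P):
    # The expensive membership test that cofactor clearing lets us skip.
    return mul(L, P) == O


def naive_evaluate(k, P):
    # Server computes k*P on whatever point the client sent.
    return mul(k, P)


def cleared_evaluate(k, P):
    # Advice from ePrint 2017/212: fold the cofactor into the scalar so any
    # small-order component of P is sent to O without a membership check.
    return mul(H * k, P)


def recover_k_mod_4(k, P):
    # What a naive evaluator reveals when handed P + T instead of P:
    # k*(P+T) - k*P = k*T = (k mod 4)*T, since T has order 4.
    leaked = add(naive_evaluate(k, add(P, T)), neg(naive_evaluate(k, P)))
    return next(i for i in range(4) if mul(i, T) == leaked)


def cleared_is_independent_of_T(k, P):
    # With cofactor clearing the evaluation on P+T equals the one on P.
    return cleared_evaluate(k, add(P, T)) == cleared_evaluate(k, P)


if __name__ == "__main__":
    K = 12345678901234567891   # constructed sample key, K mod 4 == 3
    print("naive evaluator leaks k mod 4 =", recover_k_mod_4(K, B))
    print("cleared evaluation ignores T:", cleared_is_independent_of_T(K, B))
    print("membership check on B+T:", in_prime_order_subgroup(add(B, T)))
```

The arithmetic is deliberately the slow affine form so every step is visible; a real implementation would use the projective formulas and a constant-time ladder, and would apply the same cofactor handling on the client side so both parties compute the same H*k*P output.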

claucece commented 4 years ago

This is interesting. One thing that can be done for curve448 is move it to the twisted Edwards form, apply the decaf functionality there, and then convert it back to Montgomery.

alxdavids commented 4 years ago

Yeah that would potentially be a good solution! Do you think the overheads of doing those transformations will be favourable compared to incorporating more scalar multiplications?

armfazh commented 4 years ago

> One thing that can be done for curve448 is move it to the twisted Edwards form, apply the decaf functionality there, and then convert it back to Montgomery.

That could work, we can evaluate this approach; otherwise, we can shift the suite to Edwards448.

alxdavids commented 4 years ago

So the best approach here sounds like using Edwards and handling the cofactor as in RFC8032?

claucece commented 4 years ago

What we can do is the following:

I can create the interfaces for:

And then we can see which one might be easier to use.. what do you think?

armfazh commented 4 years ago

See https://github.com/cloudflare/circl/issues/101

claucece commented 4 years ago

Now that ed448 has been merged to master in circl, I was thinking of starting to move this library to use that one as well, prior to using it as well for decaf later. Sounds good? @alxdavids

alxdavids commented 4 years ago

> Now that ed448 has been merged to master in circl, I was thinking of starting to move this library to use that one as well, prior to using it as well for decaf later. Sounds good? @alxdavids

Yeah I think that's a great idea 👍 I've not been keeping up to date with the ed448 change; do you think it will be a big change to adapt the VOPRF implementation to use this?

claucece commented 4 years ago

@alxdavids .. not that big of a change.. as the functions should probably be called the same. I'll review it tomorrow just to be sure ;)

claucece commented 4 years ago

@alxdavids decaf is probably going to be added to circl soon! I'll wait for the merge and then send the PR over here (then if all works over here we can also update the document) ;)

alxdavids commented 4 years ago

Great, thanks @claucece!