Closed rot256 closed 3 years ago
The editor's copy of draft-irtf-cfrg-voprf uses OPRF(ristretto255, SHA-512), which is why OPAQUE uses it. We chose SHA-512 because implementations using ristretto255 are more likely to also have a SHA-512 implementation (due to Ed25519 requiring SHA-512). See this PR and related issue(s).
draft-irtf-cfrg-voprf lists the following OPRF instantiations:
OPRF(ristretto255, SHA-256)
OPRF(decaf448, SHA-512)
OPRF(P-256, SHA-256)
OPRF(P-384, SHA-512)
OPRF(P-521, SHA-512)
However, section 5 of draft-irtf-cfrg-opaque says:
An OPAQUE configuration is a tuple (OPRF, Hash, MHF, EnvelopeMode). The OPAQUE OPRF protocol is drawn from the "base mode" variant of [I-D.irtf-cfrg-voprf]. The following OPRF ciphersuites are supported:
It seems like it should be SHA-256 in both places (targeting 128 bits of security)?