chris-wood closed this issue 3 years ago
I think this could be useful. Would the choice of H3 be completely open, or would there be a set of potential choices? I only ask because the puncturable version requires a non-standard usage of an unstandardised PRF, and I was wondering if this is the sort of thing that we'd want to allow in general?
If anything, I imagine it would be fixed (in this doc) to reasonable choices, namely, random oracles. Though, now that I think more about it, it's not unreasonable to just specify elsewhere how info is computed on client and server using the PRF, and then how the result is passed into the existing APIs. So nothing probably needs to happen here. Closing!
It's possible to extend the POPRF design to build a puncturable variant (in the metadata), a la STAR. Currently, the POPRF abstraction does not allow this to be done so easily. We could probably accommodate it by allowing servers to specify H3, the HashToScalar function used for computing the evaluation context. @alxdavids, thoughts?