Remove input from Finalize DST

cfrg / draft-irtf-cfrg-voprf

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups

https://cfrg.github.io/draft-irtf-cfrg-voprf/#go.draft-irtf-cfrg-voprf.html

Other

39 stars 15 forks source link

Remove input from Finalize DST #288

Closed chris-wood closed 2 years ago

chris-wood commented 3 years ago

In Finalize, we include evaluatedElement in the hash input, which seems redundant with input. We could probably drop input from this step, which would simplify the API quite a bit too. Or we could replace it with the representative of input in the group (HashToGroup(input)).

bytemare commented 3 years ago

This would also avoid to keep it in a state :)

armfazh commented 2 years ago

In principle this is a good idea especially when long inputs are passed to two hash functions (HashToGroup and last Hash). OTOH, after looking at the JKK paper, the security proof and any other arguments always consider the client's input to be part of the last hash invocation. So, I am not really confident about removing the input from the last hash, not sure what is the effect on the security proof.

chris-wood commented 2 years ago

Yeah, I no longer think we can just remove it, but we could replace it with its concise representation (i.e., HashToGroup(input)).

chris-wood commented 2 years ago

Leaving this as-is absent security analysis.