Closed chris-wood closed 2 years ago
@armfazh @bytemare: reference implementation and test vectors updated!
We can avoid the counter overflows by using iterated hashing instead. What about something like this?

```
1. T = 000000
2. contextString = CreateContextString(mode, suiteID)
3. deriveInput = seed || I2OSP(len(info), 2) || info
4. MSG = deriveInput || T
5. DST = "DeriveKeyPair" || contextString
6. skS = GG.HashToScalar(MSG, DST)
7. if skS == 0:
8.     T = Hash(T)
9.     return to Step 4.
A. pkS = ScalarBaseMult(skS)
B. return (skS, pkS).
```
Probability of counter overflow is negligible, so I don't think we need to be overly clever with the construction here. It seems best to match key generation routines used for other algorithms like HPKE. I suggest we stick with what's here in this PR, and file this iterated hash variant as an issue to possibly do later on.
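As an added illustration (not code from this PR or from the draft's reference implementation), here are the two scalar-derivation loops discussed in the thread side by side: the iterated-hash retry proposed above and the bounded-counter loop the PR keeps, with an RFC 9380 expand_message_xmd/SHA-512 hash-to-scalar reduced mod the ristretto255 order standing in for GG.HashToScalar. Assumptions: the initial T is 32 zero bytes, the retry hash is SHA-512, the counter loop errors once the counter exceeds 255 as in the published RFC 9497, contextString is supplied by the caller, and the ScalarBaseMult step is omitted since it needs a group library.

```python
import hashlib
from typing import Callable

# Order of the ristretto255 group: 2^252 + 27742317777372353535851937790883648493.
L = 2**252 + 27742317777372353535851937790883648493

def i2osp(x: int, n: int) -> bytes:
    return x.to_bytes(n, "big")

def expand_message_xmd(msg: bytes, dst: bytes, out_len: int) -> bytes:
    """RFC 9380 expand_message_xmd with SHA-512 (b_in_bytes=64, s_in_bytes=128)."""
    ell = -(-out_len // 64)
    dst_prime = dst + i2osp(len(dst), 1)
    b0 = hashlib.sha512(b"\x00" * 128 + msg + i2osp(out_len, 2) + b"\x00" + dst_prime).digest()
    blocks = [hashlib.sha512(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha512(mixed + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:out_len]

def hash_to_scalar(msg: bytes, dst: bytes) -> int:
    """ristretto255-SHA512 HashToScalar: 64 uniform bytes reduced mod L."""
    return int.from_bytes(expand_message_xmd(msg, dst, 64), "big") % L

H2S = Callable[[bytes, bytes], int]

def derive_scalar_iterated(seed: bytes, info: bytes, context_string: bytes, h2s: H2S = hash_to_scalar) -> int:
    """Proposed variant: on a zero scalar, replace T with Hash(T) and retry (never overflows)."""
    dst = b"DeriveKeyPair" + context_string
    derive_input = seed + i2osp(len(info), 2) + info
    t = b"\x00" * 32  # assumed initial T (the comment writes it as "000000")
    while True:
        sk = h2s(derive_input + t, dst)
        if sk != 0:
            return sk
        t = hashlib.sha512(t).digest()  # T = Hash(T), then go back to step 4

def derive_scalar_counter(seed: bytes, info: bytes, context_string: bytes, h2s: H2S = hash_to_scalar) -> int:
    """Counter variant kept by the PR (as in RFC 9497): one-byte counter, error past 255."""
    dst = b"DeriveKeyPair" + context_string
    derive_input = seed + i2osp(len(info), 2) + info
    counter = 0
    while True:
        if counter > 255:
            raise ValueError("DeriveKeyPairError: counter overflow")
        sk = h2s(derive_input + i2osp(counter, 1), dst)
        if sk != 0:
            return sk
        counter += 1
```

With the real hash-to-scalar both loops return on the first try; the stubbed hash in the test is the only practical way to exercise the retry and overflow paths.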
Closes #306.
Rendered version of this PR
cc @bytemare, @kevinlewi, @tomrist