cfrg / draft-irtf-cfrg-voprf

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups
https://cfrg.github.io/draft-irtf-cfrg-voprf/#go.draft-irtf-cfrg-voprf.html
Other
39 stars 15 forks source link

Chris P.'s review: Security Considerations #317

Closed cjpatton closed 2 years ago

cjpatton commented 2 years ago

In my opinion, this is the weakest section of the document right now. (But it's not far from being great!) I'll start off with some high level thoughts and follow with detailed comments.

The bulk of the security considerations is dedicated to discussion of computational assumptions used in security proofs. This is particularly important for this document because the assumptions are stronger than usual ones, e.g., DLOG, CDH, DDH, and the like. The main consequence is that, compared to other protocols, adopters of this standard will have to be much more careful in choosing the cryptographic parameters best suited for their application.

The reason for this is that the proposed protocols all inherently expose a so-called "static-DH" oracle. As the spec correctly points out, access to such an oracle leads to a key-recovery attack that, while not feasible for sufficiently large gropus, significantly degrades the security level, potentially making other attacks more likely. Yet the spec also points out that the degreee to which security is degraded depends on the protocol, as well as the application that is built upon it.

This is a murky state of affairs, and one I fear might lead to adopters making the wrong choice. I think the document would benefit from providing clearer and more conservative guidance. Some specific suggestions:

  1. Ideally we would be able to derive "safety limits" for each ciphersuite and protocol. In particular, the document would specify how many times a secret key operation can be performed before the key needs to be rotated. It's not immediately clear to me how this would work or how useful it would be, since the limits would have to be derived from the best known attacks. This is perhaps more of a research question than anything else.

  2. The document should provide stronger guidance on when using the smaller groups (ristretto255 or P-256) is safe. My take (based on my read of the doc) is that I would be comfortable just rate-limiting key operations for the larger groups, but if I had to pick the smaller ones, I would really only feel comfortable if there were some way of controlling the number of clients that access oracle (by authenticating them, for instance). Of course, this may end up being a question for the application.

  3. The document would benefit from providing examples of applications for which the static DH oracle is not likely a problem and applications for which the static DH oracle may be a problem. What about OPAQUE? PrivacyPass?

  4. Finally, because the computational assumptions are stronger, they are more likely to be falsified one day than "standard" assumptions. If I were writing this spec, I would probably NOT RECOMMEND that the smaller groups be used, simply as a hedge against future advancements in cryptanalysis. I realize this is probably a controversial position, so just take it as a suggestion. (As with all of these comments, of course!)

6

6.2

6.2.1

6.2.1.1

6.2.2

6.2.2.1

Simnilar comments as for Section 6.2.1.1.

6.2.3

6.2.4

6.7