cfrg / draft-irtf-cfrg-voprf

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups
https://cfrg.github.io/draft-irtf-cfrg-voprf/#go.draft-irtf-cfrg-voprf.html
Other
39 stars 15 forks source link

Fix comments by JH (part 2) #355

Closed armfazh closed 2 years ago

armfazh commented 2 years ago

Together with #354 , this PR addresses all the comments by JH posted here.

The best way to review this PR is going commit by commit.

Comments Addressed

"Verifiable POPRF": the verifiability property is not optional in the draft, but the fact that it is sometimes called "verifiable POPRF" hints that it is. Why not avoid any confusion by calling it VPOPRF throughout the document?

Section 1.3 introduces PrivateInput and PublicInput as the exact same data types. What distinguishes them? The terms Private and Public hint at something, but it seems never spelled out in the document.

In general the distinction between "Input" and "Parameters" in the function descriptions confused me. What are the semantics here? First I thought Parameters are implementation-wide and fixed objects, like the Group, but then the OPRF key skS appears as a Parameter of BlindEvaluate. Since the document also hints that keys can be updated during the run of the protocol ("key rotation"), skS does not seem to be a long-term parameter to me. Sometimes both the terms Input and Parameter are mixed, for example when "PublicInput contextString" appears under Parameters. Another example is in the flow diagram of POPRF, where both Inputs (info) and Parameters (pkS,skS) appear in parantheses after a party's name. Overall it would be good to clarify why the function descriptions distinguish between "Inputs" and "Parameters", as otherwise implementors might interpret their own meaning to these terms.

Explain the list notation []

Section 3, protocol overviews: skS and pkS appear as input to the parties but are not used in the protocols. E.g., it should be BlindEvaluate(skS,blindedElement) instead of BlindEvaluate(blindedElement).

"client and server augment the pkS and skS, respectively, using the info value": this could be modified to explain the (otherwise unexplained) "tweakedKey" term that appears in the protocol overview. Maybe "client and server tweak their pkS and skS, respectively, using the info value"?

If I would implement this, I would wonder about Input "opaque seed[Ns]". Ns is an integer, and this seed appears to be a list of Ns opaque values. In the text it says "randomly generated seed". The seeds suggested in the test vector section do not appear very random to me ;) Not sure if this is underspecified or just common knowledge.

"Recall that servers may batch multiple client inputs to BlindEvaluate." - Maybe one more sentence how this is done? Just repeated execution of BlindEvaluate and concatenating the evaluatedElements in the message to the client?

"certain public inputs that map to invalid public keys for server evaluation." I could not parse "public key for server evaluation" here.

I could not make any sense of 5.2, but again, not an implementor...

Partial obliviousness: I don't understand this definition. Everything but the last sentence are properties of any OPRF, as described already in the other properties. The sentence "Both client and server learn the public input (info)" does not seem to have any meaning, since info is input to both parties and hence they of course learn it. The partial obliviousness property rather seems to enforce usage of info in an evaluation. I was also surprised that partial obliviousness is equivalent to unlinkability. Are OPRFs linkable, in the sense of linkability described in the draft?

In reference [SJKS17] typos in Jareckiy, Krawczykz

No change

Still protocol overviews: I find the term "evaluatedElement" computed by the server a bit misleading, as it sounds like the server is learning the evaluation. On the other hand I don't have a better idea. BlindedEvaluatedElement would indicate more precisely what happens, but is probably too long.

We remain using evaluatedElement for the output of the server computation.