cfrg / draft-irtf-cfrg-voprf

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups
https://cfrg.github.io/draft-irtf-cfrg-voprf/#go.draft-irtf-cfrg-voprf.html

Finalize is underspecified #89

Closed chris-wood closed 4 years ago

chris-wood commented 4 years ago

Finalize uses H_2 like so:

H_2(DST, x .. N)

The reference implementation basically uses DST as a keyed hash, yet we define it as a hash function. Maybe we should just say this is a PRF, and then concretely say it's HMAC-H (with H depending on the suite) keyed by DST? (That works fine for HMAC as it's a dual PRF, but perhaps not other PRFs, so I might suggest swapping the input orders.)

Also, for what it's worth, 2HashDH doesn't require H_2 to be a PRF, so maybe this is a bit much. Maybe we should just use a normal hash (SHA2) and define an encoding of the inputs?
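
The two options weighed in the comment above, as an added example that is not part of the thread or of the draft's reference implementation: a plain hash over raw concatenation loses the boundaries between DST, x and N, while a length-prefixed encoding or an HMAC keyed by DST does not. SHA-256, the 2-byte big-endian length prefix, the function names and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac

def lp(field: bytes) -> bytes:
    """Prefix a field with its length as 2 big-endian bytes (assumed encoding)."""
    if len(field) > 0xFFFF:
        raise ValueError("field too long for a 2-byte length prefix")
    return len(field).to_bytes(2, "big") + field

def finalize_concat(dst: bytes, x: bytes, n: bytes) -> bytes:
    """Plain SHA-256 over raw concatenation: field boundaries are lost."""
    return hashlib.sha256(dst + x + n).digest()

def finalize_encoded(dst: bytes, x: bytes, n: bytes) -> bytes:
    """Plain SHA-256 over length-prefixed fields: the input parses one way only."""
    return hashlib.sha256(lp(dst) + lp(x) + lp(n)).digest()

def finalize_hmac(dst: bytes, x: bytes, n: bytes) -> bytes:
    """HMAC-SHA256 keyed by DST; x and N still need an encoding between them."""
    return hmac.new(dst, lp(x) + lp(n), hashlib.sha256).digest()

# Constructed inputs: each pair differs only in where one field ends.
SHIFT_X_N = ((b"dst-v1", b"abc", b"def"), (b"dst-v1", b"ab", b"cdef"))
SHIFT_DST_X = ((b"dst-v1", b"abc", b"def"), (b"dst-", b"v1abc", b"def"))

def collides(finalize, pair) -> bool:
    """True when two distinct (DST, x, N) tuples give the same output."""
    first, second = pair
    return hmac.compare_digest(finalize(*first), finalize(*second))

if __name__ == "__main__":
    variants = [("concat", finalize_concat),
                ("encoded", finalize_encoded),
                ("hmac", finalize_hmac)]
    for name, fn in variants:
        print(name, collides(fn, SHIFT_X_N), collides(fn, SHIFT_DST_X))
```
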

armfazh commented 4 years ago

Originally posted by @chris-wood in https://github.com/cfrg/draft-irtf-cfrg-voprf/pull/78

Unrelated to this change, but what is u here? Is DST guaranteed to be of size u? (2HashDH doesn't specify the hash this way. Maybe we ought to go back to what's in the original paper?)

alxdavids commented 4 years ago

This was done in #97.