Open lognorman20 opened 1 year ago
@lognorman20 this is great -- thank you. I think we can do something simpler such as the 2HashDH OPRF, covered in a section of https://eprint.iacr.org/2022/302.pdf. The reason why is
2HashDH is where we are working in some predefined curve (such as BabyJubJub or secp256k1) of order n
with generator G
.
There is also a hash function H
. For this, let's use blake512 or sha512, mod n
.
Server always has key k
and Client has input x
, which they want the PRF of.
The PRF is the function PRF(x,k) = H(H(x)kG)
. Let's see how this it works:
r*H(x)*G
. Note Server learns no information at all about r or H(x) from this value.r*H(x)*k*G
and returns this value. Note this does not reveal the private key due to discrete logarithm assumption.H(X)kG
Just now noticed there's an implementation it here https://github.com/multiparty/oprf/blob/master/src/oprf.slim.ts which is pretty cool. It still would be nice to have the same in babyjubjub library though so we can do it with our MPC network eventually.
Overview
An Oblivious Pseudorandom Function (OPRF) is a two-party protocol between client and server for computing the output of a Pseudorandom Function (PRF). The server provides the PRF private key, and the client provides the PRF input. At the end of the protocol, the client learns the PRF output without learning anything about the PRF private key, and the server learns neither the PRF input nor output. An OPRF can also satisfy a notion of 'verifiability', called a VOPRF. A VOPRF ensures clients can verify that the server used a specific private key during the execution of the protocol.
The birds-eye view of the OPRf algorithm is to have the following interaction between a client C and a server S:
G
to commonly refer tok
x
x
with some random constantr
to producea
d
witha
to produce some blind tokenb
b
over to Sb
k
G
and passes it as an outputo
back to Co
by multiplyingo
by the inverse ofr
Proposed Implementation
I aim to create a variation of the methodology used in this paper.
Data Structures
PrivateInput: inputs that are known only to the client in the protocol
PublicInput: inputs that are known to both client and server in the protocol
Opaque: byte strings of arbitrary length no larger than 2^16 - 1 bytes. This length restriction exists because
PublicInput
andPrivateInput
values are length-prefixed with two bytes before use throughout the protocol.Proof: stores the secret key and the output?
OPRFServerContext: data structure that stores a context string and the relevant key material for each party
OPRFClientContext: data structure that stores a context string and the relevant key material for each party
Group: An implementation of a Prime-Order Group. This is to help generate constants/scalars easily and quickly. Further, it allows for easy key generation. This API will have the following functions:
p
)I
)x
to an element ofGroup
. The map must ensure that, for any adversary receivingR = HashToGroup(x)
, it is computationally difficult to reverse the mapping. This function is optionally parameterized by a domain separation tag (DST)x
to an element in GF(p). This function is optionally parameterized by a DSTScalar
s
onGF(p)
Element
A
to a canonical byte arraybuf
of fixed lengthNe
.buf
to anElement
A
, and fails if the input is not the valid canonical byte representation of an element of the group. This function can raise a DeserializeError if deserialization fails orA
is the identity element of the groupScalar
s
to a canonical byte arraybuf
of fixed lengthNs
.buf
to aScalar
s
. This function can raise a DeserializeError if deserialization fails for group-specific input validation steps.Functionality
Pseudocode of Protocol:
Regarding the Group API Implementation, there are many different Cipher-suites to choose from in the paper. I'm not sure which one to pick, nor do I fully understand the tradeoffs of each yet, so I'd have to investigate this further.
Following the necessary functions from here
References
These papers gave me some background on OPRFs
This VOPRF implementation in Rust by Facebook engineers