I'm trying out Verifpal to prove some PAKE protocols, and I'm struggling with OPRF using passwords for blind salt, as in OPAQUE.
I cannot find out how to invert a scalar (the blinding factor, as I want to compute HASH(pwd)^r^k^(1/r)).
The verifier is unhappy because HASH(pwd)^r reveals the password. Ideally I want H2C(HASH(pwd))^r; I'm not sure how to communicate that to Verifpal, but I guess that shouldn't reveal the password if r remains secret?
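The blind/evaluate/unblind algebra behind H2C(pwd)^r^k^(1/r), as an added Python example that is not part of the original post and is not Verifpal syntax. It shows that 1/r is the inverse of r modulo the group order q, and that in a prime-order group every candidate password is consistent with the same blinded value under some scalar. The toy group (p = 2039, q = 1019), the squaring-based `h2c` stand-in, the sample passwords and all function names are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy safe-prime group, p = 2q + 1. Far too small for real use.
P = 2039
Q = 1019  # prime order of the subgroup of squares mod P


def h2c(data: bytes) -> int:
    """Stand-in hash-to-group: hash into Z_p*, then square into the order-q subgroup."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(data + bytes([ctr])).digest(), "big") % P
        e = pow(h, 2, P)
        if e not in (0, 1):  # reject zero and the identity element
            return e
        ctr += 1


def blind(pwd: bytes):
    """Client: pick secret r in [1, q-1] and send H2C(pwd)^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(h2c(pwd), r, P)


def evaluate(k: int, blinded: int) -> int:
    """Server: raise the blinded element to its OPRF key k."""
    return pow(blinded, k, P)


def unblind(r: int, evaluated: int) -> int:
    """Client: 1/r is the inverse of r modulo the group order q (not modulo p)."""
    return pow(evaluated, pow(r, -1, Q), P)


def oprf_direct(k: int, pwd: bytes) -> int:
    """Reference value H2C(pwd)^k, computed without blinding."""
    return pow(h2c(pwd), k, P)


def scalar_consistent_with(blinded: int, candidate: bytes) -> int:
    """Find r' with H2C(candidate)^r' == blinded by exhaustive search (toy group only)."""
    base, acc = h2c(candidate), 1
    for r in range(1, Q):
        acc = acc * base % P
        if acc == blinded:
            return r
    raise ValueError("blinded value is outside the order-q subgroup")
```

Because such an r' exists for every candidate, the blinded element alone is independent of the password when r is uniform and secret.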