Proving protocol using OPRF with a password

symbolicsoft / verifpal

Cryptographic protocol analysis for real-world protocols.

https://verifpal.com

GNU General Public License v3.0

41 stars 4 forks source link

Open forty opened 7 months ago

forty commented 7 months ago

I'm trying out verifypal to prove some PAKE protocols, and I'm struggling with OPRF using passwords for blind salt, as in OPAQUE.

I cannot find out how to invert a scalar (the blinding factor, as I want to compute HASH(pwd)^r^k^(1/r) )
the verifier is unhappy because HASH(pwd)^r reveals the password. Ideally I want H2C(HASH(pwd))^r, I'm not sure how to communicate that to verifypal, but I guess that shouldn't reveal the password if r remains secret?

forty commented 7 months ago

(sorry, I don't know if this is a feature request, or just my own misunderstanding of how things work)