rfc9497v6.txt   rfc9497.txt 
Internet Research Task Force (IRTF) A. Davidson Internet Research Task Force (IRTF) A. Davidson
Request for Comments: 9497 Brave Software Request for Comments: 9497 Brave Software
Category: Informational A. Faz-Hernandez Category: Informational A. Faz-Hernandez
ISSN: 2070-1721 N. Sullivan ISSN: 2070-1721 N. Sullivan
C. A. Wood C. A. Wood
Cloudflare, Inc. Cloudflare, Inc.
October 2023 December 2023
Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups
Abstract Abstract
An Oblivious Pseudorandom Function (OPRF) is a two-party protocol An Oblivious Pseudorandom Function (OPRF) is a two-party protocol
between a client and a server for computing the output of a between a client and a server for computing the output of a
Pseudorandom Function (PRF). The server provides the PRF private Pseudorandom Function (PRF). The server provides the PRF private
key, and the client provides the PRF input. At the end of the key, and the client provides the PRF input. At the end of the
protocol, the client learns the PRF output without learning anything protocol, the client learns the PRF output without learning anything
skipping to change at line 729 skipping to change at line 729
contextString = CreateContextString(modePOPRF, identifier) contextString = CreateContextString(modePOPRF, identifier)
return POPRFServerContext(contextString, skS) return POPRFServerContext(contextString, skS)
def SetupPOPRFClient(identifier, pkS): def SetupPOPRFClient(identifier, pkS):
contextString = CreateContextString(modePOPRF, identifier) contextString = CreateContextString(modePOPRF, identifier)
return POPRFClientContext(contextString, pkS) return POPRFClientContext(contextString, pkS)
3.2.1. Deterministic Key Generation 3.2.1. Deterministic Key Generation
This section describes a deterministic key generation function, This section describes a deterministic key generation function,
DeriveKeyPair. It accepts a seed of Ns bytes generated from a DeriveKeyPair. It accepts a seed of 32 bytes generated from a
cryptographically secure random number generator and an optional cryptographically secure random number generator and an optional
(possibly empty) info string. The constant Ns corresponds to the (possibly empty) info string. Note that, by design, knowledge of
size in bytes of a serialized Scalar and is defined in Section 2.1. seed and info is necessary to compute this function, which means that
Note that, by design, knowledge of seed and info is necessary to the secrecy of the output private key (skS) depends on the secrecy of
compute this function, which means that the secrecy of the output seed (since the info string is public).
private key (skS) depends on the secrecy of seed (since the info
string is public).
Input: Input:
opaque seed[Ns] opaque seed[32]
PublicInput info PublicInput info
Output: Output:
Scalar skS Scalar skS
Element pkS Element pkS
Parameters: Parameters:
Group G Group G
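Review bot: The right-hand text of 3.2.1 gives no reason for the literal 32 that replaces Ns as the seed length, both in the prose and in "opaque seed[32]". It also drops the sentence that tied the length to the size of a serialized Scalar from Section 2.1. Since DeriveKeyPair is still parameterized by Group G, state explicitly that the seed is 32 bytes for every group, so that an implementer working from the older text does not keep sizing the seed by Ns.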
skipping to change at line 1827 skipping to change at line 1825
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9380] Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S., [RFC9380] Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S.,
and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380, and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380,
DOI 10.17487/RFC9380, August 2023, DOI 10.17487/RFC9380, August 2023,
<https://www.rfc-editor.org/info/rfc9380>. <https://www.rfc-editor.org/info/rfc9380>.
[RFC9496] de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I., [RFC9496] de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I.,
Tankersley, G., and F. Valsorda, "The ristretto255 and Tankersley, G., and F. Valsorda, "The ristretto255 and
decaf448 Groups", RFC 9496, DOI 10.17487/RFC9496, October decaf448 Groups", RFC 9496, DOI 10.17487/RFC9496, December
2023, <https://www.rfc-editor.org/info/rfc9496>. 2023, <https://www.rfc-editor.org/info/rfc9496>.
8.2. Informative References 8.2. Informative References
[BG04] Brown, D. and R. Gallant, "The Static Diffie-Hellman [BG04] Brown, D. and R. Gallant, "The Static Diffie-Hellman
Problem", November 2004, Problem", November 2004,
<https://eprint.iacr.org/2004/306>. <https://eprint.iacr.org/2004/306>.
[ChaumPedersen] [ChaumPedersen]
Chaum, D. and T. Pedersen, "Wallet Databases with Chaum, D. and T. Pedersen, "Wallet Databases with
skipping to change at line 1881 skipping to change at line 1879
<https://doi.org/10.1109/eurosp.2016.30>. <https://doi.org/10.1109/eurosp.2016.30>.
[NISTCurves] [NISTCurves]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS)", FIPS PUB 186-5, "Digital Signature Standard (DSS)", FIPS PUB 186-5,
DOI 10.6028/NIST.FIPS.186-5, February 2023, DOI 10.6028/NIST.FIPS.186-5, February 2023,
<https://doi.org/10.6028/NIST.FIPS.186-5>. <https://doi.org/10.6028/NIST.FIPS.186-5>.
[OPAQUE] Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The [OPAQUE] Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
OPAQUE Asymmetric PAKE Protocol", Work in Progress, OPAQUE Asymmetric PAKE Protocol", Work in Progress,
Internet-Draft, draft-irtf-cfrg-opaque-12, 5 October 2023, Internet-Draft, draft-irtf-cfrg-opaque-13, 18 December
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- 2023, <https://datatracker.ietf.org/doc/html/draft-irtf-
opaque-12>. cfrg-opaque-13>.
[PRIVACY-PASS] [PRIVACY-PASS]
Celi, S., Davidson, A., Valdez, S., and C. A. Wood, Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
"Privacy Pass Issuance Protocol", Work in Progress, "Privacy Pass Issuance Protocol", Work in Progress,
Internet-Draft, draft-ietf-privacypass-protocol-16, 3 Internet-Draft, draft-ietf-privacypass-protocol-16, 3
October 2023, <https://datatracker.ietf.org/doc/html/ October 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-privacypass-protocol-16>. draft-ietf-privacypass-protocol-16>.
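Review bot: In 8.2 the [PRIVACY-PASS] entry is left at draft-ietf-privacypass-protocol-16, 3 October 2023 on both sides, while [OPAQUE] directly above it is refreshed to draft-irtf-cfrg-opaque-13, 18 December 2023. Check whether the Privacy Pass draft also has a newer revision and, if so, update it in the same pass so that the work-in-progress references are current as of the same date.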
[PrivacyPass] [PrivacyPass]
"Privacy Pass", commit 085380a, March 2018, "Privacy Pass", commit 085380a, March 2018,
skipping to change at line 2894 skipping to change at line 2892
Authors' Addresses Authors' Addresses
Alex Davidson Alex Davidson
Brave Software Brave Software
Email: alex.davidson92@gmail.com Email: alex.davidson92@gmail.com
Armando Faz-Hernandez Armando Faz-Hernandez
Cloudflare, Inc. Cloudflare, Inc.
101 Townsend St 101 Townsend St
San Francisco, San Francisco, CA
United States of America United States of America
Email: armfazh@cloudflare.com Email: armfazh@cloudflare.com
Nick Sullivan Nick Sullivan
Cloudflare, Inc. Cloudflare, Inc.
101 Townsend St 101 Townsend St
San Francisco, San Francisco, CA
United States of America United States of America
Email: nick@cloudflare.com Email: nicholas.sullivan+ietf@gmail.com
Christopher A. Wood Christopher A. Wood
Cloudflare, Inc. Cloudflare, Inc.
101 Townsend St 101 Townsend St
San Francisco, San Francisco, CA
United States of America United States of America
Email: caw@heapingbits.net Email: caw@heapingbits.net
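Review bot: Nick Sullivan's email moves from nick@cloudflare.com to a gmail.com address, but the entry still lists Cloudflare, Inc. and the 101 Townsend St postal address. Confirm that the affiliation and address are still intended for this author. The other change in this block, adding "CA" after "San Francisco,", is applied consistently to all three Cloudflare entries.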
 End of changes. 10 change blocks. 
17 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.48.