idnits 2.17.1 draft-irtf-cfrg-voprf-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 4 instances of too long lines in the document, the longest one being 25 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (25 October 2021) is 914 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'Nh' is mentioned on line 1015, but not defined == Missing Reference: 'C' is mentioned on line 935, but not defined == Missing Reference: 'D' is mentioned on line 936, but not defined == Outdated reference: A later version (-16) exists of draft-irtf-cfrg-hash-to-curve-12 == Outdated reference: A later version (-14) exists of draft-irtf-cfrg-opaque-06 == Outdated reference: A later version (-08) exists of draft-irtf-cfrg-ristretto255-decaf448-01 Summary: 2 errors (**), 0 flaws (~~), 7 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Davidson 3 Internet-Draft Brave Software 4 Intended status: Informational A. Faz-Hernandez 5 Expires: 28 April 2022 N. Sullivan 6 C.A. Wood 7 Cloudflare, Inc. 8 25 October 2021 10 Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups 11 draft-irtf-cfrg-voprf-08 13 Abstract 15 An Oblivious Pseudorandom Function (OPRF) is a two-party protocol 16 between client and server for computing the output of a Pseudorandom 17 Function (PRF). The server provides the PRF secret key, and the 18 client provides the PRF input. At the end of the protocol, the 19 client learns the PRF output without learning anything about the PRF 20 secret key, and the server learns neither the PRF input nor output. 21 A Partially-Oblivious PRF (POPRF) is an OPRF that allows client and 22 server to provide public input to the PRF. OPRFs and POPRFs can also 23 satisfy a notion of 'verifiability'. In this setting, clients can 24 verify that the server used a specific private key during the 25 execution of the protocol. This document specifies a POPRF protocol 26 with optional verifiability instantiated within standard prime-order 27 groups, including elliptic curves. 29 Discussion Venues 31 This note is to be removed before publishing as an RFC. 33 Source for this draft and an issue tracker can be found at 34 https://github.com/cfrg/draft-irtf-cfrg-voprf. 36 Status of This Memo 38 This Internet-Draft is submitted in full conformance with the 39 provisions of BCP 78 and BCP 79. 41 Internet-Drafts are working documents of the Internet Engineering 42 Task Force (IETF). Note that other groups may also distribute 43 working documents as Internet-Drafts. The list of current Internet- 44 Drafts is at https://datatracker.ietf.org/drafts/current/. 46 Internet-Drafts are draft documents valid for a maximum of six months 47 and may be updated, replaced, or obsoleted by other documents at any 48 time. It is inappropriate to use Internet-Drafts as reference 49 material or to cite them other than as "work in progress." 51 This Internet-Draft will expire on 28 April 2022. 53 Copyright Notice 55 Copyright (c) 2021 IETF Trust and the persons identified as the 56 document authors. All rights reserved. 58 This document is subject to BCP 78 and the IETF Trust's Legal 59 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 60 license-info) in effect on the date of publication of this document. 61 Please review these documents carefully, as they describe your rights 62 and restrictions with respect to this document. Code Components 63 extracted from this document must include Simplified BSD License text 64 as described in Section 4.e of the Trust Legal Provisions and are 65 provided without warranty as described in the Simplified BSD License. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 70 1.1. Change log . . . . . . . . . . . . . . . . . . . . . . . 4 71 1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 6 72 2. Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . 7 73 2.1. Prime-Order Group Dependency . . . . . . . . . . . . . . 7 74 2.2. Notation and Terminology . . . . . . . . . . . . . . . . 9 75 3. POPRF Protocol . . . . . . . . . . . . . . . . . . . . . . . 10 76 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 10 77 3.2. Context Setup . . . . . . . . . . . . . . . . . . . . . . 11 78 3.3. Context APIs . . . . . . . . . . . . . . . . . . . . . . 12 79 3.3.1. Server Context . . . . . . . . . . . . . . . . . . . 12 80 3.3.2. VerifiableServerContext . . . . . . . . . . . . . . . 15 81 3.3.3. Client Context . . . . . . . . . . . . . . . . . . . 20 82 3.3.4. VerifiableClientContext . . . . . . . . . . . . . . . 22 83 4. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . 25 84 4.1. OPRF(ristretto255, SHA-512) . . . . . . . . . . . . . . . 26 85 4.2. OPRF(decaf448, SHAKE-256) . . . . . . . . . . . . . . . . 26 86 4.3. OPRF(P-256, SHA-256) . . . . . . . . . . . . . . . . . . 27 87 4.4. OPRF(P-384, SHA-384) . . . . . . . . . . . . . . . . . . 27 88 4.5. OPRF(P-521, SHA-512) . . . . . . . . . . . . . . . . . . 28 89 5. Application Considerations . . . . . . . . . . . . . . . . . 28 90 5.1. Error Considerations . . . . . . . . . . . . . . . . . . 28 91 5.2. Public Metadata . . . . . . . . . . . . . . . . . . . . . 29 92 6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 93 6.1. Security Properties . . . . . . . . . . . . . . . . . . . 29 94 6.2. Cryptographic Security . . . . . . . . . . . . . . . . . 30 95 6.2.1. Protocol Security and Computational Hardness 96 Assumptions . . . . . . . . . . . . . . . . . . . . . 30 97 6.2.2. Static q-DL Assumption . . . . . . . . . . . . . . . 31 98 6.2.3. Implications for Ciphersuite Choices . . . . . . . . 31 99 6.3. Proof Randomness . . . . . . . . . . . . . . . . . . . . 32 100 6.4. Domain Separation . . . . . . . . . . . . . . . . . . . . 32 101 6.5. Element and Scalar Validation . . . . . . . . . . . . . . 32 102 6.6. Hashing to Group . . . . . . . . . . . . . . . . . . . . 33 103 6.7. Timing Leaks . . . . . . . . . . . . . . . . . . . . . . 33 104 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 33 105 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 106 8.1. Normative References . . . . . . . . . . . . . . . . . . 33 107 8.2. Informative References . . . . . . . . . . . . . . . . . 34 108 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 36 109 A.1. OPRF(ristretto255, SHA-512) . . . . . . . . . . . . . . . 37 110 A.1.1. Base Mode . . . . . . . . . . . . . . . . . . . . . . 37 111 A.1.2. Verifiable Mode . . . . . . . . . . . . . . . . . . . 37 112 A.2. OPRF(decaf448, SHAKE-256) . . . . . . . . . . . . . . . . 39 113 A.2.1. Base Mode . . . . . . . . . . . . . . . . . . . . . . 39 114 A.2.2. Verifiable Mode . . . . . . . . . . . . . . . . . . . 40 115 A.3. OPRF(P-256, SHA-256) . . . . . . . . . . . . . . . . . . 42 116 A.3.1. Base Mode . . . . . . . . . . . . . . . . . . . . . . 42 117 A.3.2. Verifiable Mode . . . . . . . . . . . . . . . . . . . 42 118 A.4. OPRF(P-384, SHA-384) . . . . . . . . . . . . . . . . . . 44 119 A.4.1. Base Mode . . . . . . . . . . . . . . . . . . . . . . 44 120 A.4.2. Verifiable Mode . . . . . . . . . . . . . . . . . . . 45 121 A.5. OPRF(P-521, SHA-512) . . . . . . . . . . . . . . . . . . 46 122 A.5.1. Base Mode . . . . . . . . . . . . . . . . . . . . . . 46 123 A.5.2. Verifiable Mode . . . . . . . . . . . . . . . . . . . 47 124 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 126 1. Introduction 128 A Pseudorandom Function (PRF) F(k, x) is an efficiently computable 129 function taking a private key k and a value x as input. This 130 function is pseudorandom if the keyed function K(_) = F(k, _) is 131 indistinguishable from a randomly sampled function acting on the same 132 domain and range as K(). An Oblivious PRF (OPRF) is a two-party 133 protocol between a server and a client, where the server holds a PRF 134 key k and the client holds some input x. The protocol allows both 135 parties to cooperate in computing F(k, x) such that the client learns 136 F(k, x) without learning anything about k; and the server does not 137 learn anything about x or F(k, x). A Partially-Oblivious PRF (POPRF) 138 is a variant of an OPRF wherein client and server interact in 139 computing F(k, x, y), for some PRF F with server-provided key k, 140 client-provided input x, and public input y [TCRSTW21]. A POPRF with 141 fixed input y is functionally equivalent to an OPRF. A POPRF is said 142 to be 'verifiable' if the server can prove to the client that F(k, x, 143 y) was computed using key k, without revealing k to the client. 145 POPRFs have a variety of applications, including: password-protected 146 secret sharing schemes [JKKX16], privacy-preserving password stores 147 [SJKS17], and password-authenticated key exchange or PAKE 148 [I-D.irtf-cfrg-opaque]. Verifiable POPRFs are necessary in some 149 applications such as Privacy Pass [I-D.davidson-pp-protocol]. 150 Verifiable POPRFs have also been used for password-protected secret 151 sharing schemes such as that of [JKK14]. 153 This document introduces a POPRF protocol built upon prime-order 154 groups based on [TCRSTW21]. The protocol supports optional 155 verifiability with the addition of a non-interactive zero knowledge 156 proof (NIZK). This proof demonstrates correctness of the 157 computation, using a known public key that serves as a commitment to 158 the server's private key. The document describes the protocol, 159 application considerations, and its security properties. 161 1.1. Change log 163 draft-08 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-08): 165 * Adopt partially-oblivious PRF construction from [TCRSTW21]. 167 * Update P-384 suite to use SHA-384 instead of SHA-512. 169 * Update test vectors. 171 * Apply various editorial changes. 173 draft-07 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-07): 175 * Bind blinding mechanism to mode (additive for verifiable mode and 176 multiplicative for base mode). 178 * Add explicit errors for deserialization. 180 * Document explicit errors and API considerations. 182 * Adopt SHAKE-256 for decaf448 ciphersuite. 184 * Normalize HashToScalar functionality for all ciphersuites. 186 * Refactor and generalize DLEQ proof functionality and domain 187 separation tags for use in other protocols. 189 * Update test vectors. 191 * Apply various editorial changes. 193 draft-06 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-06): 195 * Specify of group element and scalar serialization. 197 * Remove info parameter from the protocol API and update domain 198 separation guidance. 200 * Fold Unblind function into Finalize. 202 * Optimize ComputeComposites for servers (using knowledge of the 203 private key). 205 * Specify deterministic key generation method. 207 * Update test vectors. 209 * Apply various editorial changes. 211 draft-05 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-05): 213 * Move to ristretto255 and decaf448 ciphersuites. 215 * Clean up ciphersuite definitions. 217 * Pin domain separation tag construction to draft version. 219 * Move key generation outside of context construction functions. 221 * Editorial changes. 223 draft-04 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04): 225 * Introduce Client and Server contexts for controlling verifiability 226 and required functionality. 228 * Condense API. 230 * Remove batching from standard functionality (included as an 231 extension) 233 * Add Curve25519 and P-256 ciphersuites for applications that 234 prevent strong-DH oracle attacks. 236 * Provide explicit prime-order group API and instantiation advice 237 for each ciphersuite. 239 * Proof-of-concept implementation in sage. 241 * Remove privacy considerations advice as this depends on 242 applications. 244 draft-03 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-03): 246 * Certify public key during VerifiableFinalize. 248 * Remove protocol integration advice. 250 * Add text discussing how to perform domain separation. 252 * Drop OPRF_/VOPRF_ prefix from algorithm names. 254 * Make prime-order group assumption explicit. 256 * Changes to algorithms accepting batched inputs. 258 * Changes to construction of batched DLEQ proofs. 260 * Updated ciphersuites to be consistent with hash-to-curve and added 261 OPRF specific ciphersuites. 263 draft-02 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-02): 265 * Added section discussing cryptographic security and static DH 266 oracles. 268 * Updated batched proof algorithms. 270 draft-01 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-01): 272 * Updated ciphersuites to be in line with 273 https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04. 275 * Made some necessary modular reductions more explicit. 277 1.2. Requirements 279 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 280 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 281 "OPTIONAL" in this document are to be interpreted as described in 282 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 283 capitals, as shown here. 285 2. Preliminaries 287 The (V)OPRF protocol in this document has two primary dependencies: 289 * GG: A prime-order group implementing the API described below in 290 Section 2.1, with base point defined in the corresponding 291 reference for each group. (See Section 4 for these base points.) 293 * Hash: A cryptographic hash function that is indifferentiable from 294 a Random Oracle, whose output length is Nh bytes long. 296 Section 4 specifies ciphersuites as combinations of GG and Hash. 298 2.1. Prime-Order Group Dependency 300 In this document, we assume the construction of an additive, prime- 301 order group GG for performing all mathematical operations. Such 302 groups are uniquely determined by the choice of the prime p that 303 defines the order of the group. We use GF(p) to represent the finite 304 field of order p. For the purpose of understanding and implementing 305 this document, we take GF(p) to be equal to the set of integers 306 defined by {0, 1, ..., p-1}. 308 The fundamental group operation is addition + with identity element 309 I. For any elements A and B of the group GG, A + B = B + A is also a 310 member of GG. Also, for any A in GG, there exists an element -A such 311 that A + (-A) = (-A) + A = I. Scalar multiplication is equivalent to 312 the repeated application of the group operation on an element A with 313 itself r-1 times, this is denoted as r*A = A + ... + A. For any 314 element A, p*A=I. We denote G as the fixed generator of the group. 315 Scalar base multiplication is equivalent to the repeated application 316 of the group operation G with itself r-1 times, this is denoted as 317 ScalarBaseMult(r). The set of scalars corresponds to GF(p). This 318 document uses types Element and Scalar to denote elements of the 319 group GG and its set of scalars, respectively. 321 We now detail a number of member functions that can be invoked on a 322 prime-order group GG. 324 * Order(): Outputs the order of GG (i.e. p). 326 * Identity(): Outputs the identity element of the group (i.e. I). 328 * HashToGroup(x): A member function of GG that deterministically 329 maps an array of bytes x to an element of GG. The map must ensure 330 that, for any adversary receiving R = HashToGroup(x), it is 331 computationally difficult to reverse the mapping. This function 332 is optionally parameterized by a domain separation tag (DST); see 333 Section 4. 335 * HashToScalar(x): A member function of GG that deterministically 336 maps an array of bytes x to an element in GF(p). This function is 337 optionally parameterized by a DST; see Section 4. 339 * RandomScalar(): A member function of GG that chooses at random a 340 non-zero element in GF(p). 342 * SerializeElement(A): A member function of GG that maps a group 343 element A to a unique byte array buf of fixed length Ne. The 344 output type of this function is SerializedElement. 346 * DeserializeElement(buf): A member function of GG that maps a byte 347 array buf to a group element A, or fails if the input is not a 348 valid byte representation of an element. This function can raise 349 a DeserializeError if deserialization fails or A is the identity 350 element of the group; see Section 6.5. 352 * SerializeScalar(s): A member function of GG that maps a scalar 353 element s to a unique byte array buf of fixed length Ns. The 354 output type of this function is SerializedScalar. 356 * DeserializeScalar(buf): A member function of GG that maps a byte 357 array buf to a scalar s, or fails if the input is not a valid byte 358 representation of a scalar. This function can raise a 359 DeserializeError if deserialization fails; see Section 6.5. 361 Two functions can be used for generating a (V)OPRF key pair (skS, 362 pkS) where skS is a non-zero integer less than p and pkS = 363 ScalarBaseMult(skS): GenerateKeyPair and DeriveKeyPair. 364 GenerateKeyPair is a randomized function that outputs a fresh key 365 pair (skS, pkS) upon every invocation. DeriveKeyPair is a 366 deterministic function that generates private key skS from a random 367 byte string seed, which SHOULD have at least Ns bytes of entropy, and 368 then computes pkS = ScalarBaseMult(skS). 370 It is convenient in cryptographic applications to instantiate such 371 prime-order groups using elliptic curves, such as those detailed in 372 [SEC2]. For some choices of elliptic curves (e.g. those detailed in 373 [RFC7748], which require accounting for cofactors) there are some 374 implementation issues that introduce inherent discrepancies between 375 standard prime-order groups and the elliptic curve instantiation. In 376 this document, all algorithms that we detail assume that the group is 377 a prime-order group, and this MUST be upheld by any implementation. 378 That is, any curve instantiation should be written such that any 379 discrepancies with a prime-order group instantiation are removed. 380 See Section 4 for advice corresponding to the implementation of this 381 interface for specific definitions of elliptic curves. 383 2.2. Notation and Terminology 385 The following functions and notation are used throughout the 386 document. 388 * For any object x, we write len(x) to denote its length in bytes. 390 * For two byte arrays x and y, write x || y to denote their 391 concatenation. 393 * I2OSP and OS2IP: Convert a byte array to and from a non-negative 394 integer as described in [RFC8017]. Note that these functions 395 operate on byte arrays in big-endian byte order. 397 * For any two byte strings a and b, CT_EQUAL(a, b) represents 398 constant-time equality between a and b which returns true if a and 399 b are equal and false otherwise. 401 Data structure descriptions use TLS notation [RFC8446], Section 3. 403 All algorithms and procedures described in this document are laid out 404 in a Python-like pseudocode. 406 String values such as "Context-" are ASCII string literals. 408 The following terms are used throughout this document. 410 * PRF: Pseudorandom Function. 412 * OPRF: Oblivious Pseudorandom Function. 414 * VOPRF: Verifiable Oblivious Pseudorandom Function. 416 * POPRF: Partially Oblivious Pseudorandom Function. 418 * Client: Protocol initiator. Learns pseudorandom function 419 evaluation as the output of the protocol. 421 * Server: Computes the pseudorandom function over a private key. 422 Learns nothing about the client's input or output. 424 * NIZK: Non-interactive zero knowledge. 426 * DLEQ: Discrete Logarithm Equality. 428 3. POPRF Protocol 430 In this section, we define two POPRF variants: a base mode and 431 verifiable mode. In the base mode, a client and server interact to 432 compute output = F(skS, input, info), where input is the client's 433 private input, skS is the server's private key, info is the public 434 input (or metadata), and output is the POPRF output. The client 435 learns output and the server learns nothing. In the verifiable mode, 436 the client also receives proof that the server used skS in computing 437 the function. 439 To achieve verifiability, as in the original work of [JKK14], we 440 provide a zero-knowledge proof that the key provided as input by the 441 server in the Evaluate function is the same key as it used to produce 442 their public key. As an example of the nature of attacks that this 443 prevents, this ensures that the server uses the same private key for 444 computing the verifiable POPRF output and does not attempt to "tag" 445 individual clients with select keys. This proof does not reveal the 446 server's private key to the client. 448 The following one-byte values distinguish between these two modes: 450 +================+=======+ 451 | Mode | Value | 452 +================+=======+ 453 | modeBase | 0x00 | 454 +----------------+-------+ 455 | modeVerifiable | 0x01 | 456 +----------------+-------+ 458 Table 1 460 3.1. Overview 462 Both participants agree on the mode and a choice of ciphersuite that 463 is used before the protocol exchange. Once established, the base 464 mode of the protocol runs to compute output = F(skS, input, info) as 465 follows: 467 Client(input, info) Server(skS, info) 468 ---------------------------------------------------------------------- 469 blind, blindedElement = Blind(input) 471 blindedElement 472 ----------> 474 evaluatedElement = Evaluate(skS, blindedElement, info) 476 evaluatedElement 477 <---------- 479 output = Finalize(input, blind, evaluatedElement, blindedElement, info) 481 In Blind the client generates a blinded element and blinding data. 482 The server computes the POPRF evaluation in Evaluate over the 483 client's blinded element, and public information info. In Finalize 484 the client unblinds the server response and produces the POPRF 485 output. 487 In the verifiable mode of the protocol, the server additionally 488 computes a proof in Evaluate. The client verifies this proof using 489 the server's expected public key before completing the protocol and 490 producing the protocol output. 492 3.2. Context Setup 494 Both modes of the POPRF involve an offline setup phase. In this 495 phase, both the client and server create a context used for executing 496 the online phase of the protocol. The key pair (skS, pkS) should be 497 generated by calling either GenerateKeyPair or DeriveKeyPair. 499 The base mode setup functions for creating client and server contexts 500 are below: 502 def SetupBaseServer(suite, skS): 503 contextString = 504 "VOPRF08-" || I2OSP(modeBase, 1) || I2OSP(suite.ID, 2) 505 return ServerContext(contextString, skS) 507 def SetupBaseClient(suite): 508 contextString = 509 "VOPRF08-" || I2OSP(modeBase, 1) || I2OSP(suite.ID, 2) 510 return ClientContext(contextString) 512 The verifiable mode setup functions for creating client and server 513 contexts are below: 515 def SetupVerifiableServer(suite, skS, pkS): 516 contextString = 517 "VOPRF08-" || I2OSP(modeVerifiable, 1) || I2OSP(suite.ID, 2) 518 return VerifiableServerContext(contextString, skS) 520 def SetupVerifiableClient(suite, pkS): 521 contextString = 522 "VOPRF08-" || I2OSP(modeVerifiable, 1) || I2OSP(suite.ID, 2) 523 return VerifiableClientContext(contextString, pkS) 525 Each setup function takes a ciphersuite from the list defined in 526 Section 4. Each ciphersuite has a two-byte field ID used to identify 527 the suite. 529 [[RFC editor: please change "VOPRF08" to "RFCXXXX", where XXXX is the 530 final number, here and elsewhere before publication.]] 532 3.3. Context APIs 534 In this section, we detail the APIs available on the client and 535 server POPRF contexts. Each API has the following implicit 536 parameters: 538 * GG, a prime-order group implementing the API described in 539 Section 2.1. 541 * contextString, a domain separation tag constructed during context 542 setup. 544 The data types PrivateInput and PublicInput are opaque byte strings 545 of arbitrary length no larger than 2^13 octets. Proof is a sequence 546 of two SerializedScalar values, as shown below. 548 struct { 549 SerializedScalar c; 550 SerializedScalar s; 551 } Proof; 553 3.3.1. Server Context 555 The ServerContext encapsulates the context string constructed during 556 setup and the POPRF key pair. It has three functions, Evaluate, 557 FullEvaluate and VerifyFinalize described below. Evaluate takes 558 serialized representations of blinded group elements from the client 559 as inputs along with public input info. 561 FullEvaluate takes PrivateInput values, and it is useful for 562 applications that need to compute the whole POPRF protocol on the 563 server side only. 565 VerifyFinalize takes PrivateInput values and their corresponding 566 output digests from Finalize as input, and returns true if the inputs 567 match the outputs. 569 Note that VerifyFinalize and FullEvaluate are not used in the main 570 POPRF protocol. They are exposed as an API for building higher-level 571 protocols. 573 3.3.1.1. Evaluate 575 Input: 577 Scalar skS 578 SerializedElement blindedElement 579 PublicInput info 581 Output: 583 SerializedElement evaluatedElement 585 Errors: DeserializeError, InverseError 587 def Evaluate(skS, blindedElement, info): 588 R = GG.DeserializeElement(blindedElement) 589 context = "Context-" || contextString || 590 I2OSP(len(info), 2) || info 591 m = GG.HashToScalar(context) 592 t = skS + m 593 if t == 0: 594 raise InverseError 595 Z = t^(-1) * R 596 evaluatedElement = GG.SerializeElement(Z) 598 return evaluatedElement 600 3.3.1.2. FullEvaluate 601 Input: 603 Scalar skS 604 PrivateInput input 605 PublicInput info 607 Output: 609 opaque output[Nh] 611 Errors: InverseError 613 def FullEvaluate(skS, input): 614 P = GG.HashToGroup(input) 615 context = "Context-" || contextString || 616 I2OSP(len(info), 2) || info 617 m = GG.HashToScalar(context) 618 t = skS + m 619 if t == 0: 620 raise InverseError 621 T = t^(-1) * P 622 issuedElement = GG.SerializeElement(T) 624 finalizeDST = "Finalize-" || contextString 625 hashInput = I2OSP(len(input), 2) || input || 626 I2OSP(len(info), 2) || info || 627 I2OSP(len(issuedElement), 2) || issuedElement || 628 I2OSP(len(finalizeDST), 2) || finalizeDST 630 return Hash(hashInput) 632 3.3.1.3. VerifyFinalize 633 Input: 635 Scalar skS 636 PrivateInput input 637 opaque output[Nh] 638 PublicInput info 640 Output: 642 boolean valid 644 def VerifyFinalize(skS, input, output, info): 645 T = GG.HashToGroup(input) 646 element = GG.SerializeElement(T) 647 E = Evaluate(skS, [element], info) 649 finalizeDST = "Finalize-" || contextString 650 hashInput = I2OSP(len(input), 2) || input || 651 I2OSP(len(info), 2) || info || 652 I2OSP(len(E), 2) || E || 653 I2OSP(len(finalizeDST), 2) || finalizeDST 655 digest = Hash(hashInput) 657 return CT_EQUAL(digest, output) 659 3.3.2. VerifiableServerContext 661 The VerifiableServerContext extends the base ServerContext with an 662 augmented Evaluate() function. This function produces a proof that 663 skS was used in computing the result. It makes use of the helper 664 functions GenerateProof and ComputeComposites, described below. 666 3.3.2.1. Evaluate 667 Input: 669 Scalar skS 670 SerializedElement blindedElement 671 PublicInput info 673 Output: 675 SerializedElement evaluatedElement 676 Proof proof 678 Errors: DeserializeError, InverseError 680 def Evaluate(skS, blindedElement, info): 681 R = GG.DeserializeElement(blindedElement) 682 context = "Context-" || contextString || 683 I2OSP(len(info), 2) || info 684 m = GG.HashToScalar(context) 685 t = skS + m 686 if t == 0: 687 raise InverseError 688 Z = t^(-1) * R 690 U = ScalarBaseMult(t) 691 proof = GenerateProof(t, G, U, Z, R) 692 evaluatedElement = GG.SerializeElement(Z) 693 return evaluatedElement, proof 695 The helper functions GenerateProof and ComputeComposites are defined 696 below. 698 3.3.2.2. GenerateProof 699 Input: 701 Scalar k 702 Element A 703 Element B 704 Element C 705 Element D 707 Output: 709 Proof proof 711 def GenerateProof(k, A, B, C, D) 712 Cs = [C] 713 Ds = [D] 714 (M, Z) = ComputeCompositesFast(k, B, Cs, Ds) 716 r = GG.RandomScalar() 717 t2 = r * A 718 t3 = r * M 720 Bm = GG.SerializeElement(B) 721 a0 = GG.SerializeElement(M) 722 a1 = GG.SerializeElement(Z) 723 a2 = GG.SerializeElement(t2) 724 a3 = GG.SerializeElement(t3) 726 challengeDST = "Challenge-" || contextString 727 h2Input = I2OSP(len(Bm), 2) || Bm || 728 I2OSP(len(a0), 2) || a0 || 729 I2OSP(len(a1), 2) || a1 || 730 I2OSP(len(a2), 2) || a2 || 731 I2OSP(len(a3), 2) || a3 || 732 I2OSP(len(challengeDST), 2) || challengeDST 734 c = GG.HashToScalar(h2Input) 735 s = (r - c * k) mod p 737 proof = GG.SerializeScalar(c) || GG.SerializeScalar(s) 738 return proof 740 3.3.2.2.1. Batching inputs 742 Unlike other functions, ComputeComposites takes lists of inputs, 743 rather than a single input. Applications can take advantage of this 744 functionality by invoking GenerateProof on batches of inputs to 745 produce a combined, constant-size proof. (In the pseudocode above, 746 the single inputs blindedElement and evaluatedElement are passed as 747 single-item lists to ComputeComposites.) 749 In particular, servers can produce a single, constant-sized proof for 750 N client inputs sent in a single request, rather than one proof per 751 client input. This optimization benefits clients and servers since 752 it amortizes the cost of proof generation and bandwidth across 753 multiple requests. 755 3.3.2.3. ComputeComposites 757 The definition of ComputeComposites is given below. This function is 758 used both on generation and verification of the proof. 760 Input: 762 Element B 763 Element Cs[m] 764 Element Ds[m] 766 Output: 768 Element M 769 Element Z 771 def ComputeComposites(B, Cs, Ds): 772 Bm = GG.SerializeElement(B) 773 seedDST = "Seed-" || contextString 774 compositeDST = "Composite-" || contextString 776 h1Input = I2OSP(len(Bm), 2) || Bm || 777 I2OSP(len(seedDST), 2) || seedDST 778 seed = Hash(h1Input) 780 M = GG.Identity() 781 Z = GG.Identity() 782 for i = 0 to m-1: 783 Ci = GG.SerializeElement(Cs[i]) 784 Di = GG.SerializeElement(Ds[i]) 785 h2Input = I2OSP(len(seed), 2) || seed || I2OSP(i, 2) || 786 I2OSP(len(Ci), 2) || Ci || 787 I2OSP(len(Di), 2) || Di || 788 I2OSP(len(compositeDST), 2) || compositeDST 789 di = GG.HashToScalar(h2Input) 790 M = di * Cs[i] + M 791 Z = di * Ds[i] + Z 793 return (M, Z) 795 If the private key is known, as is the case for the server, this 796 function can be optimized as shown in ComputeCompositesFast below. 798 Input: 800 Scalar k 801 Element B 802 Element Cs[m] 803 Element Ds[m] 805 Output: 807 Element M 808 Element Z 810 def ComputeCompositesFast(k, B, Cs, Ds): 811 Bm = GG.SerializeElement(B) 812 seedDST = "Seed-" || contextString 813 compositeDST = "Composite-" || contextString 815 h1Input = I2OSP(len(Bm), 2) || Bm || 816 I2OSP(len(seedDST), 2) || seedDST 817 seed = Hash(h1Input) 819 M = GG.Identity() 820 for i = 0 to m-1: 821 Ci = GG.SerializeElement(Cs[i]) 822 Di = GG.SerializeElement(Ds[i]) 823 h2Input = I2OSP(len(seed), 2) || seed || I2OSP(i, 2) || 824 I2OSP(len(Ci), 2) || Ci || 825 I2OSP(len(Di), 2) || Di || 826 I2OSP(len(compositeDST), 2) || compositeDST 827 di = GG.HashToScalar(h2Input) 828 M = di * Cs[i] + M 830 Z = k * M 832 return (M, Z) 834 3.3.3. Client Context 836 The ClientContext encapsulates the context string constructed during 837 setup. It has two functions, Blind() and Finalize(), as described 838 below. It also has an internal function, Unblind(), which is used by 839 Finalize. The implementation of these functions varies depending on 840 the mode. 842 3.3.3.1. Blind and Unblind 843 Input: 845 PrivateInput input 847 Output: 849 Scalar blind 850 SerializedElement blindedElement 852 def Blind(input): 853 blind = GG.RandomScalar() 854 P = GG.HashToGroup(input) 855 blindedElement = GG.SerializeElement(blind * P) 857 return blind, blindedElement 859 The inverse Unblind is implemented as follows. 861 Input: 863 Scalar blind 864 SerializedElement evaluatedElement 866 Output: 868 SerializedElement unblindedElement 870 Errors: DeserializeError 872 def Unblind(blind, evaluatedElement): 873 Z = GG.DeserializeElement(evaluatedElement) 874 N = blind^(-1) * Z 875 unblindedElement = GG.SerializeElement(N) 877 return unblindedElement 879 3.3.3.2. Finalize 881 Finalize depends on the internal Unblind function. In this mode, 882 Finalize does not include all inputs listed in Section 3.1. These 883 additional inputs are only useful for the verifiable mode, described 884 in Section 3.3.4.3. 886 Input: 888 PrivateInput input 889 Scalar blind 890 SerializedElement evaluatedElement 891 PublicInput info 893 Output: 895 opaque output[Nh] 897 def Finalize(input, blind, evaluatedElement, info): 898 unblindedElement = Unblind(blind, evaluatedElement) 900 finalizeDST = "Finalize-" || contextString 901 hashInput = I2OSP(len(input), 2) || input || 902 I2OSP(len(info), 2) || info || 903 I2OSP(len(unblindedElement), 2) || unblindedElement || 904 I2OSP(len(finalizeDST), 2) || finalizeDST 905 return Hash(hashInput) 907 3.3.4. VerifiableClientContext 909 The VerifiableClientContext extends the base ClientContext with the 910 desired server public key pkS with an augmented Unblind() function. 911 This function verifies an evaluation proof using pkS. It makes use 912 of the helper function ComputeComposites described above. It has one 913 helper function, VerifyProof(), defined below. 915 3.3.4.1. VerifyProof 917 This algorithm outputs a boolean verified which indicates whether the 918 proof inside of the evaluation verifies correctly, or not. 920 Input: 922 Element A 923 Element B 924 Element C 925 Element D 926 Proof proof 928 Output: 930 boolean verified 932 Errors: DeserializeError 934 def VerifyProof(A, B, C, D, proof): 935 Cs = [C] 936 Ds = [D] 938 (M, Z) = ComputeComposites(B, Cs, Ds) 939 c = GG.DeserializeScalar(proof.c) 940 s = GG.DeserializeScalar(proof.s) 942 t2 = ((s * A) + (c * B)) 943 t3 = ((s * M) + (c * Z)) 945 Bm = GG.SerializeElement(B) 946 a0 = GG.SerializeElement(M) 947 a1 = GG.SerializeElement(Z) 948 a2 = GG.SerializeElement(t2) 949 a3 = GG.SerializeElement(t3) 951 challengeDST = "Challenge-" || contextString 952 h2Input = I2OSP(len(Bm), 2) || Bm || 953 I2OSP(len(a0), 2) || a0 || 954 I2OSP(len(a1), 2) || a1 || 955 I2OSP(len(a2), 2) || a2 || 956 I2OSP(len(a3), 2) || a3 || 957 I2OSP(len(challengeDST), 2) || challengeDST 959 expectedC = GG.HashToScalar(h2Input) 961 return CT_EQUAL(expectedC, c) 963 3.3.4.2. Verifiable Unblind 965 The inverse VerifiableUnblind is implemented as follows. This 966 function can raise an exception if element deserialization or proof 967 verification fails. 969 Input: 971 Scalar blind 972 SerializedElement evaluatedElement 973 SerializedElement blindedElement 974 Element pkS 975 Scalar proof 976 PublicInput info 978 Output: 980 SerializedElement unblindedElement 982 Errors: DeserializeError, VerifyError 984 def VerifiableUnblind(blind, evaluatedElement, blindedElement, pkS, proof, info): 985 context = "Context-" || contextString || 986 I2OSP(len(info), 2) || info 987 m = GG.HashToScalar(context) 989 R = GG.DeserializeElement(blindedElement) 990 Z = GG.DeserializeElement(evaluatedElement) 992 T = ScalarBaseMult(m) 993 U = T + pkS 994 if VerifyProof(G, U, Z, R, proof) == false: 995 raise VerifyError 997 N = blind^(-1) * Z 998 unblindedElement = GG.SerializeElement(N) 1000 return unblindedElement 1002 3.3.4.3. Verifiable Finalize 1003 Input: 1005 PrivateInput input 1006 Scalar blind 1007 SerializedElement evaluatedElement 1008 SerializedElement blindedElement 1009 Element pkS 1010 Scalar proof 1011 PublicInput info 1013 Output: 1015 opaque output[Nh] 1017 def VerifiableFinalize(input, blind, pkS, evaluatedElement, blindedElement, pkS, proof, info): 1018 unblindedElement = VerifiableUnblind(blind, evaluatedElement, blindedElement, pkS, proof, info) 1020 finalizeDST = "Finalize-" || contextString 1021 hashInput = I2OSP(len(input), 2) || input || 1022 I2OSP(len(info), 2) || info || 1023 I2OSP(len(unblindedElement), 2) || unblindedElement || 1024 I2OSP(len(finalizeDST), 2) || finalizeDST 1025 return Hash(hashInput) 1027 4. Ciphersuites 1029 A ciphersuite (also referred to as 'suite' in this document) for the 1030 protocol wraps the functionality required for the protocol to take 1031 place. This ciphersuite should be available to both the client and 1032 server, and agreement on the specific instantiation is assumed 1033 throughout. A ciphersuite contains instantiations of the following 1034 functionalities: 1036 * GG: A prime-order group exposing the API detailed in Section 2.1, 1037 with base point defined in the corresponding reference for each 1038 group. Each group also specifies HashToGroup, HashToScalar, and 1039 serialization functionalities. For HashToGroup, the domain 1040 separation tag (DST) is constructed in accordance with the 1041 recommendations in [I-D.irtf-cfrg-hash-to-curve], Section 3.1. 1042 For HashToScalar, each group specifies an integer order that is 1043 used in reducing integer values to a member of the corresponding 1044 scalar field. 1046 * Hash: A cryptographic hash function that is indifferentiable from 1047 a Random Oracle, whose output length is Nh bytes long. 1049 This section specifies ciphersuites with supported groups and hash 1050 functions. For each ciphersuite, contextString is that which is 1051 computed in the Setup functions. 1053 Applications should take caution in using ciphersuites targeting 1054 P-256 and ristretto255. See Section 6.2 for related discussion. 1056 4.1. OPRF(ristretto255, SHA-512) 1058 * Group: ristretto255 [RISTRETTO] 1060 - HashToGroup(): Use hash_to_ristretto255 1061 [I-D.irtf-cfrg-hash-to-curve] with DST = "HashToGroup-" || 1062 contextString, and expand_message = expand_message_xmd using 1063 SHA-512. 1065 - HashToScalar(): Compute uniform_bytes using expand_message = 1066 expand_message_xmd, DST = "HashToScalar-" || contextString, and 1067 output length 64, interpret uniform_bytes as a 512-bit integer 1068 in little-endian order, and reduce the integer modulo Order(). 1070 - Serialization: Both group elements and scalars are encoded in 1071 Ne = Ns = 32 bytes. For group elements, use the 'Encode' and 1072 'Decode' functions from [RISTRETTO]. For scalars, ensure they 1073 are fully reduced modulo Order() and in little-endian order. 1075 * Hash: SHA-512, and Nh = 64. 1077 * ID: 0x0001 1079 4.2. OPRF(decaf448, SHAKE-256) 1081 * Group: decaf448 [RISTRETTO] 1083 - HashToGroup(): Use hash_to_decaf448 1084 [I-D.irtf-cfrg-hash-to-curve] with DST = "HashToGroup-" || 1085 contextString, and expand_message = expand_message_xof using 1086 SHAKE-256. 1088 - HashToScalar(): Compute uniform_bytes using expand_message = 1089 expand_message_xof, DST = "HashToScalar-" || contextString, and 1090 output length 64, interpret uniform_bytes as a 512-bit integer 1091 in little-endian order, and reduce the integer modulo Order(). 1093 - Serialization: Both group elements and scalars are encoded in 1094 Ne = Ns = 56 bytes. For group elements, use the 'Encode' and 1095 'Decode' functions from [RISTRETTO]. For scalars, ensure they 1096 are fully reduced modulo Order() and in little-endian order. 1098 * Hash: SHAKE-256, and Nh = 64. 1100 * ID: 0x0002 1102 4.3. OPRF(P-256, SHA-256) 1104 * Group: P-256 (secp256r1) [x9.62] 1106 - HashToGroup(): Use hash_to_curve with suite P256_XMD:SHA- 1107 256_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] and DST = 1108 "HashToGroup-" || contextString. 1110 - HashToScalar(): Use hash_to_field from 1111 [I-D.irtf-cfrg-hash-to-curve] using L = 48, expand_message_xmd 1112 with SHA-256, DST = "HashToScalar-" || contextString, and prime 1113 modulus equal to Order(). 1115 - Serialization: Elements are serialized as Ne = 33 byte strings 1116 using compressed point encoding for the curve [SEC1]. Scalars 1117 are serialized as Ns = 32 byte strings by fully reducing the 1118 value modulo Order() and in big-endian order. 1120 * Hash: SHA-256, and Nh = 32. 1122 * ID: 0x0003 1124 4.4. OPRF(P-384, SHA-384) 1126 * Group: P-384 (secp384r1) [x9.62] 1128 - HashToGroup(): Use hash_to_curve with suite P384_XMD:SHA- 1129 384_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] and DST = 1130 "HashToGroup-" || contextString. 1132 - HashToScalar(): Use hash_to_field from 1133 [I-D.irtf-cfrg-hash-to-curve] using L = 72, expand_message_xmd 1134 with SHA-384, DST = "HashToScalar-" || contextString, and prime 1135 modulus equal to Order(). 1137 - Serialization: Elements are serialized as Ne = 49 byte strings 1138 using compressed point encoding for the curve [SEC1]. Scalars 1139 are serialized as Ns = 48 byte strings by fully reducing the 1140 value modulo Order() and in big-endian order. 1142 * Hash: SHA-384, and Nh = 48. 1144 * ID: 0x0004 1146 4.5. OPRF(P-521, SHA-512) 1148 * Group: P-521 (secp521r1) [x9.62] 1150 - HashToGroup(): Use hash_to_curve with suite P521_XMD:SHA- 1151 512_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] and DST = 1152 "HashToGroup-" || contextString. 1154 - HashToScalar(): Use hash_to_field from 1155 [I-D.irtf-cfrg-hash-to-curve] using L = 98, expand_message_xmd 1156 with SHA-512, DST = "HashToScalar-" || contextString, and prime 1157 modulus equal to Order(). 1159 - Serialization: Elements are serialized as Ne = 67 byte strings 1160 using compressed point encoding for the curve [SEC1]. Scalars 1161 are serialized as Ns = 66 byte strings by fully reducing the 1162 value modulo Order() and in big-endian order. 1164 * Hash: SHA-512, and Nh = 64. 1166 * ID: 0x0005 1168 5. Application Considerations 1170 This section describes considerations for applications, including 1171 explicit error treatment and public metadata representation. 1173 5.1. Error Considerations 1175 Some POPRF APIs specified in this document are fallible. For 1176 example, Finalize and Evaluate can fail if any element received from 1177 the peer fails deserialization. The explicit errors generated 1178 throughout this specification, along with the conditions that lead to 1179 each error, are as follows: 1181 * VerifyError: Verifiable POPRF proof verification failed; 1182 Section 3.3.4.2. 1184 * DeserializeError: Group element or scalar deserialization failure; 1185 Section 2.1. 1187 * InverseError: A scalar is zero and has no inverse; Section 2.1. 1189 The errors in this document are meant as a guide to implementors. 1190 They are not an exhaustive list of all the errors an implementation 1191 might emit. For example, implementations might run out of memory and 1192 return a corresponding error. 1194 5.2. Public Metadata 1196 The optional and public info string included in the protocol allows 1197 clients and servers to cryptographically bind additional data to the 1198 POPRF output. This metadata is known to both parties at the start of 1199 the protocol. It is RECOMMENDED that this metadata be constructed 1200 with some type of higher-level domain separation to avoid cross 1201 protocol attacks or related issues. For example, protocols using 1202 this construction might ensure that the metadata uses a unique, 1203 prefix-free encoding. See [I-D.irtf-cfrg-hash-to-curve], 1204 Section 10.4 for further discussion on constructing domain separation 1205 values. 1207 6. Security Considerations 1209 This section discusses the cryptographic security of our protocol, 1210 along with some suggestions and trade-offs that arise from the 1211 implementation of a POPRF. 1213 6.1. Security Properties 1215 The security properties of a POPRF protocol with functionality y = 1216 F(k, x, t) include those of a standard PRF. Specifically: 1218 * Pseudorandomness: F is pseudorandom if the output y = F(k, x, t) 1219 on any input x is indistinguishable from uniformly sampling any 1220 element in F's range, for a random sampling of k. 1222 In other words, consider an adversary that picks inputs x from the 1223 domain of F and evaluates F on (k, x, t) (without knowledge of 1224 randomly sampled k). Then the output distribution F(k, x, t) is 1225 indistinguishable from the output distribution of a randomly chosen 1226 function with the same domain and range. 1228 A consequence of showing that a function is pseudorandom, is that it 1229 is necessarily non-malleable (i.e. we cannot compute a new evaluation 1230 of F from an existing evaluation). A genuinely random function will 1231 be non-malleable with high probability, and so a pseudorandom 1232 function must be non-malleable to maintain indistinguishability. 1234 A POPRF protocol must also satisfy the following property: 1236 * Partial obliviousness: The server must learn nothing about the 1237 client's private input or the output of the function. In 1238 addition, the client must learn nothing about the server's private 1239 key. Both client and server learn the public input (info). 1241 Essentially, partial obliviousness tells us that, even if the server 1242 learns the client's private input x at some point in the future, then 1243 the server will not be able to link any particular POPRF evaluation 1244 to x. This property is also known as unlinkability [DGSTV18]. 1246 Optionally, for any protocol that satisfies the above properties, 1247 there is an additional security property: 1249 * Verifiable: The client must only complete execution of the 1250 protocol if it can successfully assert that the POPRF output it 1251 computes is correct. This is taken with respect to the POPRF key 1252 held by the server. 1254 Any POPRF that satisfies the 'verifiable' security property is known 1255 as a verifiable POPRF. In practice, the notion of verifiability 1256 requires that the server commits to the key before the actual 1257 protocol execution takes place. Then the client verifies that the 1258 server has used the key in the protocol using this commitment. In 1259 the following, we may also refer to this commitment as a public key. 1261 6.2. Cryptographic Security 1263 Below, we discuss the cryptographic security of the verifiable POPRF 1264 protocol from Section 3, relative to the necessary cryptographic 1265 assumptions that need to be made. 1267 6.2.1. Protocol Security and Computational Hardness Assumptions 1269 The POPRF construction in this document is based on the construction 1270 known as 3HashSDHI given by [TCRSTW21]. The construction is 1271 identical to 3HashSDHI, except that this design can optionally 1272 perform multiple POPRF evaluations in one go, whilst only 1273 constructing one NIZK proof object. This is enabled using an 1274 established batching technique. 1276 The cryptographic security of the construction is based on the 1277 assumption that the One-More Gap Strong Diffie-Hellman Inversion 1278 (SDHI) assumption from [TCRSTW21] is computationally difficult to 1279 solve. [TCRSTW21] show that both the One-More Gap Computational 1280 Diffie Hellman (CDH) assumption and the One-More Gap SDHI assumption 1281 reduce to the q-DL assumption in the algebraic group model, for some 1282 q number of Evaluate queries. (The One-More Gap CDH assumption was 1283 the hardness assumption used to evaluate the 2HashDH-NIZK 1284 construction from [JKK14], which is a predecessor to the design in 1285 this specification.) 1287 6.2.2. Static q-DL Assumption 1289 A side-effect of the POPRF design is that it allows instantiation of 1290 an oracle for retrieving "strong-DH" evaluations, in which an 1291 adversary can query a group element B and scalar c, and receive 1292 evaluation output 1/(k+c)*B. This type of oracle allows an adversary 1293 to form elements of "repeated powers" of the server-side secret. 1294 This "repeated powers" structure has been studied in terms of the 1295 q-DL problem which asks the following: Given G1, G2, h*G2, (h^2)*G2, 1296 ..., (h^Q)*G2; for G1 and G2 generators of GG. Output h where h is 1297 an element of GF(p) 1299 For example, consider an adversary that queries the strong-DH oracle 1300 provided by the POPRF on a fixed scalar c starting with group element 1301 G2, then passes the received evaluation group element back as input 1302 for the next evaluation. If we set h = 1/(k+c), such an adversary 1303 would receive exactly the evaluations given in the q-DL problem: 1304 h*G2, (h^2)*G2, ..., (h^Q)*G2. 1306 [TCRSTW21] capture the power of the strong-DH oracle in the One-More 1307 Gap SDHI assumption and show, in the algebraic group model, the 1308 security of this assumption can be reduced to the security of the 1309 q-DL problem, where q is the number of queries made to the blind 1310 evaluation oracle. 1312 The q-DL assumption has been well studied in the literature, and 1313 there exist a number of cryptanalytic studies to inform parameter 1314 choice and group instantiation (for example, [BG04] and [Cheon06]). 1316 6.2.3. Implications for Ciphersuite Choices 1318 The POPRF instantiations that we recommend in this document are 1319 informed by the cryptanalytic discussion above. In particular, 1320 choosing elliptic curves configurations that describe 128-bit group 1321 instantiations would appear to in fact instantiate a POPRF with 1322 128-(log_2(Q)/2) bits of security. Moreover, such attacks are only 1323 possible for those certain applications where the adversary can query 1324 the POPRF directly. In applications where such an oracle is not made 1325 available this security loss does not apply. 1327 In most cases, it would require an informed and persistent attacker 1328 to launch a highly expensive attack to reduce security to anything 1329 much below 100 bits of security. We see this possibility as 1330 something that may result in problems in the future. Applications 1331 that admit the aforementioned oracle functionality, and that cannot 1332 tolerate discrete logarithm security of lower than 128 bits, are 1333 RECOMMENDED to only implement ciphersuites 0x0002, 0x0004, and 1334 0x0005. 1336 6.3. Proof Randomness 1338 It is essential that a different r value is used for every invocation 1339 of GenerateProof. Failure to do so may leak skS as is possible in 1340 Schnorr or (EC)DSA scenarios where fresh randomness is not used. 1342 6.4. Domain Separation 1344 Applications SHOULD construct input to the protocol to provide domain 1345 separation. Any system which has multiple POPRF applications should 1346 distinguish client inputs to ensure the POPRF results are separate. 1347 Guidance for constructing info can be found in 1348 [I-D.irtf-cfrg-hash-to-curve], Section 3.1. 1350 6.5. Element and Scalar Validation 1352 The DeserializeElement function recovers a group element from an 1353 arbitrary byte array. This function validates that the element is a 1354 proper member of the group and is not the identity element, and 1355 returns an error if either condition is not met. 1357 For P-256, P-384, and P-521 ciphersuites, this function performs 1358 partial public-key validation as defined in Section 5.6.2.3.4 of 1359 [keyagreement]. This includes checking that the coordinates are in 1360 the correct range, that the point is on the curve, and that the point 1361 is not the point at infinity. If these checks fail, deserialization 1362 returns an error. 1364 For ristretto255 and decaf448, elements are deserialized by invoking 1365 the Decode function from [RISTRETTO], Section 4.3.1 and [RISTRETTO], 1366 Section 5.3.1, respectively, which returns false if the element is 1367 invalid. If this function returns false, deserialization returns an 1368 error. 1370 The DeserializeScalar function recovers a scalar field element from 1371 an arbitrary byte array. Like DeserializeElement, this function 1372 validates that the element is a member of the scalar field and 1373 returns an error if this condition is not met. 1375 For P-256, P-384, and P-521 ciphersuites, this function ensures that 1376 the input, when treated as a big-endian integer, is a value between 0 1377 and Order(). For ristretto255 and decaf448, this function ensures 1378 that the input, when treated as a little-endian integer, is a valud 1379 between 0 and Order(). 1381 6.6. Hashing to Group 1383 A critical requirement of implementing the prime-order group using 1384 elliptic curves is a method to instantiate the function 1385 GG.HashToGroup, that maps inputs to group elements. In the elliptic 1386 curve setting, this deterministically maps inputs x (as byte arrays) 1387 to uniformly chosen points on the curve. 1389 In the security proof of the construction Hash is modeled as a random 1390 oracle. This implies that any instantiation of GG.HashToGroup must 1391 be pre-image and collision resistant. In Section 4 we give 1392 instantiations of this functionality based on the functions described 1393 in [I-D.irtf-cfrg-hash-to-curve]. Consequently, any OPRF 1394 implementation must adhere to the implementation and security 1395 considerations discussed in [I-D.irtf-cfrg-hash-to-curve] when 1396 instantiating the function. 1398 6.7. Timing Leaks 1400 To ensure no information is leaked during protocol execution, all 1401 operations that use secret data MUST run in constant time. 1402 Operations that SHOULD run in constant time include all prime-order 1403 group operations and proof-specific operations (GenerateProof() and 1404 VerifyProof()). 1406 7. Acknowledgements 1408 This document resulted from the work of the Privacy Pass team 1409 [PrivacyPass]. The authors would also like to acknowledge helpful 1410 conversations with Hugo Krawczyk. Eli-Shaoul Khedouri provided 1411 additional review and comments on key consistency. Daniel Bourdrez, 1412 Tatiana Bradley, Sofia Celi, Frank Denis, Kevin Lewi, and Bas 1413 Westerbaan also provided helpful input and contributions to the 1414 document. 1416 8. References 1418 8.1. Normative References 1420 [I-D.davidson-pp-protocol] 1421 Davidson, A., "Privacy Pass: The Protocol", Work in 1422 Progress, Internet-Draft, draft-davidson-pp-protocol-01, 1423 13 July 2020, . 1426 [I-D.irtf-cfrg-hash-to-curve] 1427 Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S., 1428 and C. A. Wood, "Hashing to Elliptic Curves", Work in 1429 Progress, Internet-Draft, draft-irtf-cfrg-hash-to-curve- 1430 12, 16 September 2021, 1431 . 1434 [I-D.irtf-cfrg-opaque] 1435 Krawczyk, H., Bourdrez, D., Lewi, K., and C. A. Wood, "The 1436 OPAQUE Asymmetric PAKE Protocol", Work in Progress, 1437 Internet-Draft, draft-irtf-cfrg-opaque-06, 12 July 2021, 1438 . 1441 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1442 Requirement Levels", BCP 14, RFC 2119, 1443 DOI 10.17487/RFC2119, March 1997, 1444 . 1446 [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, 1447 "PKCS #1: RSA Cryptography Specifications Version 2.2", 1448 RFC 8017, DOI 10.17487/RFC8017, November 2016, 1449 . 1451 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1452 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1453 May 2017, . 1455 [RISTRETTO] 1456 Valence, H. D., Grigg, J., Tankersley, G., Valsorda, F., 1457 Lovecruft, I., and M. Hamburg, "The ristretto255 and 1458 decaf448 Groups", Work in Progress, Internet-Draft, draft- 1459 irtf-cfrg-ristretto255-decaf448-01, 4 August 2021, 1460 . 1463 8.2. Informative References 1465 [BG04] "The Static Diffie-Hellman Problem", 1466 . 1468 [Cheon06] "Security Analysis of the Strong Diffie-Hellman Problem", 1469 . 1472 [DGSTV18] "Privacy Pass, Bypassing Internet Challenges Anonymously", 1473 . 1476 [JKK14] "Round-Optimal Password-Protected Secret Sharing and 1477 T-PAKE in the Password-Only model", 1478 . 1480 [JKKX16] "Highly-Efficient and Composable Password-Protected Secret 1481 Sharing (Or, How to Protect Your Bitcoin Wallet Online)", 1482 . 1484 [keyagreement] 1485 Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. 1486 Davis, "Recommendation for pair-wise key-establishment 1487 schemes using discrete logarithm cryptography", National 1488 Institute of Standards and Technology report, 1489 DOI 10.6028/nist.sp.800-56ar3, April 2018, 1490 . 1492 [PrivacyPass] 1493 "Privacy Pass", 1494 . 1496 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 1497 for Security", RFC 7748, DOI 10.17487/RFC7748, January 1498 2016, . 1500 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1501 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1502 . 1504 [SEC1] Standards for Efficient Cryptography Group (SECG), ., "SEC 1505 1: Elliptic Curve Cryptography", 1506 . 1508 [SEC2] Standards for Efficient Cryptography Group (SECG), ., "SEC 1509 2: Recommended Elliptic Curve Domain Parameters", 1510 . 1512 [SJKS17] "SPHINX, A Password Store that Perfectly Hides from 1513 Itself", . 1515 [TCRSTW21] "A Fast and Simple Partially Oblivious PRF, with 1516 Applications", . 1518 [x9.62] ANSI, "Public Key Cryptography for the Financial Services 1519 Industry: the Elliptic Curve Digital Signature Algorithm 1520 (ECDSA)", ANSI X9.62-1998, September 1998. 1522 Appendix A. Test Vectors 1524 This section includes test vectors for the (V)OPRF protocol specified 1525 in this document. For each ciphersuite specified in Section 4, there 1526 is a set of test vectors for the protocol when run in the base mode 1527 and verifiable mode. Each test vector lists the batch size for the 1528 evaluation. Each test vector value is encoded as a hexadecimal byte 1529 string. The label for each test vector value is described below. 1531 * "Input": The private client input, an opaque byte string. 1533 * "Info": The public info, an opaque byte string. 1535 * "Blind": The blind value output by Blind(), a serialized Scalar of 1536 Ns bytes long. 1538 * "BlindedElement": The blinded value output by Blind(), a 1539 serialized Element of Ne bytes long. 1541 * "EvaluatedElement": The evaluated element output by Evaluate(), a 1542 serialized Element of Ne bytes long. 1544 * "Proof": The serialized Proof output from GenerateProof() (only 1545 listed for verifiable mode test vectors), composed of two 1546 serialized Scalar values each of Ns bytes long. 1548 * "ProofRandomScalar": The random scalar r computed in 1549 GenerateProof() (only listed for verifiable mode test vectors), a 1550 serialized Scalar of Ns bytes long. 1552 * "Output": The OPRF output, a byte string of length Nh bytes. 1554 Test vectors with batch size B > 1 have inputs separated by a comma 1555 ",". Applicable test vectors will have B different values for the 1556 "Input", "Blind", "BlindedElement", "EvaluationElement", and "Output" 1557 fields. 1559 Base mode and verifiable mode uses multiplicative blinding. 1561 The server key material, pkSm and skSm, are listed under the mode for 1562 each ciphersuite. Both pkSm and skSm are the serialized values of 1563 pkS and skS, respectively, as used in the protocol. Each key pair is 1564 derived from a seed, which is listed as well, using the following 1565 implementation of DeriveKeyPair: 1567 def DeriveKeyPair(mode, suite, seed): 1568 skS = GG.HashToScalar(seed, DST = "HashToScalar-" || contextString) 1569 pkS = ScalarBaseMult(skS) 1570 return skS, pkS 1572 A.1. OPRF(ristretto255, SHA-512) 1574 A.1.1. Base Mode 1576 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1577 3a3 1578 skSm = 74db8e13d2c5148a1181d57cc06debd730da4df1978b72ac18bc48992a0d2 1579 c0f 1581 A.1.1.1. Test Vector 1, Batch Size 1 1583 Input = 00 1584 Info = 7465737420696e666f 1585 Blind = c604c785ada70d77a5256ae21767de8c3304115237d262134f5e46e512cf 1586 8e03 1587 BlindedElement = 744441a5d3ee12571a84d34812443eba2b6521a47265ad655f0 1588 1e759b3dd7d35 1589 EvaluationElement = 4254c503ee2013262473eec926b109b018d699b8dd954ee8 1590 78bc17b159696353 1591 Output = 9aef8983b729baacb7ecf1be98d1276ca29e7d62dbf39bc595be018b66b 1592 199119f18579a9ae96a39d7d506c9e00f75b433a870d76ba755a3e7196911fff89ff 1593 3 1595 A.1.1.2. Test Vector 2, Batch Size 1 1597 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1598 Info = 7465737420696e666f 1599 Blind = 5ed895206bfc53316d307b23e46ecc6623afb3086da74189a416012be037 1600 e50b 1601 BlindedElement = f4eeea4e1bcb2ec818ee2d5c1fcec56c24064a9ff4bea5b3dd6 1602 877800fc28e4d 1603 EvaluationElement = 185dae43b6209dacbc41a62fd4889700d11eeeff4e83ffbc 1604 72d54daee7e25659 1605 Output = f556e2d83e576b4edc890472572d08f0d90d2ecc52a73b35b2a8416a72f 1606 f676549e3a83054fdf4fd16fe03e03bee7bb32cbd83c7ca212ea0d03b8996c2c268b 1607 2 1609 A.1.2. Verifiable Mode 1610 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1611 3a3 1612 skSm = ad08ad9c7107691d792d346d743e8a79b8f6ae0673d58cbf7389d7003598c 1613 903 1614 pkSm = 7a5627aec2f2209a2fc62f39f57a8f5ffc4bbfd679d0273e6081b2b621ee3 1615 b52 1617 A.1.2.1. Test Vector 1, Batch Size 1 1619 Input = 00 1620 Info = 7465737420696e666f 1621 Blind = ed8366feb6b1d05d1f46acb727061e43aadfafe9c10e5a64e7518d63e326 1622 3503 1623 BlindedElement = 56c6926e940df23d5dfe6a48949c5a9e5b503df3bff36454ba4 1624 821afa1528718 1625 EvaluationElement = 523774950001072a4fb1f1f3300f7feb1eeddb5b8304baa9 1626 c3d463c11e7f0509 1627 Proof = c973c8cfbcdbb12a09e7640e44e45d85d420ed0539a18dc6c67c189b4f28 1628 c70dd32f9b13717ee073e1e73333a7cb17545dd42ed8a2008c5dae11a3bd7e70260d 1629 ProofRandomScalar = 019cbd1d7420292528f8cdd62f339fdabb602f04a95dac9d 1630 bcec831b8c681a09 1631 Output = 2d9ed987fdfa623a5b4d5e445b127e86212b7c8f2567c175b424c59602f 1632 bba7c36975df5e4ecdf060430c8b1b581fc97e953535fd82089e15afbafcf310b339 1633 9 1635 A.1.2.2. Test Vector 2, Batch Size 1 1637 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1638 Info = 7465737420696e666f 1639 Blind = e6d0f1d89ad552e383d6c6f4e8598cc3037d6e274d22da3089e7afbd4171 1640 ea02 1641 BlindedElement = 5cd133d03df2e1ff919ed85501319c2039853dd7dc59da73605 1642 fd5791b835d23 1643 EvaluationElement = c0ba1012cbfb0338dadb435ef1d910eb179dc18c0d0a341f 1644 0249a3a9ff03b06e 1645 Proof = 156761aee4eb6a5e1e32bc0adb56ea46d65883777e152d4c607a3a3b8abf 1646 3b036ecebae005d3f26222a8da0a3924cceed8a1a7c707ef4ba077456c3e80f8c40f 1647 ProofRandomScalar = 74ae06fd50d5f26c2519bd7b184f45dd3ef2cb50197d42df 1648 9d013f7d6c312a0b 1649 Output = f5da1276b5ca3de4591534cf2d96f7bb49059bd374f40259f42dca89d72 1650 3cac69ed3ae567128aaa2dfdf777f333615524aec24bc77b0a38e200e6a07b6c638e 1651 b 1653 A.1.2.3. Test Vector 3, Batch Size 2 1654 Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1655 Info = 7465737420696e666f 1656 Blind = 80513e77795feeec6d2c450589b0e1b178febd5c193a9fcba0d27f0a06e0 1657 d50f,533c2e6d91c934f919ac218973be55ba0d7b234160a0d4cf3bddafbda99e2e0 1658 c 1659 BlindedElement = 1c7ee9c1b4145dabeba9ad159531432a20718cb44a86f79dc73 1660 f6f8671c9bf5e,7c1ef37881602cb6d3cf995e6ee310ed51e39b80ce0a825a316bc6 1661 21d0580a14 1662 EvaluationElement = a8a66348d351408cb7e2d26341a1258ba91c1a7d1b380f62 1663 15bdfc242500991b,5a4b72bee9d2ca80ea220571690e2f92fadd0c13635b2888bc1 1664 ff255f8fee975 1665 Proof = caad28bac17ce71d59b43956e8d80f3edde3d0c317144bef3d10d9733ef1 1666 cf09fd910c663ea85ad7cfaf641d73314694fe18d3f6b89cfe001b18163ff908d10a 1667 ProofRandomScalar = 3af5aec325791592eee4a8860522f8444c8e71ac33af5186 1668 a9706137886dce08 1669 Output = 2d9ed987fdfa623a5b4d5e445b127e86212b7c8f2567c175b424c59602f 1670 bba7c36975df5e4ecdf060430c8b1b581fc97e953535fd82089e15afbafcf310b339 1671 9,f5da1276b5ca3de4591534cf2d96f7bb49059bd374f40259f42dca89d723cac69e 1672 d3ae567128aaa2dfdf777f333615524aec24bc77b0a38e200e6a07b6c638eb 1674 A.2. OPRF(decaf448, SHAKE-256) 1676 A.2.1. Base Mode 1678 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1679 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3 1680 skSm = 82c2a6492e1792e6ccdf1d7cff410c717681bd53ad47da7646b14ebd05885 1681 53e4c034e02b3ae5e724600a17a638ad528c04f793df56c2618 1683 A.2.1.1. Test Vector 1, Batch Size 1 1685 Input = 00 1686 Info = 7465737420696e666f 1687 Blind = d1080372f0fcf8c5eace50914e7127f576725f215cc7c111673c635ce668 1688 bbbb9b50601ad89b358ab8c23ed0b6c9d040365ec9d060868714 1689 BlindedElement = 1c354d6d31500c7c5ae6fb10901ac87552ea3af1824e79871e2 1690 596ef537f86abac64859cf6f35911ab74f0b09a06ecc757a65a104e9e49fb 1691 EvaluationElement = 9e5bbf27b2312a493b2f2f1d051b7cdf3801769ec5dc0724 1692 51b68c4d0d4ed9303979ec4798261a01fabd8d25540f48a11dd8342fded95383 1693 Output = 5f8c28d5e760786cbd000ac58444bd216141472b9370b058408a714da5e 1694 3dd51fc572f96c99a9338bc8569abc991bc1523fa1467cd3a0de3aef7f154bd65d92 1695 e 1697 A.2.1.2. Test Vector 2, Batch Size 1 1698 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1699 Info = 7465737420696e666f 1700 Blind = aed1ffa44fd8f0ed16373606a3cf7df589cca86d8ea1abbf5768771dbef3 1701 d401c74ae55ba1e28b9565e1e4018eb261a14134a4ce60c1c718 1702 BlindedElement = e8111f22d50595f68f01a6a9135f50e8702c90794c2637fbe00 1703 9046f0c455884cc77ee7a87f3abf494afe780b3620ab0e7fb65c65ba902b2 1704 EvaluationElement = 0ec625f99914ba702f0e6bc5d0f837cb4deaf7ab3ac55458 1705 7182c3dfe1dad6d1540964f9581d26e8ef0a47b61c5f145109a5fffe04ad528e 1706 Output = 7f0e40c08d8220f88c0961925f764ee0e4e08909d497f462a97a2030b40 1707 b44986fa76d344efb9b0acab23db81356fc8c380b80701a61a5fa76097a5d2ea7aa9 1708 e 1710 A.2.2. Verifiable Mode 1712 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1713 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3 1714 skSm = 5d295b55d1d6e46411bbb4151d154dc61711012ff2390255b3345988f8e3c 1715 458089d52e9b1d837049898f9e4e63a4534f0ed3b3a47c7051c 1716 pkSm = 8e623ef9b65ef2ce148ce56249ee5e69ed6acd3e504a07905cc4c09312551 1717 8d30ae7d6de274438b822d5a55a4365216ac588a4c400fbf6ff 1719 A.2.2.1. Test Vector 1, Batch Size 1 1721 Input = 00 1722 Info = 7465737420696e666f 1723 Blind = 4c936db1779a621b6c71475ac3111fd5703a59b713929f36dfd1e892a7fe 1724 814479c93d8b4b6e11d1f6fe5351e51457b665fa7b76074e531f 1725 BlindedElement = 74bb2406b15a86ba94b0686901545f8ddc23e64918de47c76fa 1726 0bf812387021392c73e01068ac9cc07c7647b3d0d4e648c27bb3880ddb8e5 1727 EvaluationElement = 90997b495c19f16561a3286a7bcba9a4ee6e12bab4d580d5 1728 004ae5064d90a389124e81066f3f1dbf9a729ab46ed674c3292f56d54a0d5641 1729 Proof = 668f6ef88b249d51b6c94bfe82f2bec35ab7386bc9f3d14209d0247a5b6e 1730 bedec4c333947fff96d322f516f4674cc07638b8e854c52be7045d83d65aff518104 1731 60ec43417a6c6efbfb67ba7b0257b1237c64e6792195e338474d09df32b076c0b702 1732 ec8c639b34c29878b87aad70d63c 1733 ProofRandomScalar = 1b3f5a55b2f18f8c53d4ecf2e1c27e1028f1c345bb504486 1734 4aa9dd8439d7520a7ba6183d50ef08bdf6c781aa465660c93e8195a8d231b62f 1735 Output = 7db8c49354861f2d71c8175681c9cc930a00251330b2acc5c321f9833fe 1736 d4113a1cb3e05a3840082c24e8d49470474dd1c7586f3663f32f66dc3888c63dc0e6 1737 e 1739 A.2.2.2. Test Vector 2, Batch Size 1 1740 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1741 Info = 7465737420696e666f 1742 Blind = 15b3355179392f40c3d5a15f0d5ffc354e340454ec779f575e4573a3886a 1743 b5e57e4da2985cea9e32f6d95539ce2c7189e1bd7462e8c5483a 1744 BlindedElement = ea3418614d71144ac4ecbd2c63c30ce34718b739ba0a5dd3585 1745 efd9800b9debdad4cffc25dcc39b4691aaffba19ead8a425d7d50f016f57e 1746 EvaluationElement = 7e12ab491c3787a1f17118f7a0308f8c41f4cd6e850cf7fa 1747 ba030b6c1bf1888337149e7c2fc88068626a0107be18e8b9e29f41c8d1510049 1748 Proof = 91ed184bf518a155749a99d39bed3f9dc9895054e55fab0ebd0ce4270e84 1749 52fcc8da055e8c2f75f2306ecacaa594de592e0d0b059b8eb30e15d5c3132b71ebc4 1750 933596c563ee8ce8681e0e40534e92ce487a0e33e341f02a9aaa1f750d9efa7545a0 1751 008b2f8dde5047ce68d00c2e962e 1752 ProofRandomScalar = 2f2e9955be83a4b25743ebd3618d4fad8b7288477da50bed 1753 9befa58af639ddd950fec34205f8a4f166fadcb8fa71a3ffdd2e98f4c8ef5e26 1754 Output = 66125718c5d651c88ab57dda67c52a506d436600f1521b7684c869b9a2b 1755 3e67d1b41c47593e79fd6b70aaae8d3689536897ae8964ffcd433c0884c12c94929d 1756 c 1758 A.2.2.3. Test Vector 3, Batch Size 2 1760 Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1761 Info = 7465737420696e666f 1762 Blind = 614bb578f29cc677ea9e7aea3e4839413997e020f9377b63c13584156a09 1763 a46dd2a425c41eac0e313a47e99d05df72c6e1d58e6592577a0d,4c115060bca87db 1764 7d73e00cbb8559f84cb7a221b235b0950a0ab553f03f10e1386abe954011b7da62bb 1765 6599418ef90b5d4ea98cc28aff517 1766 BlindedElement = 909b0b8bcb900bd9e70f27258d7264015c50f3717361afff22d 1767 16ad84758d2c6b7a1963263d0d035f63b88df8b473f9365c53abcec34b201,726315 1768 ee47e217344da7036a24f806177e221c9f6eae5763f9089b16bada69b85aec56c3ca 1769 83b6f5f1091640ea3fe3e9429ff2aa7772efef 1770 EvaluationElement = 46d8dec85a27698b4b69a67299eab1da0ec2bbed013a3a59 1771 b932e2938e2e2c5bcc8274febf49b7903419c18b895f17c4a9a504737d7a3fdc,fe4 1772 7eca9d06b400c80cc2b749284312c6f97c7b5d88055fe56b068c441e053fe909c6c2 1773 2bb7cd646a932e2d3838b7b3e2e883cfe0ed1a2a1 1774 Proof = 1f63637de4f945f5937ac015a508420f119f7b6a8e001439a1923a1705ce 1775 ee704ad17664ff4c72f89566f83ceccee3001d44d849ac4dad2bc05b9bc718ba787f 1776 c3c5b09198c4ab244455bac64a9a231b18c4682c0e6e30ae5398f5c041ee2c5b02c6 1777 19b7497c5bf070fdb4656353de1d 1778 ProofRandomScalar = a614f1894bcf6a1c7cef33909b794fe6e69a642b20f4c911 1779 8febffaf6b6a31471fe7794aa77ced123f07e56cc27de60b0ab106c0b8eab127 1780 Output = 7db8c49354861f2d71c8175681c9cc930a00251330b2acc5c321f9833fe 1781 d4113a1cb3e05a3840082c24e8d49470474dd1c7586f3663f32f66dc3888c63dc0e6 1782 e,66125718c5d651c88ab57dda67c52a506d436600f1521b7684c869b9a2b3e67d1b 1783 41c47593e79fd6b70aaae8d3689536897ae8964ffcd433c0884c12c94929dc 1785 A.3. OPRF(P-256, SHA-256) 1787 A.3.1. Base Mode 1789 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1790 3a3 1791 skSm = c15d9e9ab36d495d9d62954db6aafe06d3edabf41600d58f9be0737af2719 1792 e97 1794 A.3.1.1. Test Vector 1, Batch Size 1 1796 Input = 00 1797 Info = 7465737420696e666f 1798 Blind = 5d9e7f6efd3093c32ecceabd57fb03cf760c926d2a7bfa265babf29ec98a 1799 f0d0 1800 BlindedElement = 03e9097c54d2ea05f99424bdf984ea30ecc3614029bd5f1139e 1801 70c4e1ae3bdbd92 1802 EvaluationElement = 0202e4d1a338659c211900c39855f30025359928d261e6c9 1803 558d667b3fbbc811cd 1804 Output = 15b96275d06b85741f491fe0cad5cb835baa6c39066cbea73132dcf95e8 1805 58e1c 1807 A.3.1.2. Test Vector 2, Batch Size 1 1809 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1810 Info = 7465737420696e666f 1811 Blind = 825155ab61f17605af2ae2e935c78d857c9407bcd45128d57d338f1671b5 1812 fcbe 1813 BlindedElement = 03fa1ea45dd58d6b516c1252f2791610bf5ff1828c93be8af66 1814 786f45fb4d14db5 1815 EvaluationElement = 02657822553416d91bb3d707040fd0d5a0555f5cbae7519d 1816 f3a297747a3ad1dd57 1817 Output = e97f3f451f3cfce45a530dec0a0dec934cd78c5b656771549072ee236ce 1818 070b9 1820 A.3.2. Verifiable Mode 1822 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1823 3a3 1824 skSm = 7f62054fcd598b5e023c08ef0f04e05e26867438d5e355e846c9d8788d5c7 1825 a12 1826 pkSm = 03d6c3f69cfa683418a533fc52143a377f166e571ae50581abcb97ffd4e71 1827 24395 1829 A.3.2.1. Test Vector 1, Batch Size 1 1830 Input = 00 1831 Info = 7465737420696e666f 1832 Blind = cee64d86fd20ab4caa264a26c0e3d42fb773b3173ba76f9588c9b14779bd 1833 8d91 1834 BlindedElement = 029e103c4003ab9bf4a42e2003dd180922c8517927a68320058 1835 178fee56c6ac8a0 1836 EvaluationElement = 02856ac0748085d250d842b8b8fff6c1a9f688c961de52c4 1837 a1e6c004c48196a123 1838 Proof = 2a95bd827cf47873c886967ef6c17fe0e46efddd3b5f639927215cb7592a 1839 4bf12a29117174a1af5899d64855352690e416b37f2a95580846a6bec445d82364fc 1840 ProofRandomScalar = 70a5204b2b606f5a28328916e1e5ea5a17862d7a261fdd6d 1841 959759758d5e34ac 1842 Output = 14afc50acf64589445991da5b60add8b3f71205d53a983023d3cdaf8c95 1843 c300d 1845 A.3.2.2. Test Vector 2, Batch Size 1 1847 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1848 Info = 7465737420696e666f 1849 Blind = 5c4b401063eff0bf242b4cd534a79bacfc2e715b2db1e7a3ad4ff8af1b24 1850 daa2 1851 BlindedElement = 0323aabcfa93e9570524253671b3ce083144b183cecb562ec8f 1852 8a8472fc8cf341b 1853 EvaluationElement = 03087bc7e00b8ad80b8a27484b91f8bf824a5d896a703135 1854 4edfa3269866493d9f 1855 Proof = fe55ecc9a92f940d4a56207a58e5554c6976b9425c917d24237b0a35c312 1856 bdcdea778a5c56690309ff28f26cc8bc5994e85868e3c870e5a32c0a559d80deccb8 1857 ProofRandomScalar = 3b9217801b5d51cef66d9fdbd94a53533e7c5057e09e2200 1858 65ea8c257c0dd606 1859 Output = 533c79459ee0ffa8844ac37572f3616e10a1074dcbf945ce37b0c651cbb 1860 5775f 1862 A.3.2.3. Test Vector 3, Batch Size 2 1863 Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1864 Info = 7465737420696e666f 1865 Blind = f0c7822ba317fb5e86028c44b92bd3aedcf6744d388ca013ef33edd36930 1866 4eda,3b9631be9f8b274d9aaf671bfb6a775229bf435021b89c683259773bc686956 1867 b 1868 BlindedElement = 021af4563c31cf1513bc5ae0b89c5b527c7ac70614b9d31c44c 1869 eb292ab49c91cc4,03f7e7ebe5610710c360df40cbd90dc52c2da500664e879f2afb 1870 78e71f815abee1 1871 EvaluationElement = 03c8678cdb95e2f0eac027932c51893a20326b774ef23531 1872 bcd95def84060d240d,02b68c3891314a9696b5dff5df4b4e5b325938e2c5cb90f5f 1873 b9ba6a1133aa4dd14 1874 Proof = 6efbde69d36e3f9d53a79a73ce46d5d8ef31f0df2fb3f6f2c882b21fdf0e 1875 d76dcd755e42f35f00daaa6e964f48125cf1d642b1cea2e5faa2fb868584a8752bf2 1876 ProofRandomScalar = 8306b863276ae74049615162a416d507a6532c99c1ea3f03 1877 d05f6e78dc1edabe 1878 Output = 14afc50acf64589445991da5b60add8b3f71205d53a983023d3cdaf8c95 1879 c300d,533c79459ee0ffa8844ac37572f3616e10a1074dcbf945ce37b0c651cbb577 1880 5f 1882 A.4. OPRF(P-384, SHA-384) 1884 A.4.1. Base Mode 1886 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1887 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3 1888 skSm = b9ff42e68ef6f8eaa3b4d15d15ceb6f3f36b9dc332a3473d64840fc7b4462 1889 6c6e70336bdecbe01d9c512b7e7d7e6af21 1891 A.4.1.1. Test Vector 1, Batch Size 1 1893 Input = 00 1894 Info = 7465737420696e666f 1895 Blind = 359073c015b92d15450f7fb395bf52c6ea98384c491fe4e4d423b59de7b0 1896 df382902c13bdc9993d3717bda68fc080b99 1897 BlindedElement = 0285d803c65fda56993a296b99e8f4944e45cccb9b322bbc265 1898 c91a21d2c9cd146212aefbf3126ed59d84c32d6ab823b66 1899 EvaluationElement = 026061a4ccfe38777e725855c96570fe85303cd70567007e 1900 489d0aa8bfced0e47579ecbc290e5150b9e84bf25188294f7e 1901 Output = bc2c3c895f96d769703aec18359cbc0e84b41248559f0bd44f1e5467522 1902 3c77e00874bbe61c1c320d3c95aee5a8c752f 1904 A.4.1.2. Test Vector 2, Batch Size 1 1905 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1906 Info = 7465737420696e666f 1907 Blind = 21ece4f9b6ffd01ce82082545413bd9bb5e8f3c63b86ae88d9ce0530b01c 1908 b1c23382c7ec9bdd6e75898e4877d8e2bc17 1909 BlindedElement = 0211dd06e40b902006c33a92dc476a7c708b6b46c990656239c 1910 d6867ff0be5867d859517eaf7ea9bad10702b80a9dc6bdc 1911 EvaluationElement = 03a1d34b657f6267b29338592e3c769db5d3fc8713bf2eb7 1912 238efb8138d5af8c56f9437315a5c58761b35cbfc0e1d2511d 1913 Output = ee37530d0d7b20635fbc476317343b257750ffb3e83a2865ce2a46e5959 1914 1f854b8301d6ca7d063322314a33b953c8bd5 1916 A.4.2. Verifiable Mode 1918 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1919 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3 1920 skSm = 42c4d1c15d27be015844404088967afe48c8ae96d4f00ce48e4d38ecabfb8 1921 feb5b748de625cdf81ab076745d6211be95 1922 pkSm = 0389ad5e50eebf9617ae3a5778e4f0665b56aa9066919e1fa5580d8dd781d 1923 560824e0e78aae816af6eff8abe2ad0585a0d 1925 A.4.2.1. Test Vector 1, Batch Size 1 1927 Input = 00 1928 Info = 7465737420696e666f 1929 Blind = 102f6338df84c9602bfa9e7d690b1f7a173d07e6d54a419db4a6308f8b09 1930 589e4283efb9cd1ee4061c6bf884e60a8774 1931 BlindedElement = 02ae8990d580dcd52b6bc273bc6d0fd25be50b057511b953d9c 1932 c95bb27cb3e1fd3249ae19744ed496c6e4104ebc1ed48f1 1933 EvaluationElement = 024cffdae0cae5fa4d6a68246ae797dbe06508284b65e0f0 1934 9046977ab5d52a8b38f0245607db74979e5276fc636332cdee 1935 Proof = 128ad4f987ce1e3a9aab1e487df15d8c8000d5c4c9f14bd7fd699fabdb8d 1936 a3f577d91625fabb0d9cf6069f8af6d9cc232dd63cd161be84a1e146e0110dc741e6 1937 26a082193aa0a26e03118b662f1b903667f6e6fba51d69a2d65982a3b64ecb35 1938 ProofRandomScalar = 90f67cafc0ffaa7a1e1d1ced3c477fea691e696032c8709c 1939 86cbcda2b184ad0029d29abeabede9788d11782429bff297 1940 Output = 8a0b4829bc8422b1a2301d5471256892883c5e3fe27b998d1010225a706 1941 545637336a20a76f842d8a22e591d382c77e4 1943 A.4.2.2. Test Vector 2, Batch Size 1 1944 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1945 Info = 7465737420696e666f 1946 Blind = 8aec1d0c3d16afd032da7ba961449a56cec6fb918e932b06d5778ac7f67b 1947 ecfb3e3869237f74106241777f230582e84a 1948 BlindedElement = 02a384f2d9635adffcc5482344c519036c019f3cc0918ec737c 1949 67cdda10ac0f73a9fe348835531f1900ea2c1f06dacdce4 1950 EvaluationElement = 0306f0f71b58d53ae0973538a7bf2ce8fba7143efc88d2ef 1951 ca6cf1f98fb8399b16840d1fbbe7897807db930f67916418ae 1952 Proof = 2c47297ee0093061ca2c87b430b2851a860aaae76c2bdba48779ba4294e7 1953 de0556ede3e6b881a04970b68a6126e2fa197d69e6784fbbd173604501c0edd21696 1954 628f0fd7cb13be28f94e5e15c042ffccadd780b2448d7d9d528e9615e4e70539 1955 ProofRandomScalar = bb1876a7f7165ac7ec79bfd5213ea2e374252f29a6e19915 1956 f81b0c7dcea93ce6580e089ede31c1b6b5b33494581b4868 1957 Output = 8c52d40c1f6cc80208bd610178a5034d6c4a05584e19b69617f846b09a8 1958 545443c63c8aa4d85bf0aad368e0591b1216a 1960 A.4.2.3. Test Vector 3, Batch Size 2 1962 Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 1963 Info = 7465737420696e666f 1964 Blind = 41fabd4722d92472d858051ce9ad1a533176a862c697b2c392aff2aeb77e 1965 b20c2ae6ba52fe31e13e03bf1d9f39878b23,51171628f1d28bb7402ca4aea6465e2 1966 67b7f977a1fb71593281099ef2625644aee0b6c5f5e6e01a2b052b3bd4caf539b 1967 BlindedElement = 02d4e6186c9ffa92565055f43f27bb1e2c4103c3325bba0b499 1968 adb99a157987d20fb374096814e438a6b483efa8f2a3307,033a3b052416a8a6d842 1969 a0baea6f5fab99d36645a70c89897a536970d34038eca35afac24906294cb7925b1b 1970 05e4327c8f 1971 EvaluationElement = 037bf8e28a0607b1f8aa59363380b5a7450b66b98017cf03 1972 3797f6c6c74e7625a445f71ace1bea7836ea5baa75d54eb5bd,03b793a9cb2d76991 1973 f1d6cd822abfbfa89fdfa1a06ef42b0bc8ade161e1996ed08c288a08366d4140c762 1974 7bba4e3472bcf 1975 Proof = 27240901b6855d2b58ce84afefa91dd11819d7d5df73f94865a9d7e19020 1976 41200eb732b60b57fa0daf6e456402bb1ccb1aed901af35d3d790cd7c618604b766b 1977 b9271010354da9e4e5507e0468adf177977143db2ddb94d9b70e837ad7578275 1978 ProofRandomScalar = 1b538ff23749be19e92df82df1acd3f606cc9faa9dc7ab25 1979 1997738a3a232f352c2059c25684e6ccea420f8d0c793fa0 1980 Output = 8a0b4829bc8422b1a2301d5471256892883c5e3fe27b998d1010225a706 1981 545637336a20a76f842d8a22e591d382c77e4,8c52d40c1f6cc80208bd610178a503 1982 4d6c4a05584e19b69617f846b09a8545443c63c8aa4d85bf0aad368e0591b1216a 1984 A.5. OPRF(P-521, SHA-512) 1986 A.5.1. Base Mode 1987 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1988 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 1989 3a3 1990 skSm = 00a2f8572ee764d2ec34363fb62ef9e8ff48883b5357b6802f43fffe5c5fd 1991 0d11f766bf7086aab33e2dce02cc71d77250ef6ed360a3fd56244abb6bdbc3aa6534 1992 da1 1994 A.5.1.1. Test Vector 1, Batch Size 1 1996 Input = 00 1997 Info = 7465737420696e666f 1998 Blind = 01b983705fcc9a39607288b935b0797ac6b3c4b2e848823ac9ae16b3a3b5 1999 816be03432370deb7c3c17d9fc7cb4e0ce646e04e42d638e0fa7a434ed340772a8b5 2000 d626 2001 BlindedElement = 03006ce4a27e778a624d943cf4db48f9d393d3d4dd9cd44b78a 2002 cf2d5b668a12f0ca587962de8c82b5aaa1f0166eb60d511f060aaab895fc6c519332 2003 77bc945add6d74a 2004 EvaluationElement = 030055f7cd3ee3b1734e73ad8bbd4baca72ae8d051160c27 2005 7ee329f23fa2365f9f138b38e6e2c59cc287242eeca01fae83d0c7cc3bb19724ac59 2006 8a188816e7cfe1ca88 2007 Output = aa59060a41ec8ca7b6c47f9c5a31883a44ffd95869a09dbe845ea8ce20c 2008 b290dba0b57c505824a0dcf6f961a2baeb8e6b49df8c158761a3fdb46f39e8e7fcb8 2009 b 2011 A.5.1.2. Test Vector 2, Batch Size 1 2013 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 2014 Info = 7465737420696e666f 2015 Blind = 01a03b1096b0316bc8567c89bd70267d35c8ddcb2be2cdc867089a2eb5cf 2016 471b1e6eb4b043b9644c8539857abe3a2022e9c9fd6a1695bbabe8add48bcd149ff3 2017 b841 2018 BlindedElement = 0201459ba64ad0e0f9f689f0ad5ab29ca5b960f5c9da3aef412 2019 6d2d547b871e754b17971fd45e0d64bdcfc8d256c342a141f04e2640705c38936c8c 2020 f53c22ea6b13966 2021 EvaluationElement = 030094036457e8e5bf77719b11f01dd4aa2959efdb3329c3 2022 e3b25493efc3ab572c2e7db104cd5922645320ef51bbb282f84e5f6b08e9b49354f9 2023 d6a9f3a4327a1de6e4 2024 Output = 5efe6f00f45ec4e87e4c9b89aeaec61313c15c0a0a21ee2e41362d6af54 2025 536adf2f68d23c729b92b6fa8d5611764b0272be6cc153d47a0256c8cb44bd740037 2026 a 2028 A.5.2. Verifiable Mode 2029 seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 2030 3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a 2031 3a3 2032 skSm = 0064799c2f9c0f9e6b9ac2aca5c42687cf15742fb73e086c4954aa0bdc8b8 2033 25911ff03712e8d308c0a6ff5435375036f189391234bf21aac57fa73df155d70da4 2034 7bd 2035 pkSm = 03013e587a7750213bb7c2b338a4507635f1ba60ece346de32ad975373e56 2036 fbabd878f9956996aac83a550ed5f5ba98fcc56817f6230cc7e84cb7eb2a1e1db51d 2037 bfc1b 2039 A.5.2.1. Test Vector 1, Batch Size 1 2041 Input = 00 2042 Info = 7465737420696e666f 2043 Blind = 00bbb82117c88bbd91b8954e16c0b9ceed3ce992b198be1ebfba9ba970db 2044 d75beefbfc6d056b7f7ba1ef79f4facbf2d912c26ce2ecc5bb8d66419b379952e96b 2045 d6f5 2046 BlindedElement = 02002ff3ef3f2411aa0358936f852be710af790c9affbced8c3 2047 9b018fd97de0a45d80c66cbf0dbda690ee4f594e0795627e6c6f37a500f223c30f31 2048 c24e73501532e7c 2049 EvaluationElement = 0300769fd56c5174c4e3922900fcefdd5a89c9592f4d8e8f 2050 2396678fa72c01d4f8551ec92d4b5287ca673dc29d8db9bb05d2396121a6b8732b68 2051 ebf310fc2620059d67 2052 Proof = 011fd92f54f6a955a333648d843807bd88f644d235a7d592189da42d721e 2053 a6f7b55ec813146f35982487910aa15bbf5ce90653edb6a1b48c0bfd15758e9358aa 2054 731601baa67a3a59db301f41caa020986ae9e93a80d6c06d92e8c5eef6056fa6f342 2055 6b6054d118dc9fecb77fdcb4fc86b9857ada6de18394ff7d6c574cbd08d746b9dde0 2056 ProofRandomScalar = 00ce4f0d824939827888f4c28773466f3c0a05741260040b 2057 c9f302a4fea13f1d8f2f6b92a02a32d5eb06f81de7960470f06169bee12cf47965b7 2058 2a59946ca3879670 2059 Output = a647c5a940aa19d767ab0e163d1357ca068206b2b78f9e8e1021c0bb0f3 2060 27d20cb8fadf996199d86d4cc0a08ac314493319979e1c2a98a96085b8fabff9f0d0 2061 7 2063 A.5.2.2. Test Vector 2, Batch Size 1 2064 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 2065 Info = 7465737420696e666f 2066 Blind = 009055c99bf9591cb0eab2a72d044c05ca2cc2ef9b609a38546f74b6d688 2067 f70cf205f782fa11a0d61b2f5a8a2a1143368327f3077c68a1545e9aafbba6a90dc0 2068 d40a 2069 BlindedElement = 0301e2ecf7313820e9d47763e12633ce6acf9b3dec89928c83b 2070 de1ede2180dc73553af1317408846af5c53ebfed00d19a4125f4ffb7df9f4260ccc0 2071 84a6f7482414a9d 2072 EvaluationElement = 02000e69591ab605652cb3310e774edf79417e102cf89005 2073 c2c7f2bd3a06060d740817802f2cf484748d93df5b281a4bd835617a97ec9809519d 2074 474ca53bba15cdf014 2075 Proof = 0076fa4275414acb9f87dc9e4f20971d51fcd0d38a980854ac2ad1bd5737 2076 eec23bfb4599d021881f7b3872d2e90d9b47e4219f490cf7f0235b2f0859cb2ef15d 2077 dfd401acb6b0844edf066a5767b4b85536bfee69bdf472acf7a59254cf6578f9f35e 2078 ba51bb58c6428d6b7c9e5c9af97edc66d98886fda9544048bf9ceea6fc745bf970da 2079 ProofRandomScalar = 00b5dfc19eb96faba6382ec845097904db87240b9dd47b1e 2080 487ec625f11a7ba2cc3de74c5078a81806f74dd65065273c5bd886c7f87ff8c5f39f 2081 90320718eff747e3 2082 Output = 8d109503ccced41cbec087dab86c607763020be93bdd5ec8508cb078607 2083 1a2b22a7b06150242bcaf6ea1b555a994e0266647eb72914caf73cabe53ddfb0f940 2084 d 2086 A.5.2.3. Test Vector 3, Batch Size 2 2087 Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a 2088 Info = 7465737420696e666f 2089 Blind = 01c6cf092d80c7cf2cb55388d899515238094c800bdd9c65f71780ba85f5 2090 ae9b4703e17e559ca3ccd1944f9a70536c175f11a827452672b60d4e9f89eba28104 2091 6e29,00cba1ba1a337759061965a423d9d3d6e1e1006dc8984ad28a4c93ecfc36fc2 2092 171046b3c4284855cfa2434ed98db9e68a597db2c14728fade716a6a82d600444b26 2093 e 2094 BlindedElement = 0201e22c01df5ac0502842fad603f7a1e1183bcc79a5cb04bb7 2095 befdea870a9a6ea96fbccd752ea9927a9e1e28438098f693461e81832a3f690616bf 2096 983fced079f3a33,0300b49216dd8ba5ba1275d8345679f70fbc6baf4f4b32a03e91 2097 7165a18afa9fad849c48eecb4bae965057ef7c215b52b42ca53c8d5f650633e0bb70 2098 97f2bd809d09ea 2099 EvaluationElement = 03002949c2478249b918a0cf2cd870226541a81d2f3e88c4 2100 7119f732301e749c3dea317c11174a18b89d1b9d2aa4f6ae92ae724e03a4800a26b7 2101 c827b00199f1114bcd,0300924ab017ea6e6328a0b0f341bbeb7d209c67ac169fa4e 2102 f7b04055c66b92aa9657f5d83b0b1ee9c79f3f0198519c97fef07dbecf3f6d477755 2103 0242a1c87953f9461 2104 Proof = 01f5d3c3f835d91aa88202f0fe8728180eeffe7fbc66ffe3f7a7dd958696 2105 a7cd3d47b3c0ec6cd59e9ee23090137293e6f42269923f3d4a1659bc706fd9762070 2106 7d230028cd4b0aa237b91a352fce81248936826ba99e7bd5103a871715126014b8d4 2107 7447e5f20192ed377a7431516fbd82763098ba23f9d15b84fe24fb1126beb0d46f03 2108 ProofRandomScalar = 00d47b0d4ca4c64825ba085de242042b84d9ebe3b2e9de07 2109 678ff96713dfe16f40f2c662a56ed2db95e1e7bf2dea02bd1fa76e953a630772f68b 2110 53baade9962d1646 2111 Output = a647c5a940aa19d767ab0e163d1357ca068206b2b78f9e8e1021c0bb0f3 2112 27d20cb8fadf996199d86d4cc0a08ac314493319979e1c2a98a96085b8fabff9f0d0 2113 7,8d109503ccced41cbec087dab86c607763020be93bdd5ec8508cb0786071a2b22a 2114 7b06150242bcaf6ea1b555a994e0266647eb72914caf73cabe53ddfb0f940d 2116 Authors' Addresses 2118 Alex Davidson 2119 Brave Software 2121 Email: alex.davidson92@gmail.com 2123 Armando Faz-Hernandez 2124 Cloudflare, Inc. 2125 101 Townsend St 2126 San Francisco, 2127 United States of America 2129 Email: armfazh@cloudflare.com 2130 Nick Sullivan 2131 Cloudflare, Inc. 2132 101 Townsend St 2133 San Francisco, 2134 United States of America 2136 Email: nick@cloudflare.com 2138 Christopher A. Wood 2139 Cloudflare, Inc. 2140 101 Townsend St 2141 San Francisco, 2142 United States of America 2144 Email: caw@heapingbits.net