idnits 2.17.1

draft-sullivan-cfrg-voprf-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 105 instances of too long lines in the document, the longest
     one being 13 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 05, 2018) is 2237 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'RFC8032' is defined on line 557, but no explicit
     reference was found in the text

     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                        N. Sullivan
Internet-Draft                                                Cloudflare
Intended status: Informational                                   C. Wood
Expires: September 6, 2018                                    Apple Inc.
                                                          March 05, 2018

          Verifiable Oblivious Pseudorandom Functions (VOPRFs)
                      draft-sullivan-cfrg-voprf-00

Abstract

   A Verifiable Oblivious Pseudorandom Function (VOPRF) is a two-party
   protocol for computing the output of a PRF that is symmetrically
   verifiable. In summary, the PRF key holder learns nothing of the
   input while simultaneously providing proof that its private key was
   used during execution. VOPRFs are useful for computing one-time
   unlinkable tokens that are verifiable by secret key holders. This
   document specifies a VOPRF construction based on Elliptic Curves.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements
   2.  Background
   3.  Security Properties
   4.  Elliptic Curve VOPRF Protocol
     4.1.  Algorithmic Details
       4.1.1.  ECVOPRF_Blind
       4.1.2.  ECVOPRF_Sign
       4.1.3.  ECVOPRF_Unblind
       4.1.4.  ECVOPRF_Finalize
   5.  NIZK Discrete Logarithm Equality Proof
     5.1.  DLEQ_Generate
     5.2.  DLEQ_Verify
     5.3.  Group and Hash Function Instantiations
   6.  Security Considerations
     6.1.  Timing Leaks
   7.  Privacy Considerations
     7.1.  Key Consistency
   8.  Acknowledgments
   9.  Contributors
   10. Normative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   A pseudorandom function (PRF) F(k, x) is an efficiently computable
   function with secret key k on input x. Roughly, F is pseudorandom if
   the output y = F(k, x) is indistinguishable from uniformly sampling
   any element in F's range for random choice of k. An oblivious PRF
   (OPRF) is a two-party protocol between a prover P and verifier V
   where P holds a PRF key k and V holds some input x. The protocol
   allows both parties to cooperate in computing F(k, x) with P's secret
   key k and V's input x such that: V learns F(k, x) without learning
   anything about k; and P does not learn anything about x. A
   Verifiable OPRF (VOPRF) is an OPRF wherein P can prove to V that
   F(k, x) was computed using key k, which is bound to a trusted public
   key Y = kG. Informally, this is done by presenting a non-interactive
   zero-knowledge (NIZK) proof of equality between (G, Y) and (Z, M),
   where Z = kM for some point M.

   VOPRFs are useful for producing tokens that are verifiable by V.
   This may be needed, for example, if V wants assurance that P did not
   use a unique key in its computation, i.e., if V wants key consistency
   from P. This property is necessary in some applications, e.g., the
   Privacy Pass protocol [PrivacyPass], wherein this VOPRF is used to
   generate one-time authentic tokens to bypass CAPTCHA challenges.

   This document introduces a VOPRF protocol built on Elliptic Curves,
   called ECVOPRF. It describes the protocol and its security
   properties, and provides preliminary test vectors for
   experimentation. The rest of this document is structured as follows:

   o  Section 2: Describe background, related work, and use cases of
      VOPRF protocols.

   o  Section 3: Discuss security properties of VOPRFs.

   o  Section 4: Specify a VOPRF protocol based on elliptic curves.

   o  Section 5: Specify the NIZK discrete logarithm equality
      construction used for verifying protocol outputs.

1.1.  Terminology

   The following terms are used throughout this document.

   o  PRF: Pseudorandom Function.

   o  OPRF: Oblivious PRF.

   o  VOPRF: Verifiable Oblivious Pseudorandom Function.

   o  Verifier (V): Protocol initiator when computing F(k, x).

   o  Prover (P): Holder of secret key k.

   o  NIZK: Non-interactive zero knowledge.

   o  DLEQ: Discrete Logarithm Equality.

1.2.  Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Background

   VOPRFs are functionally related to RSA-based blind signature schemes,
   e.g., [ChaumBlindSignature]. Such a scheme works as follows. Let m
   be a message to be signed by a server. It is assumed to be a member
   of the RSA group. Also, let N be the RSA modulus, and e and d be the
   public and private keys, respectively. A prover P and verifier V
   engage in the following protocol given input m.

   1.  V generates a random blinding element r from the RSA group, and
       computes m' = m^r (mod N). V sends m' to P.

   2.  P uses m' to compute s' = (m')^d (mod N), and sends s' to V.

   3.  V removes the blinding factor r to obtain the original signature
       as s = (s')^(r^-1) (mod N).

   By the properties of RSA, s is clearly a valid signature for m. OPRF
   protocols are the symmetric equivalent to blind signatures in the
   same way that PRFs are the symmetric equivalent to traditional
   digital signatures. This is discussed more in the following section.

3.  Security Properties

   The security properties of a VOPRF protocol with functionality y =
   F(k, x) include those of a standard PRF. Specifically:

   o  Given value x, it is infeasible to compute y = F(k, x) without
      knowledge of k.

   o  Output y = F(k, x) is indistinguishable from a random value in the
      domain of F.

   Additionally, we require the following properties:

   o  Non-malleable: Given (x, y = F(k, x)), V must not be able to
      generate (x', y') where x' != x and y' = F(k, x').

   o  Verifiable: V must only complete execution of the protocol if it
      asserts that P used its secret key k, associated with public key
      Y = kG, in execution.

   o  Oblivious: P must learn nothing about V's input, and V must learn
      nothing about P's private key.

   o  Unlinkable: If V reveals x to P, P cannot link x to the protocol
      instance in which y = F(k, x) was computed.

4.  Elliptic Curve VOPRF Protocol

   In this section we describe the ECVOPRF protocol. Let GG be a
   prime-order subgroup of an elliptic curve over base field GF(p) for
   prime p, with two distinct hash functions H_1 and H_2, where H_1 maps
   arbitrary input onto GG and H_2 maps arbitrary input to a
   fixed-length output, e.g., SHA256. All hash functions in the
   protocol are assumed to be random oracles. Let L be the security
   parameter. Let k be the prover's (P) secret key, and Y = kG be its
   corresponding public key for some generator G taken from the group
   GG. Let x be the verifier's (V) input to the VOPRF protocol.
   (Commonly, it is a random L-bit string, though this is not required.)
   ECVOPRF begins with V randomly blinding its input for the signer.
   The latter then applies its secret key to the blinded value and
   returns the result. To finish the computation, V then removes its
   blind and hashes the result using H_2 to yield an output. This flow
   is illustrated below.

        Verifier                     Prover
     ----------------------------------------------------------
        r <-$ GF(p)
        M = rH_1(x)
                           M
                        ------->
                                     Z = kM
                                     D = DLEQ_Generate(Z/M == Y/G)
                          Z,D
                        <-------
        b = DLEQ_Verify(M, Z, D, Y)
        Output H_2(x, Zr^(-1)) if b=1, else "error"

   DLEQ(Z/M == Y/G) is described in Section 5. Intuitively, the DLEQ
   proof allows P to prove to V in NIZK that the same key k is the
   exponent of both Y and Z. In other words, computing the discrete
   logarithm of Y and Z (with respect to G and M, respectively) results
   in the same value. The committed value Y should be public before the
   protocol is initiated.

   The actual PRF function computed is as follows:

   F(k, x) = H_2(x, N) = H_2(x, kH_1(x))

   Note that V finishes this computation upon receiving kH_1(x) from P.
   The output from P is not the PRF value.

   This protocol may be decomposed into a series of steps, as described
   below:

   o  ECVOPRF_Blind(x): Compute and return a blind, r, and blinded
      representation of x, denoted M.

   o  ECVOPRF_Sign(M): Sign input M using secret key k to produce Z,
      generate a proof D of DLEQ(Z/M == Y/G), and output (Z, D).

   o  ECVOPRF_Unblind((Z, D), r, Y, G, M): Unblind blinded signature Z
      with blind r, yielding N. Output N if D is a valid proof.
      Otherwise, output an error.

   o  ECVOPRF_Finalize(N): Finalize N to produce PRF output F(k, x).

   Protocol correctness requires that, for any key k, input x, and (r,
   M) = ECVOPRF_Blind(x), it must be true that:

   ECVOPRF_Finalize(x, ECVOPRF_Unblind(ECVOPRF_Sign(M), M, r)) = F(k, x)

   with overwhelming probability.

4.1.  Algorithmic Details

   This section provides algorithms for each step in the VOPRF protocol.

   1.  V computes X = H_1(x) and a random element r (blinding factor)
       from GF(p), and computes M = rX.

   2.  V sends M to P.

   3.  P computes Z = kM = rkX, and D = DLEQ(Z/M == Y/G).

   4.  P sends (Z, D) to V.

   5.  V verifies D using Y. If invalid, V outputs an error.

   6.  V unblinds Z to compute N = r^(-1)Z = kX.

   7.  V outputs the pair H_2(x, N).

4.1.1.  ECVOPRF_Blind

   Input:

    x - V's PRF input.

   Output:

    r - Random scalar in [1, p - 1].
    M - Blinded representation of x using blind r, a point in GG.

   Steps:

    1.  r <-$ GF(p)
    2.  M := rH_1(x)
    3.  Output (r, M)

4.1.2.  ECVOPRF_Sign

   Input:

    M - Point in GG.

   Output:

    Z - Scalar multiplication of k and M, point in GG.
    D - DLEQ proof that log_G(Y) == log_M(Z).

   Steps:

    1.  Z := kM
    2.  D = DLEQ_Generate(G, Y, M, Z)
    3.  Output (Z, D)

4.1.3.  ECVOPRF_Unblind

   Input:

    Z - Point in GG.
    D - DLEQ proof that log_G(Y) == log_M(Z).
    M - Blinded representation of x using blind r, a point in GG.
    r - Random scalar in [1, p - 1].

   Output:

    N - Unblinded signature, point in GG.

   Steps:

    1.  N := r^(-1)Z
    2.  If DLEQ_Verify(G, Y, M, Z, D) output N
    3.  Output "error"

4.1.4.  ECVOPRF_Finalize

   Input:

    x - PRF input string.
    N - Point in GG, or "error".

   Output:

    y - Random element in {0,1}^L, or "error"

   Steps:

    1.  If N == "error", output "error".
    2.  y := H_2(x, N)
    3.  Output y

5.  NIZK Discrete Logarithm Equality Proof

   In some cases, it may be desirable for V to have proof that P used
   its private key to compute Z from M. This is done by proving
   log_G(Y) == log_M(Z). This may be used, for example, to ensure that
   P uses the same private key for computing the VOPRF output and does
   not attempt to "tag" individual verifiers with select keys. This
   proof must not reveal P's long-term private key to V. Consequently,
   we extend the protocol in the previous section with a
   (non-interactive) discrete logarithm equality (DLEQ) algorithm built
   on a Chaum-Pedersen [ChaumPedersen] proof. This proof is divided
   into two procedures: DLEQ_Generate and DLEQ_Verify. These are
   specified below.

5.1.  DLEQ_Generate

   Input:

    G: Generator of group GG with prime order p.
    Y: Signer public key.
    M: Point in GG.
    Z: Point in GG.
    H_3: A hash function from GG to a bitstring of length L modeled
         as a random oracle.

   Output:

    D: DLEQ proof (c, s).

   Steps:

    1.  r <-$ GF(p)
    2.  A = rG and B = rM.
    3.  c = H_3(G,Y,M,Z,A,B)
    4.  s = (r - ck) (mod p)
    5.  Output D = (c, s)

5.2.  DLEQ_Verify

   Input:

    G: Generator of group GG with prime order p.
    Y: Signer public key.
    M: Point in GG.
    Z: Point in GG.
    D: DLEQ proof (c, s).

   Output:

    True if log_G(Y) == log_M(Z), False otherwise.

   Steps:

    1.  A' = (sG + cY)
    2.  B' = (sM + cZ)
    3.  c' = H_3(G,Y,M,Z,A',B')
    4.  Output c == c'

5.3.  Group and Hash Function Instantiations

   This section specifies supported VOPRF group and hash function
   instantiations.

   EC-VOPRF-P256-SHA256:

   o  G: P-256

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA256

   o  H_3: SHA256

   EC-VOPRF-P256-SHA512:

   o  G: P-256

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA512

   o  H_3: SHA512

   EC-VOPRF-P384-SHA256:

   o  G: P-384

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA256

   o  H_3: SHA256

   EC-VOPRF-P384-SHA512:

   o  G: P-384

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA512

   o  H_3: SHA512

   EC-VOPRF-CURVE25519-SHA256:

   o  G: Curve25519 [RFC7748]

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA256

   o  H_3: SHA256

   EC-VOPRF-CURVE25519-SHA512:

   o  G: Curve25519 [RFC7748]

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA512

   o  H_3: SHA512

   EC-VOPRF-CURVE448-SHA256:

   o  G: Curve448 [RFC7748]

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA256

   o  H_3: SHA256

   EC-VOPRF-CURVE448-SHA512:

   o  G: Curve448 [RFC7748]

   o  H_1: ((TODO: choose from [I-D.draft-sullivan-cfrg-hash-to-curve]))

   o  H_2: SHA512

   o  H_3: SHA512

6.  Security Considerations

   Security of the protocol depends on P's secrecy of k. Best practices
   recommend P regularly rotate k so as to keep its window of compromise
   small. Moreover, each key should be generated from a source of
   safe, cryptographic randomness.

   Another critical aspect of this protocol is reliance on
   [I-D.draft-sullivan-cfrg-hash-to-curve] for mapping arbitrary input
   to points on a curve. Security requires this mapping be pre-image
   and collision resistant.

6.1.  Timing Leaks

   To ensure no information is leaked during protocol execution, all
   operations that use secret data MUST be constant time. Operations
   that SHOULD be constant time include: H_1() (hashing arbitrary
   strings to curves) and DLEQ_Generate().
   [I-D.draft-sullivan-cfrg-hash-to-curve] describes various algorithms
   for constant-time implementations of H_1.

7.  Privacy Considerations

7.1.  Key Consistency

   DLEQ proofs are essential to the protocol to allow V to check that
   P's designated private key was used in the computation. A side
   effect of this property is that it prevents P from using a unique
   key for select verifiers as a way of "tagging" them. If all
   verifiers expect use of a certain private key, e.g., by locating P's
   public key published from a trusted registry, then P cannot present
   unique keys to an individual verifier.

8.  Acknowledgments

   This document resulted from the work of the Privacy Pass team
   [PrivacyPass].

9.  Contributors

   Alex Davidson contributed to earlier versions of this document.

10.  Normative References

   [ChaumBlindSignature]
              "Blind Signatures for Untraceable Payments", n.d.

   [ChaumPedersen]
              "Wallet Databases with Observers", n.d.

   [I-D.draft-sullivan-cfrg-hash-to-curve]
              "Hashing to Elliptic Curves", n.d.

   [PrivacyPass]
              "Privacy Pass", n.d.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017.

Appendix A.  Test Vectors

   This section includes test vectors for the primary VOPRF protocol,
   excluding DLEQ output.

   ((TODO: add DLEQ vectors))


Authors' Addresses

   Nick Sullivan
   Cloudflare
   101 Townsend St
   San Francisco
   United States of America

   Email: nick@cloudflare.com

   Christopher A. Wood
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014
   United States of America

   Email: cawood@apple.com
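
The ECVOPRF exchange of Section 4 together with the DLEQ proof of Section 5, instantiated along the lines of EC-VOPRF-P256-SHA256, as an added example that is not part of the draft or of any implementation by its authors. Assumptions: h1 is a try-and-increment stand-in for H_1 (which the draft leaves as a TODO), scalars are taken modulo the group order N, and the point encoding, the on_curve checks and all function names are choices of this example.

```python
import hashlib
import secrets

# NIST P-256: y^2 = x^3 - 3x + CURVE_B over GF(P); N is the prime group order.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
CURVE_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt):  # affine (x, y) tuples; None is the point at infinity
    return (pt is not None and all(0 <= c < P for c in pt)
            and (pt[1] ** 2 - pt[0] ** 3 + 3 * pt[0] - CURVE_B) % P == 0)

def add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; illustration only, leaks timing."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h1(x):
    """ASSUMED H_1 (a TODO in the draft): try-and-increment, not constant time."""
    for ctr in range(2**32):
        digest = hashlib.sha256(b"H1" + ctr.to_bytes(4, "big") + x).digest()
        xc = int.from_bytes(digest, "big") % P
        rhs = (pow(xc, 3, P) - 3 * xc + CURVE_B) % P
        y = pow(rhs, (P + 1) // 4, P)      # candidate square root (P % 4 == 3)
        if y * y % P == rhs:
            return (xc, y)

def h3(*points):
    """H_3 (SHA256 here) over the encoded points, reduced to a scalar."""
    digest = hashlib.sha256(b"".join(enc(pt) for pt in points)).digest()
    return int.from_bytes(digest, "big") % N

def dleq_generate(k, Y, M, Z):
    t = 1 + secrets.randbelow(N - 1)       # the nonce called r in Section 5.1
    c = h3(G, Y, M, Z, mul(t, G), mul(t, M))
    return (c, (t - c * k) % N)

def dleq_verify(Y, M, Z, D):
    c, s = D
    A = add(mul(s, G), mul(c, Y))          # A' = sG + cY
    B = add(mul(s, M), mul(c, Z))          # B' = sM + cZ
    return A is not None and B is not None and c == h3(G, Y, M, Z, A, B)

def blind(x):
    r = 1 + secrets.randbelow(N - 1)
    return r, mul(r, h1(x))

def sign(k, Y, M):
    if not on_curve(M):                    # added input check, not in the draft
        raise ValueError("M is not a point on the curve")
    Z = mul(k, M)
    return Z, dleq_generate(k, Y, M, Z)

def unblind(Z, D, M, r, Y):
    """N = r^(-1) Z if the proof verifies, else None (the draft's "error")."""
    if not on_curve(Z) or not dleq_verify(Y, M, Z, D):
        return None
    return mul(pow(r, -1, N), Z)

def finalize(x, n_pt):
    """H_2 (SHA256 here) over x and N; the byte layout is an assumption."""
    return None if n_pt is None else hashlib.sha256(x + enc(n_pt)).digest()

def run(x, k_used, Y_published):
    """One exchange: P signs with k_used, V verifies against Y_published."""
    r, M = blind(x)
    Z, D = sign(k_used, Y_published, M)
    return M, finalize(x, unblind(Z, D, M, r, Y_published))
```

run(x, k, mul(k, G)) returns the blinded element M and F(k, x). Keeping Y_published fixed while passing a different k_used makes unblind return None, which is the key-consistency check of Section 7.1.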