Normalizing references to sections in RFC9497
kevinlewi committed Sep 18, 2024
1 parent f56995d commit 122f2e3
Showing 1 changed file with 13 additions and 14 deletions.
27 changes: 13 additions & 14 deletions draft-irtf-cfrg-opaque.md
@@ -394,7 +394,7 @@ and the input to the function is provided by the client. The client does not
learn anything about the PRF other than the obtained output and the server
learns nothing about the client's input or the function output.
This specification depends on the prime-order OPRF construction specified
in {{RFC9497}}, using the OPRF mode (0x00) from {{RFC9497, Section 3.1}}.
as `modeOPRF` (`0x00`) from {{RFC9497, Section 3.1}}.

The following OPRF client APIs are used:

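Review bot: the replacement line makes the sentence read "construction specified as `modeOPRF` (`0x00`) from {{RFC9497, Section 3.1}}", which is harder to parse than the text it replaces and no longer states that the construction itself is specified in RFC9497. Suggest keeping the original sentence structure and only code-formatting the mode name, for example "specified in {{RFC9497}}, using `modeOPRF` (`0x00`) from {{RFC9497, Section 3.1}}".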
@@ -1513,7 +1513,7 @@ as defined in {{?RISTRETTO=I-D.irtf-cfrg-ristretto255-decaf448}}.
- DeriveDiffieHellmanKeyPair(seed): This function is implemented as
DeriveKeyPair(seed, "OPAQUE-DeriveDiffieHellmanKeyPair"), where DeriveKeyPair is
as specified in {{RFC9497, Section 3.2}}. The public value from DeriveKeyPair
is encoded using SerializeElement from {{Section 2.1 of RFC9497}}.
is encoded using SerializeElement from {{RFC9497, Section 2.1}}.
- DiffieHellman(k, B): Implemented as scalar multiplication as described in
{{Section 4 of RISTRETTO}} after decoding `B` from its encoded input using
the Decode function in {{Section 4.3.1 of RISTRETTO}}. The output is then
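Review bot: the SerializeElement reference now uses the {{RFC9497, Section 2.1}} form, but the DiffieHellman bullet directly below it still uses {{Section 4 of RISTRETTO}} and {{Section 4.3.1 of RISTRETTO}}, so both reference styles sit side by side in the same list. If the goal is one style per document, convert these as well; if only RFC9497 references are in scope, say so in the commit message.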
@@ -1528,7 +1528,7 @@ as defined in {{?NISTCurves=DOI.10.6028/NIST.FIPS.186-4}}.
- DeriveDiffieHellmanKeyPair(seed): This function is implemented as
DeriveKeyPair(seed, "OPAQUE-DeriveDiffieHellmanKeyPair"), where DeriveKeyPair is
as specified in {{RFC9497, Section 3.2}}. The public value from DeriveKeyPair
is encoded using SerializeElement from {{Section 2.1 of RFC9497}}.
is encoded using SerializeElement from {{RFC9497, Section 2.1}}.
- DiffieHellman(k, B): Implemented as scalar multiplication as described in
{{NISTCurves}}, after decoding `B` from its encoded input using
the compressed Octet-String-to-Elliptic-Curve-Point method according to {{NISTCurves}}.
@@ -1813,9 +1813,9 @@ def AuthServerFinalize(ke3):
An OPAQUE-3DH configuration is a tuple (OPRF, KDF, MAC, Hash, KSF, Group, Context)
such that the following conditions are met:

- The OPRF protocol uses the "base mode" variant of {{RFC9497}} and implements
the interface in {{dependencies}}. Examples include ristretto255-SHA512 and
P256-SHA256.
- The OPRF protocol uses the `modeOPRF` configuration of {{RFC9497, Section 3.1}} and
implements the interface in {{dependencies}}. Examples include ristretto255-SHA512
and P256-SHA256.
- The KDF, MAC, and Hash functions implement the interfaces in {{dependencies}}.
Examples include HKDF {{RFC5869}} for the KDF, HMAC {{!RFC2104}} for the MAC,
and SHA-256 and SHA-512 for the Hash functions. If an extensible output function
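Review bot: in the first bullet, "the `modeOPRF` configuration" reuses the word "configuration" inside a sentence that defines an OPAQUE-3DH configuration as a tuple, so it can read as if `modeOPRF` were itself such a tuple. The earlier hunk writes it as `modeOPRF` (`0x00`); wording such as "uses `modeOPRF` from {{RFC9497, Section 3.1}}" would keep the two places consistent and avoid overloading the term.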
@@ -2098,16 +2098,16 @@ suitable for interoperable implementations.
values over the wire. This specification instantiates the prime-order group used for
3DH using prime-order groups based on elliptic curves, as described in
{{RFC9497, Section 2.1}}. This specification also delegates OPRF group
choice and operations to {{!RFC9497}}. As such, the prime-order group as used
choice and operations to {{RFC9497, Section 4}}. As such, the prime-order group as used
in the OPRF and 3DH as specified in this document both adhere to the requirements as
{{JKX18}}.
- {{JKX18}} specified DH-OPRF (see Appendix B) to instantiate
the OPRF functionality in the protocol. A critical part of DH-OPRF is the
hash-to-group operation, which was not instantiated in the original analysis.
However, the requirements for this operation were included. This specification
instantiates the OPRF functionality based on the {{RFC9497}}, which
instantiates the OPRF functionality based on {{RFC9497, Section 3.3.1}}, which
is identical to the DH-OPRF functionality in {{JKX18}} and, concretely, uses
the hash-to-curve functions in {{?RFC9380}}. All hash-to-curve
the hash-to-curve functions in {{RFC9380}}. All hash-to-curve
methods in {{RFC9380}} are compliant with the requirement
in {{JKX18}}, namely, that the output be a member of the prime-order group.
- {{JKX18}} and {{I-D.krawczyk-cfrg-opaque-06}} both used HMQV as the AKE
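Review bot: besides adding section numbers, this hunk drops the `!` from {{!RFC9497}} and the `?` from {{?RFC9380}}, which in kramdown-rfc mark a reference as normative or informative. Please confirm that both documents are still classified elsewhere in the draft (other hunks keep markers such as {{!RFC2104}}), or keep the markers on these references so the classification does not change as a side effect of a formatting commit.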
@@ -2230,7 +2230,7 @@ order of computing discrete logarithms or solving Diffie-Hellman, Brown and
Gallant {{BG04}} and Cheon {{Cheon06}} show an attack that slightly improves
on generic attacks. For typical curves, the attack requires an infeasible
number of calls to the OPRF or results in insignificant security loss;
see {{RFC9497}} for more information. For OPAQUE, these attacks
see {{RFC9497, Section 7.2.3}} for more information. For OPAQUE, these attacks
are particularly impractical as they translate into an infeasible number of
failed authentication attempts directed at individual users.

@@ -2501,10 +2501,9 @@ outputs computed during the authentication of an unknown or unregistered user. N

All values are encoded in hexadecimal strings. The configuration information
includes the (OPRF, Hash, KSF, KDF, MAC, Group, Context) tuple, where the Group
matches that which is used in the OPRF. These test vectors were generated using
{{RFC9497}}. The KSF used for each test vector is the identity function
(denoted Identity), which returns as output the input message supplied to the function
without any modification, i.e., msg = Stretch(msg).
matches that which is used in the OPRF. The KSF used for each test vector is the
identity function (denoted Identity), which returns as output the input message
supplied to the function without any modification, i.e., msg = Stretch(msg).

## Real Test Vectors {#real-vectors}

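Review bot: this hunk deletes the sentence "These test vectors were generated using {{RFC9497}}." instead of normalizing its reference, which goes beyond what the commit title describes. If the statement was wrong or redundant, say so in the commit message; otherwise keep it and give it a section-specific reference like the other hunks.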