Move VOPRF into spec. #257
Conversation
This removes issuer protocol and moves some of the VOPRF serialization into the bikeshed spec. Partially resolves #230.
There was a problem hiding this comment.
The variance from voprf draft21 should generally be made more explicit. For places that might change (eg: the serialization of the nonces) we could offer recommendations such as:
const count = bytes.readInt(2);
// calculate blinded length to handle Ne=49 or legacy uncompressed (Ne=97)
const blindedLength = Math.round((bytes.length - 2) / count);
for (let i = 0; i < count; i++) {
const nonce = bytes.readBytes(blindedLength);
...
spec.bs
Outdated
| uint16 issued; | ||
| uint32 key_id = keyID; | ||
| SignedNonce signed[issued]; | ||
| opaque proof<1..2^16-1>; // Length-prefixed form of DLEQProof. |
There was a problem hiding this comment.
Should mention that the proof is a serialized Scalar of both values each of Ns
spec.bs
Outdated
|
|
||
| 1. Let |unmaskOperation| be the Unmask operation corresponding to |issuerKeys|["protocol_version"]. | ||
| 1. Let |result| ([=list=] of byte strings) be the result of running |unmaskOperation| on |pretokens| and |response|. | ||
| 1. Let |request| be a [=byte sequence=] consisting of |numTokens| encoded as a uint16. |
There was a problem hiding this comment.
Not sure I fully grok this. Is it bytes or uint16? Can you say a little bit more about what this is and why it's called "request" here? Maybe we should call these fields issueHeader and pretokens like in their later usage?
There was a problem hiding this comment.
Renamed and tried to clarify.
Co-authored-by: Johann Hofmann <[email protected]>
Co-authored-by: Jeffrey Yasskin <[email protected]>
| @@ -666,8 +773,9 @@ To <dfn>handle a redeem response</dfn>, given [=request=] |request| and [=respon | |||
|
|
|||
| 1. If |request|'s [=request/header list=] [=header list/contains|does not contain=] <a http-header>Sec-Private-State-Token</a>, return null. | |||
| 1. If |response|'s [=response/header list=] [=header list/contains|does not contain=] <a http-header>Sec-Private-State-Token</a>, return a [=network error=]. | |||
| 1. Let |header| be the result of [=header list/get|getting=] <a http-header>Sec-Private-State-Token</a> from |response|'s [=response/header list=]. | |||
| 1. If |header| is empty, return null. | |||
| 1. Let |rawHeader| be the result of [=header list/get|getting=] <a http-header>Sec-Private-State-Token</a> from |response|'s [=response/header list=]. | |||
There was a problem hiding this comment.
This should use https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header, right? And then check that it's a https://httpwg.org/specs/rfc8941.html#binary?
There was a problem hiding this comment.
Added a step for the base64 decoding, unfortunately as currently implemented, this is just a base64 in a header and not the full structured header format.
There was a problem hiding this comment.
Oh no, and simple base64 isn't forward compatible with the ':'-wrapped form used by structured field byte sequences. It'll parse as a Token instead.
There was a problem hiding this comment.
@aykutbulut Since you were looking at some of the structured header bits?
Co-authored-by: Jeffrey Yasskin <[email protected]>
spec.bs
Outdated
| 1. Let |blinds| be an empty [=list=]. | ||
| 1. Repeat the following steps, |numTokens| times: | ||
| 1. Let |input| be an [=implementation-defined=] random value. | ||
| 1. Let |result| ([=tuple=] ([=byte sequence=], [=byte sequence=])) be the result of running the [=Issue=] method, where the second element is encoded as a X9.62 uncompressed point. |
There was a problem hiding this comment.
What arguments get passed to [=Issue=]?
You can expand the result using the Infra syntax (|evaluatedElement|, |proof|) so you don't need the |result| variable.
There was a problem hiding this comment.
Should be Blind, fixed and added arguments.
spec.bs
Outdated
| 1. Set |issueRequest|["count"] to |numTokens|. | ||
| 1. Let |blinds| be an empty [=list=]. | ||
| 1. Repeat the following steps, |numTokens| times: | ||
| 1. Let |input| be an [=implementation-defined=] random value. |
There was a problem hiding this comment.
Is |input| ever used? If it is, you need to say the type of the random value here, and you probably don't need to say it's [=implementation-defined=], unless each implementation is supposed to pick one random value and use it forever (https://xkcd.com/221/).
spec.bs
Outdated
|
|
||
| This document encodes protocol messages in the TLS presentation language from section 3 of [[!RFC8446]]. | ||
|
|
||
| For <dfn>Issue</dfn> (corresponding to [=BlindEvaluate=] function of the [[!VOPRF]] protocol), the <dfn>IssueRequest</dfn> and <dfn>IssueResponse</dfn> are serialized as: |
There was a problem hiding this comment.
What's it mean for "Issue" to correspond to BlindEvaluate? Could you just have all the call sites call BlindEvaluate directly?
I also don't see obvious things in BlindEvaluate that would correspond to IssueRequest or IssueResponse. Are they just how we serialize things that'll eventually be passed to or from that algorithm?
There was a problem hiding this comment.
Clarified the wording here, these are also the server-side steps so removed the Issue/Redeem function naming.
Co-authored-by: Jeffrey Yasskin <[email protected]>
| @@ -655,7 +760,8 @@ To <dfn>append private state token redemption request headers</dfn> given a [=/r | |||
| the issuer's most recent commitments. | |||
| 1. Let |token| be the result of [=retrieve a token|retrieving a token=] for |issuer|. | |||
| 1. If |token| is null, return. | |||
| 1. Let |record| be the result of running a cryptographic redemption procedure with |token|. If the procedure fails, return. | |||
| 1. Let |redeemRequest| be an empty [=RedeemRequest=]. | |||
There was a problem hiding this comment.
RedeemRequest is a struct. Does step mean with empty members?
Add serializing/deserializing step.
spec.bs
Outdated
|
|
||
| This document encodes protocol messages in the TLS presentation language from section 3 of [[!RFC8446]]. | ||
|
|
||
| When the server is performing the [=BlindEvaluate=] function of the [[!VOPRF]] protocol, the input <dfn>IssueRequest</dfn> and output <dfn>IssueResponse</dfn> are serialized as: |
There was a problem hiding this comment.
The BlindEvaluate function in https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-21.html#name-voprf-protocol has a signature of
def BlindEvaluate(skS, pkS, blindedElement):
How does that correspond to the count and nonces[count] fields in IssueRequest?
There was a problem hiding this comment.
Added comments on the correspondence.
spec.bs
Outdated
| } IssueResponse; | ||
| ``` | ||
|
|
||
| When the server is performing the [=Evaluate=] function of the [[!VOPRF]] protocol, the input <dfn>RedeemRequest</dfn> and output <dfn>RedeemResponse</dfn> are serialized as: |
There was a problem hiding this comment.
Similarly, Evaluate takes skS and input. While this is at least the same number of fields as in RedeemRequest, they have different names, so it's not clear they're supposed to match. Can you be clearer about how they map to each other?
There was a problem hiding this comment.
Added comments and updated this to point at the PSTEvaluate version below.
spec.bs
Outdated
| ``` | ||
| struct { | ||
| uint32 key_id; | ||
| opaque nonce<nonce_size>; |
There was a problem hiding this comment.
Added it above along with G.
spec.bs
Outdated
| uint16 count; | ||
| ECPoint nonces[count]; |
There was a problem hiding this comment.
Is this equivalent to
| uint16 count; | |
| ECPoint nonces[count]; | |
| ECPoint nonces<0..65535>; |
?
There was a problem hiding this comment.
Yes, though being able to refer to count separately from nonces is slightly useful from the original form.
Co-authored-by: Jeffrey Yasskin <[email protected]>
Fix typos.
SHA: 9dfaf87 Reason: push, by dvorak42 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 9dfaf87 Reason: push, by aykutbulut Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This removes issuer protocol and moves some of the VOPRF serialization into the bikeshed spec.
Partially resolves #230.
Preview | Diff