What is an OPRF keypair? #54
Comments
|
i just realized this might be a typo and should say OPAQUE instead of OPRF? |
|
It's not a typo. The OPRF dependency in this document has a private and public key component to it. (Is your point that it should only be a secret key?) |
|
OPRF as such does not use any public/private keypair. An OPRF blinds the value of the initiator, the responder contributes its own value, and the initiator then unblinds the responders value. there is no use for a (sk=x, pk=g^x) keypair in this computation. |
|
however OPAQUE itself makes use of public private keypairs (and thus of keygen) for the values pkU, skU, pkS, skS, and their ephemeral counterparts. thus my assumption this being a typo. |
|
Please review the dependent OPRF document. This OPRF has a public and private key pair. The public key is only used for verification, which is why OPAQUE discards it. |
|
sorry, i only read the paper by Jarecki et al., i wasn't aware that there is also an IETF (V)OPRF rfc draft. looking at that it makes kind of sense to call this keygen(), as for nist curves it must be guaranteed that the scalar is member of the field. and for voprfs actually to verify it. thanks for pointing that out, maybe this could be explained where the keygen() is mentioned in the opaque draft |
|
i just reread the paper, and i apologize for the noise. |
in the Cryptographic primitives section there is this sentence:
i'm sorry, but what does that mean? The notion of a keypair in the OPRF context makes no sense to me.
The text was updated successfully, but these errors were encountered: