Conform to voprf spec (facebook#71)

Author: kevinlewi

benches/oprf.rs

@@ -11,7 +11,7 @@ use curve25519_dalek::{edwards::EdwardsPoint, ristretto::RistrettoPoint};
 use generic_array::arr;
 use opaque_ke::{
     group::Group,
-    oprf::{generate_oprf1_shim, generate_oprf2_shim, generate_oprf3_shim, OprfClientBytes},
+    oprf::{blind_shim, evaluate_shim, unblind_and_finalize_shim},
 };
 use rand::{prelude::ThreadRng, thread_rng};
 use sha2::Sha256;
@@ -20,12 +20,9 @@ fn oprf1(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    c.bench_function("generate_oprf1 with Ristretto", move |b| {
+    c.bench_function("blind with Ristretto", move |b| {
         b.iter(|| {
-            let OprfClientBytes {
-                alpha: _alpha,
-                blinding_factor: _blinding_factor,
-            } = generate_oprf1_shim::<_, RistrettoPoint>(&input[..], None, &mut csprng).unwrap();
+            blind_shim::<_, RistrettoPoint>(&input[..], &mut csprng).unwrap();
         })
     });
 }
@@ -34,12 +31,9 @@ fn oprf1_edwards(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    c.bench_function("generate_oprf1 with Edwards", move |b| {
+    c.bench_function("blind with Edwards", move |b| {
         b.iter(|| {
-            let OprfClientBytes {
-                alpha: _alpha,
-                blinding_factor: _blinding_factor,
-            } = generate_oprf1_shim::<_, EdwardsPoint>(&input[..], None, &mut csprng).unwrap();
+            blind_shim::<_, EdwardsPoint>(&input[..], &mut csprng).unwrap();
         })
     });
 }
@@ -48,19 +42,16 @@ fn oprf2(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    let OprfClientBytes {
-        alpha,
-        blinding_factor: _blinding_factor,
-    } = generate_oprf1_shim::<_, RistrettoPoint>(&input[..], None, &mut csprng).unwrap();
+    let (_, alpha) = blind_shim::<_, RistrettoPoint>(&input[..], &mut csprng).unwrap();
     let salt_bytes = arr![
         u8; 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
         24, 25, 26, 27, 28, 29, 30, 31, 32,
     ];
     let salt = RistrettoPoint::from_scalar_slice(&salt_bytes).unwrap();
 
-    c.bench_function("generate_oprf2 with Ristretto", move |b| {
+    c.bench_function("evaluate with Ristretto", move |b| {
         b.iter(|| {
-            let _beta = generate_oprf2_shim::<RistrettoPoint>(alpha, &salt).unwrap();
+            let _beta = evaluate_shim::<RistrettoPoint>(alpha, &salt).unwrap();
         })
     });
 }
@@ -69,19 +60,16 @@ fn oprf2_edwards(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    let OprfClientBytes {
-        alpha,
-        blinding_factor: _blinding_factor,
-    } = generate_oprf1_shim::<_, EdwardsPoint>(&input[..], None, &mut csprng).unwrap();
+    let (_, alpha) = blind_shim::<_, EdwardsPoint>(&input[..], &mut csprng).unwrap();
     let salt_bytes = arr![
         u8; 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
         24, 25, 26, 27, 28, 29, 30, 31, 32,
     ];
     let salt = RistrettoPoint::from_scalar_slice(&salt_bytes).unwrap();
 
-    c.bench_function("generate_oprf2 with Edwards", move |b| {
+    c.bench_function("evaluate with Edwards", move |b| {
         b.iter(|| {
-            let _beta = generate_oprf2_shim::<EdwardsPoint>(alpha, &salt).unwrap();
+            let _beta = evaluate_shim::<EdwardsPoint>(alpha, &salt).unwrap();
         })
     });
 }
@@ -90,21 +78,17 @@ fn oprf3(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    let OprfClientBytes {
-        alpha,
-        blinding_factor,
-    } = generate_oprf1_shim::<_, RistrettoPoint>(&input[..], None, &mut csprng).unwrap();
+    let (token, alpha) = blind_shim::<_, RistrettoPoint>(&input[..], &mut csprng).unwrap();
     let salt_bytes = arr![
         u8; 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
         24, 25, 26, 27, 28, 29, 30, 31, 32,
     ];
     let salt = RistrettoPoint::from_scalar_slice(&salt_bytes).unwrap();
-    let beta = generate_oprf2_shim::<RistrettoPoint>(alpha, &salt).unwrap();
+    let beta = evaluate_shim::<RistrettoPoint>(alpha, &salt).unwrap();
 
-    c.bench_function("generate_oprf3 with Ristretto", move |b| {
+    c.bench_function("unblind_and_finalize with Ristretto", move |b| {
         b.iter(|| {
-            let _res = generate_oprf3_shim::<RistrettoPoint, Sha256>(input, beta, &blinding_factor)
-                .unwrap();
+            let _res = unblind_and_finalize_shim::<RistrettoPoint, Sha256>(&token, beta).unwrap();
         })
     });
 }
@@ -113,21 +97,17 @@ fn oprf3_edwards(c: &mut Criterion) {
     let mut csprng: ThreadRng = thread_rng();
     let input = b"hunter2";
 
-    let OprfClientBytes {
-        alpha,
-        blinding_factor,
-    } = generate_oprf1_shim::<_, EdwardsPoint>(&input[..], None, &mut csprng).unwrap();
+    let (token, alpha) = blind_shim::<_, EdwardsPoint>(&input[..], &mut csprng).unwrap();
     let salt_bytes = arr![
         u8; 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
         24, 25, 26, 27, 28, 29, 30, 31, 32,
     ];
     let salt = RistrettoPoint::from_scalar_slice(&salt_bytes).unwrap();
-    let beta = generate_oprf2_shim::<EdwardsPoint>(alpha, &salt).unwrap();
+    let beta = evaluate_shim::<EdwardsPoint>(alpha, &salt).unwrap();
 
-    c.bench_function("generate_oprf3 with Edwards", move |b| {
+    c.bench_function("unblind_and_finalize with Edwards", move |b| {
         b.iter(|| {
-            let _res =
-                generate_oprf3_shim::<EdwardsPoint, Sha256>(input, beta, &blinding_factor).unwrap();
+            let _res = unblind_and_finalize_shim::<EdwardsPoint, Sha256>(&token, beta).unwrap();
         })
     });
 }

src/lib.rs

@@ -89,7 +89,6 @@
 //! let mut client_rng = OsRng;
 //! let (r1, client_state) = ClientRegistration::<Default>::start(
 //!     b"password",
-//!     Some(b"pepper"),
 //!     &mut client_rng,
 //! )?;
 //! # Ok::<(), ProtocolError>(())
@@ -119,7 +118,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! use opaque_ke::opaque::ServerRegistration;
@@ -153,7 +151,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! # let mut server_rng = OsRng;
@@ -188,7 +185,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! # let mut server_rng = OsRng;
@@ -232,7 +228,6 @@
 //! let mut client_rng = OsRng;
 //! let (l1, client_state) = ClientLogin::<Default>::start(
 //!   b"password",
-//!   Some(b"pepper"),
 //!   &mut client_rng,
 //! )?;
 //! # Ok::<(), ProtocolError>(())
@@ -262,7 +257,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! # let mut server_rng = OsRng;
@@ -272,7 +266,6 @@
 //! # let password_file_bytes = server_state.finish(r3)?.to_bytes();
 //! # let (l1, client_state) = ClientLogin::<Default>::start(
 //! #   b"password",
-//! #   Some(b"pepper"),
 //! #   &mut client_rng,
 //! # )?;
 //! use opaque_ke::opaque::ServerLogin;
@@ -308,7 +301,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! # let mut server_rng = OsRng;
@@ -318,7 +310,6 @@
 //! # let password_file_bytes = server_state.finish(r3)?.to_bytes();
 //! # let (l1, client_state) = ClientLogin::<Default>::start(
 //! #   b"password",
-//! #   Some(b"pepper"),
 //! #   &mut client_rng,
 //! # )?;
 //! # use std::convert::TryFrom;
@@ -365,7 +356,6 @@
 //! # let mut client_rng = OsRng;
 //! # let (r1, client_state) = ClientRegistration::<Default>::start(
 //! #     b"password",
-//! #     Some(b"pepper"),
 //! #     &mut client_rng,
 //! # )?;
 //! # let mut server_rng = OsRng;
@@ -375,7 +365,6 @@
 //! # let password_file_bytes = server_state.finish(r3)?.to_bytes();
 //! # let (l1, client_state) = ClientLogin::<Default>::start(
 //! #   b"password",
-//! #   Some(b"pepper"),
 //! #   &mut client_rng,
 //! # )?;
 //! # use std::convert::TryFrom;

src/map_to_curve.rs

@@ -15,19 +15,22 @@ use sha2::{Sha256, Sha512};
 /// A subtrait of Group specifying how to hash a password into a point
 pub trait GroupWithMapToCurve: Group {
     /// transforms a password and optional pepper into a curve point
-    fn map_to_curve(password: &[u8], pepper: Option<&[u8]>) -> Self;
+    fn map_to_curve(password: &[u8], dst: Option<&[u8]>) -> Self;
 }
 
+// TODO: incorporate expand_message_xmd from https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.txt
+// instead of using HKDF-extract here
+
 impl GroupWithMapToCurve for RistrettoPoint {
-    fn map_to_curve(password: &[u8], pepper: Option<&[u8]>) -> Self {
-        let (hashed_input, _) = Hkdf::<Sha512>::extract(pepper, password);
+    fn map_to_curve(password: &[u8], dst: Option<&[u8]>) -> Self {
+        let (hashed_input, _) = Hkdf::<Sha512>::extract(dst, password);
         <Self as Group>::hash_to_curve(&hashed_input)
     }
 }
 
 impl GroupWithMapToCurve for EdwardsPoint {
-    fn map_to_curve(password: &[u8], pepper: Option<&[u8]>) -> Self {
-        let (hashed_input, _) = Hkdf::<Sha256>::extract(pepper, password);
+    fn map_to_curve(password: &[u8], dst: Option<&[u8]>) -> Self {
+        let (hashed_input, _) = Hkdf::<Sha256>::extract(dst, password);
         <Self as Group>::hash_to_curve(&hashed_input)
     }
 }