oprf/protocol/
mod.rs

1//! # 3. Protocol
2//!
3//!
4//! In this section, we define and describe three protocol variants
5//! referred to as the OPRF, VOPRF, and POPRF modes.  Each of these
6//! variants involve two messages between client and server but differ
7//! slightly in terms of the security properties; see Section 7.1 for
8//! more information.  A high level description of the functionality of
9//! each mode follows.
10//!
11//! In the OPRF mode, a client and server interact to compute output =
12//! F(skS, input), where input is the client's private input, skS is the
13//! server's private key, and output is the OPRF output.  After the
14//! execution of the protocol, the client learns output and the server
15//! learns nothing.  This interaction is shown below.
16//!
17//! ``` text
18//!     Client(input)                                        Server(skS)
19//!   -------------------------------------------------------------------
20//!   blind, blindedElement = Blind(input)
21//!
22//!                                                      blindedElement
23//!                                                        ---------->
24//!
25//!                             evaluatedElement = BlindEvaluate(skS, blindedElement)
26//!
27//!                                                      evaluatedElement
28//!                                                        <----------
29//!
30//!   output = Finalize(input, blind, evaluatedElement)
31//!
32//!                                Figure 1: OPRF protocol overview
33//! ```
34//!
35//! In the VOPRF mode, the client additionally receives proof that the
36//! server used skS in computing the function.  To achieve verifiability,
37//! as in [JKK14], the server provides a zero-knowledge proof that the
38//! key provided as input by the server in the BlindEvaluate function is
39//! the same key as it used to produce the server's public key, pkS,
40//! which the client receives as input to the protocol.  This proof does
41//! not reveal the server's private key to the client.  This interaction
42//! is shown below.
43//!
44//! ``` text
45//!     Client(input, pkS)       <---- pkS ------        Server(skS, pkS)
46//!   -------------------------------------------------------------------
47//!   blind, blindedElement = Blind(input)
48//!
49//!                                                      blindedElement
50//!                                                        ---------->
51//!
52//!                       evaluatedElement, proof = BlindEvaluate(skS, pkS,
53//!                                                                                                       blindedElement)
54//!
55//!                                              evaluatedElement, proof
56//!                                                        <----------
57//!
58//!   output = Finalize(input, blind, evaluatedElement,
59//!                                     blindedElement, pkS, proof)
60//!
61//! Figure 2: VOPRF protocol overview with additional proof
62//! ```
63//!
64//! The POPRF mode extends the VOPRF mode such that the client and server
65//! can additionally provide a public input info that is used in
66//! computing the pseudorandom function.  That is, the client and server
67//! interact to compute output = F(skS, input, info) as is shown below.
68//!
69//! ``` text
70//!     Client(input, pkS, info) <---- pkS ------  Server(skS, pkS, info)
71//!   -------------------------------------------------------------------
72//!   blind, blindedElement, tweakedKey = Blind(input, info, pkS)
73//!
74//!                                                      blindedElement
75//!                                                        ---------->
76//!
77//!              evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
78//!                                                                                              info)
79//! ```
80//!
81//! ```text
82//!                                              evaluatedElement, proof
83//!                                                        <----------
84//!
85//!   output = Finalize(input, blind, evaluatedElement,
86//!                                     blindedElement, proof, info, tweakedKey)
87//!
88//! Figure 3: POPRF protocol overview with additional public input
89//! ```
90//!
91//! Each protocol consists of an offline setup phase and an online phase,
92//! described in Section 3.2 and Section 3.3, respectively.
93//! Configuration details for the offline phase are described in
94//! Section 3.1.
95
96pub mod configuration;