oprf/protocol/mod.rs
1//! # 3. Protocol
2//!
3//!
4//! In this section, we define and describe three protocol variants
5//! referred to as the OPRF, VOPRF, and POPRF modes. Each of these
6//! variants involve two messages between client and server but differ
7//! slightly in terms of the security properties; see Section 7.1 for
8//! more information. A high level description of the functionality of
9//! each mode follows.
10//!
11//! In the OPRF mode, a client and server interact to compute output =
12//! F(skS, input), where input is the client's private input, skS is the
13//! server's private key, and output is the OPRF output. After the
14//! execution of the protocol, the client learns output and the server
15//! learns nothing. This interaction is shown below.
16//!
17//! ``` text
18//! Client(input) Server(skS)
19//! -------------------------------------------------------------------
20//! blind, blindedElement = Blind(input)
21//!
22//! blindedElement
23//! ---------->
24//!
25//! evaluatedElement = BlindEvaluate(skS, blindedElement)
26//!
27//! evaluatedElement
28//! <----------
29//!
30//! output = Finalize(input, blind, evaluatedElement)
31//!
32//! Figure 1: OPRF protocol overview
33//! ```
34//!
35//! In the VOPRF mode, the client additionally receives proof that the
36//! server used skS in computing the function. To achieve verifiability,
37//! as in [JKK14], the server provides a zero-knowledge proof that the
38//! key provided as input by the server in the BlindEvaluate function is
39//! the same key as it used to produce the server's public key, pkS,
40//! which the client receives as input to the protocol. This proof does
41//! not reveal the server's private key to the client. This interaction
42//! is shown below.
43//!
44//! ``` text
45//! Client(input, pkS) <---- pkS ------ Server(skS, pkS)
46//! -------------------------------------------------------------------
47//! blind, blindedElement = Blind(input)
48//!
49//! blindedElement
50//! ---------->
51//!
52//! evaluatedElement, proof = BlindEvaluate(skS, pkS,
53//! blindedElement)
54//!
55//! evaluatedElement, proof
56//! <----------
57//!
58//! output = Finalize(input, blind, evaluatedElement,
59//! blindedElement, pkS, proof)
60//!
61//! Figure 2: VOPRF protocol overview with additional proof
62//! ```
63//!
64//! The POPRF mode extends the VOPRF mode such that the client and server
65//! can additionally provide a public input info that is used in
66//! computing the pseudorandom function. That is, the client and server
67//! interact to compute output = F(skS, input, info) as is shown below.
68//!
69//! ``` text
70//! Client(input, pkS, info) <---- pkS ------ Server(skS, pkS, info)
71//! -------------------------------------------------------------------
72//! blind, blindedElement, tweakedKey = Blind(input, info, pkS)
73//!
74//! blindedElement
75//! ---------->
76//!
77//! evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
78//! info)
79//! ```
80//!
81//! ```text
82//! evaluatedElement, proof
83//! <----------
84//!
85//! output = Finalize(input, blind, evaluatedElement,
86//! blindedElement, proof, info, tweakedKey)
87//!
88//! Figure 3: POPRF protocol overview with additional public input
89//! ```
90//!
91//! Each protocol consists of an offline setup phase and an online phase,
92//! described in Section 3.2 and Section 3.3, respectively.
93//! Configuration details for the offline phase are described in
94//! Section 3.1.
95
96pub mod configuration;