1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
//! # 3. Protocol
//!
//!
//! In this section, we define and describe three protocol variants
//! referred to as the OPRF, VOPRF, and POPRF modes. Each of these
//! variants involve two messages between client and server but differ
//! slightly in terms of the security properties; see Section 7.1 for
//! more information. A high level description of the functionality of
//! each mode follows.
//!
//! In the OPRF mode, a client and server interact to compute output =
//! F(skS, input), where input is the client's private input, skS is the
//! server's private key, and output is the OPRF output. After the
//! execution of the protocol, the client learns output and the server
//! learns nothing. This interaction is shown below.
//!
//! ``` text
//! Client(input) Server(skS)
//! -------------------------------------------------------------------
//! blind, blindedElement = Blind(input)
//!
//! blindedElement
//! ---------->
//!
//! evaluatedElement = BlindEvaluate(skS, blindedElement)
//!
//! evaluatedElement
//! <----------
//!
//! output = Finalize(input, blind, evaluatedElement)
//!
//! Figure 1: OPRF protocol overview
//! ```
//!
//! In the VOPRF mode, the client additionally receives proof that the
//! server used skS in computing the function. To achieve verifiability,
//! as in [JKK14], the server provides a zero-knowledge proof that the
//! key provided as input by the server in the BlindEvaluate function is
//! the same key as it used to produce the server's public key, pkS,
//! which the client receives as input to the protocol. This proof does
//! not reveal the server's private key to the client. This interaction
//! is shown below.
//!
//! ``` text
//! Client(input, pkS) <---- pkS ------ Server(skS, pkS)
//! -------------------------------------------------------------------
//! blind, blindedElement = Blind(input)
//!
//! blindedElement
//! ---------->
//!
//! evaluatedElement, proof = BlindEvaluate(skS, pkS,
//! blindedElement)
//!
//! evaluatedElement, proof
//! <----------
//!
//! output = Finalize(input, blind, evaluatedElement,
//! blindedElement, pkS, proof)
//!
//! Figure 2: VOPRF protocol overview with additional proof
//! ```
//!
//! The POPRF mode extends the VOPRF mode such that the client and server
//! can additionally provide a public input info that is used in
//! computing the pseudorandom function. That is, the client and server
//! interact to compute output = F(skS, input, info) as is shown below.
//!
//! ``` text
//! Client(input, pkS, info) <---- pkS ------ Server(skS, pkS, info)
//! -------------------------------------------------------------------
//! blind, blindedElement, tweakedKey = Blind(input, info, pkS)
//!
//! blindedElement
//! ---------->
//!
//! evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
//! info)
//! ```
//!
//! ```text
//! evaluatedElement, proof
//! <----------
//!
//! output = Finalize(input, blind, evaluatedElement,
//! blindedElement, proof, info, tweakedKey)
//!
//! Figure 3: POPRF protocol overview with additional public input
//! ```
//!
//! Each protocol consists of an offline setup phase and an online phase,
//! described in Section 3.2 and Section 3.3, respectively.
//! Configuration details for the offline phase are described in
//! Section 3.1.
pub mod configuration;