hofmann-rfc 2.0.0

Rust implementation of RFC 9380 (Hash-to-Curve), RFC 9497 (OPRF), and RFC 9807 (OPAQUE)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

use crate::common::{concat, xor};
use crate::opaque::config::OpaqueConfig;
use crate::opaque::config::NN;
use crate::opaque::internal::opaque_envelope::{self, RecoverResult};
use crate::opaque::internal::opaque_oprf;
use crate::opaque::model::*;

/// Client creates a registration request by blinding the password.
pub fn create_registration_request(
    password: &[u8],
    config: &OpaqueConfig,
    rng: &mut dyn rand_core::CryptoRngCore,
) -> ClientRegistrationState {
    let blind = config.cipher_suite().oprf_suite().random_scalar(rng);
    create_registration_request_with_blind(password, &blind, config)
}

/// Client creates a registration request with a given blinding factor (for deterministic testing).
pub fn create_registration_request_with_blind(
    password: &[u8],
    blind: &[u8],
    config: &OpaqueConfig,
) -> ClientRegistrationState {
    let blinded_element = opaque_oprf::blind(config.cipher_suite(), password, blind);
    ClientRegistrationState {
        blind: blind.to_vec(),
        password: password.to_vec(),
        request: RegistrationRequest { blinded_element },
    }
}

/// Server creates a registration response: evaluates OPRF and includes server public key.
pub fn create_registration_response(
    config: &OpaqueConfig,
    request: &RegistrationRequest,
    server_public_key: &[u8],
    credential_identifier: &[u8],
    oprf_seed: &[u8],
) -> Result<RegistrationResponse, &'static str> {
    let oprf_key =
        opaque_oprf::derive_oprf_key(config.cipher_suite(), oprf_seed, credential_identifier);
    let evaluated_element =
        opaque_oprf::blind_evaluate(config.cipher_suite(), &oprf_key, &request.blinded_element)?;
    Ok(RegistrationResponse {
        evaluated_element,
        server_public_key: server_public_key.to_vec(),
    })
}

/// Client finalizes registration: derives randomized_pwd, stores envelope.
pub fn finalize_registration(
    state: &ClientRegistrationState,
    response: &RegistrationResponse,
    server_identity: Option<&[u8]>,
    client_identity: Option<&[u8]>,
    config: &OpaqueConfig,
    rng: &mut dyn rand_core::CryptoRngCore,
) -> Result<RegistrationRecord, &'static str> {
    let mut nonce = vec![0u8; NN];
    rng.fill_bytes(&mut nonce);
    finalize_registration_with_nonce(
        state,
        response,
        server_identity,
        client_identity,
        config,
        &nonce,
    )
}

/// Client finalizes registration with a provided nonce (for deterministic testing).
pub fn finalize_registration_with_nonce(
    state: &ClientRegistrationState,
    response: &RegistrationResponse,
    server_identity: Option<&[u8]>,
    client_identity: Option<&[u8]>,
    config: &OpaqueConfig,
    envelope_nonce: &[u8],
) -> Result<RegistrationRecord, &'static str> {
    let randomized_pwd = derive_randomized_pwd(
        &state.password,
        &state.blind,
        &response.evaluated_element,
        config,
    )?;

    let stored = opaque_envelope::store(
        config,
        &randomized_pwd,
        &response.server_public_key,
        server_identity,
        client_identity,
        envelope_nonce,
    );

    Ok(RegistrationRecord {
        client_public_key: stored.client_public_key,
        masking_key: stored.masking_key,
        envelope: stored.envelope,
    })
}

/// Server creates a credential response for authentication.
pub fn create_credential_response_with_nonce(
    config: &OpaqueConfig,
    request: &CredentialRequest,
    server_public_key: &[u8],
    record: &RegistrationRecord,
    credential_identifier: &[u8],
    oprf_seed: &[u8],
    masking_nonce: &[u8],
) -> Result<CredentialResponse, &'static str> {
    let oprf_key =
        opaque_oprf::derive_oprf_key(config.cipher_suite(), oprf_seed, credential_identifier);
    let evaluated_element =
        opaque_oprf::blind_evaluate(config.cipher_suite(), &oprf_key, &request.blinded_element)?;

    // pad = HKDF-Expand(masking_key, masking_nonce || "CredentialResponsePad", Npk + Nn + Nm)
    let pad_info = concat(&[masking_nonce, b"CredentialResponsePad"]);
    let pad = config.cipher_suite().hkdf_expand(
        &record.masking_key,
        &pad_info,
        config.masked_response_size(),
    );

    // plaintext = server_public_key || envelope_nonce || auth_tag
    let plaintext = concat(&[server_public_key, &record.envelope.serialize()]);
    let masked_response = xor(&pad, &plaintext);

    Ok(CredentialResponse {
        evaluated_element,
        masking_nonce: masking_nonce.to_vec(),
        masked_response,
    })
}

/// Client recovers credentials from the credential response during authentication.
pub fn recover_credentials(
    password: &[u8],
    blind: &[u8],
    response: &CredentialResponse,
    server_identity: Option<&[u8]>,
    client_identity: Option<&[u8]>,
    config: &OpaqueConfig,
) -> Result<RecoverResult, &'static str> {
    let randomized_pwd =
        derive_randomized_pwd(password, blind, &response.evaluated_element, config)?;

    // Recover masking_key = Expand(randomized_pwd, "MaskingKey", Nh)
    let masking_key =
        config
            .cipher_suite()
            .hkdf_expand(&randomized_pwd, b"MaskingKey", config.nh());

    // The masked response is supplied by the (untrusted) server. Validate its
    // length before unmasking so a short value cannot panic the client: xor
    // requires equal lengths, and the subsequent slices assume the full layout
    // server_public_key (Npk) || envelope_nonce (Nn) || auth_tag (Nm).
    if response.masked_response.len() != config.masked_response_size() {
        return Err("invalid masked response length");
    }

    // Unmask
    let pad_info = concat(&[&response.masking_nonce, b"CredentialResponsePad"]);
    let pad =
        config
            .cipher_suite()
            .hkdf_expand(&masking_key, &pad_info, config.masked_response_size());
    let plaintext = xor(&pad, &response.masked_response);

    // Extract server_public_key || envelope
    let server_public_key = plaintext[..config.npk()].to_vec();
    let envelope = Envelope::deserialize(&plaintext, config.npk(), NN, config.nm())?;

    opaque_envelope::recover(
        config,
        &randomized_pwd,
        &server_public_key,
        &envelope,
        server_identity,
        client_identity,
    )
}

/// Derives randomized password from OPRF output.
///
/// Returns `Err` if `evaluated_element` (from the server) is not a valid
/// non-identity group element.
pub fn derive_randomized_pwd(
    password: &[u8],
    blind: &[u8],
    evaluated_element: &[u8],
    config: &OpaqueConfig,
) -> Result<Vec<u8>, &'static str> {
    let oprf_output =
        opaque_oprf::finalize(config.cipher_suite(), password, blind, evaluated_element)?;
    let stretched_output = config.stretch_password(&oprf_output);
    Ok(config
        .cipher_suite()
        .hkdf_extract(&[], &concat(&[&oprf_output, &stretched_output])))
}