Allow specifying OPRF client seed

Author: DJAndries

examples_test.go

@@ -108,7 +108,7 @@ func Example_serverSetup() {
 		log.Fatalln(err)
 	}
 
-	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed, nil); err != nil {
 		log.Fatalln(err)
 	}
 
@@ -234,13 +234,16 @@ func Example_registration() {
 		// The server creates a database entry for the client and creates a credential identifier that must absolutely
 		// be unique among all clients.
 		credID = opaque.RandomBytes(64)
-		pks, err := server.Deserialize.DecodeAkePublicKey(serverPublicKey)
-		if err != nil {
+
+		if err = server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed, nil); err != nil {
 			log.Fatalln(err)
 		}
 
 		// The server uses its public key and secret OPRF seed created at the setup.
-		response := server.RegistrationResponse(request, pks, credID, secretOprfSeed)
+		response, err := server.RegistrationResponse(request, credID)
+		if err != nil {
+			log.Fatalln(err)
+		}
 
 		// The server responds with its serialized response.
 		message2 = response.Serialize()
@@ -310,7 +313,7 @@ func Example_loginKeyExchange() {
 		log.Fatalln(err)
 	}
 
-	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+	if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed, nil); err != nil {
 		log.Fatalln(err)
 	}
 
@@ -426,7 +429,7 @@ func Example_fakeResponse() {
 			log.Fatalln(err)
 		}
 
-		if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed); err != nil {
+		if err := server.SetKeyMaterial(serverID, serverPrivateKey, serverPublicKey, secretOprfSeed, nil); err != nil {
 			log.Fatalln(err)
 		}
 

server.go

@@ -58,6 +58,11 @@ type keyMaterial struct {
 	serverSecretKey *ecc.Scalar
 	serverPublicKey []byte
 	oprfSeed        []byte
+	oprfClientSeed  []byte
+}
+
+type OPRFSeedOptions struct {
+	OPRFSeed []byte
 }
 
 // NewServer returns a Server instantiation given the application Configuration.
@@ -84,49 +89,67 @@ func (s *Server) GetConf() *internal.Configuration {
 	return s.conf
 }
 
-func (s *Server) oprfResponse(element *ecc.Element, oprfSeed, credentialIdentifier []byte) *ecc.Element {
-	seed := s.conf.KDF.Expand(
-		oprfSeed,
-		encoding.SuffixString(credentialIdentifier, tag.ExpandOPRF),
-		internal.SeedLength,
-	)
+func (s *Server) oprfResponse(element *ecc.Element, credentialIdentifier []byte) (*ecc.Element, error) {
+	if s.keyMaterial == nil {
+		return nil, fmt.Errorf("key material must be specified")
+	}
+	seed := s.keyMaterial.oprfClientSeed
+	if seed == nil {
+		if s.keyMaterial.oprfSeed == nil {
+			return nil, fmt.Errorf("OPRF seed must be specified")
+		}
+		seed = s.conf.KDF.Expand(
+			s.keyMaterial.oprfSeed,
+			encoding.SuffixString(credentialIdentifier, tag.ExpandOPRF),
+			internal.SeedLength,
+		)
+	}
 	ku := s.conf.OPRF.DeriveKey(seed, []byte(tag.DeriveKeyPair))
 
-	return s.conf.OPRF.Evaluate(ku, element)
+	return s.conf.OPRF.Evaluate(ku, element), nil
 }
 
 // RegistrationResponse returns a RegistrationResponse message to the input RegistrationRequest message and given
 // identifiers.
 func (s *Server) RegistrationResponse(
 	req *message.RegistrationRequest,
-	serverPublicKey *ecc.Element,
-	credentialIdentifier, oprfSeed []byte,
-) *message.RegistrationResponse {
-	z := s.oprfResponse(req.BlindedMessage, oprfSeed, credentialIdentifier)
+	credentialIdentifier []byte,
+) (*message.RegistrationResponse, error) {
+	z, err := s.oprfResponse(req.BlindedMessage, credentialIdentifier)
+	if err != nil {
+		return nil, err
+	}
+
+	serverPublicKey := s.conf.Group.NewElement()
+	if err := serverPublicKey.Decode(s.keyMaterial.serverPublicKey); err != nil {
+		return nil, fmt.Errorf("invalid server public key: %w", err)
+	}
 
 	return &message.RegistrationResponse{
 		EvaluatedMessage: z,
 		Pks:              serverPublicKey,
-	}
+	}, nil
 }
 
 func (s *Server) credentialResponse(
 	req *message.CredentialRequest,
-	serverPublicKey []byte,
 	record *message.RegistrationRecord,
-	credentialIdentifier, oprfSeed, maskingNonce []byte,
-) *message.CredentialResponse {
-	z := s.oprfResponse(req.BlindedMessage, oprfSeed, credentialIdentifier)
+	credentialIdentifier, maskingNonce []byte,
+) (*message.CredentialResponse, error) {
+	z, err := s.oprfResponse(req.BlindedMessage, credentialIdentifier)
+	if err != nil {
+		return nil, err
+	}
 
 	maskingNonce, maskedResponse := masking.Mask(
 		s.conf,
 		maskingNonce,
 		record.MaskingKey,
-		serverPublicKey,
+		s.keyMaterial.serverPublicKey,
 		record.Envelope,
 	)
 
-	return message.NewCredentialResponse(z, maskingNonce, maskedResponse)
+	return message.NewCredentialResponse(z, maskingNonce, maskedResponse), nil
 }
 
 // GenerateKE2Options enables setting optional values for the session, which default to secure random values if not
@@ -160,7 +183,7 @@ func getGenerateKE2Options(options []GenerateKE2Options) *ake.Options {
 // - serverSecretKey is the server's secret AKE key.
 // - serverPublicKey is the server's public AKE key to the serverSecretKey.
 // - oprfSeed is the long-term OPRF input seed.
-func (s *Server) SetKeyMaterial(serverIdentity, serverSecretKey, serverPublicKey, oprfSeed []byte) error {
+func (s *Server) SetKeyMaterial(serverIdentity, serverSecretKey, serverPublicKey, oprfSeed []byte, oprfClientSeed []byte) error {
 	sks := s.conf.Group.NewScalar()
 	if err := sks.Decode(serverSecretKey); err != nil {
 		return fmt.Errorf("invalid server AKE secret key: %w", err)
@@ -170,7 +193,15 @@ func (s *Server) SetKeyMaterial(serverIdentity, serverSecretKey, serverPublicKey
 		return ErrZeroSKS
 	}
 
-	if len(oprfSeed) != s.conf.Hash.Size() {
+	if oprfSeed != nil {
+		if len(oprfSeed) != s.conf.Hash.Size() {
+			return ErrInvalidOPRFSeedLength
+		}
+	} else if oprfClientSeed != nil {
+		if len(oprfClientSeed) != internal.SeedLength {
+			return ErrInvalidOPRFSeedLength
+		}
+	} else {
 		return ErrInvalidOPRFSeedLength
 	}
 
@@ -187,6 +218,7 @@ func (s *Server) SetKeyMaterial(serverIdentity, serverSecretKey, serverPublicKey
 		serverSecretKey: sks,
 		serverPublicKey: serverPublicKey,
 		oprfSeed:        oprfSeed,
+		oprfClientSeed:  oprfClientSeed,
 	}
 
 	return nil
@@ -211,8 +243,11 @@ func (s *Server) GenerateKE2(
 
 	op := getGenerateKE2Options(options)
 
-	response := s.credentialResponse(ke1.CredentialRequest, s.keyMaterial.serverPublicKey,
-		record.RegistrationRecord, record.CredentialIdentifier, s.keyMaterial.oprfSeed, record.TestMaskNonce)
+	response, err := s.credentialResponse(ke1.CredentialRequest,
+		record.RegistrationRecord, record.CredentialIdentifier, record.TestMaskNonce)
+	if err != nil {
+		return nil, err
+	}
 
 	identities := ake.Identities{
 		ClientIdentity: record.ClientIdentity,

tests/client_test.go

@@ -40,15 +40,15 @@ func TestClientRegistrationFinalize_InvalidPks(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		_, pks := conf.conf.KeyGen()
+		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
 		r1 := client.RegistrationInit([]byte("yo"))
 
-		pk := server.GetConf().Group.NewElement()
-		if err := pk.Decode(pks); err != nil {
-			panic(err)
+		server.SetKeyMaterial([]byte("server"), sks, pks, oprfSeed, nil)
+		r2, err := server.RegistrationResponse(r1, credID)
+		if err != nil {
+			t.Fatalf("failed to generate registration response: %v", err)
 		}
-		r2 := server.RegistrationResponse(r1, pk, credID, oprfSeed)
 
 		// message length
 		badr2 := internal.RandomBytes(15)
@@ -127,11 +127,11 @@ func TestClientFinish_BadMaskedResponse(t *testing.T) {
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
 
-		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed, nil); err != nil {
 			t.Fatal(err)
 		}
 
-		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
+		rec := buildRecord(credID, oprfSeed, []byte("yo"), sks, pks, client, server, false)
 
 		ke1 := client.GenerateKE1([]byte("yo"))
 		ke2, _ := server.GenerateKE2(ke1, rec)
@@ -173,11 +173,11 @@ func TestClientFinish_InvalidEnvelopeTag(t *testing.T) {
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
 
-		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed, nil); err != nil {
 			t.Fatal(err)
 		}
 
-		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
+		rec := buildRecord(credID, oprfSeed, []byte("yo"), sks, pks, client, server, false)
 
 		ke1 := client.GenerateKE1([]byte("yo"))
 		ke2, _ := server.GenerateKE2(ke1, rec)
@@ -231,11 +231,11 @@ func TestClientFinish_InvalidKE2KeyEncoding(t *testing.T) {
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
 
-		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed, nil); err != nil {
 			t.Fatal(err)
 		}
 
-		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
+		rec := buildRecord(credID, oprfSeed, []byte("yo"), sks, pks, client, server, false)
 
 		ke1 := client.GenerateKE1([]byte("yo"))
 		ke2, _ := server.GenerateKE2(ke1, rec)
@@ -314,11 +314,11 @@ func TestClientFinish_InvalidKE2Mac(t *testing.T) {
 		sks, pks := conf.conf.KeyGen()
 		oprfSeed := internal.RandomBytes(conf.conf.Hash.Size())
 
-		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed); err != nil {
+		if err := server.SetKeyMaterial(nil, sks, pks, oprfSeed, nil); err != nil {
 			log.Fatal(err)
 		}
 
-		rec := buildRecord(credID, oprfSeed, []byte("yo"), pks, client, server)
+		rec := buildRecord(credID, oprfSeed, []byte("yo"), sks, pks, client, server, false)
 
 		ke1 := client.GenerateKE1([]byte("yo"))
 		ke2, _ := server.GenerateKE2(ke1, rec)

tests/helper_test.go

@@ -173,9 +173,10 @@ func getBadScalar(t *testing.T, c *configuration) []byte {
 }
 
 func buildRecord(
-	credID, oprfSeed, password, pks []byte,
+	credID, oprfSeed, password, sks, pks []byte,
 	client *opaque.Client,
 	server *opaque.Server,
+	noServerID bool,
 ) *opaque.ClientRecord {
 	conf := server.GetConf()
 	r1 := client.RegistrationInit(password)
@@ -184,8 +185,18 @@ func buildRecord(
 	if err := pk.Decode(pks); err != nil {
 		panic(err)
 	}
+	var serverID []byte
+	if !noServerID {
+		serverID = []byte("server")
+	}
 
-	r2 := server.RegistrationResponse(r1, pk, credID, oprfSeed)
+	if err := server.SetKeyMaterial(serverID, sks, pks, oprfSeed, nil); err != nil {
+		panic(err)
+	}
+	r2, err := server.RegistrationResponse(r1, credID)
+	if err != nil {
+		panic(err)
+	}
 	r3, _ := client.RegistrationFinalize(r2)
 
 	return &opaque.ClientRecord{

tests/opaque_test.go

@@ -89,13 +89,15 @@ func testRegistration(t *testing.T, p *testParams) (*opaque.Client, *opaque.Serv
 		}
 
 		credID = internal.RandomBytes(32)
-		pks, err := server.Deserialize.DecodeAkePublicKey(p.serverPublicKey)
+
+		if err := server.SetKeyMaterial(p.serverID, p.serverSecretKey, p.serverPublicKey, p.oprfSeed, nil); err != nil {
+			t.Fatalf(dbgErr, err)
+		}
+		respReg, err := server.RegistrationResponse(m1, credID)
 		if err != nil {
 			t.Fatalf(dbgErr, err)
 		}
 
-		respReg := server.RegistrationResponse(m1, pks, credID, p.oprfSeed)
-
 		m2s = respReg.Serialize()
 	}
 
@@ -152,7 +154,7 @@ func testAuthentication(
 	var state []byte
 	server, _ := p.Server()
 	{
-		if err := server.SetKeyMaterial(p.serverID, p.serverSecretKey, p.serverPublicKey, p.oprfSeed); err != nil {
+		if err := server.SetKeyMaterial(p.serverID, p.serverSecretKey, p.serverPublicKey, p.oprfSeed, nil); err != nil {
 			t.Fatal(err)
 		}