I'm trying out verifypal to prove some PAKE protocols, and I'm struggling with OPRF using passwords for blind salt, as in OPAQUE.
- I cannot find out how to invert a scalar (the blinding factor, as I want to compute
HASH(pwd)^r^k^(1/r) )
- the verifier is unhappy because
HASH(pwd)^r reveals the password. Ideally I want H2C(HASH(pwd))^r, I'm not sure how to communicate that to verifypal, but I guess that shouldn't reveal the password if r remains secret?
I'm trying out verifypal to prove some PAKE protocols, and I'm struggling with OPRF using passwords for blind salt, as in OPAQUE.
HASH(pwd)^r^k^(1/r))HASH(pwd)^rreveals the password. Ideally I wantH2C(HASH(pwd))^r, I'm not sure how to communicate that to verifypal, but I guess that shouldn't reveal the password ifrremains secret?