RFC Errata
RFC 9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups", December 2023
Source of RFC: IRTF
Errata ID: 7999
Status: Rejected
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Quanwei Cai
Date Reported: 2024-06-24
Rejected by: Nick Sullivan
Date Rejected: 2026-01-27
Section 3.3.3 says:
evaluatedElement = G.ScalarInverse(t) * blindedElement
It should say:
evaluatedElement = t * blindedElement
Notes:
This appears in def BlindEvaluate(skS, blindedElement, info). It seems that the evaluatedElement=t * blindedElement, which is consistent with tweakedKey = t * G.Generator()
Verified on CFRG list by co-author with note: I would also change "0" to "seq = 0"
--VERIFIER NOTES--
No change needed. RFC 9497 defines GenerateProof(k, A, B, C, D) to prove k*A = B and k*C[i] = D[i] (Section 2.2.1). In POPRF BlindEvaluate (Section 3.3.3) the proof is generated as GenerateProof(t, G.Generator(), tweakedKey, evaluatedElements, blindedElements), so the element relation being proven is t*evaluatedElement = blindedElement. This is consistent with evaluatedElement being defined as ScalarInverse(t) * blindedElement, since t*(ScalarInverse(t)*blindedElement) = blindedElement. The likely source of confusion is comparing with VOPRF, where the proof wiring uses the opposite direction for the element lists.