RFC Errata
RFC 9497, "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups", December 2023
Source of RFC: IRTF
Errata ID: 7999
Status: Reported
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Quanwei Cai
Date Reported: 2024-06-24
Edited by: Nick Sullivan
Date Edited: 2025-01-18
Section 3.3.3 says:
evaluatedElement = G.ScalarInverse(t) * blindedElement
It should say:
evaluatedElement = t * blindedElement
Notes:
This appears in def BlindEvaluate(skS, blindedElement, info). It seems that evaluatedElement = t * blindedElement, which is consistent with tweakedKey = t * G.Generator().
Verified on CFRG list by co-author with note: I would also change "0" to "seq = 0"