rfc9380.original.xml   rfc9380.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!DOCTYPE rfc [
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.4.14 --> <!ENTITY nbsp "&#160;">
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> <!ENTITY zwsp "&#8203;">
<?rfc toc="yes"?> <!ENTITY nbhy "&#8209;">
<?rfc sortrefs="yes"?> <!ENTITY wj "&#8288;">
<?rfc symrefs="yes"?> ]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-irtf-cfrg-hash-to-curve-16" category="info" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 2.42.0 --> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.35 (Ruby 3.0.2) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" number="9380" docName="draft-irtf-cfrg-hash-to-curve-16" category="info" submissionType="IRTF" consensus="true" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true"
<!-- xml2rfc v2v3 conversion 3.17.4 -->
<front> <front>
<title abbrev="hash-to-curve">Hashing to Elliptic Curves</title> <title>Hashing to Elliptic Curves</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hash-to-curve-16"/> <seriesInfo name="RFC" value="9380"/>
<author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernandez"> <author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernandez">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>armfazh@cloudflare.com</email> <email>armfazh@cloudflare.com</email>
</address> </address>
</author> </author>
<author initials="S." surname="Scott" fullname="Sam Scott"> <author initials="S." surname="Scott" fullname="Sam Scott">
<organization>Cornell Tech</organization> <organization>Oso Security, Inc.</organization>
<address> <address>
<postal> <postal>
<street>2 West Loop Rd</street> <street>335 Madison Ave</street>
<city>New York, New York 10044</city> <city>New York</city>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>sam.scott@cornell.edu</email> <email>sam.scott89@gmail.com</email>
</address> </address>
</author> </author>
<author initials="N." surname="Sullivan" fullname="Nick Sullivan"> <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>nick@cloudflare.com</email> <email>nicholas.sullivan@gmail.com</email>
</address> </address>
</author> </author>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby"> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
<address> <address>
<email>rsw@cs.stanford.edu</email> <email>rsw@cs.stanford.edu</email>
</address> </address>
</author> </author>
<author initials="C.A." surname="Wood" fullname="Christopher A. Wood"> <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>caw@heapingbits.net</email> <email>caw@heapingbits.net</email>
</address> </address>
</author> </author>
<date year="2022" month="June" day="15"/> <date year="2023" month="August"/>
<workgroup>CFRG</workgroup> <workgroup>Crypto Forum</workgroup>
<abstract> <abstract>
<t>This document specifies a number of algorithms for encoding or hashing <?line 1121?>
<t>This document specifies a number of algorithms for encoding or hashing an
arbitrary string to a point on an elliptic curve. This document is a product arbitrary string to a point on an elliptic curve. This document is a product
of the Crypto Forum Research Group (CFRG) in the IRTF.</t> of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>Discussion Venues</name>
<t>Discussion of this document takes place on the
Crypto Forum Research Group mailing list (cfrg@ietf.org),
which is archived at <eref target="https://mailarchive.ietf.org/arch/search/
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve"/>.</t>
</front> </front>
<middle> <middle>
<section anchor="introduction" numbered="true" toc="default"> <?line 1127?>
<section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Many cryptographic protocols require a procedure that encodes an arbitrary input, <t>Many cryptographic protocols require a procedure that encodes an arbitrary input,
e.g., a password, to a point on an elliptic curve. This procedure is known e.g., a password, to a point on an elliptic curve. This procedure is known
as hashing to an elliptic curve, where the hashing procedure provides collision as hashing to an elliptic curve, where the hashing procedure provides collision
resistance and does not reveal the discrete logarithm of the output point. resistance and does not reveal the discrete logarithm of the output point.
Prominent examples of cryptosystems that hash to elliptic curves include Prominent examples of cryptosystems that hash to elliptic curves include
password-authenticated key exchanges <xref target="BM92" format="default"/> <xref target="J96" format="default"/> <xref target="BMP00" format="default"/> <xref target="p1363.2" format="default"/>, Identity-Based password-authenticated key exchanges <xref target="BM92"/> <xref target="J96"/> <xref target="BMP00"/> <xref target="p1363.2"/>, Identity-Based
Encryption <xref target="BF01" format="default"/>, Boneh-Lynn-Shacham signatures <xref target="BLS01" format="default"/> <xref target="I-D.irtf-cfrg-bls-signature" format="default"/>, Encryption <xref target="BF01"/>, Boneh-Lynn-Shacham signatures <xref target="BLS01"/> <xref target="I-D.irtf-cfrg-bls-signature"/>,
Verifiable Random Functions <xref target="MRV99" format="default"/> <xref target="I-D.irtf-cfrg-vrf" format="default"/>, and Oblivious Pseudorandom Verifiable Random Functions <xref target="MRV99"/> <xref target="I-D.irtf-cfrg-vrf"/>, and Oblivious Pseudorandom
Functions <xref target="NR97" format="default"/> <xref target="I-D.irtf-cfrg-voprf" format="default"/>.</t> Functions <xref target="NR97"/> <xref target="I-D.irtf-cfrg-voprf"/>.</t>
<t>Unfortunately for implementors, the precise hash function that is suitable <t>Unfortunately for implementors, the precise hash function that is suitable
for a given protocol implemented using a given elliptic curve is often unclear for a given protocol implemented using a given elliptic curve is often unclear
from the protocol's description. Meanwhile, an incorrect choice of hash from the protocol's description. Meanwhile, an incorrect choice of hash
function can have disastrous consequences for security.</t> function can have disastrous consequences for security.</t>
<t>This document aims to bridge this gap by providing a comprehensive set of <t>This document aims to bridge this gap by providing a comprehensive set of
recommended algorithms for a range of curve types. recommended algorithms for a range of curve types.
Each algorithm conforms to a common interface: it takes as input an arbitrary-length Each algorithm conforms to a common interface: it takes as input an arbitrary-length
byte string and produces as output a point on an elliptic curve. byte string and produces as output a point on an elliptic curve.
We provide implementation details for each algorithm, describe We provide implementation details for each algorithm, describe
the security rationale behind each recommendation, and give guidance for the security rationale behind each recommendation, and give guidance for
elliptic curves that are not explicitly covered. We also present optimized elliptic curves that are not explicitly covered. We also present optimized
implementations for internal functions used by these algorithms.</t> implementations for internal functions used by these algorithms.</t>
<t>Readers wishing to quickly specify or implement a conforming hash function <t>Readers wishing to quickly specify or implement a conforming hash function
should consult <xref target="suites" format="default"/>, which lists recommended hash-to-curve suites should consult <xref target="suites"/>, which lists recommended hash-to-curve suites
and describes both how to implement an existing suite and how to specify and describes both how to implement an existing suite and how to specify
a new one.</t> a new one.</t>
<t>This document does not cover rejection sampling methods, sometimes referred to <t>This document does not specify probabilistic rejection sampling methods, sometimes
as "try-and-increment" or "hunt-and-peck," because the goal is to describe referred to as "try-and-increment" or "hunt-and-peck," because the
algorithms that can plausibly be computed in constant time. Use of these rejection goal is to specify algorithms that can plausibly be computed in
methods is NOT RECOMMENDED, because they have been a perennial cause of constant time. Use of these probabilistic rejection methods is <bcp14>NOT RECOMMENDED</bcp14>, because they have been a perennial cause of side-channel
side-channel vulnerabilities. See Dragonblood <xref target="VR20" format="default"/> as one example of this vulnerabilities. See Dragonblood <xref target="VR20"/> as one example of this
problem in practice, and see <xref target="related" format="default"/> for a further description of problem in practice, and see <xref target="related"/> for an informal description of rejection
rejection sampling methods.</t> sampling methods and the timing side-channels they introduce.</t>
<t>This document represents the consensus of the Crypto Forum Research Group (CFRG).</t> <t>This document represents the consensus of the Crypto Forum Research Group (CFRG).</t>
<section anchor="requirements-notation" numbered="true" toc="default"> <section anchor="requirements-notation">
<name>Requirements Notation</name> <name>Requirements Notation</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"MAY", and "OPTIONAL" in this document are to be interpreted as "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when, they described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t> appear in all capitals, as shown here.</t>
</section> <?line -18?>
</section> </section>
<section anchor="background" numbered="true" toc="default"> <section anchor="background">
<name>Background</name> <name>Background</name>
<section anchor="bg-curves" numbered="true" toc="default"> <section anchor="bg-curves">
<name>Elliptic curves</name> <name>Elliptic Curves</name>
<t>The following is a brief definition of elliptic curves, with an empha sis on <t>The following is a brief definition of elliptic curves, with an empha sis on
important parameters and their relation to hashing to curves. important parameters and their relation to hashing to curves.
For further reference on elliptic curves, consult <xref target="CFADLNV05" format="default"/> or <xref target="W08" format="default"/>.</t> For further reference on elliptic curves, consult <xref target="CFADLNV05"/> or <xref target="W08"/>.</t>
<t>Let F be the finite field GF(q) of prime characteristic p &gt; 3. <t>Let F be the finite field GF(q) of prime characteristic p &gt; 3.
(This document does not consider elliptic curves over fields of characteristic 2 or 3.) (This document does not consider elliptic curves over fields of characteristic 2 or 3.)
In most cases F is a prime field, so q = p. In most cases, F is a prime field, so q = p.
Otherwise, F is an extension field, so q = p^m for an integer m &gt; 1. Otherwise, F is an extension field, so q = p^m for an integer m &gt; 1.
This document writes elements of extension fields This document writes elements of extension fields
in a primitive element or polynomial basis, i.e., as a vector in a primitive element or polynomial basis, i.e., as a vector
of m elements of GF(p) written in ascending order by degree. of m elements of GF(p) written in ascending order by degree.
The entries of this vector are indexed in ascending order starting from 1, The entries of this vector are indexed in ascending order starting from 1,
i.e., x = (x_1, x_2, ..., x_m). i.e., x = (x_1, x_2, ..., x_m).
For example, if q = p^2 and the primitive element basis is (1, I), For example, if q = p^2 and the primitive element basis is (1, I),
then x = (a, b) corresponds to the element a + b * I, where then x = (a, b) corresponds to the element a + b * I, where
x_1 = a and x_2 = b. x_1 = a and x_2 = b.
(Note that all choices of basis are isomorphic, but certain choices may (Note that all choices of basis are isomorphic, but certain choices may
skipping to change at line 159 skipping to change at line 166
including (but not limited to) Weierstrass, Montgomery, and Edwards.</t> including (but not limited to) Weierstrass, Montgomery, and Edwards.</t>
<t>The curve E induces an algebraic group of order n, meaning that the g roup <t>The curve E induces an algebraic group of order n, meaning that the g roup
has n distinct elements. has n distinct elements.
(This document uses additive notation for the elliptic curve group operation.) (This document uses additive notation for the elliptic curve group operation.)
Elements of an elliptic curve group are points with affine coordinates (x, y) Elements of an elliptic curve group are points with affine coordinates (x, y)
satisfying the curve equation, where x and y are elements of F. satisfying the curve equation, where x and y are elements of F.
In addition, all elliptic curve groups have a distinguished element, the identity In addition, all elliptic curve groups have a distinguished element, the identity
point, which acts as the identity element for the group operation. point, which acts as the identity element for the group operation.
On certain curves (including Weierstrass and Montgomery curves), the identity On certain curves (including Weierstrass and Montgomery curves), the identity
point cannot be represented as an (x, y) coordinate pair.</t> point cannot be represented as an (x, y) coordinate pair.</t>
<t>For security reasons, cryptographic uses of elliptic curves generally require <t>For security reasons, cryptographic applications of elliptic curves generally require
using a (sub)group of prime order. using a (sub)group of prime order.
Let G be such a subgroup of the curve of prime order r, where n = h * r. Let G be such a subgroup of the curve of prime order r, where n = h * r.
In this equation, h is an integer called the cofactor. In this equation, h is an integer called the cofactor.
An algorithm that takes as input an arbitrary point on the curve E and An algorithm that takes as input an arbitrary point on the curve E and
produces as output a point in the subgroup G of E is said to "clear produces as output a point in the subgroup G of E is said to "clear
the cofactor." Such algorithms are discussed in <xref target="cofactor-clearing" format="default"/>.</t> the cofactor." Such algorithms are discussed in <xref target="cofactor-clearing"/>.</t>
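<t>Worked example added here (not code from the RFC): a toy short-Weierstrass curve y^2 = x^3 + 1 over GF(7) and the textbook curve y^2 = x^3 + 2x + 2 over GF(17), both constructed for illustration and not members of any suite in this document, are enumerated to show n = h * r and the effect of clearing the cofactor by multiplying an arbitrary point of E by h. The Curve class and the helpers largest_prime_factor, group_parameters, clear_cofactor and cofactor_cleared_image are this example's own names.</t>

```python
"""Toy short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p), p > 3, small
enough to enumerate.  Added example: the curves used below are constructed
for illustration and are not curves from the RFC's suites."""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the identity point O


class Curve:
    def __init__(self, p: int, a: int, b: int):
        if not (p > 3 and (4 * a ** 3 + 27 * b ** 2) % p != 0):
            raise ValueError("need p > 3 and a nonsingular curve")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Affine group law; O is handled explicitly because it has no (x, y)."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # P + (-P) = O; also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication (toy: not constant time)."""
        R: Point = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def points(self) -> List[Point]:
        """All n points of E, found by brute force (only sensible for tiny p)."""
        pts: List[Point] = [None]
        for x in range(self.p):
            for y in range(self.p):
                if self.on_curve((x, y)):
                    pts.append((x, y))
        return pts


def largest_prime_factor(n: int) -> int:
    """Trial division; r is usually the largest prime factor of n."""
    largest, m, f = 1, n, 2
    while m >= f * f:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest


def group_parameters(E: Curve) -> Tuple[int, int, int]:
    """Return (n, r, h) with n = h * r: curve order, prime subgroup order, cofactor."""
    n = len(E.points())
    r = largest_prime_factor(n)
    return n, r, n // r


def clear_cofactor(E: Curve, P: Point, h: int) -> Point:
    """Send an arbitrary point of E into the order-r subgroup G by multiplying by h."""
    return E.mul(h, P)


def cofactor_cleared_image(E: Curve) -> int:
    """Clear the cofactor on every point of E and return how many distinct
    points result; each must satisfy r * Q = O, and the count must be r."""
    n, r, h = group_parameters(E)
    image = {clear_cofactor(E, P, h) for P in E.points()}
    if any(E.mul(r, Q) is not None for Q in image):
        raise AssertionError("a cofactor-cleared point is not in G")
    return len(image)


if __name__ == "__main__":
    E = Curve(7, 0, 1)                # y^2 = x^3 + 1 over GF(7): n = 12 = 4 * 3
    print(group_parameters(E))        # (12, 3, 4)
    print(cofactor_cleared_image(E))  # 3
```

<t>For y^2 = x^3 + 1 over GF(7), n = 12 = 4 * 3, so r = 3 and h = 4; multiplying any of the 12 points by 4 lands in the three-element subgroup G = {O, (0, 1), (0, 6)}, while the GF(17) curve has prime order 19, h = 1, and cofactor clearing is the identity map. Because #F = 7 differs from n = 12, no deterministic mapping from F to E can be bijective, which is the observation made in the Mappings subsection.</t>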
<t>Certain hash-to-curve algorithms restrict the form of the curve equation, the <t>Certain hash-to-curve algorithms restrict the form of the curve equation, the
characteristic of the field, or the parameters of the curve. For each characteristic of the field, or the parameters of the curve. For each
algorithm presented, this document lists the relevant restrictions.</t> algorithm presented, this document lists the relevant restrictions.</t>
<t>The table below summarizes quantities relevant to hashing to curves:</t> <t>The table below summarizes quantities relevant to hashing to curves:</t>
<table anchor="definition-table" align="center"> <table anchor="definition-table">
<name>Summary of symbols and their definitions.</name> <name>Summary of Symbols and Their Definitions</name>
<thead> <thead>
<tr> <tr>
<th align="center">Symbol</th> <th align="center">Symbol</th>
<th align="left">Meaning</th> <th align="left">Meaning</th>
<th align="left">Relevance</th> <th align="left">Relevance</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="center">F,q,p</td> <td align="center">F,q,p</td>
<td align="left">A finite field F of characteristic p and #F = q = p^m.</td> <td align="left">A finite field F of characteristic p and #F = q = p^m.</td>
<td align="left">For prime fields, q = p; otherwise, q = p^m and m &gt;1.</td> <td align="left">For prime fields, q&nbsp;=&nbsp;p; otherwise, q&nbsp;=&nbsp;p^m and m&gt;1.</td>
</tr> </tr>
<tr> <tr>
<td align="center">E</td> <td align="center">E</td>
<td align="left">Elliptic curve.</td> <td align="left">Elliptic curve.</td>
<td align="left">E is specified by an equation and a field F.</td> <td align="left">E is specified by an equation and a field F.</td>
</tr> </tr>
<tr> <tr>
<td align="center">n</td> <td align="center">n</td>
<td align="left">Number of points on the elliptic curve E.</td> <td align="left">Number of points on the elliptic curve E.</td>
<td align="left">n = h * r, for h and r defined below.</td> <td align="left">n = h * r, for h and r defined below.</td>
</tr> </tr>
<tr> <tr>
<td align="center">G</td> <td align="center">G</td>
<td align="left">A prime-order subgroup of the points on E.</td> <td align="left">A prime-order subgroup of the points on E.</td>
<td align="left">Destination group to which byte strings are encoded.</td> <td align="left">G is a destination group to which byte strings are encoded.</td>
</tr> </tr>
<tr> <tr>
<td align="center">r</td> <td align="center">r</td>
<td align="left">Order of G.</td> <td align="left">Order of G.</td>
<td align="left">r is a prime factor of n (usually, the largest such factor).</td> <td align="left">r is a prime factor of n (usually, the largest such factor).</td>
</tr> </tr>
<tr> <tr>
<td align="center">h</td> <td align="center">h</td>
<td align="left">Cofactor, h &gt;= 1.</td> <td align="left">Cofactor, h &gt;= 1.</td>
<td align="left">An integer satisfying n = h * r.</td> <td align="left">h is an integer satisfying n = h * r.</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="terminology" numbered="true" toc="default"> <section anchor="terminology">
<name>Terminology</name> <name>Terminology</name>
<t>In this section, we define important terms used throughout the document.</t> <t>In this section, we define important terms used throughout the document.</t>
<section anchor="term-mapping" numbered="true" toc="default"> <section anchor="term-mapping">
<name>Mappings</name> <name>Mappings</name>
<t>A mapping is a deterministic function from an element of the field F to a point <t>A mapping is a deterministic function from an element of the field F to a point
on an elliptic curve E defined over F.</t> on an elliptic curve E defined over F.</t>
<t>In general, the set of all points that a mapping can produce over all <t>In general, the set of all points that a mapping can produce over all
possible inputs may be only a subset of the points on an elliptic curve possible inputs may be only a subset of the points on an elliptic curve
(i.e., the mapping may not be surjective). (i.e., the mapping may not be surjective).
In addition, a mapping may output the same point for two or more distinct inputs In addition, a mapping may output the same point for two or more distinct inputs
(i.e., the mapping may not be injective). (i.e., the mapping may not be injective).
For example, consider a mapping from F to an elliptic curve having n points: For example, consider a mapping from F to an elliptic curve having n points:
if the number of elements of F is not equal to n, if the number of elements of F is not equal to n,
then this mapping cannot be bijective (i.e., both injective and surjective) then this mapping cannot be bijective (i.e., both injective and surjective),
since the mapping is defined to be deterministic.</t> since the mapping is defined to be deterministic.</t>
<t>Mappings may also be invertible, meaning that there is an efficient algorithm <t>Mappings may also be invertible, meaning that there is an efficient algorithm
that, for any point P output by the mapping, outputs an x in F such that that, for any point P output by the mapping, outputs an x in F such that
applying the mapping to x outputs P. applying the mapping to x outputs P.
Some of the mappings given in <xref target="mappings" format="default"/> are invertible, but this Some of the mappings given in <xref target="mappings"/> are invertible, but this
document does not discuss inversion algorithms.</t> document does not discuss inversion algorithms.</t>
</section> </section>
<section anchor="term-encoding" numbered="true" toc="default"> <section anchor="term-encoding">
<name>Encodings</name> <name>Encodings</name>
<t>Encodings are closely related to mappings. <t>Encodings are closely related to mappings.
Like a mapping, an encoding is a function that outputs a point on an elliptic curve. Like a mapping, an encoding is a function that outputs a point on an elliptic curve.
In contrast to a mapping, however, the input to an encoding is an arbitrary-length In contrast to a mapping, however, the input to an encoding is an arbitrary-length
byte string.</t> byte string.</t>
<t>This document constructs deterministic encodings by composing a hash function Hf <t>This document constructs deterministic encodings by composing a hash function Hf
with a deterministic mapping. with a deterministic mapping.
In particular, Hf takes as input an arbitrary string and outputs an element of F. In particular, Hf takes as input an arbitrary string and outputs an element of F.
The deterministic mapping takes that element as input and outputs a point on an The deterministic mapping takes that element as input and outputs a point on an
elliptic curve E defined over F. elliptic curve E defined over F.
Since Hf takes arbitrary-length byte strings as inputs, it cannot be injective: Since Hf takes arbitrary-length byte strings as inputs, it cannot be injective:
the set of inputs is larger than the set of outputs, so there must the set of inputs is larger than the set of outputs, so there must
be distinct inputs that give the same output (i.e., there must be collisions). be distinct inputs that give the same output (i.e., there must be collisions).
Thus, any encoding built from Hf is also not injective.</t> Thus, any encoding built from Hf is also not injective.</t>
<t>Like mappings, encodings may be invertible, meaning that there is an efficient <t>Like mappings, encodings may be invertible, meaning that there is an
algorithm that, for any point P output by the encoding, outputs a string s efficient algorithm that, for any point P output by the encoding,
such that applying the encoding to s outputs P. outputs a string s such that applying the encoding to s outputs P.
The instantiation of Hf used by all encodings specified in this document (<xref target="hashtofield" format="default"/>) However, the instantiation of Hf used by all encodings specified in
is not invertible. Thus, the encodings are also not invertible.</t> this document (<xref target="hashtofield"/>) is not invertible; thus, those encodings
are also not invertible.</t>
<t>In some applications of hashing to elliptic curves, it is important that <t>In some applications of hashing to elliptic curves, it is important that
encodings do not leak information through side channels. encodings do not leak information through side channels.
<xref target="VR20" format="default"/> is one example of this type of leakage leading to a security vulnerability. <xref target="VR20"/> is one example of this type of leakage leading to a security vulnerability.
See <xref target="security-considerations-constant" format="default"/> for further discussion.</t> See <xref target="security-considerations-constant"/> for further discussion.</t>
</section> </section>
<section anchor="term-rom" numbered="true" toc="default"> <section anchor="term-rom">
<name>Random oracle encodings</name> <name>Random Oracle Encodings</name>
<t>A random-oracle encoding satisfies a strong property: it can be pro ved <t>A random-oracle encoding satisfies a strong property: it can be pro ved
indifferentiable from a random oracle <xref target="MRH04" format="default"/> under a suitable assumption.</t> indifferentiable from a random oracle <xref target="MRH04"/> under a suitable assumption.</t>
<t>Both constructions described in <xref target="roadmap" format="default"/> are indifferentiable from <t>Both constructions described in <xref target="roadmap"/> are indifferentiable from
random oracles <xref target="MRH04" format="default"/> when instantiated following the guidelines in this document. random oracles <xref target="MRH04"/> when instantiated following the guidelines in this document.
The constructions differ in their output distributions: one gives a uniformly random The constructions differ in their output distributions: one gives a uniformly random
point on the curve, the other gives a point sampled from a nonuniform distribution.</t> point on the curve, the other gives a point sampled from a nonuniform distribution.</t>
<t>A random-oracle encoding with a uniform output distribution is suitable for use <t>A random-oracle encoding with a uniform output distribution is suitable for use
in many cryptographic protocols proven secure in the random oracle model. in many cryptographic protocols proven secure in the random-oracle model.
See <xref target="security-considerations-props" format="default"/> for further See <xref target="security-considerations-props"/> for further discussion.</t>
</section> </section>
<section anchor="term-serialization" numbered="true" toc="default"> <section anchor="term-serialization">
<name>Serialization</name> <name>Serialization</name>
<t>A procedure related to encoding is the conversion of an elliptic curve point to a bit string. <t>A procedure related to encoding is the conversion of an elliptic curve point to a bit string.
This is called serialization, and is typically used for compactly storing or transmitting points. This is called serialization, and it is typically used for compactly storing or transmitting points.
The inverse operation, deserialization, converts a bit string to an elliptic curve point. The inverse operation, deserialization, converts a bit string to an elliptic curve point.
For example, <xref target="SEC1" format="default"/> and <xref target="p1363a" format="default"/> give standard methods for serialization and deserialization.</t> For example, <xref target="SEC1"/> and <xref target="p1363a"/> give standard methods for serialization and deserialization.</t>
<t>Deserialization is different from encoding in that only certain strings <t>Deserialization is different from encoding in that only certain strings
(namely, those output by the serialization procedure) can be deserialized. (namely, those output by the serialization procedure) can be deserialized.
In contrast, this document is concerned with encodings from arbitrary strings In contrast, this document is concerned with encodings from arbitrary strings
to elliptic curve points. to elliptic curve points.
This document does not cover serialization or deserialization.</t> This document does not cover serialization or deserialization.</t>
</section> </section>
<section anchor="term-domain-separation" numbered="true" toc="default"> <section anchor="term-domain-separation">
<name>Domain separation</name> <name>Domain Separation</name>
<t>Cryptographic protocols proven secure in the random oracle model are often analyzed <t>Cryptographic protocols proven secure in the random-oracle model are often analyzed
under the assumption that the random oracle only answers queries associated under the assumption that the random oracle only answers queries associated
with that protocol (including queries made by adversaries) <xref target="BR93" format="default"/>. with that protocol (including queries made by adversaries) <xref target="BR93"/>.
In practice, this assumption does not hold if two protocols use the In practice, this assumption does not hold if two protocols use the
same function to instantiate the random oracle. same function to instantiate the random oracle.
Concretely, consider protocols P1 and P2 that query a random oracle RO: Concretely, consider protocols P1 and P2 that query a random-oracle RO:
if P1 and P2 both query RO on the same value x, the security analysis of if P1 and P2 both query RO on the same value x, the security analysis of
one or both protocols may be invalidated.</t> one or both protocols may be invalidated.</t>
<t>A common way of addressing this issue is called domain separation, <t>A common way of addressing this issue is called domain separation,
which allows a single random oracle to simulate multiple, independent oracles. which allows a single random oracle to simulate multiple, independent oracles.
This is effected by ensuring that each simulated oracle sees queries that are This is effected by ensuring that each simulated oracle sees queries that are
distinct from those seen by all other simulated oracles. distinct from those seen by all other simulated oracles.
For example, to simulate two oracles RO1 and RO2 given a single oracle RO, For example, to simulate two oracles RO1 and RO2 given a single oracle RO,
one might define</t> one might define</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
RO1(x) := RO("RO1" || x) RO1(x) := RO("RO1" || x)
RO2(x) := RO("RO2" || x) RO2(x) := RO("RO2" || x)
]]></artwork> ]]></artwork>
<t>where || is the concatenation operator. <t>where || is the concatenation operator.
In this example, "RO1" and "RO2" are called domain separation tags; In this example, "RO1" and "RO2" are called domain separation tags (DSTs);
they ensure that queries to RO1 and RO2 cannot result in identical they ensure that queries to RO1 and RO2 cannot result in identical
queries to RO, meaning that it is safe to treat RO1 and RO2 as queries to RO, meaning that it is safe to treat RO1 and RO2 as
independent oracles.</t> independent oracles.</t>
<t>In general, domain separation requires defining a distinct injectiv e <t>In general, domain separation requires defining a distinct injectiv e
encoding for each oracle being simulated. encoding for each oracle being simulated.
In the above example, "RO1" and "RO2" have the same length and thus In the above example, "RO1" and "RO2" have the same length and thus
satisfy this requirement when used as prefixes. satisfy this requirement when used as prefixes.
The algorithms specified in this document take a different approach to ensuring The algorithms specified in this document take a different approach to ensuring
injectivity; see <xref target="hashtofield-expand" format="default"/> and <xref target="security-considerations-domain-separation-expmsg-var" format="default"/> injectivity; see Sections <xref format="counter" target="hashtofield-expand"/> a nd <xref format="counter" target="security-considerations-domain-separation-expm sg-var"/>
for more details.</t> for more details.</t>
</section> </section>
</section> </section>
</section> </section>
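Review bot: the hyphen introduced in "query a random-oracle RO" at the start of this region changes the grammar: "random oracle" is the noun that the name RO refers to, not a modifier of RO, and the rest of the region keeps the unhyphenated form ("allows a single random oracle to simulate multiple, independent oracles"). Suggest restoring "query a random oracle RO" so the wording is consistent throughout the section.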
<section anchor="roadmap" numbered="true" toc="default"> <section anchor="roadmap">
<name>Encoding byte strings to elliptic curves</name> <name>Encoding Byte Strings to Elliptic Curves</name>
<t>This section presents a general framework and interface for encoding by te strings <t>This section presents a general framework and interface for encoding by te strings
to points on an elliptic curve. The constructions in this section rely on three to points on an elliptic curve. The constructions in this section rely on three
basic functions:</t> basic functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The function hash_to_field hashes arbitrary-length byte strings to a list <t>The function hash_to_field hashes arbitrary-length byte strings to a list
of one or more elements of a finite field F; its implementation is defined in of one or more elements of a finite field F; its implementation is defined in
<xref target="hashtofield" format="default"/>. </t> <xref target="hashtofield"/>. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_field(msg, count) hash_to_field(msg, count)
Inputs: Input:
- msg, a byte string containing the message to hash. - msg, a byte string containing the message to hash.
- count, the number of elements of F to output. - count, the number of elements of F to output.
Outputs: Output:
- (u_0, ..., u_(count - 1)), a list of field elements. - (u_0, ..., u_(count - 1)), a list of field elements.
Steps: defined in Section 5. Steps: defined in Section 5.
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>The function map_to_curve calculates a point on the elliptic curve E <t>The function map_to_curve calculates a point on the elliptic curve E
from an element of the finite field F over which E is defined. from an element of the finite field F over which E is defined.
<xref target="mappings" format="default"/> describes mappings for a range of cur <xref target="mappings"/> describes mappings for a range of curve families. </t
ve families. </t> >
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve(u) map_to_curve(u)
Input: u, an element of field F. Input: u, an element of field F.
Output: Q, a point on the elliptic curve E. Output: Q, a point on the elliptic curve E.
Steps: defined in Section 6. Steps: defined in Section 6.
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>The function clear_cofactor sends any point on the curve E to <t>The function clear_cofactor sends any point on the curve E to
the subgroup G of E. <xref target="cofactor-clearing" format="default"/> describ es methods to perform the subgroup G of E. <xref target="cofactor-clearing"/> describes methods to per form
this operation. </t> this operation. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor(Q) clear_cofactor(Q)
Input: Q, a point on the elliptic curve E. Input: Q, a point on the elliptic curve E.
Output: P, a point in G. Output: P, a point in G.
Steps: defined in Section 7. Steps: defined in Section 7.
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>The two encodings (<xref target="term-encoding" format="default"/>) def <t>The two encodings (<xref target="term-encoding"/>) defined in this sect
ined in this section have the ion have the
same interface and are both random-oracle encodings (<xref target="term-rom" for same interface and are both random-oracle encodings (<xref target="term-rom"/>).
Both are implemented as a composition of the three basic functions above. Both are implemented as a composition of the three basic functions above.
The difference between the two is that their outputs are sampled from The difference between the two is that their outputs are sampled from
different distributions:</t> different distributions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>encode_to_curve is a nonuniform encoding from byte strings to point s in G. <t>encode_to_curve is a nonuniform encoding from byte strings to point s in G.
That is, the distribution of its output is not uniformly random in G: That is, the distribution of its output is not uniformly random in G:
the set of possible outputs of encode_to_curve is only a fraction of the the set of possible outputs of encode_to_curve is only a fraction of the
points in G, and some points in this set are more likely to be output than other s. points in G, and some points in this set are more likely to be output than other s.
<xref target="security-considerations-encode" format="default"/> gives a more pr ecise definition of <xref target="security-considerations-encode"/> gives a more precise definition of
encode_to_curve's output distribution. </t> encode_to_curve's output distribution. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
encode_to_curve(msg) encode_to_curve(msg)
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, a point in G. Output: P, a point in G.
Steps: Steps:
1. u = hash_to_field(msg, 1) 1. u = hash_to_field(msg, 1)
2. Q = map_to_curve(u[0]) 2. Q = map_to_curve(u[0])
3. P = clear_cofactor(Q) 3. P = clear_cofactor(Q)
4. return P 4. return P
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>hash_to_curve is a uniform encoding from byte strings to points in G. <t>hash_to_curve is a uniform encoding from byte strings to points in G.
That is, the distribution of its output is statistically close to uniform in G. </t> That is, the distribution of its output is statistically close to uniform in G. </t>
<t> <t>
This function is suitable for most applications requiring a random oracle This function is suitable for most applications requiring a random oracle
returning points in G, when instantiated with any of the map_to_curve returning points in G, when instantiated with any of the map_to_curve
functions described in <xref target="mappings" format="default"/>. functions described in <xref target="mappings"/>.
See <xref target="security-considerations-props" format="default"/> for further See <xref target="security-considerations-props"/> for further discussion. </t>
discussion. </t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
hash_to_curve(msg) hash_to_curve(msg)
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, a point in G. Output: P, a point in G.
Steps: Steps:
1. u = hash_to_field(msg, 2) 1. u = hash_to_field(msg, 2)
2. Q0 = map_to_curve(u[0]) 2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1]) 3. Q1 = map_to_curve(u[1])
4. R = Q0 + Q1 # Point addition 4. R = Q0 + Q1 # Point addition
5. P = clear_cofactor(R) 5. P = clear_cofactor(R)
6. return P 6. return P
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>Each hash-to-curve suite in <xref target="suites" format="default"/> in <t>Each hash-to-curve suite in <xref target="suites"/> instantiates one of
stantiates one of these encoding these encoding
functions for a specifc elliptic curve.</t> functions for a specific elliptic curve.</t>
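Review bot: the literal "Section 5", "Section 6" and "Section 7" in the three pseudocode blocks (hash_to_field, map_to_curve, clear_cofactor) are plain text inside CDATA, so unlike the surrounding <xref target="hashtofield"/>, <xref target="mappings"/> and <xref target="cofactor-clearing"/> references they are not renumbered automatically; confirm they match the final numbers of those three anchors before publication. The CDATA wrapping itself is the right change, since it lets the blocks carry characters such as "<" and ">" without entity escaping.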
<section anchor="domain-separation" numbered="true" toc="default"> <section anchor="domain-separation">
<name>Domain separation requirements</name> <name>Domain Separation Requirements</name>
<t>All uses of the encoding functions defined in this document MUST incl <t>All uses of the encoding functions defined in this document <bcp14>MU
ude ST</bcp14> include
domain separation (<xref target="term-domain-separation" format="default"/>) to domain separation (<xref target="term-domain-separation"/>) to avoid interfering
avoid interfering with with
other uses of similar functionality.</t> other uses of similar functionality.</t>
<t>Applications that instantiate multiple, independent instances of eith er <t>Applications that instantiate multiple, independent instances of eith er
hash_to_curve or encode_to_curve MUST enforce domain separation hash_to_curve or encode_to_curve <bcp14>MUST</bcp14> enforce domain separation
between those instances. between those instances.
This requirement applies both in the case of multiple instances targeting This requirement applies in both the case of multiple instances targeting
the same curve and in the case of multiple instances targeting different curves. the same curve and the case of multiple instances targeting different curves.
(This is because the internal hash_to_field primitive (<xref target="hashtofield (This is because the internal hash_to_field primitive (<xref target="hashtofield
" format="default"/>) "/>)
requires domain separation to guarantee independent outputs.)</t> requires domain separation to guarantee independent outputs.)</t>
<t>Domain separation is enforced with a domain separation tag (DST), <t>Domain separation is enforced with a domain separation tag (DST),
which is a byte string constructed according to the following requirements:</t> which is a byte string constructed according to the following requirements:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Tags <bcp14>MUST</bcp14> be supplied a
<li>Tags MUST be supplied as the DST parameter to hash_to_field, as s the DST parameter to hash_to_field, as
described in <xref target="hashtofield" format="default"/>.</li> described in <xref target="hashtofield"/>.</li>
<li>Tags MUST have nonzero length. A minimum length of 16 bytes <li>Tags <bcp14>MUST</bcp14> have nonzero length. A minimum length of
is RECOMMENDED to reduce the chance of collisions with other 16 bytes
is <bcp14>RECOMMENDED</bcp14> to reduce the chance of collisions with other
applications.</li> applications.</li>
<li>Tags SHOULD begin with a fixed identification string <li>Tags <bcp14>SHOULD</bcp14> begin with a fixed identification strin g
that is unique to the application.</li> that is unique to the application.</li>
<li>Tags SHOULD include a version number.</li> <li>Tags <bcp14>SHOULD</bcp14> include a version number.</li>
<li>For applications that define multiple ciphersuites, each ciphersui te's <li>For applications that define multiple ciphersuites, each ciphersui te's
tag MUST be different. For this purpose, it is RECOMMENDED to tag <bcp14>MUST</bcp14> be different. For this purpose, it is <bcp14>RECOMMENDED </bcp14> to
include a ciphersuite identifier in each tag.</li> include a ciphersuite identifier in each tag.</li>
<li>For applications that use multiple encodings, either to the same c <li>For applications that use multiple encodings, to either the same c
urve urve
or to different curves, each encoding MUST use a different tag. or different curves, each encoding <bcp14>MUST</bcp14> use a different tag.
For this purpose, it is RECOMMENDED to include the encoding's For this purpose, it is <bcp14>RECOMMENDED</bcp14> to include the encoding's
Suite ID (<xref target="suites" format="default"/>) in the domain separation tag Suite ID (<xref target="suites"/>) in the domain separation tag.
. For independent encodings based on the same suite, each tag <bcp14>SHOULD</bcp14
For independent encodings based on the same suite, each tag SHOULD >
also include a distinct identifier, e.g., "ENC1" and "ENC2".</li> also include a distinct identifier, e.g., "ENC1" and "ENC2".</li>
</ol> </ol>
<t>As an example, consider a fictional application named Quux <t>As an example, consider a fictional application named Quux
that defines several different ciphersuites, each for a different curve. that defines several different ciphersuites, each for a different curve.
A reasonable choice of tag is "QUUX-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;", w here A reasonable choice of tag is "QUUX-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;", w here
&lt;xx&gt; and &lt;yy&gt; are two-digit numbers indicating the version and &lt;xx&gt; and &lt;yy&gt; are two-digit numbers indicating the version and
ciphersuite, respectively, and &lt;suiteID&gt; is the Suite ID of the ciphersuite, respectively, and &lt;suiteID&gt; is the Suite ID of the
encoding used in ciphersuite &lt;yy&gt;.</t> encoding used in ciphersuite &lt;yy&gt;.</t>
<t>As another example, consider a fictional application named Baz that r equires <t>As another example, consider a fictional application named Baz that r equires
two independent random oracles to the same curve. two independent random oracles to the same curve.
Reasonable choices of tags for these oracles are Reasonable choices of tags for these oracles are
"BAZ-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;-ENC1" and "BAZ-V&lt;xx&gt;-CS&lt;y y&gt;-&lt;suiteID&gt;-ENC2", "BAZ-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;-ENC1" and "BAZ-V&lt;xx&gt;-CS&lt;y y&gt;-&lt;suiteID&gt;-ENC2",
respectively, where &lt;xx&gt;, &lt;yy&gt;, and &lt;suiteID&gt; are as described above.</t> respectively, where &lt;xx&gt;, &lt;yy&gt;, and &lt;suiteID&gt; are as described above.</t>
<t>The example tags given above are assumed to be ASCII-encoded byte str ings <t>The example tags given above are assumed to be ASCII-encoded byte str ings
without null termination, which is the RECOMMENDED format. Other encodings without null termination, which is the <bcp14>RECOMMENDED</bcp14> format. Other
can be used, but in all cases the encoding as a sequence of bytes MUST be encodings
can be used, but in all cases the encoding as a sequence of bytes <bcp14>MUST</b
cp14> be
specified unambiguously.</t> specified unambiguously.</t>
</section> </section>
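Review bot: "domain separation tag (DST)" is expanded again in the first paragraph of this region even though the new text already introduces the abbreviation as "domain separation tags (DSTs)" in the background section above; keep the expansion at first use only and write "DST" here. Separately, the first <li> of the requirements list has been joined onto the same line as the <ol> opening tag while the remaining items are one per line; restore the line break for consistency with the rest of the list.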
</section> </section>
<section anchor="utility" numbered="true" toc="default"> <section anchor="utility">
<name>Utility functions</name> <name>Utility Functions</name>
<t>Algorithms in this document use the utility functions described below, <t>Algorithms in this document use the utility functions described below,
plus standard arithmetic operations (addition, multiplication, modular plus standard arithmetic operations (addition, multiplication, modular
reduction, etc.) and elliptic curve point operations (point addition and reduction, etc.) and elliptic curve point operations (point addition and
scalar multiplication).</t> scalar multiplication).</t>
<t>For security, implementations of these functions SHOULD be constant tim <t>For security, implementations of these functions <bcp14>SHOULD</bcp14>
e: be constant time:
in brief, this means that execution time and memory access patterns SHOULD NOT in brief, this means that execution time and memory access patterns <bcp14>SHOUL
D NOT</bcp14>
depend on the values of secret inputs, intermediate values, or outputs. depend on the values of secret inputs, intermediate values, or outputs.
For such constant-time implementations, all arithmetic, comparisons, and For such constant-time implementations, all arithmetic, comparisons, and
assignments MUST also be implemented in constant time. assignments <bcp14>MUST</bcp14> also be implemented in constant time.
<xref target="security-considerations-constant" format="default"/> briefly discu <xref target="security-considerations-constant"/> briefly discusses constant-tim
sses constant-time security issues.</t> e security issues.</t>
<t>Guidance on implementing low-level operations (in constant time or othe rwise) <t>Guidance on implementing low-level operations (in constant time or othe rwise)
is beyond the scope of this document; readers should consult standard reference is beyond the scope of this document; readers should consult standard reference
material <xref target="MOV96" format="default"/> <xref target="CFADLNV05" format ="default"/>.</t> material <xref target="MOV96"/> <xref target="CFADLNV05"/>.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CMOV(a, b, c): If c is False, CMOV returns a, otherwise it returns b <li>CMOV(a, b, c): If c is False, CMOV returns a; otherwise, it returns
. b.
For constant-time implementations, this operation must run in For constant-time implementations, this operation must run in a
time independent of the value of c.</li> time that is independent of the value of c.</li>
<li>AND, OR, NOT, and XOR are standard bitwise logical operators. <li>AND, OR, NOT, and XOR are standard bitwise logical operators.
For constant-time implementations, short-circuit operators MUST be avoided.</li> For constant-time implementations, short-circuit operators <bcp14>MUST</bcp14> b e avoided.</li>
<li> <li>
<t>is_square(x): This function returns True whenever the value x is a <t>is_square(x): This function returns True whenever the value x is a
square in the field F. By Euler's criterion, this function can be square in the field F. By Euler's criterion, this function can be
calculated in constant time as </t> calculated in constant time as </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
is_square(x) := { True, if x^((q - 1) / 2) is 0 or 1 in F; is_square(x) := { True, if x^((q - 1) / 2) is 0 or 1 in F;
{ False, otherwise. { False, otherwise.
</sourcecode> ]]></sourcecode>
<t> <t>
In certain extension fields, is_square can be computed in constant In certain extension fields, is_square can be computed in constant
time more quickly than by the above exponentiation. time more quickly than by the above exponentiation.
<xref target="AR13" format="default"/> and <xref target="S85" format="default"/> <xref target="AR13"/> and <xref target="S85"/> describe optimized methods for ex
describe optimized methods for extension fields. tension fields.
<xref target="appx-sqrt-issq" format="default"/> gives an optimized straight-lin <xref target="appx-sqrt-issq"/> gives an optimized straight-line method for GF(p
e method for GF(p^2).</t> ^2).</t>
</li> </li>
<li> <li>
<t>sqrt(x): The sqrt operation is a multi-valued function, i.e., there exist <t>sqrt(x): The sqrt operation is a multi-valued function, i.e., there exist
two roots of x in the field F whenever x is square (except when x = 0). two roots of x in the field F whenever x is square (except when x = 0).
To maintain compatibility across implementations while allowing implementors To maintain compatibility across implementations while allowing implementors
leeway for optimizations, this document does not require sqrt() to return a leeway for optimizations, this document does not require sqrt() to return a
particular value. Instead, as explained in <xref target="point-sign" format="def ault"/>, any function that particular value. Instead, as explained in <xref target="point-sign"/>, any func tion that
calls sqrt also specifies how to determine the correct root. </t> calls sqrt also specifies how to determine the correct root. </t>
<t> <t>
The preferred way of computing square roots is to fix a deterministic The preferred way of computing square roots is to fix a deterministic
algorithm particular to F. We give several algorithms in <xref target="appx-sqrt " format="default"/>.</t> algorithm particular to F. We give several algorithms in <xref target="appx-sqrt "/>.</t>
</li> </li>
<li>sgn0(x): This function returns either 0 or 1 indicating the "sign" o f x, <li>sgn0(x): This function returns either 0 or 1 indicating the "sign" o f x,
where sgn0(x) == 1 just when x is "negative". where sgn0(x) == 1 just when x is "negative".
(In other words, this function always considers 0 to be positive.) (In other words, this function always considers 0 to be positive.)
<xref target="sgn0-function" format="default"/> defines this function and discus ses its implementation.</li> <xref target="sgn0-function"/> defines this function and discusses its implement ation.</li>
<li> <li>
<t>inv0(x): This function returns the multiplicative inverse of x in F , <t>inv0(x): This function returns the multiplicative inverse of x in F ,
extended to all of F by fixing inv0(0) == 0. extended to all of F by fixing inv0(0) == 0.
A straightforward way to implement inv0 in constant time is to compute </t> A straightforward way to implement inv0 in constant time is to compute </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
inv0(x) := x^(q - 2). inv0(x) := x^(q - 2).
</sourcecode> ]]></sourcecode>
<t> <t>
Notice that on input 0, the output is 0 as required. Notice that on input 0, the output is 0 as required.
Certain fields may allow faster inversion methods; detailed discussion Certain fields may allow faster inversion methods; detailed discussion
of such methods is beyond the scope of this document.</t> of such methods is beyond the scope of this document.</t>
</li> </li>
<li>I2OSP and OS2IP: These functions are used to convert a byte string t o <li>I2OSP and OS2IP: These functions are used to convert a byte string t o
and from a non-negative integer as described in <xref target="RFC8017" format="d efault"/>. and from a non-negative integer as described in <xref target="RFC8017"/>.
(Note that these functions operate on byte strings in big-endian byte (Note that these functions operate on byte strings in big-endian byte
order.)</li> order.)</li>
<li>a || b: denotes the concatenation of byte strings a and b. For examp le, <li>a || b: denotes the concatenation of byte strings a and b. For examp le,
"ABC" || "DEF" == "ABCDEF".</li> "ABC" || "DEF" == "ABCDEF".</li>
<li>substr(str, sbegin, slen): for a byte string str, this function retu rns <li>substr(str, sbegin, slen): For a byte string str, this function retu rns
the slen-byte substring starting at position sbegin; positions are zero the slen-byte substring starting at position sbegin; positions are zero
indexed. indexed.
For example, substr("ABCDEFG", 2, 3) == "CDE".</li> For example, substr("ABCDEFG", 2, 3) == "CDE".</li>
<li>len(str): for a byte string str, this function returns the length of str <li>len(str): For a byte string str, this function returns the length of str
in bytes. For example, len("ABC") == 3.</li> in bytes. For example, len("ABC") == 3.</li>
<li>strxor(str1, str2): for byte strings str1 and str2, strxor(str1, str 2) <li>strxor(str1, str2): For byte strings str1 and str2, strxor(str1, str 2)
returns the bitwise XOR of the two strings. returns the bitwise XOR of the two strings.
For example, strxor("abc", "XYZ") == "9;9" (the strings in this example For example, strxor("abc", "XYZ") == "9;9" (the strings in this example
are ASCII literals, but strxor is defined for arbitrary byte strings). are ASCII literals, but strxor is defined for arbitrary byte strings).
In this document, strxor is only applied to inputs of equal length.</li> In this document, strxor is only applied to inputs of equal length.</li>
</ul> </ul>
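Review bot: the constant-time requirement on CMOV ("this operation must run in a time that is independent of the value of c") is left in lowercase while the neighbouring requirements in this region are marked up as <bcp14>MUST</bcp14> (assignments "MUST also be implemented in constant time"; short-circuit operators "MUST be avoided"). If timing independence of CMOV is meant to be normative for constant-time implementations, which the surrounding text implies, it should carry the same <bcp14>MUST</bcp14> markup; otherwise the lowercase reads as an accidental omission rather than a deliberate non-normative statement.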
<section anchor="sgn0-function" numbered="true" toc="default"> <section anchor="sgn0-function">
<name>The sgn0 function</name> <name>The sgn0 Function</name>
<t>This section defines a generic sgn0 implementation that applies to an y field F = GF(p^m). <t>This section defines a generic sgn0 implementation that applies to an y field F = GF(p^m).
It also gives simplified implementations for the cases F = GF(p) and F = GF(p^2) .</t> It also gives simplified implementations for the cases F = GF(p) and F = GF(p^2) .</t>
<t>The definition of the sgn0 function for extension fields relies on <t>The definition of the sgn0 function for extension fields relies on
the polynomial basis or vector representation of field elements, and the polynomial basis or vector representation of field elements, and
iterates over the entire vector representation of the input element. iterates over the entire vector representation of the input element.
As a result, sgn0 depends on the primitive polynomial used to define As a result, sgn0 depends on the primitive polynomial used to define
the polynomial basis; see <xref target="suites" format="default"/> for more info the polynomial basis; see <xref target="suites"/> for more information about thi
rmation about this s
basis, and see <xref target="bg-curves" format="default"/> for a discussion of r basis, and see <xref target="bg-curves"/> for a discussion of representing eleme
epresenting elements nts
of extension fields as vectors.</t> of extension fields as vectors.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0(x) sgn0(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above). - p, the characteristic of F (see immediately above).
- m, the extension degree of F, m &gt;= 1 (see immediately above). - m, the extension degree of F, m >= 1 (see immediately above).
Input: x, an element of F. Input: x, an element of F.
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. sign = 0 1. sign = 0
2. zero = 1 2. zero = 1
3. for i in (1, 2, ..., m): 3. for i in (1, 2, ..., m):
4. sign_i = x_i mod 2 4. sign_i = x_i mod 2
5. zero_i = x_i == 0 5. zero_i = x_i == 0
6. sign = sign OR (zero AND sign_i) # Avoid short-circuit logic ops 6. sign = sign OR (zero AND sign_i) # Avoid short-circuit logic ops
7. zero = zero AND zero_i 7. zero = zero AND zero_i
8. return sign 8. return sign
</sourcecode> ]]></sourcecode>
<t>When m == 1, sgn0 can be significantly simplified:</t> <t>When m == 1, sgn0 can be significantly simplified:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0_m_eq_1(x) sgn0_m_eq_1(x)
Input: x, an element of GF(p). Input: x, an element of GF(p).
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. return x mod 2 1. return x mod 2
</sourcecode> ]]></sourcecode>
<t>The case m == 2 is only slightly more complicated:</t> <t>The case m == 2 is only slightly more complicated:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0_m_eq_2(x) sgn0_m_eq_2(x)
Input: x, an element of GF(p^2). Input: x, an element of GF(p^2).
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. sign_0 = x_0 mod 2 1. sign_0 = x_0 mod 2
2. zero_0 = x_0 == 0 2. zero_0 = x_0 == 0
3. sign_1 = x_1 mod 2 3. sign_1 = x_1 mod 2
4. s = sign_0 OR (zero_0 AND sign_1) # Avoid short-circuit logic ops 4. s = sign_0 OR (zero_0 AND sign_1) # Avoid short-circuit logic ops
5. return s 5. return s
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
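Review bot: wrapping the sgn0 block in CDATA requires the accompanying change on the "m >= 1" parameter line from "&gt;=" to a bare ">=", which the right-hand column makes; entity references are not decoded inside CDATA, so a leftover "&gt;" would have rendered literally in the pseudocode. Worth checking that the other pseudocode blocks converted to CDATA in this change contain no remaining entity references (none are visible in the blocks shown in this region).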
<section anchor="hashtofield" numbered="true" toc="default"> <section anchor="hashtofield">
<name>Hashing to a finite field</name> <name>Hashing to a Finite Field</name>
<t>The hash_to_field function hashes a byte string msg of arbitrary length into <t>The hash_to_field function hashes a byte string msg of arbitrary length into
one or more elements of a field F. one or more elements of a field F.
This function works in two steps: it first hashes the input byte string This function works in two steps: it first hashes the input byte string
to produce a uniformly random byte string, and then interprets this byte string to produce a uniformly random byte string, and then interprets this byte string
as one or more elements of F.</t> as one or more elements of F.</t>
<t>For the first step, hash_to_field calls an auxiliary function expand_me ssage. <t>For the first step, hash_to_field calls an auxiliary function expand_me ssage.
This document defines two variants of expand_message: one appropriate This document defines two variants of expand_message: one appropriate
for hash functions like SHA-2 <xref target="FIPS180-4" format="default"/> or SHA for hash functions like SHA-2 <xref target="FIPS180-4"/> or SHA-3 <xref target="
-3 <xref target="FIPS202" format="default"/>, and another FIPS202"/>, and another
appropriate for extendable-output functions such as SHAKE128 <xref target="FIPS2 appropriate for extendable-output functions such as SHAKE128 <xref target="FIPS2
02" format="default"/>. 02"/>.
Security considerations for each expand_message variant are discussed Security considerations for each expand_message variant are discussed
below (<xref target="hashtofield-expand-xmd" format="default"/>, <xref target="h below (Sections <xref format="counter" target="hashtofield-expand-xmd"/> and <xr
ashtofield-expand-xof" format="default"/>).</t> ef format="counter" target="hashtofield-expand-xof"/>).</t>
<t>Implementors MUST NOT use rejection sampling to generate a uniformly ra <t>Implementors <bcp14>MUST NOT</bcp14> use rejection sampling to generate
ndom a uniformly random
element of F, to ensure that the hash_to_field function is amenable to element of F, to ensure that the hash_to_field function is amenable to
constant-time implementation. constant-time implementation.
The reason is that rejection sampling procedures are difficult to implement The reason is that rejection sampling procedures are difficult to implement
in constant time, and later well-meaning "optimizations" may silently render in constant time, and later well-meaning "optimizations" may silently render
an implementation non-constant-time. an implementation non-constant-time.
This means that any hash_to_field function based on rejection sampling This means that any hash_to_field function based on rejection sampling
would be incompatible with constant-time implementation.</t> would be incompatible with constant-time implementation.</t>
<t>The hash_to_field function is also suitable for securely hashing to sca lars. <t>The hash_to_field function is also suitable for securely hashing to sca lars.
For example, when hashing to the scalar field for an elliptic curve (sub)group For example, when hashing to the scalar field for an elliptic curve (sub)group
with prime order r, it suffices to instantiate hash_to_field with target field with prime order r, it suffices to instantiate hash_to_field with target field
GF(r).</t> GF(r).</t>
<t>The hash_to_field function is designed to be indifferentiable from a <t>The hash_to_field function is designed to be indifferentiable from a
random oracle <xref target="MRH04" format="default"/> when expand_message (<xref random oracle <xref target="MRH04"/> when expand_message (<xref target="hashtofi
target="hashtofield-expand" format="default"/>) eld-expand"/>)
is modeled as a random oracle (see <xref target="security-considerations-hash-to is modeled as a random oracle (see <xref target="security-considerations-hash-to
-field" format="default"/> -field"/>
for details about its indifferentiability). for details about its indifferentiability).
Ensuring indifferentiability requires care; to see why, consider a prime Ensuring indifferentiability requires care; to see why, consider a prime
p that is close to 3/4 * 2^256. p that is close to 3/4 * 2^256.
Reducing a random 256-bit integer modulo this p yields a value that is in Reducing a random 256-bit integer modulo this p yields a value that is in
the range [0, p / 3] with probability roughly 1/2, meaning that this value the range [0, p / 3] with probability roughly 1/2, meaning that this value
is statistically far from uniform in [0, p - 1].</t> is statistically far from uniform in [0, p - 1].</t>
<t>To control bias, hash_to_field instead uses random integers whose <t>To control bias, hash_to_field instead uses random integers whose
length is at least ceil(log2(p)) + k bits, where k is the target security length is at least ceil(log2(p)) + k bits, where k is the target security
level for the suite in bits. level for the suite in bits.
Reducing such integers mod p gives bias at most 2^-k for any p; this bias Reducing such integers mod p gives bias at most 2^-k for any p; this bias
is appropriate when targeting k-bit security. is appropriate when targeting k-bit security.
For each such integer, hash_to_field uses expand_message to obtain For each such integer, hash_to_field uses expand_message to obtain
L uniform bytes, where</t> L uniform bytes, where</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
L = ceil((ceil(log2(p)) + k) / 8) L = ceil((ceil(log2(p)) + k) / 8)
]]></artwork> ]]></artwork>
<t>These uniform bytes are then interpreted as an integer via OS2IP. <t>These uniform bytes are then interpreted as an integer via OS2IP.
For example, for a 255-bit prime p, and k = 128-bit security, For example, for a 255-bit prime p, and k = 128-bit security,
L = ceil((255 + 128) / 8) = 48 bytes.</t> L = ceil((255 + 128) / 8) = 48 bytes.</t>
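To make the bias argument above concrete, here is an added example (not code from RFC 9380 or its reference implementation) that computes L for the field primes of several suites defined later in this document and measures the exact statistical distance of a reduced n-bit integer from uniform, first with n = ceil(log2(p)) and then with n = ceil(log2(p)) + k. The toy prime 191, just below 3/4 * 2^8, is a constructed stand-in for the text's p close to 3/4 * 2^256; the closed form for the distance is derived in the docstring and cross-checked by brute force. Function names (`ceil_log2`, `hash_to_field_L`, `statistical_distance`, `prob_residue_below`) are this example's own.

```python
from fractions import Fraction


def ceil_log2(p: int) -> int:
    """ceil(log2(p)) for an integer p >= 2, computed exactly (no floating point)."""
    return (p - 1).bit_length()


def hash_to_field_L(p: int, k: int) -> int:
    """L = ceil((ceil(log2(p)) + k) / 8): bytes expand_message must supply per field element."""
    return (ceil_log2(p) + k + 7) // 8


def statistical_distance(p: int, nbits: int) -> Fraction:
    """Exact statistical distance between (U mod p), for U uniform on [0, 2^nbits),
    and the uniform distribution on [0, p).

    Write 2^n = q*p + s with 0 <= s < p. Residues r < s have q + 1 preimages and the
    other p - s residues have q, so
        SD = 1/2 * ( s*((q+1)/2^n - 1/p) + (p-s)*(1/p - q/2^n) ) = s*(p-s) / (p*2^n).
    Since s*(p-s) <= p^2/4, SD <= p / 2^(n+2) <= 2^-(k+2) once n >= ceil(log2(p)) + k,
    which is why L*8 >= ceil(log2(p)) + k bits give bias well under the text's 2^-k.
    """
    total = 1 << nbits
    q, s = divmod(total, p)
    return Fraction(s * (p - s), p * total)


def statistical_distance_bruteforce(p: int, nbits: int) -> Fraction:
    """Same quantity by enumerating every n-bit input; only feasible for toy sizes."""
    total = 1 << nbits
    counts = [0] * p
    for u in range(total):
        counts[u % p] += 1
    return sum(abs(Fraction(c, total) - Fraction(1, p)) for c in counts) / 2


def prob_residue_below(p: int, nbits: int, bound: int) -> Fraction:
    """Pr[(U mod p) < bound] for U uniform on [0, 2^nbits)."""
    total = 1 << nbits
    q, s = divmod(total, p)
    hits = sum((q + 1) if r < s else q for r in range(bound))
    return Fraction(hits, total)


# Field primes of suites defined later in this document (k is each suite's security level).
P_25519 = 2**255 - 19                              # curve25519 / edwards25519, k = 128
P_256 = 2**256 - 2**224 + 2**192 + 2**96 - 1      # NIST P-256, k = 128
P_384 = 2**384 - 2**128 - 2**96 + 2**32 - 1       # NIST P-384, k = 192
P_SECP256K1 = 2**256 - 2**32 - 977                 # secp256k1, k = 128

TOY_P = 191   # constructed toy: prime just below 3/4 * 2^8, 8-bit analogue of p ~ 3/4 * 2^256

if __name__ == "__main__":
    for name, p, k in [("curve25519", P_25519, 128), ("P-256", P_256, 128),
                       ("P-384", P_384, 192), ("secp256k1", P_SECP256K1, 128)]:
        print(f"{name:10s} ceil(log2 p) = {ceil_log2(p):3d}  k = {k}  L = {hash_to_field_L(p, k)}")
    n0 = ceil_log2(TOY_P)                                    # 8 bits, no extra margin
    print("p = 191, 8-bit inputs:  Pr[r <= p/3] =", prob_residue_below(TOY_P, n0, TOY_P // 3 + 1),
          " SD =", float(statistical_distance(TOY_P, n0)))
    print("p = 191, 24-bit inputs: SD =", float(statistical_distance(TOY_P, n0 + 16)), "< 2^-16")
    print("p = 2^255-19, 383-bit inputs: SD * 2^130 <= 1 is",
          statistical_distance(P_25519, ceil_log2(P_25519) + 128) * 2**130 <= 1)
```

With 8-bit inputs the toy prime lands in [0, p/3] with probability exactly 1/2 and has statistical distance about 0.17 from uniform; adding 16 bits of margin drops that below 2^-16, and the 383-bit integers hash_to_field uses for p = 2^255 - 19 give distance at most 2^-130, comfortably inside the 2^-128 the text promises.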
<t>Note that k is an upper bound on the security level for the <t>Note that k is an upper bound on the security level for the
corresponding curve. corresponding curve.
See <xref target="security-considerations-targets" format="default"/> for more details, and See <xref target="security-considerations-targets"/> for more details and
<xref target="new-suite" format="default"/> for guidelines on choosing k for a given curve.</t> <xref target="new-suite"/> for guidelines on choosing k for a given curve.</t>
<section anchor="hashtofield-exteff" numbered="true" toc="default"> <section anchor="hashtofield-exteff">
<name>Efficiency considerations in extension fields</name> <name>Efficiency Considerations in Extension Fields</name>
<t>The hash_to_field function described in this section is inefficient for certain <t>The hash_to_field function described in this section is inefficient for certain
extension fields. Specifically, when hashing to an element of the extension extension fields. Specifically, when hashing to an element of the extension
field GF(p^m), hash_to_field requires expanding msg into m * L bytes (for L as defined above). field GF(p^m), hash_to_field requires expanding msg into m * L bytes (for L as defined above).
For extension fields where log2(p) is significantly smaller than the security For extension fields where log2(p) is significantly smaller than the security
level k, this approach is inefficient: it requires expand_message to output level k, this approach is inefficient: it requires expand_message to output
roughly m * log2(p) + m * k bits, whereas m * log2(p) + k bits suffices to roughly m * log2(p) + m * k bits, whereas m * log2(p) + k bits suffices to
generate an element of GF(p^m) with bias at most 2^-k. In such cases, generate an element of GF(p^m) with bias at most 2^-k. In such cases,
applications MAY use an alternative hash_to_field function, provided it applications <bcp14>MAY</bcp14> use an alternative hash_to_field function, provided it
meets the following security requirements:</t> meets the following security requirements:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The function MUST output field element(s) that are uniformly random except with bias at most 2^-k.</li> <li>The function <bcp14>MUST</bcp14> output one or more field elements that are uniformly random except with bias at most 2^-k.</li>
<li>The function MUST NOT use rejection sampling.</li> <li>The function <bcp14>MUST NOT</bcp14> use rejection sampling.</li>
<li>The function SHOULD be amenable to straight line implementations.</li> <li>The function <bcp14>SHOULD</bcp14> be amenable to straight-line implementations.</li>
</ul> </ul>
<t>For example, Pornin <xref target="P20" format="default"/> describes a method for hashing to GF(9767^19) that meets <t>For example, Pornin <xref target="P20"/> describes a method for hashing to GF(9767^19) that meets
these requirements while using fewer output bits from expand_message than these requirements while using fewer output bits from expand_message than
hash_to_field would for that field.</t> hash_to_field would for that field.</t>
</section> </section>
<section anchor="hashtofield-impl" numbered="true" toc="default"> <section anchor="hashtofield-impl">
<name>hash_to_field implementation</name> <name>hash_to_field Implementation</name>
<t>The following procedure implements hash_to_field.</t> <t>The following procedure implements hash_to_field.</t>
<t>The expand_message parameter to this function MUST conform to the requirements <t>The expand_message parameter to this function <bcp14>MUST</bcp14> conform to the requirements
given in <xref target="hashtofield-expand" format="default"/>. <xref target="domain-separation" format="default"/> discusses the REQUIRED given in <xref target="hashtofield-expand"/>. <xref target="domain-separation"/> discusses the <bcp14>REQUIRED</bcp14>
method for constructing DST, the domain separation tag. Note that hash_to_field method for constructing DST, the domain separation tag. Note that hash_to_field
may fail (abort) if expand_message fails.</t> may fail (ABORT) if expand_message fails.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_field(msg, count) hash_to_field(msg, count)
Parameters: Parameters:
- DST, a domain separation tag (see Section 3.1). - DST, a domain separation tag (see Section 3.1).
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above). - p, the characteristic of F (see immediately above).
- m, the extension degree of F, m &gt;= 1 (see immediately above). - m, the extension degree of F, m >= 1 (see immediately above).
- L = ceil((ceil(log2(p)) + k) / 8), where k is the security - L = ceil((ceil(log2(p)) + k) / 8), where k is the security
parameter of the suite (e.g., k = 128). parameter of the suite (e.g., k = 128).
- expand_message, a function that expands a byte string and - expand_message, a function that expands a byte string and
domain separation tag into a uniformly random byte string domain separation tag into a uniformly random byte string
(see Section 5.3). (see Section 5.3).
Inputs: Input:
- msg, a byte string containing the message to hash. - msg, a byte string containing the message to hash.
- count, the number of elements of F to output. - count, the number of elements of F to output.
Outputs: Output:
- (u_0, ..., u_(count - 1)), a list of field elements. - (u_0, ..., u_(count - 1)), a list of field elements.
Steps: Steps:
1. len_in_bytes = count * m * L 1. len_in_bytes = count * m * L
2. uniform_bytes = expand_message(msg, DST, len_in_bytes) 2. uniform_bytes = expand_message(msg, DST, len_in_bytes)
3. for i in (0, ..., count - 1): 3. for i in (0, ..., count - 1):
4. for j in (0, ..., m - 1): 4. for j in (0, ..., m - 1):
5. elm_offset = L * (j + i * m) 5. elm_offset = L * (j + i * m)
6. tv = substr(uniform_bytes, elm_offset, L) 6. tv = substr(uniform_bytes, elm_offset, L)
7. e_j = OS2IP(tv) mod p 7. e_j = OS2IP(tv) mod p
8. u_i = (e_0, ..., e_(m - 1)) 8. u_i = (e_0, ..., e_(m - 1))
9. return (u_0, ..., u_(count - 1)) 9. return (u_0, ..., u_(count - 1))
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="hashtofield-expand" numbered="true" toc="default"> <section anchor="hashtofield-expand">
<name>expand_message</name> <name>expand_message</name>
<t>expand_message is a function that generates a uniformly random byte string. <t>expand_message is a function that generates a uniformly random byte string.
It takes three arguments:</t> It takes three arguments:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>msg, a byte string containing the message to hash,</li>
<li>msg, a byte string containing the message to hash,</li>
<li>DST, a byte string that acts as a domain separation tag, and</li> <li>DST, a byte string that acts as a domain separation tag, and</li>
<li>len_in_bytes, the number of bytes to be generated.</li> <li>len_in_bytes, the number of bytes to be generated.</li>
</ol> </ol>
<t>This document defines the following two variants of expand_message:</t> <t>This document defines the following two variants of expand_message:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>expand_message_xmd (<xref target="hashtofield-expand-xmd" format="default"/>) is appropriate for use <li>expand_message_xmd (<xref target="hashtofield-expand-xmd"/>) is appropriate for use
with a wide range of hash functions, including SHA-2 <xref target="FIPS180-4" format="default"/>, SHA-3 with a wide range of hash functions, including SHA-2 <xref target="FIPS180-4"/>, SHA-3
<xref target="FIPS202" format="default"/>, BLAKE2 <xref target="RFC7693" format="default"/>, and others.</li> <xref target="FIPS202"/>, BLAKE2 <xref target="RFC7693"/>, and others.</li>
<li>expand_message_xof (<xref target="hashtofield-expand-xof" format="default"/>) is appropriate for use <li>expand_message_xof (<xref target="hashtofield-expand-xof"/>) is appropriate for use
with extendable-output functions (XOFs) including functions in the SHAKE with extendable-output functions (XOFs), including functions in the SHAKE
<xref target="FIPS202" format="default"/> or BLAKE2X <xref target="BLAKE2X" format="default"/> families.</li> <xref target="FIPS202"/> or BLAKE2X <xref target="BLAKE2X"/> families.</li>
</ul> </ul>
<t>These variants should suffice for the vast majority of use cases, but other <t>These variants should suffice for the vast majority of use cases, but other
variants are possible; <xref target="hashtofield-expand-other" format="default"/> discusses requirements.</t> variants are possible; <xref target="hashtofield-expand-other"/> discusses requirements.</t>
<section anchor="hashtofield-expand-xmd" numbered="true" toc="default"> <section anchor="hashtofield-expand-xmd">
<name>expand_message_xmd</name> <name>expand_message_xmd</name>
<t>The expand_message_xmd function produces a uniformly random byte string using <t>The expand_message_xmd function produces a uniformly random byte string using
a cryptographic hash function H that outputs b bits. For security, H MUST meet a cryptographic hash function H that outputs b bits. For security, H <bcp14>MUST</bcp14> meet
the following requirements:</t> the following requirements:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The number of bits output by H MUST be b &gt;= 2 * k, for k the target <li>The number of bits output by H <bcp14>MUST</bcp14> be b &gt;= 2 * k, where k is the target
security level in bits, and b MUST be divisible by 8. security level in bits, and b <bcp14>MUST</bcp14> be divisible by 8.
The first requirement ensures k-bit collision resistance; the second The first requirement ensures k-bit collision resistance; the second
ensures uniformity of expand_message_xmd's output.</li> ensures uniformity of expand_message_xmd's output.</li>
<li>H MAY be a Merkle-Damgaard hash function like SHA-2. <li>H <bcp14>MAY</bcp14> be a Merkle-Damgaard hash function like SHA-2.
In this case, security holds when the underlying compression function is In this case, security holds when the underlying compression function is
modeled as a random oracle <xref target="CDMP05" format="default"/>. (See modeled as a random oracle <xref target="CDMP05"/>. (See
<xref target="security-considerations-expand-xmd" format="default"/> for discussion.)</li> <xref target="security-considerations-expand-xmd"/> for discussion.)</li>
<li>H MAY be a sponge-based hash function like SHA-3 or BLAKE2. <li>H <bcp14>MAY</bcp14> be a sponge-based hash function like SHA-3 or BLAKE2.
In this case, security holds when the inner function is modeled as a In this case, security holds when the inner function is modeled as a
random transformation or as a random permutation <xref target="BDPV08" format="default"/>.</li> random transformation or as a random permutation <xref target="BDPV08"/>.</li>
<li>Otherwise, H MUST be a hash function that has been proved indifferentiable <li>Otherwise, H <bcp14>MUST</bcp14> be a hash function that has been proved indifferentiable
from a random oracle <xref target="MRH04" format="default"/> under a reasonable cryptographic assumption.</li> from a random oracle <xref target="MRH04"/> under a reasonable cryptographic assumption.</li>
</ul> </ul>
<t>SHA-2 <xref target="FIPS180-4" format="default"/> and SHA-3 <xref target="FIPS202" format="default"/> are typical and RECOMMENDED choices. <t>SHA-2 <xref target="FIPS180-4"/> and SHA-3 <xref target="FIPS202"/> are typical and <bcp14>RECOMMENDED</bcp14> choices.
As an example, for the 128-bit security level, b &gt;= 256 bits and either SHA-256 or As an example, for the 128-bit security level, b &gt;= 256 bits and either SHA-256 or
SHA3-256 would be an appropriate choice.</t> SHA3-256 would be an appropriate choice.</t>
<t>The hash function H is assumed to work by repeatedly ingesting fixed-length <t>The hash function H is assumed to work by repeatedly ingesting fixed-length
blocks of data. The length in bits of these blocks is called the input block blocks of data. The length in bits of these blocks is called the input block
size (s). As examples, s = 1024 for SHA-512 <xref target="FIPS180-4" format="default"/> and s = 576 for size (s). As examples, s = 1024 for SHA-512 <xref target="FIPS180-4"/> and s = 576 for
SHA3-512 <xref target="FIPS202" format="default"/>. For correctness, H requires b &lt;= s.</t> SHA3-512 <xref target="FIPS202"/>. For correctness, H requires b &lt;= s.</t>
<t>The following procedure implements expand_message_xmd.</t> <t>The following procedure implements expand_message_xmd.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
expand_message_xmd(msg, DST, len_in_bytes) expand_message_xmd(msg, DST, len_in_bytes)
Parameters: Parameters:
- H, a hash function (see requirements above). - H, a hash function (see requirements above).
- b_in_bytes, b / 8 for b the output size of H in bits. - b_in_bytes, b / 8 for b the output size of H in bits.
For example, for b = 256, b_in_bytes = 32. For example, for b = 256, b_in_bytes = 32.
- s_in_bytes, the input block size of H, measured in bytes (see - s_in_bytes, the input block size of H, measured in bytes (see
discussion above). For example, for SHA-256, s_in_bytes = 64. discussion above). For example, for SHA-256, s_in_bytes = 64.
Input: Input:
skipping to change at line 788 skipping to change at line 794
- DST, a byte string of at most 255 bytes. - DST, a byte string of at most 255 bytes.
See below for information on using longer DSTs. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes, - len_in_bytes, the length of the requested output in bytes,
not greater than the lesser of (255 * b_in_bytes) or 2^16-1. not greater than the lesser of (255 * b_in_bytes) or 2^16-1.
Output: Output:
- uniform_bytes, a byte string. - uniform_bytes, a byte string.
Steps: Steps:
1. ell = ceil(len_in_bytes / b_in_bytes) 1. ell = ceil(len_in_bytes / b_in_bytes)
2. ABORT if ell &gt; 255 or len_in_bytes &gt; 65535 or len(DST) &gt; 255 2. ABORT if ell > 255 or len_in_bytes > 65535 or len(DST) > 255
3. DST_prime = DST || I2OSP(len(DST), 1) 3. DST_prime = DST || I2OSP(len(DST), 1)
4. Z_pad = I2OSP(0, s_in_bytes) 4. Z_pad = I2OSP(0, s_in_bytes)
5. l_i_b_str = I2OSP(len_in_bytes, 2) 5. l_i_b_str = I2OSP(len_in_bytes, 2)
6. msg_prime = Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime 6. msg_prime = Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime
7. b_0 = H(msg_prime) 7. b_0 = H(msg_prime)
8. b_1 = H(b_0 || I2OSP(1, 1) || DST_prime) 8. b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
9. for i in (2, ..., ell): 9. for i in (2, ..., ell):
10. b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) 10. b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime)
11. uniform_bytes = b_1 || ... || b_ell 11. uniform_bytes = b_1 || ... || b_ell
12. return substr(uniform_bytes, 0, len_in_bytes) 12. return substr(uniform_bytes, 0, len_in_bytes)
</sourcecode> ]]></sourcecode>
<t>Note that the string Z_pad (step 6) is prefixed to msg before computing b_0 (step 7). <t>Note that the string Z_pad (step 6) is prefixed to msg before computing b_0 (step 7).
This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2 This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2
(see <xref target="security-considerations-expand-xmd" format="default"/>). (see <xref target="security-considerations-expand-xmd"/>).
Hashing this additional data means that the cost of computing b_0 is higher Hashing this additional data means that the cost of computing b_0 is higher
than the cost of simply computing H(msg). than the cost of simply computing H(msg).
In most settings this overhead is negligible, because the cost of evaluating In most settings, this overhead is negligible, because the cost of evaluating
H is much less than the other costs involved in hashing to a curve.</t> H is much less than the other costs involved in hashing to a curve.</t>
<t>It is possible, however, to entirely avoid this overhead by taking advantage <t>It is possible, however, to entirely avoid this overhead by taking advantage
of the fact that Z_pad depends only on H, and not on the arguments to of the fact that Z_pad depends only on H, and not on the arguments to
expand_message_xmd. expand_message_xmd.
To do so, first precompute and save the internal state of H after ingesting To do so, first precompute and save the internal state of H after ingesting
Z_pad. Then, when computing b_0, initialize H using the saved state. Z_pad. Then, when computing b_0, initialize H using the saved state.
Further details are implementation dependent, and beyond the scope of this document.</t> Further details are implementation dependent and are beyond the scope of this document.</t>
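The following added example (not the RFC's reference code) implements the hash_to_field listing and the expand_message_xmd listing above, instantiated with SHA-256, and also shows the Z_pad precomputation just described using hashlib's copyable hash state. It checks expand_message_xmd(SHA-256) for msg = "" against the published vector in the expand_message test-vector appendix of RFC 9380 (DST "QUUX-V01-CS02-with-expander-SHA256-128", len_in_bytes = 32), enforces the ABORT conditions of step 2, and exercises m > 1 with a constructed GF(p^2) parameter set (p = 2^61 - 1, k = 64) that is not a suite of this document. hashlib's `block_size` and `digest_size` supply s_in_bytes and b_in_bytes; the P-256 constants and DST are those of the P256_XMD:SHA-256_SSWU_RO_ suite and its test vectors, while `hash_to_field_p256`, `aborts` and `zpad_state` are names chosen for this example.

```python
import hashlib
from typing import Callable


def i2osp(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def os2ip(octets: bytes) -> int:
    return int.from_bytes(octets, "big")


def strxor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def zpad_state(H: Callable = hashlib.sha256):
    """Hash state after absorbing Z_pad = I2OSP(0, s_in_bytes). It depends only on H,
    so it can be computed once and reused for every b_0 (the optimization described above)."""
    h = H()
    h.update(i2osp(0, h.block_size))
    return h


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int,
                       H: Callable = hashlib.sha256, saved_zpad=None) -> bytes:
    """expand_message_xmd as specified above; b_in_bytes and s_in_bytes come from hashlib.
    When saved_zpad (from zpad_state) is given, b_0 starts from that state instead of
    re-hashing the s_in_bytes zero block; the result is identical."""
    b_in_bytes, s_in_bytes = H().digest_size, H().block_size
    ell = -(-len_in_bytes // b_in_bytes)                     # step 1: ceil division
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:  # step 2
        raise ValueError("expand_message_xmd: ABORT")
    dst_prime = dst + i2osp(len(dst), 1)                     # step 3: suffix-free DST
    tail = msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    if saved_zpad is None:
        b_0 = H(i2osp(0, s_in_bytes) + tail).digest()        # steps 4-7
    else:
        h = saved_zpad.copy()                                # Z_pad already absorbed
        h.update(tail)
        b_0 = h.digest()
    b_i = H(b_0 + i2osp(1, 1) + dst_prime).digest()          # step 8: b_1
    blocks = [b_i]
    for i in range(2, ell + 1):                              # steps 9-10
        b_i = H(strxor(b_0, b_i) + i2osp(i, 1) + dst_prime).digest()
        blocks.append(b_i)
    return b"".join(blocks)[:len_in_bytes]                   # steps 11-12


def aborts(*args, **kwargs) -> bool:
    """True if expand_message_xmd rejects the arguments in step 2."""
    try:
        expand_message_xmd(*args, **kwargs)
    except ValueError:
        return True
    return False


def ceil_log2(p: int) -> int:
    return (p - 1).bit_length()


def hash_to_field(msg: bytes, count: int, *, dst: bytes, p: int, m: int, k: int,
                  expand: Callable = expand_message_xmd) -> list:
    """hash_to_field as specified above: count elements of GF(p^m), each returned as
    an m-tuple (e_0, ..., e_(m-1)) of integers in [0, p), with bias at most 2^-k."""
    L = (ceil_log2(p) + k + 7) // 8
    len_in_bytes = count * m * L                             # step 1
    uniform_bytes = expand(msg, dst, len_in_bytes)           # step 2
    u = []
    for i in range(count):                                   # steps 3-8
        e = []
        for j in range(m):
            elm_offset = L * (j + i * m)
            tv = uniform_bytes[elm_offset:elm_offset + L]
            e.append(os2ip(tv) % p)
        u.append(tuple(e))
    return u


# P-256 field prime and the DST used by this document's test vectors for the
# P256_XMD:SHA-256_SSWU_RO_ suite (k = 128, m = 1, L = 48, count = 2).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_DST = b"QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_"
EXPANDER_DST = b"QUUX-V01-CS02-with-expander-SHA256-128"     # DST of the expand_message_xmd vectors


def hash_to_field_p256(msg: bytes, count: int = 2) -> list:
    """Wrapper (this example's own name) for the P-256 suite's hash_to_field."""
    return hash_to_field(msg, count, dst=P256_DST, p=P256_P, m=1, k=128)


if __name__ == "__main__":
    print(expand_message_xmd(b"", EXPANDER_DST, 32).hex())
    (u0,), (u1,) = hash_to_field_p256(b"abc")
    print(hex(u0), hex(u1))
```

Because len_in_bytes is folded into b_0, requesting 32 and then 64 bytes for the same (msg, DST) yields unrelated strings rather than a prefix and its extension; that is the "independent values for distinct (msg, DST, length) inputs" property required of every expand_message variant.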
</section> </section>
<section anchor="hashtofield-expand-xof" numbered="true" toc="default"> <section anchor="hashtofield-expand-xof">
<name>expand_message_xof</name> <name>expand_message_xof</name>
<t>The expand_message_xof function produces a uniformly random byte string <t>The expand_message_xof function produces a uniformly random byte string
using an extendable-output function (XOF) H. using an extendable-output function (XOF) H.
For security, H MUST meet the following criteria:</t> For security, H <bcp14>MUST</bcp14> meet the following criteria:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The collision resistance of H MUST be at least k bits.</li> <li>The collision resistance of H <bcp14>MUST</bcp14> be at least k bits.</li>
<li>H MUST be an XOF that has been proved indifferentiable from a random oracle <li>H <bcp14>MUST</bcp14> be an XOF that has been proved indifferentiable from a random oracle
under a reasonable cryptographic assumption.</li> under a reasonable cryptographic assumption.</li>
</ul> </ul>
<t>The SHAKE <xref target="FIPS202" format="default"/> XOF family is a typical and RECOMMENDED choice. <t>The SHAKE XOF family <xref target="FIPS202"/> is a typical and <bcp14>RECOMMENDED</bcp14> choice.
As an example, for 128-bit security, SHAKE128 would be an appropriate choice.</t> As an example, for 128-bit security, SHAKE128 would be an appropriate choice.</t>
<t>The following procedure implements expand_message_xof.</t> <t>The following procedure implements expand_message_xof.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
expand_message_xof(msg, DST, len_in_bytes) expand_message_xof(msg, DST, len_in_bytes)
Parameters: Parameters:
- H(m, d), an extendable-output function that processes - H(m, d), an extendable-output function that processes
input message m and returns d bytes. input message m and returns d bytes.
Input: Input:
- msg, a byte string. - msg, a byte string.
- DST, a byte string of at most 255 bytes. - DST, a byte string of at most 255 bytes.
See below for information on using longer DSTs. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes. - len_in_bytes, the length of the requested output in bytes.
Output: Output:
- uniform_bytes, a byte string. - uniform_bytes, a byte string.
Steps: Steps:
1. ABORT if len_in_bytes &gt; 65535 or len(DST) &gt; 255 1. ABORT if len_in_bytes > 65535 or len(DST) > 255
2. DST_prime = DST || I2OSP(len(DST), 1) 2. DST_prime = DST || I2OSP(len(DST), 1)
3. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime 3. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime
4. uniform_bytes = H(msg_prime, len_in_bytes) 4. uniform_bytes = H(msg_prime, len_in_bytes)
5. return uniform_bytes 5. return uniform_bytes
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="hashtofield-expand-dst" numbered="true" toc="default"> <section anchor="hashtofield-expand-dst">
<name>Using DSTs longer than 255 bytes</name> <name>Using DSTs Longer than 255 Bytes</name>
<t>The expand_message variants defined in this section accept domain separation <t>The expand_message variants defined in this section accept domain separation
tags of at most 255 bytes. tags of at most 255 bytes.
If applications require a domain separation tag longer than 255 bytes, e.g., because If applications require a domain separation tag longer than 255 bytes, e.g., because
of requirements imposed by an invoking protocol, implementors MUST compute a short of requirements imposed by an invoking protocol, implementors <bcp14>MUST</bcp14> compute a short
domain separation tag by hashing, as follows:</t> domain separation tag by hashing, as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>For expand_message_xmd using hash function H, DST is computed as</t> <t>For expand_message_xmd using hash function H, DST is computed as</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST) DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST)
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>For expand_message_xof using extendable-output function H, DST is computed as </t> <t>For expand_message_xof using extendable-output function H, DST is computed as </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8)) DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8))
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>Here, a_very_long_DST is the DST whose length is greater than 255 bytes, <t>Here, a_very_long_DST is the DST whose length is greater than 255 bytes,
"H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and "H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and
k is the target security level in bits.</t> k is the target security level in bits.</t>
</section> </section>
<section anchor="hashtofield-expand-other" numbered="true" toc="default"> <section anchor="hashtofield-expand-other">
<name>Defining other expand_message variants</name> <name>Defining Other expand_message Variants</name>
<t>When defining a new expand_message variant, the most important consideration <t>When defining a new expand_message variant, the most important consideration
is that hash_to_field models expand_message as a random oracle. is that hash_to_field models expand_message as a random oracle.
Thus, implementors SHOULD prove indifferentiability from a random oracle Thus, implementors <bcp14>SHOULD</bcp14> prove indifferentiability from a random oracle
under an appropriate assumption about the underlying cryptographic primitives; under an appropriate assumption about the underlying cryptographic primitives;
see <xref target="security-considerations-hash-to-field" format="default"/> for more information.</t> see <xref target="security-considerations-hash-to-field"/> for more information.</t>
<t>In addition, expand_message variants:</t> <t>In addition, expand_message variants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>MUST give collision resistance commensurate with the security level of <li><bcp14>MUST</bcp14> give collision resistance commensurate with the security level of
the target elliptic curve.</li> the target elliptic curve.</li>
<li>MUST be built on primitives designed for use in applications requiring <li><bcp14>MUST</bcp14> be built on primitives designed for use in applications requiring
cryptographic randomness. As examples, a secure stream cipher is an appropriate cryptographic randomness. As examples, a secure stream cipher is an appropriate
primitive, whereas a Mersenne twister pseudorandom number generator <xref target="MT98" format="default"/> is not.</li> primitive, whereas a Mersenne twister pseudorandom number generator <xref target="MT98"/> is not.</li>
<li>MUST NOT use rejection sampling.</li> <li><bcp14>MUST NOT</bcp14> use rejection sampling.</li>
<li>MUST give independent values for distinct (msg, DST, length) inputs. <li><bcp14>MUST</bcp14> give independent values for distinct (msg, DST, length) inputs.
Meeting this requirement is subtle. Meeting this requirement is subtle.
As a simplified example, hashing msg || DST does not work, As a simplified example, hashing msg || DST does not work,
because in this case distinct (msg, DST) pairs whose concatenations are equal because in this case distinct (msg, DST) pairs whose concatenations are equal
will return the same output (e.g., ("AB", "CDEF") and ("ABC", "DEF")). will return the same output (e.g., ("AB", "CDEF") and ("ABC", "DEF")).
The variants defined in this document use a suffix-free encoding of DST The variants defined in this document use a suffix-free encoding of DST
to avoid this issue.</li> to avoid this issue.</li>
<li>MUST use the domain separation tag DST to ensure that invocations of <li><bcp14>MUST</bcp14> use the domain separation tag DST to ensure that invocations of
cryptographic primitives inside of expand_message are domain separated cryptographic primitives inside of expand_message are domain-separated
from invocations outside of expand_message. from invocations outside of expand_message.
For example, if the expand_message variant uses a hash function H, an encoding For example, if the expand_message variant uses a hash function H, an encoding
of DST MUST be added either as a prefix or a suffix of the input to each invocation of DST <bcp14>MUST</bcp14> be added either as a prefix or a suffix of the input to each invocation
of H. Adding DST as a suffix is the RECOMMENDED approach.</li> of H. Adding DST as a suffix is the <bcp14>RECOMMENDED</bcp14> approach.</li>
<li>SHOULD read msg exactly once, for efficiency when msg is long.</li> <li><bcp14>SHOULD</bcp14> read msg exactly once, for efficiency when msg is long.</li>
</ul> </ul>
<t>In addition, each expand_message variant MUST specify a unique EXP_TAG <t>In addition, each expand_message variant <bcp14>MUST</bcp14> specify a unique EXP_TAG
that identifies that variant in a Suite ID. See <xref target="suiteIDformat" format="default"/> for more information.</t> that identifies that variant in a Suite ID. See <xref target="suiteIDformat"/> for more information.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="mappings" numbered="true" toc="default"> <section anchor="mappings">
<name>Deterministic mappings</name> <name>Deterministic Mappings</name>
<t>The mappings in this section are suitable for implementing either nonuniform <t>The mappings in this section are suitable for implementing either nonuniform
or uniform encodings using the constructions in <xref target="roadmap" format="default"/>. or uniform encodings using the constructions in <xref target="roadmap"/>.
Certain mappings restrict the form of the curve or its parameters. Certain mappings restrict the form of the curve or its parameters.
For each mapping presented, this document lists the relevant restrictions.</t> For each mapping presented, this document lists the relevant restrictions.</t>
<t>Note that mappings in this section are not interchangeable: different m appings <t>Note that mappings in this section are not interchangeable: different m appings
will almost certainly output different points when evaluated on the same input.</t> will almost certainly output different points when evaluated on the same input.</t>
<section anchor="choosing-mapping" numbered="true" toc="default"> <section anchor="choosing-mapping">
<name>Choosing a mapping function</name> <name>Choosing a Mapping Function</name>
<t>This section gives brief guidelines on choosing a mapping function <t>This section gives brief guidelines on choosing a mapping function
for a given elliptic curve. for a given elliptic curve.
Note that the suites given in <xref target="suites" format="default"/> are recom mended mappings Note that the suites given in <xref target="suites"/> are recommended mappings
for the respective curves.</t> for the respective curves.</t>
<t>If the target elliptic curve is a Montgomery curve (<xref target="montgomery" format="default"/>), <t>If the target elliptic curve is a Montgomery curve (<xref target="montgomery"/>),
the Elligator 2 method (<xref target="elligator2" format="default"/>) is recommended. the Elligator 2 method (<xref target="elligator2"/>) is recommended.
Similarly, if the target elliptic curve is a twisted Edwards curve (<xref target="twisted-edwards" format="default"/>), Similarly, if the target elliptic curve is a twisted Edwards curve (<xref target="twisted-edwards"/>),
the twisted Edwards Elligator 2 method (<xref target="ell2edwards" format="default"/>) is recommended.</t> the twisted Edwards Elligator 2 method (<xref target="ell2edwards"/>) is recommended.</t>
<t>The remaining cases are Weierstrass curves. <t>The remaining cases are Weierstrass curves.
For curves supported by the Simplified SWU method (<xref target="simple-swu" format="default"/>), For curves supported by the Simplified Shallue-van de Woestijne-Ulas (SWU) method (<xref target="simple-swu"/>),
that mapping is the recommended one. that mapping is the recommended one.
Otherwise, the Simplified SWU method for AB == 0 (<xref target="simple-swu-AB0" format="default"/>) Otherwise, the Simplified SWU method for AB == 0 (<xref target="simple-swu-AB0"/>)
is recommended if the goal is best performance, while is recommended if the goal is best performance, while
the Shallue-van de Woestijne method (<xref target="svdw" format="default"/>) is recommended the Shallue-van de Woestijne method (<xref target="svdw"/>) is recommended
if the goal is simplicity of implementation. if the goal is simplicity of implementation.
(The reason for this distinction is that the Simplified SWU method for AB == 0 (The reason for this distinction is that the Simplified SWU method for AB == 0
requires implementing an isogeny map in addition to the mapping function, while requires implementing an isogeny map in addition to the mapping function, while
the Shallue-van de Woestijne method does not.)</t> the Shallue-van de Woestijne method does not.)</t>
<t>The Shallue-van de Woestijne method (<xref target="svdw" format="default"/>) works with any curve, <t>The Shallue-van de Woestijne method (<xref target="svdw"/>) works with any curve
and may be used in cases where a generic mapping is required. and may be used in cases where a generic mapping is required.
Note, however, that this mapping is almost always more computationally Note, however, that this mapping is almost always more computationally
expensive than the curve-specific recommendations above.</t> expensive than the curve-specific recommendations above.</t>
</section> </section>
<section anchor="interface" numbered="true" toc="default"> <section anchor="interface">
<name>Interface</name> <name>Interface</name>
<t>The generic interface shared by all mappings in this section is as follows:</t> <t>The generic interface shared by all mappings in this section is as follows:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
(x, y) = map_to_curve(u) (x, y) = map_to_curve(u)
</sourcecode> ]]></sourcecode>
<t>The input u and outputs x and y are elements of the field F. <t>The input u and outputs x and y are elements of the field F.
The affine coordinates (x, y) specify a point on an elliptic curve defined The affine coordinates (x, y) specify a point on an elliptic curve defined
over F. Note, however, that the point (x, y) is not a uniformly random point.</t > over F. Note, however, that the point (x, y) is not a uniformly random point.</t >
</section> </section>
<section anchor="notation" numbered="true" toc="default"> <section anchor="notation">
<name>Notation</name> <name>Notation</name>
<t>As a rough guide, the following conventions are used in pseudocode:</ t> <t>As a rough guide, the following conventions are used in pseudocode:</ t>
<ul spacing="normal"> <ul spacing="normal">
<li>All arithmetic operations are performed over a field F, unless <li>All arithmetic operations are performed over a field F, unless
explicitly stated otherwise.</li> explicitly stated otherwise.</li>
<li>u: the input to the mapping function. <li>u: the input to the mapping function.
This is an element of F produced by the hash_to_field function.</li> This is an element of F produced by the hash_to_field function.</li>
<li>(x, y), (s, t), (v, w): the affine coordinates of the point output by the mapping. <li>(x, y), (s, t), (v, w): the affine coordinates of the point output by the mapping.
Indexed variables (e.g., x1, y2, ...) are used for candidate values.</li> Indexed variables (e.g., x1, y2, ...) are used for candidate values.</li>
<li>tv1, tv2, ...: reusable temporary variables.</li> <li>tv1, tv2, ...: reusable temporary variables.</li>
<li>c1, c2, ...: constant values, which can be computed in advance.</l i> <li>c1, c2, ...: constant values, which can be computed in advance.</l i>
</ul> </ul>
</section> </section>
<section anchor="point-sign" numbered="true" toc="default"> <section anchor="point-sign">
<name>Sign of the resulting point</name> <name>Sign of the Resulting Point</name>
<t>In general, elliptic curves have equations of the form y^2 = g(x). <t>In general, elliptic curves have equations of the form y^2 = g(x).
The mappings in this section first identify an x such that The mappings in this section first identify an x such that
g(x) is square, then take a square root to find y. Since there g(x) is square, then take a square root to find y. Since there
are two square roots when g(x) != 0, this may result in an ambiguity are two square roots when g(x) != 0, this may result in an ambiguity
regarding the sign of y.</t> regarding the sign of y.</t>
<t>When necessary, the mappings in this section resolve this ambiguity b y <t>When necessary, the mappings in this section resolve this ambiguity b y
specifying the sign of the y-coordinate in terms of the input to the mapping specifying the sign of the y-coordinate in terms of the input to the mapping
function. function.
Two main reasons support this approach: first, this covers elliptic curves Two main reasons support this approach: first, this covers elliptic curves
over any field in a uniform way, and second, it gives implementors leeway over any field in a uniform way, and second, it gives implementors leeway
in optimizing square-root implementations.</t> in optimizing square-root implementations.</t>
</section> </section>
<section anchor="map-exceptions" numbered="true" toc="default"> <section anchor="map-exceptions">
<name>Exceptional cases</name> <name>Exceptional Cases</name>
<t>Mappings may have exceptional cases, i.e., inputs u <t>Mappings may have exceptional cases, i.e., inputs u
on which the mapping is undefined. These cases must be handled on which the mapping is undefined. These cases must be handled
carefully, especially for constant-time implementations.</t> carefully, especially for constant-time implementations.</t>
<t>For each mapping in this section, we discuss the exceptional cases an d show <t>For each mapping in this section, we discuss the exceptional cases an d show
how to handle them in constant time. Note that all implementations SHOULD use    how to handle them in constant time. Note that all implementations <bcp14>SHOULD</bcp14> use
inv0 (<xref target="utility" format="default"/>) to compute multiplicative inverses, to avoid exceptional    inv0 (<xref target="utility"/>) to compute multiplicative inverses, to avoid exceptional
cases that result from attempting to compute the inverse of 0.</t>    cases that result from attempting to compute the inverse of 0.</t>
</section> </section>
<section anchor="weierstrass" numbered="true" toc="default"> <section anchor="weierstrass">
<name>Mappings for Weierstrass curves</name> <name>Mappings for Weierstrass Curves</name>
<t>The mappings in this section apply to a target curve E defined by the equation</t> <t>The mappings in this section apply to a target curve E defined by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
y^2 = g(x) = x^3 + A * x + B y^2 = g(x) = x^3 + A * x + B
</sourcecode> ]]></sourcecode>
<t>where 4 * A^3 + 27 * B^2 != 0.</t> <t>where 4 * A^3 + 27 * B^2 != 0.</t>
<section anchor="svdw" numbered="true" toc="default"> <section anchor="svdw">
<name>Shallue-van de Woestijne method</name> <name>Shallue-van de Woestijne Method</name>
<t>Shallue and van de Woestijne <xref target="SW06" format="default"/> describe a mapping that applies to    <t>Shallue and van de Woestijne <xref target="SW06"/> describe a mapping that applies to
essentially any elliptic curve. essentially any elliptic curve.
(Note, however, that this mapping is more expensive to evaluate than (Note, however, that this mapping is more expensive to evaluate than
the other mappings in this document.)</t> the other mappings in this document.)</t>
<t>The parameterization given below is for Weierstrass curves; <t>The parameterization given below is for Weierstrass curves;
its derivation is detailed in <xref target="W19" format="default"/>. its derivation is detailed in <xref target="W19"/>.
This parameterization also works for Montgomery (<xref target="montgomery" format="default"/>) and    This parameterization also works for Montgomery curves (<xref target="montgomery"/>) and
twisted Edwards (<xref target="twisted-edwards" format="default"/>) curves via the rational maps    twisted Edwards curves (<xref target="twisted-edwards"/>) via the rational maps
given in <xref target="appx-rational-map" format="default"/>:    given in <xref target="appx-rational-map"/>:
first evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstrass    first, evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstrass
curve, then map that point to the target Montgomery or twisted Edwards curve    curve, then map that point to the target Montgomery or twisted Edwards curve
using the corresponding rational map.</t>    using the corresponding rational map.</t>
<t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.</t> <t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A and B, the parameters of the Weierstrass curve.</li>    <li>A and B, the parameters of the Weierstrass curve.</li>
<li> <li>
<t>Z, a non-zero element of F meeting the below criteria. <t>Z, a non-zero element of F meeting the below criteria.
<xref target="svdw-z-code" format="default"/> gives a Sage <xref target="SAGE" format="default"/> script that outputs the RECOMMENDED Z. </t>    <xref target="svdw-z-code"/> gives a Sage script <xref target="SAGE"/> that outputs the <bcp14>RECOMMENDED</bcp14> Z. </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>g(Z) != 0 in F.</li>
<li>g(Z) != 0 in F.</li>
<li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.</li> <li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.</li>
<li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.</li> <li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.</li>
<li>At least one of g(Z) and g(-Z / 2) is square in F.</li> <li>At least one of g(Z) and g(-Z / 2) is square in F.</li>
</ol> </ol>
</li> </li>
</ul> </ul>
<t>Sign of y: Inputs u and -u give the same x-coordinate for many valu es of u. <t>Sign of y: Inputs u and -u give the same x-coordinate for many valu es of u.
Thus, we set sgn0(y) == sgn0(u).</t> Thus, we set sgn0(y) == sgn0(u).</t>
<t>Exceptions: The exceptional cases for u occur when <t>Exceptions: The exceptional cases for u occur when
(1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0. (1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0.
The restrictions on Z given above ensure that implementations that use inv0 The restrictions on Z given above ensure that implementations that use inv0
to invert this product are exception free.</t> to invert this product are exception free.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. tv1 = u^2 * g(Z) 1. tv1 = u^2 * g(Z)
2. tv2 = 1 + tv1 2. tv2 = 1 + tv1
3. tv1 = 1 - tv1 3. tv1 = 1 - tv1
4. tv3 = inv0(tv1 * tv2) 4. tv3 = inv0(tv1 * tv2)
5. tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # can be precomputed 5. tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # can be precomputed
6. If sgn0(tv4) == 1, set tv4 = -tv4 # sgn0(tv4) MUST equal 0 6. If sgn0(tv4) == 1, set tv4 = -tv4 # sgn0(tv4) MUST equal 0
7. tv5 = u * tv1 * tv3 * tv4 7. tv5 = u * tv1 * tv3 * tv4
8. tv6 = -4 * g(Z) / (3 * Z^2 + 4 * A) # can be precomputed 8. tv6 = -4 * g(Z) / (3 * Z^2 + 4 * A) # can be precomputed
9. x1 = -Z / 2 - tv5 9. x1 = -Z / 2 - tv5
10. x2 = -Z / 2 + tv5 10. x2 = -Z / 2 + tv5
11. x3 = Z + tv6 * (tv2^2 * tv3)^2 11. x3 = Z + tv6 * (tv2^2 * tv3)^2
12. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1)) 12. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1))
13. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2)) 13. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2))
14. Else set x = x3 and y = sqrt(g(x3)) 14. Else set x = x3 and y = sqrt(g(x3))
15. If sgn0(u) != sgn0(y), set y = -y 15. If sgn0(u) != sgn0(y), set y = -y
16. return (x, y) 16. return (x, y)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-svdw" format="default"/> gives an example straight-line implementation of this    <t><xref target="straightline-svdw"/> gives an example straight-line implementation of this
mapping.</t>    mapping.</t>
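As an added example, not code from RFC 9380 or its reference repository, the following Python puts the Z criteria and the Operations above to work for secp256k1 (p = 2^256 - 2^32 - 977, A = 0, B = 7), a curve whose suite uses the AB == 0 method but which the generic Shallue-van de Woestijne map also handles. find_z() repeats the search the Sage script performs (Z = 1, -1, 2, -2, ... until the four criteria hold), exceptional_inputs() recovers every u that zeroes (1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) so the exception-free claim can be checked directly, and the helper names inv0, sgn0, is_square and sqrt follow the document's utility functions. Plain integer arithmetic with branches: not constant time, illustration only.

```python
# Added example (not RFC 9380 code): Shallue-van de Woestijne on secp256k1,
# including the search for Z performed by the RFC's Sage script.
# Plain Python integers; NOT constant time, illustration only.

p = 2**256 - 2**32 - 977            # secp256k1 field prime, p = 3 (mod 4)
A, B = 0, 7


def inv0(x):
    return pow(x % p, p - 2, p)     # inv0(0) == 0, as in Section 4


def is_square(x):
    return pow(x % p, (p - 1) // 2, p) in (0, 1)   # Legendre symbol; 0 counts as square


def sqrt(x):
    return pow(x % p, (p + 1) // 4, p)   # valid because p = 3 (mod 4); x must be square


def sgn0(x):
    return x % p % 2                # prime field: parity of the canonical representative


def g(x):
    return (x**3 + A * x + B) % p


def hz(z):
    """-(3 Z^2 + 4 A) / (4 g(Z)), the quantity constrained by criteria 2 and 3."""
    return (-(3 * z * z + 4 * A)) * inv0(4 * g(z)) % p


def z_ok(z):
    """The four criteria on Z from this section (plus Z != 0)."""
    z %= p
    return (z != 0 and g(z) != 0 and hz(z) != 0 and is_square(hz(z))
            and (is_square(g(z)) or is_square(g((-z) * inv0(2) % p))))


def find_z():
    """Try 1, -1, 2, -2, ... and return the first Z that passes, as the Sage script does."""
    ctr = 1
    while True:
        for cand in (ctr, -ctr):
            if z_ok(cand):
                return cand % p
        ctr += 1


Z = find_z()
GZ = g(Z)
C = (3 * Z * Z + 4 * A) % p                     # non-zero by criterion 2
TV4 = sqrt((-GZ * C) % p)                       # step 5, precomputed; a square by criterion 3
if sgn0(TV4) == 1:
    TV4 = p - TV4                               # step 6: sgn0(tv4) MUST equal 0
TV6 = (-4 * GZ) * inv0(C) % p                   # step 8, precomputed
NEG_HALF_Z = (-Z) * inv0(2) % p


def map_to_curve_svdw(u):
    """Operations 1-16 of this section, in order."""
    u %= p
    tv1 = u * u * GZ % p
    tv2 = (1 + tv1) % p
    tv1 = (1 - tv1) % p
    tv3 = inv0(tv1 * tv2)                       # 0 exactly on the exceptional inputs
    tv5 = u * tv1 * tv3 * TV4 % p
    x1 = (NEG_HALF_Z - tv5) % p
    x2 = (NEG_HALF_Z + tv5) % p
    x3 = (Z + TV6 * pow(tv2 * tv2 * tv3, 2, p)) % p
    if is_square(g(x1)):
        x, y = x1, sqrt(g(x1))
    elif is_square(g(x2)):
        x, y = x2, sqrt(g(x2))
    else:
        x, y = x3, sqrt(g(x3))                  # the construction makes g(x3) square here
    if sgn0(u) != sgn0(y):
        y = (-y) % p
    return x, y


def exceptional_inputs():
    """Every u with (1 + u^2 g(Z)) (1 - u^2 g(Z)) == 0.  On these, tv3 == 0, so
    x1 == x2 == -Z/2 and x3 == Z; criterion 4 guarantees one of them works."""
    out = []
    for v in (inv0(GZ), (-inv0(GZ)) % p):
        if is_square(v):
            root = sqrt(v)
            out += [root, (-root) % p]
    return out


def check(u):
    """True when the output is on E and carries the sign of u."""
    x, y = map_to_curve_svdw(u)
    return y * y % p == g(x) and sgn0(y) == sgn0(u)


def all_exceptional_ok():
    return all(check(u) for u in exceptional_inputs())
```

The Z search is the part worth reading: criteria 1 and 2 keep the precomputed constants tv4 and tv6 finite, criterion 3 is what makes the sqrt in step 5 exist at all, and criterion 4 is exactly the fallback the exceptional inputs land on.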
</section> </section>
<section anchor="simple-swu" numbered="true" toc="default"> <section anchor="simple-swu">
<name>Simplified Shallue-van de Woestijne-Ulas method</name> <name>Simplified Shallue-van de Woestijne-Ulas Method</name>
<t>The function map_to_curve_simple_swu(u) implements a simplification <t>The function map_to_curve_simple_swu(u) implements a simplification
of the Shallue-van de Woestijne-Ulas mapping <xref target="U07" format="default"/> described by Brier et    of the Shallue-van de Woestijne-Ulas mapping <xref target="U07"/> described by Brier et
al. <xref target="BCIMRT10" format="default"/>, which they call the "simplified SWU" map. Wahby and Boneh    al.&nbsp;<xref target="BCIMRT10"/>, which they call the "simplified SWU" map. Wahby and Boneh
<xref target="WB19" format="default"/> generalize and optimize this mapping.</t>    <xref target="WB19"/> generalize and optimize this mapping.</t>
<t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.</t> <t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A and B, the parameters of the Weierstrass curve.</li> <li>A and B, the parameters of the Weierstrass curve.</li>
<li> <li>
<t>Z, an element of F meeting the below criteria. <t>Z, an element of F meeting the below criteria.
<xref target="sswu-z-code" format="default"/> gives a Sage <xref target="SAGE" format="default"/> script that outputs the RECOMMENDED Z.    <xref target="sswu-z-code"/> gives a Sage script <xref target="SAGE"/> that outputs the <bcp14>RECOMMENDED</bcp14> Z.
The criteria are: </t>    The criteria are as follows: </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Z is non-square in F,</li>
<li>Z is non-square in F,</li>
<li>Z != -1 in F,</li> <li>Z != -1 in F,</li>
<li>the polynomial g(x) - Z is irreducible over F, and</li> <li>the polynomial g(x) - Z is irreducible over F, and</li>
<li>g(B / (Z * A)) is square in F.</li> <li>g(B / (Z * A)) is square in F.</li>
</ol> </ol>
</li> </li>
</ul> </ul>
<t>Sign of y: Inputs u and -u give the same x-coordinate. <t>Sign of y: Inputs u and -u give the same x-coordinate.
Thus, we set sgn0(y) == sgn0(u).</t> Thus, we set sgn0(y) == sgn0(u).</t>
<t>Exceptions: The exceptional cases are values of u such that <t>Exceptions: The exceptional cases are values of u such that
Z^2 * u^4 + Z * u^2 == 0. This includes u == 0, and may include Z^2 * u^4 + Z * u^2 == 0. This includes u == 0 and may include
other values depending on Z. Implementations must detect other values that depend on Z. Implementations must detect
this case and set x1 = B / (Z * A), which guarantees that g(x1) this case and set x1 = B / (Z * A), which guarantees that g(x1)
is square by the condition on Z given above.</t> is square by the condition on Z given above.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. tv1 = inv0(Z^2 * u^4 + Z * u^2) 1. tv1 = inv0(Z^2 * u^4 + Z * u^2)
2. x1 = (-B / A) * (1 + tv1) 2. x1 = (-B / A) * (1 + tv1)
3. If tv1 == 0, set x1 = B / (Z * A) 3. If tv1 == 0, set x1 = B / (Z * A)
4. gx1 = x1^3 + A * x1 + B 4. gx1 = x1^3 + A * x1 + B
5. x2 = Z * u^2 * x1 5. x2 = Z * u^2 * x1
6. gx2 = x2^3 + A * x2 + B 6. gx2 = x2^3 + A * x2 + B
7. If is_square(gx1), set x = x1 and y = sqrt(gx1) 7. If is_square(gx1), set x = x1 and y = sqrt(gx1)
8. Else set x = x2 and y = sqrt(gx2) 8. Else set x = x2 and y = sqrt(gx2)
9. If sgn0(u) != sgn0(y), set y = -y 9. If sgn0(u) != sgn0(y), set y = -y
10. return (x, y) 10. return (x, y)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-sswu" format="default"/> gives a general and optimized straight-line implementation of    <t><xref target="straightline-sswu"/> gives a general and optimized straight-line implementation of
this mapping. For more information on optimizing this mapping, see <xref target="WB19" format="default"/> Section    this mapping. For more information on optimizing this mapping, see Section 4 of <xref target="WB19"/>
4 or the example code found at <xref target="hash2curve-repo" format="default"/>.</t>    or the example code found at <xref target="hash2curve-repo"/>.</t>
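The Operations above, transcribed statement for statement into Python for P-256 as an added example (not code from the RFC or its reference repository): A = -3, B is the P-256 constant, and Z = -10 is the RECOMMENDED Z from the P-256 suites. The u == 0 exceptional case is routed through x1 = B / (Z * A) as step 3 requires. z_criteria_hold() checks criteria 1, 2 and 4 on Z; criterion 3, irreducibility of g(x) - Z, needs polynomial factoring and is left to the Sage script. Not constant time, illustration only.

```python
# Added example (not RFC 9380 code): Simplified SWU on P-256 with Z = -10.
# Plain Python integers; the branches make it NOT constant time.

p = 2**256 - 2**224 + 2**192 + 2**96 - 1       # P-256 field prime, p = 3 (mod 4)
A = p - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Z = p - 10                                     # RECOMMENDED Z for the P-256 suites


def inv0(x):
    """Inverse in GF(p) with inv0(0) == 0 (Fermat: 0^(p-2) == 0)."""
    return pow(x % p, p - 2, p)


def is_square(x):
    """Legendre-symbol test; 0 counts as a square."""
    return pow(x % p, (p - 1) // 2, p) in (0, 1)


def sqrt(x):
    """Square root for p = 3 (mod 4); the caller guarantees x is a square."""
    return pow(x % p, (p + 1) // 4, p)


def sgn0(x):
    """sgn0 over a prime field: parity of the canonical representative."""
    return x % p % 2


def g(x):
    return (x**3 + A * x + B) % p


def z_criteria_hold():
    """Criteria 1, 2 and 4 on Z.  Criterion 3 (g(x) - Z irreducible over F)
    needs polynomial factoring, which the Sage script does; not checked here."""
    x_exc = B * inv0(Z * A) % p
    return (not is_square(Z)) and Z != p - 1 and is_square(g(x_exc))


def map_to_curve_simple_swu(u):
    """The ten Operations of this section, one statement each."""
    u %= p
    tv1 = inv0(Z * Z * u**4 + Z * u * u)       # 1. inv0 gives 0 on the exceptional inputs
    x1 = (p - B) * inv0(A) * (1 + tv1) % p     # 2. (-B / A) * (1 + tv1)
    if tv1 == 0:
        x1 = B * inv0(Z * A) % p               # 3. exceptional case, u == 0 included
    gx1 = g(x1)                                # 4.
    x2 = Z * u * u * x1 % p                    # 5.
    gx2 = g(x2)                                # 6.
    if is_square(gx1):
        x, y = x1, sqrt(gx1)                   # 7.
    else:
        x, y = x2, sqrt(gx2)                   # 8. Z non-square makes gx2 square here
    if sgn0(u) != sgn0(y):
        y = (-y) % p                           # 9. tie the sign of y to the sign of u
    return x, y                                # 10.


def on_curve(pt):
    x, y = pt
    return y * y % p == g(x)


def check(u):
    """True when map_to_curve_simple_swu(u) lies on E with sgn0(y) == sgn0(u)."""
    x, y = map_to_curve_simple_swu(u)
    return on_curve((x, y)) and sgn0(y) == sgn0(u)
```

Step 3 is the line a constant-time implementation replaces with a CMOV; leaving it as a branch here keeps the correspondence with the numbered Operations visible.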
</section> </section>
<section anchor="simple-swu-AB0" numbered="true" toc="default"> <section anchor="simple-swu-AB0">
<name>Simplified SWU for AB == 0</name> <name>Simplified SWU for AB == 0</name>
<t>Wahby and Boneh <xref target="WB19" format="default"/> show how to adapt the simplified SWU mapping to <t>Wahby and Boneh <xref target="WB19"/> show how to adapt the Simplif ied SWU mapping to
Weierstrass curves having A == 0 or B == 0, which the mapping of Weierstrass curves having A == 0 or B == 0, which the mapping of
<xref target="simple-swu" format="default"/> does not support. <xref target="simple-swu"/> does not support.
(The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)</ t> (The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)</ t>
<t>This method applies to curves like secp256k1 <xref target="SEC2" format="default"/> and to pairing-friendly    <t>This method applies to curves like secp256k1 <xref target="SEC2"/> and to pairing-friendly
curves in the Barreto-Lynn-Scott <xref target="BLS03" format="default"/>, Barreto-Naehrig <xref target="BN05" format="default"/>, and other families.</t>    curves in the Barreto-Lynn-Scott family <xref target="BLS03"/>, Barreto-Naehrig family <xref target="BN05"/>, and other families.</t>
<t>This method requires finding another elliptic curve E' given by the equation</t> <t>This method requires finding another elliptic curve E' given by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
y'^2 = g'(x') = x'^3 + A' * x' + B' y'^2 = g'(x') = x'^3 + A' * x' + B'
</sourcecode> ]]></sourcecode>
<t>that is isogenous to E and has A' != 0 and B' != 0. <t>that is isogenous to E and has A' != 0 and B' != 0.
(See <xref target="WB19" format="default"/>, Appendix A, for one way of finding E' using <xref target="SAGE" format="default"/>.) (See <xref target="WB19"/>, Appendix A, for one way of finding E' using <xref ta rget="SAGE"/>.)
This isogeny defines a map iso_map(x', y') given by a pair of rational functions . This isogeny defines a map iso_map(x', y') given by a pair of rational functions .
iso_map takes as input a point on E' and produces as output a point on E.</t> iso_map takes as input a point on E' and produces as output a point on E.</t>
<t>Once E' and iso_map are identified, this mapping works as follows: on input <t>Once E' and iso_map are identified, this mapping works as follows: on input
u, first apply the simplified SWU mapping to get a point on E', then apply u, first apply the Simplified SWU mapping to get a point on E', then apply
the isogeny map to that point to get a point on E.</t> the isogeny map to that point to get a point on E.</t>
<t>Note that iso_map is a group homomorphism, meaning that point addit ion <t>Note that iso_map is a group homomorphism, meaning that point addit ion
commutes with iso_map. commutes with iso_map.
Thus, when using this mapping in the hash_to_curve construction of <xref target= "roadmap" format="default"/>, Thus, when using this mapping in the hash_to_curve construction discussed in <xr ef target="roadmap"/>,
one can effect a small optimization by first mapping u0 and u1 to E', adding one can effect a small optimization by first mapping u0 and u1 to E', adding
the resulting points on E', and then applying iso_map to the sum. the resulting points on E', and then applying iso_map to the sum.
This gives the same result while requiring only one evaluation of iso_map.</t> This gives the same result while requiring only one evaluation of iso_map.</t>
<t>Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that i s <t>Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that i s
isogenous to the target curve E with isogeny map iso_map from isogenous to the target curve E with isogeny map iso_map from
E' to E.</t> E' to E.</t>
<t>Helper functions:</t> <t>Helper functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>map_to_curve_simple_swu is the mapping of <xref target="simple-s wu" format="default"/> to E'</li> <li>map_to_curve_simple_swu is the mapping of <xref target="simple-s wu"/> to E'</li>
<li>iso_map is the isogeny map from E' to E</li> <li>iso_map is the isogeny map from E' to E</li>
</ul> </ul>
<t>Sign of y: for this map, the sign is determined by map_to_curve_sim ple_swu. <t>Sign of y: For this map, the sign is determined by map_to_curve_sim ple_swu.
No further sign adjustments are necessary.</t> No further sign adjustments are necessary.</t>
<t>Exceptions: map_to_curve_simple_swu handles its exceptional cases. <t>Exceptions: map_to_curve_simple_swu handles its exceptional cases.
Exceptional cases of iso_map are inputs that cause the denominator of Exceptional cases of iso_map are inputs that cause the denominator of
either rational function to evaluate to zero; such cases MUST return the either rational function to evaluate to zero; such cases <bcp14>MUST</bcp14> ret urn the
identity point on E.</t> identity point on E.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. (x', y') = map_to_curve_simple_swu(u) # (x', y') is on E' 1. (x', y') = map_to_curve_simple_swu(u) # (x', y') is on E'
2. (x, y) = iso_map(x', y') # (x, y) is on E 2. (x, y) = iso_map(x', y') # (x, y) is on E
3. return (x, y) 3. return (x, y)
</sourcecode> ]]></sourcecode>
<t>See <xref target="hash2curve-repo" format="default"/> or <xref target="WB19" format="default"/> Section 4.3 for details on implementing the isogeny map.</t>    <t>See <xref target="hash2curve-repo"/> or Section 4.3 of <xref target="WB19"/> for details on implementing the isogeny map.</t>
</section> </section>
</section> </section>
<section anchor="montgomery" numbered="true" toc="default"> <section anchor="montgomery">
<name>Mappings for Montgomery curves</name> <name>Mappings for Montgomery Curves</name>
<t>The mapping defined in this section applies to a target curve M defin ed by the equation</t> <t>The mapping defined in this section applies to a target curve M defin ed by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s K * t^2 = s^3 + J * s^2 + s
</sourcecode> ]]></sourcecode>
<section anchor="elligator2" numbered="true" toc="default"> <section anchor="elligator2">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>Bernstein, Hamburg, Krasnova, and Lange give a mapping that applies to any <t>Bernstein, Hamburg, Krasnova, and Lange give a mapping that applies to any
curve with a point of order 2 <xref target="BHKL13" format="default"/>, which th ey call Elligator 2.</t> curve with a point of order 2 <xref target="BHKL13"/>, which they call Elligator 2.</t>
<t>Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where <t>Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where
J != 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.</t> J&nbsp;!= 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>J and K, the parameters of the elliptic curve.</li> <li>J and K, the parameters of the elliptic curve.</li>
<li>Z, a non-square element of F. <li>Z, a non-square element of F.
<xref target="elligator-z-code" format="default"/> gives a Sage <xref target="SA GE" format="default"/> script that outputs the RECOMMENDED Z.</li> <xref target="elligator-z-code"/> gives a Sage script <xref target="SAGE"/> that outputs the <bcp14>RECOMMENDED</bcp14> Z.</li>
</ul> </ul>
<t>Sign of t: this mapping fixes the sign of t as specified in <xref t arget="BHKL13" format="default"/>. <t>Sign of t: This mapping fixes the sign of t as specified in <xref t arget="BHKL13"/>.
No additional adjustment is required.</t> No additional adjustment is required.</t>
<t>Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^ 2 == 0. <t>Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^ 2 == 0.
Implementations must detect this case and set x1 = -(J / K). Implementations must detect this case and set x1 = -(J / K).
Note that this can only happen when q = 3 (mod 4).</t> Note that this can only happen when q = 3 (mod 4).</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. x1 = -(J / K) * inv0(1 + Z * u^2) 1. x1 = -(J / K) * inv0(1 + Z * u^2)
2. If x1 == 0, set x1 = -(J / K) 2. If x1 == 0, set x1 = -(J / K)
3. gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2 3. gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
4. x2 = -x1 - (J / K) 4. x2 = -x1 - (J / K)
5. gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2 5. gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2
6. If is_square(gx1), set x = x1, y = sqrt(gx1) with sgn0(y) == 1. 6. If is_square(gx1), set x = x1, y = sqrt(gx1) with sgn0(y) == 1.
7. Else set x = x2, y = sqrt(gx2) with sgn0(y) == 0. 7. Else set x = x2, y = sqrt(gx2) with sgn0(y) == 0.
8. s = x * K 8. s = x * K
9. t = y * K 9. t = y * K
10. return (s, t) 10. return (s, t)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-ell2" format="default"/> gives an example straight-line implementation of this    <t><xref target="straightline-ell2"/> gives an example straight-line implementation of this
mapping.    mapping.
<xref target="ell2-opt" format="default"/> gives optimized straight-line procedu res that apply to specific <xref target="ell2-opt"/> gives optimized straight-line procedures that apply to specific
classes of curves and base fields.</t> classes of curves and base fields.</t>
</section> </section>
</section> </section>
<section anchor="twisted-edwards" numbered="true" toc="default"> <section anchor="twisted-edwards">
<name>Mappings for twisted Edwards curves</name> <name>Mappings for Twisted Edwards Curves</name>
<t>Twisted Edwards curves (a class of curves that includes Edwards curve s) <t>Twisted Edwards curves (a class of curves that includes Edwards curve s)
are given by the equation</t> are given by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
a * v^2 + w^2 = 1 + d * v^2 * w^2 a * v^2 + w^2 = 1 + d * v^2 * w^2
</sourcecode> ]]></sourcecode>
<t>with a != 0, d != 0, and a != d <xref target="BBJLP08" format="default"/>.</t>    <t>with a != 0, d != 0, and a != d <xref target="BBJLP08"/>.</t>
<t>These curves are closely related to Montgomery <t>These curves are closely related to Montgomery
curves (<xref target="montgomery" format="default"/>): every twisted Edwards curve is birationally equivalent    curves (<xref target="montgomery"/>): every twisted Edwards curve is birationally equivalent
to a Montgomery curve (<xref target="BBJLP08" format="default"/>, Theorem 3.2).    to a Montgomery curve (<xref target="BBJLP08"/>, Theorem 3.2).
This equivalence yields an efficient way of hashing to a twisted Edwards curve: This equivalence yields an efficient way of hashing to a twisted Edwards curve:
first, hash to an equivalent Montgomery curve, then transform the first, hash to an equivalent Montgomery curve, then transform the
result into a point on the twisted Edwards curve via a rational map. result into a point on the twisted Edwards curve via a rational map.
This method of hashing to a twisted Edwards curve thus requires identifying a This method of hashing to a twisted Edwards curve thus requires identifying a
corresponding Montgomery curve and rational map. corresponding Montgomery curve and rational map.
We describe how to identify such a curve and map immediately below.</t> We describe how to identify such a curve and map immediately below.</t>
<section anchor="rational-map" numbered="true" toc="default"> <section anchor="rational-map">
<name>Rational maps from Montgomery to twisted Edwards curves</name> <name>Rational Maps from Montgomery to Twisted Edwards Curves</name>
<t>There are two ways to select a Montgomery curve and rational map <t>There are two ways to select a Montgomery curve and rational map
for use when hashing to a given twisted Edwards curve. for use when hashing to a given twisted Edwards curve.
The selected Montgomery curve and rational map MUST be specified as part of    The selected Montgomery curve and rational map <bcp14>MUST</bcp14> be specified as part of
the hash-to-curve suite for a given twisted Edwards curve; see <xref target="suites" format="default"/>.</t>    the hash-to-curve suite for a given twisted Edwards curve; see <xref target="suites"/>.</t>
<ol spacing="normal" type="1">    <ol spacing="normal" type="1"><li>
<li>
<t>When hashing to a standardized twisted Edwards curve for which a corresponding <t>When hashing to a standardized twisted Edwards curve for which a corresponding
Montgomery form and rational map are also standardized, the standard Montgomery form and rational map are also standardized, the standard
Montgomery form and rational map SHOULD be used to ensure compatibility Montgomery form and rational map <bcp14>SHOULD</bcp14> be used to ensure compati bility
with existing software. </t> with existing software. </t>
<t> <t>
In certain cases, e.g., edwards25519 <xref target="RFC7748" format="default"/>, the sign of the rational In certain cases, e.g., edwards25519 <xref target="RFC7748"/>, the sign of the r ational
map from the twisted Edwards curve to its corresponding Montgomery curve map from the twisted Edwards curve to its corresponding Montgomery curve
is not given explicitly. is not given explicitly.
In this case, the sign MUST be fixed such that applying the rational map In this case, the sign <bcp14>MUST</bcp14> be fixed such that applying the rati onal map
to the twisted Edwards curve's base point yields the Montgomery curve's to the twisted Edwards curve's base point yields the Montgomery curve's
base point with correct sign. base point with correct sign.
(For edwards25519, see <xref target="RFC7748" format="default"/> and <xref targ et="EID4730" format="default"/>.) </t> (For edwards25519, see <xref target="RFC7748"/> and <xref target="Err4730"/>.) </t>
<t> <t>
When defining new twisted Edwards curves, a Montgomery equivalent and rational When defining new twisted Edwards curves, a Montgomery equivalent and rational
map SHOULD also be specified, and the sign of the rational map SHOULD be stated map <bcp14>SHOULD</bcp14> also be specified, and the sign of the rational map < bcp14>SHOULD</bcp14> be stated
explicitly.</t> explicitly.</t>
</li> </li>
<li>When hashing to a twisted Edwards curve that does not have a sta ndardized <li>When hashing to a twisted Edwards curve that does not have a sta ndardized
Montgomery form or rational map, the map given in <xref target="appx-rational-map" format="default"/>    Montgomery form or rational map, the map given in <xref target="appx-rational-map"/>
SHOULD be used.</li>    <bcp14>SHOULD</bcp14> be used.</li>
</ol> </ol>
</section> </section>
<section anchor="ell2edwards" numbered="true" toc="default"> <section anchor="ell2edwards">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>Preconditions: A twisted Edwards curve E and an equivalent Montgome ry <t>Preconditions: A twisted Edwards curve E and an equivalent Montgome ry
curve M meeting the requirements in <xref target="rational-map" format="default" />.</t> curve M meeting the requirements in <xref target="rational-map"/>.</t>
<t>Helper functions:</t> <t>Helper functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>map_to_curve_elligator2 is the mapping of <xref target="elligato r2" format="default"/> to the curve M.</li> <li>map_to_curve_elligator2 is the mapping of <xref target="elligato r2"/> to the curve M.</li>
<li>rational_map is a function that takes a point (s, t) on M and <li>rational_map is a function that takes a point (s, t) on M and
returns a point (v, w) on E, as defined in <xref target="rational-map" format="d efault"/>.</li> returns a point (v, w) on E. This rational map should be chosen as defined in <x ref target="rational-map"/>.</li>
</ul> </ul>
<t>Sign of t (and v): for this map, the sign is determined by map_to_c urve_elligator2. <t>Sign of t (and v): For this map, the sign is determined by map_to_c urve_elligator2.
No further sign adjustments are required.</t> No further sign adjustments are required.</t>
<t>Exceptions: The exceptions for the Elligator 2 mapping are as given in <t>Exceptions: The exceptions for the Elligator 2 mapping are as given in
<xref target="elligator2" format="default"/>. <xref target="elligator2"/>.
The exceptions for the rational map are as given in <xref target="rational-map" format="default"/>.    The exceptions for the rational map are as given in <xref target="rational-map"/>.
No other exceptions are possible.</t> No other exceptions are possible.</t>
<t>The following procedure implements the Elligator 2 mapping for a tw isted <t>The following procedure implements the Elligator 2 mapping for a tw isted
Edwards curve. Edwards curve.
(Note that the output point is denoted (v, w) because it is a point on (Note that the output point is denoted (v, w) because it is a point on
the target twisted Edwards curve.)</t> the target twisted Edwards curve.)</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards(u) map_to_curve_elligator2_edwards(u)
Input: u, an element of F. Input: u, an element of F.
Output: (v, w), a point on E. Output: (v, w), a point on E.
1. (s, t) = map_to_curve_elligator2(u) # (s, t) is on M 1. (s, t) = map_to_curve_elligator2(u) # (s, t) is on M
2. (v, w) = rational_map(s, t) # (v, w) is on E 2. (v, w) = rational_map(s, t) # (v, w) is on E
3. return (v, w) 3. return (v, w)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="cofactor-clearing" numbered="true" toc="default"> <section anchor="cofactor-clearing">
<name>Clearing the cofactor</name> <name>Clearing the Cofactor</name>
<t>The mappings of <xref target="mappings" format="default"/> always outpu <t>The mappings of <xref target="mappings"/> always output a point on the
t a point on the elliptic curve, elliptic curve,
i.e., a point in a group of order h * r (<xref target="bg-curves" format="defaul i.e., a point in a group of order h * r (<xref target="bg-curves"/>). Obtaining
t"/>). Obtaining a point in G a point in G
may require a final operation commonly called "clearing the cofactor," which may require a final operation commonly called "clearing the cofactor," which
takes as input any point on the curve and produces as output a point in the takes as input any point on the curve and produces as output a point in the
prime-order (sub)group G (<xref target="bg-curves" format="default"/>).</t> prime-order (sub)group G (<xref target="bg-curves"/>).</t>
<t>The cofactor can always be cleared via scalar multiplication by h. <t>The cofactor can always be cleared via scalar multiplication by h.
For elliptic curves where h = 1, i.e., the curves with a prime number of points, For elliptic curves where h = 1, i.e., the curves with a prime number of points,
no operation is required. This applies, for example, to the NIST curves P-256, no operation is required. This applies, for example, to the NIST curves P-256,
P-384, and P-521 <xref target="FIPS186-4" format="default"/>.</t> P-384, and P-521 <xref target="FIPS186-4"/>.</t>
<t>In some cases, it is possible to clear the cofactor via a faster method than <t>In some cases, it is possible to clear the cofactor via a faster method than
scalar multiplication by h. scalar multiplication by h.
These methods are equivalent to (but usually faster than) multiplication by These methods are equivalent to (but usually faster than) multiplication by
some scalar h_eff whose value is determined by the method and the curve. some scalar h_eff whose value is determined by the method and the curve.
Examples of fast cofactor clearing methods include the following:</t> Examples of fast cofactor clearing methods include the following:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>For certain pairing-friendly curves having subgroup G2 over an exten sion <li>For certain pairing-friendly curves having subgroup G2 over an exten sion
field, Scott et al. <xref target="SBCDK09" format="default"/> describe a method field, Scott et al.&nbsp;<xref target="SBCDK09"/> describe a method for fast cof
for fast cofactor clearing actor clearing
that exploits an efficiently-computable endomorphism. Fuentes-Castaneda that exploits an efficiently computable endomorphism. Fuentes-Castaneda
et al. <xref target="FKR11" format="default"/> propose an alternative method tha et al.&nbsp;<xref target="FKR11"/> propose an alternative method that is sometim
t is sometimes more efficient. es more efficient.
Budroni and Pintore <xref target="BP17" format="default"/> give concrete instant Budroni and Pintore <xref target="BP17"/> give concrete instantiations of these
iations of these methods methods
for Barreto-Lynn-Scott pairing-friendly curves <xref target="BLS03" format="defa for Barreto-Lynn-Scott pairing-friendly curves <xref target="BLS03"/>.
This method is described for the specific case of BLS12-381 in This method is described for the specific case of BLS12-381 in
<xref target="clear-cofactor-bls12381-g2" format="default"/>.</li> <xref target="clear-cofactor-bls12381-g2"/>.</li>
<li>Wahby and Boneh (<xref target="WB19" format="default"/>, Section 5) <li>Wahby and Boneh (<xref target="WB19"/>, Section 5) describe a trick
describe a trick due to Scott for due to Scott for
fast cofactor clearing on any elliptic curve for which the prime fast cofactor clearing on any elliptic curve for which the prime
factorization of h and the structure of the elliptic curve group meet factorization of h and the structure of the elliptic curve group meet
certain conditions.</li> certain conditions.</li>
</ul> </ul>
<t>The clear_cofactor function is parameterized by a scalar h_eff. <t>The clear_cofactor function is parameterized by a scalar h_eff.
Specifically,</t> Specifically,</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor(P) := h_eff * P clear_cofactor(P) := h_eff * P
</sourcecode> ]]></sourcecode>
<t>where * represents scalar multiplication. <t>where * represents scalar multiplication.
When a curve does not support a fast cofactor clearing method, h_eff = h When a curve does not support a fast cofactor clearing method, h_eff = h
and the cofactor MUST be cleared via scalar multiplication.</t> and the cofactor <bcp14>MUST</bcp14> be cleared via scalar multiplication.</t>
<t>When a curve admits a fast cofactor clearing method, clear_cofactor <t>When a curve admits a fast cofactor clearing method, clear_cofactor
MAY be evaluated either via that method or via scalar multiplication <bcp14>MAY</bcp14> be evaluated either via that method or via scalar multiplicat ion
by the equivalent h_eff; these two methods give the same result. by the equivalent h_eff; these two methods give the same result.
Note that in this case scalar multiplication by the cofactor h does not Note that in this case scalar multiplication by the cofactor h does not
generally give the same result as the fast method, and MUST NOT be used.</t> generally give the same result as the fast method and <bcp14>MUST NOT</bcp14> be used.</t>
</section> </section>
<section anchor="suites" numbered="true" toc="default"> <section anchor="suites">
<name>Suites for hashing</name> <name>Suites for Hashing</name>
<t>This section lists recommended suites for hashing to standard elliptic curves.</t> <t>This section lists recommended suites for hashing to standard elliptic curves.</t>
<t>A hash-to-curve suite fully specifies the procedure for hashing byte st rings <t>A hash-to-curve suite fully specifies the procedure for hashing byte st rings
to points on a specific elliptic curve group. to points on a specific elliptic curve group.
<xref target="suites-howto" format="default"/> describes how to implement a suit e. <xref target="suites-howto"/> describes how to implement a suite.
Applications that require hashing to an elliptic curve should use either Applications that require hashing to an elliptic curve should use either
an existing suite or a new suite specified as described in <xref target="new-sui an existing suite or a new suite specified as described in <xref target="new-sui
te" format="default"/>.</t> te"/>.</t>
<t>All applications using a hash-to-curve suite MUST choose a domain <t>All applications using a hash-to-curve suite <bcp14>MUST</bcp14> choose
separation tag (DST) in accordance with the guidelines in <xref target="domain-s a domain
eparation" format="default"/>. separation tag (DST) in accordance with the guidelines in <xref target="domain-s
In addition, applications whose security requires a random oracle that returns In addition, applications whose security requires a random oracle that returns
uniformly random points on the target curve MUST use a suite whose encoding type uniformly random points on the target curve <bcp14>MUST</bcp14> use a suite whos
is hash_to_curve; see <xref target="roadmap" format="default"/> and immediately e encoding type
below for more information.</t> is hash_to_curve; see <xref target="roadmap"/> and immediately below for more in
<t>A hash-to-curve suite comprises the following parameters:</t> <t>A hash-to-curve suite comprises the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Suite ID, a short name used to refer to a given suite. <li>Suite ID, a short name used to refer to a given suite.
<xref target="suiteIDformat" format="default"/> discusses the naming conventions for suite IDs.</li> <xref target="suiteIDformat"/> discusses the naming conventions for Suite IDs.</ li>
<li>encoding type, either uniform (hash_to_curve) or nonuniform (encode_ to_curve). <li>encoding type, either uniform (hash_to_curve) or nonuniform (encode_ to_curve).
See <xref target="roadmap" format="default"/> for definitions of these encoding types.</li> See <xref target="roadmap"/> for definitions of these encoding types.</li>
<li>E, the target elliptic curve over a field F.</li> <li>E, the target elliptic curve over a field F.</li>
<li>p, the characteristic of the field F.</li> <li>p, the characteristic of the field F.</li>
<li>m, the extension degree of the field F. If m &gt; 1, the suite MUST also specify <li>m, the extension degree of the field F. If m &gt; 1, the suite <bcp1 4>MUST</bcp14> also specify
the polynomial basis used to represent extension field elements.</li> the polynomial basis used to represent extension field elements.</li>
<li>k, the target security level of the suite in bits. <li>k, the target security level of the suite in bits.
(See <xref target="security-considerations-targets" format="default"/> for discu (See <xref target="security-considerations-targets"/> for discussion.)</li>
ssion.)</li> <li>L, the length parameter for hash_to_field (<xref target="hashtofield
<li>L, the length parameter for hash_to_field (<xref target="hashtofield "/>).</li>
" format="default"/>).</li> <li>expand_message, one of the variants specified in <xref target="hasht
<li>expand_message, one of the variants specified in <xref target="hasht ofield-expand"/>
ofield-expand" format="default"/>
plus any parameters required for the specified variant (for example, H, plus any parameters required for the specified variant (for example, H,
the underlying hash function).</li> the underlying hash function).</li>
<li>f, a mapping function from <xref target="mappings" format="default"/ <li>f, a mapping function from <xref target="mappings"/>.</li>
>.</li> <li>h_eff, the scalar parameter for clear_cofactor (<xref target="cofact
<li>h_eff, the scalar parameter for clear_cofactor (<xref target="cofact or-clearing"/>).</li>
or-clearing" format="default"/>).</li>
</ul> </ul>
<t>In addition to the above parameters, the mapping f may require <t>In addition to the above parameters, the mapping f may require
additional parameters Z, M, rational_map, E', or iso_map. additional parameters Z, M, rational_map, E', or iso_map.
When applicable, these MUST be specified.</t> When applicable, these <bcp14>MUST</bcp14> be specified.</t>
<t>The below table lists suites RECOMMENDED for some elliptic curves. <t>The table below lists suites <bcp14>RECOMMENDED</bcp14> for some ellipt
ic curves.
The corresponding parameters are given in the following subsections. The corresponding parameters are given in the following subsections.
Applications instantiating cryptographic protocols whose security analysis Applications instantiating cryptographic protocols whose security analysis
relies on a random oracle that outputs points with a uniform distribution MUST N OT use a relies on a random oracle that outputs points with a uniform distribution <bcp14 >MUST NOT</bcp14> use a
nonuniform encoding. nonuniform encoding.
Moreover, applications that use a nonuniform encoding SHOULD carefully Moreover, applications that use a nonuniform encoding <bcp14>SHOULD</bcp14> care fully
analyze the security implications of nonuniformity. analyze the security implications of nonuniformity.
When the required encoding is not clear, applications SHOULD use a When the required encoding is not clear, applications <bcp14>SHOULD</bcp14> use a
uniform encoding for security.</t> uniform encoding for security.</t>
<table anchor="suite-table" align="center"> <table anchor="suite-table">
<name>Suites for hashing to elliptic curves.</name> <name>Suites for hashing to elliptic curves.</name>
<thead> <thead>
<tr> <tr>
<th align="left">E</th> <th align="left">E</th>
<th align="left">Suites</th> <th align="left">Suites</th>
<th align="left">Section</th> <th align="left">Section</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">NIST P-256</td> <td align="left">NIST P-256</td>
<td align="left">P256_XMD:SHA-256_SSWU_RO_ P256_XMD:SHA-256_SSWU_NU_ </td> <td align="left">P256_XMD:SHA-256_SSWU_RO_ P256_XMD:SHA-256_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p256" format="default"/></td> <xref format="counter" target="suites-p256"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">NIST P-384</td> <td align="left">NIST P-384</td>
<td align="left">P384_XMD:SHA-384_SSWU_RO_ P384_XMD:SHA-384_SSWU_NU_ </td> <td align="left">P384_XMD:SHA-384_SSWU_RO_ P384_XMD:SHA-384_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p384" format="default"/></td> <xref format="counter" target="suites-p384"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">NIST P-521</td> <td align="left">NIST P-521</td>
<td align="left">P521_XMD:SHA-512_SSWU_RO_ P521_XMD:SHA-512_SSWU_NU_ </td> <td align="left">P521_XMD:SHA-512_SSWU_RO_ P521_XMD:SHA-512_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p521" format="default"/></td> <xref format="counter" target="suites-p521"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">curve25519</td> <td align="left">curve25519</td>
<td align="left">curve25519_XMD:SHA-512_ELL2_RO_ curve25519_XMD:SHA- 512_ELL2_NU_</td> <td align="left">curve25519_XMD:SHA-512_ELL2_RO_ curve25519_XMD:SHA- 512_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-25519" format="default"/></td> <xref format="counter" target="suites-25519"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">edwards25519</td> <td align="left">edwards25519</td>
<td align="left">edwards25519_XMD:SHA-512_ELL2_RO_ edwards25519_XMD: SHA-512_ELL2_NU_</td> <td align="left">edwards25519_XMD:SHA-512_ELL2_RO_ edwards25519_XMD: SHA-512_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-25519" format="default"/></td> <xref format="counter" target="suites-25519"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">curve448</td> <td align="left">curve448</td>
<td align="left">curve448_XOF:SHAKE256_ELL2_RO_ curve448_XOF:SHAKE25 6_ELL2_NU_</td> <td align="left">curve448_XOF:SHAKE256_ELL2_RO_ curve448_XOF:SHAKE25 6_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-448" format="default"/></td> <xref format="counter" target="suites-448"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">edwards448</td> <td align="left">edwards448</td>
<td align="left">edwards448_XOF:SHAKE256_ELL2_RO_ edwards448_XOF:SHA KE256_ELL2_NU_</td> <td align="left">edwards448_XOF:SHAKE256_ELL2_RO_ edwards448_XOF:SHA KE256_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-448" format="default"/></td> <xref format="counter" target="suites-448"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">secp256k1</td> <td align="left">secp256k1</td>
<td align="left">secp256k1_XMD:SHA-256_SSWU_RO_ secp256k1_XMD:SHA-25 6_SSWU_NU_</td> <td align="left">secp256k1_XMD:SHA-256_SSWU_RO_ secp256k1_XMD:SHA-25 6_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-secp256k1" format="default"/></td> <xref format="counter" target="suites-secp256k1"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">BLS12-381 G1</td> <td align="left">BLS12-381 G1</td>
<td align="left">BLS12381G1_XMD:SHA-256_SSWU_RO_ BLS12381G1_XMD:SHA- 256_SSWU_NU_</td> <td align="left">BLS12381G1_XMD:SHA-256_SSWU_RO_ BLS12381G1_XMD:SHA- 256_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-bls12381" format="default"/></td> <xref format="counter" target="suites-bls12381"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">BLS12-381 G2</td> <td align="left">BLS12-381 G2</td>
<td align="left">BLS12381G2_XMD:SHA-256_SSWU_RO_ BLS12381G2_XMD:SHA- 256_SSWU_NU_</td> <td align="left">BLS12381G2_XMD:SHA-256_SSWU_RO_ BLS12381G2_XMD:SHA- 256_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-bls12381" format="default"/></td> <xref format="counter" target="suites-bls12381"/></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section anchor="suites-howto" numbered="true" toc="default"> <section anchor="suites-howto">
<name>Implementing a hash-to-curve suite</name> <name>Implementing a Hash-to-Curve Suite</name>
<t>A hash-to-curve suite requires the following functions. <t>A hash-to-curve suite requires the following functions.
Note that some of these require utility functions from <xref target="utility" fo Note that some of these require utility functions from <xref target="utility"/>.
rmat="default"/>.</t> </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Base field arithmetic operations for t
<li>Base field arithmetic operations for the target elliptic curve, e. he target elliptic curve, e.g.,
addition, multiplication, and square root.</li> addition, multiplication, and square root.</li>
<li>Elliptic curve point operations for the target curve, e.g., <li>Elliptic curve point operations for the target curve, e.g.,
point addition and scalar multiplication.</li> point addition and scalar multiplication.</li>
<li>The hash_to_field function; see <xref target="hashtofield" format= <li>The hash_to_field function; see <xref target="hashtofield"/>. This
"default"/>. This includes the expand_message includes the expand_message
variant (<xref target="hashtofield-expand" format="default"/>) and any constitue variant (<xref target="hashtofield-expand"/>) and any constituent hash function
nt hash function or XOF.</li> or XOF.</li>
<li>The suite-specified mapping function; see the corresponding subsec <li>The suite-specified mapping function; see the corresponding subsec
tion of <xref target="mappings" format="default"/>.</li> tion of <xref target="mappings"/>.</li>
<li>A cofactor clearing function; see <xref target="cofactor-clearing" <li>A cofactor clearing function; see <xref target="cofactor-clearing"
format="default"/>. This may be implemented as />. This may be implemented as
scalar multiplication by h_eff or as a faster equivalent method.</li> scalar multiplication by h_eff or as a faster equivalent method.</li>
<li>The desired encoding function; see <xref target="roadmap" format=" default"/>. This is either hash_to_curve or <li>The desired encoding function; see <xref target="roadmap"/>. This is either hash_to_curve or
encode_to_curve.</li> encode_to_curve.</li>
</ol> </ol>
</section> </section>
<section anchor="suites-p256" numbered="true" toc="default"> <section anchor="suites-p256">
<name>Suites for NIST P-256</name> <name>Suites for NIST P-256</name>
<t>This section defines ciphersuites for the NIST P-256 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-256 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P256_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>P256_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e 27d2604b</li> <li>B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e 27d2604b</li>
</ul> </ul>
</li> </li>
<li>p: 2^256 - 2^224 + 2^192 + 2^96 - 1</li> <li>p: 2^256 - 2^224 + 2^192 + 2^96 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -10</li> <li>Z: -10</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_, <t>P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-256 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-256 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
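The P-256 suites above fix f = Simplified SWU with Z = -10 and h_eff = 1. The block below is an added example, my code rather than the RFC's reference implementation or any library it cites: it implements map_to_curve_simple_swu as the document's Simplified SWU section defines it (square roots via x^((p+1)/4), valid because the P-256 p is 3 mod 4), and then does the check a practitioner wants before trusting a suite constant, verifying the four criteria that section places on Z (Z non-square, Z != -1, g(x) - Z irreducible over F, g(B / (Z * A)) square). The helper names polymul_mod_f, polypow_mod_f, g_minus_z_is_irreducible and sswu_z_is_valid are mine; the irreducibility test uses the standard fact that a monic cubic over F_p is irreducible iff x^(p^3) = x and x^p != x in F_p[x]/(f). Arithmetic is variable-time Python, suitable for understanding the mapping and cross-checking test vectors, not for production.

```python
# Added example (not RFC 9380 code): Simplified SWU map for the P-256 suites,
# plus validation of the suite's Z parameter against the document's criteria.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3 % p
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Z = -10 % p
H_EFF = 1                         # P-256 has prime order: clear_cofactor is the identity

def inv0(x):                      # inverse with inv0(0) = 0, as the utility functions require
    return 0 if x % p == 0 else pow(x, p - 2, p)

def sgn0(x):                      # parity of a base-field element (m = 1)
    return x % 2

def is_square(x):
    return pow(x % p, (p - 1) // 2, p) in (0, 1)

def sqrt_mod_p(x):                # p = 3 mod 4, so x^((p+1)/4) is a root of any square x
    return pow(x % p, (p + 1) // 4, p)

def g(x):                         # right-hand side of y^2 = x^3 + A*x + B
    return (x**3 + A * x + B) % p

def map_to_curve_simple_swu(u):
    tv1 = inv0(Z * Z * u**4 + Z * u * u)
    x1 = -B * inv0(A) * (1 + tv1) % p
    if tv1 == 0:                  # exceptional case (u = 0 here): x1 = B / (Z * A)
        x1 = B * inv0(Z * A) % p
    gx1 = g(x1)
    x2 = Z * u * u * x1 % p
    gx2 = g(x2)
    if is_square(gx1):
        x, y = x1, sqrt_mod_p(gx1)
    else:                         # then gx2 is a square, because Z is a non-square
        x, y = x2, sqrt_mod_p(gx2)
    if sgn0(u) != sgn0(y):        # fix the sign of y to agree with u
        y = -y % p
    return x, y

def on_curve(P):
    x, y = P
    return (y * y - g(x)) % p == 0

# --- Checking the four criteria on Z -----------------------------------------
# Polynomials of degree < 3 are lists [c0, c1, c2], reduced modulo
# f(x) = g(x) - Z = x^3 + A*x + C with C = B - Z.
C = (B - Z) % p

def polymul_mod_f(f1, f2):
    prod = [0] * 5
    for i, a in enumerate(f1):
        for j, b in enumerate(f2):
            prod[i + j] = (prod[i + j] + a * b) % p
    c3, c4 = prod[3], prod[4]     # x^3 = -A*x - C,  x^4 = -A*x^2 - C*x
    return [(prod[0] - C * c3) % p,
            (prod[1] - A * c3 - C * c4) % p,
            (prod[2] - A * c4) % p]

def polypow_mod_f(base, e):
    result = [1, 0, 0]
    while e:
        if e & 1:
            result = polymul_mod_f(result, base)
        base, e = polymul_mod_f(base, base), e >> 1
    return result

def g_minus_z_is_irreducible():
    # A monic cubic over F_p is irreducible iff x^(p^3) = x and x^p != x mod f.
    x = [0, 1, 0]
    xp = polypow_mod_f(x, p)
    xp3 = polypow_mod_f(polypow_mod_f(xp, p), p)
    return xp != x and xp3 == x

def sswu_z_is_valid():
    return (not is_square(Z)                          # 1. Z is non-square in F
            and Z != p - 1                            # 2. Z != -1
            and g_minus_z_is_irreducible()            # 3. g(x) - Z is irreducible over F
            and is_square(g(B * inv0(Z * A) % p)))    # 4. g(B / (Z * A)) is square in F

if __name__ == "__main__":
    print(sswu_z_is_valid(), on_curve(map_to_curve_simple_swu(0x1234)))
```

Two properties worth observing: the map depends on u only through u^2 except for the final sign fix, so map(-u) is the negation of map(u); and the exceptional input u = 0 lands on the point with x = B / (Z * A), which is on the curve precisely because of criterion 4.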
<section anchor="suites-p384" numbered="true" toc="default"> <section anchor="suites-p384">
<name>Suites for NIST P-384</name> <name>Suites for NIST P-384</name>
<t>This section defines ciphersuites for the NIST P-384 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-384 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P384_XMD:SHA-384_SSWU_RO_ is defined as follows:</t> <t>P384_XMD:SHA-384_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f 5013875ac656398d8a2ed19d2a85c8edd3ec2aef</li> <li>B&nbsp;=&nbsp;0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141 120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef</li>
</ul> </ul>
</li> </li>
<li>p: 2^384 - 2^128 - 2^96 + 2^32 - 1</li> <li>p: 2^384 - 2^128 - 2^96 + 2^32 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 192</li> <li>k: 192</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-384</li> <li>H: SHA-384</li>
<li>L: 72</li> <li>L: 72</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -12</li> <li>Z: -12</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P384_XMD:SHA-384_SSWU_NU_ is identical to P384_XMD:SHA-384_SSWU_RO_, <t>P384_XMD:SHA-384_SSWU_NU_ is identical to P384_XMD:SHA-384_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-384 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-384 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
<section anchor="suites-p521" numbered="true" toc="default"> <section anchor="suites-p521">
<name>Suites for NIST P-521</name> <name>Suites for NIST P-521</name>
<t>This section defines ciphersuites for the NIST P-521 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-521 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P521_XMD:SHA-512_SSWU_RO_ is defined as follows:</t> <t>P521_XMD:SHA-512_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0x51953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489 918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00</li> <li>B&nbsp;=&nbsp;0x51953eb9618e1c9a1f929a21a0b68540eea2da725b99b3 15f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b50 3f00</li>
</ul> </ul>
</li> </li>
<li>p: 2^521 - 1</li> <li>p: 2^521 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 256</li> <li>k: 256</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-512</li> <li>H: SHA-512</li>
<li>L: 98</li> <li>L: 98</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -4</li> <li>Z: -4</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_, <t>P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-521 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-521 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
<section anchor="suites-25519" numbered="true" toc="default"> <section anchor="suites-25519">
<name>Suites for curve25519 and edwards25519</name> <name>Suites for curve25519 and edwards25519</name>
<t>This section defines ciphersuites for curve25519 and edwards25519 <xr <t>This section defines ciphersuites for curve25519 and edwards25519 <xr
ef target="RFC7748" format="default"/>. ef target="RFC7748"/>.
Note that these ciphersuites MUST NOT be used when hashing to ristretto255 Note that these ciphersuites <bcp14>MUST NOT</bcp14> be used when hashing to ris
<xref target="I-D.irtf-cfrg-ristretto255-decaf448" format="default"/>. tretto255
See <xref target="appx-ristretto255" format="default"/> for information on how t <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/>.
o hash to that group.</t> See <xref target="appx-ristretto255"/> for information on how to hash to that gr
<t>curve25519_XMD:SHA-512_ELL2_RO_ is defined as follows:</t> <t>curve25519_XMD:SHA-512_ELL2_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: K * t^2 = s^3 + J * s^2 + s, where <t>E: K * t^2 = s^3 + J * s^2 + s, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>J = 486662</li> <li>J = 486662</li>
<li>K = 1</li> <li>K = 1</li>
</ul> </ul>
</li> </li>
<li>p: 2^255 - 19</li> <li>p: 2^255 - 19</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-512</li> <li>H: SHA-512</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Elligator 2 method (<xref target="elligator2" format="default"/ >)</li> <li>f: Elligator 2 method (<xref target="elligator2"/>)</li>
<li>Z: 2</li> <li>Z: 2</li>
<li>h_eff: 8</li> <li>h_eff: 8</li>
</ul> </ul>
<t>edwards25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA- 512_ELL2_RO_, <t>edwards25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA- 512_ELL2_RO_,
except for the following parameters:</t> except for the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where <t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>a = -1</li> <li>a = -1</li>
<li>d = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca 135978a3</li> <li>d = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca 135978a3</li>
</ul> </ul>
</li> </li>
<li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards" <li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards"/
format="default"/>)</li> >)</li>
<li>M: curve25519 defined in <xref target="RFC7748" format="default"/> <li>M: curve25519, defined in <xref section="4.1" sectionFormat="comma
, Section 4.1</li> " target="RFC7748"/></li>
<li>rational_map: the birational map defined in <xref target="RFC7748" <li>rational_map: the birational maps defined in <xref section="4.1" s
format="default"/>, Section 4.1</li> ectionFormat="comma" target="RFC7748"/></li>
</ul> </ul>
<t>curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-51 2_ELL2_RO_, <t>curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-51 2_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SH A-512_ELL2_RO_, <t>edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SH A-512_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Optimized example implementations of the above mappings are given in <t>Optimized example implementations of the above mappings are given in
<xref target="map-to-curve25519" format="default"/> and <xref target="map-to-edw ards25519" format="default"/>.</t> <xref target="map-to-curve25519"/> and <xref target="map-to-edwards25519"/>.</t>
</section> </section>
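As an added end-to-end example for the twisted Edwards Elligator 2 procedure, the cofactor-clearing section, and the curve25519/edwards25519 suites above (my code, not the RFC's reference implementation or any library it cites), the block below computes edwards25519_XMD:SHA-512_ELL2_RO_ and edwards25519_XMD:SHA-512_ELL2_NU_ in plain Python: expand_message_xmd with SHA-512, hash_to_field with L = 48, map_to_curve_elligator2 onto curve25519 with Z = 2, the RFC 7748 Section 4.1 birational map to edwards25519, and clear_cofactor with h_eff = 8. Assumptions, labelled in the code as well: the sign of t follows my reading of the document's straight-line curve25519 mapping (sgn0(t) = 1 when x1 is chosen, 0 when x2 is chosen); sqrt(-486664) in the rational map is taken with sgn0 = 0; exceptional inputs to the rational map (t = 0 or s = -1) return the identity (0, 1); and the DST is a constructed one that follows the document's naming guidelines. The arithmetic is affine and variable-time, so this is for understanding the pipeline and cross-checking test vectors, not for production. The in_G check multiplies by the subgroup order r, which is what "a point in the prime-order (sub)group G" means concretely.

```python
# Added example (not RFC 9380 code): edwards25519_XMD:SHA-512_ELL2_RO_ / _NU_
import hashlib

p = 2**255 - 19
r = 2**252 + 27742317777372353535851937790883648493   # order of the prime-order subgroup G
J, K, Z, H_EFF = 486662, 1, 2, 8                        # curve25519 suite: J, K, Z, h_eff
A_ED = -1 % p                                           # edwards25519: a = -1, d below
D_ED = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3
L = 48                                                  # ceil((255 + 128) / 8)
SQRT_M1 = pow(2, (p - 1) // 4, p)                       # 2 is a non-square mod p: this squares to -1

def sgn0(x):                     # parity of a base-field element (m = 1)
    return x % 2

def inv0(x):                     # inverse with inv0(0) = 0, as the utility functions require
    return 0 if x % p == 0 else pow(x, p - 2, p)

def sqrt_mod_p(a):               # p = 5 mod 8: returns (is_square, root if square)
    a %= p
    y = pow(a, (p + 3) // 8, p)
    if (y * y - a) % p:
        y = y * SQRT_M1 % p
    return (y * y - a) % p == 0, y

def expand_message_xmd(msg, dst, len_in_bytes, h=hashlib.sha512):
    b_in_bytes, r_in_bytes = h().digest_size, h().block_size   # 64 and 128 for SHA-512
    ell = -(-len_in_bytes // b_in_bytes)
    assert ell <= 255 and len(dst) <= 255
    dst_prime = dst + bytes([len(dst)])
    msg_prime = bytes(r_in_bytes) + msg + len_in_bytes.to_bytes(2, "big") + b"\x00" + dst_prime
    b0 = h(msg_prime).digest()
    b = [h(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        b.append(h(bytes(x ^ y for x, y in zip(b0, b[-1])) + bytes([i]) + dst_prime).digest())
    return b"".join(b)[:len_in_bytes]

def hash_to_field(msg, dst, count):
    uniform = expand_message_xmd(msg, dst, count * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % p for i in range(count)]

def map_to_curve_elligator2(u):  # Elligator 2 onto curve25519: returns (s, t)
    x1 = -J * inv0(1 + Z * u * u) % p
    if x1 == 0:
        x1 = -J % p
    gx1 = (x1**3 + J * x1**2 + x1) % p
    x2 = (-x1 - J) % p
    gx2 = (x2**3 + J * x2**2 + x2) % p
    square, y = sqrt_mod_p(gx1)
    if square:                   # x1 chosen: sgn0(t) = 1 (sign convention assumed, see lead-in)
        x, want = x1, 1
    else:                        # x2 chosen: gx2 = Z*u^2*gx1 is then a square; sgn0(t) = 0
        x, want = x2, 0
        y = sqrt_mod_p(gx2)[1]
    if sgn0(y) != want:
        y = -y % p
    return x * K % p, y * K % p

C1 = sqrt_mod_p(-486664 % p)[1]  # RFC 7748 map constant; sgn0(C1) = 0 is an assumption
if sgn0(C1) == 1:
    C1 = -C1 % p

def rational_map(s, t):          # curve25519 (s, t) -> edwards25519 (v, w), RFC 7748 Section 4.1
    if t == 0 or (s + 1) % p == 0:   # exceptional inputs: return the identity (assumption)
        return 0, 1
    return C1 * s * inv0(t) % p, (s - 1) * inv0(s + 1) % p

def ed_add(P, Q):                # complete affine addition on a*v^2 + w^2 = 1 + d*v^2*w^2
    (x1, y1), (x2, y2) = P, Q
    k = D_ED * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * inv0(1 + k) % p,
            (y1 * y2 - A_ED * x1 * x2) * inv0(1 - k) % p)

def ed_mul(n, P):                # double-and-add, variable time (fine for an example)
    R = (0, 1)
    while n:
        if n & 1:
            R = ed_add(R, P)
        P, n = ed_add(P, P), n >> 1
    return R

def on_curve(P):
    x, y = P
    return (A_ED * x * x + y * y - 1 - D_ED * x * x * y * y) % p == 0

def in_G(P):                     # P is in the prime-order subgroup iff r * P is the identity
    return ed_mul(r, P) == (0, 1)

def clear_cofactor(P):           # clear_cofactor(P) := h_eff * P
    return ed_mul(H_EFF, P)

def hash_to_curve(msg, dst):     # uniform (RO) encoding: two field elements, add, clear cofactor
    u0, u1 = hash_to_field(msg, dst, 2)
    Q0 = rational_map(*map_to_curve_elligator2(u0))
    Q1 = rational_map(*map_to_curve_elligator2(u1))
    return clear_cofactor(ed_add(Q0, Q1))

def encode_to_curve(msg, dst):   # nonuniform (NU) encoding: one field element
    (u0,) = hash_to_field(msg, dst, 1)
    return clear_cofactor(rational_map(*map_to_curve_elligator2(u0)))

DST = b"example-app-v1-with-edwards25519_XMD:SHA-512_ELL2_RO_"   # constructed for this example

if __name__ == "__main__":
    P = hash_to_curve(b"abc", DST)
    print(hex(P[0]), hex(P[1]), on_curve(P), in_G(P))
```

Remove the clear_cofactor call in hash_to_curve and in_G will generally fail: the sum of the two mapped points lies in the full group of order h * r = 8 * r, which is exactly the situation the cofactor-clearing section describes. Because edwards25519 has no fast cofactor-clearing method in the suite table, h_eff = 8 is simply h, so scalar multiplication is the required method here.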
<section anchor="suites-448" numbered="true" toc="default"> <section anchor="suites-448">
<name>Suites for curve448 and edwards448</name> <name>Suites for curve448 and edwards448</name>
<t>This section defines ciphersuites for curve448 and edwards448 <xref t <t>This section defines ciphersuites for curve448 and edwards448 <xref t
arget="RFC7748" format="default"/>. arget="RFC7748"/>.
Note that these ciphersuites MUST NOT be used when hashing to decaf448 Note that these ciphersuites <bcp14>MUST NOT</bcp14> be used when hashing to dec
<xref target="I-D.irtf-cfrg-ristretto255-decaf448" format="default"/>. af448
See <xref target="appx-decaf448" format="default"/> for information on how to ha <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/>.
sh to that group.</t> See <xref target="appx-decaf448"/> for information on how to hash to that group.
<t>curve448_XOF:SHAKE256_ELL2_RO_ is defined as follows:</t> <t>curve448_XOF:SHAKE256_ELL2_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: K * t^2 = s^3 + J * s^2 + s, where <t>E: K * t^2 = s^3 + J * s^2 + s, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>J = 156326</li> <li>J = 156326</li>
<li>K = 1</li> <li>K = 1</li>
</ul> </ul>
</li> </li>
<li>p: 2^448 - 2^224 - 1</li> <li>p: 2^448 - 2^224 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 224</li> <li>k: 224</li>
<li>expand_message: expand_message_xof (<xref target="hashtofield-expa nd-xof" format="default"/>)</li> <li>expand_message: expand_message_xof (<xref target="hashtofield-expa nd-xof"/>)</li>
<li>H: SHAKE256</li> <li>H: SHAKE256</li>
<li>L: 84</li> <li>L: 84</li>
<li>f: Elligator 2 method (<xref target="elligator2" format="default"/ >)</li> <li>f: Elligator 2 method (<xref target="elligator2"/>)</li>
<li>Z: -1</li> <li>Z: -1</li>
<li>h_eff: 4</li> <li>h_eff: 4</li>
</ul> </ul>
<t>edwards448_XOF:SHAKE256_ELL2_RO_ is identical to curve448_XOF:SHAKE25 6_ELL2_RO_, <t>edwards448_XOF:SHAKE256_ELL2_RO_ is identical to curve448_XOF:SHAKE25 6_ELL2_RO_,
except for the following parameters:</t> except for the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where <t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>a = 1</li> <li>a = 1</li>
<li>d = -39081</li> <li>d = -39081</li>
</ul> </ul>
</li> </li>
<li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards" <li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards"/
format="default"/>)</li> >)</li>
<li>M: curve448, defined in <xref target="RFC7748" format="default"/>, <li>M: curve448, defined in <xref section="4.2" sectionFormat="comma"
Section 4.2</li> target="RFC7748"/></li>
<li>rational_map: the 4-isogeny map defined in <xref target="RFC7748" <li>rational_map: the 4-isogeny map defined in <xref section="4.2" sec
format="default"/>, Section 4.2</li> tionFormat="comma" target="RFC7748"/></li>
</ul> </ul>
<t>curve448_XOF:SHAKE256_ELL2_NU_ is identical to curve448_XOF:SHAKE256_ ELL2_RO_, <t>curve448_XOF:SHAKE256_ELL2_NU_ is identical to curve448_XOF:SHAKE256_ ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>edwards448_XOF:SHAKE256_ELL2_NU_ is identical to edwards448_XOF:SHAKE 256_ELL2_RO_, <t>edwards448_XOF:SHAKE256_ELL2_NU_ is identical to edwards448_XOF:SHAKE 256_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Optimized example implementations of the above mappings are given in <t>Optimized example implementations of the above mappings are given in
<xref target="map-to-curve448" format="default"/> and <xref target="map-to-edwar ds448" format="default"/>.</t> <xref target="map-to-curve448"/> and <xref target="map-to-edwards448"/>.</t>
</section> </section>
<section anchor="suites-secp256k1" numbered="true" toc="default"> <section anchor="suites-secp256k1">
<name>Suites for secp256k1</name> <name>Suites for secp256k1</name>
<t>This section defines ciphersuites for the secp256k1 elliptic curve <x ref target="SEC2" format="default"/>.</t> <t>This section defines ciphersuites for the secp256k1 elliptic curve <x ref target="SEC2"/>.</t>
<t>secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 7</li> <li>E: y^2 = x^3 + 7</li>
<li>p: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1</li> <li>p: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" forma t="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)</l i>
<li>Z: -11</li> <li>Z: -11</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A': 0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c0 1a444533</li> <li>A': 0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c0 1a444533</li>
<li>B': 1771</li> <li>B': 1771</li>
</ul> </ul>
</li> </li>
<li>iso_map: the 3-isogeny map from E' to E given in <xref target="app x-iso-secp256k1" format="default"/></li> <li>iso_map: the 3-isogeny map from E' to E given in <xref target="app x-iso-secp256k1"/></li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_ SSWU_RO_, <t>secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_ SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to secp256k1 is given in <xref target="straightline-ss wu" format="default"/>.</t> to the curve E' isogenous to secp256k1 is given in <xref target="straightline-ss wu"/>.</t>
</section> </section>
<section anchor="suites-bls12381" numbered="true" toc="default"> <section anchor="suites-bls12381">
<name>Suites for BLS12-381</name> <name>Suites for BLS12-381</name>
<t>This section defines ciphersuites for groups G1 and G2 of <t>This section defines ciphersuites for groups G1 and G2 of
the BLS12-381 elliptic curve <xref target="BLS12-381" format="default"/>. the BLS12-381 elliptic curve <xref target="BLS12-381"/>.</t>
The curve parameters in this section match the ones listed in <section anchor="suites-bls12381-g1">
<xref target="I-D.irtf-cfrg-pairing-friendly-curves" format="default"/>, Appendi
x C.</t>
<section anchor="suites-bls12381-g1" numbered="true" toc="default">
<name>BLS12-381 G1</name> <name>BLS12-381 G1</name>
<t>BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="def ault"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 4</li> <li>E: y^2 = x^3 + 4</li>
<li>p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b 0f6241eabfffeb153ffffb9feffffffffaaab</li> <li>p:&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 a0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 64</li> <li>L: 64</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" for mat="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)< /li>
<li>Z: 11</li> <li>Z: 11</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A' = 0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981 <li>A'&nbsp;=&nbsp;0x144698a3b8e9433d693a02c96d4982b0ea985383ee6
aefd881ac98936f8da0e0f97f5cf428082d584c1d</li> 6a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d</li>
<li>B' = 0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c <li>B'&nbsp;=&nbsp;0x12e2908d11688030018b12e8753eee3b2016c1f0f24
14fcef35ef55a23215a316ceaa5d1cc48e98e172be0</li> f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0</li>
</ul> </ul>
</li> </li>
<li>iso_map: the 11-isogeny map from E' to E given in <xref target=" appx-iso-bls12381-g1" format="default"/></li> <li>iso_map: the 11-isogeny map from E' to E given in <xref target=" appx-iso-bls12381-g1"/></li>
<li>h_eff: 0xd201000000010001</li> <li>h_eff: 0xd201000000010001</li>
</ul> </ul>
<t>BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA- 256_SSWU_RO_, <t>BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA- 256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Note that the h_eff values for these suites are chosen for compatib ility <t>Note that the h_eff values for these suites are chosen for compatib ility
with the fast cofactor clearing method described by Scott (<xref target="WB19" f ormat="default"/> Section 5).</t> with the fast cofactor clearing method described by Scott (<xref target="WB19"/> , Section 5).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to BLS12-381 G1 is given in <xref target="straightline -sswu" format="default"/>.</t> to the curve E' isogenous to BLS12-381 G1 is given in <xref target="straightline -sswu"/>.</t>
</section> </section>
<section anchor="suites-bls12381-g2" numbered="true" toc="default"> <section anchor="suites-bls12381-g2">
<name>BLS12-381 G2</name> <name>BLS12-381 G2</name>
<t>BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="def ault"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 4 * (1 + I)</li> <li>E: y^2 = x^3 + 4 * (1 + I)</li>
<li> <li>
<t>base field F is GF(p^m), where <t>base field F is GF(p^m), where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a 0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li> <li>p:&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf67 30d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li>
<li>m: 2</li> <li>m: 2</li>
<li>(1, I) is the basis for F, where I^2 + 1 == 0 in F</li> <li>(1, I) is the basis for F, where I^2 + 1 == 0 in F</li>
</ul> </ul>
</li> </li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 64</li> <li>L: 64</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" for mat="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)< /li>
<li>Z: -(2 + I)</li> <li>Z: -(2 + I)</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A' = 240 * I</li> <li>A' = 240 * I</li>
<li>B' = 1012 * (1 + I)</li> <li>B' = 1012 * (1 + I)</li>
</ul> </ul>
</li> </li>
<li>iso_map: the isogeny map from E' to E given in <xref target="app <li>iso_map: the isogeny map from E' to E given in <xref target="app
x-iso-bls12381-g2" format="default"/></li> x-iso-bls12381-g2"/></li>
<li>h_eff: 0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff03 <li>h_eff:&nbsp;0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad768998
1508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0a 6ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a3598
debbf6b4e8020005aaa95551</li> 94c0adebbf6b4e8020005aaa95551</li>
</ul> </ul>
<t>BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA- 256_SSWU_RO_, <t>BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA- 256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Note that the h_eff values for these suites are chosen for compatib ility <t>Note that the h_eff values for these suites are chosen for compatib ility
with the fast cofactor clearing method described by with the fast cofactor clearing method described by
Budroni and Pintore (<xref target="BP17" format="default"/>, Section 4.1), and s ummarized in <xref target="clear-cofactor-bls12381-g2" format="default"/>.</t> Budroni and Pintore (<xref target="BP17"/>, Section 4.1) and are summarized in < xref target="clear-cofactor-bls12381-g2"/>.</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to BLS12-381 G2 is given in <xref target="straightline -sswu" format="default"/>.</t> to the curve E' isogenous to BLS12-381 G2 is given in <xref target="straightline -sswu"/>.</t>
</section> </section>
</section> </section>
<section anchor="new-suite" numbered="true" toc="default"> <section anchor="new-suite">
<name>Defining a new hash-to-curve suite</name> <name>Defining a New Hash-to-Curve Suite</name>
<t>For elliptic curves not listed elsewhere in <xref target="suites" for <t>For elliptic curves not listed elsewhere in <xref target="suites"/>,
mat="default"/>, a new hash-to-curve a new hash-to-curve
suite can be defined by:</t> suite can be defined by the following:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>E, F, p, and m are determined by the e
<li>E, F, p, and m are determined by the elliptic curve and its base f lliptic curve and its base field.</li>
<li>k is an upper bound on the target security level of the suite <li>k is an upper bound on the target security level of the suite
(<xref target="security-considerations-targets" format="default"/>). (<xref target="security-considerations-targets"/>).
A reasonable choice of k is ceil(log2(r) / 2), where r is A reasonable choice of k is ceil(log2(r) / 2), where r is
the order of the subgroup G of the curve E (<xref target="bg-curves" format="def the order of the subgroup G of the curve E (<xref target="bg-curves"/>).</li>
ault"/>).</li> <li>Choose encoding type, either hash_to_curve or encode_to_curve (<xr
<li>Choose encoding type, either hash_to_curve or encode_to_curve (<xr ef target="roadmap"/>).</li>
ef target="roadmap" format="default"/>).</li> <li>Compute L as described in <xref target="hashtofield"/>.</li>
<li>Compute L as described in <xref target="hashtofield" format="defau <li>Choose an expand_message variant from <xref target="hashtofield-ex
lt"/>.</li> pand"/> plus any
<li>Choose an expand_message variant from <xref target="hashtofield-ex
pand" format="default"/> plus any
underlying cryptographic primitives (e.g., a hash function H).</li> underlying cryptographic primitives (e.g., a hash function H).</li>
<li>Choose a mapping following the guidelines in <xref target="choosin g-mapping" format="default"/>, <li>Choose a mapping following the guidelines in <xref target="choosin g-mapping"/>,
and select any required parameters for that mapping.</li> and select any required parameters for that mapping.</li>
<li>Choose h_eff to be either the cofactor of E or, if a fast cofactor <li>Choose h_eff to be either the cofactor of E or, if a fast cofactor
clearing method is to be used, a value appropriate to that method clearing method is to be used, a value appropriate to that method
as discussed in <xref target="cofactor-clearing" format="default"/>.</li> as discussed in <xref target="cofactor-clearing"/>.</li>
<li>Construct a Suite ID following the guidelines in <xref target="sui <li>Construct a Suite ID following the guidelines in <xref target="sui
teIDformat" format="default"/>.</li> teIDformat"/>.</li>
</ol> </ol>
</section> </section>
<section anchor="suiteIDformat" numbered="true" toc="default"> <section anchor="suiteIDformat">
<name>Suite ID naming conventions</name> <name>Suite ID Naming Conventions</name>
<t>Suite IDs MUST be constructed as follows:</t> <t>Suite IDs <bcp14>MUST</bcp14> be constructed as follows:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_" CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_"
]]></artwork> ]]></artwork>
<t>The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are <t>The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are
ASCII-encoded strings of at most 64 characters each. ASCII-encoded strings of at most 64 characters each.
Fields MUST contain only ASCII characters between 0x21 and 0x7E (inclusive) Fields <bcp14>MUST</bcp14> contain only ASCII characters between 0x21 and 0x7E (
except that underscore (i.e., 0x5f) is not allowed.</t> inclusive),
except that underscore (i.e., 0x5F) is not allowed.</t>
<t>As indicated above, each field (including the last) is followed by an underscore <t>As indicated above, each field (including the last) is followed by an underscore
("_", ASCII 0x5f). ("_", ASCII 0x5F).
This helps to ensure that Suite IDs are prefix free. This helps to ensure that Suite IDs are prefix free.
Suite IDs MUST include the final underscore and MUST NOT include any characters Suite IDs <bcp14>MUST</bcp14> include the final underscore and <bcp14>MUST NOT</ bcp14> include any characters
after the final underscore.</t> after the final underscore.</t>
<t>Suite ID fields MUST be chosen as follows:</t> <t>Suite ID fields <bcp14>MUST</bcp14> be chosen as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CURVE_ID: a human-readable representation of the target elliptic c urve.</li> <li>CURVE_ID: a human-readable representation of the target elliptic c urve.</li>
<li> <li>
<t>HASH_ID: a human-readable representation of the expand_message fu nction <t>HASH_ID: a human-readable representation of the expand_message fu nction
and any underlying hash primitives used in hash_to_field (<xref target="hashtofi and any underlying hash primitives used in hash_to_field (<xref target="hashtofi
eld" format="default"/>). eld"/>).
This field MUST be constructed as follows: </t> This field <bcp14>MUST</bcp14> be constructed as follows: </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
]]></artwork> ]]></artwork>
<t> <t>
EXP_TAG indicates the expand_message variant: </t> EXP_TAG indicates the expand_message variant: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>"XMD" for expand_message_xmd (<xref target="hashtofield-expand <li>"XMD" for expand_message_xmd (<xref target="hashtofield-expand
-xmd" format="default"/>).</li> -xmd"/>).</li>
<li>"XOF" for expand_message_xof (<xref target="hashtofield-expand <li>"XOF" for expand_message_xof (<xref target="hashtofield-expand
-xof" format="default"/>).</li> -xof"/>).</li>
</ul> </ul>
<t> <t>
HASH_NAME is a human-readable name for the underlying hash primitive. HASH_NAME is a human-readable name for the underlying hash primitive.
As examples: </t> As examples: </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>For expand_message_xof (<xref targ
<li>For expand_message_xof (<xref target="hashtofield-expand-xof" et="hashtofield-expand-xof"/>) with SHAKE128,
format="default"/>) with SHAKE128,
HASH_ID is "XOF:SHAKE128".</li> HASH_ID is "XOF:SHAKE128".</li>
<li>For expand_message_xmd (<xref target="hashtofield-expand-xmd" format="default"/>) with SHA3-256, <li>For expand_message_xmd (<xref target="hashtofield-expand-xmd"/ >) with SHA3-256,
HASH_ID is "XMD:SHA3-256".</li> HASH_ID is "XMD:SHA3-256".</li>
</ol> </ol>
<t> <t>
Suites that use an alternative hash_to_field function that meets the requirement s Suites that use an alternative hash_to_field function that meets the requirement s
in <xref target="hashtofield-exteff" format="default"/> MUST indicate this by ap pending a tag identifying that function in <xref target="hashtofield-exteff"/> <bcp14>MUST</bcp14> indicate this by appe nding a tag identifying that function
to the HASH_ID field, separated by a colon (":", ASCII 0x3A).</t> to the HASH_ID field, separated by a colon (":", ASCII 0x3A).</t>
</li> </li>
<li> <li>
<t>MAP_ID: a human-readable representation of the map_to_curve funct ion <t>MAP_ID: a human-readable representation of the map_to_curve funct ion
as defined in <xref target="mappings" format="default"/>. These are defined as f ollows: </t> as defined in <xref target="mappings"/>. These are defined as follows: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>"SVDW" for or Shallue and van de Woestijne (<xref target="svdw <li>"SVDW" for Shallue and van de Woestijne (<xref target="svdw"/>
" format="default"/>).</li> ).</li>
<li>"SSWU" for Simplified SWU (<xref target="simple-swu" format="d <li>"SSWU" for Simplified SWU (Sections <xref format="counter" tar
efault"/>, <xref target="simple-swu-AB0" format="default"/>).</li> get="simple-swu"/> and <xref format="counter" target="simple-swu-AB0"/>).</li>
<li>"ELL2" for Elligator 2 (<xref target="elligator2" format="defa <li>"ELL2" for Elligator 2 (Sections <xref format="counter" target
ult"/>, <xref target="ell2edwards" format="default"/>).</li> ="elligator2"/> and <xref format="counter" target="ell2edwards"/>).</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>ENC_VAR: a string indicating the encoding type and other informat ion. <t>ENC_VAR: a string indicating the encoding type and other informat ion.
The first two characters of this string indicate whether the suite The first two characters of this string indicate whether the suite
represents a hash_to_curve or an encode_to_curve operation represents a hash_to_curve or an encode_to_curve operation
(<xref target="roadmap" format="default"/>), as follows: </t> (<xref target="roadmap"/>), as follows: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If ENC_VAR begins with "RO", the suite uses hash_to_curve.</li > <li>If ENC_VAR begins with "RO", the suite uses hash_to_curve.</li >
<li>If ENC_VAR begins with "NU", the suite uses encode_to_curve.</ li> <li>If ENC_VAR begins with "NU", the suite uses encode_to_curve.</ li>
<li>ENC_VAR MUST NOT begin with any other string.</li> <li>ENC_VAR <bcp14>MUST NOT</bcp14> begin with any other string.</ li>
</ul> </ul>
<t> <t>
ENC_VAR MAY also be used to encode other information used to identify ENC_VAR <bcp14>MAY</bcp14> also be used to encode other information used to iden tify
variants, for example, a version number. variants, for example, a version number.
The RECOMMENDED way to do so is to add one or more subfields separated The <bcp14>RECOMMENDED</bcp14> way to do so is to add one or more subfields se parated
by colons. by colons.
For example, "RO:V02" is an appropriate ENC_VAR value for the second For example, "RO:V02" is an appropriate ENC_VAR value for the second
version of a uniform encoding suite, while "RO:V02:FOO01:BAR17" might be version of a uniform encoding suite, while "RO:V02:FOO01:BAR17" might be
used to indicate a variant of that suite.</t> used to indicate a variant of that suite.</t>
</li> </li>
</ul> </ul>
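        <t>The following Python is an added illustration, not code from RFC 9380 or from any of its reference implementations. It carries steps 2, 4, and 8 of the procedure in <xref target="new-suite"/> through for the suites listed above and checks Suite IDs against the rules of this section. The subgroup orders r of secp256k1 and BLS12-381 G1 do not appear in this section and are taken from those curves' own specifications; the formula for L, L = ceil((ceil(log2(p)) + k) / 8), is the one from <xref target="hashtofield"/>. Treating an empty field as invalid and all function names are this example's own choices.</t>
        <sourcecode type="python"><![CDATA[
```python
import math
import re

# Field moduli p copied from the suites in this section.
SECP256K1_P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
BLS12381_P = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
CURVE448_P = 2**448 - 2**224 - 1
# Subgroup orders r are not listed in this section; these are the standard
# values from the secp256k1 (SEC 2) and BLS12-381 specifications.
SECP256K1_R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BLS12381_R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001


def suggested_k(r):
    """Step 2: ceil(log2(r) / 2) on exact integers. For an odd prime r,
    ceil(log2(r)) == r.bit_length(), so ceil(log2(r) / 2) == ceil(bit_length / 2)."""
    return (r.bit_length() + 1) // 2


def field_element_length(p, k):
    """Step 4: L = ceil((ceil(log2(p)) + k) / 8), the hash_to_field length
    parameter defined in Section 5 of RFC 9380 (outside this excerpt)."""
    return math.ceil((p.bit_length() + k) / 8)


EXP_TAGS = ("XMD", "XOF")
MAP_IDS = ("SVDW", "SSWU", "ELL2")
ENC_PREFIXES = ("RO", "NU")
# Printable ASCII 0x21..0x7E, at most 64 characters. Underscores cannot occur
# here because the ID was split on them. Requiring at least one character is
# this example's choice; the section only states an upper bound.
FIELD_RE = re.compile(r"[\x21-\x7e]{1,64}")


def parse_suite_id(sid):
    """Validate a Suite ID against the rules of this section and return its fields."""
    parts = sid.split("_")
    if len(parts) != 5 or parts[4] != "":
        raise ValueError("Suite ID must be four fields, each followed by '_', "
                         "with nothing after the final '_'")
    curve_id, hash_id, map_id, enc_var = parts[:4]
    for name, value in zip(("CURVE_ID", "HASH_ID", "MAP_ID", "ENC_VAR"), parts[:4]):
        if not FIELD_RE.fullmatch(value):
            raise ValueError(f"{name} must be 1..64 ASCII characters in 0x21..0x7E: {value!r}")
    exp_tag, _, rest = hash_id.partition(":")
    hash_name, _, h2f_tag = rest.partition(":")   # optional alternative hash_to_field tag
    if exp_tag not in EXP_TAGS or not hash_name:
        raise ValueError(f"HASH_ID must be EXP_TAG:HASH_NAME with EXP_TAG in {EXP_TAGS}: {hash_id!r}")
    if map_id not in MAP_IDS:
        raise ValueError(f"MAP_ID must be one of {MAP_IDS}: {map_id!r}")
    if enc_var[:2] not in ENC_PREFIXES:
        raise ValueError(f"ENC_VAR must begin with RO or NU: {enc_var!r}")
    return {
        "curve_id": curve_id,
        "exp_tag": exp_tag,
        "hash_name": hash_name,
        "h2f_tag": h2f_tag or None,
        "map_id": map_id,
        "enc_var": enc_var,
        "encoding": "hash_to_curve" if enc_var.startswith("RO") else "encode_to_curve",
    }


def is_valid_suite_id(sid):
    try:
        parse_suite_id(sid)
        return True
    except ValueError:
        return False


def build_suite_id(curve_id, exp_tag, hash_name, map_id, enc_var, h2f_tag=None):
    """Step 8: CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_"."""
    hash_id = f"{exp_tag}:{hash_name}" + (f":{h2f_tag}" if h2f_tag else "")
    sid = "_".join((curve_id, hash_id, map_id, enc_var)) + "_"
    parse_suite_id(sid)  # refuse to emit an ID that violates the rules
    return sid


if __name__ == "__main__":
    for name, p, k, listed in (("secp256k1", SECP256K1_P, 128, 48),
                               ("BLS12-381 G1", BLS12381_P, 128, 64),
                               ("curve448", CURVE448_P, 224, 84)):
        print(f"{name}: derived L = {field_element_length(p, k)}, listed L = {listed}")
    print(parse_suite_id("secp256k1_XMD:SHA-256_SSWU_RO:V02_"))
```
]]></sourcecode>
        <t>Running the script reproduces the L values listed for the three XMD and XOF suites above from their p and k alone, and parse_suite_id rejects an ID that drops the final underscore, carries characters after it, omits the EXP_TAG prefix of HASH_ID, or starts ENC_VAR with anything other than "RO" or "NU".</t>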
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section contains additional security considerations about the hash-to-curve mechanisms
described in this document.</t>
      <section anchor="security-considerations-props">
        <name>Properties of Encodings</name>
        <t>Each encoding type (<xref target="roadmap"/>) accepts an arbitrary byte string and maps
it to a point on the curve sampled from a distribution that depends on the
encoding type.
It is important to note that using a nonuniform encoding or directly
evaluating one of the mappings of <xref target="mappings"/> produces an output that is
easily distinguished from a uniformly random point.
Applications that use a nonuniform encoding <bcp14>SHOULD</bcp14> carefully analyze the security
implications of nonuniformity.
When the required encoding is not clear, applications <bcp14>SHOULD</bcp14> use a uniform
encoding.</t>
        <t>Both encodings given in <xref target="roadmap"/> can output the identity element of the group G.
The probability that either encoding function outputs the identity element is
roughly 1/r for a random input, which is negligible for cryptographically useful
elliptic curves.
Further, it is computationally infeasible to find an input to either encoding function
whose corresponding output is the identity element.
(Both of these properties hold when the encoding functions are instantiated with a
hash_to_field function that follows all guidelines in <xref target="hashtofield"/>.)
Protocols that use these encoding functions <bcp14>SHOULD NOT</bcp14> add a special case
to detect and "fix" the identity element.</t>
        <t>When the hash_to_curve function (<xref target="roadmap"/>) is instantiated with a
hash_to_field function that is indifferentiable from a random oracle
(<xref target="hashtofield"/>), the resulting function is indifferentiable from a random
oracle (<xref target="MRH04"/> <xref target="BCIMRT10"/> <xref target="FFSTV13"/> <xref target="LBB19"/> <xref target="H20"/>).
In many cases, such a function can be safely used in cryptographic protocols
whose security analysis assumes a random oracle that outputs uniformly random
points on an elliptic curve.
As Ristenpart et al.&nbsp;discuss in <xref target="RSS11"/>, however, not all security proofs
that rely on random oracles continue to hold when those oracles are replaced
by indifferentiable functionalities.
This limitation should be considered when analyzing the security of protocols
relying on the hash_to_curve function.</t>
      </section>
      <section anchor="security-considerations-passwords">
        <name>Hashing Passwords</name>
        <t>When hashing passwords using any function described in this document, an adversary
who learns the output of the hash function (or potentially any intermediate value,
e.g., the output of hash_to_field) may be able to carry out a dictionary attack.
To mitigate such attacks, it is recommended to first execute a more costly key
derivation function (e.g., PBKDF2 <xref target="RFC8018"/>, scrypt <xref target="RFC7914"/>, or Argon2
<xref target="RFC9106"/>) on the password, then hash the output of that
function to the target elliptic curve.
For collision resistance, the hash underlying the key derivation function
should be chosen according to the guidelines listed in <xref target="hashtofield-expand-xmd"/>.</t>
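        <t>The following Python is an added example, not code from RFC 9380 or from its reference implementations. It shows the order of operations this section recommends: a costly key derivation function runs on the password first, and only its output is hashed to the field. expand_message_xmd and hash_to_field are reimplemented here from Section 5 of this document (outside this excerpt) for the secp256k1_XMD:SHA-256_SSWU_RO_ parameters listed above (p, m = 1, L = 48). The domain separation tag, the password, and the salt are constructed values, and PBKDF2-HMAC-SHA256 with 600000 iterations is this example's choice of KDF; the function names are this example's own.</t>
        <sourcecode type="python"><![CDATA[
```python
import hashlib
import math

# secp256k1_XMD:SHA-256_SSWU_RO_ parameters from this document.
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
M = 1
L = 48
SUITE_ID = b"secp256k1_XMD:SHA-256_SSWU_RO_"
# Constructed domain separation tag: a made-up application tag plus the suite ID.
DST = b"EXAMPLE-APP-V01-CS01-" + SUITE_ID

B_IN_BYTES = 32  # SHA-256 output length
S_IN_BYTES = 64  # SHA-256 input block length


def i2osp(x, n):
    return x.to_bytes(n, "big")


def expand_message_xmd(msg, dst, len_in_bytes):
    """expand_message_xmd instantiated with SHA-256, reimplemented from
    Section 5.3.1 of RFC 9380 (not part of this excerpt)."""
    ell = math.ceil(len_in_bytes / B_IN_BYTES)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: length or DST out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    msg_prime = (i2osp(0, S_IN_BYTES) + msg + i2osp(len_in_bytes, 2)
                 + i2osp(0, 1) + dst_prime)
    b_0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b_0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b_0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(msg, count, dst=DST):
    """hash_to_field for m = 1, reimplemented from Section 5.2 of RFC 9380:
    `count` elements of GF(p), each reduced from L uniform bytes."""
    uniform = expand_message_xmd(msg, dst, count * M * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P
            for i in range(count)]


def password_to_field_direct(password, count=2):
    """What this section warns against: the raw password goes straight into
    hash_to_field, so whoever holds the output can test a dictionary at the
    cost of one expand_message_xmd call per guess."""
    return hash_to_field(password, count)


def password_to_field(password, salt, count=2, iterations=600_000):
    """The recommended order: stretch the password with a costly KDF first
    (PBKDF2-HMAC-SHA256 here; scrypt and Argon2 are the memory-hard
    alternatives this section lists), then hash the KDF output to the field.
    The salt keeps equal passwords from mapping to equal field elements."""
    stretched = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return hash_to_field(stretched, count)


if __name__ == "__main__":
    # Constructed sample password and salt.
    pw, salt = b"correct horse battery staple", b"constructed-16-byte-salt"
    print([hex(e) for e in password_to_field(pw, salt)])
```
]]></sourcecode>
        <t>Both functions return field elements that look alike; the difference is only in how much work each candidate password costs an adversary who has obtained the output, which is why the KDF parameters, not the hash-to-field step, carry the defensive value here.</t>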
</section> </section>
<section anchor="security-considerations-constant">
  <name>Constant-Time Requirements</name>
  <t>Constant-time implementations of all functions in this document are STRONGLY
<bcp14>RECOMMENDED</bcp14> for all uses, to avoid leaking information via side channels.
It is especially important to use a constant-time implementation when inputs to
an encoding are secret values; in such cases, constant-time implementations
are <bcp14>REQUIRED</bcp14> for security against timing attacks (e.g., <xref target="VR20"/>).
When constant-time implementations are required, all basic operations and
utility functions must be implemented in constant time, as discussed in
<xref target="utility"/>.
In some applications (e.g., embedded systems), leakage through other side
channels (e.g., power or electromagnetic side channels) may be pertinent.
Defending against such leakage is outside the scope of this document, because
the nature of the leakage and the appropriate defense depend on the application.</t>
</section>
<section anchor="security-considerations-encode">
  <name>encode_to_curve: Output Distribution and Indifferentiability</name>
  <t>The encode_to_curve function (<xref target="roadmap"/>) returns points sampled from a
distribution that is statistically far from uniform.
This distribution is bounded roughly as follows:
first, it includes at least one eighth of the points in G, and second, the
probability of points in the distribution varies by at most a factor of four.
These bounds hold when encode_to_curve is instantiated with any of the
map_to_curve functions in <xref target="mappings"/>.</t>
  <t>The bounds above are derived from several works in the literature.
Specifically:</t>
  <ul spacing="normal">
    <li>Shallue and van de Woestijne <xref target="SW06"/> and Fouque and Tibouchi <xref target="FT12"/>
derive bounds on the Shallue-van de Woestijne mapping (<xref target="svdw"/>).</li>
    <li>Fouque and Tibouchi <xref target="FT10"/> and Tibouchi <xref target="T14"/> derive bounds for the
Simplified SWU mapping (Sections <xref format="counter" target="simple-swu"/> and <xref format="counter" target="simple-swu-AB0"/>).</li>
    <li>Bernstein et al.&nbsp;<xref target="BHKL13"/> derive bounds for the Elligator 2 mapping
(Sections <xref format="counter" target="elligator2"/> and <xref format="counter" target="ell2edwards"/>).</li>
  </ul>
  <t>Indifferentiability of encode_to_curve follows from an argument similar
to the one given by Brier et al.&nbsp;<xref target="BCIMRT10"/>; we briefly sketch this argument as follows.
Consider an ideal random oracle Hc() that samples from the distribution induced
by the map_to_curve function called by encode_to_curve, and assume for
simplicity that the target elliptic curve has cofactor 1 (a similar argument
applies for non-unity cofactors).
Indifferentiability holds just if it is possible to efficiently simulate
the "inner" random oracle in encode_to_curve, namely, hash_to_field.
The simulator works as follows:
on a fresh query msg, the simulator queries Hc(msg) and receives a point
P in the image of map_to_curve (if msg is the same as a prior query,
the simulator just returns the value it gave in response to that query).
The simulator then computes the possible preimages of P under map_to_curve,
i.e., elements u of F such that map_to_curve(u) == P
(Tibouchi <xref target="T14"/> shows that this can be done efficiently for the Shallue-van
de Woestijne and Simplified SWU maps, and Bernstein et al.&nbsp;show the same for
Elligator 2).
The simulator selects one such preimage at random and returns this value
as the simulated output of the "inner" random oracle.
By hypothesis, Hc() samples from the distribution induced by map_to_curve
on a uniformly random input element of F, so this value is uniformly random
and induces the correct point P when passed through map_to_curve.</t>
</section>
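<t>As an added illustration (not part of RFC 9380, and not code from any of its implementations), the following Python exhaustively evaluates the Elligator 2 map_to_curve of Section 6.7.1 over a toy Montgomery curve and tabulates how often each point is hit, so that the two bounds above can be observed directly: the fraction of the curve covered by the image, and the ratio between the most and least likely output. The curve (p = 1019, J = 1, K = 1) is an assumption chosen for illustration only and is far too small for any real use; the tally is over the whole curve rather than the prime-order subgroup G, since cofactor clearing is omitted. The field helpers follow Section 4 and the square-root routine for p = 3 mod 4 in Appendix I.</t>

```python
# Added example (not part of RFC 9380): exhaustively measure the output
# distribution of the Elligator 2 map_to_curve (RFC 9380, Section 6.7.1)
# on a toy Montgomery curve K * y^2 = x^3 + J * x^2 + x over F_p.
# Parameters are an assumption for illustration: p = 1019 is 3 mod 4, and
# (J^2 - 4) / K^2 = -3 is non-square mod 1019, as Section 6.7.1 requires.
P_MOD = 1019
J, K = 1, 1


def inv0(x):
    """Field inverse that maps 0 to 0 (Section 4)."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def is_square(x):
    """Euler's criterion; 0 counts as a square, as in Section 4."""
    return pow(x % P_MOD, (P_MOD - 1) // 2, P_MOD) in (0, 1)


def sqrt_mod(x):
    """Square root for p = 3 mod 4 (Appendix I); caller checks is_square."""
    return pow(x % P_MOD, (P_MOD + 1) // 4, P_MOD)


def sgn0(x):
    """sgn0 for a prime field is the parity of x (Section 4.1)."""
    return x % 2


def find_z_ell2():
    """Z for Elligator 2 (Appendix H): the non-square of smallest |Z|."""
    ctr = 1
    while True:
        for z in (ctr % P_MOD, (-ctr) % P_MOD):
            if not is_square(z):
                return z
        ctr += 1


Z = find_z_ell2()
JK = (J * inv0(K)) % P_MOD   # J / K
INV_K2 = inv0(K * K)         # 1 / K^2
assert J != 0 and K != 0 and not is_square(((J * J - 4) * INV_K2) % P_MOD)


def g(x):
    """g(x) = x^3 + (J / K) * x^2 + x / K^2, as used in Section 6.7.1."""
    return (x * x * x + JK * x * x + x * INV_K2) % P_MOD


def map_to_curve_elligator2(u):
    """Straight-line transcription of the Section 6.7.1 procedure."""
    u %= P_MOD
    x1 = (-JK * inv0(1 + Z * u * u)) % P_MOD
    if x1 == 0:                      # exceptional case 1 + Z * u^2 == 0
        x1 = (-JK) % P_MOD
    gx1 = g(x1)
    x2 = (-x1 - JK) % P_MOD
    gx2 = g(x2)
    if is_square(gx1):
        x, y = x1, sqrt_mod(gx1)
    else:
        x, y = x2, sqrt_mod(gx2)
    if sgn0(u) != sgn0(y):
        y = (-y) % P_MOD
    return (x * K) % P_MOD, (y * K) % P_MOD


def curve_order():
    """|E(F_p)| by brute force: affine points plus the point at infinity."""
    n = 1
    for s in range(P_MOD):
        rhs = ((s * s * s + J * s * s + s) * inv0(K)) % P_MOD   # t^2
        if rhs == 0:
            n += 1
        elif is_square(rhs):
            n += 2
    return n


def sample_distribution():
    """Map every u in F_p and tabulate how often each point is hit."""
    counts = {}
    for u in range(P_MOD):
        pt = map_to_curve_elligator2(u)
        counts[pt] = counts.get(pt, 0) + 1
    on_curve = all((K * t * t) % P_MOD == (s * s * s + J * s * s + s) % P_MOD
                   for (s, t) in counts)
    return {
        "on_curve": on_curve,
        "image_fraction": len(counts) / curve_order(),
        "max_over_min": max(counts.values()) / min(counts.values()),
    }


if __name__ == "__main__":
    print(sample_distribution())
```

<t>On this toy curve the only point with more than two preimages is the 2-torsion point (0, 0), which collects u = 0 together with the two roots of 1 + Z * u^2 = 0, so the ratio between the most and least likely output stays well inside the factor of four, and the image covers far more than one eighth of the curve. The exhaustive loop is only feasible because the field is tiny; for real parameters the simulator in the argument above relies on the algebraic preimage computation of Tibouchi and of Bernstein et al. rather than on enumeration.</t>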
<section anchor="security-considerations-hash-to-field">
  <name>hash_to_field Security</name>
  <t>The hash_to_field function, defined in <xref target="hashtofield"/>, is indifferentiable
from a random oracle <xref target="MRH04"/> when expand_message (<xref target="hashtofield-expand"/>)
is modeled as a random oracle.
Since indifferentiability proofs are composable, this also holds when
expand_message is proved indifferentiable from a random oracle relative
to an underlying primitive that is modeled as a random oracle.
When following the guidelines in <xref target="hashtofield-expand"/>, both variants
of expand_message defined in that section meet this requirement
(see also <xref target="security-considerations-expand-xmd"/>).</t>
  <t>We very briefly sketch the indifferentiability argument for hash_to_field.
Notice that each integer mod p that hash_to_field returns (i.e., each element
of the vector representation of F) is a member of an equivalence class of roughly
2^k integers of length log2(p) + k bits, all of which are equal modulo p.
For each integer mod p that hash_to_field returns, the simulator samples
one member of this equivalence class at random and outputs the byte string
returned by I2OSP.
(Notice that this is essentially the inverse of the hash_to_field procedure.)</t>
</section>
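<t>The simulator just described is, for one coordinate, the inverse of the OS2IP-and-reduce step of hash_to_field. The following Python, added here as an illustration and not taken from RFC 9380 or any implementation of it, shows both directions: the forward reduction of an L-byte string, and the simulator's sampling of a uniformly random L-byte preimage of a given field element, taking care that e + r * p still fits in L bytes. The modulus 2^255 - 19 and k = 128 are assumed values for illustration.</t>

```python
# Added example (not part of RFC 9380): the OS2IP-and-reduce step of
# hash_to_field (Section 5.2) and the simulator's inverse of it, which
# samples one member of the equivalence class {e + r * p} that fits in
# L bytes and emits I2OSP of it. Field and k are assumed for illustration.
import math
import secrets

P_MOD = 2**255 - 19   # assumed field modulus (the Curve25519 base field)
K_BITS = 128          # assumed target security level k


def expansion_length(p, k):
    """L = ceil((ceil(log2(p)) + k) / 8) bytes, as in Section 5.2."""
    return math.ceil((p.bit_length() + k) / 8)


def reduce_to_field(tv, p):
    """Forward direction: OS2IP(tv) mod p, one coordinate of hash_to_field."""
    return int.from_bytes(tv, "big") % p


def simulate_preimage(e, p, k):
    """Inverse direction used by the simulator: a uniformly random L-byte
    string whose OS2IP value is congruent to e mod p."""
    L = expansion_length(p, k)
    e %= p
    max_int = 256**L - 1
    r_max = (max_int - e) // p          # e + r * p must still fit in L bytes
    r = secrets.randbelow(r_max + 1)    # r uniform in [0, r_max]
    return (e + r * p).to_bytes(L, "big")


def class_size(p, k):
    """Roughly how many L-byte strings reduce to any one field element:
    about 2^k of them, so the reduction's bias is about 2^-k (Section 5.2)."""
    L = expansion_length(p, k)
    return 256**L // p


if __name__ == "__main__":
    e = 12345
    tv = simulate_preimage(e, P_MOD, K_BITS)
    print(len(tv), reduce_to_field(tv, P_MOD) == e, class_size(P_MOD, K_BITS).bit_length())
```

<t>class_size makes the choice of L concrete: with these parameters L is 48 bytes and exactly 2^129 strings of that length reduce to each residue, so the forward reduction is within about 2^-128 of uniform, and the simulator has a large, evenly sized class to sample from without bias.</t>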
<section anchor="security-considerations-expand-xmd">
  <name>expand_message_xmd Security</name>
  <t>The expand_message_xmd function, defined in <xref target="hashtofield-expand-xmd"/>, is
indifferentiable from a random oracle <xref target="MRH04"/> when one of the following holds:</t>
  <ol spacing="normal" type="1">
    <li>H is indifferentiable from a random oracle,</li>
    <li>H is a sponge-based hash function whose inner function
is modeled as a random transformation or random permutation <xref target="BDPV08"/>, or</li>
    <li>H is a Merkle-Damgaard hash function whose compression function is
modeled as a random oracle <xref target="CDMP05"/>.</li>
  </ol>
  <t>For cases (1) and (2), the indifferentiability of expand_message_xmd follows
directly from the indifferentiability of H.</t>
  <t>For case (3), i.e., where H is a Merkle-Damgaard hash function, indifferentiability
follows from <xref target="CDMP05"/>, Theorem 5.
In particular, expand_message_xmd computes b_0 by prefixing the message
with one block of zeros plus auxiliary information (length, counter, and DST).
Then, each of the output blocks b_i, i &gt;= 1 in expand_message_xmd is the
result of invoking H on a unique, prefix-free encoding of b_0.
This is true, first because the length of the input to all such invocations
is equal and fixed by the choice of H and DST, and
second because each such input has a unique suffix (because of the inclusion
of the counter byte I2OSP(i, 1)).</t>
  <t>The essential difference between the construction discussed in <xref target="CDMP05"/> and
expand_message_xmd is that the latter hashes a counter appended to
strxor(b_0, b_(i - 1)) (<xref target="hashtofield-expand-xmd"/>, step 10) rather than to b_0.
This approach increases the Hamming distance between inputs to different
invocations of H, which reduces the likelihood that nonidealities in H
affect the distribution of the b_i values.</t>
  <t>We note that expand_message_xmd can be used to instantiate a general-purpose
indifferentiable functionality with variable-length output based on any hash
function meeting one of the above criteria.
Applications that use expand_message_xmd outside of hash_to_field should
ensure domain separation by picking a distinct value for DST.</t>
</section>
<section anchor="security-considerations-domain-separation-expmsg-var">
  <name>Domain Separation for expand_message Variants</name>
  <t>As discussed in <xref target="term-domain-separation"/>, the purpose of domain separation
is to ensure that security analyses of cryptographic protocols that query
multiple independent random oracles remain valid even if all of these random
oracles are instantiated based on one underlying function H.</t>
  <t>The expand_message variants in this document (<xref target="hashtofield-expand"/>) ensure
domain separation by appending a suffix-free-encoded domain separation tag
DST_prime to all strings hashed by H, an underlying hash or
extendable-output function.
(Other expand_message variants that follow the guidelines in
<xref target="hashtofield-expand-other"/> are expected to behave similarly,
but these should be analyzed on a case-by-case basis.)
For security, applications that use the same function H outside of expand_message
should enforce domain separation between those uses of H and expand_message,
and they should separate all of these from uses of H in other applications.</t>
  <t>This section suggests four methods for enforcing domain separation
from expand_message variants, explains how each method achieves domain
separation, and lists the situations in which each is appropriate.
These methods share a high-level structure: the application designer fixes a tag
DST_ext distinct from DST_prime and augments calls to H with DST_ext.
Each method augments calls to H differently, and each may impose
additional requirements on DST_ext.</t>
  <t>These methods can be used to instantiate multiple domain-separated functions
(e.g., H1 and H2) by selecting distinct DST_ext values for each
(e.g., DST_ext1, DST_ext2).</t>
  <ol spacing="normal" type="1">
    <li>
      <t>(Suffix-only domain separation.)
This method is useful when domain-separating invocations of H
from expand_message_xmd or expand_message_xof.
It is not appropriate for domain-separating expand_message from HMAC-H
<xref target="RFC2104"/>; for that purpose, see method 4.</t>
      <t>To instantiate a suffix-only domain-separated function Hso, compute</t>
      <artwork><![CDATA[
Hso(msg) = H(msg || DST_ext)
]]></artwork>
      <t>DST_ext should be suffix-free encoded (e.g., by appending one byte
encoding the length of DST_ext) to make it infeasible to find distinct
(msg, DST_ext) pairs that hash to the same value.</t>
      <t>This method ensures domain separation because all distinct invocations of
H have distinct suffixes, since DST_ext is distinct from DST_prime.</t>
    </li>
    <li>
      <t>(Prefix-suffix domain separation.)
This method can be used in the same cases as the suffix-only method.</t>
      <t>To instantiate a prefix-suffix domain-separated function Hps, compute</t>
      <artwork><![CDATA[
Hps(msg) = H(DST_ext || msg || I2OSP(0, 1))
]]></artwork>
      <t>DST_ext should be prefix-free encoded (e.g., by adding a one-byte prefix
that encodes the length of DST_ext) to make it infeasible to find distinct
(msg, DST_ext) pairs that hash to the same value.</t>
      <t>This method ensures domain separation because
appending the byte I2OSP(0, 1) ensures that inputs to H inside Hps
are distinct from those inside expand_message.
Specifically, the final byte of DST_prime encodes the length of DST, which
is required to be nonzero (<xref target="domain-separation"/>, requirement 2), and
DST_prime is always appended to invocations of H inside expand_message.</t>
    </li>
    <li>
      <t>(Prefix-only domain separation.)
This method is only useful for domain-separating invocations of H
from expand_message_xmd.
It does not give domain separation for expand_message_xof or HMAC-H.</t>
      <t>To instantiate a prefix-only domain-separated function Hpo, compute</t>
      <artwork><![CDATA[
Hpo(msg) = H(DST_ext || msg)
]]></artwork>
      <t>In order for this method to give domain separation, DST_ext should
be at least b bits long, where b is the number of bits output by the
hash function H.
In addition, at least one of the first b bits must be nonzero.
Finally, DST_ext should be prefix-free encoded (e.g., by adding a
one-byte prefix that encodes the length of DST_ext) to make it infeasible to
find distinct (msg, DST_ext) pairs that hash to the same value.</t>
      <t>This method ensures domain separation as follows.
First, since DST_ext contains at least one nonzero bit among its first b bits,
it is guaranteed to be distinct from the value Z_pad
(<xref target="hashtofield-expand-xmd"/>, step 4), which ensures that all inputs to H
are distinct from the input used to generate b_0 in expand_message_xmd.
Second, since DST_ext is at least b bits long, it is almost certainly
distinct from the values b_0 and strxor(b_0, b_(i - 1)), and therefore
all inputs to H are distinct from the inputs used to generate b_i, i &gt;= 1,
with high probability.</t>
    </li>
    <li>
      <t>(XMD-HMAC domain separation.)
This method is useful for domain-separating invocations of H inside
HMAC-H (i.e., HMAC <xref target="RFC2104"/> instantiated with hash function H) from
expand_message_xmd.
It also applies to HKDF-H (i.e., HKDF <xref target="RFC5869"/> instantiated with hash function H), as discussed below.</t>
      <t>Specifically, this method applies when HMAC-H is used with a non-secret
key to instantiate a random oracle based on a hash function H
(note that expand_message_xmd can also be used for this purpose; see
<xref target="security-considerations-expand-xmd"/>).
When using HMAC-H with a high-entropy secret key, domain separation is not
necessary; see discussion below.</t>
      <t>To choose a non-secret HMAC key DST_key that ensures domain separation
from expand_message_xmd, compute</t>
      <artwork><![CDATA[
DST_key_preimage = "DERIVE-HMAC-KEY-" || DST_ext || I2OSP(0, 1)
DST_key = H(DST_key_preimage)
]]></artwork>
      <t>Then, to instantiate the random oracle Hro using HMAC-H, compute</t>
      <artwork><![CDATA[
Hro(msg) = HMAC-H(DST_key, msg)
]]></artwork>
      <t>The trailing zero byte in DST_key_preimage ensures that this value
is distinct from inputs to H inside expand_message_xmd (because all
such inputs have suffix DST_prime, which cannot end with a zero byte
as discussed above).
This ensures domain separation because, with overwhelming probability,
all inputs to H inside of HMAC-H using key DST_key have prefixes that
are distinct from the values Z_pad, b_0, and strxor(b_0, b_(i - 1))
inside of expand_message_xmd.</t>
      <t>For uses of HMAC-H that instantiate a private random oracle by fixing
a high-entropy secret key, domain separation from expand_message_xmd
is not necessary.
This is because, similarly to the case above, all inputs to H inside
HMAC-H using this secret key almost certainly have distinct prefixes
from all inputs to H inside expand_message_xmd.</t>
      <t>Finally, this method can be used with HKDF-H <xref target="RFC5869"/> by fixing
the salt input to HKDF-Extract to DST_key, computed as above.
This ensures domain separation for HKDF-Extract by the same argument
as for HMAC-H using DST_key.
Moreover, assuming that the input keying material (IKM) supplied to HKDF-Extract has sufficiently
high entropy (say, commensurate with the security parameter), the
HKDF-Expand step is domain-separated by the same argument as for
HMAC-H with a high-entropy secret key (since the pseudorandom key PRK output by HKDF-Extract is exactly that).</t>
    </li>
  </ol>
</section>
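<t>The following Python is an added, self-contained illustration (not code from RFC 9380 or any of its implementations) of the two preceding sections: it implements expand_message_xmd over SHA-256 with a wrapper H that records every string it hashes, writes HMAC out explicitly so that its inner H calls are visible too, and instantiates the four domain-separated functions Hso, Hps, Hpo, and Hro with the length-encoding and nonzero-bit requirements listed above enforced in code. check_separation then tests the claim that underlies each method on a sample input: no string hashed by H inside expand_message_xmd is also hashed by H inside any of the four. The DST, DST_ext, and message values are assumptions for illustration; the DST happens to be the one used for the expand_message_xmd(SHA-256) vectors in Appendix K.1, so the output for the empty message can be compared against that appendix.</t>

```python
# Added example (not part of RFC 9380): expand_message_xmd (Section 5.3.1)
# over SHA-256 with an instrumented H, HMAC written out by hand, and the
# four domain-separation methods of the preceding section. DST, DST_ext and
# messages are assumed values for illustration.
import hashlib
import hmac

B_IN_BYTES = 32   # b / 8 for SHA-256
S_IN_BYTES = 64   # SHA-256 input block size
HASHED = []       # every input handed to H, in call order


def H(data):
    """SHA-256, recording its input so H calls can be compared afterwards."""
    HASHED.append(bytes(data))
    return hashlib.sha256(data).digest()


def i2osp(x, n):
    return x.to_bytes(n, "big")


def strxor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def expand_message_xmd(msg, dst, len_in_bytes):
    """Steps 1-12 of Section 5.3.1."""
    ell = (len_in_bytes + B_IN_BYTES - 1) // B_IN_BYTES
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)       # suffix-free encoding of DST
    msg_prime = (i2osp(0, S_IN_BYTES) + msg + i2osp(len_in_bytes, 2)
                 + i2osp(0, 1) + dst_prime)    # Z_pad || msg || l_i_b_str || 0 || DST_prime
    b_0 = H(msg_prime)
    b = [H(b_0 + i2osp(1, 1) + dst_prime)]
    for i in range(2, ell + 1):
        b.append(H(strxor(b_0, b[-1]) + i2osp(i, 1) + dst_prime))   # step 10
    return b"".join(b)[:len_in_bytes]


def hmac_h(key, msg):
    """HMAC (RFC 2104) spelled out so both of its H calls go through H()."""
    if len(key) > S_IN_BYTES:
        key = H(key)
    key = key + bytes(S_IN_BYTES - len(key))
    inner = H(bytes(k ^ 0x36 for k in key) + msg)
    return H(bytes(k ^ 0x5C for k in key) + inner)


def hmac_matches_stdlib(key=b"k" * 70, msg=b"m"):
    return hmac_h(key, msg) == hmac.new(key, msg, "sha256").digest()


def Hso(msg, dst_ext):
    """Method 1: suffix-only; DST_ext made suffix-free with a length byte."""
    return H(msg + dst_ext + i2osp(len(dst_ext), 1))


def Hps(msg, dst_ext):
    """Method 2: prefix-suffix; length-prefixed DST_ext, trailing zero byte."""
    return H(i2osp(len(dst_ext), 1) + dst_ext + msg + i2osp(0, 1))


def Hpo(msg, dst_ext):
    """Method 3: prefix-only; DST_ext needs at least b bits, a nonzero bit
    among its first b bits, and a length prefix."""
    if not (len(dst_ext) >= B_IN_BYTES and any(dst_ext[:B_IN_BYTES])):
        raise ValueError("Hpo: DST_ext too short or zero in its first b bits")
    return H(i2osp(len(dst_ext), 1) + dst_ext + msg)


def hpo_rejects(dst_ext):
    try:
        Hpo(b"", dst_ext)
    except ValueError:
        return True
    return False


def derive_dst_key(dst_ext):
    """Method 4: non-secret HMAC key, with the trailing zero byte."""
    return H(b"DERIVE-HMAC-KEY-" + dst_ext + i2osp(0, 1))


def Hro(msg, dst_ext):
    return hmac_h(derive_dst_key(dst_ext), msg)


def check_separation(msg, dst, dst_ext):
    """True if no string hashed by H inside expand_message_xmd is also hashed
    by H inside any of Hso, Hps, Hpo, Hro for the same message."""
    del HASHED[:]
    expand_message_xmd(msg, dst, 96)
    xmd_inputs = set(HASHED)
    for fn in (Hso, Hps, Hpo, Hro):
        del HASHED[:]
        fn(msg, dst_ext)
        if xmd_inputs.intersection(HASHED):
            return False
    return True


if __name__ == "__main__":
    DST = b"QUUX-V01-CS02-with-expander-SHA256-128"
    # Appendix K.1, msg = "", len_in_bytes = 0x20:
    # 68a985b87eb6b46952128911f2a4412bbc302a9d759667f87f7a21d803f07235
    print(expand_message_xmd(b"", DST, 32).hex())
    print(check_separation(b"msg", DST, DST + b"-ext"))
```

<t>Hpo rejects a DST_ext shorter than b bits, or one with no nonzero bit among its first b bits, which are the two conditions that keep its prefix distinct from Z_pad and, with high probability, from b_0 and strxor(b_0, b_(i - 1)). The recorded-input check is a concrete test for one run, not a proof, but it makes the structure of the argument visible: the suffix methods differ from expand_message_xmd in the suffix that follows the message, the prefix-only method in the leading block, and the XMD-HMAC method in the key-derived prefix that every inner H call carries.</t>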
<section anchor="security-considerations-targets">
  <name>Target Security Levels</name>
  <t>Each ciphersuite specifies a target security level (in bits) for the underlying
curve. This parameter ensures the corresponding hash_to_field instantiation is
conservative and correct. We stress that this parameter is only an upper bound on
the security level of the curve and is neither a guarantee nor endorsement of its
suitability for a given application. Mathematical and cryptographic advancements
may reduce the effective security level for any curve.</t>
</section>
</section>
<section anchor="acknowledgements" numbered="true" toc="default">
  <name>Acknowledgements</name>
  <t>The authors would like to thank Adam Langley for his detailed writeup of Elligator 2 with
Curve25519 <xref target="L13" format="default"/>;
Dan Boneh, Christopher Patton, Benjamin Lipp, and Leonid Reyzin for educational
discussions; and
David Benjamin, Daniel Bourdrez, Frank Denis, Sean Devlin, Justin Drake, Bjoern Haase, Mike Hamburg,
Dan Harkins, Daira Hopwood, Thomas Icart, Andy Polyakov, Thomas Pornin, Mamy Ratsimbazafy, Michael Scott,
Filippo Valsorda, and Mathy Vanhoef for helpful reviews and feedback.</t>
  <section anchor="contributors" numbered="true" toc="default">
    <name>Contributors</name>
    <ul spacing="normal">
      <li>Sharon Goldberg, Boston University (goldbe@cs.bu.edu)</li>
      <li>Ela Lee, Royal Holloway, University of London (Ela.Lee.2010@live.rhu</li>
      <li>Michele Orru (michele.orru@ens.fr)</li>
    </ul>
  </section>
</section>
</middle>
<back>
  <displayreference target="I-D.irtf-cfrg-bls-signature" to="BLS-SIG"/>
  <displayreference target="I-D.irtf-cfrg-vrf" to="VRF"/>
  <displayreference target="I-D.irtf-cfrg-voprf" to="OPRFs"/>
  <displayreference target="I-D.irtf-cfrg-ristretto255-decaf448" to="ristretto255-decaf448"/>
  <references>
    <name>References</name>
    <references>
      <name>Normative References</name>
      <reference anchor="Err4730" target="https://www.rfc-editor.org/errata/eid4730">
        <front>
          <title>Erratum ID 4730</title>
          <author>
            <organization>RFC Errata</organization>
          </author>
          <date year="2016" month="July"/>
        </front>
        <refcontent>RFC 7748</refcontent>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="BCP" value="14"/>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="BCP" value="14"/>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC8017">
        <front>
          <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
          <seriesInfo name="RFC" value="8017"/>
          <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
          <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
          <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
          <author fullname="A. Rusch" initials="A." surname="Rusch"/>
          <date month="November" year="2016"/>
          <abstract>
            <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
            <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
            <t>This document also obsoletes RFC 3447.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC7748">
        <front>
          <title>Elliptic Curves for Security</title>
          <seriesInfo name="DOI" value="10.17487/RFC7748"/>
          <seriesInfo name="RFC" value="7748"/>
          <author fullname="A. Langley" initials="A." surname="Langley"/>
          <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
          <author fullname="S. Turner" initials="S." surname="Turner"/>
          <date month="January" year="2016"/>
          <abstract>
            <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~
128-bit and ~224-bit security level, respectively, and are generated determinist
ically based on a list of required properties.</t>
<reference anchor="I-D.irtf-cfrg-pairing-friendly-curves">
<title>Pairing-Friendly Curves</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-pairing-fri
<author fullname="Yumi Sakemi">
<author fullname="Tetsutaro Kobayashi">
<author fullname="Tsunekazu Saito">
<author fullname="Riad S. Wahby">
<organization>Stanford University</organization>
<date day="30" month="July" year="2021"/>
<t> Pairing-based cryptography, a subfield of elliptic curve
cryptography, has received attention due to its flexible and
practical functionality. Pairings are special maps defined using
elliptic curves and it can be applied to construct several
cryptographic protocols such as identity-based encryption, attribute-
based encryption, and so on. At CRYPTO 2016, Kim and Barbulescu
proposed an efficient number field sieve algorithm named exTNFS for
the discrete logarithm problem in a finite field. Several types of
pairing-friendly curves such as Barreto-Naehrig curves are affected
by the attack. In particular, a Barreto-Naehrig curve with a 254-bit
characteristic was adopted by a lot of cryptographic libraries as a
parameter of 128-bit security, however, it ensures no more than the
100-bit security level due to the effect of the attack. In this
memo, we list the security levels of certain pairing-friendly curves,
and motivate our choices of curves. First, we summarize the adoption
status of pairing-friendly curves in standards, libraries and
applications, and classify them in the 128-bit, 192-bit, and 256-bit
security levels. Then, from the viewpoints of "security" and "widely
used", we select the recommended pairing-friendly curves considering
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
</reference> />
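Review bot: the expanded I-D.irtf-cfrg-pairing-friendly-curves entry (including its inline abstract) disappears from the Normative References column, and only the four xi:include lines for RFCs 2119, 8174, 8017 and 7748 remain on the new side; no replacement entry for the pairing-friendly-curves draft is visible in this hunk. Confirm that any xref to that anchor still resolves, or that the entry was moved to the Informative section, before merging.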
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml"
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/"> <reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/">
<front> <front>
<title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title> <title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title>
<author initials="S." surname="Bowe" fullname="Sean Bowe"> <author initials="S." surname="Bowe" fullname="Sean Bowe">
<organization>Electric Coin Company</organization> <organization>Electric Coin Company</organization>
</author> </author>
<date year="2017" month="March"/> <date year="2017" month="March"/>
</front> </front>
</reference> </reference>
<reference anchor="BR93" target="https://doi.org/10.1145/168588.168596"> <reference anchor="BR93" target="https://doi.org/10.1145/168588.168596">
<front> <front>
<title>Random oracles are practical: a paradigm for designing effici ent protocols</title> <title>Random oracles are practical: a paradigm for designing effici ent protocols</title>
<seriesInfo name="DOI" value="10.1145/168588.168596"/>
<seriesInfo name="pages" value="62-73"/>
<seriesInfo name="In" value="Proceedings of the 1993 ACM Conference
on Computer and Communications Security"/>
<author initials="M." surname="Bellare" fullname="Mihir Bellare"> <author initials="M." surname="Bellare" fullname="Mihir Bellare">
<organization>UC San Diego</organization> <organization>UC San Diego</organization>
</author> </author>
<author initials="P." surname="Rogaway" fullname="Phillip Rogaway"> <author initials="P." surname="Rogaway" fullname="Phillip Rogaway">
<organization>UC Davis</organization> <organization>UC Davis</organization>
</author> </author>
<date year="1993" month="December"/> <date year="1993" month="December"/>
</front> </front>
<refcontent>In Proceedings of the 1993 ACM Conference on Computer and Communicat
ions Security, pages 62-73</refcontent>
<seriesInfo name="DOI" value="10.1145/168588.168596"/>
</reference> </reference>
<reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf"> <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
<front> <front>
<title>SEC 1: Elliptic Curve Cryptography</title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author> <author>
<organization>Standards for Efficient Cryptography Group (SECG)</o rganization> <organization>Standards for Efficient Cryptography Group (SECG)</o rganization>
</author> </author>
<date year="2009" month="May"/> <date year="2009" month="May"/>
</front> </front>
</reference> </reference>
<reference anchor="SEC2" target="http://www.secg.org/sec2-v2.pdf"> <reference anchor="SEC2" target="http://www.secg.org/sec2-v2.pdf">
<front> <front>
<title>SEC 2: Recommended Elliptic Curve Domain Parameters</title> <title>SEC 2: Recommended Elliptic Curve Domain Parameters</title>
<author> <author>
<organization>Standards for Efficient Cryptography Group (SECG)</o rganization> <organization>Standards for Efficient Cryptography Group (SECG)</o rganization>
</author> </author>
<date year="2010" month="January"/> <date year="2010" month="January"/>
</front> </front>
</reference> </reference>
<reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.180-4.pdf"> <reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.180-4.pdf">
<front> <front>
<title>Secure Hash Standard (SHS)</title> <title>Secure Hash Standard (SHS)</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2015" month="August"/> <date year="2015" month="August"/>
</front> </front>
<seriesInfo name="FIPS" value="180-4"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
</reference> </reference>
<reference anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.186-4.pdf"> <reference anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.186-4.pdf">
<front> <front>
<title>FIPS Publication 186-4: Digital Signature Standard</title> <title>Digital Signature Standard (DSS)</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2013" month="July"/> <date year="2013" month="July"/>
</front> </front>
<seriesInfo name="FIPS" value="186-4"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
</reference> </reference>
<reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.202.pdf"> <reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.202.pdf">
<front> <front>
<title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title> <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2015" month="August"/> <date year="2015" month="August"/>
</front> </front>
<seriesInfo name="FIPS" value="202"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.202"/>
</reference> </reference>
<reference anchor="BDPV08" target="https://doi.org/10.1007/978-3-540-789 67-3_11"> <reference anchor="BDPV08" target="https://doi.org/10.1007/978-3-540-789 67-3_11">
<front> <front>
<title>On the Indifferentiability of the Sponge Construction</title> <title>On the Indifferentiability of the Sponge Construction</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-78967-3_11"/> <author initials="G." surname="Bertoni" fullname="Guido Bertoni">
<seriesInfo name="pages" value="181-197"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2008
<author initials="G." surname="Bertoni," fullname="Guido Bertoni">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<author initials="J." surname="Daemen" fullname="Joan Daemen"> <author initials="J." surname="Daemen" fullname="Joan Daemen">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<author initials="M." surname="Peeters" fullname="Michael Peeters"> <author initials="M." surname="Peeters" fullname="Michael Peeters">
<organization>NXP Semiconductors</organization> <organization>NXP Semiconductors</organization>
</author> </author>
<author initials="G." surname="Van Assche" fullname="Gilles Van Assc he"> <author initials="G." surname="Van Assche" fullname="Gilles Van Assc he">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<date year="2008"/> <date year="2008" month="April"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2008, pages 181-197</refconten
<seriesInfo name="DOI" value="10.1007/978-3-540-78967-3_11"/>
</reference> </reference>
<reference anchor="CDMP05" target="https://doi.org/10.1007/11535218_26"> <reference anchor="CDMP05" target="https://doi.org/10.1007/11535218_26">
<front> <front>
<title>Merkle-Damgaard Revisited: How to Construct a Hash Function</ <title>Merkle-Damgård Revisited: How to Construct a Hash Function</t
title> itle>
<seriesInfo name="DOI" value="10.1007/11535218_26"/> <author initials="J.-S." surname="Coron" fullname="Jean-Sebastien Co
<seriesInfo name="pages" value="430-448"/> ron">
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2005"/>
<author initials="J-S." surname="Coron" fullname="Jean-Sebastien Cor
<organization>University of Luxembourg</organization> <organization>University of Luxembourg</organization>
</author> </author>
<author initials="Y." surname="Dodis" fullname="Yevgeniy Dodis"> <author initials="Y." surname="Dodis" fullname="Yevgeniy Dodis">
<organization>New York University</organization> <organization>New York University</organization>
</author> </author>
<author initials="C." surname="Malinaud" fullname="Cecile Malinaud"> <author initials="C." surname="Malinaud" fullname="Cecile Malinaud">
<organization>University of Luxembourg</organization> <organization>University of Luxembourg</organization>
</author> </author>
<author initials="P." surname="Puniya" fullname="Prashant Puniya"> <author initials="P." surname="Puniya" fullname="Prashant Puniya">
<organization>New York University</organization> <organization>New York University</organization>
</author> </author>
<date year="2005"/> <date year="2005" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology -- CRYPTO 2005, pages 430-448</refcontent>
<seriesInfo name="DOI" value="10.1007/11535218_26"/>
</reference> </reference>
<reference anchor="BLAKE2X" target="https://blake2.net/blake2x.pdf"> <reference anchor="BLAKE2X" target="https://blake2.net/blake2x.pdf">
<front> <front>
<title>BLAKE2X</title> <title>BLAKE2X</title>
<author initials="J-P." surname="Aumasson" fullname="Jean-Philippe A umasson"> <author initials="J.-P." surname="Aumasson" fullname="Jean-Philippe Aumasson">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Neves" fullname="Samuel Neves"> <author initials="S." surname="Neves" fullname="Samuel Neves">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn"> <author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Winnerlein" fullname="Christian Winne rlein"> <author initials="C." surname="Winnerlein" fullname="Christian Winne rlein">
<organization/> <organization/>
</author> </author>
<date year="2016" month="December"/> <date year="2016" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="Icart09" target="https://doi.org/10.1007/978-3-642-03 356-8_18"> <reference anchor="Icart09" target="https://doi.org/10.1007/978-3-642-03 356-8_18">
<front> <front>
<title>How to Hash into Elliptic Curves</title> <title>How to Hash into Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-03356-8_18"/>
<seriesInfo name="pages" value="303-316"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2009"/>
<author initials="T." surname="Icart" fullname="Thomas Icart"> <author initials="T." surname="Icart" fullname="Thomas Icart">
<organization>Sagem Securite and Universite du Luxembourg</organiz ation> <organization>Sagem Securite and Universite du Luxembourg</organiz ation>
</author> </author>
<date year="2009"/> <date year="2009" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2009, pages 303-316</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-03356-8_18"/>
</reference> </reference>
<reference anchor="BBJLP08" target="https://doi.org/10.1007/978-3-540-68 164-9_26"> <reference anchor="BBJLP08" target="https://doi.org/10.1007/978-3-540-68 164-9_26">
<front> <front>
<title>Twisted Edwards curves</title> <title>Twisted Edwards Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-68164-9_26"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="pages" value="389-405"/> nstein">
<seriesInfo name="In" value="AFRICACRYPT 2008"/>
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bern
<organization>Department of Computer Science, University of Illino is at Chicago, USA</organization> <organization>Department of Computer Science, University of Illino is at Chicago, USA</organization>
</author> </author>
<author initials="P." surname="Birkner" fullname="Peter Birkner"> <author initials="P." surname="Birkner" fullname="Peter Birkner">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="M." surname="Joye" fullname="Marc Joye"> <author initials="M." surname="Joye" fullname="Marc Joye">
<organization>Thomson R&amp;D France</organization> <organization>Thomson R&amp;D France</organization>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="C." surname="Peters" fullname="Christiane Peters"> <author initials="C." surname="Peters" fullname="Christiane Peters">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2008"/> <date year="2008" month="June"/>
</front> </front>
<refcontent>In AFRICACRYPT 2008, pages 389-405</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-540-68164-9_26"/>
</reference> </reference>
<reference anchor="CK11" target="https://doi.org/10.1016/j.jsc.2011.11.0 03"> <reference anchor="CK11" target="https://doi.org/10.1016/j.jsc.2011.11.0 03">
<front> <front>
<title>The geometry of flex tangents to a cubic curve and its parame terizations</title> <title>The geometry of flex tangents to a cubic curve and its parame terizations</title>
<seriesInfo name="DOI" value="10.1016/j.jsc.2011.11.003"/> <author initials="J.-M." surname="Couveignes" fullname="Jean-Marc Co
<seriesInfo name="pages" value="266-281"/> uveignes">
<seriesInfo name="In" value="Journal of Symbolic Computation, vol 47
issue 3"/>
<author initials="J." surname="Couveignes" fullname="Jean-Marc Couve
<organization>Universite Bordeaux</organization> <organization>Universite Bordeaux</organization>
</author> </author>
<author initials="J." surname="Kammerer" fullname="Jean-Gabriel Kamm erer"> <author initials="J.-G." surname="Kammerer" fullname="Jean-Gabriel K ammerer">
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<date year="2012"/> <date year="2012" month="March"/>
</front> </front>
<refcontent>In Journal of Symbolic Computation, vol 47 issue 3, pages 266-281</r
<seriesInfo name="DOI" value="10.1016/j.jsc.2011.11.003"/>
</reference> </reference>
<reference anchor="VR20" target="https://eprint.iacr.org/2019/383"> <reference anchor="VR20" target="https://eprint.iacr.org/2019/383">
<front> <front>
<title>Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EA P-pwd</title> <title>Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EA P-pwd</title>
<seriesInfo name="In" value="IEEE Symposium on Security &amp; Privac y (SP)"/>
<author initials="M." surname="Vanhoef" fullname="Mathy Vanhoef"> <author initials="M." surname="Vanhoef" fullname="Mathy Vanhoef">
<organization>New York University Abu Dhabi</organization> <organization>New York University Abu Dhabi</organization>
</author> </author>
<author initials="E." surname="Ronen" fullname="Eyal Ronen"> <author initials="E." surname="Ronen" fullname="Eyal Ronen">
<organization>Tel Aviv University and KU Leuven</organization> <organization>Tel Aviv University and KU Leuven</organization>
</author> </author>
<date year="2020"/> <date year="2020" month="May"/>
</front> </front>
<refcontent>In IEEE Symposium on Security &amp; Privacy (SP)</refcontent>
</reference> </reference>
<reference anchor="F11" target="https://doi.org/10.1007/978-3-642-21969- 6_17"> <reference anchor="F11" target="https://doi.org/10.1007/978-3-642-21969- 6_17">
<front> <front>
<title>Hashing into Hessian curves</title> <title>Hashing into Hessian Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-21969-6_17"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="278-289"/> hahi">
<seriesInfo name="In" value="AFRICACRYPT 2011"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<date year="2011"/> <date year="2011" month="July"/>
</front> </front>
<refcontent>In AFRICACRYPT 2011, pages 278-289</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-21969-6_17"/>
</reference> </reference>
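Review bot: <organization>Macquarie Universit</organization> is missing its final letter in both columns of F11, and the same string recurs twice in FSV09 below; since this hunk already corrects the author initials, fix the organization in the same pass: <organization>Macquarie University</organization>.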
<reference anchor="FSV09" target="https://doi.org/10.1515/JMC.2009.022"> <reference anchor="FSV09" target="https://doi.org/10.1515/JMC.2009.022">
<front> <front>
<title>On hashing into elliptic curves</title> <title>On hashing into elliptic curves</title>
<seriesInfo name="DOI" value="10.1515/JMC.2009.022"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="353-360"/> hahi">
<seriesInfo name="In" value="Journal of Mathematical Cryptology, vol
3 no 4"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="I.E." surname="Shparlinski" fullname="Igor E. Shpa rlinski"> <author initials="I. E." surname="Shparlinski" fullname="Igor E. Shp arlinski">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="J.F." surname="Voloch" fullname="J. Felipe Voloch" > <author initials="J. F." surname="Voloch" fullname="J. Felipe Voloch ">
<organization>University of Texas</organization> <organization>University of Texas</organization>
</author> </author>
<date year="2009"/> <date year="2009" month="March"/>
</front> </front>
<refcontent>In Journal of Mathematical Cryptology, vol 3 no 4, pages 353-360</re
<seriesInfo name="DOI" value="10.1515/JMC.2009.022"/>
</reference> </reference>
<reference anchor="FT10" target="https://doi.org/10.1007/978-3-642-14712 -8_5"> <reference anchor="FT10" target="https://doi.org/10.1007/978-3-642-14712 -8_5">
<front> <front>
<title>Estimating the size of the image of deterministic hash functi <title>Estimating the Size of the Image of Deterministic Hash Functi
ons to elliptic curves.</title> ons to Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-14712-8_5"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="81-91"/> que">
<seriesInfo name="In" value="Progress in Cryptology - LATINCRYPT 201
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2010"/> <date year="2010" month="August"/>
</front> </front>
<refcontent>In Progress in Cryptology - LATINCRYPT 2010, pages 81-91</refcontent
<seriesInfo name="DOI" value="10.1007/978-3-642-14712-8_5"/>
</reference> </reference>
<reference anchor="FT12" target="https://doi.org/10.1007/978-3-642-33481 -8_1"> <reference anchor="FT12" target="https://doi.org/10.1007/978-3-642-33481 -8_1">
<front> <front>
<title>Indifferentiable Hashing to Barreto-Naehrig Curves</title> <title>Indifferentiable Hashing to Barreto--Naehrig Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-33481-8_1"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="1-7"/> que">
<seriesInfo name="In" value="Progress in Cryptology - LATINCRYPT 201
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2012"/> <date year="2012"/>
</front> </front>
<refcontent>In Progress in Cryptology - LATINCRYPT 2012, pages 1-17</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-33481-8_1"/>
</reference> </reference>
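Review bot: the new title reads "Barreto--Naehrig" with a double hyphen; xml2rfc renders both characters literally, so use a single hyphen as in the old title or a proper dash character, consistent with "Barreto-Naehrig" elsewhere on the page. The refcontent also silently changes the page range from "1-7" to "1-17"; that correction should be called out in the change summary so it is not mistaken for a typo.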
<reference anchor="FJT13" target="https://doi.org/10.1007/978-3-642-3905 9-3_14"> <reference anchor="FJT13" target="https://doi.org/10.1007/978-3-642-3905 9-3_14">
<front> <front>
<title>Injective encodings to elliptic curves</title> <title>Injective Encodings to Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-39059-3_14"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="203-218"/> que">
<seriesInfo name="In" value="ACISP 2013"/>
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="A." surname="Joux" fullname="Antoine Joux"> <author initials="A." surname="Joux" fullname="Antoine Joux">
<organization>Sorbonne Universite</organization> <organization>Sorbonne Universite</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2013"/> <date year="2013"/>
</front> </front>
<refcontent>In ACISP 2013, pages 203-218</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-39059-3_14"/>
</reference> </reference>
<reference anchor="KLR10" target="https://doi.org/10.1007/978-3-642-1745 5-1_18"> <reference anchor="KLR10" target="https://doi.org/10.1007/978-3-642-1745 5-1_18">
<front> <front>
<title>Encoding points on hyperelliptic curves over finite fields in <title>Encoding Points on Hyperelliptic Curves over Finite Fields in
deterministic polynomial time</title> Deterministic Polynomial Time</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-17455-1_18"/> <author initials="J.-G." surname="Kammerer" fullname="Jean-Gabriel K
<seriesInfo name="pages" value="278-297"/> ammerer">
<seriesInfo name="In" value="PAIRING 2010"/>
<author initials="J." surname="Kammerer" fullname="Jean-Gabriel Kamm
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<author initials="R." surname="Lercier" fullname="Reynald Lercier"> <author initials="R." surname="Lercier" fullname="Reynald Lercier">
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<author initials="G." surname="Renault" fullname="Guenael Renault"> <author initials="G." surname="Renault" fullname="Guenael Renault">
<organization>Universite Pierre et Marie Curie</organization> <organization>Universite Pierre et Marie Curie</organization>
</author> </author>
<date year="2010"/> <date year="2010"/>
</front> </front>
<refcontent>In Pairing-Based Cryptography - Pairing 2010, pages 278-297</refcont
<seriesInfo name="DOI" value="10.1007/978-3-642-17455-1_18"/>
</reference> </reference>
<reference anchor="AR13" target="https://doi.org/10.1109/TC.2013.145"> <reference anchor="AR13" target="https://doi.org/10.1109/TC.2013.145">
<front> <front>
<title>Square Root Computation over Even Extension Fields</title> <title>Square Root Computation over Even Extension Fields</title>
<seriesInfo name="DOI" value="10.1109/TC.2013.145"/>
<seriesInfo name="pages" value="2829-2841"/>
<seriesInfo name="In" value="IEEE Transactions on Computers. vol 63
issue 11"/>
<author initials="G." surname="Adj" fullname="Gora Adj"> <author initials="G." surname="Adj" fullname="Gora Adj">
<organization>ISFA, Universite Claude Bernard Lyon 1, Villeurbanne , France</organization> <organization>ISFA, Universite Claude Bernard Lyon 1, Villeurbanne , France</organization>
</author> </author>
<author initials="F." surname="Rodriguez-Henriquez" fullname="Franci sco Rodriguez-Henriquez"> <author initials="F." surname="Rodríguez-Henríquez" fullname="Franci sco Rodríguez-Henríquez">
<organization>CINVESTAV-IPN, San Pedro Zacatenco, Mexico City, Mex ico.</organization> <organization>CINVESTAV-IPN, San Pedro Zacatenco, Mexico City, Mex ico.</organization>
</author> </author>
<date year="2014" month="November"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In IEEE Transactions on Computers. vol 63 issue 11, pages 2829-2841<
<seriesInfo name="DOI" value="10.1109/TC.2013.145"/>
</reference> </reference>
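Review bot: the new column adds accents to "Rodríguez-Henríquez" while leaving the trailing period in <organization>CINVESTAV-IPN, San Pedro Zacatenco, Mexico City, Mexico.</organization> and keeping other names unaccented elsewhere (for example "Universite", "Sao Paulo"); drop the stray period here and pick one convention for diacritics across the reference list rather than applying it to a single entry.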
<reference anchor="BN05" target="https://doi.org/10.1007/11693383_22"> <reference anchor="BN05" target="https://doi.org/10.1007/11693383_22">
<front> <front>
<title>Pairing-Friendly Elliptic Curves of Prime Order</title> <title>Pairing-Friendly Elliptic Curves of Prime Order</title>
<seriesInfo name="DOI" value="10.1007/11693383_22"/> <author initials="P. S. L. M." surname="Barreto" fullname="Paulo S.
<seriesInfo name="pages" value="319-331"/> L. M. Barreto">
<seriesInfo name="In" value="Selected Areas in Cryptography 2005"/>
<author initials="P." surname="Barreto" fullname="Paulo S. L. M. Bar
<organization>Escola Politecnica, Universidade de Sao Paulo, Sao P aulo, Brazil</organization> <organization>Escola Politecnica, Universidade de Sao Paulo, Sao P aulo, Brazil</organization>
</author> </author>
<author initials="M." surname="Naehrig" fullname="Michael Naehrig"> <author initials="M." surname="Naehrig" fullname="Michael Naehrig">
<organization>Lehrstuhl fur Theoretische Informationstechnik, Rhei nisch-Westfalische Technische Hochschule Aachen, Aachen, Germany</organization> <organization>Lehrstuhl fur Theoretische Informationstechnik, Rhei nisch-Westfalische Technische Hochschule Aachen, Aachen, Germany</organization>
</author> </author>
<date year="2006"/> <date year="2006"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography 2005, pages 319-331</refcontent>
<seriesInfo name="DOI" value="10.1007/11693383_22"/>
</reference> </reference>
<reference anchor="AFQTZ14" target="https://doi.org/10.1007/978-3-319-13051-4_2"> <reference anchor="AFQTZ14" target="https://doi.org/10.1007/978-3-319-13051-4_2">
<front> <front>
<title>Binary Elligator squared</title> <title>Binary Elligator Squared</title>
<seriesInfo name="DOI" value="10.1007/978-3-319-13051-4_2"/> <author initials="D. F." surname="Aranha" fullname="Diego F. Aranha"
<seriesInfo name="pages" value="20-37"/> >
<seriesInfo name="In" value="Selected Areas in Cryptography - SAC 2014"/>
<author initials="D.F." surname="Aranha" fullname="Diego F. Aranha">
<organization>Institute of Computing, University of Campinas</organization> <organization>Institute of Computing, University of Campinas</organization>
</author> </author>
<author initials="P.A." surname="Fouque" fullname="Pierre-Alain Fouque"> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fouque">
<organization>Universite de Rennes 1 and Institut Universitaire de France</organization> <organization>Universite de Rennes 1 and Institut Universitaire de France</organization>
</author> </author>
<author initials="C." surname="Qian" fullname="Chen Qian"> <author initials="C." surname="Qian" fullname="Chen Qian">
<organization>ENS Rennes</organization> <organization>ENS Rennes</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<author initials="J.C." surname="Zapalowicz" fullname="Jean-Christophe Zapalowicz"> <author initials="J. C." surname="Zapalowicz" fullname="Jean-Christophe Zapalowicz">
<organization>INRIA</organization> <organization>INRIA</organization>
</author> </author>
<date year="2014"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography - SAC 2014, pages 20-37</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-319-13051-4_2"/>
</reference> </reference>
<reference anchor="T14" target="https://doi.org/10.1007/978-3-662-45472-5_10"> <reference anchor="T14" target="https://doi.org/10.1007/978-3-662-45472-5_10">
<front> <front>
<title>Elligator squared: Uniform points on elliptic curves of prime <title>Elligator Squared: Uniform Points on Elliptic Curves of Prime
order as uniform random strings</title> Order as Uniform Random Strings</title>
<seriesInfo name="DOI" value="10.1007/978-3-662-45472-5_10"/>
<seriesInfo name="pages" value="139-156"/>
<seriesInfo name="In" value="Financial Cryptography and Data Securit
y - FC 2014"/>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2014"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In Financial Cryptography and Data Security - FC 2014, pages 139-156</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-662-45472-5_10"/>
</reference> </reference>
<reference anchor="TK17" target="https://doi.org/10.1007/s10623-016-0288-2"> <reference anchor="TK17" target="https://doi.org/10.1007/s10623-016-0288-2">
<front> <front>
<title>Improved elliptic curve hashing and point representation</title> <title>Improved elliptic curve hashing and point representation</title>
<seriesInfo name="DOI" value="10.1007/s10623-016-0288-2"/>
<seriesInfo name="pages" value="161-177"/>
<seriesInfo name="In" value="Designs, Codes, and Cryptography, vol 82"/>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<author initials="T." surname="Kim" fullname="Taechan Kim"> <author initials="T." surname="Kim" fullname="Taechan Kim">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2017"/> <date year="2017" month="January"/>
</front> </front>
<refcontent>In Designs, Codes, and Cryptography, vol 82, pages 161-177</refcontent>
<seriesInfo name="DOI" value="10.1007/s10623-016-0288-2"/>
</reference> </reference>
<reference anchor="BF01" target="https://doi.org/10.1007/3-540-44647-8_13"> <reference anchor="BF01" target="https://doi.org/10.1007/3-540-44647-8_13">
<front> <front>
<title>Identity-based encryption from the Weil pairing</title> <title>Identity-Based Encryption from the Weil Pairing</title>
<seriesInfo name="DOI" value="10.1007/3-540-44647-8_13"/>
<seriesInfo name="pages" value="213-229"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2001"/>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="M." surname="Franklin" fullname="Matthew Franklin"> <author initials="M." surname="Franklin" fullname="Matthew Franklin">
<organization>UC Davis</organization> <organization>UC Davis</organization>
</author> </author>
<date year="2001" month="August"/> <date year="2001" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2001, pages 213-229</refcontent>
<seriesInfo name="DOI" value="10.1007/3-540-44647-8_13"/>
</reference> </reference>
<reference anchor="BLS01" target="https://doi.org/10.1007/s00145-004-0314-9"> <reference anchor="BLS01" target="https://doi.org/10.1007/s00145-004-0314-9">
<front> <front>
<title>Short signatures from the Weil pairing</title> <title>Short Signatures from the Weil Pairing</title>
<seriesInfo name="DOI" value="10.1007/s00145-004-0314-9"/>
<seriesInfo name="pages" value="297-319"/>
<seriesInfo name="In" value="Journal of Cryptology, vol 17"/>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="B." surname="Lynn" fullname="Ben Lynn"> <author initials="B." surname="Lynn" fullname="Ben Lynn">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="H." surname="Shacham" fullname="Hovav Shacham"> <author initials="H." surname="Shacham" fullname="Hovav Shacham">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2004" month="July"/> <date year="2004" month="July"/>
</front> </front>
<refcontent>In Journal of Cryptology, vol 17, pages 297-319</refcontent>
<seriesInfo name="DOI" value="10.1007/s00145-004-0314-9"/>
</reference> </reference>
<reference anchor="BLS03" target="https://doi.org/10.1007/3-540-36413-7_19"> <reference anchor="BLS03" target="https://doi.org/10.1007/3-540-36413-7_19">
<front> <front>
<title>Constructing Elliptic Curves with Prescribed Embedding Degrees</title> <title>Constructing Elliptic Curves with Prescribed Embedding Degrees</title>
<seriesInfo name="DOI" value="10.1007/3-540-36413-7_19"/> <author initials="P. S. L. M." surname="Barreto" fullname="Paulo S.
<seriesInfo name="pages" value="257-267"/> L. M. Barreto">
<seriesInfo name="In" value="Security in Communication Networks"/>
<author initials="P." surname="Barreto" fullname="Paulo S. L. M. Barreto">
<organization>Universidade de Sao Paulo, Brazil</organization> <organization>Universidade de Sao Paulo, Brazil</organization>
</author> </author>
<author initials="B." surname="Lynn" fullname="Ben Lynn"> <author initials="B." surname="Lynn" fullname="Ben Lynn">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="M." surname="Scott" fullname="Michael Scott"> <author initials="M." surname="Scott" fullname="Michael Scott">
<organization>Dublin City University, Ireland</organization> <organization>Dublin City University, Ireland</organization>
</author> </author>
<date year="2003"/> <date year="2002" month="September"/>
</front> </front>
<refcontent>In Security in Communication Networks, pages 257-267</refcontent>
<seriesInfo name="DOI" value="10.1007/3-540-36413-7_19"/>
</reference> </reference>
<reference anchor="BM92" target="https://doi.org/10.1109/RISP.1992.213269"> <reference anchor="BM92" target="https://doi.org/10.1109/RISP.1992.213269">
<front> <front>
<title>Encrypted key exchange: Password-based protocols secure again <title>Encrypted key exchange: password-based protocols secure again
st dictionary attacks</title> st dictionary attacks</title>
<seriesInfo name="DOI" value="10.1109/RISP.1992.213269"/> <author initials="S. M." surname="Bellovin" fullname="Steven M. Bell
<seriesInfo name="pages" value="72-84"/> ovin">
<seriesInfo name="In" value="IEEE Symposium on Security and Privacy
- Oakland 1992"/>
<author initials="S.M." surname="Bellovin" fullname="Steven M. Bellovin">
<organization>AT&amp;T Bell Laboratories</organization> <organization>AT&amp;T Bell Laboratories</organization>
</author> </author>
<author initials="M." surname="Merritt" fullname="Michael Merritt"> <author initials="M." surname="Merritt" fullname="Michael Merritt">
<organization>AT&amp;T Bell Laboratories</organization> <organization>AT&amp;T Bell Laboratories</organization>
</author> </author>
<date year="1992"/> <date year="1992" month="May"/>
</front> </front>
<refcontent>In IEEE Symposium on Security and Privacy - Oakland 1992, pages 72-84</refcontent>
<seriesInfo name="DOI" value="10.1109/RISP.1992.213269"/>
</reference> </reference>
<reference anchor="BMP00" target="https://doi.org/10.1007/3-540-45539-6_12"> <reference anchor="BMP00" target="https://doi.org/10.1007/3-540-45539-6_12">
<front> <front>
<title>Provably secure password-authenticated key exchange using Dif <title>Provably Secure Password-Authenticated Key Exchange Using Dif
fie-Hellman</title> fie-Hellman</title>
<seriesInfo name="DOI" value="10.1007/3-540-45539-6_12"/>
<seriesInfo name="pages" value="156-171"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2000"/>
<author initials="V." surname="Boyko" fullname="Victor Boyko"> <author initials="V." surname="Boyko" fullname="Victor Boyko">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<author initials="P.D." surname="MacKenzie" fullname="Philip D. MacKenzie"> <author initials="P." surname="MacKenzie" fullname="Philip D. MacKenzie">
<organization>Bell Laboratories, Lucent Technologies</organization> <organization>Bell Laboratories, Lucent Technologies</organization>
</author> </author>
<author initials="S." surname="Patel" fullname="Sarvar Patel"> <author initials="S." surname="Patel" fullname="Sarvar Patel">
<organization>Bell Laboratories, Lucent Technologies</organization> <organization>Bell Laboratories, Lucent Technologies</organization>
</author> </author>
<date year="2000" month="May"/> <date year="2000" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2000, pages 156-171</refcontent>
<seriesInfo name="DOI" value="10.1007/3-540-45539-6_12"/>
</reference> </reference>
<reference anchor="J96" target="https://doi.org/10.1145/242896.242897"> <reference anchor="J96" target="https://doi.org/10.1145/242896.242897">
<front> <front>
<title>Strong password-only authenticated key exchange</title> <title>Strong password-only authenticated key exchange</title>
<seriesInfo name="DOI" value="10.1145/242896.242897"/> <author initials="D. P." surname="Jablon" fullname="David P. Jablon"
<seriesInfo name="pages" value="5-26"/> >
<seriesInfo name="In" value="SIGCOMM Computer Communication Review, <organization></organization>
vol 26 issue 5"/>
<author initials="D.P." surname="Jablon" fullname="David P. Jablon">
<organization>Integrity Sciences, Inc. Westboro, MA.</organization>
</author> </author>
<date year="1996"/> <date year="1996" month="October"/>
</front> </front>
<refcontent>In SIGCOMM Computer Communication Review, vol 26 issue 5, pages 5-26</refcontent>
<seriesInfo name="DOI" value="10.1145/242896.242897"/>
</reference> </reference>
<reference anchor="hash2curve-repo" target="https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve"> <reference anchor="hash2curve-repo" target="https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve">
<front> <front>
<title>Hashing to Elliptic Curves - GitHub repository</title> <title>Hashing to Elliptic Curves</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date year="2022" month="June"/>
</front> </front>
<refcontent>commit 664b135</refcontent>
</reference> </reference>
<reference anchor="jubjub-fq" target="https://github.com/zkcrypto/jubjub/blob/master/src/fq.rs"> <reference anchor="jubjub-fq" target="https://github.com/zkcrypto/jubjub/pull/18">
<front> <front>
<title>zkcrypto/jubjub - fq.rs</title> <title>zkcrypto/jubjub - fq.rs</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="L13" target="https://www.imperialviolet.org/2013/12/25/elligator.html"> <reference anchor="L13" target="https://www.imperialviolet.org/2013/12/25/elligator.html">
<front> <front>
<title>Implementing Elligator for Curve25519</title> <title>Implementing Elligator for Curve25519</title>
<author initials="A." surname="Langley" fullname="Adam Langley"> <author initials="A." surname="Langley" fullname="Adam Langley">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date year="2013" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="SBCDK09" target="https://doi.org/10.1007/978-3-642-03298-1_8"> <reference anchor="SBCDK09" target="https://doi.org/10.1007/978-3-642-03298-1_8">
<front> <front>
<title>Fast Hashing to G2 on Pairing-Friendly Curves</title> <title>Fast Hashing to G2 on Pairing-Friendly Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-03298-1_8"/>
<seriesInfo name="pages" value="102-113"/>
<seriesInfo name="In" value="Pairing-Based Cryptography - Pairing 2009"/>
<author initials="M." surname="Scott" fullname="Michael Scott"> <author initials="M." surname="Scott" fullname="Michael Scott">
<organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization>
</author> </author>
<author initials="N." surname="Benger" fullname="Naomi Benger"> <author initials="N." surname="Benger" fullname="Naomi Benger">
<organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization>
</author> </author>
<author initials="M." surname="Charlemagne" fullname="Manuel Charlemagne"> <author initials="M." surname="Charlemagne" fullname="Manuel Charlemagne">
<organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization>
</author> </author>
<author initials="L.J." surname="Dominguez Perez" fullname="Luis J. Dominguez Perez"> <author initials="L. J." surname="Dominguez Perez" fullname="Luis J. Dominguez Perez">
<organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization>
</author> </author>
<author initials="E.J." surname="Kachisa" fullname="Ezekiel J. Kachisa"> <author initials="E. J." surname="Kachisa" fullname="Ezekiel J. Kachisa">
<organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun. Dublin, Ireland.</organization>
</author> </author>
<date year="2009"/> <date year="2009" month="August"/>
</front> </front>
<refcontent>In Pairing-Based Cryptography - Pairing 2009, pages 102-113</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-03298-1_8"/>
</reference> </reference>
<reference anchor="FKR11" target="https://doi.org/10.1007/978-3-642-28496-0_25"> <reference anchor="FKR11" target="https://doi.org/10.1007/978-3-642-28496-0_25">
<front> <front>
<title>Fast Hashing to G2 on Pairing-Friendly Curves</title> <title>Faster Hashing to G2</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-28496-0_25"/> <author initials="L." surname="Fuentes-Castañeda" fullname="Laura Fu
<seriesInfo name="pages" value="412-430"/> entes-Castañeda">
<seriesInfo name="In" value="Selected Areas in Cryptography"/>
<author initials="L." surname="Fuentes-Castaneda" fullname="Laura Fuentes-Castaneda">
<organization>Computer Science Department, CINVESTAV-IPN. Mexico</organization> <organization>Computer Science Department, CINVESTAV-IPN. Mexico</organization>
</author> </author>
<author initials="E." surname="Knapp" fullname="Edward Knapp"> <author initials="E." surname="Knapp" fullname="Edward Knapp">
<organization>Dept. Combinatorics &amp; Optimization, University of Waterloo, Canada</organization> <organization>Dept. Combinatorics &amp; Optimization, University of Waterloo, Canada</organization>
</author> </author>
<author initials="F." surname="Rodriguez-Henriquez" fullname="Francisco Rodriguez-Henriquez"> <author initials="F." surname="Rodriguez-Henriquez" fullname="Francisco Rodriguez-Henriquez">
<organization>Computer Science Department, CINVESTAV-IPN. Mexico</organization> <organization>Computer Science Department, CINVESTAV-IPN. Mexico</organization>
</author> </author>
<date year="2011"/> <date year="2011" month="August"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography, pages 412-430</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-28496-0_25"/>
</reference> </reference>
<reference anchor="BP17" target="https://eprint.iacr.org/2017/419"> <reference anchor="BP17" target="https://eprint.iacr.org/2017/419">
<front> <front>
<title>Efficient hash maps to G2 on BLS curves</title> <title>Efficient hash maps to \mathbb{G}_2 on BLS curves</title>
<seriesInfo name="ePrint" value="2017/419"/>
<author initials="A." surname="Budroni" fullname="Alessandro Budroni"> <author initials="A." surname="Budroni" fullname="Alessandro Budroni">
<organization>University of Bergen, Norway and MIRACL Labs, London, England</organization> <organization>University of Bergen, Norway and MIRACL Labs, London, England</organization>
</author> </author>
<author initials="F." surname="Pintore" fullname="Federico Pintore"> <author initials="F." surname="Pintore" fullname="Federico Pintore">
<organization>University of Trento, Italy</organization> <organization>University of Trento, Italy</organization>
</author> </author>
<date year="2017" month="May"/> <date year="2017" month="May"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2017/419</refcontent>
</reference> </reference>
<reference anchor="BHKL13" target="https://doi.org/10.1145/2508859.2516734"> <reference anchor="BHKL13" target="https://doi.org/10.1145/2508859.2516734">
<front> <front>
<title>Elligator: elliptic-curve points indistinguishable from uniform random strings</title> <title>Elligator: elliptic-curve points indistinguishable from uniform random strings</title>
<seriesInfo name="DOI" value="10.1145/2508859.2516734"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="pages" value="967-980"/> nstein">
<seriesInfo name="In" value="Proceedings of the 2013 ACM SIGSAC Conf
erence on Computer and Communications Security"/>
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bernstein">
<organization>Department of Computer Science, University of Illinois at Chicago, USA</organization> <organization>Department of Computer Science, University of Illinois at Chicago, USA</organization>
</author> </author>
<author initials="M." surname="Hamburg" fullname="Mike Hamburg"> <author initials="M." surname="Hamburg" fullname="Mike Hamburg">
<organization>Cryptography Research, a division of Rambus, USA</organization> <organization>Cryptography Research, a division of Rambus, USA</organization>
</author> </author>
<author initials="A." surname="Krasnova" fullname="Anna Krasnova"> <author initials="A." surname="Krasnova" fullname="Anna Krasnova">
<organization>Privacy &amp; Identity lab, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands</organization> <organization>Privacy &amp; Identity lab, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands</organization>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2013" month="November"/> <date year="2013" month="November"/>
</front> </front>
<refcontent>In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Com
munications Security, pages 967-980</refcontent>
<seriesInfo name="DOI" value="10.1145/2508859.2516734"/>
</reference> </reference>
<reference anchor="BLMP19" target="https://doi.org/10.1007/978-3-030-17656-3"> <reference anchor="BLMP19" target="https://doi.org/10.1007/978-3-030-17656-3">
<front> <front>
<title>Quantum circuits for the CSIDH: optimizing quantum evaluation <title>Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation
of isogenies</title> of Isogenies</title>
<seriesInfo name="DOI" value="10.1007/978-3-030-17656-3"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2019"/> nstein">
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bernstein">
<organization>Department of Computer Science, University of Illinois at Chicago, USA</organization> <organization>Department of Computer Science, University of Illinois at Chicago, USA</organization>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="C." surname="Martindale" fullname="Chloe Martindale"> <author initials="C." surname="Martindale" fullname="Chloe Martindale">
<organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="L." surname="Panny" fullname="Lorenz Panny"> <author initials="L." surname="Panny" fullname="Lorenz Panny">
<organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2019"/> <date year="2019" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2019, pages 409-441</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-030-17656-3"/>
</reference> </reference>
<reference anchor="SS04" target="https://doi.org/10.4064/ba52-3-1"> <reference anchor="SS04" target="https://doi.org/10.4064/ba52-3-1">
<front> <front>
<title>On equations y^2 = x^n + k in a finite field.</title> <title>On equations y^2 = x^n + k in a finite field</title>
<seriesInfo name="DOI" value="10.4064/ba52-3-1"/>
<seriesInfo name="pages" value="223-226"/>
<seriesInfo name="In" value="Bulletin Polish Acad. Sci. Math. vol 52
, no 3"/>
<author initials="A." surname="Schinzel" fullname="Andrzej Schinzel"> <author initials="A." surname="Schinzel" fullname="Andrzej Schinzel">
<organization>Department of Mathematics, University of Warsaw</organization> <organization>Department of Mathematics, University of Warsaw</organization>
</author> </author>
<author initials="M." surname="Skalba" fullname="Mariusz Skalba"> <author initials="M." surname="Skałba" fullname="Mariusz Skałba">
<organization>Department of Mathematics, University of Warsaw</organization> <organization>Department of Mathematics, University of Warsaw</organization>
</author> </author>
<date year="2004"/> <date year="2004"/>
</front> </front>
<refcontent>In Bulletin Polish Academy of Sciences. Mathematics, vol 52 no 3, pa
ges 223-226</refcontent>
<seriesInfo name="DOI" value="10.4064/ba52-3-1"/>
</reference> </reference>
<reference anchor="S05" target="https://doi.org/10.4064/aa117-3-7"> <reference anchor="S05" target="https://doi.org/10.4064/aa117-3-7">
<front> <front>
<title>Points on elliptic curves over finite fields</title> <title>Points on elliptic curves over finite fields</title>
<seriesInfo name="DOI" value="10.4064/aa117-3-7"/> <author initials="M." surname="Skałba" fullname="Mariusz Skałba">
<seriesInfo name="pages" value="293-301"/>
<seriesInfo name="In" value="Acta Arithmetica, vol 117 no 3"/>
<author initials="M." surname="Skalba" fullname="Mariusz Skalba">
<organization>Department of Mathematics, University of Warsaw</organization> <organization>Department of Mathematics, University of Warsaw</organization>
</author> </author>
<date year="2005"/> <date year="2005"/>
</front> </front>
<refcontent>In Acta Arithmetica, vol 117 no 3, pages 293-301</refcontent>
<seriesInfo name="DOI" value="10.4064/aa117-3-7"/>
</reference> </reference>
<reference anchor="SW06" target="https://doi.org/10.1007/11792086_36"> <reference anchor="SW06" target="https://doi.org/10.1007/11792086_36">
<front> <front>
<title>Construction of rational points on elliptic curves over finit <title>Construction of Rational Points on Elliptic Curves over Finit
e fields</title> e Fields</title>
<seriesInfo name="DOI" value="10.1007/11792086_36"/>
<seriesInfo name="pages" value="510-524"/>
<seriesInfo name="In" value="Algorithmic Number Theory. ANTS 2006."/>
<author initials="A." surname="Shallue" fullname="Andrew Shallue"> <author initials="A." surname="Shallue" fullname="Andrew Shallue">
<organization>Mathematics Department, University of Wisconsin-Madison. Madison, USA.</organization> <organization>Mathematics Department, University of Wisconsin-Madison. Madison, USA.</organization>
</author> </author>
<author initials="C." surname="van de Woestijne" fullname="Christiaan van de Woestijne"> <author initials="C. E." surname="van de Woestijne" fullname="Christiaan van de Woestijne">
<organization>Mathematisch Instituut, Universiteit Leiden. Leiden, The Netherlands.</organization> <organization>Mathematisch Instituut, Universiteit Leiden. Leiden, The Netherlands.</organization>
</author> </author>
<date year="2006"/> <date year="2006" month="July"/>
</front> </front>
<refcontent>In Algorithmic Number Theory - ANTS 2006, pages 510-524</refcontent>
<seriesInfo name="DOI" value="10.1007/11792086_36"/>
</reference> </reference>
<reference anchor="U07" target="https://doi.org/10.4064/ba55-2-1"> <reference anchor="U07" target="https://doi.org/10.4064/ba55-2-1">
<front> <front>
<title>Rational points on certain hyperelliptic curves over finite f <title>Rational Points on Certain Hyperelliptic Curves over Finite F
ields</title> ields</title>
<seriesInfo name="DOI" value="10.4064/ba55-2-1"/>
<seriesInfo name="pages" value="97-104"/>
<seriesInfo name="In" value="Bulletin Polish Acad. Sci. Math. vol 55
, no 2"/>
<author initials="M." surname="Ulas" fullname="Maciej Ulas"> <author initials="M." surname="Ulas" fullname="Maciej Ulas">
<organization>Institute of Mathematics, Jagiellonian University. Poland</organization> <organization>Institute of Mathematics, Jagiellonian University. Poland</organization>
</author> </author>
<date year="2007"/> <date year="2007" month="July"/>
</front> </front>
<refcontent>In Bulletin Polish Academy of Science. Mathematics, vol 55 no 2, pag
es 97-104</refcontent>
<seriesInfo name="DOI" value="10.4064/ba55-2-1"/>
</reference> </reference>
<reference anchor="BCIMRT10" target="https://doi.org/10.1007/978-3-642-14623-7_13"> <reference anchor="BCIMRT10" target="https://doi.org/10.1007/978-3-642-14623-7_13">
<front> <front>
<title>Efficient Indifferentiable Hashing into Ordinary Elliptic Curves</title> <title>Efficient Indifferentiable Hashing into Ordinary Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_13"/>
<seriesInfo name="pages" value="237-254"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2010"/>
<author initials="E." surname="Brier" fullname="Eric Brier"> <author initials="E." surname="Brier" fullname="Eric Brier">
<organization>Ingenico</organization> <organization>Ingenico</organization>
</author> </author>
<author initials="J-S." surname="Coron" fullname="Jean-Sebastien Coron"> <author initials="J.-S." surname="Coron" fullname="Jean-Sebastien Coron">
<organization>Universite du Luxembourg</organization> <organization>Universite du Luxembourg</organization>
</author> </author>
<author initials="T." surname="Icart" fullname="Thomas Icart"> <author initials="T." surname="Icart" fullname="Thomas Icart">
<organization>Universite du Luxembourg</organization> <organization>Universite du Luxembourg</organization>
</author> </author>
<author initials="D." surname="Madore" fullname="David Madore"> <author initials="D." surname="Madore" fullname="David Madore">
<organization>TELECOM-ParisTech</organization> <organization>TELECOM-ParisTech</organization>
</author> </author>
<author initials="H." surname="Randriam" fullname="Hugues Randriam"> <author initials="H." surname="Randriam" fullname="Hugues Randriam">
<organization>TELECOM-ParisTech</organization> <organization>TELECOM-ParisTech</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>Universite du Luxembourg, Ecole normale superieure</organization> <organization>Universite du Luxembourg, Ecole normale superieure</organization>
</author> </author>
<date year="2010"/> <date year="2010" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2010, pages 237-254</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_13"/>
</reference> </reference>
<reference anchor="W08" target="https://www.crcpress.com/9781420071467"> <reference anchor="W08" target="https://www.crcpress.com/9781420071467">
<front> <front>
<title>Elliptic curves: Number theory and cryptography</title> <title>Elliptic Curves: Number Theory and Cryptography, Second Editi
<seriesInfo name="ISBN" value="9781420071467"/> on</title>
<seriesInfo name="publisher" value="Chapman and Hall / CRC"/> <author initials="L. C." surname="Washington" fullname="Lawrence C.
<seriesInfo name="edition" value="2nd"/> Washington">
<author initials="L.C." surname="Washington" fullname="Lawrence C. W
<organization/> <organization/>
</author> </author>
<date year="2008"/> <date year="2008" month="April"/>
</front> </front>
<refcontent>Chapman and Hall / CRC</refcontent>
<seriesInfo name="ISBN" value="9781420071467"/>
</reference> </reference>
<reference anchor="C93" target="https://doi.org/10.1007/978-3-662-02945- 9"> <reference anchor="C93" target="https://doi.org/10.1007/978-3-662-02945- 9">
<front> <front>
<title>A Course in Computational Algebraic Number Theory</title> <title>A Course in Computational Algebraic Number Theory</title>
<seriesInfo name="ISBN" value="9783642081422"/>
<seriesInfo name="publisher" value="Springer-Verlag"/>
<author initials="H." surname="Cohen" fullname="Henri Cohen"> <author initials="H." surname="Cohen" fullname="Henri Cohen">
<organization/> <organization/>
</author> </author>
<date year="1993"/> <date year="1993"/>
</front> </front>
<seriesInfo name="ISBN" value="9783642081422"/>
<seriesInfo name="DOI" value="10.1007/978-3-662-02945-9"/>
</reference> </reference>
<reference anchor="CFADLNV05" target="https://www.crcpress.com/978158488 5184"> <reference anchor="CFADLNV05" target="https://www.crcpress.com/978158488 5184">
<front> <front>
<title>Handbook of Elliptic and Hyperelliptic Curve Cryptography</ti tle> <title>Handbook of Elliptic and Hyperelliptic Curve Cryptography</ti tle>
<seriesInfo name="ISBN" value="9781584885184"/>
<seriesInfo name="publisher" value="Chapman and Hall / CRC"/>
<author initials="H." surname="Cohen" fullname="Henri Cohen"> <author initials="H." surname="Cohen" fullname="Henri Cohen">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Frey" fullname="Gerhard Frey"> <author initials="G." surname="Frey" fullname="Gerhard Frey">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Avanzi" fullname="Roberto Avanzi"> <author initials="R." surname="Avanzi" fullname="Roberto Avanzi">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Doche" fullname="Christophe Doche"> <author initials="C." surname="Doche" fullname="Christophe Doche">
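Review bot: the C93 entry loses its publisher in this hunk: `<seriesInfo name="publisher" value="Springer-Verlag"/>` is removed from `<front>`, but unlike W08 and CFADLNV05, where the publisher is carried over as `<refcontent>Chapman and Hall / CRC</refcontent>`, no `<refcontent>Springer-Verlag</refcontent>` is added after `</front>`. Add it so the three book references follow the same pattern (refcontent for the publisher, seriesInfo for ISBN and DOI).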
skipping to change at line 3042 skipping to change at line 2931
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Nguyen" fullname="Kim Nguyen"> <author initials="K." surname="Nguyen" fullname="Kim Nguyen">
<organization/> <organization/>
</author> </author>
<author initials="F." surname="Vercauteren" fullname="Frederik Verca uteren"> <author initials="F." surname="Vercauteren" fullname="Frederik Verca uteren">
<organization/> <organization/>
</author> </author>
<date year="2005"/> <date year="2005"/>
</front> </front>
<refcontent>Chapman and Hall / CRC</refcontent>
<seriesInfo name="ISBN" value="9781584885184"/>
</reference> </reference>
<reference anchor="MOV96" target="http://cacr.uwaterloo.ca/hac/"> <reference anchor="MOV96" target="http://cacr.uwaterloo.ca/hac/">
<front> <front>
<title>Handbook of Applied Cryptography</title> <title>Handbook of Applied Cryptography</title>
<seriesInfo name="ISBN" value="9780849385230"/> <author initials="A. J." surname="Menezes" fullname="Alfred J. Menez
<seriesInfo name="publisher" value="CRC Press"/> es">
<author initials="A.J." surname="Menezes" fullname="Alfred J. Meneze
<organization/> <organization/>
</author> </author>
<author initials="P.C." surname="van Oorschot" fullname="Paul C. van Oorschot"> <author initials="P. C." surname="van Oorschot" fullname="Paul C. va n Oorschot">
<organization/> <organization/>
</author> </author>
<author initials="S.A." surname="Vanstone" fullname="Scott A. Vansto ne"> <author initials="S. A." surname="Vanstone" fullname="Scott A. Vanst one">
<organization/> <organization/>
</author> </author>
<date year="1996"/> <date year="1996" month="October"/>
</front> </front>
<refcontent>CRC Press</refcontent>
<seriesInfo name="ISBN" value="9780849385230"/>
</reference> </reference>
<reference anchor="WB19" target="https://eprint.iacr.org/2019/403"> <reference anchor="WB19" target="https://eprint.iacr.org/2019/403">
<front> <front>
<title>Fast and simple constant-time hashing to the BLS12-381 ellipt ic curve</title> <title>Fast and simple constant-time hashing to the BLS12-381 ellipt ic curve</title>
<seriesInfo name="ePrint" value="2019/403"/> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<seriesInfo name="DOI" value="10.13154/tches.v2019.i4.154-179"/>
<seriesInfo name="issue" value="4"/>
<seriesInfo name="volume" value="2019"/>
<seriesInfo name="In" value="IACR Trans. CHES"/>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2019" month="August"/> <date year="2019" month="August"/>
</front> </front>
<refcontent>In IACR Transactions on Cryptographic Hardware and Embedded Systems,
vol 2019 issue 4</refcontent>
<refcontent>Cryptology ePrint Archive, Paper 2019/403</refcontent>
<seriesInfo name="DOI" value="10.13154/tches.v2019.i4.154-179"/>
</reference> </reference>
<reference anchor="FFSTV13" target="https://doi.org/10.1090/S0025-5718-2 012-02606-8"> <reference anchor="FFSTV13" target="https://doi.org/10.1090/S0025-5718-2 012-02606-8">
<front> <front>
<title>Indifferentiable deterministic hashing to elliptic and hypere lliptic curves</title> <title>Indifferentiable deterministic hashing to elliptic and hypere lliptic curves</title>
<seriesInfo name="DOI" value="10.1090/S0025-5718-2012-02606-8"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="491-512"/> hahi">
<seriesInfo name="In" value="Math. Comp. vol 82"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="P.A." surname="Fouque" fullname="Pierre-Alain Fouq ue"> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou que">
<organization>Ecole normale superieure</organization> <organization>Ecole normale superieure</organization>
</author> </author>
<author initials="I.E." surname="Shparlinski" fullname="Igor E. Shpa rlinski"> <author initials="I. E." surname="Shparlinski" fullname="Igor E. Shp arlinski">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>Ecole normale superieure</organization> <organization>Ecole normale superieure</organization>
</author> </author>
<author initials="J.F." surname="Voloch" fullname="J. Felipe Voloch" > <author initials="J. F." surname="Voloch" fullname="J. Felipe Voloch ">
<organization>University of Texas</organization> <organization>University of Texas</organization>
</author> </author>
<date year="2013"/> <date year="2013"/>
</front> </front>
<refcontent>In Mathematics of Computation. vol 82, pages 491-512</refcontent>
<seriesInfo name="DOI" value="10.1090/S0025-5718-2012-02606-8"/>
</reference> </reference>
<reference anchor="MRH04" target="https://doi.org/10.1007/978-3-540-2463 8-1_2"> <reference anchor="MRH04" target="https://doi.org/10.1007/978-3-540-2463 8-1_2">
<front> <front>
<title>Indifferentiability, impossibility results on reductions, and <title>Indifferentiability, Impossibility Results on Reductions, and
applications to the random oracle methodology</title> Applications to the Random Oracle Methodology</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-24638-1_2"/>
<seriesInfo name="pages" value="21-39"/>
<seriesInfo name="In" value="TCC 2004: Theory of Cryptography"/>
<author initials="U." surname="Maurer" fullname="Ueli Maurer"> <author initials="U." surname="Maurer" fullname="Ueli Maurer">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<author initials="R." surname="Renner" fullname="Renato Renner"> <author initials="R." surname="Renner" fullname="Renato Renner">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<author initials="C." surname="Holenstein" fullname="Clemens Holenst ein"> <author initials="C." surname="Holenstein" fullname="Clemens Holenst ein">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<date year="2004" month="February"/> <date year="2004" month="February"/>
</front> </front>
<refcontent>In TCC 2004: Theory of Cryptography, pages 21-39</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-540-24638-1_2"/>
</reference> </reference>
<reference anchor="MRV99" target="https://doi.org/10.1109/SFFCS.1999.814 584"> <reference anchor="MRV99" target="https://doi.org/10.1109/SFFCS.1999.814 584">
<front> <front>
<title>Verifiable Random Functions</title> <title>Verifiable random functions</title>
<seriesInfo name="DOI" value="10.1109/SFFCS.1999.814584"/>
<seriesInfo name="In" value="Symposium on the Foundations of Compute
r Science"/>
<author initials="S." surname="Micali" fullname="Silvio Micali"> <author initials="S." surname="Micali" fullname="Silvio Micali">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<author initials="M." surname="Rabin" fullname="Michael Rabin"> <author initials="M." surname="Rabin" fullname="Michael Rabin">
<organization>Harvard University Department of Applied Science</or ganization> <organization>Harvard University Department of Applied Science</or ganization>
</author> </author>
<author initials="S." surname="Vadhan" fullname="Salil Vadhan"> <author initials="S." surname="Vadhan" fullname="Salil Vadhan">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<date year="1999" month="October"/> <date year="1999" month="October"/>
</front> </front>
<refcontent>40th Annual Symposium on Foundations of Computer Science (Cat. No.99
CB37039), pages 120-130</refcontent>
<seriesInfo name="DOI" value="10.1109/SFFCS.1999.814584"/>
</reference> </reference>
<reference anchor="NR97" target="https://doi.org/10.1109/SFCS.1997.64613 4"> <reference anchor="NR97" target="https://doi.org/10.1109/SFCS.1997.64613 4">
<front> <front>
<title>Number-theoretic constructions of efficient pseudo-random fun ctions</title> <title>Number-theoretic constructions of efficient pseudo-random fun ctions</title>
<seriesInfo name="DOI" value="10.1109/SFCS.1997.646134"/>
<seriesInfo name="In" value="Symposium on the Foundations of Compute
r Science"/>
<author initials="M." surname="Naor" fullname="Moni Naor"> <author initials="M." surname="Naor" fullname="Moni Naor">
<organization>Weizmann Institute</organization> <organization>Weizmann Institute</organization>
</author> </author>
<author initials="O." surname="Reingold" fullname="Omer Reingold"> <author initials="O." surname="Reingold" fullname="Omer Reingold">
<organization>Weizmann Institute</organization> <organization>Weizmann Institute</organization>
</author> </author>
<date year="1997" month="October"/> <date year="1997" month="October"/>
</front> </front>
<refcontent>In Proceedings 38th Annual Symposium on Foundations of Computer Scie
nce, pages 458-467</refcontent>
<seriesInfo name="DOI" value="10.1109/SFCS.1997.646134"/>
</reference> </reference>
<reference anchor="S85" target="https://doi.org/10.1090/S0025-5718-1985- 0777280-6"> <reference anchor="S85" target="https://doi.org/10.1090/S0025-5718-1985- 0777280-6">
<front> <front>
<title>Elliptic Curves Over Finite Fields and the Computation of Squ <title>Elliptic curves over finite fields and the computation of squ
are Roots mod p</title> are roots mod p</title>
<seriesInfo name="DOI" value="10.1090/S0025-5718-1985-0777280-6"/>
<seriesInfo name="pages" value="483-494"/>
<seriesInfo name="In" value="Mathematics of Computation vol 44 issue
<author initials="R." surname="Schoof" fullname="Rene Schoof"> <author initials="R." surname="Schoof" fullname="Rene Schoof">
<organization/> <organization/>
</author> </author>
<date year="1985" month="April"/> <date year="1985" month="April"/>
</front> </front>
<refcontent>In Mathematics of Computation, vol 44 issue 170, pages 483-494</refc
<seriesInfo name="DOI" value="10.1090/S0025-5718-1985-0777280-6"/>
</reference> </reference>
<reference anchor="SAGE" target="https://www.sagemath.org"> <reference anchor="SAGE" target="https://www.sagemath.org">
<front> <front>
<title>SageMath, the Sage Mathematics Software System</title> <title>SageMath, the Sage Mathematics Software System</title>
<author> <author>
<organization>The Sage Developers</organization> <organization>The Sage Developers</organization>
</author> </author>
<date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="LBB19" target="https://hal.inria.fr/hal-02100345/"> <reference anchor="LBB19" target="https://hal.inria.fr/hal-02100345/">
<front> <front>
<title>A Mechanised Proof of the WireGuard Virtual Private Network P <title>A Mechanised Cryptographic Proof of the WireGuard Virtual Pri
rotocol</title> vate Network Protocol</title>
<seriesInfo name="In" value="INRIA Research Report No. 9269"/>
<author initials="B." surname="Lipp" fullname="Benjamin Lipp"> <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<author initials="B." surname="Blanchet" fullname="Bruno Blanchet"> <author initials="B." surname="Blanchet" fullname="Bruno Blanchet">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<author initials="K." surname="Bhargavan" fullname="Karthikeyan Bhar gavan"> <author initials="K." surname="Bhargavan" fullname="Karthikeyan Bhar gavan">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<date year="2019" month="April"/> <date year="2019" month="April"/>
</front> </front>
<refcontent>In INRIA Research Report 9269</refcontent>
</reference> </reference>
<reference anchor="RCB16" target="https://doi.org/10.1007/978-3-662-4989 0-3_16"> <reference anchor="RCB16" target="https://doi.org/10.1007/978-3-662-4989 0-3_16">
<front> <front>
<title>Complete addition formulas for prime order elliptic curves</t <title>Complete Addition Formulas for Prime Order Elliptic Curves</t
itle> itle>
<seriesInfo name="DOI" value="10.1007/978-3-662-49890-3_16"/>
<seriesInfo name="pages" value="403-428"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2016
<author initials="J." surname="Renes" fullname="Joost Renes"> <author initials="J." surname="Renes" fullname="Joost Renes">
<organization>Radboud University</organization> <organization>Radboud University</organization>
</author> </author>
<author initials="C." surname="Costello" fullname="Craig Costello"> <author initials="C." surname="Costello" fullname="Craig Costello">
<organization>Microsoft Research</organization> <organization>Microsoft Research</organization>
</author> </author>
<author initials="L." surname="Batina" fullname="Lejla Batina"> <author initials="L." surname="Batina" fullname="Lejla Batina">
<organization>Radboud University</organization> <organization>Radboud University</organization>
</author> </author>
<date year="2016" month="May"/> <date year="2016" month="April"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2016, pages 403-428</refconten
<seriesInfo name="DOI" value="10.1007/978-3-662-49890-3_16"/>
</reference> </reference>
<reference anchor="RSS11" target="https://doi.org/10.1007/978-3-642-2046 5-4_27"> <reference anchor="RSS11" target="https://doi.org/10.1007/978-3-642-2046 5-4_27">
<front> <front>
<title>Careful with Composition: Limitations of the Indifferentiabil ity Framework</title> <title>Careful with Composition: Limitations of the Indifferentiabil ity Framework</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-20465-4_27"/>
<seriesInfo name="pages" value="487-506"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2011
<author initials="T." surname="Ristenpart" fullname="Thomas Ristenpa rt"> <author initials="T." surname="Ristenpart" fullname="Thomas Ristenpa rt">
<organization>University of Wisconsin-Madison</organization> <organization>University of Wisconsin-Madison</organization>
</author> </author>
<author initials="H." surname="Shacham" fullname="Hovav Shacham"> <author initials="H." surname="Shacham" fullname="Hovav Shacham">
<organization>UC San Diego</organization> <organization>UC San Diego</organization>
</author> </author>
<author initials="T." surname="Shrimpton" fullname="Thomas Shrimpton "> <author initials="T." surname="Shrimpton" fullname="Thomas Shrimpton ">
<organization>Portland State University</organization> <organization>Portland State University</organization>
</author> </author>
<date year="2011" month="May"/> <date year="2011" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2011, pages 487-506</refconten
<seriesInfo name="DOI" value="10.1007/978-3-642-20465-4_27"/>
</reference> </reference>
<reference anchor="W19" target="https://github.com/cfrg/draft-irtf-cfrg-
hash-to-curve/raw/master/doc/svdw_params.pdf"> <reference anchor="W19" target="https://github.com/cfrg/draft-irtf-cfrg-
<front> <front>
<title>An explicit, generic parameterization for the Shallue--van de Woestijne map</title> <title>An explicit, generic parameterization for the Shallue--van de Woestijne map</title>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby"> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2019"/> <date month="March" year="2020"/>
</front> </front>
<refcontent>commit e2a625f</refcontent>
</reference> </reference>
<reference anchor="p1363.2" target="https://standards.ieee.org/standard/ 1363_2-2008.html"> <reference anchor="p1363.2" target="https://standards.ieee.org/standard/ 1363_2-2008.html">
<front> <front>
<title>IEEE Standard Specification for Password-Based Public-Key Cry ptography Techniques</title> <title>IEEE Standard Specification for Password-Based Public-Key Cry ptography Techniques</title>
<author> <author>
<organization>IEEE Computer Society</organization> <organization>IEEE</organization>
</author> </author>
<date year="2008" month="September"/> <date year="2008" month="September"/>
</front> </front>
<seriesInfo name="IEEE" value="1363.2-2008"/>
</reference> </reference>
<reference anchor="p1363a" target="https://standards.ieee.org/standard/1 363a-2004.html"> <reference anchor="p1363a" target="https://standards.ieee.org/standard/1 363a-2004.html">
<front> <front>
<title>IEEE Standard Specifications for Public-Key Cryptography---Am endment 1: Additional Techniques</title> <title>IEEE Standard Specifications for Public-Key Cryptography - Am endment 1: Additional Techniques</title>
<author> <author>
<organization>IEEE Computer Society</organization> <organization>IEEE</organization>
</author> </author>
<date year="2004" month="March"/> <date year="2004" month="March"/>
</front> </front>
<seriesInfo name="IEEE" value="1363a-2004"/>
</reference> </reference>
<reference anchor="MT98" target="https://doi.org/10.1145/272991.272995"> <reference anchor="MT98" target="https://doi.org/10.1145/272991.272995">
<front> <front>
<title>Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator</title> <title>Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator</title>
<seriesInfo name="DOI" value="10.1145/272991.272995"/>
<seriesInfo name="pages" value="3-30"/>
<seriesInfo name="In" value="ACM Transactions on Modeling and Comput
er Simulation (TOMACS), Volume 8, Issue 1"/>
<author initials="M." surname="Matsumoto"> <author initials="M." surname="Matsumoto">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Nishimura"> <author initials="T." surname="Nishimura">
<organization/> <organization/>
</author> </author>
<date year="1998" month="January"/> <date year="1998" month="January"/>
</front> </front>
<refcontent>In ACM Transactions on Modeling and Computer Simulation (TOMACS), vo
l 8 issue 1, pages 3-30</refcontent>
<seriesInfo name="DOI" value="10.1145/272991.272995"/>
</reference> </reference>
<reference anchor="P20" target="https://eprint.iacr.org/2020/009"> <reference anchor="P20" target="https://eprint.iacr.org/2020/009">
<front> <front>
<title>Efficient Elliptic Curve Operations On Microcontrollers With Finite Field Extensions</title> <title>Efficient Elliptic Curve Operations On Microcontrollers With Finite Field Extensions</title>
<author initials="T." surname="Pornin" fullname="Thomas Pornin"> <author initials="T." surname="Pornin" fullname="Thomas Pornin">
<organization>NCC Group</organization> <organization>NCC Group</organization>
</author> </author>
<date year="2020"/> <date year="2020"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2020/009</refcontent>
</reference> </reference>
<reference anchor="H20" target="https://eprint.iacr.org/2020/1513"> <reference anchor="H20" target="https://eprint.iacr.org/2020/1513">
<front> <front>
<title>Indifferentiable hashing from Elligator 2</title> <title>Indifferentiable hashing from Elligator 2</title>
<author initials="M." surname="Hamburg" fullname="Mike Hamburg"> <author initials="M." surname="Hamburg" fullname="Mike Hamburg">
<organization>Rambus Inc</organization> <organization>Rambus Inc</organization>
</author> </author>
<date year="2020"/> <date year="2020"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2020/1513</refcontent>
</reference> </reference>
<reference anchor="I-D.irtf-cfrg-bls-signature">
<title>BLS Signatures</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bls-signatu
<author fullname="Dan Boneh">
<organization>Stanford University</organization>
<author fullname="Sergey Gorbunov">
<organization>University of Waterloo</organization>
<author fullname="Riad S. Wahby">
<organization>Stanford University</organization>
<author fullname="Hoeteck Wee">
<organization>NTT Research and ENS</organization>
<author fullname="Zhenfei Zhang">
<date day="10" month="September" year="2020"/>
<t> BLS is a digital signature scheme with aggregation propertie
s. Given
set of signatures (signature_1, ..., signature_n) anyone can produce
an aggregated signature. Aggregation can also be done on secret keys
and public keys. Furthermore, the BLS signature scheme is
deterministic, non-malleable, and efficient. Its simplicity and
cryptographic properties allows it to be useful in a variety of use-
cases, specifically when minimal storage space or bandwidth are
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</abstract> g-bls-signature.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</reference> g-vrf.xml"/>
<reference anchor="I-D.irtf-cfrg-vrf"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
<front> g-voprf.xml"/>
<title>Verifiable Random Functions (VRFs)</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-vrf-12"/>
<author fullname="Sharon Goldberg">
<organization>Boston University</organization>
<author fullname="Leonid Reyzin">
<organization>Boston University and Algorand</organization>
<author fullname="Dimitrios Papadopoulos">
<organization>Hong Kong University of Science and Technology</orga
<author fullname="Jan Vcelak">
<date day="26" month="May" year="2022"/>
<t> A Verifiable Random Function (VRF) is the public-key version
of a
keyed cryptographic hash. Only the holder of the private key can
compute the hash, but anyone with the public key can verify the
correctness of the hash. VRFs are useful for preventing enumeration
of hash-based data structures. This document specifies several VRF
constructions based on RSA and Elliptic Curves that are secure in the
cryptographic random oracle model.
This document is a product of the Crypto Forum Research Group (CFRG) <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7693.xml"
in the IRTF. />
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</abstract> g-ristretto255-decaf448.xml"/>
<reference anchor="I-D.irtf-cfrg-voprf">
<title>Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Gr
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-voprf-09"/>
<author fullname="Alex Davidson">
<organization>Brave Software</organization>
<author fullname="Armando Faz-Hernandez">
<organization>Cloudflare, Inc.</organization>
<author fullname="Nick Sullivan">
<organization>Cloudflare, Inc.</organization>
<author fullname="Christopher A. Wood">
<organization>Cloudflare, Inc.</organization>
<date day="8" month="February" year="2022"/>
<t> An Oblivious Pseudorandom Function (OPRF) is a two-party pro
between client and server for computing the output of a Pseudorandom
Function (PRF). The server provides the PRF secret key, and the
client provides the PRF input. At the end of the protocol, the
client learns the PRF output without learning anything about the PRF
secret key, and the server learns neither the PRF input nor output.
An OPRF can also satisfy a notion of 'verifiability', called a VOPRF.
A VOPRF ensures clients can verify that the server used a specific
private key during the execution of the protocol. A VOPRF can also
be partially-oblivious, called a POPRF. A POPRF allows clients and
servers to provide public input to the PRF computation. This
document specifies an OPRF, VOPRF, and POPRF instantiated within
standard prime-order groups, including elliptic curves.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8018.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7914.xml"
</reference> />
<reference anchor="RFC7693"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9106.xml"
<front> />
<title>The BLAKE2 Cryptographic Hash and Message Authentication Code <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"
(MAC)</title> />
<seriesInfo name="DOI" value="10.17487/RFC7693"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"
<seriesInfo name="RFC" value="7693"/> />
<author fullname="M-J. Saarinen" initials="M-J." role="editor" surna
<author fullname="J-P. Aumasson" initials="J-P." surname="Aumasson">
<date month="November" year="2015"/>
<t>This document describes the cryptographic hash function BLAKE2
and makes the algorithm specification and C source code conveniently available t
o the Internet community. BLAKE2 comes in two main flavors: BLAKE2b is optimize
d for 64-bit platforms and BLAKE2s for smaller architectures. BLAKE2 can be dir
ectly keyed, making it functionally equivalent to a Message Authentication Code
<reference anchor="I-D.irtf-cfrg-ristretto255-decaf448">
<title>The ristretto255 and decaf448 Groups</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-ristretto25
<author fullname="Henry de Valence">
<author fullname="Jack Grigg">
<author fullname="Mike Hamburg">
<author fullname="Isis Lovecruft">
<author fullname="George Tankersley">
<author fullname="Filippo Valsorda">
<date day="25" month="February" year="2022"/>
<t> This memo specifies two prime-order groups, ristretto255 and
decaf448, suitable for safely implementing higher-level and complex
cryptographic protocols. The ristretto255 group can be implemented
using Curve25519, allowing existing Curve25519 implementations to be
reused and extended to provide a prime-order group. Likewise, the
decaf448 group can be implemented using edwards448.
<reference anchor="RFC2898">
<title>PKCS #5: Password-Based Cryptography Specification Version 2.
<seriesInfo name="DOI" value="10.17487/RFC2898"/>
<seriesInfo name="RFC" value="2898"/>
<author fullname="B. Kaliski" initials="B." surname="Kaliski">
<date month="September" year="2000"/>
<t>This document provides recommendations for the implementation o
f password-based cryptography, covering key derivation functions, encryption sch
emes, message-authentication schemes, and ASN.1 syntax identifying the technique
s. This memo provides information for the Internet community.</t>
<reference anchor="RFC7914">
<title>The scrypt Password-Based Key Derivation Function</title>
<seriesInfo name="DOI" value="10.17487/RFC7914"/>
<seriesInfo name="RFC" value="7914"/>
<author fullname="C. Percival" initials="C." surname="Percival">
<author fullname="S. Josefsson" initials="S." surname="Josefsson">
<date month="August" year="2016"/>
<t>This document specifies the password-based key derivation funct
ion scrypt. The function derives one or more secret keys from a secret string.
It is based on memory-hard functions, which offer added protection against atta
cks using custom hardware. The document also provides an ASN.1 schema.</t>
<reference anchor="I-D.irtf-cfrg-argon2">
<title>Argon2 Memory-Hard Function for Password Hashing and Proof-of
-Work Applications</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-argon2-13"/
<author fullname="Alex Biryukov">
<organization>University of Luxembourg</organization>
<author fullname="Daniel Dinu">
<organization>University of Luxembourg</organization>
<author fullname="Dmitry Khovratovich">
<organization>ABDK Consulting</organization>
<author fullname="Simon Josefsson">
<organization>SJD AB</organization>
<date day="11" month="March" year="2021"/>
<t>This document describes the Argon2 memory-hard function for pas
sword hashing and proof-of-work applications. We provide an implementer-oriente
d description with test vectors. The purpose is to simplify adoption of Argon2
for Internet protocols. This document is a product of the Crypto Forum Research
Group (CFRG) in the IRTF.
<reference anchor="RFC2104">
<title>HMAC: Keyed-Hashing for Message Authentication</title>
<seriesInfo name="DOI" value="10.17487/RFC2104"/>
<seriesInfo name="RFC" value="2104"/>
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk">
<author fullname="M. Bellare" initials="M." surname="Bellare">
<author fullname="R. Canetti" initials="R." surname="Canetti">
<date month="February" year="1997"/>
<t>This document describes HMAC, a mechanism for message authentic
ation using cryptographic hash functions. HMAC can be used with any iterative cr
yptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared
key. The cryptographic strength of HMAC depends on the properties of the under
lying hash function. This memo provides information for the Internet community.
This memo does not specify an Internet standard of any kind</t>
<reference anchor="RFC5869">
<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)<
<seriesInfo name="DOI" value="10.17487/RFC5869"/>
<seriesInfo name="RFC" value="5869"/>
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk">
<author fullname="P. Eronen" initials="P." surname="Eronen">
<date month="May" year="2010"/>
<t>This document specifies a simple Hashed Message Authentication
Code (HMAC)-based key derivation function (HKDF), which can be used as a buildin
g block in various protocols and applications. The key derivation function (KDF
) is intended to support a wide range of applications and requirements, and is c
onservative in its use of cryptographic hash functions. This document is not an
Internet Standards Track specification; it is published for informational pur
</references> </references>
</references> </references>
    <section anchor="related">
      <name>Related Work</name>
      <t>The problem of mapping arbitrary bit strings to elliptic curve points
has been the subject of both practical and theoretical research.
This section briefly describes the background and research results
that underlie the recommendations in this document.
This section is provided for informational purposes only.</t>
      <t>A naive but generally insecure method of mapping a string msg to
a point on an elliptic curve E having n points is to first fix a point P that
generates the elliptic curve group, and a hash function Hn from bit strings
to integers less than n; then compute Hn(msg) * P, where the * operator
represents scalar multiplication. The reason this approach is insecure is
that the resulting point has a known discrete log relationship to P.
Thus, except in cases where this method is specified by the protocol,
it must not be used; doing so risks catastrophic security failures.</t>
      <t>Boneh et al.&nbsp;<xref target="BLS01"/> describe an encoding method they call MapToGroup,
which works roughly as follows: first, use the input string to initialize a
pseudorandom number generator, then use the generator to produce a
value x in F.
If x is the x-coordinate of a point on the elliptic curve, output that
point. Otherwise, generate a new value x in F and try again.
Since a random value x in F has probability about 1/2 of corresponding to
a point on the curve, the expected number of tries is just two.
However, the running time of this method, which is generally referred
to as a probabilistic try-and-increment algorithm, depends on the input string.
As such, it is not safe to use in protocols sensitive to timing
side channels, as was exemplified by the Dragonblood attack <xref target="VR20"/>.</t>
      <t>Schinzel and Skalba <xref target="SS04"/> introduce a method of constructing
elliptic curve points deterministically, for a restricted class of curves
and a very small number of points.
Skalba <xref target="S05"/> generalizes this construction to more curves and more points
on those curves.
Shallue and van de Woestijne <xref target="SW06"/> further generalize and simplify
Skalba's construction, yielding concretely efficient maps to a constant
fraction of the points on almost any curve.
Fouque and Tibouchi <xref target="FT12"/> give a parameterization of this mapping
for Barreto-Naehrig pairing-friendly curves <xref target="BN05"/>.</t>
      <t>Ulas <xref target="U07"/> describes a simpler version of the Shallue-van de Woestijne map,
and Brier et al.&nbsp;<xref target="BCIMRT10"/> give a further simplification, which the authors
call the "Simplified SWU" map.
That simplified map applies only to fields of characteristic p = 3 (mod 4);
Wahby and Boneh <xref target="WB19"/> generalize to fields of any characteristic and
give further optimizations.</t>
      <t>Boneh and Franklin give a deterministic algorithm mapping to certain
supersingular curves over fields of characteristic p = 2 (mod 3) <xref target="BF01"/>.
Icart gives another deterministic algorithm that maps to any curve
over a field of characteristic p = 2 (mod 3) <xref target="Icart09"/>.
Several extensions and generalizations follow this work, including
<xref target="FSV09"/>, <xref target="FT10"/>, <xref target="KLR10"/>, <xref target="F11"/>, and <xref target="CK11"/>.</t>
      <t>Following the work of Farashahi <xref target="F11"/>, Fouque et al.&nbsp;<xref target="FJT13"/> describe a
mapping to curves over fields of characteristic p = 3 (mod 4) having a number of points
divisible by 4. Bernstein et al.&nbsp;<xref target="BHKL13"/> optimize this mapping and
describe a related mapping that they call "Elligator 2," which applies to
any curve over a field of odd characteristic having a point of order 2.
This includes Curve25519 and Curve448, both of which are CFRG-recommended
curves <xref target="RFC7748"/>. Bernstein et al.&nbsp;<xref target="BLMP19"/> extend the Elligator 2 map
to a class of supersingular curves over fields of characteristic p = 3 (mod 4).</t>
      <t>An important caveat regarding all of the above deterministic mapping
functions is that none of them map to the entire curve, but rather to some
fraction of the points. This means that they cannot be used directly to
construct a random oracle that outputs points on the curve.</t>
      <t>Brier et al.&nbsp;<xref target="BCIMRT10"/> give two solutions to this problem.
The first, which Brier et al.&nbsp;prove applies to Icart's method,
computes f(H0(msg)) + f(H1(msg)) for two distinct hash functions
H0 and H1 from bit strings to F and a mapping f from F to the elliptic curve E.
The second, which applies to essentially all deterministic mappings but
is more costly, computes f(H0(msg)) + H2(msg) * P, where P is a generator of the
elliptic curve group, H2 is a hash from bit strings to integers modulo r,
and r is the order of the elliptic curve group.</t>
      <t>Farashahi et al.&nbsp;<xref target="FFSTV13"/> improve the analysis of the first method,
showing that it applies to essentially all deterministic mappings.
Tibouchi and Kim <xref target="TK17"/> further refine the analysis and describe additional
optimizations.</t>
      <t>Complementary to the problem of mapping from bit strings to elliptic curve
points, Bernstein et al.&nbsp;<xref target="BHKL13"/> study the problem of mapping from elliptic
curve points to uniformly random bit strings, giving solutions for a class of
curves that includes Montgomery and twisted Edwards curves.
Tibouchi <xref target="T14"/> and Aranha et al.&nbsp;<xref target="AFQTZ14"/> generalize these results.
This document does not deal with this complementary problem.</t>
    </section>
    <section anchor="appx-ristretto255">
      <name>Hashing to ristretto255</name>
      <t>ristretto255 <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/> provides a prime-order
group based on curve25519 <xref target="RFC7748"/>.
This section describes hash_to_ristretto255, which implements a random-oracle
encoding to this group that has a uniform output distribution (<xref target="term-rom"/>)
and the same security properties and interface as the hash_to_curve function
(<xref target="roadmap"/>).</t>
      <t>The ristretto255 API defines a one-way map (<xref section="4.3.4" sectionFormat="comma" target="I-D.irtf-cfrg-ristretto255-decaf448"/>); this section refers to that map as ristretto255_map.</t>
      <t>The hash_to_ristretto255 function <bcp14>MUST</bcp14> be instantiated with an expand_message
function that conforms to the requirements given in <xref target="hashtofield-expand"/>.
In addition, it <bcp14>MUST</bcp14> use a domain separation tag constructed as described
in <xref target="domain-separation"/>, and all domain separation recommendations given
in <xref target="security-considerations-domain-separation-expmsg-var"/> apply when implementing
protocols that use hash_to_ristretto255.</t>
      <sourcecode type="pseudocode"><![CDATA[
hash_to_ristretto255(msg)

Parameters:
- DST, a domain separation tag (see discussion above).
- expand_message, a function that expands a byte string and
  domain separation tag into a uniformly random byte string
  (see discussion above).
- ristretto255_map, the one-way map from the ristretto255 API.

Input: msg, an arbitrary-length byte string.
Output: P, an element of the ristretto255 group.

Steps:
1. uniform_bytes = expand_message(msg, DST, 64)
2. P = ristretto255_map(uniform_bytes)
3. return P
]]></sourcecode>
      <t>Since hash_to_ristretto255 is not a hash-to-curve suite, it does not
have a Suite ID.
If a similar identifier is needed, it <bcp14>MUST</bcp14> be constructed following
the guidelines in <xref target="suiteIDformat"/>, with the following parameters:</t>
      <ul spacing="normal">
        <li>CURVE_ID: "ristretto255"</li>
        <li>HASH_ID: as described in <xref target="suiteIDformat"/></li>
        <li>MAP_ID: "R255MAP"</li>
        <li>ENC_VAR: "RO"</li>
      </ul>
      <t>For example, if expand_message is expand_message_xmd using SHA-512, the
<bcp14>REQUIRED</bcp14> identifier is:</t>
      <artwork><![CDATA[
ristretto255_XMD:SHA-512_R255MAP_RO_
]]></artwork>
    </section>
    <section anchor="appx-decaf448">
      <name>Hashing to decaf448</name>
      <t>Similar to ristretto255, decaf448 <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/> provides
a prime-order group based on curve448 <xref target="RFC7748"/>.
This section describes hash_to_decaf448, which implements a random-oracle
encoding to this group that has a uniform output distribution (<xref target="term-rom"/>)
and the same security properties and interface as the hash_to_curve function
(<xref target="roadmap"/>).</t>
      <t>The decaf448 API defines a one-way map (<xref section="5.3.4" sectionFormat="comma" target="I-D.irtf-cfrg-ristretto255-decaf448"/>); this section refers to that map as decaf448_map.</t>
      <t>The hash_to_decaf448 function <bcp14>MUST</bcp14> be instantiated with an expand_message
function that conforms to the requirements given in <xref target="hashtofield-expand"/>.
In addition, it <bcp14>MUST</bcp14> use a domain separation tag constructed as described
in <xref target="domain-separation"/>, and all domain separation recommendations given
in <xref target="security-considerations-domain-separation-expmsg-var"/> apply when implementing
protocols that use hash_to_decaf448.</t>
      <sourcecode type="pseudocode"><![CDATA[
hash_to_decaf448(msg)

Parameters:
- DST, a domain separation tag (see discussion above).
- expand_message, a function that expands a byte string and
  domain separation tag into a uniformly random byte string
  (see discussion above).
- decaf448_map, the one-way map from the decaf448 API.

Input: msg, an arbitrary-length byte string.
Output: P, an element of the decaf448 group.

Steps:
1. uniform_bytes = expand_message(msg, DST, 112)
2. P = decaf448_map(uniform_bytes)
3. return P
]]></sourcecode>
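      <t>The following Python is an added example, not code from this document or from any ristretto255 or decaf448 library. It implements step 1 of both hash_to_ristretto255 and hash_to_decaf448 as specified here: expand_message_xmd and expand_message_xof as defined in this document, including the oversize-DST rule for tags longer than 255 bytes, and a wrapper that expands to the 64 or 112 uniform bytes the respective group's one-way map consumes. The one-way map itself is passed in by the caller, since it lives in the group implementation; the wrapper name hash_to_prime_order_group, the hash_name, xof_name and k_bits parameters, and the sample DST strings are assumptions of this example.</t>
<![CDATA[
```python
# Added example (not code from RFC 9380 or from any ristretto255/decaf448
# library): the two expand_message variants of this document and the
# expand-then-map procedure used by hash_to_ristretto255 / hash_to_decaf448.
# The one-way map itself is supplied by the caller (an assumption of this
# example), because it depends on the group implementation in use.
import hashlib
from typing import Callable

OVERSIZE_DST_PREFIX = b"H2C-OVERSIZE-DST-"           # prefix for DSTs > 255 bytes
MAP_INPUT_LEN = {"ristretto255": 64, "decaf448": 112}  # step 1 of the pseudocode


def i2osp(x: int, length: int) -> bytes:
    """Integer to big-endian octet string of fixed length (I2OSP of RFC 8017)."""
    return x.to_bytes(length, "big")


def strxor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int,
                       hash_name: str = "sha512") -> bytes:
    """expand_message_xmd of this document over a hashlib Merkle-Damgard hash."""
    h = hashlib.new(hash_name)
    b_in_bytes, s_in_bytes = h.digest_size, h.block_size
    if len(dst) > 255:                       # shorten a long DST by hashing it
        dst = hashlib.new(hash_name, OVERSIZE_DST_PREFIX + dst).digest()
    ell = -(-len_in_bytes // b_in_bytes)     # ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    z_pad = bytes(s_in_bytes)                # I2OSP(0, s_in_bytes)
    msg_prime = z_pad + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b_0 = hashlib.new(hash_name, msg_prime).digest()
    blocks = [hashlib.new(hash_name, b_0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):              # b_i = H(strxor(b_0, b_(i-1)) || i || DST_prime)
        prev = strxor(b_0, blocks[-1])
        blocks.append(hashlib.new(hash_name, prev + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def expand_message_xof(msg: bytes, dst: bytes, len_in_bytes: int,
                       xof_name: str = "shake_256", k_bits: int = 256) -> bytes:
    """expand_message_xof of this document; k_bits is the target security level
    used to size the hashed replacement of an oversize DST (ceil(2 * k / 8))."""
    if len(dst) > 255:
        dst = hashlib.new(xof_name, OVERSIZE_DST_PREFIX + dst).digest(-(-2 * k_bits // 8))
    if len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xof: parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    msg_prime = msg + i2osp(len_in_bytes, 2) + dst_prime
    return hashlib.new(xof_name, msg_prime).digest(len_in_bytes)


def hash_to_prime_order_group(group: str, msg: bytes, dst: bytes,
                              one_way_map: Callable[[bytes], object],
                              expand_message: Callable = expand_message_xmd):
    """hash_to_ristretto255 / hash_to_decaf448: expand msg under dst to the
    group's input length, then hand the uniform bytes to the one-way map."""
    uniform_bytes = expand_message(msg, dst, MAP_INPUT_LEN[group])
    return one_way_map(uniform_bytes)
```
]]>
      <t>A caller would pass its library's ristretto255_map or decaf448_map as one_way_map and a DST built per the domain separation guidance above, for instance a tag ending in the identifier ristretto255_XMD:SHA-512_R255MAP_RO_. The expander, not the map, is where the DST and the output length are bound into the result, which is why the length and DST checks sit there.</t>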
      <t>Since hash_to_decaf448 is not a hash-to-curve suite, it does not
have a Suite ID. If a similar identifier is needed, it <bcp14>MUST</bcp14> be constructed
following the guidelines in <xref target="suiteIDformat"/>, with the following parameters:</t>
      <ul spacing="normal">
        <li>CURVE_ID: "decaf448"</li>
        <li>HASH_ID: as described in <xref target="suiteIDformat"/></li>
        <li>MAP_ID: "D448MAP"</li>
        <li>ENC_VAR: "RO"</li>
      </ul>
      <t>For example, if expand_message is expand_message_xof using SHAKE256, the
<bcp14>REQUIRED</bcp14> identifier is:</t>
      <artwork><![CDATA[
decaf448_XOF:SHAKE256_D448MAP_RO_
]]></artwork>
    </section>
    <section anchor="appx-rational-map">
      <name>Rational Maps</name>
      <t>This section gives rational maps that can be used when hashing to
twisted Edwards or Montgomery curves.</t>
      <t>Given a twisted Edwards curve, <xref target="appx-rational-map-edw"/>
shows how to derive a corresponding Montgomery
curve and how to map from that curve to the twisted Edwards curve.
This mapping may be used when hashing to twisted Edwards curves
as described in <xref target="twisted-edwards"/>.</t>
      <t>Given a Montgomery curve, <xref target="appx-rational-map-mont"/> shows
how to derive a corresponding Weierstrass curve and how to map from that
curve to the Montgomery curve.
This mapping can be used to hash to Montgomery or twisted Edwards curves
via the Shallue-van de Woestijne method (<xref target="svdw"/>) or Simplified SWU method (<xref target="simple-swu"/>),
as follows:</t>
      <ul spacing="normal">
        <li>For Montgomery curves, first map to the Weierstrass curve, then convert
to Montgomery coordinates via the mapping.</li>
        <li>For twisted Edwards curves, compose the mapping from Weierstrass
to Montgomery with the mapping from Montgomery to twisted Edwards
(<xref target="appx-rational-map-edw"/>) to obtain a Weierstrass curve and a
mapping to the target twisted Edwards curve.
Map to this Weierstrass curve, then convert to Edwards coordinates
via the mapping.</li>
      </ul>
      <section anchor="appx-rational-map-edw">
        <name>Generic Mapping from Montgomery to Twisted Edwards</name>
        <t>This section gives a generic birational map between twisted Edwards
and Montgomery curves.</t>
        <t>The map in this section is a simplified version of the map given in
<xref target="BBJLP08"/>, Theorem 3.2.
Specifically, this section's map handles exceptional cases in a
simplified way that is geared towards hashing to a twisted Edwards
curve's prime-order subgroup.</t>
        <t>The twisted Edwards curve</t>
        <sourcecode type="pseudocode"><![CDATA[
a * v^2 + w^2 = 1 + d * v^2 * w^2
]]></sourcecode>
        <t>is birationally equivalent to the Montgomery curve</t>
        <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s
]]></sourcecode>
        <t>which has the form required by the Elligator 2 mapping of <xref target="elligator2"/>.
The coefficients of the Montgomery curve are</t>
        <ul spacing="normal">
          <li>J = 2 * (a + d) / (a - d)</li>
          <li>K = 4 / (a - d)</li>
        </ul>
        <t>The rational map from the point (s, t) on the above Montgomery curve
to the point (v, w) on the twisted Edwards curve is given by</t>
        <ul spacing="normal">
          <li>v = s / t</li>
          <li>w = (s - 1) / (s + 1)</li>
        </ul>
        <t>This mapping is undefined when t == 0 or s == -1, i.e., when
the denominator of either of the above rational functions is zero.
Implementations <bcp14>MUST</bcp14> detect exceptional cases and return the value
(v, w) = (0, 1), which is the identity point on all twisted Edwards curves.</t>
        <t>The following straight-line implementation of the above rational map
handles the exceptional cases.</t>
        <sourcecode type="pseudocode"><![CDATA[
monty_to_edw_generic(s, t)

Input: (s, t), a point on the curve K * t^2 = s^3 + J * s^2 + s.
Output: (v, w), a point on an equivalent twisted Edwards curve.

1. tv1 = s + 1
2. tv2 = tv1 * t       # (s + 1) * t
3. tv2 = inv0(tv2)     # 1 / ((s + 1) * t)
4. v = tv2 * tv1       # 1 / t
5. v = v * s           # s / t
6. w = tv2 * t         # 1 / (s + 1)
7. tv1 = s - 1
8. w = w * tv1         # (s - 1) / (s + 1)
9. e = tv2 == 0
10. w = CMOV(w, 1, e)  # handle exceptional case
11. return (v, w)
]]></sourcecode>
        <t>For completeness, we also give the inverse relations.
(Note that this map is not required when hashing to twisted Edwards curves.)
The coefficients of the twisted Edwards curve corresponding to
the above Montgomery curve are</t>
        <ul spacing="normal">
          <li>a = (J + 2) / K</li>
          <li>d = (J - 2) / K</li>
        </ul>
        <t>The rational map from the point (v, w) on the twisted Edwards
curve to the point (s, t) on the Montgomery curve is given by</t>
        <ul spacing="normal">
          <li>s = (1 + w) / (1 - w)</li>
          <li>t = (1 + w) / (v * (1 - w))</li>
        </ul>
        <t>The mapping is undefined when v == 0 or w == 1.
When the goal is to map into the prime-order subgroup of the Montgomery
curve, it suffices to return the identity point on the Montgomery curve
in the exceptional cases.</t>
      </section>
      <section anchor="appx-rational-map-mont">
        <name>Mapping from Weierstrass to Montgomery</name>
        <t>The rational map from the point (s, t) on the Montgomery curve</t>
        <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s
]]></sourcecode>
        <t>to the point (x, y) on the equivalent Weierstrass curve</t>
        <sourcecode type="pseudocode"><![CDATA[
y^2 = x^3 + A * x + B
]]></sourcecode>
        <t>is given by</t>
        <ul spacing="normal">
          <li>A = (3 - J^2) / (3 * K^2)</li>
          <li>B = (2 * J^3 - 9 * J) / (27 * K^3)</li>
          <li>x = (3 * s + J) / (3 * K)</li>
          <li>y = t / K</li>
        </ul>
        <t>The inverse map, from the point (x, y) to the point (s, t), is given by</t>
        <ul spacing="normal">
          <li>s = (3 * K * x - J) / 3</li>
          <li>t = y * K</li>
        </ul>
        <t>This mapping can be used to apply the Shallue-van de Woestijne
method (<xref target="svdw"/>) or Simplified SWU method (<xref target="simple-swu"/>) to
Montgomery curves.</t>
</section> </section>
</section> </section>
<section anchor="appx-iso" numbered="true" toc="default"> <section anchor="appx-iso">
<name>Isogeny maps for suites</name> <name>Isogeny Maps for Suites</name>
<t>This section specifies the isogeny maps for the secp256k1 and BLS12-381 <t>This section specifies the isogeny maps for the secp256k1 and BLS12-381
suites listed in <xref target="suites" format="default"/>.</t> suites listed in <xref target="suites"/>.</t>
<t>These maps are given in terms of affine coordinates. <t>These maps are given in terms of affine coordinates.
Wahby and Boneh (<xref target="WB19" format="default"/>, Section 4.3) show how t Wahby and Boneh (<xref target="WB19"/>, Section 4.3) show how to evaluate these
o evaluate these maps maps
in a projective coordinate system (<xref target="projective-coords" format="defa in a projective coordinate system (<xref target="projective-coords"/>), which av
ult"/>), which avoids oids
modular inversions.</t> modular inversions.</t>
<t>Refer to the draft repository <xref target="hash2curve-repo" format="de fault"/> for a Sage <xref target="SAGE" format="default"/> script <t>Refer to <xref target="hash2curve-repo"/> for a Sage <xref target="SAGE "/> script
that constructs these isogenies.</t> that constructs these isogenies.</t>
<section anchor="appx-iso-secp256k1" numbered="true" toc="default"> <section anchor="appx-iso-secp256k1">
<name>3-isogeny map for secp256k1</name> <name>3-Isogeny Map for secp256k1</name>
<t>This section specifies the isogeny map for the secp256k1 suite listed <t>This section specifies the isogeny map for the secp256k1 suite listed
in <xref target="suites-secp256k1" format="default"/>.</t> in <xref target="suites-secp256k1"/>.</t>
<t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li> <li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li>
<li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li> <li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li>
</ul> </ul>
</li> </li>
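Review bot: the Weierstrass/Montgomery map in this hunk divides by 3 and by K (A = (3 - J^2) / (3 * K^2), x = (3 * s + J) / (3 * K), s = (3 * K * x - J) / 3), so it is only defined when K != 0 and the characteristic of F is not 3; neither column states that precondition, and the renamed heading "Mapping from Weierstrass to Montgomery" is the natural place for a one-line note such as "This map requires K != 0 and char(F) != 3" (both hold for the Montgomery suites in this document, which use K = 1 over a large prime field). The sentence at the top of the hunk, that returning the identity in the exceptional cases v == 0 or w == 1 suffices only when the target is the prime-order subgroup, is unchanged between columns, which is right: an implementation that needs the full group has to handle those inputs separately.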
skipping to change at line 3862 skipping to change at line 3541
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li> <li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li>
<li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li> <li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e3 <li>k_(1,0)&nbsp;=&nbsp;0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e
8daaaaa8c7</li> 38e38e38e38daaaaa8c7</li>
<li>k_(1,1) = 0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff104 <li>k_(1,1)&nbsp;=&nbsp;0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63
4f17c6581</li> b92dfff1044f17c6581</li>
<li>k_(1,2) = 0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0 <li>k_(1,2)&nbsp;=&nbsp;0x534c328d23f234e6e2a413deca25caece4506144037c
b53d9dd262</li> 40314ecbd0b53d9dd262</li>
<li>k_(1,3) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e3 <li>k_(1,3)&nbsp;=&nbsp;0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e
8daaaaa88c</li> 38e38e38e38daaaaa88c</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b7 <li>k_(2,0)&nbsp;=&nbsp;0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8
45781eb49b</li> 487d9fe6b745781eb49b</li>
<li>k_(2,1) = 0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56 <li>k_(2,1)&nbsp;=&nbsp;0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e
612a8c6d14</li> 41bbc52a56612a8c6d14</li>
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(3,0) = 0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f68 <li>k_(3,0)&nbsp;=&nbsp;0x4bda12f684bda12f684bda12f684bda12f684bda12f6
4b8e38e23c</li> 84bda12f684b8e38e23c</li>
<li>k_(3,1) = 0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90 <li>k_(3,1)&nbsp;=&nbsp;0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686
fc201d71a3</li> da6fdffc90fc201d71a3</li>
<li>k_(3,2) = 0x29a6194691f91a73715209ef6512e576722830a201be2018a765e8 <li>k_(3,2)&nbsp;=&nbsp;0x29a6194691f91a73715209ef6512e576722830a201be
5a9ecee931</li> 2018a765e85a9ecee931</li>
<li>k_(3,3) = 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda1 <li>k_(3,3)&nbsp;=&nbsp;0x2f684bda12f684bda12f684bda12f684bda12f684bda
2f38e38d84</li> 12f684bda12f38e38d84</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffff <li>k_(4,0)&nbsp;=&nbsp;0xffffffffffffffffffffffffffffffffffffffffffff
fefffff93b</li> fffffffffffefffff93b</li>
<li>k_(4,1) = 0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425 <li>k_(4,1)&nbsp;=&nbsp;0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8
d2685c2573</li> d978dfb425d2685c2573</li>
<li>k_(4,2) = 0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf81 <li>k_(4,2)&nbsp;=&nbsp;0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d
92bfd2a76f</li> 6299a7bf8192bfd2a76f</li>
</ul> </ul>
</section> </section>
<section anchor="appx-iso-bls12381-g1" numbered="true" toc="default"> <section anchor="appx-iso-bls12381-g1">
<name>11-isogeny map for BLS12-381 G1</name> <name>11-Isogeny Map for BLS12-381 G1</name>
<t>The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,11) * x'^11 + k_(1,10) * x'^10 + k_(1,9) * x'^9 + ... + k_(1,0)</li> <li>x_num = k_(1,11) * x'^11 + k_(1,10) * x'^10 + k_(1,9) * x'^9 + ... + k_(1,0)</li>
<li>x_den = x'^10 + k_(2,9) * x'^9 + k_(2,8) * x'^8 + ... + k_(2,0 )</li> <li>x_den = x'^10 + k_(2,9) * x'^9 + k_(2,8) * x'^8 + ... + k_(2,0 )</li>
</ul> </ul>
</li> </li>
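Review bot: the right column rewrites every constant as k_(i,j)&nbsp;=&nbsp;0x... (from the k_(1,0) entry onward). That stops the renderer from separating a label from its value, but U+00A0 survives copy-and-paste from the rendered RFC, and shell word splitting, C and Go lexers and most test-vector parsers do not treat it as whitespace, so a reader who pastes "k_(1,0) = 0x8e38..." into code gets a parse error. Suggest either moving the constant tables into a <sourcecode> block, where only ASCII spaces are emitted, or confirming that the text renderer turns &nbsp; into 0x20. Separately, the two columns wrap the 64-digit hex strings at different offsets (the left column breaks k_(1,0) after "...e38e3", the right after "...e38e"), so the diff cannot be checked digit for digit by eye; a scripted comparison of the extracted constants against the Sage output referenced in the section intro would close that gap.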
skipping to change at line 3909 skipping to change at line 3588
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,15) * x'^15 + k_(3,14) * x'^14 + k_(3,13) * x'^13 + ... + k_(3,0)</li> <li>y_num = k_(3,15) * x'^15 + k_(3,14) * x'^14 + k_(3,13) * x'^13 + ... + k_(3,0)</li>
<li>y_den = x'^15 + k_(4,14) * x'^14 + k_(4,13) * x'^13 + ... + k_ (4,0)</li> <li>y_den = x'^15 + k_(4,14) * x'^14 + k_(4,13) * x'^13 + ... + k_ (4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b <li>k_(1,0)&nbsp;=&nbsp;0x11a05f2b1e833340b809101dd99815856b303e88a2d7
56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7</li> 005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7</li>
<li>k_(1,1) = 0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e3 <li>k_(1,1)&nbsp;=&nbsp;0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a
3c70d1e86b4838f2a6f318c356e834eef1b3cb83bb</li> 8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb</li>
<li>k_(1,2) = 0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e50 <li>k_(1,2)&nbsp;=&nbsp;0xd54005db97678ec1d1048c5d10a9a1bce03247329598
1ec68e25c958c3e3d2a09729fe0179f9dac9edcb0</li> 3e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0</li>
<li>k_(1,3) = 0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b332 <li>k_(1,3)&nbsp;=&nbsp;0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8d
89f1b330835336e25ce3107193c5b388641d9b6861</li> bf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861</li>
<li>k_(1,4) = 0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb6 <li>k_(1,4)&nbsp;=&nbsp;0xe99726a3199f4436642b4b3e4118e5499db995a1257f
5982fac18985a286f301e77c451154ce9ac8895d9</li> b3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9</li>
<li>k_(1,5) = 0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab <li>k_(1,5)&nbsp;=&nbsp;0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952
9097e68f90a0870d2dcae73d19cd13c1c66f652983</li> 799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983</li>
<li>k_(1,6) = 0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e21 <li>k_(1,6)&nbsp;=&nbsp;0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8
8f9c86b2a8da25128c1052ecaddd7f225a139ed84</li> ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84</li>
<li>k_(1,7) = 0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c6 <li>k_(1,7)&nbsp;=&nbsp;0x17b81e7701abdbe2e8743884d1117e53356de5ab275b
2ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e</li> 4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e</li>
<li>k_(1,8) = 0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c <li>k_(1,8)&nbsp;=&nbsp;0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5
928c5d1de4fa295f296b74e956d71986a8497e317</li> 574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317</li>
<li>k_(1,9) = 0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314 <li>k_(1,9)&nbsp;=&nbsp;0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c
baf4bb1b7fa3190b2edc0327797f241067be390c9e</li> 5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e</li>
<li>k_(1,10) = 0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af <li>k_(1,10)&nbsp;=&nbsp;0x10321da079ce07e272d8ec09d2565b0dfa7dccdde67
36003b14866f69b771f8c285decca67df3f1605fb7b</li> 87f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b</li>
<li>k_(1,11) = 0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf <li>k_(1,11)&nbsp;=&nbsp;0x6e08c248e260e70bd1e962381edee3d31d79d7e22c8
1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229</li> 37bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c95886 <li>k_(2,0)&nbsp;=&nbsp;0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b4
17fc8ac62b558d681be343df8993cf9fa40d21b1c</li> 8ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c</li>
<li>k_(2,1) = 0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2 <li>k_(2,1)&nbsp;=&nbsp;0x12561a5deb559c4348b4711298e536367041e8ca0cf0
588c48bf5713daa8846cb026e9e5c8276ec82b3bff</li> 800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff</li>
<li>k_(2,2) = 0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e0 <li>k_(2,2)&nbsp;=&nbsp;0xb2962fe57a3225e8137e629bff2991f6f89416f5a718
0b11aceacd6a3d0967c94fedcfcc239ba5cb83e19</li> cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19</li>
<li>k_(2,3) = 0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8a <li>k_(2,3)&nbsp;=&nbsp;0x3425581a58ae2fec83aafef7c40eb545b08243f16b16
bc28d6fd04976d5243eecf5c4130de8938dc62cd8</li> 55154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8</li>
<li>k_(2,4) = 0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44 <li>k_(2,4)&nbsp;=&nbsp;0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a120
e833b306da9bd29ba81f35781d539d395b3532a21e</li> 62bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e</li>
<li>k_(2,5) = 0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bce <li>k_(2,5)&nbsp;=&nbsp;0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9ca
f24b8982f7400d24bc4228f11c02df9a29f6304a5</li> d4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5</li>
<li>k_(2,6) = 0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073 <li>k_(2,6)&nbsp;=&nbsp;0x772caacf16936190f3e0c63e0596721570f5799af53a
062aede9cea73b3538f0de06cec2574496ee84a3a</li> 1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a</li>
<li>k_(2,7) = 0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1 <li>k_(2,7)&nbsp;=&nbsp;0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca
cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e</li> 68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e</li>
<li>k_(2,8) = 0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da <li>k_(2,8)&nbsp;=&nbsp;0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d71613
67f39883503826692abba43704776ec3a79a1d641</li> 66b74100da67f39883503826692abba43704776ec3a79a1d641</li>
<li>k_(2,9) = 0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533 <li>k_(2,9)&nbsp;=&nbsp;0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d
978f31c1593174e4b4b7865002d6384d168ecdd0a</li> 03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a</li>
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(3,0) = 0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6 <li>k_(3,0)&nbsp;=&nbsp;0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a86
c956543d3cd0c7aee9b3ba3c2be9845719707bb33</li> 9522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33</li>
<li>k_(3,1) = 0x134996a104ee5811d51036d776fb46831223e96c254f383d0f9063 <li>k_(3,1)&nbsp;=&nbsp;0x134996a104ee5811d51036d776fb46831223e96c254f
43eb67ad34d6c56711962fa8bfe097e75a2e41c696</li> 383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696</li>
<li>k_(3,2) = 0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b <li>k_(3,2)&nbsp;=&nbsp;0xcc786baa966e66f4a384c86a3b49942552e2d658a31c
91400da7d26d521628b00523b8dfe240c72de1f6</li> e2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6</li>
<li>k_(3,3) = 0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3e <li>k_(3,3)&nbsp;=&nbsp;0x1f86376e8981c217898751ad8746757d42aa7b90eeb7
c03251cf9de405aba9ec61deca6355c77b0e5f4cb</li> 91c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb</li>
<li>k_(3,4) = 0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd <li>k_(3,4)&nbsp;=&nbsp;0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce5
221351adc2ee7f8dc099040a841b6daecf2e8fedb</li> 0b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb</li>
<li>k_(3,5) = 0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c <li>k_(3,5)&nbsp;=&nbsp;0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afad
3d3ad5544e203f6326c95a807299b23ab13633a5f0</li> b7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0</li>
<li>k_(3,6) = 0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413 <li>k_(3,6)&nbsp;=&nbsp;0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be18
c4d634f3747a87ac2460f415ec961f8855fe9d6f2</li> 4cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2</li>
<li>k_(3,7) = 0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da <li>k_(3,7)&nbsp;=&nbsp;0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd
6c26c842642f64550fedfe935a15e4ca31870fb29</li> 81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29</li>
<li>k_(3,8) = 0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6 <li>k_(3,8)&nbsp;=&nbsp;0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc
a1f20cabe69d65201c78607a360370e577bdba587</li> 26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587</li>
<li>k_(3,9) = 0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7 <li>k_(3,9)&nbsp;=&nbsp;0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af
ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30</li> 6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30</li>
<li>k_(3,10) = 0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183 <li>k_(3,10)&nbsp;=&nbsp;0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6ca
e416389e61031bf3a5cce3fbafce813711ad011c132</li> f493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132</li>
<li>k_(3,11) = 0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bf <li>k_(3,11)&nbsp;=&nbsp;0x18b46a908f36f6deb918c143fed2edcc523559b8aaf
e7f911f643249d9cdf41b44d606ce07c8a4d0074d8e</li> 0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e</li>
<li>k_(3,12) = 0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710 <li>k_(3,12)&nbsp;=&nbsp;0xb182cac101b9399d155096004f53f447aa7b12a3426
e807b4633f06c851c1919211f20d4c04f00b971ef8</li> b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8</li>
<li>k_(3,13) = 0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e663 <li>k_(3,13)&nbsp;=&nbsp;0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c
2d3c40659cc6cf90ad1c232a6442d9d3f5db980133</li> 158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133</li>
<li>k_(3,14) = 0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f <li>k_(3,14)&nbsp;=&nbsp;0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e8
5d396a7ce46ba1049b6579afb7866b1e715475224b</li> 6568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b</li>
<li>k_(3,15) = 0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add <li>k_(3,15)&nbsp;=&nbsp;0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f849
4fa95af01b2b665027efec01c7704b456be69c8b604</li> 65a3957add4fa95af01b2b665027efec01c7704b456be69c8b604</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec323 <li>k_(4,0)&nbsp;=&nbsp;0x16112c4c3a9c98b252181140fad0eae9601a6de57898
2b5be72e7a07f3688ef60c206d01479253b03663c1</li> 0be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1</li>
<li>k_(4,1) = 0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a103 <li>k_(4,1)&nbsp;=&nbsp;0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4
56f453e01f78a4260763529e3532f6102c2e49a03d</li> d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d</li>
<li>k_(4,2) = 0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5d <li>k_(4,2)&nbsp;=&nbsp;0x58df3306640da276faaae7d6e8eb15778c4855551ae7
d279cd2eca6757cd636f96f891e2538b53dbf67f2</li> f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2</li>
<li>k_(4,3) = 0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da4 <li>k_(4,3)&nbsp;=&nbsp;0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbc
89e726af41727364f2c28297ada8d26d98445f5416</li> d30e123da489e726af41727364f2c28297ada8d26d98445f5416</li>
<li>k_(4,4) = 0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0 <li>k_(4,4)&nbsp;=&nbsp;0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69b
fc9dec916a20b15dc0fd2ededda39142311a5001d</li> bb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d</li>
<li>k_(4,5) = 0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87 <li>k_(4,5)&nbsp;=&nbsp;0x8d9e5297186db2d9fb266eaac783182b70152c65550d
b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac</li> 881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac</li>
<li>k_(4,6) = 0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365 <li>k_(4,6)&nbsp;=&nbsp;0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0c
bc400a0051d5fa9c01a58b1fb93d1a1399126a775c</li> f8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c</li>
<li>k_(4,7) = 0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34f <li>k_(4,7)&nbsp;=&nbsp;0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f
d206357132b920f5b00801dee460ee415a15812ed9</li> 4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9</li>
<li>k_(4,8) = 0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc575 <li>k_(4,8)&nbsp;=&nbsp;0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af
0c4bf39b4852cfe2f7bb9248836b233d9d55535d4a</li> 5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a</li>
<li>k_(4,9) = 0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb530859 <li>k_(4,9)&nbsp;=&nbsp;0x167a55cda70a6e1cea820597d94a84903216f763e13d
2e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55</li> 87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55</li>
<li>k_(4,10) = 0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b <li>k_(4,10)&nbsp;=&nbsp;0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61
36e636a5c871a5c29f4f83060400f8b49cba8f6aa8</li> a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8</li>
<li>k_(4,11) = 0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a <li>k_(4,11)&nbsp;=&nbsp;0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce
88cea7913516f968986f7ebbea9684b529e2561092</li> 42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092</li>
<li>k_(4,12) = 0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5cee <li>k_(4,12)&nbsp;=&nbsp;0xad6b9514c767fe3c3613144b45f1496543346d98adf
f9a00d9b8693000763e3b90ac11e99b138573345cc</li> 02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc</li>
<li>k_(4,13) = 0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748d <li>k_(4,13)&nbsp;=&nbsp;0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e729
f27942480e420517bd8714cc80d1fadc1326ed06f7</li> 27c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7</li>
<li>k_(4,14) = 0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efc <li>k_(4,14)&nbsp;=&nbsp;0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273
d6356caa205ca2f570f13497804415473a1d634b8f</li> b853324efcd6356caa205ca2f570f13497804415473a1d634b8f</li>
</ul> </ul>
</section> </section>
<section anchor="appx-iso-bls12381-g2" numbered="true" toc="default"> <section anchor="appx-iso-bls12381-g2">
<name>3-isogeny map for BLS12-381 G2</name> <name>3-Isogeny Map for BLS12-381 G2</name>
<t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li> <li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li>
<li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li> <li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li>
</ul> </ul>
</li> </li>
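Review bot: the secp256k1 subsection opens with a sentence tying the map to its suite ("This section specifies the isogeny map for the secp256k1 suite listed in <xref target="suites-secp256k1"/>"), but the 11-isogeny (G1) and 3-isogeny (G2) subsections in this hunk go straight to "The 11-isogeny map from (x', y') on E' to (x, y) on E ..." with no cross-reference to the BLS12-381 suites, and nothing in the hunk says which E' (the isogenous curve with its own A' and B') these constants belong to. Suggest adding the same lead sentence with an xref to the BLS12-381 G1 and G2 suite definitions so that a reader arriving from the table of contents knows where A', B' and Z are defined. The constant values themselves only gained &nbsp; and re-wrapped line breaks in the right column; the change is editorial.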
skipping to change at line 3996 skipping to change at line 3675
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li> <li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li>
<li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li> <li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 <li>k_(1,0)&nbsp;=&nbsp;0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a0
3c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6 + 0x5c759507e8e333ebb5b7a9a47d7ed8532c 42a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6&nbsp;+&nbsp;0x5c759507e8e333
52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6 * I</li> ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d
<li>k_(1,1) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 6&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71a * I</li> <li>k_(1,1)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
<li>k_(1,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71e + 0x8ab05f8bdd54cde190937e76bc3e447cc <li>k_(1,2)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d * I</li> 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e&nbsp;+&nbsp;0x8ab05f8bdd54c
<li>k_(1,3) = 0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d610 de190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe3
8f142b85757098e38d0f671c7188e2aaaaaaaa5ed1</li> 8d&nbsp;*&nbsp;I</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 <li>k_(2,0)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
a0f6b0f6241eabfffeb153ffffb9feffffffffaa63 * I</li> 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63&nbsp;*&nbsp;I</li>
<li>k_(2,1) = 0xc + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf <li>k_(2,1)&nbsp;= 0xc&nbsp;+&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd76
6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f * I</li> 4774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f&nbsp;*&nbsp;I</l
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(3,0) = 0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439 <li>k_(3,0)&nbsp;=&nbsp;0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f
d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706 + 0x1530477c7ab4113b59a4c18b076d11930 649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706&nbsp;+&nbsp;0x1530477c7ab41
f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706 * I</li> 13b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d
<li>k_(3,1) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 706&nbsp;*&nbsp;I</li>
3c50ae15d5c2638e343d9c71c6238aaaaaaaa97be * I</li> <li>k_(3,1)&nbsp;=&nbsp;0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a0
<li>k_(3,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 42a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71c + 0x8ab05f8bdd54cde190937e76bc3e447cc <li>k_(3,2)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f * I</li> 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c&nbsp;+&nbsp;0x8ab05f8bdd54c
<li>k_(3,3) = 0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977 de190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe3
c69aa274524e79097a56dc4bd9e1b371c71c718b10</li> 8f&nbsp;*&nbsp;I</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 <li>k_(4,0)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb + 0x1a0111ea397fe69a4b1ba7b6434bacd76 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb&nbsp;+&nbsp;0x1a0111ea397fe
4774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb * I</li> 69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa
<li>k_(4,1) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 8fb&nbsp;*&nbsp;I</li>
a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3 * I</li> <li>k_(4,1)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
<li>k_(4,2) = 0x12 + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512b 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3&nbsp;*&nbsp;I</li>
f6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99 * I</li> <li>k_(4,2)&nbsp;=&nbsp;0x12&nbsp;+&nbsp;0x1a0111ea397fe69a4b1ba7b6434
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="straightline" numbered="true" toc="default"> <section anchor="straightline">
<name>Straight-line implementations of deterministic mappings</name> <name>Straight-Line Implementations of Deterministic Mappings</name>
<t>This section gives straight-line implementations of the mappings of <xr <t>This section gives straight-line implementations of the mappings of <xr
ef target="mappings" format="default"/>. ef target="mappings"/>.
These implementations are generic, i.e., they are defined for any curve and fiel d. These implementations are generic, i.e., they are defined for any curve and fiel d.
<xref target="samplecode" format="default"/> gives further implementations that are optimized for specific <xref target="samplecode"/> gives further implementations that are optimized for specific
classes of curves and fields.</t> classes of curves and fields.</t>
<section anchor="straightline-svdw" numbered="true" toc="default"> <section anchor="straightline-svdw">
<name>Shallue-van de Woestijne method</name> <name>Shallue-van de Woestijne Method</name>
<t>This section gives a straight-line implementation of the Shallue and <t>This section gives a straight-line implementation of the Shallue-van
de Woestijne method for any Weierstrass curve of the form given in de Woestijne method for any Weierstrass curve of the form given in
<xref target="weierstrass" format="default"/>. <xref target="weierstrass"/>.
See <xref target="svdw" format="default"/> for information on the constants used See <xref target="svdw"/> for information on the constants used in this mapping.
in this mapping.</t> </t>
<t>Note that the constant c3 below MUST be chosen such that sgn0(c3) = 0 <t>Note that the constant c3 below <bcp14>MUST</bcp14> be chosen such th
. at sgn0(c3) = 0.
In other words, if the square-root computation returns a value cx such that In other words, if the square-root computation returns a value cx such that
sgn0(cx) = 1, set c3 = -cx; otherwise, set c3 = cx.</t> sgn0(cx) = 1, set c3 = -cx; otherwise, set c3 = cx.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_svdw(u) map_to_curve_svdw(u)
Input: u, an element of F. Input: u, an element of F.
Output: (x, y), a point on E. Output: (x, y), a point on E.
Constants: Constants:
1. c1 = g(Z) 1. c1 = g(Z)
2. c2 = -Z / 2 2. c2 = -Z / 2
3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # sgn0(c3) MUST equal 0 3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # sgn0(c3) MUST equal 0
4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A) 4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A)
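Review bot: two things in the G2 constants. First, an inconsistency: the k_(2,1) entry reads k_(2,1)&nbsp;= 0xc&nbsp;+&nbsp;0x1a01... with a plain space after "=", while every other entry in these tables puts &nbsp; on both sides of "="; either form renders, but it should be one or the other. Second, in this side-by-side rendering the right column lists k_(1,0), k_(1,1), k_(1,2) and then closes the list with no k_(1,3) entry, does the same for y_num (k_(3,0) to k_(3,2), no k_(3,3)), and its k_(4,2) entry stops mid-constant at "0x12&nbsp;+&nbsp;0x1a0111ea397fe69a4b1ba7b6434"; the left column has all of k_(1,3), k_(3,3) and the full k_(4,2). This is most likely the diff viewer dropping overflow rows, but it is exactly where a converter can lose an <li>, so please confirm against the XML source that the three entries are intact (the polynomial definitions at the top of the subsection need k_(1,3) and k_(3,3) as leading coefficients). On the straight-line section that begins in this hunk: the name fix "Shallue and de Woestijne" to "Shallue-van de Woestijne" and the <bcp14>MUST</bcp14> markup are right; the MUST in the pseudocode comment "# sgn0(c3) MUST equal 0" cannot carry bcp14 markup, which is fine because the normative statement is the one in prose.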
skipping to change at line 4085 skipping to change at line 3764
27. x = CMOV(x3, x1, e1) # x = x1 if gx1 is square, else x = x3 27. x = CMOV(x3, x1, e1) # x = x1 if gx1 is square, else x = x3
28. x = CMOV(x, x2, e2) # x = x2 if gx2 is square and gx1 is not 28. x = CMOV(x, x2, e2) # x = x2 if gx2 is square and gx1 is not
29. gx = x^2 29. gx = x^2
30. gx = gx + A 30. gx = gx + A
31. gx = gx * x 31. gx = gx * x
32. gx = gx + B 32. gx = gx + B
33. y = sqrt(gx) 33. y = sqrt(gx)
34. e3 = sgn0(u) == sgn0(y) 34. e3 = sgn0(u) == sgn0(y)
35. y = CMOV(-y, y, e3) # Select correct sign of y 35. y = CMOV(-y, y, e3) # Select correct sign of y
36. return (x, y) 36. return (x, y)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="straightline-sswu" numbered="true" toc="default"> <section anchor="straightline-sswu">
<name>Simplified SWU method</name> <name>Simplified SWU Method</name>
<t>This section gives a straight-line implementation of the simplified <t>This section gives a straight-line implementation of the Simplified
SWU method for any Weierstrass curve of the form given in <xref target="weierstr SWU method for any Weierstrass curve of the form given in <xref target="weierstr
ass" format="default"/>. ass"/>.
See <xref target="simple-swu" format="default"/> for information on the constant See <xref target="simple-swu"/> for information on the constants used in this ma
s used in this mapping.</t> pping.</t>
<t>This optimized, straight-line procedure applies to any base field. <t>This optimized, straight-line procedure applies to any base field.
The sqrt_ratio subroutine is defined in <xref target="straightline-sswu-sqrt-rat The sqrt_ratio subroutine is defined in <xref target="straightline-sswu-sqrt-rat
io" format="default"/>.</t> io"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_simple_swu(u) map_to_curve_simple_swu(u)
Input: u, an element of F. Input: u, an element of F.
Output: (x, y), a point on E. Output: (x, y), a point on E.
Steps: Steps:
1. tv1 = u^2 1. tv1 = u^2
2. tv1 = Z * tv1 2. tv1 = Z * tv1
3. tv2 = tv1^2 3. tv2 = tv1^2
4. tv2 = tv2 + tv1 4. tv2 = tv2 + tv1
skipping to change at line 4127 skipping to change at line 3806
17. x = tv1 * tv3 17. x = tv1 * tv3
18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6) 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
19. y = tv1 * u 19. y = tv1 * u
20. y = y * y1 20. y = y * y1
21. x = CMOV(x, tv3, is_gx1_square) 21. x = CMOV(x, tv3, is_gx1_square)
22. y = CMOV(y, y1, is_gx1_square) 22. y = CMOV(y, y1, is_gx1_square)
23. e1 = sgn0(u) == sgn0(y) 23. e1 = sgn0(u) == sgn0(y)
24. y = CMOV(-y, y, e1) 24. y = CMOV(-y, y, e1)
25. x = x / tv4 25. x = x / tv4
26. return (x, y) 26. return (x, y)
</sourcecode> ]]></sourcecode>
<section anchor="straightline-sswu-sqrt-ratio" numbered="true" toc="defa <section anchor="straightline-sswu-sqrt-ratio">
ult"> <name>sqrt_ratio Subroutine</name>
<name>sqrt_ratio subroutines</name>
<t>This section defines three variants of the sqrt_ratio subroutine us ed by the <t>This section defines three variants of the sqrt_ratio subroutine us ed by the
above procedure. above procedure.
The first variant can be used with any field; the others are optimized versions The first variant can be used with any field; the others are optimized versions
for specific fields.</t> for specific fields.</t>
<t>The routines given in this section depend on the constant Z from th <t>The routines given in this section depend on the constant Z from th
e simplified SWU map. e Simplified SWU map.
For correctness, sqrt_ratio and map_to_curve_simple_swu MUST use the same value For correctness, sqrt_ratio and map_to_curve_simple_swu <bcp14>MUST</bcp14> use
for Z.</t> the same value for Z.</t>
<section anchor="sqrtratio-for-any-field" numbered="true" toc="default <section anchor="sqrtratio-for-any-field">
"> <name>sqrt_ratio for Any Field</name>
<name>sqrt_ratio for any field</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio(u, v) sqrt_ratio(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1, the largest integer such that 2^c1 divides q - 1. 1. c1, the largest integer such that 2^c1 divides q - 1.
2. c2 = (q - 1) / (2^c1) # Integer arithmetic 2. c2 = (q - 1) / (2^c1) # Integer arithmetic
3. c3 = (c2 - 1) / 2 # Integer arithmetic 3. c3 = (c2 - 1) / 2 # Integer arithmetic
skipping to change at line 4187 skipping to change at line 3866
18. tv5 = i - 2 18. tv5 = i - 2
19. tv5 = 2^tv5 19. tv5 = 2^tv5
20. tv5 = tv4^tv5 20. tv5 = tv4^tv5
21. e1 = tv5 == 1 21. e1 = tv5 == 1
22. tv2 = tv3 * tv1 22. tv2 = tv3 * tv1
23. tv1 = tv1 * tv1 23. tv1 = tv1 * tv1
24. tv5 = tv4 * tv1 24. tv5 = tv4 * tv1
25. tv3 = CMOV(tv2, tv3, e1) 25. tv3 = CMOV(tv2, tv3, e1)
26. tv4 = CMOV(tv5, tv4, e1) 26. tv4 = CMOV(tv5, tv4, e1)
27. return (isQR, tv3) 27. return (isQR, tv3)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="optimized-sqrtratio-for-q-3-mod-4" numbered="true" to <section anchor="optimized-sqrtratio-for-q-3-mod-4">
c="default"> <name>Optimized sqrt_ratio for q = 3 mod 4</name>
<name>optimized sqrt_ratio for q = 3 mod 4</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio_3mod4(u, v) sqrt_ratio_3mod4(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m, - F, a finite field of characteristic p and order q = p^m,
where q = 3 mod 4. where q = 3 mod 4.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
2. c2 = sqrt(-Z) 2. c2 = sqrt(-Z)
skipping to change at line 4220 skipping to change at line 3899
2. tv2 = u * v 2. tv2 = u * v
3. tv1 = tv1 * tv2 3. tv1 = tv1 * tv2
4. y1 = tv1^c1 4. y1 = tv1^c1
5. y1 = y1 * tv2 5. y1 = y1 * tv2
6. y2 = y1 * c2 6. y2 = y1 * c2
7. tv3 = y1^2 7. tv3 = y1^2
8. tv3 = tv3 * v 8. tv3 = tv3 * v
9. isQR = tv3 == u 9. isQR = tv3 == u
10. y = CMOV(y2, y1, isQR) 10. y = CMOV(y2, y1, isQR)
11. return (isQR, y) 11. return (isQR, y)
</sourcecode> ]]></sourcecode>
</section> </section>
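The following is an added example, not the RFC's Sage code: it instantiates the straight-line map_to_curve_simple_swu above for P-256 together with the sqrt_ratio_3mod4 variant, and checks that the output lands on the curve with the sign rule from step 24. The steps that this page elides between step 4 and step 17 are filled in from the RFC's own definition of the map; the curve constants, the helper names (cmov, sgn0, inv, is_on_curve) and Z = -10 for P-256 are assumptions stated in the comments.

```python
# Added example (not the RFC's Sage code): Simplified SWU for P-256 using the
# straight-line procedure and the q = 3 mod 4 sqrt_ratio variant of RFC 9380.
# Python ints are not constant time; cmov() mirrors the spec's structure only,
# not its timing behaviour.

# P-256 (secp256r1): y^2 = x^3 + A*x + B over GF(P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = (-3) % P
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Z = (-10) % P        # the SSWU Z for the P-256 suites (assumed from RFC 9380)
assert P % 4 == 3    # precondition of sqrt_ratio_3mod4


def cmov(a, b, c):
    """CMOV(a, b, c): return b if c is true, else a (spec argument order)."""
    return b if c else a


def sgn0(x):
    """sgn0 for a prime field: the parity of the canonical representative."""
    return x % 2


def inv(x):
    return pow(x, P - 2, P)


# sqrt_ratio_3mod4 constants: c1 = (q - 3) / 4 (integer), c2 = sqrt(-Z).
# -Z is a square because Z is a non-square and -1 is a non-square for q = 3 mod 4.
C1 = (P - 3) // 4
C2 = pow((-Z) % P, (P + 1) // 4, P)
assert (C2 * C2) % P == (-Z) % P


def sqrt_ratio_3mod4(u, v):
    """Return (True, sqrt(u/v)) if u/v is square, else (False, sqrt(Z*u/v))."""
    tv1 = v * v % P
    tv2 = u * v % P
    tv1 = tv1 * tv2 % P
    y1 = pow(tv1, C1, P)
    y1 = y1 * tv2 % P
    y2 = y1 * C2 % P
    tv3 = y1 * y1 % P
    tv3 = tv3 * v % P
    is_qr = tv3 == u
    y = cmov(y2, y1, is_qr)
    return is_qr, y


def map_to_curve_simple_swu(u):
    """Straight-line SSWU; returns an affine point (x, y) on P-256."""
    u %= P
    tv1 = u * u % P
    tv1 = Z * tv1 % P                     # tv1 = Z * u^2
    tv2 = tv1 * tv1 % P
    tv2 = (tv2 + tv1) % P                 # tv2 = Z^2 u^4 + Z u^2
    tv3 = (tv2 + 1) % P
    tv3 = B * tv3 % P                     # x1 numerator
    tv4 = cmov(Z, (-tv2) % P, tv2 != 0)   # exceptional case tv2 == 0 uses Z
    tv4 = A * tv4 % P                     # x1 denominator
    tv2 = tv3 * tv3 % P
    tv6 = tv4 * tv4 % P
    tv5 = A * tv6 % P
    tv2 = (tv2 + tv5) % P
    tv2 = tv2 * tv3 % P
    tv6 = tv6 * tv4 % P                   # tv6 = tv4^3, g(x1) denominator
    tv5 = B * tv6 % P
    tv2 = (tv2 + tv5) % P                 # tv2 = g(x1) numerator
    x = tv1 * tv3 % P                     # x2 numerator = Z u^2 * x1 numerator
    is_gx1_square, y1 = sqrt_ratio_3mod4(tv2, tv6)
    y = tv1 * u % P
    y = y * y1 % P                        # sqrt(g(x2)) = Z u^3 * sqrt(Z g(x1))
    x = cmov(x, tv3, is_gx1_square)
    y = cmov(y, y1, is_gx1_square)
    e1 = sgn0(u) == sgn0(y)
    y = cmov((-y) % P, y, e1)             # make sgn0(y) match sgn0(u)
    x = x * inv(tv4) % P
    return x, y


def is_on_curve(x, y):
    return (y * y - (x * x * x + A * x + B)) % P == 0


if __name__ == "__main__":
    for u in (0, 1, 2):
        print(u, is_on_curve(*map_to_curve_simple_swu(u)))
```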
<section anchor="optimized-sqrtratio-for-q-5-mod-8" numbered="true" to <section anchor="optimized-sqrtratio-for-q-5-mod-8">
c="default"> <name>Optimized sqrt_ratio for q = 5 mod 8</name>
<name>optimized sqrt_ratio for q = 5 mod 8</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio_5mod8(u, v) sqrt_ratio_5mod8(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m, - F, a finite field of characteristic p and order q = p^m,
where q = 5 mod 8. where q = 5 mod 8.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1 = (q - 5) / 8 1. c1 = (q - 5) / 8
2. c2 = sqrt(-1) 2. c2 = sqrt(-1)
3. c3 = sqrt(Z / c2) 3. c3 = sqrt(Z / c2)
skipping to change at line 4267 skipping to change at line 3946
15. isQR = tv2 == u 15. isQR = tv2 == u
16. y2 = y1 * c3 16. y2 = y1 * c3
17. tv1 = y2 * c2 17. tv1 = y2 * c2
18. tv2 = tv1^2 18. tv2 = tv1^2
19. tv2 = tv2 * v 19. tv2 = tv2 * v
20. tv3 = Z * u 20. tv3 = Z * u
21. e2 = tv2 == tv3 21. e2 = tv2 == tv3
22. y2 = CMOV(y2, tv1, e2) 22. y2 = CMOV(y2, tv1, e2)
23. y = CMOV(y2, y1, isQR) 23. y = CMOV(y2, y1, isQR)
24. return (isQR, y) 24. return (isQR, y)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="straightline-ell2" numbered="true" toc="default"> <section anchor="straightline-ell2">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>This section gives a straight-line implementation of the Elligator 2 <t>This section gives a straight-line implementation of the Elligator 2
method for any Montgomery curve of the form given in <xref target="montgomery" f method for any Montgomery curve of the form given in <xref target="montgomery"/>
ormat="default"/>. .
See <xref target="elligator2" format="default"/> for information on the constant See <xref target="elligator2"/> for information on the constants used in this ma
s used in this mapping.</t> pping.</t>
<t><xref target="ell2-opt" format="default"/> gives optimized straight-l <t><xref target="ell2-opt"/> gives optimized straight-line procedures th
ine procedures that apply to specific at apply to specific
classes of curves and base fields, including curve25519 and curve448 <xref targe classes of curves and base fields, including curve25519 and curve448 <xref targe
t="RFC7748" format="default"/>.</t> t="RFC7748"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2(u) map_to_curve_elligator2(u)
Input: u, an element of F. Input: u, an element of F.
Output: (s, t), a point on M. Output: (s, t), a point on M.
Constants: Constants:
1. c1 = J / K 1. c1 = J / K
2. c2 = 1 / K^2 2. c2 = 1 / K^2
Steps: Steps:
skipping to change at line 4311 skipping to change at line 3990
13. gx2 = tv1 * gx1 13. gx2 = tv1 * gx1
14. e2 = is_square(gx1) # If is_square(gx1) 14. e2 = is_square(gx1) # If is_square(gx1)
15. x = CMOV(x2, x1, e2) # then x = x1, else x = x2 15. x = CMOV(x2, x1, e2) # then x = x1, else x = x2
16. y2 = CMOV(gx2, gx1, e2) # then y2 = gx1, else y2 = gx2 16. y2 = CMOV(gx2, gx1, e2) # then y2 = gx1, else y2 = gx2
17. y = sqrt(y2) 17. y = sqrt(y2)
18. e3 = sgn0(y) == 1 18. e3 = sgn0(y) == 1
19. y = CMOV(y, -y, e2 XOR e3) # fix sign of y 19. y = CMOV(y, -y, e2 XOR e3) # fix sign of y
20. s = x * K 20. s = x * K
21. t = y * K 21. t = y * K
22. return (s, t) 22. return (s, t)
</sourcecode> ]]></sourcecode>
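The following is an added example, not the RFC's Sage code: it instantiates the generic straight-line map_to_curve_elligator2 above for curve25519 (J = 486662, K = 1, Z = 2 over GF(2^255 - 19)), with the q = 5 mod 8 square root and an Euler-criterion is_square, and checks the output against the Montgomery equation. Steps 1 to 12, which this page elides, are filled in from the RFC's definition of the map; the helper names (cmov, sgn0, inv0, is_square, sqrt_5mod8, is_on_curve) are my own.

```python
# Added example (not the RFC's Sage code): straight-line Elligator 2 for
# curve25519, following the generic procedure of RFC 9380 with K = 1.
# Python ints are not constant time; cmov() mirrors the spec's structure only.

Q = 2**255 - 19
J = 486662          # curve25519: K * t^2 = s^3 + J * s^2 + s, with K = 1
K = 1
Z = 2               # Elligator 2 Z for the curve25519 suites (assumed from RFC 9380)
SQRT_M1 = pow(2, (Q - 1) // 4, Q)        # a square root of -1, valid for q = 5 mod 8
assert (SQRT_M1 * SQRT_M1) % Q == Q - 1

C1 = J * pow(K, Q - 2, Q) % Q            # c1 = J / K
C2 = pow(K * K % Q, Q - 2, Q)            # c2 = 1 / K^2


def cmov(a, b, c):
    """CMOV(a, b, c): return b if c is true, else a (spec argument order)."""
    return b if c else a


def sgn0(x):
    return x % 2


def inv0(x):
    """Inverse with inv0(0) == 0, as the spec's inv0 requires."""
    return pow(x % Q, Q - 2, Q)


def is_square(x):
    """Euler criterion: x^((q-1)/2) is 1 for a non-zero square, 0 for zero."""
    return pow(x % Q, (Q - 1) // 2, Q) in (0, 1)


def sqrt_5mod8(x):
    """Square root for q = 5 mod 8; the caller guarantees x is a square."""
    x %= Q
    r = pow(x, (Q + 3) // 8, Q)          # r^2 is either x or -x
    r = cmov(r, r * SQRT_M1 % Q, r * r % Q != x)
    assert r * r % Q == x
    return r


def map_to_curve_elligator2(u):
    """Straight-line Elligator 2; returns (s, t) on the Montgomery curve."""
    u %= Q
    tv1 = u * u % Q
    tv1 = Z * tv1 % Q                    # tv1 = Z * u^2
    e1 = tv1 == Q - 1                    # tv1 == -1
    tv1 = cmov(tv1, 0, e1)               # exceptional case: avoid division by zero
    x1 = (tv1 + 1) % Q
    x1 = inv0(x1)
    x1 = (-C1 * x1) % Q                  # x1 = -(J/K) / (1 + Z u^2)
    gx1 = (x1 + C1) % Q
    gx1 = gx1 * x1 % Q
    gx1 = (gx1 + C2) % Q
    gx1 = gx1 * x1 % Q                   # gx1 = x1^3 + c1 x1^2 + c2 x1
    x2 = (-x1 - C1) % Q                  # x2 = Z u^2 x1
    gx2 = tv1 * gx1 % Q                  # gx2 = Z u^2 gx1
    e2 = is_square(gx1)
    x = cmov(x2, x1, e2)
    y2 = cmov(gx2, gx1, e2)
    y = sqrt_5mod8(y2)
    e3 = sgn0(y) == 1
    y = cmov(y, (-y) % Q, e2 != e3)      # e2 XOR e3: fix sign of y
    s = x * K % Q
    t = y * K % Q
    return s, t


def is_on_curve(s, t):
    return (K * t * t - (s * s * s + J * s * s + s)) % Q == 0


if __name__ == "__main__":
    for u in (0, 1, 2):
        print(u, is_on_curve(*map_to_curve_elligator2(u)))
```

Because every step uses u only through u^2, the map sends u and -u to the same point, which the check below exercises.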
</section> </section>
</section> </section>
<section anchor="samplecode" numbered="true" toc="default"> <section anchor="samplecode">
<name>Curve-specific optimized sample code</name> <name>Curve-Specific Optimized Sample Code</name>
<t>This section gives sample implementations optimized for some of the <t>This section gives sample implementations optimized for some of the
elliptic curves listed in <xref target="suites" format="default"/>. elliptic curves listed in <xref target="suites"/>.
Sample Sage <xref target="SAGE" format="default"/> code for each algorithm can a Sample Sage code <xref target="SAGE"/> for each algorithm can also be found in <
lso be found in the xref target="hash2curve-repo"/>.</t>
draft repository <xref target="hash2curve-repo" format="default"/>.</t> <section anchor="projective-coords">
<section anchor="projective-coords" numbered="true" toc="default"> <name>Interface and Projective Coordinate Systems</name>
<name>Interface and projective coordinate systems</name>
<t>The sample code in this section uses a different interface than <t>The sample code in this section uses a different interface than
the mappings of <xref target="mappings" format="default"/>. the mappings of <xref target="mappings"/>.
Specifically, each mapping function in this section has the following Specifically, each mapping function in this section has the following
signature:</t> signature:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
(xn, xd, yn, yd) = map_to_curve(u) (xn, xd, yn, yd) = map_to_curve(u)
</sourcecode> ]]></sourcecode>
<t>The resulting affine point (x, y) is given by (xn / xd, yn / yd).</t> <t>The resulting affine point (x, y) is given by (xn / xd, yn / yd).</t>
<t>The reason for this modified interface is that it enables further <t>The reason for this modified interface is that it enables further
optimizations when working with points in a projective coordinate optimizations when working with points in a projective coordinate
system. system.
This is desirable, for example, when the resulting point will be This is desirable, for example, when the resulting point will be
immediately multiplied by a scalar, since most scalar multiplication immediately multiplied by a scalar, since most scalar multiplication
algorithms operate on projective points.</t> algorithms operate on projective points.</t>
<t>Projective coordinates are also useful when implementing random oracl <t>Projective coordinates are also useful when implementing random-oracl
e e
encodings (<xref target="roadmap" format="default"/>). encodings (<xref target="roadmap"/>).
One reason is that, in general, point addition is faster using projective One reason is that, in general, point addition is faster using projective
coordinates. coordinates.
Another reason is that, for Weierstrass curves, projective coordinates Another reason is that, for Weierstrass curves, projective coordinates
allow using complete addition formulas <xref target="RCB16" format="default"/>. allow using complete addition formulas <xref target="RCB16"/>.
This is especially convenient when implementing a constant-time encoding, This is especially convenient when implementing a constant-time encoding,
because it eliminates the need for a special case when Q0 == Q1, which because it eliminates the need for a special case when Q0 == Q1, which
incomplete addition formulas usually do not handle.</t> incomplete addition formulas usually do not handle.</t>
<t>The following are two commonly used projective coordinate systems <t>The following are two commonly used projective coordinate systems
and the corresponding conversions:</t> and the corresponding conversions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A point (X, Y, Z) in homogeneous projective coordinates correspond s <li>A point (X, Y, Z) in homogeneous projective coordinates correspond s
to the affine point (x, y) = (X / Z, Y / Z); to the affine point (x, y) = (X / Z, Y / Z);
the inverse conversion is given by (X, Y, Z) = (x, y, 1). the inverse conversion is given by (X, Y, Z) = (x, y, 1).
To convert (xn, xd, yn, yd) to homogeneous projective coordinates, To convert (xn, xd, yn, yd) to homogeneous projective coordinates,
compute (X, Y, Z) = (xn * yd, yn * xd, xd * yd).</li> compute (X, Y, Z) = (xn * yd, yn * xd, xd * yd).</li>
<li>A point (X', Y', Z') in Jacobian projective coordinates correspond s <li>A point (X', Y', Z') in Jacobian projective coordinates correspond s
to the affine point (x, y) = (X' / Z'^2, Y' / Z'^3); to the affine point (x, y) = (X'&nbsp;/&nbsp;Z'^2, Y' / Z'^3);
the inverse conversion is given by (X', Y', Z') = (x, y, 1). the inverse conversion is given by (X', Y', Z') = (x, y, 1).
To convert (xn, xd, yn, yd) to Jacobian projective coordinates, To convert (xn, xd, yn, yd) to Jacobian projective coordinates,
compute (X', Y', Z') = (xn * xd * yd^2, yn * yd^2 * xd^3, xd * yd).</li> compute (X', Y', Z') = (xn * xd * yd^2, yn * yd^2 * xd^3, xd * yd).</li>
</ul> </ul>
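Review bot: the &nbsp; inserted in the Jacobian bullet is applied only to the first ratio, X'&nbsp;/&nbsp;Z'^2, while Y' / Z'^3 in the same tuple and both ratios in the homogeneous bullet keep plain spaces; if the purpose is to keep a ratio from breaking across a line, either apply it to both ratios of the tuple or leave a note that it targets one specific bad break.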
</section> </section>
<section anchor="ell2-opt" numbered="true" toc="default"> <section anchor="ell2-opt">
<name>Elligator 2</name> <name>Elligator 2</name>
<section anchor="map-to-curve25519" numbered="true" toc="default"> <section anchor="map-to-curve25519">
<name>curve25519 (q = 5 (mod 8), K = 1)</name> <name>curve25519 (q = 5 (mod 8), K = 1)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for curve25519 <xref target="RFC7748" format="default"/> as specified in <xref t arget="suites-25519" format="default"/>.</t> for curve25519 <xref target="RFC7748"/> as specified in <xref target="suites-255 19"/>.</t>
<t>This implementation can also be used for any Montgomery curve <t>This implementation can also be used for any Montgomery curve
with K = 1 over GF(q) where q = 5 (mod 8).</t> with K = 1 over GF(q) where q = 5 (mod 8).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_curve25519(u) map_to_curve_elligator2_curve25519(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on curve25519. point on curve25519.
Constants: Constants:
1. c1 = (q + 3) / 8 # Integer arithmetic 1. c1 = (q + 3) / 8 # Integer arithmetic
2. c2 = 2^c1 2. c2 = 2^c1
3. c3 = sqrt(-1) 3. c3 = sqrt(-1)
skipping to change at line 4421 skipping to change at line 4099
30. e2 = tv2 == gx2 30. e2 = tv2 == gx2
31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
32. tv2 = y1^2 32. tv2 = y1^2
33. tv2 = tv2 * gxd 33. tv2 = tv2 * gxd
34. e3 = tv2 == gx1 34. e3 = tv2 == gx1
35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
37. e4 = sgn0(y) == 1 # Fix sign of y 37. e4 = sgn0(y) == 1 # Fix sign of y
38. y = CMOV(y, -y, e3 XOR e4) 38. y = CMOV(y, -y, e3 XOR e4)
39. return (xn, xd, y, 1) 39. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-edwards25519" numbered="true" toc="default"> <section anchor="map-to-edwards25519">
<name>edwards25519</name> <name>edwards25519</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for edwards25519 <xref target="RFC7748" format="default"/> as specified in <xref target="suites-25519" format="default"/>. for edwards25519 <xref target="RFC7748"/> as specified in <xref target="suites-2 5519"/>.
The subroutine map_to_curve_elligator2_curve25519 The subroutine map_to_curve_elligator2_curve25519
is defined in <xref target="map-to-curve25519" format="default"/>.</t> is defined in <xref target="map-to-curve25519"/>.</t>
<t>Note that the sign of the constant c1 below is chosen as specified <t>Note that the sign of the constant c1 below is chosen as specified
in <xref target="rational-map" format="default"/>, i.e., applying the rational m in <xref target="rational-map"/>, i.e., applying the rational map to the edwards
ap to the edwards25519 25519
base point yields the curve25519 base point (see erratum <xref target="EID4730" base point yields the curve25519 base point (see erratum <xref target="Err4730"/
format="default"/>).</t> >).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards25519(u) map_to_curve_elligator2_edwards25519(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on edwards25519. point on edwards25519.
Constants: Constants:
1. c1 = sqrt(-486664) # sgn0(c1) MUST equal 0 1. c1 = sqrt(-486664) # sgn0(c1) MUST equal 0
Steps: Steps:
skipping to change at line 4456 skipping to change at line 4134
4. xd = xMd * yMn # xn / xd = c1 * xM / yM 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
5. yn = xMn - xMd 5. yn = xMn - xMd
6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d) 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
7. tv1 = xd * yd 7. tv1 = xd * yd
8. e = tv1 == 0 8. e = tv1 == 0
9. xn = CMOV(xn, 0, e) 9. xn = CMOV(xn, 0, e)
10. xd = CMOV(xd, 1, e) 10. xd = CMOV(xd, 1, e)
11. yn = CMOV(yn, 1, e) 11. yn = CMOV(yn, 1, e)
12. yd = CMOV(yd, 1, e) 12. yd = CMOV(yd, 1, e)
13. return (xn, xd, yn, yd) 13. return (xn, xd, yn, yd)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-curve448" numbered="true" toc="default"> <section anchor="map-to-curve448">
<name>curve448 (q = 3 (mod 4), K = 1)</name> <name>curve448 (q = 3 (mod 4), K = 1)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for curve448 <xref target="RFC7748" format="default"/> as specified in <xref tar get="suites-448" format="default"/>.</t> for curve448 <xref target="RFC7748"/> as specified in <xref target="suites-448"/ >.</t>
<t>This implementation can also be used for any Montgomery curve <t>This implementation can also be used for any Montgomery curve
with K = 1 over GF(q) where q = 3 (mod 4).</t> with K = 1 over GF(q) where q = 3 (mod 4).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_curve448(u) map_to_curve_elligator2_curve448(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on curve448. point on curve448.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
Steps: Steps:
skipping to change at line 4502 skipping to change at line 4180
18. y2 = y1 * u 18. y2 = y1 * u
19. y2 = CMOV(y2, 0, e1) 19. y2 = CMOV(y2, 0, e1)
20. tv2 = y1^2 20. tv2 = y1^2
21. tv2 = tv2 * gxd 21. tv2 = tv2 * gxd
22. e2 = tv2 == gx1 22. e2 = tv2 == gx1
23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
25. e3 = sgn0(y) == 1 # Fix sign of y 25. e3 = sgn0(y) == 1 # Fix sign of y
26. y = CMOV(y, -y, e2 XOR e3) 26. y = CMOV(y, -y, e2 XOR e3)
27. return (xn, xd, y, 1) 27. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-edwards448" numbered="true" toc="default"> <section anchor="map-to-edwards448">
<name>edwards448</name> <name>edwards448</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for edwards448 <xref target="RFC7748" format="default"/> as specified in <xref t arget="suites-448" format="default"/>. for edwards448 <xref target="RFC7748"/> as specified in <xref target="suites-448 "/>.
The subroutine map_to_curve_elligator2_curve448 The subroutine map_to_curve_elligator2_curve448
is defined in <xref target="map-to-curve448" format="default"/>.</t> is defined in <xref target="map-to-curve448"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards448(u) map_to_curve_elligator2_edwards448(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on edwards448. point on edwards448.
Steps: Steps:
1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u) 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
2. xn2 = xn^2 2. xn2 = xn^2
3. xd2 = xd^2 3. xd2 = xd^2
skipping to change at line 4556 skipping to change at line 4234
29. yEd = tv2 + tv1 29. yEd = tv2 + tv1
30. tv4 = tv4 * yd2 30. tv4 = tv4 * yd2
31. yEd = yEd + tv4 31. yEd = yEd + tv4
32. tv1 = xEd * yEd 32. tv1 = xEd * yEd
33. e = tv1 == 0 33. e = tv1 == 0
34. xEn = CMOV(xEn, 0, e) 34. xEn = CMOV(xEn, 0, e)
35. xEd = CMOV(xEd, 1, e) 35. xEd = CMOV(xEd, 1, e)
36. yEn = CMOV(yEn, 1, e) 36. yEn = CMOV(yEn, 1, e)
37. yEd = CMOV(yEd, 1, e) 37. yEd = CMOV(yEd, 1, e)
38. return (xEn, xEd, yEn, yEd) 38. return (xEn, xEd, yEn, yEd)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="ell2-map-to-3mod4" numbered="true" toc="default"> <section anchor="ell2-map-to-3mod4">
<name>Montgomery curves with q = 3 (mod 4)</name> <name>Montgomery Curves with q = 3 (mod 4)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
that applies to any Montgomery curve defined over GF(q) where q = 3 (mod 4).</t> that applies to any Montgomery curve defined over GF(q) where q = 3 (mod 4).</t>
<t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve448" format="default"/> <t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve448"/>
gives identical results with slightly reduced cost.</t> gives identical results with slightly reduced cost.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_3mod4(u) map_to_curve_elligator2_3mod4(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on the target curve. point on the target curve.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
2. c2 = K^2 2. c2 = K^2
skipping to change at line 4609 skipping to change at line 4287
24. tv2 = y1^2 24. tv2 = y1^2
25. tv2 = tv2 * gxd 25. tv2 = tv2 * gxd
26. e2 = tv2 == gx1 26. e2 = tv2 == gx1
27. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2 27. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
28. xn = xn * K 28. xn = xn * K
29. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2 29. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
30. e3 = sgn0(y) == 1 # Fix sign of y 30. e3 = sgn0(y) == 1 # Fix sign of y
31. y = CMOV(y, -y, e2 XOR e3) 31. y = CMOV(y, -y, e2 XOR e3)
32. y = y * K 32. y = y * K
33. return (xn, xd, y, 1) 33. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="ell2-map-to-5mod8" numbered="true" toc="default"> <section anchor="ell2-map-to-5mod8">
<name>Montgomery curves with q = 5 (mod 8)</name> <name>Montgomery Curves with q = 5 (mod 8)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
that applies to any Montgomery curve defined over GF(q) where q = 5 (mod 8).</t> that applies to any Montgomery curve defined over GF(q) where q = 5 (mod 8).</t>
<t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve25519" format="default"/> <t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve25519"/>
gives identical results with slightly reduced cost.</t> gives identical results with slightly reduced cost.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_5mod8(u) map_to_curve_elligator2_5mod8(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on the target curve. point on the target curve.
Constants: Constants:
1. c1 = (q + 3) / 8 # Integer arithmetic 1. c1 = (q + 3) / 8 # Integer arithmetic
2. c2 = 2^c1 2. c2 = 2^c1
3. c3 = sqrt(-1) 3. c3 = sqrt(-1)
skipping to change at line 4677 skipping to change at line 4355
36. tv2 = y1^2 36. tv2 = y1^2
37. tv2 = tv2 * gxd 37. tv2 = tv2 * gxd
38. e3 = tv2 == gx1 38. e3 = tv2 == gx1
39. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 39. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
40. xn = xn * K 40. xn = xn * K
41. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 41. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
42. e4 = sgn0(y) == 1 # Fix sign of y 42. e4 = sgn0(y) == 1 # Fix sign of y
43. y = CMOV(y, -y, e3 XOR e4) 43. y = CMOV(y, -y, e3 XOR e4)
44. y = y * K 44. y = y * K
45. return (xn, xd, y, 1) 45. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="clear-cofactor-bls12381-g2" numbered="true" toc="default" <section anchor="clear-cofactor-bls12381-g2">
> <name>Cofactor Clearing for BLS12-381 G2</name>
<name>Cofactor clearing for BLS12-381 G2</name> <t>The curve BLS12-381, whose parameters are defined in <xref target="su
<t>The curve BLS12-381, whose parameters are defined in <xref target="su ites-bls12381-g2"/>,
ites-bls12381-g2" format="default"/>, admits an efficiently computable endomorphism, psi, that can be used to
admits an efficiently-computable endomorphism psi that can be used to speed up cofactor clearing for G2 <xref target="SBCDK09"/> <xref target="FKR11"/
speed up cofactor clearing for G2 <xref target="SBCDK09" format="default"/> <xre > <xref target="BP17"/> (see also
f target="FKR11" format="default"/> <xref target="BP17" format="default"/> (see <xref target="cofactor-clearing"/>).
<xref target="cofactor-clearing" format="default"/>).
This section implements the endomorphism psi and a fast cofactor clearing This section implements the endomorphism psi and a fast cofactor clearing
method described by Budroni and Pintore <xref target="BP17" format="default"/>.< /t> method described by Budroni and Pintore <xref target="BP17"/>.</t>
<t>The functions in this section operate on points whose coordinates are <t>The functions in this section operate on points whose coordinates are
represented as ratios, i.e., (xn, xd, yn, yd) corresponds to the point represented as ratios, i.e., (xn, xd, yn, yd) corresponds to the point
(xn / xd, yn / yd); see <xref target="projective-coords" format="default"/> for further discussion of (xn / xd, yn / yd); see <xref target="projective-coords"/> for further discussio n of
projective coordinates. projective coordinates.
When points are represented in affine coordinates, one can simply ignore When points are represented in affine coordinates, one can simply ignore
the denominators (xd == 1 and yd == 1).</t> the denominators (xd == 1 and yd&nbsp;== 1).</t>
<t>The following function computes the Frobenius endomorphism for an ele ment <t>The following function computes the Frobenius endomorphism for an ele ment
of F = GF(p^2) with basis (1, I), where I^2 + 1 == 0 in F. of F = GF(p^2) with basis (1, I), where I^2 + 1 == 0 in F.
(This is the base field of the elliptic curve E defined in <xref target="suites- (This is the base field of the elliptic curve E defined in <xref target="suites-
bls12381-g2" format="default"/>.)</t> bls12381-g2"/>.)</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
frobenius(x) frobenius(x)
Input: x, an element of GF(p^2). Input: x, an element of GF(p^2).
Output: a, an element of GF(p^2). Output: a, an element of GF(p^2).
Notation: x = x0 + I * x1, where x0 and x1 are elements of GF(p). Notation: x = x0 + I * x1, where x0 and x1 are elements of GF(p).
Steps: Steps:
1. a = x0 - I * x1 1. a = x0 - I * x1
2. return a 2. return a
</sourcecode> ]]></sourcecode>
<t>The following function computes the endomorphism psi for points on th e <t>The following function computes the endomorphism psi for points on th e
elliptic curve E defined in <xref target="suites-bls12381-g2" format="default"/> elliptic curve E defined in <xref target="suites-bls12381-g2"/>.</t>
.</t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
psi(xn, xd, yn, yd) psi(xn, xd, yn, yd)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point on the same curve. Output: Q, a point on the same curve.
Constants: Constants:
1. c1 = 1 / (1 + I)^((p - 1) / 3) # in GF(p^2) 1. c1 = 1 / (1 + I)^((p - 1) / 3) # in GF(p^2)
2. c2 = 1 / (1 + I)^((p - 1) / 2) # in GF(p^2) 2. c2 = 1 / (1 + I)^((p - 1) / 2) # in GF(p^2)
Steps: Steps:
1. qxn = c1 * frobenius(xn) 1. qxn = c1 * frobenius(xn)
2. qxd = frobenius(xd) 2. qxd = frobenius(xd)
3. qyn = c2 * frobenius(yn) 3. qyn = c2 * frobenius(yn)
4. qyd = frobenius(yd) 4. qyd = frobenius(yd)
5. return (qxn, qxd, qyn, qyd) 5. return (qxn, qxd, qyn, qyd)
</sourcecode> ]]></sourcecode>
<t>The following function efficiently computes psi(psi(P)).</t> <t>The following function efficiently computes psi(psi(P)).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
psi2(xn, xd, yn, yd) psi2(xn, xd, yn, yd)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point on the same curve. Output: Q, a point on the same curve.
Constants: Constants:
1. c1 = 1 / 2^((p - 1) / 3) # in GF(p^2) 1. c1 = 1 / 2^((p - 1) / 3) # in GF(p^2)
Steps: Steps:
1. qxn = c1 * xn 1. qxn = c1 * xn
2. qyn = -yn 2. qyn = -yn
3. return (qxn, xd, qyn, yd) 3. return (qxn, xd, qyn, yd)
</sourcecode> ]]></sourcecode>
<t>The following function maps any point on the elliptic curve E (<xref <t>The following function maps any point on the elliptic curve E (<xref
target="suites-bls12381-g2" format="default"/>) target="suites-bls12381-g2"/>)
into the prime-order subgroup G2. into the prime-order subgroup G2.
This function returns a point equal to h_eff * P, where h_eff is the parameter This function returns a point equal to h_eff * P, where h_eff is the parameter
given in <xref target="suites-bls12381-g2" format="default"/>.</t> given in <xref target="suites-bls12381-g2"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor_bls12381_g2(P) clear_cofactor_bls12381_g2(P)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point in the subgroup G2 of BLS12-381. Output: Q, a point in the subgroup G2 of BLS12-381.
Constants: Constants:
1. c1 = -15132376222941642752 # the BLS parameter for BLS12-381 1. c1 = -15132376222941642752 # the BLS parameter for BLS12-381
# i.e., -0xd201000000010000 # i.e., -0xd201000000010000
Notation: in this procedure, + and - represent elliptic curve point Notation: in this procedure, + and - represent elliptic curve point
skipping to change at line 4773 skipping to change at line 4451
2. t2 = psi(P) 2. t2 = psi(P)
3. t3 = 2 * P 3. t3 = 2 * P
4. t3 = psi2(t3) 4. t3 = psi2(t3)
5. t3 = t3 - t2 5. t3 = t3 - t2
6. t2 = t1 + t2 6. t2 = t1 + t2
7. t2 = c1 * t2 7. t2 = c1 * t2
8. t3 = t3 + t2 8. t3 = t3 + t2
9. t3 = t3 - t1 9. t3 = t3 - t1
10. Q = t3 - P 10. Q = t3 - P
11. return Q 11. return Q
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="paramgen" numbered="true" toc="default"> <section anchor="paramgen">
<name>Scripts for parameter generation</name> <name>Scripts for Parameter Generation</name>
<t>This section gives Sage <xref target="SAGE" format="default"/> scripts <t>This section gives Sage scripts <xref target="SAGE"/> used to generate
used to generate parameters for the mappings of <xref target="mappings" format=" parameters for the mappings of <xref target="mappings"/>.</t>
default"/>.</t> <section anchor="svdw-z-code">
<section anchor="svdw-z-code" numbered="true" toc="default"> <name>Finding Z for the Shallue-van de Woestijne Map</name>
<name>Finding Z for the Shallue-van de Woestijne map</name> <t>The below function outputs an appropriate Z for the Shallue-van de Wo
<t>The below function outputs an appropriate Z for the Shallue and van d estijne map (<xref target="svdw"/>).</t>
e Woestijne map (<xref target="svdw" format="default"/>).</t> <sourcecode type=""><![CDATA[
<sourcecode type="sage">
# Arguments: # Arguments:
# - F, a field object, e.g., F = GF(2^521 - 1) # - F, a field object, e.g., F = GF(2^521 - 1)
# - A and B, the coefficients of the curve y^2 = x^3 + A * x + B # - A and B, the coefficients of the curve y^2 = x^3 + A * x + B
def find_z_svdw(F, A, B, init_ctr=1): def find_z_svdw(F, A, B, init_ctr=1):
g = lambda x: F(x)^3 + F(A) * F(x) + F(B) g = lambda x: F(x)^3 + F(A) * F(x) + F(B)
h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z)) h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z))
# NOTE: if init_ctr=1 fails to find Z, try setting it to F.gen() # NOTE: if init_ctr=1 fails to find Z, try setting it to F.gen()
ctr = init_ctr ctr = init_ctr
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
skipping to change at line 4810 skipping to change at line 4488
continue continue
# Criterion 3: # Criterion 3:
# -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F. # -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
if not is_square(h(Z_cand)): if not is_square(h(Z_cand)):
continue continue
# Criterion 4: # Criterion 4:
# At least one of g(Z) and g(-Z / 2) is square in F. # At least one of g(Z) and g(-Z / 2) is square in F.
if is_square(g(Z_cand)) or is_square(g(-Z_cand / F(2))): if is_square(g(Z_cand)) or is_square(g(-Z_cand / F(2))):
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sswu-z-code" numbered="true" toc="default"> <section anchor="sswu-z-code">
<name>Finding Z for Simplified SWU</name> <name>Finding Z for Simplified SWU</name>
<t>The below function outputs an appropriate Z for the Simplified SWU ma <t>The below function outputs an appropriate Z for the Simplified SWU ma
p (<xref target="simple-swu" format="default"/>).</t> p (<xref target="simple-swu"/>).</t>
<sourcecode type="sage"> <sourcecode type=""><![CDATA[
# Arguments: # Arguments:
# - F, a field object, e.g., F = GF(2^521 - 1) # - F, a field object, e.g., F = GF(2^521 - 1)
# - A and B, the coefficients of the curve y^2 = x^3 + A * x + B # - A and B, the coefficients of the curve y^2 = x^3 + A * x + B
def find_z_sswu(F, A, B): def find_z_sswu(F, A, B):
R.<xx> = F[] # Polynomial ring over F R.<xx> = F[] # Polynomial ring over F
g = xx^3 + F(A) * xx + F(B) # y^2 = g(x) = x^3 + A * x + B g = xx^3 + F(A) * xx + F(B) # y^2 = g(x) = x^3 + A * x + B
ctr = F.gen() ctr = F.gen()
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
# Criterion 1: Z is non-square in F. # Criterion 1: Z is non-square in F.
if is_square(Z_cand): if is_square(Z_cand):
continue continue
# Criterion 2: Z != -1 in F. # Criterion 2: Z != -1 in F.
if Z_cand == F(-1): if Z_cand == F(-1):
continue continue
# Criterion 3: g(x) - Z is irreducible over F. # Criterion 3: g(x) - Z is irreducible over F.
if not (g - Z_cand).is_irreducible(): if not (g - Z_cand).is_irreducible():
continue continue
# Criterion 4: g(B / (Z * A)) is square in F. # Criterion 4: g(B / (Z * A)) is square in F.
if is_square(g(B / (Z_cand * A))): if is_square(g(B / (Z_cand * A))):
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="elligator-z-code" numbered="true" toc="default"> <section anchor="elligator-z-code">
<name>Finding Z for Elligator 2</name> <name>Finding Z for Elligator 2</name>
<t>The below function outputs an appropriate Z for the Elligator 2 map ( <t>The below function outputs an appropriate Z for the Elligator 2 map (
<xref target="elligator2" format="default"/>).</t> <xref target="elligator2"/>).</t>
<sourcecode type="sage"> <sourcecode type=""><![CDATA[
# Argument: # Argument:
# - F, a field object, e.g., F = GF(2^255 - 19) # - F, a field object, e.g., F = GF(2^255 - 19)
def find_z_ell2(F): def find_z_ell2(F):
ctr = F.gen() ctr = F.gen()
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
# Z must be a non-square in F. # Z must be a non-square in F.
if is_square(Z_cand): if is_square(Z_cand):
continue continue
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
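The find_z_sswu and find_z_ell2 searches above, ported to plain Python for a prime field F = GF(p) as an added example (this is not the RFC's Sage code): Sage's is_square() becomes Euler's criterion, F.gen() is 1 for a prime field, and the irreducibility test on the cubic g(x) - Z becomes a root test, gcd(g(x) - Z, x^p - x) == 1, since a cubic with no root in GF(p) is irreducible over GF(p). The curve parameters are those of the RFC's P-256, curve25519 and curve448 suites.

```python
"""Added example, not the RFC's Sage script: find_z_sswu and find_z_ell2
for a prime field F = GF(p). Sage's is_square() is Euler's criterion here,
F.gen() is 1 for a prime field, and Polynomial.is_irreducible() for the
cubic g(x) - Z is the root test gcd(g(x) - Z, x^p - x) == 1."""


def is_square(x, p):
    """Euler's criterion; 0 counts as a square, as in Sage."""
    x %= p
    return x == 0 or pow(x, (p - 1) // 2, p) == 1


def _mulmod_cubic(a, b, f, p):
    """Product of a and b (coefficient lists, low degree first, degree < 3)
    reduced modulo the monic cubic x^3 + f[2] x^2 + f[1] x + f[0]."""
    prod = [0] * 5
    for i in range(3):
        for j in range(3):
            prod[i + j] = (prod[i + j] + a[i] * b[j]) % p
    for d in (4, 3):  # x^d = -x^(d - 3) * (f[2] x^2 + f[1] x + f[0])
        c, prod[d] = prod[d], 0
        for k in range(3):
            prod[d - 3 + k] = (prod[d - 3 + k] - c * f[k]) % p
    return prod[:3]


def _gcd_degree(a, b, p):
    """Degree of gcd(a, b) over GF(p); a, b are coefficient lists, low first."""
    def trim(v):
        while v and v[-1] == 0:
            v.pop()
        return v
    a, b = trim(list(a)), trim(list(b))
    while b:
        inv = pow(b[-1], -1, p)
        while len(a) >= len(b):           # a = a mod b
            c = a[-1] * inv % p
            shift = len(a) - len(b)
            for k in range(len(b)):
                a[shift + k] = (a[shift + k] - c * b[k]) % p
            trim(a)
        a, b = b, a
    return len(a) - 1


def _cubic_is_irreducible(f, p):
    """f = [f0, f1, f2] is the monic cubic x^3 + f2 x^2 + f1 x + f0 over GF(p)."""
    result, base, e = [1, 0, 0], [0, 1, 0], p   # compute x^p mod f
    while e:
        if e & 1:
            result = _mulmod_cubic(result, base, f, p)
        base = _mulmod_cubic(base, base, f, p)
        e >>= 1
    xp_minus_x = [result[0], (result[1] - 1) % p, result[2]]
    return _gcd_degree(f + [1], xp_minus_x, p) == 0   # no root in GF(p)


def find_z_sswu(p, A, B):
    """Same search order and criteria as the Sage find_z_sswu."""
    A, B = A % p, B % p
    ctr = 1
    while True:
        for Z in (ctr % p, (-ctr) % p):
            if is_square(Z, p):                 # Criterion 1: Z non-square
                continue
            if Z == p - 1:                      # Criterion 2: Z != -1
                continue
            # Criterion 3: g(x) - Z = x^3 + A x + (B - Z) irreducible over F
            if not _cubic_is_irreducible([(B - Z) % p, A, 0], p):
                continue
            x = B * pow(Z * A % p, -1, p) % p   # Criterion 4: g(B / (Z A)) square
            if is_square((pow(x, 3, p) + A * x + B) % p, p):
                return Z
        ctr += 1


def find_z_ell2(p):
    """Same as the Sage find_z_ell2: first non-square among 1, -1, 2, -2, ..."""
    ctr = 1
    while True:
        for Z in (ctr % p, (-ctr) % p):
            if not is_square(Z, p):
                return Z
        ctr += 1


# Parameters of the RFC's suites: NIST P-256 (A = -3) and the primes of
# curve25519 and curve448. Results are returned as residues in [0, p).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P25519 = 2**255 - 19
P448 = 2**448 - 2**224 - 1

if __name__ == "__main__":
    print("P-256 SSWU Z =", find_z_sswu(P256_P, -3, P256_B) - P256_P)  # -10
    print("curve25519 Elligator 2 Z =", find_z_ell2(P25519))          # 2
    print("curve448 Elligator 2 Z =", find_z_ell2(P448) - P448)       # -1
```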
</section> </section>
</section> </section>
<section anchor="appx-sqrt" numbered="true" toc="default"> <section anchor="appx-sqrt">
<name>sqrt and is_square functions</name> <name>sqrt and is_square Functions</name>
<t>This section defines special-purpose sqrt functions for the three most common cases, <t>This section defines special-purpose sqrt functions for the three most common cases,
q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16), q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16),
plus a generic constant-time algorithm that works for any prime modulus.</t> plus a generic constant-time algorithm that works for any prime modulus.</t>
<t>In addition, it gives an optimized is_square method for GF(p^2).</t> <t>In addition, it gives an optimized is_square method for GF(p^2).</t>
<section anchor="sqrt-3mod4" numbered="true" toc="default"> <section anchor="sqrt-3mod4">
<name>sqrt for q = 3 (mod 4)</name> <name>sqrt for q = 3 (mod 4)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_3mod4(x) sqrt_3mod4(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = (q + 1) / 4 # Integer arithmetic 1. c1 = (q + 1) / 4 # Integer arithmetic
Procedure: Procedure:
1. return x^c1 1. return x^c1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-5mod8" numbered="true" toc="default"> <section anchor="sqrt-5mod8">
<name>sqrt for q = 5 (mod 8)</name> <name>sqrt for q = 5 (mod 8)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_5mod8(x) sqrt_5mod8(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
2. c2 = (q + 3) / 8 # Integer arithmetic 2. c2 = (q + 3) / 8 # Integer arithmetic
Procedure: Procedure:
1. tv1 = x^c2 1. tv1 = x^c2
2. tv2 = tv1 * c1 2. tv2 = tv1 * c1
3. e = (tv1^2) == x 3. e = (tv1^2) == x
4. z = CMOV(tv2, tv1, e) 4. z = CMOV(tv2, tv1, e)
5. return z 5. return z
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-9mod16" numbered="true" toc="default"> <section anchor="sqrt-9mod16">
<name>sqrt for q = 9 (mod 16)</name> <name>sqrt for q = 9 (mod 16)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_9mod16(x) sqrt_9mod16(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
skipping to change at line 4934 skipping to change at line 4612
2. tv2 = c1 * tv1 2. tv2 = c1 * tv1
3. tv3 = c2 * tv1 3. tv3 = c2 * tv1
4. tv4 = c3 * tv1 4. tv4 = c3 * tv1
5. e1 = (tv2^2) == x 5. e1 = (tv2^2) == x
6. e2 = (tv3^2) == x 6. e2 = (tv3^2) == x
7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x
8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x
9. e3 = (tv2^2) == x 9. e3 = (tv2^2) == x
10. z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2 10. z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2
11. return z 11. return z
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-ts" numbered="true" toc="default"> <section anchor="sqrt-ts">
<name>Constant-time Tonelli-Shanks algorithm</name> <name>Constant-Time Tonelli-Shanks Algorithm</name>
<t>This algorithm is a constant-time version of the classic Tonelli-Shan ks algorithm <t>This algorithm is a constant-time version of the classic Tonelli-Shan ks algorithm
(<xref target="C93" format="default"/>, Algorithm 1.5.1) due to Sean Bowe, Jack Grigg, and Eirik Ogilvie-Wigley <xref target="jubjub-fq" format="default"/>, (<xref target="C93"/>, Algorithm 1.5.1) due to Sean Bowe, Jack Grigg, and Eirik Ogilvie-Wigley <xref target="jubjub-fq"/>,
adapted and optimized by Michael Scott.</t> adapted and optimized by Michael Scott.</t>
<t>This algorithm applies to GF(p) for any p. <t>This algorithm applies to GF(p) for any p.
Note, however, that the special-purpose algorithms given in the prior sections a re Note, however, that the special-purpose algorithms given in the prior sections a re
faster, when they apply.</t> faster, when they apply.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_ts_ct(x) sqrt_ts_ct(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that z^2 == x, if x is square in F. Output: z, an element of F such that z^2 == x, if x is square in F.
Constants: Constants:
1. c1, the largest integer such that 2^c1 divides q - 1. 1. c1, the largest integer such that 2^c1 divides q - 1.
skipping to change at line 4978 skipping to change at line 4656
8. for j in (1, 2, ..., i - 2): 8. for j in (1, 2, ..., i - 2):
9. b = b * b 9. b = b * b
10. e = b == 1 10. e = b == 1
11. zt = z * c 11. zt = z * c
12. z = CMOV(zt, z, e) 12. z = CMOV(zt, z, e)
13. c = c * c 13. c = c * c
14. tt = t * c 14. tt = t * c
15. t = CMOV(tt, t, e) 15. t = CMOV(tt, t, e)
16. b = t 16. b = t
17. return z 17. return z
</sourcecode> ]]></sourcecode>
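As an added example (not the RFC's pseudocode), sqrt_3mod4, sqrt_5mod8 and sqrt_ts_ct for F = GF(p) written over Python integers. The Tonelli-Shanks constants c2 to c5 and the set-up steps that the excerpt above omits are filled in from the standard algorithm, and the exhaustive checks on small primes plus spot checks on the curve25519 prime verify z^2 == x. Python's big-integer arithmetic is not constant time; CMOV uses a bit mask only to mirror the branch-free selection the pseudocode relies on.

```python
"""Added example, not the RFC's pseudocode: sqrt_3mod4, sqrt_5mod8 and the
constant-time Tonelli-Shanks sqrt_ts_ct for F = GF(p). The Tonelli-Shanks
constants c2..c5 and the prologue (steps 1-7) are taken from the standard
algorithm; the loop body is the one shown in the appendix."""


def CMOV(a, b, c):
    """Return b if c is True, else a, without a data-dependent branch."""
    mask = -int(bool(c))          # all ones if c, else zero
    return a ^ ((a ^ b) & mask)   # valid for non-negative Python ints


def sqrt_3mod4(x, q):
    """q = 3 (mod 4): one exponentiation with c1 = (q + 1) / 4."""
    assert q % 4 == 3
    return pow(x, (q + 1) // 4, q)


def sqrt_5mod8(x, q):
    """q = 5 (mod 8): c1 = sqrt(-1) = 2^((q - 1) / 4), as 2 is a non-square."""
    assert q % 8 == 5
    c1 = pow(2, (q - 1) // 4, q)
    c2 = (q + 3) // 8
    tv1 = pow(x, c2, q)
    tv2 = tv1 * c1 % q
    e = tv1 * tv1 % q == x % q
    return CMOV(tv2, tv1, e)


def sqrt_ts_ct(x, q, c4=None):
    """sqrt_ts_ct for any odd prime q.

    c1 = v_2(q - 1), c2 = (q - 1) / 2^c1 (odd), c3 = (c2 - 1) / 2,
    c4 = a non-square in F, c5 = c4^c2 (a generator of the 2-Sylow subgroup).
    The prologue sets z = x^((c2 + 1) / 2) and t = x^c2 so that z^2 == t * x
    holds throughout; the loop drives t to 1 without branching on secrets.
    """
    x %= q
    c1 = 0
    while (q - 1) % (1 << (c1 + 1)) == 0:
        c1 += 1
    c2 = (q - 1) >> c1
    c3 = (c2 - 1) // 2
    if c4 is None:                       # smallest quadratic non-residue
        c4 = 2
        while pow(c4, (q - 1) // 2, q) != q - 1:
            c4 += 1
    c5 = pow(c4, c2, q)
    z = pow(x, c3, q)
    t = z * z * x % q
    z = z * x % q
    b = t
    c = c5
    for i in range(c1, 1, -1):           # i = c1, c1 - 1, ..., 2
        for _ in range(i - 2):           # b = t^(2^(i - 2))
            b = b * b % q
        e = b == 1
        zt = z * c % q
        z = CMOV(zt, z, e)
        c = c * c % q
        tt = t * c % q
        t = CMOV(tt, t, e)
        b = t
    return z


def is_root(z, x, q):
    """The defining property of the output: z^2 == x in F."""
    return z * z % q == x % q


def all_squares_ok(q, sqrt_fn):
    """Exhaustive check for a small prime: sqrt_fn recovers every square."""
    return all(is_root(sqrt_fn(a * a % q, q), a * a % q, q) for a in range(q))


if __name__ == "__main__":
    P25519 = 2**255 - 19                 # q = 5 (mod 8)
    x = pow(123456789, 2, P25519)
    print(is_root(sqrt_5mod8(x, P25519), x, P25519))   # True
    print(is_root(sqrt_ts_ct(x, P25519), x, P25519))   # True
    print(all_squares_ok(97, sqrt_ts_ct))              # True, 96 = 2^5 * 3
```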
</section> </section>
<section anchor="appx-sqrt-issq" numbered="true" toc="default"> <section anchor="appx-sqrt-issq">
<name>is_square for F = GF(p^2)</name> <name>is_square for F = GF(p^2)</name>
<t>The following is_square method applies to any field F = GF(p^2) <t>The following is_square method applies to any field F = GF(p^2)
with basis (1, I) represented as described in <xref target="bg-curves" format="d efault"/>, i.e., with basis (1, I) represented as described in <xref target="bg-curves"/>, i.e.,
an element x = (x_1, x_2) = x_1 + x_2 * I.</t> an element x = (x_1, x_2) = x_1 + x_2 * I.</t>
<t>Other optimizations of this type are possible in other extension <t>Other optimizations of this type are possible in other extension
fields; see, e.g., <xref target="AR13" format="default"/> for more information.< fields; see, for example, <xref target="AR13"/> for more information.</t>
/t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
is_square(x) is_square(x)
Parameters: Parameters:
- F, an extension field of characteristic p and order q = p^2 - F, an extension field of characteristic p and order q = p^2
with basis (1, I). with basis (1, I).
Input: x, an element of F. Input: x, an element of F.
Output: True if x is square in F, and False otherwise. Output: True if x is square in F, and False otherwise.
Constants: Constants:
1. c1 = (p - 1) / 2 # Integer arithmetic 1. c1 = (p - 1) / 2 # Integer arithmetic
Procedure: Procedure:
1. tv1 = x_1^2 1. tv1 = x_1^2
2. tv2 = I * x_2 2. tv2 = I * x_2
3. tv2 = tv2^2 3. tv2 = tv2^2
4. tv1 = tv1 - tv2 4. tv1 = tv1 - tv2
5. tv1 = tv1^c1 5. tv1 = tv1^c1
6. e1 = tv1 != -1 # Note: -1 in F 6. e1 = tv1 != -1 # Note: -1 in F
7. return e1 7. return e1
</sourcecode> ]]></sourcecode>
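The is_square shortcut above beside the generic Euler-criterion test it replaces, as an added example (not the RFC's code). Elements are pairs (x_1, x_2) = x_1 + x_2 * I with I^2 = -1, which requires p = 3 (mod 4) and is the representation used for the BLS12-381 GF(p^2); the exhaustive comparison over small fields and the spot checks with the BLS12-381 prime show the two tests agree.

```python
"""Added example, not the RFC's code: the GF(p^2) is_square of this appendix
(one exponentiation in GF(p)) next to the generic Euler criterion in GF(p^2).
Representation: x = (x_1, x_2) = x_1 + x_2 * I with I^2 = -1, so p = 3 (mod 4)."""


def fp2_mul(a, b, p):
    """(a1 + a2 I)(b1 + b2 I) with I^2 = -1."""
    a1, a2 = a
    b1, b2 = b
    return ((a1 * b1 - a2 * b2) % p, (a1 * b2 + a2 * b1) % p)


def fp2_pow(a, e, p):
    result, base = (1, 0), a
    while e:
        if e & 1:
            result = fp2_mul(result, base, p)
        base = fp2_mul(base, base, p)
        e >>= 1
    return result


def is_square_generic(x, p):
    """Euler's criterion in GF(p^2): a non-zero square has x^((p^2 - 1) / 2) == 1."""
    if x == (0, 0):
        return True
    return fp2_pow(x, (p * p - 1) // 2, p) == (1, 0)


def is_square_fast(x, p):
    """The appendix's is_square, step by step.

    tv1 = x_1^2 - (I * x_2)^2 = x_1^2 + x_2^2 is the norm of x down to GF(p),
    and x is a square in GF(p^2) exactly when its norm is a square in GF(p);
    that needs only a Legendre symbol, i.e. one exponentiation by (p - 1) / 2.
    """
    x_1, x_2 = x
    c1 = (p - 1) // 2
    tv1 = x_1 * x_1 % p                  # 1. tv1 = x_1^2
    tv2 = fp2_mul((0, 1), (x_2, 0), p)   # 2. tv2 = I * x_2
    tv2 = fp2_mul(tv2, tv2, p)           # 3. tv2 = tv2^2, which is (-x_2^2, 0)
    tv1 = (tv1 - tv2[0]) % p             # 4. tv1 = tv1 - tv2, an element of GF(p)
    tv1 = pow(tv1, c1, p)                # 5. tv1 = tv1^c1
    return tv1 != p - 1                  # 6./7. e1 = tv1 != -1


def agree_everywhere(p):
    """Exhaustive comparison over all p^2 elements (small p only)."""
    return all(is_square_fast((a, b), p) == is_square_generic((a, b), p)
               for a in range(p) for b in range(p))


# The BLS12-381 base field prime (from the curve's definition, p = 3 mod 4).
BLS12_381_P = 0x1A0111EA397FE69A4B1BA7B6434BACD764774B84F38512BF6730D2A0F6B0F6241EABFFFEB153FFFFB9FEFFFFFFFFAAAB

if __name__ == "__main__":
    print(agree_everywhere(7), agree_everywhere(11))          # True True
    print(is_square_fast((1, 1), BLS12_381_P))                # False: 1 + I is a non-square
    sq = fp2_mul((3, 5), (3, 5), BLS12_381_P)
    print(is_square_fast(sq, BLS12_381_P))                    # True
```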
</section> </section>
</section> </section>
<section anchor="testvectors" numbered="true" toc="default"> <section anchor="testvectors">
<name>Suite test vectors</name> <name>Suite Test Vectors</name>
<t>This section gives test vectors for each suite defined in <xref target= <t>This section gives test vectors for each suite defined in <xref target=
"suites" format="default"/>. "suites"/>.
The test vectors in this section were generated using code that is The test vectors in this section were generated using code that is
available from <xref target="hash2curve-repo" format="default"/>.</t> available from <xref target="hash2curve-repo"/>.</t>
<t>Each test vector in this section lists values computed by the <t>Each test vector in this section lists values computed by the
appropriate encoding function, with variable names defined as appropriate encoding function, with variable names defined as
in <xref target="roadmap" format="default"/>. in <xref target="roadmap"/>.
For example, for a suite whose encoding type is random oracle, For example, for a suite whose encoding type is random oracle,
the test vector gives the value for msg, u, Q0, Q1, and the the test vector gives the value for msg, u, Q0, Q1, and the
output point P.</t> output point P.</t>
<section anchor="nist-p-256" numbered="true" toc="default"> <section anchor="nist-p-256">
<name>NIST P-256</name> <name>NIST P-256</name>
<section anchor="p256xmdsha-256sswuro" numbered="true" toc="default"> <section anchor="p256xmdsha-256sswuro">
<name>P256_XMD:SHA-256_SSWU_RO_</name> <name>P256_XMD:SHA-256_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P256_XMD:SHA-256_SSWU_RO_ suite = P256_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_ dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_
msg = msg =
P.x = 2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91 P.x = 2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91
c44247d3e4 c44247d3e4
P.y = 8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9a P.y = 8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9a
b5c43e8415 b5c43e8415
u[0] = ad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba1 u[0] = ad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba1
1582515009 1582515009
skipping to change at line 5132 skipping to change at line 4810
Q0.x = d88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815 Q0.x = d88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815
412e926db8 412e926db8
Q0.y = bb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f01 Q0.y = bb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f01
1ba32f4f40 1ba32f4f40
Q1.x = a281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6 Q1.x = a281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6
a2571c5a4b a2571c5a4b
Q1.y = f6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922 Q1.y = f6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922
961206e184 961206e184
]]></artwork> ]]></artwork>
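The vector above recomputed end to end, as an added example (this is neither the RFC's pseudocode nor the generator from hash2curve-repo): a minimal hash_to_curve for P256_XMD:SHA-256_SSWU_RO_ that reproduces u[0], P.x and P.y for msg = "". It assumes only the P-256 parameters (p, A = -3, B) and the suite constants Z = -10, L = 48 and h_eff = 1 from the RFC.

```python
"""Added example, not the RFC's code: hash_to_curve for the suite
P256_XMD:SHA-256_SSWU_RO_, enough to recompute u[0], P.x and P.y of the
msg = "" vector above. Assumed inputs are the P-256 parameters p, A = -3, B
and the suite constants Z = -10, L = 48, h_eff = 1 from the RFC."""
import hashlib

P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Z = P - 10
L = 48                       # ceil((ceil(log2(p)) + k) / 8) = ceil((256 + 128) / 8)
DST = b"QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_"


def expand_message_xmd(msg, dst, len_in_bytes):
    """expand_message_xmd with H = SHA-256: b_in_bytes = 32, s_in_bytes = 64."""
    b_in_bytes, s_in_bytes = 32, 64
    ell = -(-len_in_bytes // b_in_bytes)
    assert ell <= 255 and len(dst) <= 255 and len_in_bytes <= 65535
    dst_prime = dst + bytes([len(dst)])
    msg_prime = (bytes(s_in_bytes) + msg + len_in_bytes.to_bytes(2, "big")
                 + b"\x00" + dst_prime)
    b_0 = hashlib.sha256(msg_prime).digest()
    b = [hashlib.sha256(b_0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(s ^ t for s, t in zip(b_0, b[-1]))   # strxor(b_0, b_(i-1))
        b.append(hashlib.sha256(mixed + bytes([i]) + dst_prime).digest())
    return b"".join(b)[:len_in_bytes]


def hash_to_field(msg, count):
    """count elements of GF(p), each from L bytes of the expanded message."""
    uniform = expand_message_xmd(msg, DST, count * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P
            for i in range(count)]


def sgn0(x):                 # m = 1: the parity of x
    return x % 2


def sqrt(x):                 # p = 3 (mod 4): sqrt_3mod4
    return pow(x, (P + 1) // 4, P)


def is_square(x):
    return x == 0 or pow(x, (P - 1) // 2, P) == 1


def map_to_curve_simple_swu(u):
    """The Simplified SWU map, following the RFC's plain (branching) description."""
    g = lambda x: (pow(x, 3, P) + A * x + B) % P
    tv1 = (Z * Z * pow(u, 4, P) + Z * u * u) % P
    tv1 = pow(tv1, -1, P) if tv1 else 0                 # inv0
    x1 = (-B * pow(A, -1, P)) * (1 + tv1) % P
    if tv1 == 0:                                         # exceptional case
        x1 = B * pow(Z * A % P, -1, P) % P
    x2 = Z * u * u * x1 % P
    x, y2 = (x1, g(x1)) if is_square(g(x1)) else (x2, g(x2))
    y = sqrt(y2)
    if sgn0(u) != sgn0(y):                               # fix the sign of y
        y = P - y
    return (x, y)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A x + B; None stands for the identity."""
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def hash_to_curve(msg):
    """Random-oracle encoding: P = Q0 + Q1 (h_eff = 1, so no cofactor clearing)."""
    u = hash_to_field(msg, 2)
    q0 = map_to_curve_simple_swu(u[0])
    q1 = map_to_curve_simple_swu(u[1])
    return u, point_add(q0, q1)


if __name__ == "__main__":
    u, (px, py) = hash_to_curve(b"")
    print("u[0] =", format(u[0], "064x"))
    print("P.x  =", format(px, "064x"))
    print("P.y  =", format(py, "064x"))
```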
</section> </section>
<section anchor="p256xmdsha-256sswunu" numbered="true" toc="default"> <section anchor="p256xmdsha-256sswunu">
<name>P256_XMD:SHA-256_SSWU_NU_</name> <name>P256_XMD:SHA-256_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P256_XMD:SHA-256_SSWU_NU_ suite = P256_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_NU_ dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_NU_
msg = msg =
P.x = f871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5a P.x = f871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5a
ce8ddd14d1 ce8ddd14d1
P.y = 87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4 P.y = 87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4
f011ddc99b f011ddc99b
u[0] = b22d487045f80e9edcb0ecc8d4bf77833e2bf1f3a54004d7df1d57 u[0] = b22d487045f80e9edcb0ecc8d4bf77833e2bf1f3a54004d7df1d57
f4802d311f f4802d311f
skipping to change at line 5211 skipping to change at line 4889
cb16f7ef7b cb16f7ef7b
u[0] = 0e1527840b9df2dfbef966678ff167140f2b27c4dccd884c25014d u[0] = 0e1527840b9df2dfbef966678ff167140f2b27c4dccd884c25014d
ce0e41dfa3 ce0e41dfa3
Q.x = 5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b Q.x = 5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b
0691bea5d9 0691bea5d9
Q.y = c801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccd Q.y = c801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccd
cb16f7ef7b cb16f7ef7b
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="nist-p-384" numbered="true" toc="default"> <section anchor="nist-p-384">
<name>NIST P-384</name> <name>NIST P-384</name>
<section anchor="p384xmdsha-384sswuro" numbered="true" toc="default"> <section anchor="p384xmdsha-384sswuro">
<name>P384_XMD:SHA-384_SSWU_RO_</name> <name>P384_XMD:SHA-384_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P384_XMD:SHA-384_SSWU_RO_ suite = P384_XMD:SHA-384_SSWU_RO_
dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_RO_ dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_RO_
msg = msg =
P.x = eb9fe1b4f4e14e7140803c1d99d0a93cd823d2b024040f9c067a8e P.x = eb9fe1b4f4e14e7140803c1d99d0a93cd823d2b024040f9c067a8e
ca1f5a2eeac9ad604973527a356f3fa3aeff0e4d83 ca1f5a2eeac9ad604973527a356f3fa3aeff0e4d83
P.y = 0c21708cff382b7f4643c07b105c2eaec2cead93a917d825601e63 P.y = 0c21708cff382b7f4643c07b105c2eaec2cead93a917d825601e63
c8f21f6abd9abc22c93c2bed6f235954b25048bb1a c8f21f6abd9abc22c93c2bed6f235954b25048bb1a
u[0] = 25c8d7dc1acd4ee617766693f7f8829396065d1b447eedb155871f u[0] = 25c8d7dc1acd4ee617766693f7f8829396065d1b447eedb155871f
effd9c6653279ac7e5c46edb7010a0e4ff64c9f3b4 effd9c6653279ac7e5c46edb7010a0e4ff64c9f3b4
skipping to change at line 5321 skipping to change at line 4999
Q0.x = 42e6666f505e854187186bad3011598d9278b9d6e3e4d2503c3d23 Q0.x = 42e6666f505e854187186bad3011598d9278b9d6e3e4d2503c3d23
6381a56748dec5d139c223129b324df53fa147c4df 6381a56748dec5d139c223129b324df53fa147c4df
Q0.y = 8ee51dbda46413bf621838cc935d18d617881c6f33f3838a79c767 Q0.y = 8ee51dbda46413bf621838cc935d18d617881c6f33f3838a79c767
a1e5618e34b22f79142df708d2432f75c7366c8512 a1e5618e34b22f79142df708d2432f75c7366c8512
Q1.x = 4ff01ceeba60484fa1bc0d825fe1e5e383d8f79f1e5bb78e5fb26b Q1.x = 4ff01ceeba60484fa1bc0d825fe1e5e383d8f79f1e5bb78e5fb26b
7a7ef758153e31e78b9d60ce75c5e32e43869d4e12 7a7ef758153e31e78b9d60ce75c5e32e43869d4e12
Q1.y = 0f84b978fac8ceda7304b47e229d6037d32062e597dc7a9b95bcd9 Q1.y = 0f84b978fac8ceda7304b47e229d6037d32062e597dc7a9b95bcd9
af441f3c56c619a901d21635f9ec6ab4710b9fcd0e af441f3c56c619a901d21635f9ec6ab4710b9fcd0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="p384xmdsha-384sswunu" numbered="true" toc="default"> <section anchor="p384xmdsha-384sswunu">
<name>P384_XMD:SHA-384_SSWU_NU_</name> <name>P384_XMD:SHA-384_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P384_XMD:SHA-384_SSWU_NU_ suite = P384_XMD:SHA-384_SSWU_NU_
dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_NU_ dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_NU_
msg = msg =
P.x = de5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e7292725 P.x = de5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e7292725
6b033ef61058029a3bfb13c1c7ececd6641881ae20 6b033ef61058029a3bfb13c1c7ececd6641881ae20
P.y = 63f46da6139785674da315c1947e06e9a0867f5608cf24724eb379 P.y = 63f46da6139785674da315c1947e06e9a0867f5608cf24724eb379
3a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca 3a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca
u[0] = bc7dc1b2cdc5d588a66de3276b0f24310d4aca4977efda7d6272e1 u[0] = bc7dc1b2cdc5d588a66de3276b0f24310d4aca4977efda7d6272e1
be25187b001493d267dc53b56183c9e28282368e60 be25187b001493d267dc53b56183c9e28282368e60
skipping to change at line 5400 skipping to change at line 5078
5327943eca95d90b23b009ba45f58b72906f2a99e2 5327943eca95d90b23b009ba45f58b72906f2a99e2
u[0] = 7b01ce9b8c5a60d9fbc202d6dde92822e46915d8c17e03fcb92ece u[0] = 7b01ce9b8c5a60d9fbc202d6dde92822e46915d8c17e03fcb92ece
1ed6074d01e149fc9236def40d673de903c1d4c166 1ed6074d01e149fc9236def40d673de903c1d4c166
Q.x = af129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9 Q.x = af129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9
bf1204537bdde73c7cefb752a6ed5ebcd44e183302 bf1204537bdde73c7cefb752a6ed5ebcd44e183302
Q.y = ce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b Q.y = ce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b
5327943eca95d90b23b009ba45f58b72906f2a99e2 5327943eca95d90b23b009ba45f58b72906f2a99e2
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="nist-p-521" numbered="true" toc="default"> <section anchor="nist-p-521">
<name>NIST P-521</name> <name>NIST P-521</name>
<section anchor="p521xmdsha-512sswuro" numbered="true" toc="default"> <section anchor="p521xmdsha-512sswuro">
<name>P521_XMD:SHA-512_SSWU_RO_</name> <name>P521_XMD:SHA-512_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P521_XMD:SHA-512_SSWU_RO_ suite = P521_XMD:SHA-512_SSWU_RO_
dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_ dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_
msg = msg =
P.x = 00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35 P.x = 00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35
680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef 680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef
3556ed9f7f1bc23cecc9c088 3556ed9f7f1bc23cecc9c088
P.y = 0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460 P.y = 0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460
ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c
27166dc3fe5eeef782be411d 27166dc3fe5eeef782be411d
skipping to change at line 5550 skipping to change at line 5228
4ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c88 4ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c88
0a5e76a39f6258074e1bc2e0 0a5e76a39f6258074e1bc2e0
Q1.x = 0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e Q1.x = 0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e
04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec05891 04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec05891
1260dc3bb6512ab5db285fbd 1260dc3bb6512ab5db285fbd
Q1.y = 008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69 Q1.y = 008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69
172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c 172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c
123e56862ce969456f99f102 123e56862ce969456f99f102
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="p521xmdsha-512sswunu" numbered="true" toc="default"> <section anchor="p521xmdsha-512sswunu">
<name>P521_XMD:SHA-512_SSWU_NU_</name> <name>P521_XMD:SHA-512_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P521_XMD:SHA-512_SSWU_NU_ suite = P521_XMD:SHA-512_SSWU_NU_
dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_NU_ dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_NU_
msg = msg =
P.x = 01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97 P.x = 01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97
be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8c be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8c
ee2a3672d4f1987d13974705 ee2a3672d4f1987d13974705
P.y = 00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd P.y = 00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd
12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da 12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da
3286eddf19be47e9c4cf0e91 3286eddf19be47e9c4cf0e91
skipping to change at line 5654 skipping to change at line 5332
e1b274d968d91c02f00cce91 e1b274d968d91c02f00cce91
Q.x = 01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d Q.x = 01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d
721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c68 721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c68
7668f15ec178a17e3d27349b 7668f15ec178a17e3d27349b
Q.y = 0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a Q.y = 0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a
3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2 3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2
938959a83a1f7dd4a6fd395b 938959a83a1f7dd4a6fd395b
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="curve25519" numbered="true" toc="default"> <section anchor="curve25519">
<name>curve25519</name> <name>curve25519</name>
<section anchor="curve25519xmdsha-512ell2ro" numbered="true" toc="defaul t"> <section anchor="curve25519xmdsha-512ell2ro">
<name>curve25519_XMD:SHA-512_ELL2_RO_</name> <name>curve25519_XMD:SHA-512_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve25519_XMD:SHA-512_ELL2_RO_ suite = curve25519_XMD:SHA-512_ELL2_RO_
dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_RO_ dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_RO_
msg = msg =
P.x = 2de3780abb67e861289f5749d16d3e217ffa722192d16bbd9d1bfb P.x = 2de3780abb67e861289f5749d16d3e217ffa722192d16bbd9d1bfb
9d112b98c0 9d112b98c0
P.y = 3b5dc2a498941a1033d176567d457845637554a2fe7a3507d21abd P.y = 3b5dc2a498941a1033d176567d457845637554a2fe7a3507d21abd
1c1bd6e878 1c1bd6e878
u[0] = 005fe8a7b8fef0a16c105e6cadf5a6740b3365e18692a9c05bfbb4 u[0] = 005fe8a7b8fef0a16c105e6cadf5a6740b3365e18692a9c05bfbb4
d97f645a6a d97f645a6a
skipping to change at line 5764 skipping to change at line 5442
Q0.x = 02d606e2699b918ee36f2818f2bc5013e437e673c9f9b9cdc15fd0 Q0.x = 02d606e2699b918ee36f2818f2bc5013e437e673c9f9b9cdc15fd0
c5ee913970 c5ee913970
Q0.y = 29e9dc92297231ef211245db9e31767996c5625dfbf92e1c8107ef Q0.y = 29e9dc92297231ef211245db9e31767996c5625dfbf92e1c8107ef
887365de1e 887365de1e
Q1.x = 38920e9b988d1ab7449c0fa9a6058192c0c797bb3d42ac34572434 Q1.x = 38920e9b988d1ab7449c0fa9a6058192c0c797bb3d42ac34572434
1a1aa98745 1a1aa98745
Q1.y = 24dcc1be7c4d591d307e89049fd2ed30aae8911245a9d8554bf603 Q1.y = 24dcc1be7c4d591d307e89049fd2ed30aae8911245a9d8554bf603
2e5aa40d3d 2e5aa40d3d
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="curve25519xmdsha-512ell2nu" numbered="true" toc="defaul t"> <section anchor="curve25519xmdsha-512ell2nu">
<name>curve25519_XMD:SHA-512_ELL2_NU_</name> <name>curve25519_XMD:SHA-512_ELL2_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve25519_XMD:SHA-512_ELL2_NU_ suite = curve25519_XMD:SHA-512_ELL2_NU_
dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_NU_ dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_NU_
msg = msg =
P.x = 1bb913f0c9daefa0b3375378ffa534bda5526c97391952a7789eb9 P.x = 1bb913f0c9daefa0b3375378ffa534bda5526c97391952a7789eb9
76edfe4d08 76edfe4d08
P.y = 4548368f4f983243e747b62a600840ae7c1dab5c723991f85d3a97 P.y = 4548368f4f983243e747b62a600840ae7c1dab5c723991f85d3a97
68479f3ec4 68479f3ec4
u[0] = 608d892b641f0328523802a6603427c26e55e6f27e71a91a478148 u[0] = 608d892b641f0328523802a6603427c26e55e6f27e71a91a478148
d45b5093cd d45b5093cd
skipping to change at line 5843 skipping to change at line 5521
94f4d6d0b8 94f4d6d0b8
u[0] = 1a68a1af9f663592291af987203393f707305c7bac9c8d63d6a729 u[0] = 1a68a1af9f663592291af987203393f707305c7bac9c8d63d6a729
bdc553dc19 bdc553dc19
Q.x = 3bcd651ee54d5f7b6013898aab251ee8ecc0688166fce6e9548d38 Q.x = 3bcd651ee54d5f7b6013898aab251ee8ecc0688166fce6e9548d38
472f6bd196 472f6bd196
Q.y = 1bb36ad9197299f111b4ef21271c41f4b7ecf5543db8bb5931307e Q.y = 1bb36ad9197299f111b4ef21271c41f4b7ecf5543db8bb5931307e
bdb2eaa465 bdb2eaa465
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="edwards25519" numbered="true" toc="default"> <section anchor="edwards25519">
<name>edwards25519</name> <name>edwards25519</name>
<section anchor="edwards25519xmdsha-512ell2ro" numbered="true" toc="defa ult"> <section anchor="edwards25519xmdsha-512ell2ro">
<name>edwards25519_XMD:SHA-512_ELL2_RO_</name> <name>edwards25519_XMD:SHA-512_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = edwards25519_XMD:SHA-512_ELL2_RO_ suite = edwards25519_XMD:SHA-512_ELL2_RO_
dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_ dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_
msg = msg =
P.x = 3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47 P.x = 3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47
b1e4822fc6 b1e4822fc6
P.y = 09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d7953 P.y = 09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d7953
02e115dc21 02e115dc21
u[0] = 03fef4813c8cb5f98c6eef88fae174e6e7d5380de2b007799ac7ee u[0] = 03fef4813c8cb5f98c6eef88fae174e6e7d5380de2b007799ac7ee
712d203f3a 712d203f3a
skipping to change at line 5953 skipping to change at line 5631
Q0.x = 21091b2e3f9258c7dfa075e7ae513325a94a3d8a28e1b1cb3b5b6f Q0.x = 21091b2e3f9258c7dfa075e7ae513325a94a3d8a28e1b1cb3b5b6f
5d65675592 5d65675592
Q0.y = 41a33d324c89f570e0682cdf7bdb78852295daf8084c669f2cc969 Q0.y = 41a33d324c89f570e0682cdf7bdb78852295daf8084c669f2cc969
2896ab5026 2896ab5026
Q1.x = 4c07ec48c373e39a23bd7954f9e9b66eeab9e5ee1279b867b3d531 Q1.x = 4c07ec48c373e39a23bd7954f9e9b66eeab9e5ee1279b867b3d531
5aa815454f 5aa815454f
Q1.y = 67ccac7c3cb8d1381242d8d6585c57eabaddbb5dca5243a68a8aeb Q1.y = 67ccac7c3cb8d1381242d8d6585c57eabaddbb5dca5243a68a8aeb
5477d94b3a 5477d94b3a
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="edwards25519xmdsha-512ell2nu">
<name>edwards25519_XMD:SHA-512_ELL2_NU_</name>
<artwork><![CDATA[
suite = edwards25519_XMD:SHA-512_ELL2_NU_
dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_
msg =
P.x = 1ff2b70ecf862799e11b7ae744e3489aa058ce805dd323a936375a
84695e76da
P.y = 222e314d04a4d5725e9f2aff9fb2a6b69ef375a1214eb19021ceab
2d687f0f9b
u[0] = 7f3e7fb9428103ad7f52db32f9df32505d7b427d894c5093f7a0f0
374a30641d
...
4245891a37
u[0] = 3cb0178a8137cefa5b79a3a57c858d7eeeaa787b2781be4a362a2f
0750d24fa0
Q.x = 3e6368cff6e88a58e250c54bd27d2c989ae9b3acb6067f2651ad28
2ab8c21cd9
Q.y = 38fb39f1566ca118ae6c7af42810c0bb9767ae5960abb5a8ca7925
30bfb9447d
]]></artwork>
</section>
</section>
<section anchor="curve448">
<name>curve448</name>
<section anchor="curve448xofshake256ell2ro">
<name>curve448_XOF:SHAKE256_ELL2_RO_</name>
<artwork><![CDATA[
suite = curve448_XOF:SHAKE256_ELL2_RO_
dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_
msg =
P.x = 5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdf
c7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6
a9ea
P.y = afadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced
5c563b18e70a284c17d8f46b564c4e6ce11784a3825d9411166221
28c1
...
a806b8adb3e1a75ea48a1228b8937ba85c6cb6ee01046e10cad895
3b1e
Q1.x = 126d744da6a14fddec0f78a9cee4571c1320ac7645b600187812e4
d7021f98fc4703732c54daec787206e1f34d9dbbf4b292c68160b8
bfbd
Q1.y = 136eebe6020f2389d448923899a1a38a4c8ad74254e0686e91c4f9
3c1f8f8e1bd619ffb7c1281467882a9c957d22d50f65c5b72b2aee
11af
]]></artwork>
</section>
<section anchor="curve448xofshake256ell2nu">
<name>curve448_XOF:SHAKE256_ELL2_NU_</name>
<artwork><![CDATA[
suite = curve448_XOF:SHAKE256_ELL2_NU_
dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_
msg =
P.x = b65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afc
f6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aa
fadc
P.y = ea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4b
b8b71bc83a64c771ed7686218a278ef1c5d620f3d26b5316218864
5453
...
70a9
Q.x = 08aed6480793218034fd3b3b0867943d7e0bd1b6f76b4929e0885b
d082b84d4449341da6038bb08229ad9eb7d518dff2c7ea50148e70
a4db
Q.y = e00d32244561ebd4b5f4ef70fcac75a06416be0a1c1b304e7bd361
a6a6586915bb902a323eaf73cf7738e70d34282f61485395ab2833
d2c1
]]></artwork>
</section>
</section>
<section anchor="edwards448">
<name>edwards448</name>
<section anchor="edwards448xofshake256ell2ro">
<name>edwards448_XOF:SHAKE256_ELL2_RO_</name>
<artwork><![CDATA[
suite = edwards448_XOF:SHAKE256_ELL2_RO_
dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_RO_
msg =
P.x = 73036d4a88949c032f01507005c133884e2f0d81f9a950826245dd
a9e844fc78186c39daaa7147ead3e462cff60e9c6340b58134480b
4d17
P.y = 94c1d61b43728e5d784ef4fcb1f38e1075f3aef5e99866911de5a2
34f1aafdc26b554344742e6ba0420b71b298671bbeb2b773661863
4610
...
8031cd607c98edc2a846c77a841f057c7251eb45077853c7b20595
7e52
Q1.x = 69583b00dc6b2aced6ffa44630cc8c8cd0dd0649f57588dd0fb1da
ad2ce132e281d01e3f25ccd3f405be759975c6484268bfe8f5e5f2
3c30
Q1.y = 8418484035f60bdccf48cb488634c2dfb40272123435f7e654fb6f
254c6c42e7e38f1fa79a637a168a28de6c275232b704f9ded0ff76
dd94
]]></artwork>
</section>
<section anchor="edwards448xofshake256ell2nu">
<name>edwards448_XOF:SHAKE256_ELL2_NU_</name>
<artwork><![CDATA[
suite = edwards448_XOF:SHAKE256_ELL2_NU_
dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_NU_
msg =
P.x = eb5a1fc376fd73230af2de0f3374087cc7f279f0460114cf0a6c12
d6d044c16de34ec2350c34b26bf110377655ab77936869d085406a
f71e
P.y = df5dcea6d42e8f494b279a500d09e895d26ac703d75ca6d118e8ca
58bf6f608a2a383f292fce1563ff995dce75aede1fdc8e7c0c737a
e9ad
...
06ea
Q.x = 0fd3bb833c1d7a5b319d1d4117406a23b9aece976186ecb18a11a6
35e6fbdb920d47e04762b1f2a8c59d2f8435d0fdefe501f544cda2
3dbf
Q.y = f13b0dad4d5eeb120f2443ac4392f8096a1396f5014ec2a3506a34
7fef8076a7282035cf619599b1919cf29df5ce87711c11688aab77
00a6
]]></artwork>
</section>
</section>
<section anchor="secp256k1">
<name>secp256k1</name>
<section anchor="secp256k1xmdsha-256sswuro">
<name>secp256k1_XMD:SHA-256_SSWU_RO_</name>
<artwork><![CDATA[
suite = secp256k1_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_RO_
msg =
P.x = c1cae290e291aee617ebaef1be6d73861479c48b841eaba9b7b585
2ddfeb1346
P.y = 64fa678e07ae116126f08b022a94af6de15985c996c3a91b64c406
a960e51067
u[0] = 6b0f9910dd2ba71c78f2ee9f04d73b5f4c5f7fc773a701abea1e57
3cab002fb3
...
Q0.x = b32b0ab55977b936f1e93fdc68cec775e13245e161dbfe556bbb1f
72799b4181
Q0.y = 2f5317098360b722f132d7156a94822641b615c91f8663be691698
70a12af9e8
Q1.x = 148f98780f19388b9fa93e7dc567b5a673e5fca7079cd9cdafd719
82ec4c5e12
Q1.y = 3989645d83a433bc0c001f3dac29af861f33a6fd1e04f4b36873f5
bff497298a
]]></artwork>
</section>
<section anchor="secp256k1xmdsha-256sswunu">
<name>secp256k1_XMD:SHA-256_SSWU_NU_</name>
<artwork><![CDATA[
suite = secp256k1_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_NU_
msg =
P.x = a4792346075feae77ac3b30026f99c1441b4ecf666ded19b7522cf
65c4c55c5b
P.y = 62c59e2a6aeed1b23be5883e833912b08ba06be7f57c0e9cdc663f
31639ff3a7
u[0] = 0137fcd23bc3da962e8808f97474d097a6c8aa2881fceef4514173
635872cf3b
...
ecc2a51718
u[0] = a9ffbeee1d6e41ac33c248fb3364612ff591b502386c1bf6ac4aaf
1ea51f8c3b
Q.x = 17d22b867658977b5002dbe8d0ee70a8cfddec3eec50fb93f36136
070fd9fa6c
Q.y = e9178ff02f4dab73480f8dd590328aea99856a7b6cc8e5a6cdf289
ecc2a51718
]]></artwork>
</section>
</section>
<section anchor="bls12-381-g1">
<name>BLS12-381 G1</name>
<section anchor="bls12381g1xmdsha-256sswuro">
<name>BLS12381G1_XMD:SHA-256_SSWU_RO_</name>
<artwork><![CDATA[
suite = BLS12381G1_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_RO_
msg =
P.x = 052926add2207b76ca4fa57a8734416c8dc95e24501772c8142787
00eed6d1e4e8cf62d9c09db0fac349612b759e79a1
P.y = 08ba738453bfed09cb546dbb0783dbb3a5f1f566ed67bb6be0e8c6
7e2e81a4cc68ee29813bb7994998f3eae0c9c6a265
u[0] = 0ba14bd907ad64a016293ee7c2d276b8eae71f25a4b941eece7b0d
89f17f75cb3ae5438a614fb61d6835ad59f29c564f
...
Q0.x = 0cf97e6dbd0947857f3e578231d07b309c622ade08f2c08b32ff37
2bd90db19467b2563cc997d4407968d4ac80e154f8
Q0.y = 127f0cddf2613058101a5701f4cb9d0861fd6c2a1b8e0afe194fcc
f586a3201a53874a2761a9ab6d7220c68661a35ab3
Q1.x = 092f1acfa62b05f95884c6791fba989bbe58044ee6355d100973bf
9553ade52b47929264e6ae770fb264582d8dce512a
Q1.y = 028e6d0169a72cfedb737be45db6c401d3adfb12c58c619c82b93a
5dfcccef12290de530b0480575ddc8397cda0bbebf
]]></artwork>
</section>
<section anchor="bls12381g1xmdsha-256sswunu">
<name>BLS12381G1_XMD:SHA-256_SSWU_NU_</name>
<artwork><![CDATA[
suite = BLS12381G1_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_NU_
msg =
P.x = 184bb665c37ff561a89ec2122dd343f20e0f4cbcaec84e3c3052ea
81d1834e192c426074b02ed3dca4e7676ce4ce48ba
P.y = 04407b8d35af4dacc809927071fc0405218f1401a6d15af775810e
4e460064bcc9468beeba82fdc751be70476c888bf3
u[0] = 156c8a6a2c184569d69a76be144b5cdc5141d2d2ca4fe341f011e2
5e3969c55ad9e9b9ce2eb833c81a908e5fa4ac5f03
...
89ccde29ac7d46c53bb97a59b1901abf1db66052db
u[0] = 0dd824886d2123a96447f6c56e3a3fa992fbfefdba17b6673f9f63
0ff19e4d326529db37e1c1be43f905bf9202e0278d
Q.x = 1775d400a1bacc1c39c355da7e96d2d1c97baa9430c4a3476881f8
521c09a01f921f592607961efc99c4cd46bd78ca19
Q.y = 1109b5d59f65964315de65a7a143e86eabc053104ed289cf480949
317a5685fad7254ff8e7fe6d24d3104e5d55ad6370
]]></artwork>
</section>
</section>
<section anchor="bls12-381-g2">
<name>BLS12-381 G2</name>
<section anchor="bls12381g2xmdsha-256sswuro">
<name>BLS12381G2_XMD:SHA-256_SSWU_RO_</name>
<artwork><![CDATA[
suite = BLS12381G2_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_RO_
msg =
P.x = 0141ebfbdca40eb85b87142e130ab689c673cf60f1a3e98d693352
66f30d9b8d4ac44c1038e9dcdd5393faf5c41fb78a
+ I * 05cb8437535e20ecffaef7752baddf98034139c38452458baeefab
379ba13dff5bf5dd71b72418717047f5b0f37da03d
P.y = 0503921d7f6a12805e72940b963c0cf3471c7b2a524950ca195d11
062ee75ec076daf2d4bc358c4b190c0c98064fdd92
...
Q1.x = 16ec57b7fe04c71dfe34fb5ad84dbce5a2dbbd6ee085f1d8cd17f4
5e8868976fc3c51ad9eeda682c7869024d24579bfd
+ I * 13103f7aace1ae1420d208a537f7d3a9679c287208026e4e3439ab
8cd534c12856284d95e27f5e1f33eec2ce656533b0
Q1.y = 0958b2c4c2c10fcef5a6c59b9e92c4a67b0fae3e2e0f1b6b5edad9
c940b8f3524ba9ebbc3f2ceb3cfe377655b3163bd7
+ I * 0ccb594ed8bd14ca64ed9cb4e0aba221be540f25dd0d6ba15a4a4b
e5d67bcf35df7853b2d8dad3ba245f1ea3697f66aa
]]></artwork>
</section>
<section anchor="bls12381g2xmdsha-256sswunu">
<name>BLS12381G2_XMD:SHA-256_SSWU_NU_</name>
<artwork><![CDATA[
suite = BLS12381G2_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_NU_
msg =
P.x = 00e7f4568a82b4b7dc1f14c6aaa055edf51502319c723c4dc2688c
7fe5944c213f510328082396515734b6612c4e7bb7
+ I * 126b855e9e69b1f691f816e48ac6977664d24d99f8724868a18418
6469ddfd4617367e94527d4b74fc86413483afb35b
P.y = 0caead0fd7b6176c01436833c79d305c78be307da5f6af6c133c47
311def6ff1e0babf57a0fb5539fce7ee12407b0a42
...
+ I * 0eef4fa41ddc17ed47baf447a2c498548f3c72a02381313d13bef9
16e240b61ce125539090d62d9fbb14a900bf1b8e90
Q.y = 1260d6e0987eae96af9ebe551e08de22b37791d53f4db9e0d59da7
36e66699735793e853e26362531fe4adf99c1883e3
+ I * 0dbace5df0a4ac4ac2f45d8fdf8aee45484576fdd6efc4f98ab9b9
f4112309e628255e183022d98ea5ed6e47ca00306c
]]></artwork>
</section>
</section>
</section>
<section anchor="expand-testvectors">
<name>Expand Test Vectors</name>
<t>This section gives test vectors for expand_message variants specified in <xref target="hashtofield-expand"/>.
The test vectors in this section were generated using code that is
available from <xref target="hash2curve-repo"/>.</t>
<t>Each test vector in this section lists the expand_message name, hash function, and DST,
along with a series of tuples of the function inputs (msg and len_in_bytes),
output (uniform_bytes), and intermediate values (dst_prime and msg_prime).
DST and msg are represented as ASCII strings.
Intermediate and output values are represented as byte strings in hexadecimal.</t>
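<t>As an added example (not code from this document or from the hash2curve repository), the following Python implements expand_message_xmd and expand_message_xof as specified in the section referenced above, including the rule for DSTs longer than 255 bytes, and exposes DST_prime and msg_prime so each intermediate value listed in the vectors below can be checked field by field. The only assumptions are the hashlib algorithm names ("sha256", "sha512", "shake_128", "shake_256").</t>

```python
"""expand_message_xmd / expand_message_xof as specified by RFC 9380.

Added example, not the RFC's own reference code. It returns the same
intermediate values (DST_prime, msg_prime) that the test vectors list, so
an implementation can be compared against them one field at a time.
"""
import hashlib
import math

# Prefix prescribed for hashing a DST that exceeds 255 bytes.
OVERSIZE_DST_PREFIX = b"H2C-OVERSIZE-DST-"


def i2osp(value: int, length: int) -> bytes:
    """I2OSP: big-endian encoding of value into exactly `length` bytes."""
    if value < 0 or value >= 1 << (8 * length):
        raise ValueError("integer does not fit in I2OSP length")
    return value.to_bytes(length, "big")


def strxor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("strxor operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def xmd_dst_prime(dst: bytes, hash_name: str = "sha256") -> bytes:
    """DST_prime for expand_message_xmd: DST || I2OSP(len(DST), 1).

    A DST longer than 255 bytes is first replaced by H("H2C-OVERSIZE-DST-" || DST),
    which is why the Long DST vectors show a DST_prime of digest length plus one.
    """
    if len(dst) > 255:
        dst = hashlib.new(hash_name, OVERSIZE_DST_PREFIX + dst).digest()
    return dst + i2osp(len(dst), 1)


def xmd_msg_prime(msg: bytes, dst: bytes, len_in_bytes: int,
                  hash_name: str = "sha256") -> bytes:
    """msg_prime = Z_pad || msg || I2OSP(len_in_bytes, 2) || I2OSP(0, 1) || DST_prime."""
    s_in_bytes = hashlib.new(hash_name).block_size  # input block size of H (64 for SHA-256)
    z_pad = b"\x00" * s_in_bytes
    return z_pad + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + xmd_dst_prime(dst, hash_name)


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int,
                       hash_name: str = "sha256") -> bytes:
    """expand_message_xmd over a hashlib Merkle-Damgard hash (SHA-256 or SHA-512)."""
    b_in_bytes = hashlib.new(hash_name).digest_size
    ell = math.ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535:
        raise ValueError("len_in_bytes too large for expand_message_xmd")
    dst_prime = xmd_dst_prime(dst, hash_name)
    b_0 = hashlib.new(hash_name, xmd_msg_prime(msg, dst, len_in_bytes, hash_name)).digest()
    b_1 = hashlib.new(hash_name, b_0 + i2osp(1, 1) + dst_prime).digest()
    blocks = [b_1]
    for i in range(2, ell + 1):
        # b_i = H(strxor(b_0, b_(i-1)) || I2OSP(i, 1) || DST_prime)
        blocks.append(hashlib.new(hash_name, strxor(b_0, blocks[-1]) + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def xof_dst_prime(dst: bytes, k: int = 128, xof_name: str = "shake_128") -> bytes:
    """DST_prime for expand_message_xof; an oversize DST is hashed to ceil(2*k/8) bytes."""
    if len(dst) > 255:
        dst = hashlib.new(xof_name, OVERSIZE_DST_PREFIX + dst).digest(math.ceil(2 * k / 8))
    return dst + i2osp(len(dst), 1)


def xof_msg_prime(msg: bytes, dst: bytes, len_in_bytes: int,
                  k: int = 128, xof_name: str = "shake_128") -> bytes:
    """msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime (no Z_pad for an XOF)."""
    return msg + i2osp(len_in_bytes, 2) + xof_dst_prime(dst, k, xof_name)


def expand_message_xof(msg: bytes, dst: bytes, len_in_bytes: int,
                       k: int = 128, xof_name: str = "shake_128") -> bytes:
    """expand_message_xof: a single XOF call producing len_in_bytes of output."""
    if len_in_bytes > 65535:
        raise ValueError("len_in_bytes too large for expand_message_xof")
    return hashlib.new(xof_name, xof_msg_prime(msg, dst, len_in_bytes, k, xof_name)).digest(len_in_bytes)


if __name__ == "__main__":
    # DST and inputs of the first expand_message_xmd(SHA-256) tuple below.
    dst = b"QUUX-V01-CS02-with-expander-SHA256-128"
    print("DST_prime     =", xmd_dst_prime(dst).hex())
    print("msg_prime     =", xmd_msg_prime(b"", dst, 0x20).hex())
    print("uniform_bytes =", expand_message_xmd(b"", dst, 0x20).hex())
```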
<section anchor="expandmessagexmdsha-256">
<name>expand_message_xmd(SHA-256)</name>
<artwork><![CDATA[
name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA256-128
hash = SHA256
k = 128
msg =
len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348413235362d31323826
msg_prime = 0000000000000000000000000000000000000000000000000000
...
435330322d776974682d657870616e6465722d5348413235362d31
323826
uniform_bytes = 546aff5444b5b79aa6148bd81728704c32decb73a3ba76e9
e75885cad9def1d06d6792f8a7d12794e90efed817d96920d72889
6a4510864370c207f99bd4a608ea121700ef01ed879745ee3e4cee
f777eda6d9e5e38b90c86ea6fb0b36504ba4a45d22e86f6db5dd43
d98a294bebb9125d5b794e9d2a81181066eb954966a487
]]></artwork>
</section>
<section anchor="expandmessagexmdsha-256-long-dst">
<name>expand_message_xmd(SHA-256) (Long DST)</name>
<artwork><![CDATA[
name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA256-128-long-DST-111111
111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111
hash = SHA256
k = 128
msg =
...
616161616161616161616161616161008000412717974da474d0f8
c420f320ff81e8432adb7c927d9bd082b4fb4d16c0a23620
uniform_bytes = 78b53f2413f3c688f07732c10e5ced29a17c6a16f717179f
fbe38d92d6c9ec296502eb9889af83a1928cd162e845b0d3c5424e
83280fed3d10cffb2f8431f14e7a23f4c68819d40617589e4c4116
9d0b56e0e3535be1fd71fbb08bb70c5b5ffed953d6c14bf7618b35
fc1f4c4b30538236b4b08c9fbf90462447a8ada60be495
]]></artwork>
</section>
<section anchor="expandmessagexmdsha-512">
<name>expand_message_xmd(SHA-512)</name>
<artwork><![CDATA[
name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA512-256
hash = SHA512
k = 256
msg =
len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348413531322d32353626
msg_prime = 0000000000000000000000000000000000000000000000000000
...
00515555582d5630312d435330322d776974682d657870616e6465
722d5348413531322d32353626
uniform_bytes = 05b0bfef265dcee87654372777b7c44177e2ae4c13a27f10
3340d9cd11c86cb2426ffcad5bd964080c2aee97f03be1ca18e30a
1f14e27bc11ebbd650f305269cc9fb1db08bf90bfc79b42a952b46
daf810359e7bc36452684784a64952c343c52e5124cd1f71d474d5
197fefc571a92929c9084ffe1112cf5eea5192ebff330b
]]></artwork>
</section>
<section anchor="expandmessagexofshake128">
<name>expand_message_xof(SHAKE128)</name>
<artwork><![CDATA[
name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE128
hash = SHAKE128
k = 128
msg =
len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348414b4531323824
msg_prime = 0020515555582d5630312d435330322d776974682d657870616e
...
61616161610080515555582d5630312d435330322d776974682d65
7870616e6465722d5348414b4531323824
uniform_bytes = 9d763a5ce58f65c91531b4100c7266d479a5d9777ba76169
3d052acd37d149e7ac91c796a10b919cd74a591a1e38719fb91b72
03e2af31eac3bff7ead2c195af7d88b8bc0a8adf3d1e90ab9bed6d
dc2b7f655dd86c730bdeaea884e73741097142c92f0e3fc1811b69
9ba593c7fbd81da288a29d423df831652e3a01a9374999
]]></artwork>
</section>
<section anchor="expandmessagexofshake128-long-dst">
<name>expand_message_xof(SHAKE128) (Long DST)</name>
<artwork><![CDATA[
name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE128-long-DST-11111111
111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111
hash = SHAKE128
k = 128
msg =
...
61616161610080acb9736c0867fdfbd6385519b90fc8c034b5af04
a958973212950132d035792f20
uniform_bytes = 945373f0b3431a103333ba6a0a34f1efab2702efde41754c
4cb1d5216d5b0a92a67458d968562bde7fa6310a83f53dda138368
0a276a283438d58ceebfa7ab7ba72499d4a3eddc860595f63c93b1
c5e823ea41fc490d938398a26db28f61857698553e93f0574eb8c5
017bfed6249491f9976aaa8d23d9485339cc85ca329308
]]></artwork>
</section>
<section anchor="expandmessagexofshake256">
<name>expand_message_xof(SHAKE256)</name>
<artwork><![CDATA[
name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE256
hash = SHAKE256
k = 256
msg =
len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348414b4532353624
msg_prime = 0020515555582d5630312d435330322d776974682d657870616e
...
7870616e6465722d5348414b4532353624
uniform_bytes = 09afc76d51c2cccbc129c2315df66c2be7295a231203b8ab
2dd7f95c2772c68e500bc72e20c602abc9964663b7a03a389be128
c56971ce81001a0b875e7fd17822db9d69792ddf6a23a151bf4700
79c518279aef3e75611f8f828994a9988f4a8a256ddb8bae161e65
8d5a2a09bcfe839c6396dc06ee5c8ff3c22d3b1f9deb7e
]]></artwork>
</section>
</section>
<section anchor="acknowledgements" numbered="false">
<t>The authors would like to thank <contact fullname="Adam Langley"/> for his detailed writeup of Elligator 2 with Curve25519 <xref target="L13"/>;
<contact fullname="Dan Boneh"/>, <contact fullname="Benjamin Lipp"/>, <contact fullname="Christopher Patton"/>, and <contact fullname="Leonid Reyzin"/> for educational discussions; and
<contact fullname="David Benjamin"/>, <contact fullname="Daniel Bourdrez"/>, <contact fullname="Frank Denis"/>, <contact fullname="Sean Devlin"/>, <contact fullname="Justin Drake"/>, <contact fullname="Bjoern Haase"/>, <contact fullname="Mike Hamburg"/>, <contact fullname="Dan Harkins"/>, <contact fullname="Daira Hopwood"/>, <contact fullname="Thomas Icart"/>, <contact fullname="Andy Polyakov"/>, <contact fullname="Thomas Pornin"/>, <contact fullname="Mamy Ratsimbazafy"/>, <contact fullname="Michael Scott"/>, <contact fullname="Filippo Valsorda"/>, and <contact fullname="Mathy Vanhoef"/> for helpful reviews and feedback.</t>
<section anchor="contributors" numbered="false">
<contact fullname="Sharon Goldberg">
<organization>Boston University</organization>
</contact>
<contact fullname="Ela Lee">
<organization>Royal Holloway, University of London</organization>
</contact>
<contact fullname="Michele Orru"/>
</section>
</section>
</rfc>