Elligator2 mapping for curve25519 #336
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
huitseeker
force-pushed
the
elligator2
branch
from
2e0f429
to
d630ac3
Compare
This implementation: - is agnostic on the hash used to pick a field element, even though SHA512 is commonly used, - follows https://tools.ietf.org/id/draft-irtf-cfrg-hash-to-curve-10.html closely - tests the outputs of the function using libsignal's implementation.
huitseeker
force-pushed
the
elligator2
branch
from
d630ac3
to
8aa1458
Compare
isislovecruft
approved these changes
Jan 8, 2021
There was a problem hiding this comment.
Hi @huitseeker, thanks for the PR.
I'm in favour of merging this for 3.1. I think my only slight preference would be for the function to be called something like elligator2_encode, so that if we ever implement the reverse map we have an intuitive naming option available.
@cathieyun @oleganza @hdevalence Any opinions?
leaves an obvious name open for the reverse mapping
isislovecruft
added a commit
to isislovecruft/curve25519-dalek
that referenced
this pull request
Apr 13, 2021
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This present PR:
expand_message_xmdexpansion¹)While I'm a fan of Ristretto and would definitely advocate for its use over mapping-to-curve25519 in most situations, this present mapping is still useful in cases where compatibility with other libraries is required — the present mapping is compatible with the one performed in libsignal and passes its test vectors.
¹: While this uses an HKDF, I'm happy to attach an implementation of
expand_message_xmd(here for, essentially, domain separation) should it be requested.Fixes #188