├── .gitattributes
├── LICENSE.md
├── Makefile
├── Pipfile
├── Pipfile.lock
├── README.md
├── draft-irtf-cfrg-ristretto255-decaf448.html
├── draft-irtf-cfrg-ristretto255-decaf448.md
├── draft-irtf-cfrg-ristretto255-decaf448.txt
└── draft-irtf-cfrg-ristretto255-decaf448.xml

/.gitattributes:
--------------------------------------------------------------------------------
draft-irtf-cfrg-ristretto255-decaf448.html linguist-generated=true
draft-irtf-cfrg-ristretto255-decaf448.txt linguist-generated=true
draft-irtf-cfrg-ristretto255-decaf448.xml linguist-generated=true

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
This repository relates to activities in the Internet Engineering Task Force
([IETF](https://www.ietf.org/)). All material in this repository is considered
Contributions to the IETF Standards Process, as defined in the intellectual
property policies of IETF currently designated as
[BCP 78](https://www.rfc-editor.org/info/bcp78),
[BCP 79](https://www.rfc-editor.org/info/bcp79) and the
[IETF Trust Legal Provisions (TLP) Relating to IETF Documents](http://trustee.ietf.org/trust-legal-provisions.html).

Any edit, commit, pull request, issue, comment or other change made to this
repository constitutes Contributions to the IETF Standards Process
(https://www.ietf.org/).

You agree to comply with all applicable IETF policies and procedures, including,
BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being
subject to a Simplified BSD License) in Contributions.

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
.PHONY: all
all: draft-irtf-cfrg-ristretto255-decaf448.txt draft-irtf-cfrg-ristretto255-decaf448.html

draft-irtf-cfrg-ristretto255-decaf448.txt: draft-irtf-cfrg-ristretto255-decaf448.xml
	xml2rfc --v3 -q --no-pagination draft-irtf-cfrg-ristretto255-decaf448.xml

draft-irtf-cfrg-ristretto255-decaf448.html: draft-irtf-cfrg-ristretto255-decaf448.xml
	xml2rfc --v3 -q --html --no-external-js draft-irtf-cfrg-ristretto255-decaf448.xml

draft-irtf-cfrg-ristretto255-decaf448.xml: draft-irtf-cfrg-ristretto255-decaf448.md
	mmark draft-irtf-cfrg-ristretto255-decaf448.md > draft-irtf-cfrg-ristretto255-decaf448.xml

--------------------------------------------------------------------------------
/Pipfile:
--------------------------------------------------------------------------------
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[packages]
xml2rfc = "*"

[requires]
python_version = "3.9"

--------------------------------------------------------------------------------
/Pipfile.lock:
--------------------------------------------------------------------------------
{
    "_meta": {
        "hash": {
            "sha256": "3b5c09020f590b9a738155ebe477a8418d06a4e3b851a679d5b1c4a8f5d9a946"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "appdirs": {
            "hashes": [
                "sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41",
                "sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128"
            ],
            "version": "==1.4.4"
        },
        "certifi": {
            "hashes": [
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", 29 | "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" 30 | ], 31 | "markers": "python_version >= '3.6'", 32 | "version": "==2022.12.7" 33 | }, 34 | "charset-normalizer": { 35 | "hashes": [ 36 | "sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6", 37 | "sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1", 38 | "sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e", 39 | "sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373", 40 | "sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62", 41 | "sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230", 42 | "sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be", 43 | "sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c", 44 | "sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0", 45 | "sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448", 46 | "sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f", 47 | "sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649", 48 | "sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d", 49 | "sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0", 50 | "sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706", 51 | "sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a", 52 | "sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59", 53 | "sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23", 54 | "sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5", 55 | "sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb", 56 | "sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e", 57 | 
"sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e", 58 | "sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c", 59 | "sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28", 60 | "sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d", 61 | "sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41", 62 | "sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974", 63 | "sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce", 64 | "sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f", 65 | "sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1", 66 | "sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d", 67 | "sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8", 68 | "sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017", 69 | "sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31", 70 | "sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7", 71 | "sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8", 72 | "sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e", 73 | "sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14", 74 | "sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd", 75 | "sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d", 76 | "sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795", 77 | "sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b", 78 | "sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b", 79 | "sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b", 80 | "sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203", 81 | "sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f", 82 | 
"sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19", 83 | "sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1", 84 | "sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a", 85 | "sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac", 86 | "sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9", 87 | "sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0", 88 | "sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137", 89 | "sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f", 90 | "sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6", 91 | "sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5", 92 | "sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909", 93 | "sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f", 94 | "sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0", 95 | "sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324", 96 | "sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755", 97 | "sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb", 98 | "sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854", 99 | "sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c", 100 | "sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60", 101 | "sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84", 102 | "sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0", 103 | "sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b", 104 | "sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1", 105 | "sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531", 106 | 
"sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1", 107 | "sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11", 108 | "sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326", 109 | "sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df", 110 | "sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab" 111 | ], 112 | "markers": "python_full_version >= '3.7.0'", 113 | "version": "==3.1.0" 114 | }, 115 | "configargparse": { 116 | "hashes": [ 117 | "sha256:18f6535a2db9f6e02bd5626cc7455eac3e96b9ab3d969d366f9aafd5c5c00fe7", 118 | "sha256:1b0b3cbf664ab59dada57123c81eff3d9737e0d11d8cf79e3d6eb10823f1739f" 119 | ], 120 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 121 | "version": "==1.5.3" 122 | }, 123 | "google-i18n-address": { 124 | "hashes": [ 125 | "sha256:44ef2ba987b4258ed5248ff0ce818e99807bda2599db99f97a4d549aae83e739", 126 | "sha256:97c5a40e96cdd6000a1cf29ed45903557aece3a91755cfcb5dced14005fbd93c" 127 | ], 128 | "version": "==2.5.2" 129 | }, 130 | "html5lib": { 131 | "hashes": [ 132 | "sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d", 133 | "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f" 134 | ], 135 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 136 | "version": "==1.1" 137 | }, 138 | "idna": { 139 | "hashes": [ 140 | "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", 141 | "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" 142 | ], 143 | "markers": "python_version >= '3.5'", 144 | "version": "==3.4" 145 | }, 146 | "intervaltree": { 147 | "hashes": [ 148 | "sha256:902b1b88936918f9b2a19e0e5eb7ccb430ae45cde4f39ea4b36932920d33952d" 149 | ], 150 | "version": "==3.1.0" 151 | }, 152 | "jinja2": { 153 | "hashes": [ 154 | "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852", 
155 | "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61" 156 | ], 157 | "markers": "python_version >= '3.7'", 158 | "version": "==3.1.2" 159 | }, 160 | "lxml": { 161 | "hashes": [ 162 | "sha256:01d36c05f4afb8f7c20fd9ed5badca32a2029b93b1750f571ccc0b142531caf7", 163 | "sha256:04876580c050a8c5341d706dd464ff04fd597095cc8c023252566a8826505726", 164 | "sha256:05ca3f6abf5cf78fe053da9b1166e062ade3fa5d4f92b4ed688127ea7d7b1d03", 165 | "sha256:090c6543d3696cbe15b4ac6e175e576bcc3f1ccfbba970061b7300b0c15a2140", 166 | "sha256:0dc313ef231edf866912e9d8f5a042ddab56c752619e92dfd3a2c277e6a7299a", 167 | "sha256:0f2b1e0d79180f344ff9f321327b005ca043a50ece8713de61d1cb383fb8ac05", 168 | "sha256:13598ecfbd2e86ea7ae45ec28a2a54fb87ee9b9fdb0f6d343297d8e548392c03", 169 | "sha256:16efd54337136e8cd72fb9485c368d91d77a47ee2d42b057564aae201257d419", 170 | "sha256:1ab8f1f932e8f82355e75dda5413a57612c6ea448069d4fb2e217e9a4bed13d4", 171 | "sha256:223f4232855ade399bd409331e6ca70fb5578efef22cf4069a6090acc0f53c0e", 172 | "sha256:2455cfaeb7ac70338b3257f41e21f0724f4b5b0c0e7702da67ee6c3640835b67", 173 | "sha256:2899456259589aa38bfb018c364d6ae7b53c5c22d8e27d0ec7609c2a1ff78b50", 174 | "sha256:2a29ba94d065945944016b6b74e538bdb1751a1db6ffb80c9d3c2e40d6fa9894", 175 | "sha256:2a87fa548561d2f4643c99cd13131acb607ddabb70682dcf1dff5f71f781a4bf", 176 | "sha256:2e430cd2824f05f2d4f687701144556646bae8f249fd60aa1e4c768ba7018947", 177 | "sha256:36c3c175d34652a35475a73762b545f4527aec044910a651d2bf50de9c3352b1", 178 | "sha256:3818b8e2c4b5148567e1b09ce739006acfaa44ce3156f8cbbc11062994b8e8dd", 179 | "sha256:3ab9fa9d6dc2a7f29d7affdf3edebf6ece6fb28a6d80b14c3b2fb9d39b9322c3", 180 | "sha256:3efea981d956a6f7173b4659849f55081867cf897e719f57383698af6f618a92", 181 | "sha256:4c8f293f14abc8fd3e8e01c5bd86e6ed0b6ef71936ded5bf10fe7a5efefbaca3", 182 | "sha256:5344a43228767f53a9df6e5b253f8cdca7dfc7b7aeae52551958192f56d98457", 183 | "sha256:58bfa3aa19ca4c0f28c5dde0ff56c520fbac6f0daf4fac66ed4c8d2fb7f22e74", 184 | 
"sha256:5b4545b8a40478183ac06c073e81a5ce4cf01bf1734962577cf2bb569a5b3bbf", 185 | "sha256:5f50a1c177e2fa3ee0667a5ab79fdc6b23086bc8b589d90b93b4bd17eb0e64d1", 186 | "sha256:63da2ccc0857c311d764e7d3d90f429c252e83b52d1f8f1d1fe55be26827d1f4", 187 | "sha256:6749649eecd6a9871cae297bffa4ee76f90b4504a2a2ab528d9ebe912b101975", 188 | "sha256:6804daeb7ef69e7b36f76caddb85cccd63d0c56dedb47555d2fc969e2af6a1a5", 189 | "sha256:689bb688a1db722485e4610a503e3e9210dcc20c520b45ac8f7533c837be76fe", 190 | "sha256:699a9af7dffaf67deeae27b2112aa06b41c370d5e7633e0ee0aea2e0b6c211f7", 191 | "sha256:6b418afe5df18233fc6b6093deb82a32895b6bb0b1155c2cdb05203f583053f1", 192 | "sha256:76cf573e5a365e790396a5cc2b909812633409306c6531a6877c59061e42c4f2", 193 | "sha256:7b515674acfdcadb0eb5d00d8a709868173acece5cb0be3dd165950cbfdf5409", 194 | "sha256:7b770ed79542ed52c519119473898198761d78beb24b107acf3ad65deae61f1f", 195 | "sha256:7d2278d59425777cfcb19735018d897ca8303abe67cc735f9f97177ceff8027f", 196 | "sha256:7e91ee82f4199af8c43d8158024cbdff3d931df350252288f0d4ce656df7f3b5", 197 | "sha256:821b7f59b99551c69c85a6039c65b75f5683bdc63270fec660f75da67469ca24", 198 | "sha256:822068f85e12a6e292803e112ab876bc03ed1f03dddb80154c395f891ca6b31e", 199 | "sha256:8340225bd5e7a701c0fa98284c849c9b9fc9238abf53a0ebd90900f25d39a4e4", 200 | "sha256:85cabf64adec449132e55616e7ca3e1000ab449d1d0f9d7f83146ed5bdcb6d8a", 201 | "sha256:880bbbcbe2fca64e2f4d8e04db47bcdf504936fa2b33933efd945e1b429bea8c", 202 | "sha256:8d0b4612b66ff5d62d03bcaa043bb018f74dfea51184e53f067e6fdcba4bd8de", 203 | "sha256:8e20cb5a47247e383cf4ff523205060991021233ebd6f924bca927fcf25cf86f", 204 | "sha256:925073b2fe14ab9b87e73f9a5fde6ce6392da430f3004d8b72cc86f746f5163b", 205 | "sha256:998c7c41910666d2976928c38ea96a70d1aa43be6fe502f21a651e17483a43c5", 206 | "sha256:9b22c5c66f67ae00c0199f6055705bc3eb3fcb08d03d2ec4059a2b1b25ed48d7", 207 | "sha256:9f102706d0ca011de571de32c3247c6476b55bb6bc65a20f682f000b07a4852a", 208 | 
"sha256:a08cff61517ee26cb56f1e949cca38caabe9ea9fbb4b1e10a805dc39844b7d5c", 209 | "sha256:a0a336d6d3e8b234a3aae3c674873d8f0e720b76bc1d9416866c41cd9500ffb9", 210 | "sha256:a35f8b7fa99f90dd2f5dc5a9fa12332642f087a7641289ca6c40d6e1a2637d8e", 211 | "sha256:a38486985ca49cfa574a507e7a2215c0c780fd1778bb6290c21193b7211702ab", 212 | "sha256:a5da296eb617d18e497bcf0a5c528f5d3b18dadb3619fbdadf4ed2356ef8d941", 213 | "sha256:a6e441a86553c310258aca15d1c05903aaf4965b23f3bc2d55f200804e005ee5", 214 | "sha256:a82d05da00a58b8e4c0008edbc8a4b6ec5a4bc1e2ee0fb6ed157cf634ed7fa45", 215 | "sha256:ab323679b8b3030000f2be63e22cdeea5b47ee0abd2d6a1dc0c8103ddaa56cd7", 216 | "sha256:b1f42b6921d0e81b1bcb5e395bc091a70f41c4d4e55ba99c6da2b31626c44892", 217 | "sha256:b23e19989c355ca854276178a0463951a653309fb8e57ce674497f2d9f208746", 218 | "sha256:b264171e3143d842ded311b7dccd46ff9ef34247129ff5bf5066123c55c2431c", 219 | "sha256:b26a29f0b7fc6f0897f043ca366142d2b609dc60756ee6e4e90b5f762c6adc53", 220 | "sha256:b64d891da92e232c36976c80ed7ebb383e3f148489796d8d31a5b6a677825efe", 221 | "sha256:b9cc34af337a97d470040f99ba4282f6e6bac88407d021688a5d585e44a23184", 222 | "sha256:bc718cd47b765e790eecb74d044cc8d37d58562f6c314ee9484df26276d36a38", 223 | "sha256:be7292c55101e22f2a3d4d8913944cbea71eea90792bf914add27454a13905df", 224 | "sha256:c83203addf554215463b59f6399835201999b5e48019dc17f182ed5ad87205c9", 225 | "sha256:c9ec3eaf616d67db0764b3bb983962b4f385a1f08304fd30c7283954e6a7869b", 226 | "sha256:ca34efc80a29351897e18888c71c6aca4a359247c87e0b1c7ada14f0ab0c0fb2", 227 | "sha256:ca989b91cf3a3ba28930a9fc1e9aeafc2a395448641df1f387a2d394638943b0", 228 | "sha256:d02a5399126a53492415d4906ab0ad0375a5456cc05c3fc0fc4ca11771745cda", 229 | "sha256:d17bc7c2ccf49c478c5bdd447594e82692c74222698cfc9b5daae7ae7e90743b", 230 | "sha256:d5bf6545cd27aaa8a13033ce56354ed9e25ab0e4ac3b5392b763d8d04b08e0c5", 231 | "sha256:d6b430a9938a5a5d85fc107d852262ddcd48602c120e3dbb02137c83d212b380", 232 | 
"sha256:da248f93f0418a9e9d94b0080d7ebc407a9a5e6d0b57bb30db9b5cc28de1ad33", 233 | "sha256:da4dd7c9c50c059aba52b3524f84d7de956f7fef88f0bafcf4ad7dde94a064e8", 234 | "sha256:df0623dcf9668ad0445e0558a21211d4e9a149ea8f5666917c8eeec515f0a6d1", 235 | "sha256:e5168986b90a8d1f2f9dc1b841467c74221bd752537b99761a93d2d981e04889", 236 | "sha256:efa29c2fe6b4fdd32e8ef81c1528506895eca86e1d8c4657fda04c9b3786ddf9", 237 | "sha256:f1496ea22ca2c830cbcbd473de8f114a320da308438ae65abad6bab7867fe38f", 238 | "sha256:f49e52d174375a7def9915c9f06ec4e569d235ad428f70751765f48d5926678c" 239 | ], 240 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", 241 | "version": "==4.9.2" 242 | }, 243 | "markupsafe": { 244 | "hashes": [ 245 | "sha256:0576fe974b40a400449768941d5d0858cc624e3249dfd1e0c33674e5c7ca7aed", 246 | "sha256:085fd3201e7b12809f9e6e9bc1e5c96a368c8523fad5afb02afe3c051ae4afcc", 247 | "sha256:090376d812fb6ac5f171e5938e82e7f2d7adc2b629101cec0db8b267815c85e2", 248 | "sha256:0b462104ba25f1ac006fdab8b6a01ebbfbce9ed37fd37fd4acd70c67c973e460", 249 | "sha256:137678c63c977754abe9086a3ec011e8fd985ab90631145dfb9294ad09c102a7", 250 | "sha256:1bea30e9bf331f3fef67e0a3877b2288593c98a21ccb2cf29b74c581a4eb3af0", 251 | "sha256:22152d00bf4a9c7c83960521fc558f55a1adbc0631fbb00a9471e097b19d72e1", 252 | "sha256:22731d79ed2eb25059ae3df1dfc9cb1546691cc41f4e3130fe6bfbc3ecbbecfa", 253 | "sha256:2298c859cfc5463f1b64bd55cb3e602528db6fa0f3cfd568d3605c50678f8f03", 254 | "sha256:28057e985dace2f478e042eaa15606c7efccb700797660629da387eb289b9323", 255 | "sha256:2e7821bffe00aa6bd07a23913b7f4e01328c3d5cc0b40b36c0bd81d362faeb65", 256 | "sha256:2ec4f2d48ae59bbb9d1f9d7efb9236ab81429a764dedca114f5fdabbc3788013", 257 | "sha256:340bea174e9761308703ae988e982005aedf427de816d1afe98147668cc03036", 258 | "sha256:40627dcf047dadb22cd25ea7ecfe9cbf3bbbad0482ee5920b582f3809c97654f", 259 | "sha256:40dfd3fefbef579ee058f139733ac336312663c6706d1163b82b3003fb1925c4", 260 | 
"sha256:4cf06cdc1dda95223e9d2d3c58d3b178aa5dacb35ee7e3bbac10e4e1faacb419", 261 | "sha256:50c42830a633fa0cf9e7d27664637532791bfc31c731a87b202d2d8ac40c3ea2", 262 | "sha256:55f44b440d491028addb3b88f72207d71eeebfb7b5dbf0643f7c023ae1fba619", 263 | "sha256:608e7073dfa9e38a85d38474c082d4281f4ce276ac0010224eaba11e929dd53a", 264 | "sha256:63ba06c9941e46fa389d389644e2d8225e0e3e5ebcc4ff1ea8506dce646f8c8a", 265 | "sha256:65608c35bfb8a76763f37036547f7adfd09270fbdbf96608be2bead319728fcd", 266 | "sha256:665a36ae6f8f20a4676b53224e33d456a6f5a72657d9c83c2aa00765072f31f7", 267 | "sha256:6d6607f98fcf17e534162f0709aaad3ab7a96032723d8ac8750ffe17ae5a0666", 268 | "sha256:7313ce6a199651c4ed9d7e4cfb4aa56fe923b1adf9af3b420ee14e6d9a73df65", 269 | "sha256:7668b52e102d0ed87cb082380a7e2e1e78737ddecdde129acadb0eccc5423859", 270 | "sha256:7df70907e00c970c60b9ef2938d894a9381f38e6b9db73c5be35e59d92e06625", 271 | "sha256:7e007132af78ea9df29495dbf7b5824cb71648d7133cf7848a2a5dd00d36f9ff", 272 | "sha256:835fb5e38fd89328e9c81067fd642b3593c33e1e17e2fdbf77f5676abb14a156", 273 | "sha256:8bca7e26c1dd751236cfb0c6c72d4ad61d986e9a41bbf76cb445f69488b2a2bd", 274 | "sha256:8db032bf0ce9022a8e41a22598eefc802314e81b879ae093f36ce9ddf39ab1ba", 275 | "sha256:99625a92da8229df6d44335e6fcc558a5037dd0a760e11d84be2260e6f37002f", 276 | "sha256:9cad97ab29dfc3f0249b483412c85c8ef4766d96cdf9dcf5a1e3caa3f3661cf1", 277 | "sha256:a4abaec6ca3ad8660690236d11bfe28dfd707778e2442b45addd2f086d6ef094", 278 | "sha256:a6e40afa7f45939ca356f348c8e23048e02cb109ced1eb8420961b2f40fb373a", 279 | "sha256:a6f2fcca746e8d5910e18782f976489939d54a91f9411c32051b4aab2bd7c513", 280 | "sha256:a806db027852538d2ad7555b203300173dd1b77ba116de92da9afbc3a3be3eed", 281 | "sha256:abcabc8c2b26036d62d4c746381a6f7cf60aafcc653198ad678306986b09450d", 282 | "sha256:b8526c6d437855442cdd3d87eede9c425c4445ea011ca38d937db299382e6fa3", 283 | "sha256:bb06feb762bade6bf3c8b844462274db0c76acc95c52abe8dbed28ae3d44a147", 284 | 
"sha256:c0a33bc9f02c2b17c3ea382f91b4db0e6cde90b63b296422a939886a7a80de1c", 285 | "sha256:c4a549890a45f57f1ebf99c067a4ad0cb423a05544accaf2b065246827ed9603", 286 | "sha256:ca244fa73f50a800cf8c3ebf7fd93149ec37f5cb9596aa8873ae2c1d23498601", 287 | "sha256:cf877ab4ed6e302ec1d04952ca358b381a882fbd9d1b07cccbfd61783561f98a", 288 | "sha256:d9d971ec1e79906046aa3ca266de79eac42f1dbf3612a05dc9368125952bd1a1", 289 | "sha256:da25303d91526aac3672ee6d49a2f3db2d9502a4a60b55519feb1a4c7714e07d", 290 | "sha256:e55e40ff0cc8cc5c07996915ad367fa47da6b3fc091fdadca7f5403239c5fec3", 291 | "sha256:f03a532d7dee1bed20bc4884194a16160a2de9ffc6354b3878ec9682bb623c54", 292 | "sha256:f1cd098434e83e656abf198f103a8207a8187c0fc110306691a2e94a78d0abb2", 293 | "sha256:f2bfb563d0211ce16b63c7cb9395d2c682a23187f54c3d79bfec33e6705473c6", 294 | "sha256:f8ffb705ffcf5ddd0e80b65ddf7bed7ee4f5a441ea7d3419e861a12eaf41af58" 295 | ], 296 | "markers": "python_version >= '3.7'", 297 | "version": "==2.1.2" 298 | }, 299 | "pycountry": { 300 | "hashes": [ 301 | "sha256:b2163a246c585894d808f18783e19137cb70a0c18fb36748dc01fc6f109c1646" 302 | ], 303 | "markers": "python_version >= '3.6' and python_version < '4'", 304 | "version": "==22.3.5" 305 | }, 306 | "pyyaml": { 307 | "hashes": [ 308 | "sha256:01b45c0191e6d66c470b6cf1b9531a771a83c1c4208272ead47a3ae4f2f603bf", 309 | "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293", 310 | "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b", 311 | "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57", 312 | "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b", 313 | "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4", 314 | "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07", 315 | "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba", 316 | "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9", 317 | 
"sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287", 318 | "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513", 319 | "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0", 320 | "sha256:432557aa2c09802be39460360ddffd48156e30721f5e8d917f01d31694216782", 321 | "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0", 322 | "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92", 323 | "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f", 324 | "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2", 325 | "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc", 326 | "sha256:81957921f441d50af23654aa6c5e5eaf9b06aba7f0a19c18a538dc7ef291c5a1", 327 | "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c", 328 | "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86", 329 | "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4", 330 | "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c", 331 | "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34", 332 | "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b", 333 | "sha256:afa17f5bc4d1b10afd4466fd3a44dc0e245382deca5b3c353d8b757f9e3ecb8d", 334 | "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c", 335 | "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb", 336 | "sha256:bfaef573a63ba8923503d27530362590ff4f576c626d86a9fed95822a8255fd7", 337 | "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737", 338 | "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3", 339 | "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d", 340 | "sha256:d4b0ba9512519522b118090257be113b9468d804b19d63c71dbcf4a48fa32358", 341 | 
"sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53", 342 | "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78", 343 | "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803", 344 | "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a", 345 | "sha256:dbad0e9d368bb989f4515da330b88a057617d16b6a8245084f1b05400f24609f", 346 | "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174", 347 | "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5" 348 | ], 349 | "markers": "python_version >= '3.6'", 350 | "version": "==6.0" 351 | }, 352 | "requests": { 353 | "hashes": [ 354 | "sha256:64299f4909223da747622c030b781c0d7811e359c37124b4bd368fb8c6518baa", 355 | "sha256:98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf" 356 | ], 357 | "markers": "python_version >= '3.7' and python_version < '4'", 358 | "version": "==2.28.2" 359 | }, 360 | "setuptools": { 361 | "hashes": [ 362 | "sha256:257de92a9d50a60b8e22abfcbb771571fde0dbf3ec234463212027a4eeecbe9a", 363 | "sha256:e728ca814a823bf7bf60162daf9db95b93d532948c4c0bea762ce62f60189078" 364 | ], 365 | "markers": "python_version >= '3.7'", 366 | "version": "==67.6.1" 367 | }, 368 | "six": { 369 | "hashes": [ 370 | "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", 371 | "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" 372 | ], 373 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", 374 | "version": "==1.16.0" 375 | }, 376 | "sortedcontainers": { 377 | "hashes": [ 378 | "sha256:25caa5a06cc30b6b83d11423433f65d1f9d76c4c6a0c90e3379eaa43b9bfdb88", 379 | "sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0" 380 | ], 381 | "version": "==2.4.0" 382 | }, 383 | "urllib3": { 384 | "hashes": [ 385 | "sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305", 386 | 
"sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42" 387 | ], 388 | "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", 389 | "version": "==1.26.15" 390 | }, 391 | "wcwidth": { 392 | "hashes": [ 393 | "sha256:795b138f6875577cd91bba52baf9e445cd5118fd32723b460e30a0af30ea230e", 394 | "sha256:a5220780a404dbe3353789870978e472cfe477761f06ee55077256e509b156d0" 395 | ], 396 | "version": "==0.2.6" 397 | }, 398 | "webencodings": { 399 | "hashes": [ 400 | "sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78", 401 | "sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923" 402 | ], 403 | "version": "==0.5.1" 404 | }, 405 | "xml2rfc": { 406 | "hashes": [ 407 | "sha256:33a4a11178c791db25fdf733e04fdc28c3660c94d0fe83b3b2799ef23f547003" 408 | ], 409 | "index": "pypi", 410 | "version": "==3.17.0" 411 | } 412 | }, 413 | "develop": {} 414 | } 415 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The ristretto255 and decaf448 Groups 2 | 3 | This is the working area for the CFRG Internet-Draft, 4 | "The ristretto255 and decaf448 Groups". 5 | 6 | ## Building the Draft 7 | 8 | The formatted text version of the draft is built from Markdown. 9 | 10 | ```sh 11 | $ go install github.com/mmarkdown/mmark/v2@08b8fbb35701dab9a4972e1e29774a13f196ff53 12 | $ pipenv install 13 | $ pipenv run make 14 | ``` 15 | 16 | This requires that you have [`pipenv`](https://pipenv.pypa.io/en/latest/) and 17 | [`mmark`](https://github.com/mmarkdown/mmark) 2.2.5. 

--------------------------------------------------------------------------------
/draft-irtf-cfrg-ristretto255-decaf448.md:
--------------------------------------------------------------------------------
%%%

Title = "The ristretto255 and decaf448 Groups"
abbrev = "ristretto255-decaf448"
ipr = "trust200902"
category = "info"
area = "Internet"
workgroup = "Crypto Forum Research Group"

[seriesInfo]
status = "informational"
name = "Internet-Draft"
value = "draft-irtf-cfrg-ristretto255-decaf448-08"
stream = "IETF"

[[author]]
initials = "H."
surname = "de Valence"
fullname = "Henry de Valence"
[author.address]
email = "ietf@hdevalence.ca"

[[author]]
initials = "J."
surname = "Grigg"
fullname = "Jack Grigg"
[author.address]
email = "ietf@jackgrigg.com"

[[author]]
initials = "M."
surname = "Hamburg"
fullname = "Mike Hamburg"
[author.address]
email = "ietf@shiftleft.org"

[[author]]
initials = "I."
surname = "Lovecruft"
fullname = "Isis Lovecruft"
[author.address]
email = "ietf@en.ciph.re"

[[author]]
initials = "G."
surname = "Tankersley"
fullname = "George Tankersley"
[author.address]
email = "ietf@gtank.cc"

[[author]]
initials = "F."
surname = "Valsorda"
fullname = "Filippo Valsorda"
[author.address]
email = "ietf@filippo.io"

%%%

.# Abstract
This memo specifies two prime-order groups, ristretto255 and decaf448,
suitable for safely implementing higher-level and complex
cryptographic protocols. The ristretto255 group can be implemented
using Curve25519, allowing existing Curve25519 implementations to be
reused and extended to provide a prime-order group. Likewise, the
decaf448 group can be implemented using edwards448.

This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.

{mainmatter}

# Introduction

Decaf [@?Decaf] is a technique for constructing prime-order groups
with non-malleable encodings from non-prime-order elliptic curves.
Ristretto extends this technique to support cofactor-8 curves such as
Curve25519 [@?RFC7748]. In particular, this allows an existing
Curve25519 library to provide a prime-order group with only a thin
abstraction layer.

[Reference Decaf: "Decaf: Eliminating cofactors through point compression", Rambus Cryptography Research]

Many group-based cryptographic protocols require the number of
elements in the group (the group order) to be prime. Prime-order
groups are useful because every non-identity element of the group
is a generator of the entire group. This means the group has a
cofactor of 1, and all elements are equivalent from the perspective
of Discrete Log Hardness.

Edwards curves provide a number of implementation benefits for
cryptography, such as complete addition formulas with no exceptional
points and formulas among the fastest known for curve operations.
However, the group of points on the curve is not of prime order,
i.e., it has a cofactor larger than 1.
This abstraction mismatch is usually handled by means of ad-hoc
protocol tweaks, such as multiplying by the cofactor in an
appropriate place, or not at all.

Even for simple protocols such as signatures, these tweaks can cause
subtle issues. For instance, Ed25519 implementations may have
different validation behavior between batched and singleton
verification, and at least as specified in [@RFC8032], the set of
valid signatures is not defined by the standard.

For more complex protocols, careful analysis is required as the
original security proofs may no longer apply, and the tweaks for one
protocol may have disastrous effects when applied to another (for
instance, the octuple-spend vulnerability in [@MoneroVuln]).

Decaf and Ristretto fix this abstraction mismatch in one place for
all protocols, providing an abstraction to protocol implementors that
matches the abstraction commonly assumed in protocol specifications,
while still allowing the use of high-performance curve
implementations internally. The abstraction layer imposes minor
overhead, and only in the encoding and decoding phases.

While Ristretto is a general method, and can be used in conjunction
with any Edwards curve with cofactor 4 or 8, this document specifies
the ristretto255 group, which can be implemented using Curve25519,
and the decaf448 group, which can be implemented using edwards448.

There are other elliptic curves that can be used internally to
implement ristretto255 or decaf448, and those implementations would be
interoperable with a Curve25519- or edwards448-based one, but those
constructions are out-of-scope for this document.

The Ristretto construction is described and justified in detail at
[@RistrettoGroup].

This document represents the consensus of the Crypto Forum Research Group (CFRG).
This document is not an IETF product and is not a standard.

[RistrettoGroup]: The Ristretto Group.

[MoneroVuln]: Exploiting Low Order Generators in One-Time Ring Signatures.

# Notation and Conventions Used In This Document

The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**",
"**SHALL NOT**", "**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**",
"**NOT RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this document
are to be interpreted as described in BCP 14 [@!RFC2119] [@!RFC8174]
when, and only when, they appear in all capitals, as shown here.

Readers are cautioned that the term "Curve25519" has varying
interpretations in the literature, and that the canonical meaning of the
term has shifted over time. Originally it referred to a specific
Diffie-Hellman key exchange mechanism. Over time, use shifted, and
"Curve25519" has been used to refer to either the abstract underlying
curve, or its concrete representation in Montgomery form, or the
specific Diffie-Hellman mechanism. This document uses the term
"Curve25519" to refer to the abstract underlying curve, as recommended
in [@Naming]. The abstract Edwards form of the curve we refer to here
as "Curve25519" is in [@?RFC7748] referred to as "edwards25519"
and its isogenous Montgomery form is referred to as "curve25519".

Elliptic curve points in this document are represented in extended
Edwards coordinates in the `(x, y, z, t)` format [@Twisted], also called
extended homogeneous coordinates in Section 5.1.4 of [@?RFC8032]. Field
elements are values modulo p, the Curve25519 prime 2^255 - 19 or the
edwards448 prime 2^448 - 2^224 - 1, as specified in Sections 4.1 and
4.2 of [@RFC7748], respectively. All formulas specify field operations
unless otherwise noted. The symbol ^ denotes exponentiation.

The `|` symbol represents a constant-time logical OR.

The notation `array[A:B]` means the elements of `array` from `A`
to `B-1`. That is, it is exclusive of `B`. Arrays are indexed
starting from 0.

A byte is an 8-bit entity (also known as "octet") and a byte string
is an ordered sequence of bytes. An N-byte string is a byte string of
N bytes in length.

Element encodings are presented as hex encoded byte strings with
whitespace added for readability.

[Twisted]: Twisted Edwards Curves Revisited.

[Naming]: [Cfrg] 25519 naming.

## Negative field elements

As in [@RFC8032], given a field element e, define `IS_NEGATIVE(e)` as
TRUE if the least non-negative integer representing e is odd, and
FALSE if it is even. This **SHOULD** be implemented in constant time.

## Constant time operations

We assume that the field element implementation supports the following
operations, which **SHOULD** be implemented in constant time:

* `CT_EQ(u, v)`: return TRUE if u = v, FALSE otherwise.
* `CT_SELECT(v IF cond ELSE u)`: return v if cond is TRUE, else return u.
* `CT_ABS(u)`: return -u if IS_NEGATIVE(u), else return u.

Note that `CT_ABS` **MAY** be implemented as:

    CT_SELECT(-u IF IS_NEGATIVE(u) ELSE u)

# The group abstraction {#interface}

Ristretto and Decaf implement an abstract prime-order group interface
that exposes only the behavior that is useful to higher-level protocols,
without leaking curve-related details and pitfalls.

Each abstract group exposes operations on abstract element and abstract
scalar types.
The operations defined on these types include: decoding, encoding,
equality, addition, negation, subtraction and (multi-)scalar multiplication.
Each abstract group also exposes a deterministic function to derive abstract
elements from fixed-length byte strings. A description of each of these
operations is below.

Decoding is a function from byte strings to abstract elements with
built-in validation, so that only the canonical encodings of valid
elements are accepted. The built-in validation avoids the need for
explicit invalid curve checks.

Encoding is a function from abstract elements to byte strings. Internally,
an abstract element might have more than one possible representation -- for
example, the implementation might use projective coordinates. When encoding,
all equivalent representations of the same element are encoded as identical
byte strings. Decoding the output of the encoding function always
succeeds and returns an equivalent element to the encoding input.

The equality check reports whether two representations of an abstract
element are equivalent.

The element derivation function maps deterministically from byte strings of
a fixed length to abstract elements. It has two important properties. First,
if the input is a uniformly random byte string, then the output is (within
a negligible statistical distance of) a uniformly random abstract group
element. This means the function is suitable for selecting random group
elements.

Second, although the element derivation function is many-to-one and therefore
not strictly invertible, it is not pre-image resistant. On the contrary,
given an arbitrary abstract group element `P`, there is an efficient algorithm
to randomly sample from byte strings that map to `P`.
In some contexts this
property would be a weakness, but in others it is important: in particular,
it means that a combination of a cryptographic hash function and the element
derivation function is suitable for use in algorithms such as
`hash_to_curve` [@?draft-irtf-cfrg-hash-to-curve-16].

[draft-irtf-cfrg-hash-to-curve-16]: Hashing to Elliptic Curves.

Addition is the group operation. The group has an identity element and
prime order l. Adding together l copies of the same element gives the
identity. Adding the identity element to
any element returns that element unchanged. Negation returns an element
that, when added to the negation input, gives the identity element.
Subtraction is the addition of a negated element, and scalar
multiplication is the repeated addition of an element.

# ristretto255 {#ristretto255}

ristretto255 is an instantiation of the abstract prime-order group
interface defined in (#interface). This document describes how to
implement the ristretto255 prime-order group using Curve25519 points as
internal representations.

A "ristretto255 group element" is the abstract element of the prime
order group. An "element encoding" is the unique reversible encoding
of a group element. An "internal representation" is a point on the
curve used to implement ristretto255. Each group element can have
multiple equivalent internal representations.

Encoding, decoding, equality, and the element derivation function are defined in
(#functions255). Element addition, subtraction, negation, and scalar
multiplication are implemented by applying the corresponding operations
directly to the internal representation.

The group order is the same as the order of the Curve25519 prime-order subgroup:

    l = 2^252 + 27742317777372353535851937790883648493

Since ristretto255 is a prime-order group, every element except the
identity is a generator, but for interoperability a canonical generator
is selected, which can be internally represented by the Curve25519
basepoint, enabling reuse of existing precomputation for scalar
multiplication. This is its encoding as produced by the function
specified in (#encoding255):

```
e2f2ae0a 6abc4e71 a884a961 c500515f 58e30b6a a582dd8d b6a65945 e08d2d76
```

## Implementation constants {#constants255}

This document references the following constant field element values
that are used for the implementation of group operations.

* `D` = 37095705934669439343138083508754565189542113879843219016388785533085940283555
  * This is the Edwards d parameter for Curve25519, as specified in Section 4.1 of [@RFC7748].
* `SQRT_M1` = 19681161376707505956807079304988542015446066515923890162744021073123829784752
* `SQRT_AD_MINUS_ONE` = 25063068953384623474111414158702152701244531502492656460079210482610430750235
* `INVSQRT_A_MINUS_D` = 54469307008909316920995813868745141605393597292927456921205312896311721017578
* `ONE_MINUS_D_SQ` = 1159843021668779879193775521855586647937357759715417654439879720876111806838
* `D_MINUS_ONE_SQ` = 40440834346308536858101042469323190826248399146238708352240133220865137265952

## Square root of a ratio of field elements {#sqrtratio255}

The following function is defined on field elements, and is used to
implement other ristretto255 functions. This function is only used internally
to implement some of the group operations.

On input field elements u and v, the function `SQRT_RATIO_M1(u, v)` returns:

* `(TRUE, +sqrt(u/v))` if u and v are non-zero, and u/v is square;
* `(TRUE, zero)` if u is zero;
* `(FALSE, zero)` if v is zero and u is non-zero;
* `(FALSE, +sqrt(SQRT_M1*(u/v)))` if u and v are non-zero, and u/v is
  non-square (so `SQRT_M1*(u/v)` is square),

where `+sqrt(x)` indicates the non-negative square root of x in the
field.

The computation is similar to Section 5.1.3 of [@RFC8032], with the
difference that if the input is non-square, the function returns a
result with a defined relationship to the inputs. This result is used
for efficient implementation of the derivation function. The function
can be refactored from an existing Ed25519 implementation.

`SQRT_RATIO_M1(u, v)` is defined as follows:

```
r = (u * v^3) * (u * v^7)^((p-5)/8) // Note: (p - 5) / 8 is an integer.
check = v * r^2

correct_sign_sqrt = CT_EQ(check, u)
flipped_sign_sqrt = CT_EQ(check, -u)
flipped_sign_sqrt_i = CT_EQ(check, -u*SQRT_M1)

r_prime = SQRT_M1 * r
r = CT_SELECT(r_prime IF flipped_sign_sqrt | flipped_sign_sqrt_i ELSE r)

// Choose the nonnegative square root.
r = CT_ABS(r)

was_square = correct_sign_sqrt | flipped_sign_sqrt

return (was_square, r)
```

## ristretto255 group operations {#functions255}

This section describes the implementation of the external functions
exposed by the ristretto255 prime-order group.

### Decode {#decoding255}

All elements are encoded as 32-byte strings. Decoding proceeds as follows:

1. First, interpret the string as an unsigned integer s in little-endian
   representation. If the length of the string is not 32 bytes, or if
   the resulting value is >= p, decoding fails.
   * Note: unlike [@RFC7748] field element decoding, the most significant
     bit is not masked, and non-canonical values are rejected.
     The test vectors in (#invalid255) exercise these edge cases.
2. If `IS_NEGATIVE(s)` returns TRUE, decoding fails.
3. Process s as follows:

```
ss = s^2
u1 = 1 - ss
u2 = 1 + ss
u2_sqr = u2^2

v = -(D * u1^2) - u2_sqr

(was_square, invsqrt) = SQRT_RATIO_M1(1, v * u2_sqr)

den_x = invsqrt * u2
den_y = invsqrt * den_x * v

x = CT_ABS(2 * s * den_x)
y = u1 * den_y
t = x * y
```

4. If was\_square is FALSE, or `IS_NEGATIVE(t)` returns TRUE, or y =
   0, decoding fails. Otherwise, return the group element represented
   by the internal representation `(x, y, 1, t)` as the result of
   decoding.

### Encode {#encoding255}

A group element with internal representation `(x0, y0, z0, t0)` is
encoded as follows:

1. Process the internal representation into a field element s as follows:

```
u1 = (z0 + y0) * (z0 - y0)
u2 = x0 * y0

// Ignore was_square since this is always square.
(_, invsqrt) = SQRT_RATIO_M1(1, u1 * u2^2)

den1 = invsqrt * u1
den2 = invsqrt * u2
z_inv = den1 * den2 * t0

ix0 = x0 * SQRT_M1
iy0 = y0 * SQRT_M1
enchanted_denominator = den1 * INVSQRT_A_MINUS_D

rotate = IS_NEGATIVE(t0 * z_inv)

// Conditionally rotate x and y.
x = CT_SELECT(iy0 IF rotate ELSE x0)
y = CT_SELECT(ix0 IF rotate ELSE y0)
z = z0
den_inv = CT_SELECT(enchanted_denominator IF rotate ELSE den2)

y = CT_SELECT(-y IF IS_NEGATIVE(x * z_inv) ELSE y)

s = CT_ABS(den_inv * (z - y))
```

2. Return the 32-byte little-endian encoding of s.
   More specifically,
   this is the encoding of the canonical representation of s as an integer
   between 0 and p-1, inclusive.

Note that decoding and then re-encoding a valid group element will
yield an identical byte string.

### Equals {#equals255}

The equality function returns TRUE when two internal representations
correspond to the same group element. Note that internal representations
**MUST NOT** be compared in any other way than specified here.

For two internal representations `(x1, y1, z1, t1)` and `(x2, y2, z2, t2)`,
if

    (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)

evaluates to TRUE, then return TRUE. Otherwise, return FALSE.

Note that the equality function always returns TRUE when applied to an
internal representation and to the internal representation obtained by
encoding and then re-decoding it. However, the internal
representations themselves might not be identical.

Implementations **MAY** also perform byte comparisons on the encodings
of group elements (produced by (#encoding255)) for an equivalent, although
less efficient, result.

### Element derivation {#from_bytes_uniform255}

The element derivation function operates on 64-byte strings.
To obtain such an input from an arbitrary-length byte string, applications
should use a domain-separated hash construction, the choice of which
is out-of-scope for this document.

The element derivation function on an input string b proceeds as follows:

1. Compute P1 as `MAP(b[0:32])`.
2. Compute P2 as `MAP(b[32:64])`.
3. Return P1 + P2.

The MAP function is defined on 32-byte strings as:

1. First, mask the most significant bit in the final byte of the string,
   and interpret the string as an unsigned integer r in little-endian
   representation.
   Reduce r modulo p to obtain a field element t.
   * Masking the most significant bit is equivalent to interpreting the
     whole string as an unsigned integer in little-endian representation and then
     reducing it modulo 2^255.
   * Note: similarly to [@RFC7748] field element decoding, and unlike
     field element decoding in (#decoding255), the most significant bit
     is masked, and non-canonical values are accepted.

2. Process t as follows:

```
r = SQRT_M1 * t^2
u = (r + 1) * ONE_MINUS_D_SQ
v = (-1 - r*D) * (r + D)

(was_square, s) = SQRT_RATIO_M1(u, v)
s_prime = -CT_ABS(s*t)
s = CT_SELECT(s IF was_square ELSE s_prime)
c = CT_SELECT(-1 IF was_square ELSE r)

N = c * (r - 1) * D_MINUS_ONE_SQ - v

w0 = 2 * s * v
w1 = N * SQRT_AD_MINUS_ONE
w2 = 1 - s^2
w3 = 1 + s^2
```

3. Return the group element represented by the internal representation
   `(w0*w3, w2*w1, w1*w3, w0*w2)`.

## Scalar field

The scalars for the ristretto255 group are integers modulo the order l
of the ristretto255 group. Note that this is the same scalar field as
Curve25519, allowing existing implementations to be reused.

Scalars are encoded as 32-byte strings in little-endian order.
Implementations **SHOULD** check that any scalar s falls in the range
0 <= s < l when parsing them and reject non-canonical scalar
encodings. Implementations **SHOULD** reduce scalars modulo l when
encoding them as byte strings. Omitting these strict range checks is
**NOT RECOMMENDED** but is allowed to enable reuse of scalar
arithmetic implementations in existing Curve25519 libraries.
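The ristretto255 functions of (#sqrtratio255), (#decoding255), (#encoding255), (#equals255) and (#from_bytes_uniform255) above, as an added example that is not code from this draft or from any of its authors' libraries: a plain big-integer Python transcription, with group addition taken from the extended-coordinates formulas of Section 5.1.4 of RFC 8032 (not reproduced on this page), checked against the generator vectors of the appendix. Every constant-time primitive is replaced by an ordinary branch, so this is a test-vector checker for understanding the construction, not an implementation to deploy.

```python
# Added example (not the draft's or its authors' code): the ristretto255
# functions above in plain Python integers. NOT constant time: every CT_*
# operation is an ordinary branch, so use it only to check test vectors.
P = 2**255 - 19  # Curve25519 field prime
D = 37095705934669439343138083508754565189542113879843219016388785533085940283555
SQRT_M1 = 19681161376707505956807079304988542015446066515923890162744021073123829784752
SQRT_AD_MINUS_ONE = 25063068953384623474111414158702152701244531502492656460079210482610430750235
INVSQRT_A_MINUS_D = 54469307008909316920995813868745141605393597292927456921205312896311721017578
ONE_MINUS_D_SQ = 1159843021668779879193775521855586647937357759715417654439879720876111806838
D_MINUS_ONE_SQ = 40440834346308536858101042469323190826248399146238708352240133220865137265952
# Encodings of B[1] and B[2] copied from the draft's test vectors.
GENERATOR = bytes.fromhex("e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76")
TWO_GEN = bytes.fromhex("6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919")

def is_negative(e):  # IS_NEGATIVE: least non-negative representative is odd
    return (e % P) & 1 == 1

def ct_abs(u):  # CT_ABS: whichever of u and -u is non-negative
    return (-u) % P if is_negative(u) else u % P

def sqrt_ratio_m1(u, v):
    """SQRT_RATIO_M1 of (#sqrtratio255): returns (was_square, root)."""
    u, v = u % P, v % P
    r = u * pow(v, 3, P) * pow(u * pow(v, 7, P) % P, (P - 5) // 8, P) % P
    check = v * r * r % P
    correct_sign_sqrt = check == u
    flipped_sign_sqrt = check == (-u) % P
    flipped_sign_sqrt_i = check == (-u * SQRT_M1) % P
    if flipped_sign_sqrt or flipped_sign_sqrt_i:
        r = SQRT_M1 * r % P  # r_prime: multiply by sqrt(-1)
    return correct_sign_sqrt or flipped_sign_sqrt, ct_abs(r)

def decode(b):
    """Decode of (#decoding255); ValueError for every rejected encoding."""
    s = int.from_bytes(b, "little")
    if len(b) != 32 or s >= P or is_negative(s):
        raise ValueError("bad length, non-canonical, or negative s")
    ss = s * s % P
    u1, u2 = (1 - ss) % P, (1 + ss) % P
    u2_sqr = u2 * u2 % P
    v = (-(D * u1 * u1) - u2_sqr) % P
    was_square, invsqrt = sqrt_ratio_m1(1, v * u2_sqr)
    den_x = invsqrt * u2 % P
    den_y = invsqrt * den_x * v % P
    x = ct_abs(2 * s * den_x)
    y = u1 * den_y % P
    t = x * y % P
    if not was_square or is_negative(t) or y == 0:
        raise ValueError("not a valid ristretto255 element encoding")
    return (x, y, 1, t)

def encode(pt):
    """Encode of (#encoding255): the unique 32-byte encoding of pt's coset."""
    x0, y0, z0, t0 = pt
    u1 = (z0 + y0) * (z0 - y0) % P
    u2 = x0 * y0 % P
    _, invsqrt = sqrt_ratio_m1(1, u1 * u2 * u2)  # always square
    den1, den2 = invsqrt * u1 % P, invsqrt * u2 % P
    z_inv = den1 * den2 * t0 % P
    rotate = is_negative(t0 * z_inv)
    # Conditionally rotate x and y by SQRT_M1 and pick the matching denominator.
    x = y0 * SQRT_M1 % P if rotate else x0
    y = x0 * SQRT_M1 % P if rotate else y0
    den_inv = den1 * INVSQRT_A_MINUS_D % P if rotate else den2
    if is_negative(x * z_inv):
        y = (-y) % P
    return ct_abs(den_inv * (z0 - y)).to_bytes(32, "little")

def equals(p1, p2):  # Equals of (#equals255)
    (x1, y1), (x2, y2) = p1[:2], p2[:2]
    return (x1 * y2 - y1 * x2) % P == 0 or (y1 * y2 - x1 * x2) % P == 0

def add(p1, p2):
    """Addition on internal representations: the a = -1 extended-coordinate
    formulas of RFC 8032 Section 5.1.4 (taken from that RFC, not this draft)."""
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a, b = (y1 - x1) * (y2 - x2) % P, (y1 + x1) * (y2 + x2) % P
    c, d = 2 * D * t1 * t2 % P, 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def map_to_element(b32):
    """MAP of (#from_bytes_uniform255) on one 32-byte half."""
    t = (int.from_bytes(b32, "little") & ((1 << 255) - 1)) % P  # mask top bit
    r = SQRT_M1 * t * t % P
    u = (r + 1) * ONE_MINUS_D_SQ % P
    v = (-1 - r * D) * (r + D) % P
    was_square, s = sqrt_ratio_m1(u, v)
    s = s if was_square else (-ct_abs(s * t)) % P  # s_prime when non-square
    c = (-1) % P if was_square else r
    n = (c * (r - 1) * D_MINUS_ONE_SQ - v) % P
    w0, w1 = 2 * s * v % P, n * SQRT_AD_MINUS_ONE % P
    w2, w3 = (1 - s * s) % P, (1 + s * s) % P
    return (w0 * w3 % P, w2 * w1 % P, w1 * w3 % P, w0 * w2 % P)

def derive(b64):  # element derivation: MAP each half, then add
    if len(b64) != 64:
        raise ValueError("input must be 64 bytes")
    return add(map_to_element(b64[:32]), map_to_element(b64[32:]))
```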

Given a uniformly distributed 64-byte string b, implementations can
obtain a uniformly distributed scalar by interpreting the 64-byte
string as a 512-bit unsigned integer in little-endian order and reducing the
integer modulo l, as in [@RFC8032]. To obtain such an input from an
arbitrary-length byte string, applications should use a domain-separated
hash construction, the choice of which is out-of-scope for this document.

# decaf448 {#decaf448}

decaf448 is an instantiation of the abstract prime-order group
interface defined in (#interface). This document describes how to
implement the decaf448 prime-order group using edwards448 points as
internal representations.

A "decaf448 group element" is the abstract element of the prime order
group. An "element encoding" is the unique reversible encoding of a
group element. An "internal representation" is a point on the curve
used to implement decaf448. Each group element can have multiple
equivalent internal representations.

Encoding, decoding, equality, and the element derivation functions are defined in
(#functions448). Element addition, subtraction, negation, and scalar
multiplication are implemented by applying the corresponding operations
directly to the internal representation.

The group order is the same as the order of the edwards448 prime-order subgroup:

    l = 2^446 -
        13818066809895115352007386748515426880336692474882178609894547503885

Since decaf448 is a prime-order group, every element except the
identity is a generator, but for interoperability a canonical generator
is selected. This generator can be internally represented by 2*`B`, where `B` is the edwards448
basepoint, enabling reuse of existing precomputation for scalar
multiplication.
This is its encoding as produced by the function
specified in (#encoding448):

```
66666666 66666666 66666666 66666666 66666666 66666666 66666666
33333333 33333333 33333333 33333333 33333333 33333333 33333333
```

This repetitive constant is equal to `1/sqrt(5)` in decaf448's field,
corresponding to the curve448 base point with x = 5.

## Implementation constants {#constants448}

This document references the following constant field element values
that are used for the implementation of group operations.

* `D` = 726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358
  * This is the Edwards d parameter for edwards448, as specified in
    Section 4.2 of [@RFC7748], and is equal to -39081 in the field.
* `ONE_MINUS_D` = 39082
* `ONE_MINUS_TWO_D` = 78163
* `SQRT_MINUS_D` = 98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214
* `INVSQRT_MINUS_D` = 315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716

## Square root of a ratio of field elements {#sqrtratio448}

The following function is defined on field elements, and is used to
implement other decaf448 functions. This function is only used internally
to implement some of the group operations.

On input field elements u and v, the function `SQRT_RATIO_M1(u, v)` returns:

* `(TRUE, +sqrt(u/v))` if u and v are non-zero, and u/v is square;
* `(TRUE, zero)` if u is zero;
* `(FALSE, zero)` if v is zero and u is non-zero;
* `(FALSE, +sqrt(-u/v))` if u and v are non-zero, and u/v is
  non-square (so `-(u/v)` is square),

where `+sqrt(x)` indicates the non-negative square root of x in
the field.

The computation is similar to Section 5.2.3 of [@RFC8032], with the
difference that if the input is non-square, the function returns a
result with a defined relationship to the inputs. This result is used
for efficient implementation of the derivation function. The function
can be refactored from an existing edwards448 implementation.

`SQRT_RATIO_M1(u, v)` is defined as follows:

```
r = u * (u * v)^((p - 3) / 4) // Note: (p - 3) / 4 is an integer.

check = v * r^2
was_square = CT_EQ(check, u)

// Choose the nonnegative square root.
r = CT_ABS(r)

return (was_square, r)
```

## decaf448 group operations {#functions448}

This section describes the implementation of the external functions
exposed by the decaf448 prime-order group.

### Decode {#decoding448}

All elements are encoded as 56-byte strings. Decoding proceeds as follows:

1. First, interpret the string as an unsigned integer s in little-endian
   representation. If the length of the string is not 56 bytes, or if
   the resulting value is >= p, decoding fails.
   * Note: unlike [@RFC7748] field element decoding, non-canonical
     values are rejected. The test vectors in (#invalid448) exercise
     these edge cases.
2. If `IS_NEGATIVE(s)` returns TRUE, decoding fails.
3. Process s as follows:

```
ss = s^2
u1 = 1 + ss
u2 = u1^2 - 4 * D * ss
(was_square, invsqrt) = SQRT_RATIO_M1(1, u2 * u1^2)
u3 = CT_ABS(2 * s * invsqrt * u1 * SQRT_MINUS_D)
x = u3 * invsqrt * u2 * INVSQRT_MINUS_D
y = (1 - ss) * invsqrt * u1
t = x * y
```

4. If was\_square is FALSE then decoding fails. Otherwise,
   return the group element represented by the internal representation
   `(x, y, 1, t)` as the result of decoding.

### Encode {#encoding448}

A group element with internal representation `(x0, y0, z0, t0)` is
encoded as follows:

1. Process the internal representation into a field element s as follows:

```
u1 = (x0 + t0) * (x0 - t0)

// Ignore was_square since this is always square.
(_, invsqrt) = SQRT_RATIO_M1(1, u1 * ONE_MINUS_D * x0^2)

ratio = CT_ABS(invsqrt * u1 * SQRT_MINUS_D)
u2 = INVSQRT_MINUS_D * ratio * z0 - t0
s = CT_ABS(ONE_MINUS_D * invsqrt * x0 * u2)
```

2. Return the 56-byte little-endian encoding of s. More specifically,
   this is the encoding of the canonical representation of s as an integer
   between 0 and p-1, inclusive.

Note that decoding and then re-encoding a valid group element will
yield an identical byte string.

### Equals {#equals448}

The equality function returns TRUE when two internal representations
correspond to the same group element. Note that internal representations
**MUST NOT** be compared in any other way than specified here.

For two internal representations `(x1, y1, z1, t1)` and `(x2, y2, z2, t2)`,
if

    x1 * y2 == y1 * x2

evaluates to TRUE, then return TRUE. Otherwise, return FALSE.

Note that the equality function always returns TRUE when applied to an
internal representation and to the internal representation obtained by
encoding and then re-decoding it. However, the internal
representations themselves might not be identical.

Implementations **MAY** also perform byte comparisons on the encodings
of group elements (produced by (#encoding448)) for an equivalent, although
less efficient, result.

### Element derivation {#from_bytes_uniform448}

The element derivation function operates on 112-byte strings.
To obtain such an input from an arbitrary-length byte string, applications
should use a domain-separated hash construction, the choice of which
is out-of-scope for this document.

The element derivation function on an input string b proceeds as follows:

1. Compute P1 as `MAP(b[0:56])`.
2. Compute P2 as `MAP(b[56:112])`.
3. Return P1 + P2.

The MAP function is defined on 56-byte strings as:

1. Interpret the string as an unsigned integer r in little-endian representation.
   Reduce r modulo p to obtain a field element t.
   * Note: similarly to [@RFC7748] field element decoding, and unlike
     field element decoding in (#decoding448), non-canonical values are
     accepted.

2. Process t as follows:

```
r = -t^2
u0 = D * (r-1)
u1 = (u0 + 1) * (u0 - r)

(was_square, v) = SQRT_RATIO_M1(ONE_MINUS_TWO_D, (r + 1) * u1)
v_prime = CT_SELECT(v IF was_square ELSE t * v)
sgn = CT_SELECT(1 IF was_square ELSE -1)
s = v_prime * (r + 1)

w0 = 2 * CT_ABS(s)
w1 = s^2 + 1
w2 = s^2 - 1
w3 = v_prime * s * (r - 1) * ONE_MINUS_TWO_D + sgn
```

3. Return the group element represented by the internal representation
   `(w0*w3, w2*w1, w1*w3, w0*w2)`.

## Scalar field

The scalars for the decaf448 group are integers modulo the order l
of the decaf448 group. Note that this is the same scalar field as
edwards448, allowing existing implementations to be reused.

Scalars are encoded as 56-byte strings in little-endian order.
Implementations **SHOULD** check that any scalar s falls in the range
0 <= s < l when parsing them and reject non-canonical scalar
encodings. Implementations **SHOULD** reduce scalars modulo l when
encoding them as byte strings. Omitting these strict range checks is
**NOT RECOMMENDED** but is allowed to enable reuse of scalar
arithmetic implementations in existing edwards448 libraries.

Given a uniformly distributed 64-byte string b, implementations can
obtain a uniformly distributed scalar by interpreting the 64-byte
string as a 512-bit unsigned integer in little-endian order and reducing the
integer modulo l. To obtain such an input from an arbitrary-length
byte string, applications should use a domain-separated hash
construction, the choice of which is out-of-scope for this document.

# API Considerations {#api}

ristretto255 and decaf448 are abstractions which implement two prime-order
groups, and their elements are represented by curve points, but they are
not curve points. Implementations **SHOULD** reflect that: the type
representing an element of the group **SHOULD** be opaque to the caller,
meaning they do not expose the underlying curve point or field elements.
Moreover, implementations **SHOULD NOT** expose any internal constants
or functions used in the implementation of the group operations.

The reason for this encapsulation is that ristretto255 and decaf448 implementations
can change their underlying curve without causing any breaking change.
The ristretto255
and decaf448 constructions are carefully designed so that this will be the
case, as long as implementations do not expose internal representations or
operate on them except as described in this document. In particular,
implementations **SHOULD NOT** define any external ristretto255 or decaf448
interface as operating on arbitrary curve points, and they **SHOULD NOT**
construct group elements except via decoding, the element derivation function,
or group operations on other valid group elements per (#interface). They are
however allowed to apply any optimization strategy to the internal
representations as long as it doesn't change the exposed behavior of the
API.

It is **RECOMMENDED** that implementations do not perform a decoding and
encoding operation for each group operation, as it is inefficient and
unnecessary. Implementations **SHOULD** instead provide an opaque type
to hold the internal representation through multiple operations.

# IANA Considerations

This document has no IANA actions.

# Security Considerations

The ristretto255 and decaf448 groups provide higher-level protocols with
the abstraction they expect: a prime-order group. Therefore, it's expected
to be safer for use in any situation where Curve25519 or edwards448 is used
to implement a protocol requiring a prime-order group. Note that the safety
of the abstraction can be defeated by implementations that do not follow
the guidance in (#api).

There is no function to test whether an elliptic curve point is a
valid internal representation of a group element. The decoding
function always returns a valid internal representation, or an error, and
allowed operations on valid internal representations return valid
internal representations.
In this way, an implementation can maintain
the invariant that an internal representation is always valid, so that
checking is never necessary, and invalid states are unrepresentable.

# Acknowledgements

The authors would like to thank Daira Hopwood, Riad S. Wahby, Christopher Wood,
and Thomas Pornin for their comments on the draft.

{backmatter}

# Test vectors for ristretto255

This section contains test vectors for ristretto255. The octets are
hex encoded, and whitespace is inserted for readability.

## Multiples of the generator

The following are the encodings of the multiples 0 to 15 of the
canonical generator, represented as an array of elements. That is,
the first entry is the encoding of the identity element, and each
successive entry is obtained by adding the generator to the previous entry.

```
B[ 0]: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
B[ 1]: e2f2ae0a 6abc4e71 a884a961 c500515f 58e30b6a a582dd8d b6a65945 e08d2d76
B[ 2]: 6a493210 f7499cd1 7fecb510 ae0cea23 a110e8d5 b901f8ac add3095c 73a3b919
B[ 3]: 94741f5d 5d52755e ce4f23f0 44ee27d5 d1ea1e2b d196b462 166b1615 2a9d0259
B[ 4]: da808627 73358b46 6ffadfe0 b3293ab3 d9fd53c5 ea6c9553 58f56832 2daf6a57
B[ 5]: e882b131 016b52c1 d3337080 187cf768 423efccb b517bb49 5ab812c4 160ff44e
B[ 6]: f64746d3 c92b1305 0ed8d802 36a7f000 7c3b3f96 2f5ba793 d19a601e bb1df403
B[ 7]: 44f53520 926ec81f bd5a3878 45beb7df 85a96a24 ece18738 bdcfa6a7 822a176d
B[ 8]: 903293d8 f2287ebe 10e2374d c1a53e0b c887e592 699f02d0 77d5263c dd55601c
B[ 9]: 02622ace 8f7303a3 1cafc63f 8fc48fdc 16e1c8c8 d234b2f0 d6685282 a9076031
B[10]: 20706fd7 88b2720a 1ed2a5da d4952b01 f413bcf0 e7564de8 cdc81668 9e2db95f
B[11]: bce83f8b a5dd2fa5 72864c24 ba1810f9 522bc600 4afe9587 7ac73241 cafdab42
B[12]: e4549ee1 6b9aa030 99ca208c 67adafca fa4c3f3e 4e5303de 6026e3ca 8ff84460
B[13]: aa52e000 df2e16f5 5fb1032f c33bc427 42dad6bd 5a8fc0be 0167436c 5948501f
B[14]: 46376b80 f409b29d c2b5f6f0 c5259199 0896e571 6f41477c d30085ab 7f10301e
B[15]: e0c418f7 c8d9c4cd d7395b93 ea124f3a d99021bb 681dfc33 02a9d99a 2e53e64e
```

Note that because

    B[i+1] = B[i] + B[1]

these test vectors allow testing the encoding function and
the implementation of addition simultaneously.

## Invalid encodings {#invalid255}

These are examples of encodings that **MUST** be rejected according to
(#decoding255).

```
# Non-canonical field encodings.
00ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff
ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f
f3ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f
edffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f

# Negative field elements.
01000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
01ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f
ed57ffd8 c914fb20 1471d1c3 d245ce3c 746fcbe6 3a3679d5 1b6a516e bebe0e20
c34c4e18 26e5d403 b78e246e 88aa051c 36ccf0aa febffe13 7d148a2b f9104562
c940e5a4 404157cf b1628b10 8db051a8 d439e1a4 21394ec4 ebccb9ec 92a8ac78
47cfc549 7c53dc8e 61c91d17 fd626ffb 1c49e2bc a94eed05 2281b510 b1117a24
f1c6165d 33367351 b0da8f6e 4511010c 68174a03 b6581212 c71c0e1d 026c3c72
87260f7a 2f124951 18360f02 c26a470f 450dadf3 4a413d21 042b43b9 d93e1309

# Non-square x^2.
26948d35 ca62e643 e26a8317 7332e6b6 afeb9d08 e4268b65 0f1f5bbd 8d81d371
4eac077a 713c57b4 f4397629 a4145982 c661f480 44dd3f96 427d40b1 47d9742f
de6a7b00 deadc788 eb6b6c8d 20c0ae96 c2f20190 78fa604f ee5b87d6 e989ad7b
bcab477b e20861e0 1e4a0e29 5284146a 510150d9 817763ca f1a6f4b4 22d67042
2a292df7 e32cabab bd9de088 d1d1abec 9fc0440f 637ed2fb a145094d c14bea08
f4a9e534 fc0d216c 44b218fa 0c42d996 35a0127e e2e53c71 2f706096 49fdff22
8268436f 8c412619 6cf64b3c 7ddbda90 746a3786 25f9813d d9b84570 77256731
2810e5cb c2cc4d4e ece54f61 c6f69758 e289aa7a b440b3cb eaa21995 c2f4232b

# Negative xy value.
3eb858e7 8f5a7254 d8c97311 74a94f76 755fd394 1c0ac937 35c07ba1 4579630e
a45fdc55 c76448c0 49a1ab33 f17023ed fb2be358 1e9c7aad e8a61252 15e04220
d483fe81 3c6ba647 ebbfd3ec 41adca1c 6130c2be eee9d9bf 065c8d15 1c5f396e
8a2e1d30 050198c6 5a544831 23960ccc 38aef684 8e1ec8f5 f780e852 3769ba32
32888462 f8b486c6 8ad7dd96 10be5192 bbeaf3b4 43951ac1 a8118419 d9fa097b
22714250 1b9d4355 ccba2904 04bde415 75b03769 3cef1f43 8c47f8fb f35d1165
5c37cc49 1da847cf eb9281d4 07efc41e 15144c87 6e0170b4 99a96a22 ed31e01e
44542511 7cb8c90e dcbc7c1c c0e74f74 7f2c1efa 5630a967 c64f2877 92a48a4b

# s = -1, which causes y = 0.
ecffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f
```

## Group elements from byte strings

The following pairs are inputs to the element derivation function of
(#from_bytes_uniform255), and their encoded outputs.
946 | 947 | ``` 948 | I: 5d1be09e3d0c82fc538112490e35701979d99e06ca3e2b5b54bffe8b4dc772c1 949 | 4d98b696a1bbfb5ca32c436cc61c16563790306c79eaca7705668b47dffe5bb6 950 | O: 3066f82a 1a747d45 120d1740 f1435853 1a8f04bb ffe6a819 f86dfe50 f44a0a46 951 | 952 | I: f116b34b8f17ceb56e8732a60d913dd10cce47a6d53bee9204be8b44f6678b27 953 | 0102a56902e2488c46120e9276cfe54638286b9e4b3cdb470b542d46c2068d38 954 | O: f26e5b6f 7d362d2d 2a94c5d0 e7602cb4 773c95a2 e5c31a64 f133189f a76ed61b 955 | 956 | I: 8422e1bbdaab52938b81fd602effb6f89110e1e57208ad12d9ad767e2e25510c 957 | 27140775f9337088b982d83d7fcf0b2fa1edffe51952cbe7365e95c86eaf325c 958 | O: 006ccd2a 9e6867e6 a2c5cea8 3d3302cc 9de128dd 2a9a57dd 8ee7b9d7 ffe02826 959 | 960 | I: ac22415129b61427bf464e17baee8db65940c233b98afce8d17c57beeb7876c2 961 | 150d15af1cb1fb824bbd14955f2b57d08d388aab431a391cfc33d5bafb5dbbaf 962 | O: f8f0c87c f237953c 5890aec3 99816900 5dae3eca 1fbb0454 8c635953 c817f92a 963 | 964 | I: 165d697a1ef3d5cf3c38565beefcf88c0f282b8e7dbd28544c483432f1cec767 965 | 5debea8ebb4e5fe7d6f6e5db15f15587ac4d4d4a1de7191e0c1ca6664abcc413 966 | O: ae81e7de df20a497 e10c304a 765c1767 a42d6e06 029758d2 d7e8ef7c c4c41179 967 | 968 | I: a836e6c9a9ca9f1e8d486273ad56a78c70cf18f0ce10abb1c7172ddd605d7fd2 969 | 979854f47ae1ccf204a33102095b4200e5befc0465accc263175485f0e17ea5c 970 | O: e2705652 ff9f5e44 d3e841bf 1c251cf7 dddb77d1 40870d1a b2ed64f1 a9ce8628 971 | 972 | I: 2cdc11eaeb95daf01189417cdddbf95952993aa9cb9c640eb5058d09702c7462 973 | 2c9965a697a3b345ec24ee56335b556e677b30e6f90ac77d781064f866a3c982 974 | O: 80bd0726 2511cdde 4863f8a7 434cef69 6750681c b9510eea 557088f7 6d9e5065 975 | ``` 976 | 977 | The following element derivation function inputs all produce the same encoded 978 | output. 
979 | 980 | ``` 981 | I: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 982 | 1200000000000000000000000000000000000000000000000000000000000000 983 | I: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 984 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 985 | I: 0000000000000000000000000000000000000000000000000000000000000080 986 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 987 | I: 0000000000000000000000000000000000000000000000000000000000000000 988 | 1200000000000000000000000000000000000000000000000000000000000080 989 | 990 | O: 30428279 1023b731 28d277bd cb5c7746 ef2eac08 dde9f298 3379cb8e 5ef0517f 991 | ``` 992 | 993 | ## Square root of a ratio of field elements 994 | 995 | The following are inputs and outputs of `SQRT_RATIO_M1(u, v)` defined 996 | in (#sqrtratio255). The values are little-endian encodings of field 997 | elements. 998 | 999 | ``` 1000 | u: 0000000000000000000000000000000000000000000000000000000000000000 1001 | v: 0000000000000000000000000000000000000000000000000000000000000000 1002 | was_square: TRUE 1003 | r: 0000000000000000000000000000000000000000000000000000000000000000 1004 | 1005 | u: 0000000000000000000000000000000000000000000000000000000000000000 1006 | v: 0100000000000000000000000000000000000000000000000000000000000000 1007 | was_square: TRUE 1008 | r: 0000000000000000000000000000000000000000000000000000000000000000 1009 | 1010 | u: 0100000000000000000000000000000000000000000000000000000000000000 1011 | v: 0000000000000000000000000000000000000000000000000000000000000000 1012 | was_square: FALSE 1013 | r: 0000000000000000000000000000000000000000000000000000000000000000 1014 | 1015 | u: 0200000000000000000000000000000000000000000000000000000000000000 1016 | v: 0100000000000000000000000000000000000000000000000000000000000000 1017 | was_square: FALSE 1018 | r: 3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54 1019 | 1020 | u: 
0400000000000000000000000000000000000000000000000000000000000000 1021 | v: 0100000000000000000000000000000000000000000000000000000000000000 1022 | was_square: TRUE 1023 | r: 0200000000000000000000000000000000000000000000000000000000000000 1024 | 1025 | u: 0100000000000000000000000000000000000000000000000000000000000000 1026 | v: 0400000000000000000000000000000000000000000000000000000000000000 1027 | was_square: TRUE 1028 | r: f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f 1029 | ``` 1030 | 1031 | # Test vectors for decaf448 1032 | 1033 | This section contains test vectors for decaf448. The octets are 1034 | hex encoded, and whitespace is inserted for readability. 1035 | 1036 | ## Multiples of the generator 1037 | 1038 | The following are the encodings of the multiples 0 to 15 of the 1039 | canonical generator, represented as an array of elements. That is, 1040 | the first entry is the encoding of the identity element, and each 1041 | successive entry is obtained by adding the generator to the previous entry. 
1042 | 1043 | ``` 1044 | B[ 0]: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1045 | 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1046 | B[ 1]: 66666666 66666666 66666666 66666666 66666666 66666666 66666666 1047 | 33333333 33333333 33333333 33333333 33333333 33333333 33333333 1048 | B[ 2]: c898eb4f 87f97c56 4c6fd61f c7e49689 314a1f81 8ec85eeb 3bd5514a 1049 | c816d387 78f69ef3 47a89fca 817e66de fdedce17 8c7cc709 b2116e75 1050 | B[ 3]: a0c09bf2 ba7208fd a0f4bfe3 d0f5b29a 54301230 6d43831b 5adc6fe7 1051 | f8596fa3 08763db1 5468323b 11cf6e4a eb8c18fe 44678f44 545a69bc 1052 | B[ 4]: b46f1836 aa287c0a 5a5653f0 ec5ef9e9 03f436e2 1c1570c2 9ad9e5f5 1053 | 96da97ee af17150a e30bcb31 74d04bc2 d712c8c7 789d7cb4 fda138f4 1054 | B[ 5]: 1c5bbecf 4741dfaa e79db72d face00ea aac502c2 060934b6 eaaeca6a 1055 | 20bd3da9 e0be8777 f7d02033 d1b15884 232281a4 1fc7f80e ed04af5e 1056 | B[ 6]: 86ff0182 d40f7f9e db786251 5821bd67 bfd6165a 3c44de95 d7df79b8 1057 | 779ccf64 60e3c68b 70c16aaa 280f2d7b 3f22d745 b97a8990 6cfc476c 1058 | B[ 7]: 502bcb68 42eb06f0 e49032ba e87c554c 031d6d4d 2d7694ef bf9c468d 1059 | 48220c50 f8ca2884 3364d70c ee92d6fe 246e6144 8f9db980 8b3b2408 1060 | B[ 8]: 0c9810f1 e2ebd389 caa78937 4d780079 74ef4d17 227316f4 0e578b33 1061 | 6827da3f 6b482a47 94eb6a39 75b971b5 e1388f52 e91ea2f1 bcb0f912 1062 | B[ 9]: 20d41d85 a18d5657 a2964032 1563bbd0 4c2ffbd0 a37a7ba4 3a4f7d26 1063 | 3ce26faf 4e1f74f9 f4b590c6 9229ae57 1fe37fa6 39b5b8eb 48bd9a55 1064 | B[10]: e6b4b8f4 08c7010d 0601e7ed a0c309a1 a42720d6 d06b5759 fdc4e1ef 1065 | e22d076d 6c44d42f 508d67be 462914d2 8b8edce3 2e709430 5164af17 1066 | B[11]: be88bbb8 6c59c13d 8e9d09ab 98105f69 c2d1dd13 4dbcd3b0 863658f5 1067 | 3159db64 c0e139d1 80f3c89b 8296d0ae 324419c0 6fa87fc7 daaf34c1 1068 | B[12]: a456f936 9769e8f0 8902124a 0314c7a0 6537a06e 32411f4f 93415950 1069 | a17badfa 7442b621 7434a3a0 5ef45be5 f10bd7b2 ef8ea00c 431edec5 1070 | B[13]: 186e452c 4466aa43 83b4c002 10d52e79 22dbf977 1e8b47e2 
29a9b7b7 1071 | 3c8d10fd 7ef0b6e4 1530f91f 24a3ed9a b71fa38b 98b2fe47 46d51d68 1072 | B[14]: 4ae7fdca e9453f19 5a8ead5c be1a7b96 99673b52 c40ab279 27464887 1073 | be53237f 7f3a21b9 38d40d0e c9e15b1d 5130b13f fed81373 a53e2b43 1074 | B[15]: 841981c3 bfeec3f6 0cfeca75 d9d8dc17 f46cf010 6f2422b5 9aec580a 1075 | 58f34227 2e3a5e57 5a055ddb 051390c5 4c24c6ec b1e0aceb 075f6056 1076 | ``` 1077 | 1078 | ## Invalid encodings {#invalid448} 1079 | 1080 | These are examples of encodings that **MUST** be rejected according to 1081 | (#decoding448). 1082 | 1083 | ``` 1084 | # Non-canonical field encodings. 1085 | 8e24f838 059ee9fe f1e20912 6defe53d cd74ef9b 6304601c 6966099e 1086 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1087 | 1088 | 86fcc721 2bd4a0b9 80928666 dc28c444 a605ef38 e09fb569 e28d4443 1089 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1090 | 1091 | 866d54bd 4c4ff41a 55d4eefd beca73cb d653c7bd 3135b383 708ec0bd 1092 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1093 | 1094 | 4a380ccd ab9c8636 4a89e77a 464d64f9 157538cf dfa686ad c0d5ece4 1095 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1096 | 1097 | f22d9d4c 945dd44d 11e0b1d3 d3d358d9 59b4844d 83b08c44 e659d79f 1098 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1099 | 1100 | 8cdffc68 1aa99e9c 818c8ef4 c3808b58 e86acdef 1ab68c84 77af185b 1101 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1102 | 1103 | 0e1c12ac 7b5920ef fbd044e8 97c57634 e2d05b5c 27f8fa3d f8a086a1 1104 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1105 | 1106 | # Negative field elements. 
1107 | 15141bd2 121837ef 71a0016b d11be757 507221c2 6542244f 23806f3f 1108 | d3496b7d 4c368262 76f3bf5d eea2c60c 4fa4cec6 9946876d a497e795 1109 | 1110 | 455d3802 38434ab7 40a56267 f4f46b7d 2eb2dd8e e905e51d 7b0ae8a6 1111 | cb2bae50 1e67df34 ab21fa45 946068c9 f233939b 1d9521a9 98b7cb93 1112 | 1113 | 810b1d8e 8bf3a9c0 23294bbf d3d905a9 7531709b dc0f4239 0feedd70 1114 | 10f77e98 686d400c 9c86ed25 0ceecd9d e0a18888 ffecda0f 4ea1c60d 1115 | 1116 | d3af9cc4 1be0e5de 83c0c627 3bedcb93 51970110 044a9a41 c7b9b226 1117 | 7cdb9d7b f4dc9c2f db8bed32 87818460 4f1d9944 305a8df4 274ce301 1118 | 1119 | 9312bcab 09009e43 30ff89c4 bc1e9e00 0d863efc 3c863d3b 6c507a40 1120 | fd2cdefd e1bf0892 b4b5ed97 80b91ed1 398fb4a7 344c605a a5efda74 1121 | 1122 | 53d11bce 9e62a29d 63ed82ae 93761bdd 76e38c21 e2822d6e bee5eb1c 1123 | 5b8a03ea f9df749e 2490eda9 d8ac27d1 f71150de 93668074 d18d1c3a 1124 | 1125 | 697c1aed 3cd88585 15d4be8a c158b229 fe184d79 cb2b06e4 9210a6f3 1126 | a7cd537b cd9bd390 d96c4ab6 a4406da5 d9364072 6285370c fa95df80 1127 | 1128 | # Non-square x^2. 
1129 | 58ad4871 5c9a1025 69b68b88 362a4b06 45781f5a 19eb7e59 c6a4686f 1130 | d0f0750f f42e3d7a f1ab38c2 9d69b670 f3125891 9c9fdbf6 093d06c0 1131 | 1132 | 8ca37ee2 b15693f0 6e910cf4 3c4e32f1 d5551dda 8b1e48cb 6ddd55e4 1133 | 40dbc7b2 96b60191 9a4e4069 f59239ca 247ff693 f7daa42f 086122b1 1134 | 1135 | 982c0ec7 f43d9f97 c0a74b36 db0abd9c a6bfb981 23a90782 787242c8 1136 | a523cdc7 6df14a91 0d544711 27e7662a 1059201f 902940cd 39d57af5 1137 | 1138 | baa9ab82 d07ca282 b968a911 a6c3728d 74bf2fe2 58901925 787f03ee 1139 | 4be7e3cb 6684fd1b cfe5071a 9a974ad2 49a4aaa8 ca812642 16c68574 1140 | 1141 | 2ed9ffe2 ded67a37 2b181ac5 24996402 c4297062 9db03f5e 8636cbaf 1142 | 6074b523 d154a7a8 c4472c4c 353ab88c d6fec7da 7780834c c5bd5242 1143 | 1144 | f063769e 4241e76d 815800e4 933a3a14 4327a30e c40758ad 3723a788 1145 | 388399f7 b3f5d45b 6351eb8e ddefda7d 5bff4ee9 20d338a8 b89d8b63 1146 | 1147 | 5a0104f1 f55d152c eb68bc13 81824998 91d90ee8 f09b4003 8ccc1e07 1148 | cb621fd4 62f781d0 45732a4f 0bda73f0 b2acf943 55424ff0 388d4b9c 1149 | ``` 1150 | 1151 | ## Group elements from uniform byte strings 1152 | 1153 | The following pairs are inputs to the element derivation function of 1154 | (#from_bytes_uniform448), and their encoded outputs. 
1155 | 1156 | ``` 1157 | I: cbb8c991fd2f0b7e1913462d6463e4fd2ce4ccdd28274dc2ca1f4165 1158 | d5ee6cdccea57be3416e166fd06718a31af45a2f8e987e301be59ae6 1159 | 673e963001dbbda80df47014a21a26d6c7eb4ebe0312aa6fffb8d1b2 1160 | 6bc62ca40ed51f8057a635a02c2b8c83f48fa6a2d70f58a1185902c0 1161 | O: 0c709c96 07dbb01c 94513358 745b7c23 953d03b3 3e39c723 4e268d1d 1162 | 6e24f340 14ccbc22 16b965dd 231d5327 e591dc3c 0e8844cc fd568848 1163 | 1164 | I: b6d8da654b13c3101d6634a231569e6b85961c3f4b460a08ac4a5857 1165 | 069576b64428676584baa45b97701be6d0b0ba18ac28d443403b4569 1166 | 9ea0fbd1164f5893d39ad8f29e48e399aec5902508ea95e33bc1e9e4 1167 | 620489d684eb5c26bc1ad1e09aba61fabc2cdfee0b6b6862ffc8e55a 1168 | O: 76ab794e 28ff1224 c727fa10 16bf7f1d 329260b7 218a39ae a2fdb17d 1169 | 8bd91190 17b093d6 41cedf74 328c3271 84dc6f2a 64bd90ed dccfcdab 1170 | 1171 | I: 36a69976c3e5d74e4904776993cbac27d10f25f5626dd45c51d15dcf 1172 | 7b3e6a5446a6649ec912a56895d6baa9dc395ce9e34b868d9fb2c1fc 1173 | 72eb6495702ea4f446c9b7a188a4e0826b1506b0747a6709f37988ff 1174 | 1aeb5e3788d5076ccbb01a4bc6623c92ff147a1e21b29cc3fdd0e0f4 1175 | O: c8d7ac38 4143500e 50890a1c 25d64334 3accce58 4caf2544 f9249b2b 1176 | f4a69210 82be0e7f 3669bb5e c24535e6 c45621e1 f6dec676 edd8b664 1177 | 1178 | I: d5938acbba432ecd5617c555a6a777734494f176259bff9dab844c81 1179 | aadcf8f7abd1a9001d89c7008c1957272c1786a4293bb0ee7cb37cf3 1180 | 988e2513b14e1b75249a5343643d3c5e5545a0c1a2a4d3c685927c38 1181 | bc5e5879d68745464e2589e000b31301f1dfb7471a4f1300d6fd0f99 1182 | O: 62beffc6 b8ee11cc d79dbaac 8f0252c7 50eb052b 192f41ee ecb12f29 1183 | 79713b56 3caf7d22 588eca5e 80995241 ef963e7a d7cb7962 f343a973 1184 | 1185 | I: 4dec58199a35f531a5f0a9f71a53376d7b4bdd6bbd2904234a8ea65b 1186 | bacbce2a542291378157a8f4be7b6a092672a34d85e473b26ccfbd4c 1187 | dc6739783dc3f4f6ee3537b7aed81df898c7ea0ae89a15b5559596c2 1188 | a5eeacf8b2b362f3db2940e3798b63203cae77c4683ebaed71533e51 1189 | O: f4ccb31d 263731ab 88bed634 304956d2 603174c6 6da38742 053fa37d 1190 | 
d902346c 3862155d 68db63be 87439e3d 68758ad7 268e239d 39c4fd3b 1191 | 1192 | I: df2aa1536abb4acab26efa538ce07fd7bca921b13e17bc5ebcba7d1b 1193 | 6b733deda1d04c220f6b5ab35c61b6bcb15808251cab909a01465b8a 1194 | e3fc770850c66246d5a9eae9e2877e0826e2b8dc1bc08009590bc677 1195 | 8a84e919fbd28e02a0f9c49b48dc689eb5d5d922dc01469968ee81b5 1196 | O: 7e79b00e 8e0a76a6 7c0040f6 2713b8b8 c6d6f05e 9c6d0259 2e8a22ea 1197 | 896f5dea cc7c7df5 ed42beae 6fedb900 0285b482 aa504e27 9fd49c32 1198 | 1199 | I: e9fb440282e07145f1f7f5ecf3c273212cd3d26b836b41b02f108431 1200 | 488e5e84bd15f2418b3d92a3380dd66a374645c2a995976a015632d3 1201 | 6a6c2189f202fc766e1c82f50ad9189be190a1f0e8f9b9e69c9c18cc 1202 | 98fdd885608f68bf0fdedd7b894081a63f70016a8abf04953affbefa 1203 | O: 20b171cb 16be977f 15e013b9 752cf86c 54c631c4 fc8cbf7c 03c4d3ac 1204 | 9b8e8640 e7b0e930 0b987fe0 ab504466 9314f6ed 1650ae03 7db853f1 1205 | ``` 1206 | -------------------------------------------------------------------------------- /draft-irtf-cfrg-ristretto255-decaf448.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Crypto Forum Research Group H. de Valence 6 | Internet-Draft 7 | Intended status: Informational J. Grigg 8 | Expires: 29 February 2024 9 | M. Hamburg 10 | 11 | I. Lovecruft 12 | 13 | G. Tankersley 14 | 15 | F. Valsorda 16 | 28 August 2023 17 | 18 | 19 | The ristretto255 and decaf448 Groups 20 | draft-irtf-cfrg-ristretto255-decaf448-08 21 | 22 | Abstract 23 | 24 | This memo specifies two prime-order groups, ristretto255 and 25 | decaf448, suitable for safely implementing higher-level and complex 26 | cryptographic protocols. The ristretto255 group can be implemented 27 | using Curve25519, allowing existing Curve25519 implementations to be 28 | reused and extended to provide a prime-order group. Likewise, the 29 | decaf448 group can be implemented using edwards448. 30 | 31 | This document is a product of the Crypto Forum Research Group (CFRG) 32 | in the IRTF. 
33 | 34 | Status of This Memo 35 | 36 | This Internet-Draft is submitted in full conformance with the 37 | provisions of BCP 78 and BCP 79. 38 | 39 | Internet-Drafts are working documents of the Internet Engineering 40 | Task Force (IETF). Note that other groups may also distribute 41 | working documents as Internet-Drafts. The list of current Internet- 42 | Drafts is at https://datatracker.ietf.org/drafts/current/. 43 | 44 | Internet-Drafts are draft documents valid for a maximum of six months 45 | and may be updated, replaced, or obsoleted by other documents at any 46 | time. It is inappropriate to use Internet-Drafts as reference 47 | material or to cite them other than as "work in progress." 48 | 49 | This Internet-Draft will expire on 29 February 2024. 50 | 51 | Copyright Notice 52 | 53 | Copyright (c) 2023 IETF Trust and the persons identified as the 54 | document authors. All rights reserved. 55 | 56 | This document is subject to BCP 78 and the IETF Trust's Legal 57 | Provisions Relating to IETF Documents (https://trustee.ietf.org/ 58 | license-info) in effect on the date of publication of this document. 59 | Please review these documents carefully, as they describe your rights 60 | and restrictions with respect to this document. Code Components 61 | extracted from this document must include Revised BSD License text as 62 | described in Section 4.e of the Trust Legal Provisions and are 63 | provided without warranty as described in the Revised BSD License. 64 | 65 | Table of Contents 66 | 67 | 1. Introduction 68 | 2. Notation and Conventions Used In This Document 69 | 2.1. Negative field elements 70 | 2.2. Constant time operations 71 | 3. The group abstraction 72 | 4. ristretto255 73 | 4.1. Implementation constants 74 | 4.2. Square root of a ratio of field elements 75 | 4.3. ristretto255 group operations 76 | 4.3.1. Decode 77 | 4.3.2. Encode 78 | 4.3.3. Equals 79 | 4.3.4. Element derivation 80 | 4.4. Scalar field 81 | 5. decaf448 82 | 5.1. 
Implementation constants 83 | 5.2. Square root of a ratio of field elements 84 | 5.3. decaf448 group operations 85 | 5.3.1. Decode 86 | 5.3.2. Encode 87 | 5.3.3. Equals 88 | 5.3.4. Element derivation 89 | 5.4. Scalar field 90 | 6. API Considerations 91 | 7. IANA Considerations 92 | 8. Security Considerations 93 | 9. Acknowledgements 94 | 10. Normative References 95 | 11. Informative References 96 | Appendix A. Test vectors for ristretto255 97 | A.1. Multiples of the generator 98 | A.2. Invalid encodings 99 | A.3. Group elements from byte strings 100 | A.4. Square root of a ratio of field elements 101 | Appendix B. Test vectors for decaf448 102 | B.1. Multiples of the generator 103 | B.2. Invalid encodings 104 | B.3. Group elements from uniform byte strings 105 | Authors' Addresses 106 | 107 | 1. Introduction 108 | 109 | Decaf [Decaf] is a technique for constructing prime-order groups with 110 | non-malleable encodings from non-prime-order elliptic curves. 111 | Ristretto extends this technique to support cofactor-8 curves such as 112 | Curve25519 [RFC7748]. In particular, this allows an existing 113 | Curve25519 library to provide a prime-order group with only a thin 114 | abstraction layer. 115 | 116 | Many group-based cryptographic protocols require the number of 117 | elements in the group (the group order) to be prime. Prime-order 118 | groups are useful because every non-identity element of the group is 119 | a generator of the entire group. This means the group has a cofactor 120 | of 1, and all elements are equivalent from the perspective of 121 | Discrete Log Hardness. 122 | 123 | Edwards curves provide a number of implementation benefits for 124 | cryptography, such as complete addition formulas with no exceptional 125 | points and formulas among the fastest known for curve operations. 126 | However, the group of points on the curve is not of prime order, 127 | i.e., it has a cofactor larger than 1. 
This abstraction mismatch is 128 | usually handled by means of ad-hoc protocol tweaks, such as 129 | multiplying by the cofactor in an appropriate place, or not at all. 130 | 131 | Even for simple protocols such as signatures, these tweaks can cause 132 | subtle issues. For instance, Ed25519 implementations may have 133 | different validation behavior between batched and singleton 134 | verification, and at least as specified in [RFC8032], the set of 135 | valid signatures is not defined by the standard. 136 | 137 | For more complex protocols, careful analysis is required as the 138 | original security proofs may no longer apply, and the tweaks for one 139 | protocol may have disastrous effects when applied to another (for 140 | instance, the octuple-spend vulnerability in [MoneroVuln]). 141 | 142 | Decaf and Ristretto fix this abstraction mismatch in one place for 143 | all protocols, providing an abstraction to protocol implementors that 144 | matches the abstraction commonly assumed in protocol specifications, 145 | while still allowing the use of high-performance curve 146 | implementations internally. The abstraction layer imposes minor 147 | overhead, and only in the encoding and decoding phases. 148 | 149 | While Ristretto is a general method, and can be used in conjunction 150 | with any Edwards curve with cofactor 4 or 8, this document specifies 151 | the ristretto255 group, which can be implemented using Curve25519, 152 | and the decaf448 group, which can be implemented using edwards448. 153 | 154 | There are other elliptic curves that can be used internally to 155 | implement ristretto255 or decaf448, and those implementations would 156 | be interoperable with a Curve25519- or edwards448-based one, but 157 | those constructions are out-of-scope for this document. 158 | 159 | The Ristretto construction is described and justified in detail at 160 | [RistrettoGroup]. 
161 | 162 | This document represents the consensus of the Crypto Forum Research 163 | Group (CFRG). This document is not an IETF product and is not a 164 | standard. 165 | 166 | 2. Notation and Conventions Used In This Document 167 | 168 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 169 | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 170 | "OPTIONAL" in this document are to be interpreted as described in BCP 171 | 14 [RFC2119] [RFC8174] when, and only when, they appear in all 172 | capitals, as shown here. 173 | 174 | Readers are cautioned that the term "Curve25519" has varying 175 | interpretations in the literature, and that the canonical meaning of 176 | the term has shifted over time. Originally it referred to a specific 177 | Diffie-Hellman key exchange mechanism. Over time, use shifted, and 178 | "Curve25519" has been used to refer to either the abstract underlying 179 | curve, or its concrete representation in Montgomery form, or the 180 | specific Diffie-Hellman mechanism. This document uses the term 181 | "Curve25519" to refer to the abstract underlying curve, as 182 | recommended in [Naming]. The abstract Edwards form of the curve we 183 | refer to here as "Curve25519" is in [RFC7748] referred to as 184 | "edwards25519" and its isogenous Montgomery form is referred to as 185 | "curve25519". 186 | 187 | Elliptic curve points in this document are represented in extended 188 | Edwards coordinates in the (x, y, z, t) format [Twisted], also called 189 | extended homogeneous coordinates in Section 5.1.4 of [RFC8032]. 190 | Field elements are values modulo p, the Curve25519 prime 2^255 - 19 191 | or the edwards448 prime 2^448 - 2^224 - 1, as specified in Sections 192 | 4.1 and 4.2 of [RFC7748], respectively. All formulas specify field 193 | operations unless otherwise noted. The symbol ^ denotes 194 | exponentiation. 195 | 196 | The | symbol represents a constant-time logical OR. 
197 | 198 | The notation array[A:B] means the elements of array from A to B-1. 199 | That is, it is exclusive of B. Arrays are indexed starting from 0. 200 | 201 | A byte is an 8-bit entity (also known as "octet") and a byte string 202 | is an ordered sequence of bytes. An N-byte string is a byte string 203 | of N bytes in length. 204 | 205 | Element encodings are presented as hex encoded byte strings with 206 | whitespace added for readability. 207 | 208 | 2.1. Negative field elements 209 | 210 | As in [RFC8032], given a field element e, define IS_NEGATIVE(e) as 211 | TRUE if the least non-negative integer representing e is odd, and 212 | FALSE if it is even. This SHOULD be implemented in constant time. 213 | 214 | 2.2. Constant time operations 215 | 216 | We assume that the field element implementation supports the 217 | following operations, which SHOULD be implemented in constant time: 218 | 219 | * CT_EQ(u, v): return TRUE if u = v, FALSE otherwise. 220 | * CT_SELECT(v IF cond ELSE u): return v if cond is TRUE, else return 221 | u. 222 | * CT_ABS(u): return -u if IS_NEGATIVE(u), else return u. 223 | 224 | Note that CT_ABS MAY be implemented as: 225 | 226 | CT_SELECT(-u IF IS_NEGATIVE(u) ELSE u) 227 | 228 | 3. The group abstraction 229 | 230 | Ristretto and Decaf implement an abstract prime-order group interface 231 | that exposes only the behavior that is useful to higher-level 232 | protocols, without leaking curve-related details and pitfalls. 233 | 234 | Each abstract group exposes operations on abstract element and 235 | abstract scalar types. The operations defined on these types 236 | include: decoding, encoding, equality, addition, negation, 237 | subtraction and (multi-)scalar multiplication. Each abstract group 238 | also exposes a deterministic function to derive abstract elements 239 | from fixed-length byte strings. A description of each of these 240 | operations is below. 
241 | 242 | Decoding is a function from byte strings to abstract elements with 243 | built-in validation, so that only the canonical encodings of valid 244 | elements are accepted. The built-in validation avoids the need for 245 | explicit invalid curve checks. 246 | 247 | Encoding is a function from abstract elements to byte strings. 248 | Internally, an abstract element might have more than one possible 249 | representation -- for example, the implementation might use 250 | projective coordinates. When encoding, all equivalent 251 | representations of the same element are encoded as identical byte 252 | strings. Decoding the output of the encoding function always 253 | succeeds and returns an element equivalent to the encoding input. 254 | 255 | The equality check reports whether two representations of an abstract 256 | element are equivalent. 257 | 258 | The element derivation function maps deterministically from byte 259 | strings of a fixed length to abstract elements. It has two important 260 | properties. First, if the input is a uniformly random byte string, 261 | then the output is (within a negligible statistical distance of) a 262 | uniformly random abstract group element. This means the function is 263 | suitable for selecting random group elements. 264 | 265 | Second, although the element derivation function is many-to-one and 266 | therefore not strictly invertible, it is not pre-image resistant. On 267 | the contrary, given an arbitrary abstract group element P, there is 268 | an efficient algorithm to randomly sample from byte strings that map 269 | to P. In some contexts this property would be a weakness, but in 270 | others it is essential: in particular, it means that a 271 | combination of a cryptographic hash function and the element 272 | derivation function is suitable for use in algorithms such as 273 | hash_to_curve [draft-irtf-cfrg-hash-to-curve-16]. 274 | 275 | Addition is the group operation.
The group has an identity element 276 | and prime order l. Adding together l copies of the same element 277 | gives the identity. Adding the identity element to any element 278 | returns that element unchanged. Negation returns an element that 279 | added to the negation input returns the identity element. 280 | Subtraction is the addition of a negated element, and scalar 281 | multiplication is the repeated addition of an element. 282 | 283 | 4. ristretto255 284 | 285 | ristretto255 is an instantiation of the abstract prime-order group 286 | interface defined in Section 3. This document describes how to 287 | implement the ristretto255 prime-order group using Curve25519 points 288 | as internal representations. 289 | 290 | A "ristretto255 group element" is the abstract element of the prime 291 | order group. An "element encoding" is the unique reversible encoding 292 | of a group element. An "internal representation" is a point on the 293 | curve used to implement ristretto255. Each group element can have 294 | multiple equivalent internal representations. 295 | 296 | Encoding, decoding, equality, and the element derivation function are 297 | defined in Section 4.3. Element addition, subtraction, negation, and 298 | scalar multiplication are implemented by applying the corresponding 299 | operations directly to the internal representation. 300 | 301 | The group order is the same as the order of the Curve25519 prime- 302 | order subgroup: 303 | 304 | l = 2^252 + 27742317777372353535851937790883648493 305 | 306 | Since ristretto255 is a prime-order group, every element except the 307 | identity is a generator, but for interoperability a canonical 308 | generator is selected, which can be internally represented by the 309 | Curve25519 basepoint, enabling reuse of existing precomputation for 310 | scalar multiplication. 
This is its encoding as produced by the 311 | function specified in Section 4.3.2: 312 | 313 | e2f2ae0a 6abc4e71 a884a961 c500515f 58e30b6a a582dd8d b6a65945 e08d2d76 314 | 315 | 4.1. Implementation constants 316 | 317 | This document references the following constant field element values 318 | that are used for the implementation of group operations. 319 | 320 | * D = 37095705934669439343138083508754565189542113879843219016388785 321 | 533085940283555 322 | - This is the Edwards d parameter for Curve25519, as specified in 323 | Section 4.1 of [RFC7748]. 324 | * SQRT_M1 = 19681161376707505956807079304988542015446066515923890162 325 | 744021073123829784752 326 | * SQRT_AD_MINUS_ONE = 2506306895338462347411141415870215270124453150 327 | 2492656460079210482610430750235 328 | * INVSQRT_A_MINUS_D = 5446930700890931692099581386874514160539359729 329 | 2927456921205312896311721017578 330 | * ONE_MINUS_D_SQ = 1159843021668779879193775521855586647937357759715 331 | 417654439879720876111806838 332 | * D_MINUS_ONE_SQ = 4044083434630853685810104246932319082624839914623 333 | 8708352240133220865137265952 334 | 335 | 4.2. Square root of a ratio of field elements 336 | 337 | The following function is defined on field elements, and is used to 338 | implement other ristretto255 functions. This function is only used 339 | internally to implement some of the group operations. 340 | 341 | On input field elements u and v, the function SQRT_RATIO_M1(u, v) 342 | returns: 343 | 344 | * (TRUE, +sqrt(u/v)) if u and v are non-zero, and u/v is square; 345 | * (TRUE, zero) if u is zero; 346 | * (FALSE, zero) if v is zero and u is non-zero; 347 | * (FALSE, +sqrt(SQRT_M1*(u/v))) if u and v are non-zero, and u/v is 348 | non-square (so SQRT_M1*(u/v) is square), 349 | 350 | where +sqrt(x) indicates the non-negative square root of x in the 351 | field. 
352 | 353 | The computation is similar to Section 5.1.3 of [RFC8032], with the 354 | difference that if the input is non-square, the function returns a 355 | result with a defined relationship to the inputs. This result is 356 | used for efficient implementation of the derivation function. The 357 | function can be refactored from an existing Ed25519 implementation. 358 | 359 | SQRT_RATIO_M1(u, v) is defined as follows: 360 | 361 | r = (u * v^3) * (u * v^7)^((p-5)/8) // Note: (p - 5) / 8 is an integer. 362 | check = v * r^2 363 | 364 | correct_sign_sqrt = CT_EQ(check, u) 365 | flipped_sign_sqrt = CT_EQ(check, -u) 366 | flipped_sign_sqrt_i = CT_EQ(check, -u*SQRT_M1) 367 | 368 | r_prime = SQRT_M1 * r 369 | r = CT_SELECT(r_prime IF flipped_sign_sqrt | flipped_sign_sqrt_i ELSE r) 370 | 371 | // Choose the nonnegative square root. 372 | r = CT_ABS(r) 373 | 374 | was_square = correct_sign_sqrt | flipped_sign_sqrt 375 | 376 | return (was_square, r) 377 | 378 | 4.3. ristretto255 group operations 379 | 380 | This section describes the implementation of the external functions 381 | exposed by the ristretto255 prime-order group. 382 | 383 | 4.3.1. Decode 384 | 385 | All elements are encoded as 32-byte strings. Decoding proceeds as 386 | follows: 387 | 388 | 1. First, interpret the string as an unsigned integer s in little- 389 | endian representation. If the length of the string is not 32 390 | bytes, or if the resulting value is >= p, decoding fails. 391 | * Note: unlike [RFC7748] field element decoding, the most 392 | significant bit is not masked, and non-canonical values are 393 | rejected. The test vectors in Appendix A.2 exercise these 394 | edge cases. 395 | 2. If IS_NEGATIVE(s) returns TRUE, decoding fails. 396 | 3. 
Process s as follows: 397 | 398 | ss = s^2 399 | u1 = 1 - ss 400 | u2 = 1 + ss 401 | u2_sqr = u2^2 402 | 403 | v = -(D * u1^2) - u2_sqr 404 | 405 | (was_square, invsqrt) = SQRT_RATIO_M1(1, v * u2_sqr) 406 | 407 | den_x = invsqrt * u2 408 | den_y = invsqrt * den_x * v 409 | 410 | x = CT_ABS(2 * s * den_x) 411 | y = u1 * den_y 412 | t = x * y 413 | 414 | 4. If was_square is FALSE, or IS_NEGATIVE(t) returns TRUE, or y = 0, 415 | decoding fails. Otherwise, return the group element represented 416 | by the internal representation (x, y, 1, t) as the result of 417 | decoding. 418 | 419 | 4.3.2. Encode 420 | 421 | A group element with internal representation (x0, y0, z0, t0) is 422 | encoded as follows: 423 | 424 | 1. Process the internal representation into a field element s as 425 | follows: 426 | 427 | u1 = (z0 + y0) * (z0 - y0) 428 | u2 = x0 * y0 429 | 430 | // Ignore was_square since this is always square. 431 | (_, invsqrt) = SQRT_RATIO_M1(1, u1 * u2^2) 432 | 433 | den1 = invsqrt * u1 434 | den2 = invsqrt * u2 435 | z_inv = den1 * den2 * t0 436 | 437 | ix0 = x0 * SQRT_M1 438 | iy0 = y0 * SQRT_M1 439 | enchanted_denominator = den1 * INVSQRT_A_MINUS_D 440 | 441 | rotate = IS_NEGATIVE(t0 * z_inv) 442 | 443 | // Conditionally rotate x and y. 444 | x = CT_SELECT(iy0 IF rotate ELSE x0) 445 | y = CT_SELECT(ix0 IF rotate ELSE y0) 446 | z = z0 447 | den_inv = CT_SELECT(enchanted_denominator IF rotate ELSE den2) 448 | 449 | y = CT_SELECT(-y IF IS_NEGATIVE(x * z_inv) ELSE y) 450 | 451 | s = CT_ABS(den_inv * (z - y)) 452 | 453 | 2. Return the 32-byte little-endian encoding of s. More 454 | specifically, this is the encoding of the canonical 455 | representation of s as an integer between 0 and p-1, inclusive. 456 | 457 | Note that decoding and then re-encoding a valid group element will 458 | yield an identical byte string. 459 | 460 | 4.3.3. Equals 461 | 462 | The equality function returns TRUE when two internal representations 463 | correspond to the same group element. 
Note that internal 464 | representations MUST NOT be compared in any other way than specified 465 | here. 466 | 467 | For two internal representations (x1, y1, z1, t1) and (x2, y2, z2, 468 | t2), if 469 | 470 | (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2) 471 | 472 | evaluates to TRUE, then return TRUE. Otherwise, return FALSE. 473 | 474 | Note that the equality function always returns TRUE when applied to 475 | an internal representation and to the internal representation 476 | obtained by encoding and then re-decoding it. However, the internal 477 | representations themselves might not be identical. 478 | 479 | Implementations MAY also perform byte comparisons on the encodings of 480 | group elements (produced by Section 4.3.2) for an equivalent, 481 | although less efficient, result. 482 | 483 | 4.3.4. Element derivation 484 | 485 | The element derivation function operates on 64-byte strings. To 486 | obtain such an input from an arbitrary-length byte string, 487 | applications should use a domain-separated hash construction, the 488 | choice of which is out-of-scope for this document. 489 | 490 | The element derivation function on an input string b proceeds as 491 | follows: 492 | 493 | 1. Compute P1 as MAP(b[0:32]). 494 | 2. Compute P2 as MAP(b[32:64]). 495 | 3. Return P1 + P2. 496 | 497 | The MAP function is defined on 32-byte strings as: 498 | 499 | 1. First, mask the most significant bit in the final byte of the 500 | string, and interpret the string as an unsigned integer r in 501 | little-endian representation. Reduce r modulo p to obtain a 502 | field element t. 503 | 504 | * Masking the most significant bit is equivalent to interpreting 505 | the whole string as an unsigned integer in little-endian 506 | representation and then reducing it modulo 2^255. 
507 | * Note: similarly to [RFC7748] field element decoding, and 508 | unlike field element decoding in Section 4.3.1, the most 509 | significant bit is masked, and non-canonical values are 510 | accepted. 511 | 512 | 2. Process t as follows: 513 | 514 | r = SQRT_M1 * t^2 515 | u = (r + 1) * ONE_MINUS_D_SQ 516 | v = (-1 - r*D) * (r + D) 517 | 518 | (was_square, s) = SQRT_RATIO_M1(u, v) 519 | s_prime = -CT_ABS(s*t) 520 | s = CT_SELECT(s IF was_square ELSE s_prime) 521 | c = CT_SELECT(-1 IF was_square ELSE r) 522 | 523 | N = c * (r - 1) * D_MINUS_ONE_SQ - v 524 | 525 | w0 = 2 * s * v 526 | w1 = N * SQRT_AD_MINUS_ONE 527 | w2 = 1 - s^2 528 | w3 = 1 + s^2 529 | 530 | 3. Return the group element represented by the internal 531 | representation (w0*w3, w2*w1, w1*w3, w0*w2). 532 | 533 | 4.4. Scalar field 534 | 535 | The scalars for the ristretto255 group are integers modulo the order 536 | l of the ristretto255 group. Note that this is the same scalar field 537 | as Curve25519, allowing existing implementations to be reused. 538 | 539 | Scalars are encoded as 32-byte strings in little-endian order. 540 | Implementations SHOULD check that any scalar s falls in the range 0 541 | <= s < l when parsing them and reject non-canonical scalar encodings. 542 | Implementations SHOULD reduce scalars modulo l when encoding them as 543 | byte strings. Omitting these strict range checks is NOT RECOMMENDED 544 | but is allowed to enable reuse of scalar arithmetic implementations 545 | in existing Curve25519 libraries. 546 | 547 | Given a uniformly distributed 64-byte string b, implementations can 548 | obtain a uniformly distributed scalar by interpreting the 64-byte 549 | string as a 512-bit unsigned integer in little-endian order and 550 | reducing the integer modulo l, as in [RFC8032]. To obtain such an 551 | input from an arbitrary-length byte string, applications should use a 552 | domain-separated hash construction, the choice of which is out-of- 553 | scope for this document. 
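The ristretto255 operations of Sections 4.1 through 4.4, as an added worked example that is not code from this draft nor from any implementation it cites: a plain-Python model of SQRT_RATIO_M1, Decode, Encode, Equals, MAP and the element derivation function, together with the extended-coordinate point addition of RFC 8032, Section 5.1.4 (the Curve25519 arithmetic the group operations reuse), a double-and-add scalar multiplication, the scalar handling of Section 4.4, and a generator() that reconstructs the Curve25519 basepoint from y = 4/5 (a value taken from RFC 7748 and RFC 8032, not from this document). Names follow the draft's pseudocode; scalar_from_bytes, map_to_element, element_from_bytes and generator are this example's own names. Python integers are not constant time, so this is a model for checking the Appendix A vectors, not something to deploy.

```python
# Added example (not the draft's code): plain-Python model of ristretto255, Sections 4.1-4.4,
# checked against Appendix A.  Python ints are not constant time: CT_* are plain branches here.
p = 2**255 - 19                                       # Curve25519 field prime
l = 2**252 + 27742317777372353535851937790883648493   # group order (Section 4)
D = 37095705934669439343138083508754565189542113879843219016388785533085940283555
SQRT_M1 = 19681161376707505956807079304988542015446066515923890162744021073123829784752
SQRT_AD_MINUS_ONE = 25063068953384623474111414158702152701244531502492656460079210482610430750235
INVSQRT_A_MINUS_D = 54469307008909316920995813868745141605393597292927456921205312896311721017578
ONE_MINUS_D_SQ = 1159843021668779879193775521855586647937357759715417654439879720876111806838
D_MINUS_ONE_SQ = 40440834346308536858101042469323190826248399146238708352240133220865137265952

def is_negative(x):          # IS_NEGATIVE: the canonical representative is odd
    return x % p % 2 == 1
def ct_abs(x):               # CT_ABS: whichever of x, -x is non-negative
    return (-x) % p if is_negative(x) else x % p

def sqrt_ratio_m1(u, v):     # Section 4.2
    u, v = u % p, v % p
    r = u * v**3 * pow(u * v**7 % p, (p - 5) // 8, p) % p
    check = v * r * r % p
    correct_sign_sqrt = check == u
    flipped_sign_sqrt = check == (-u) % p
    flipped_sign_sqrt_i = check == (-u * SQRT_M1) % p
    if flipped_sign_sqrt or flipped_sign_sqrt_i:      # CT_SELECT(r_prime IF ... ELSE r)
        r = SQRT_M1 * r % p
    return (correct_sign_sqrt or flipped_sign_sqrt, ct_abs(r))

def decode(b):               # Section 4.3.1 on a 32-byte string; None means "decoding fails"
    s = int.from_bytes(b, "little")
    if len(b) != 32 or s >= p or is_negative(s):      # non-canonical or negative s
        return None
    ss = s * s % p
    u1, u2 = (1 - ss) % p, (1 + ss) % p
    v = (-(D * u1 * u1) - u2 * u2) % p
    was_square, invsqrt = sqrt_ratio_m1(1, v * u2 * u2)
    den_x = invsqrt * u2 % p
    x, y = ct_abs(2 * s * den_x), u1 * invsqrt * den_x * v % p
    t = x * y % p
    if not was_square or is_negative(t) or y == 0:
        return None
    return (x, y, 1, t)

def encode(P):               # Section 4.3.2
    x0, y0, z0, t0 = P
    u1 = (z0 + y0) * (z0 - y0) % p
    u2 = x0 * y0 % p
    _, invsqrt = sqrt_ratio_m1(1, u1 * u2 * u2)       # always square
    den1, den2 = invsqrt * u1 % p, invsqrt * u2 % p
    z_inv = den1 * den2 * t0 % p
    if is_negative(t0 * z_inv):                       # rotate: (x, y) <- (i*y, i*x)
        x, y, den_inv = y0 * SQRT_M1 % p, x0 * SQRT_M1 % p, den1 * INVSQRT_A_MINUS_D % p
    else:
        x, y, den_inv = x0, y0, den2
    if is_negative(x * z_inv):
        y = -y
    return ct_abs(den_inv * (z0 - y)).to_bytes(32, "little")

def add(P, Q):               # extended twisted Edwards addition, a = -1 (RFC 8032, Section 5.1.4)
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A, B = (Y1 - X1) * (Y2 - X2) % p, (Y1 + X1) * (Y2 + X2) % p
    C, Dd = 2 * D * T1 * T2 % p, 2 * Z1 * Z2 % p
    E, F, G, H = (B - A) % p, (Dd - C) % p, (Dd + C) % p, (B + A) % p
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def equals(P, Q):            # Section 4.3.3: the only permitted comparison of representations
    return (P[0] * Q[1] - P[1] * Q[0]) % p == 0 or (P[1] * Q[1] - P[0] * Q[0]) % p == 0

def scalar_mult(k, P):       # left-to-right double-and-add (not constant time)
    R = (0, 1, 1, 0)                                  # identity element
    for bit in bin(k % l)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def map_to_element(b):       # MAP of Section 4.3.4 on a 32-byte string
    t = int.from_bytes(b, "little") % 2**255 % p      # mask the top bit, then reduce
    r = SQRT_M1 * t * t % p
    u, v = (r + 1) * ONE_MINUS_D_SQ % p, (-1 - r * D) * (r + D) % p
    was_square, s = sqrt_ratio_m1(u, v)
    s = s if was_square else (-ct_abs(s * t)) % p      # s_prime when non-square
    c = (-1) % p if was_square else r
    N = (c * (r - 1) * D_MINUS_ONE_SQ - v) % p
    w0, w1 = 2 * s * v % p, N * SQRT_AD_MINUS_ONE % p
    w2, w3 = (1 - s * s) % p, (1 + s * s) % p
    return (w0 * w3 % p, w2 * w1 % p, w1 * w3 % p, w0 * w2 % p)

def element_from_bytes(b):   # element derivation function on a 64-byte string
    return add(map_to_element(b[0:32]), map_to_element(b[32:64]))

def scalar_from_bytes(b):    # Section 4.4: 64 bytes -> wide reduction; 32 bytes -> canonical or None
    s = int.from_bytes(b, "little")
    return s % l if len(b) == 64 else (s if len(b) == 32 and s < l else None)

def generator():             # Curve25519 basepoint in Edwards form: y = 4/5, non-negative x
    y = 4 * pow(5, p - 2, p) % p
    _, x = sqrt_ratio_m1(y * y - 1, D * y * y + 1)
    return (x, y, 1, x * y % p)
```

Checking this model against Appendix A exercises every path the draft describes: encode(generator()) must produce B[1], encode(add(G, G)) B[2] (so encoding and addition are tested together, as A.1 notes), the four inputs of A.3 that differ only in the masked bit or in canonicity must derive to the same element, and every A.2 string must decode to None for the reason its heading gives (range check, negative s, non-square, negative xy, y = 0).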
554 | 555 | 5. decaf448 556 | 557 | decaf448 is an instantiation of the abstract prime-order group 558 | interface defined in Section 3. This document describes how to 559 | implement the decaf448 prime-order group using edwards448 points as 560 | internal representations. 561 | 562 | A "decaf448 group element" is the abstract element of the prime order 563 | group. An "element encoding" is the unique reversible encoding of a 564 | group element. An "internal representation" is a point on the curve 565 | used to implement decaf448. Each group element can have multiple 566 | equivalent internal representations. 567 | 568 | Encoding, decoding, equality, and the element derivation functions 569 | are defined in Section 5.3. Element addition, subtraction, negation, 570 | and scalar multiplication are implemented by applying the 571 | corresponding operations directly to the internal representation. 572 | 573 | The group order is the same as the order of the edwards448 prime- 574 | order subgroup: 575 | 576 | l = 2^446 - 577 | 13818066809895115352007386748515426880336692474882178609894547503885 578 | 579 | Since decaf448 is a prime-order group, every element except the 580 | identity is a generator, but for interoperability a canonical 581 | generator is selected. This generator can be internally represented 582 | by 2*B, where B is the edwards448 basepoint, enabling reuse of 583 | existing precomputation for scalar multiplication. This is its 584 | encoding as produced by the function specified in Section 5.3.2: 585 | 586 | 66666666 66666666 66666666 66666666 66666666 66666666 66666666 587 | 33333333 33333333 33333333 33333333 33333333 33333333 33333333 588 | 589 | This repetitive constant is equal to 1/sqrt(5) in decaf448's field, 590 | corresponding to the curve448 base point with x = 5. 591 | 592 | 5.1. 
Implementation constants 593 | 594 | This document references the following constant field element values 595 | that are used for the implementation of group operations. 596 | 597 | * D = 72683872429560689054932380788800453435364136068731806028149019 598 | 918061232816673077268639638369867654593008888446184363736105349801 599 | 8326358 600 | - This is the Edwards d parameter for edwards448, as specified in 601 | Section 4.2 of [RFC7748], and is equal to -39081 in the field. 602 | * ONE_MINUS_D = 39082 603 | * ONE_MINUS_TWO_D = 78163 604 | * SQRT_MINUS_D = 989442336477322197691770048769290191284175762955299 605 | 010740998895980437021160012578568021315638965153739277122320928458 606 | 83226922417596214 607 | * INVSQRT_MINUS_D = 315019913931389607337177038330951043522456072897 608 | 266928557328499619017160722351061360252776265186336876723201881398 609 | 623946864393857820716 610 | 611 | 5.2. Square root of a ratio of field elements 612 | 613 | The following function is defined on field elements, and is used to 614 | implement other decaf448 functions. This function is only used 615 | internally to implement some of the group operations. 616 | 617 | On input field elements u and v, the function SQRT_RATIO_M1(u, v) 618 | returns: 619 | 620 | * (TRUE, +sqrt(u/v)) if u and v are non-zero, and u/v is square; 621 | * (TRUE, zero) if u is zero; 622 | * (FALSE, zero) if v is zero and u is non-zero; 623 | * (FALSE, +sqrt(-u/v)) if u and v are non-zero, and u/v is non- 624 | square (so -(u/v) is square), 625 | 626 | where +sqrt(x) indicates the non-negative square root of x in the 627 | field. 628 | 629 | The computation is similar to Section 5.2.3 of [RFC8032], with the 630 | difference that if the input is non-square, the function returns a 631 | result with a defined relationship to the inputs. This result is 632 | used for efficient implementation of the derivation function. The 633 | function can be refactored from an existing edwards448 634 | implementation. 
635 | 636 | SQRT_RATIO_M1(u, v) is defined as follows: 637 | 638 | r = u * (u * v)^((p - 3) / 4) // Note: (p - 3) / 4 is an integer. 639 | 640 | check = v * r^2 641 | was_square = CT_EQ(check, u) 642 | 643 | // Choose the nonnegative square root. 644 | r = CT_ABS(r) 645 | 646 | return (was_square, r) 647 | 648 | 5.3. decaf448 group operations 649 | 650 | This section describes the implementation of the external functions 651 | exposed by the decaf448 prime-order group. 652 | 653 | 5.3.1. Decode 654 | 655 | All elements are encoded as 56-byte strings. Decoding proceeds as 656 | follows: 657 | 658 | 1. First, interpret the string as an unsigned integer s in little- 659 | endian representation. If the length of the string is not 56 660 | bytes, or if the resulting value is >= p, decoding fails. 661 | * Note: unlike [RFC7748] field element decoding, non-canonical 662 | values are rejected. The test vectors in Appendix B.2 663 | exercise these edge cases. 664 | 2. If IS_NEGATIVE(s) returns TRUE, decoding fails. 665 | 3. Process s as follows: 666 | 667 | ss = s^2 668 | u1 = 1 + ss 669 | u2 = u1^2 - 4 * D * ss 670 | (was_square, invsqrt) = SQRT_RATIO_M1(1, u2 * u1^2) 671 | u3 = CT_ABS(2 * s * invsqrt * u1 * SQRT_MINUS_D) 672 | x = u3 * invsqrt * u2 * INVSQRT_MINUS_D 673 | y = (1 - ss) * invsqrt * u1 674 | t = x * y 675 | 676 | 4. If was_square is FALSE then decoding fails. Otherwise, return 677 | the group element represented by the internal representation (x, 678 | y, 1, t) as the result of decoding. 679 | 680 | 5.3.2. Encode 681 | 682 | A group element with internal representation (x0, y0, z0, t0) is 683 | encoded as follows: 684 | 685 | 1. Process the internal representation into a field element s as 686 | follows: 687 | 688 | u1 = (x0 + t0) * (x0 - t0) 689 | 690 | // Ignore was_square since this is always square. 
691 | (_, invsqrt) = SQRT_RATIO_M1(1, u1 * ONE_MINUS_D * x0^2) 692 | 693 | ratio = CT_ABS(invsqrt * u1 * SQRT_MINUS_D) 694 | u2 = INVSQRT_MINUS_D * ratio * z0 - t0 695 | s = CT_ABS(ONE_MINUS_D * invsqrt * x0 * u2) 696 | 697 | 2. Return the 56-byte little-endian encoding of s. More 698 | specifically, this is the encoding of the canonical 699 | representation of s as an integer between 0 and p-1, inclusive. 700 | 701 | Note that decoding and then re-encoding a valid group element will 702 | yield an identical byte string. 703 | 704 | 5.3.3. Equals 705 | 706 | The equality function returns TRUE when two internal representations 707 | correspond to the same group element. Note that internal 708 | representations MUST NOT be compared in any other way than specified 709 | here. 710 | 711 | For two internal representations (x1, y1, z1, t1) and (x2, y2, z2, 712 | t2), if 713 | 714 | x1 * y2 == y1 * x2 715 | 716 | evaluates to TRUE, then return TRUE. Otherwise, return FALSE. 717 | 718 | Note that the equality function always returns TRUE when applied to 719 | an internal representation and to the internal representation 720 | obtained by encoding and then re-decoding it. However, the internal 721 | representations themselves might not be identical. 722 | 723 | Implementations MAY also perform byte comparisons on the encodings of 724 | group elements (produced by Section 5.3.2) for an equivalent, 725 | although less efficient, result. 726 | 727 | 5.3.4. Element derivation 728 | 729 | The element derivation function operates on 112-byte strings. To 730 | obtain such an input from an arbitrary-length byte string, 731 | applications should use a domain-separated hash construction, the 732 | choice of which is out-of-scope for this document. 733 | 734 | The element derivation function on an input string b proceeds as 735 | follows: 736 | 737 | 1. Compute P1 as MAP(b[0:56]). 738 | 2. Compute P2 as MAP(b[56:112]). 739 | 3. Return P1 + P2. 
740 | 741 | The MAP function is defined on 56-byte strings as: 742 | 743 | 1. Interpret the string as an unsigned integer r in little-endian 744 | representation. Reduce r modulo p to obtain a field element t. 745 | 746 | * Note: similarly to [RFC7748] field element decoding, and 747 | unlike field element decoding in Section 5.3.1, non-canonical 748 | values are accepted. 749 | 750 | 2. Process t as follows: 751 | 752 | r = -t^2 753 | u0 = d * (r-1) 754 | u1 = (u0 + 1) * (u0 - r) 755 | 756 | (was_square, v) = SQRT_RATIO_M1(ONE_MINUS_TWO_D, (r + 1) * u1) 757 | v_prime = CT_SELECT(v IF was_square ELSE t * v) 758 | sgn = CT_SELECT(1 IF was_square ELSE -1) 759 | s = v_prime * (r + 1) 760 | 761 | w0 = 2 * CT_ABS(s) 762 | w1 = s^2 + 1 763 | w2 = s^2 - 1 764 | w3 = v_prime * s * (r - 1) * ONE_MINUS_TWO_D + sgn 765 | 766 | 3. Return the group element represented by the internal 767 | representation (w0*w3, w2*w1, w1*w3, w0*w2). 768 | 769 | 5.4. Scalar field 770 | 771 | The scalars for the decaf448 group are integers modulo the order l of 772 | the decaf448 group. Note that this is the same scalar field as 773 | edwards448, allowing existing implementations to be reused. 774 | 775 | Scalars are encoded as 56-byte strings in little-endian order. 776 | Implementations SHOULD check that any scalar s falls in the range 0 777 | <= s < l when parsing them and reject non-canonical scalar encodings. 778 | Implementations SHOULD reduce scalars modulo l when encoding them as 779 | byte strings. Omitting these strict range checks is NOT RECOMMENDED 780 | but is allowed to enable reuse of scalar arithmetic implementations 781 | in existing edwards448 libraries. 782 | 783 | Given a uniformly distributed 64-byte string b, implementations can 784 | obtain a uniformly distributed scalar by interpreting the 64-byte 785 | string as a 512-bit unsigned integer in little-endian order and 786 | reducing the integer modulo l. 
To obtain such an input from an 787 | arbitrary-length byte string, applications should use a domain- 788 | separated hash construction, the choice of which is out-of-scope for 789 | this document. 790 | 791 | 6. API Considerations 792 | 793 | ristretto255 and decaf448 are abstractions which implement two prime- 794 | order groups, and their elements are represented by curve points, but 795 | they are not curve points. Implementations SHOULD reflect that: the 796 | type representing an element of the group SHOULD be opaque to the 797 | caller, meaning they do not expose the underlying curve point or 798 | field elements. Moreover, implementations SHOULD NOT expose any 799 | internal constants or functions used in the implementation of the 800 | group operations. 801 | 802 | The reason for this encapsulation is that ristretto255 and decaf448 803 | implementations can change their underlying curve without causing any 804 | breaking change. The ristretto255 and decaf448 constructions are 805 | carefully designed so that this will be the case, as long as 806 | implementations do not expose internal representations or operate on 807 | them except as described in this document. In particular, 808 | implementations SHOULD NOT define any external ristretto255 or 809 | decaf448 interface as operating on arbitrary curve points, and they 810 | SHOULD NOT construct group elements except via decoding, the element 811 | derivation function, or group operations on other valid group 812 | elements per Section 3. They are however allowed to apply any 813 | optimization strategy to the internal representations as long as it 814 | doesn't change the exposed behavior of the API. 815 | 816 | It is RECOMMENDED that implementations do not perform a decoding and 817 | encoding operation for each group operation, as it is inefficient and 818 | unnecessary. Implementations SHOULD instead provide an opaque type 819 | to hold the internal representation through multiple operations. 
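The same treatment for decaf448, Sections 5.1 through 5.4, as an added example that is not code from this draft or from any implementation it cites, written the way Section 6 asks for: the curve point lives inside an opaque Element type whose only constructors are Decode, the element derivation function and the group operations, while the underscore-prefixed helpers are the internal representation details a real library would not export. Point addition uses the extended-coordinate formulas for a = 1 Edwards curves from [Twisted], Section 3.1; D is written as p - 39081, which Section 5.1 states is the value of its long constant. Element, from_bytes and on_curve are this example's own names; on_curve is a debugging aid that checks only the curve equation, which, as Section 8 observes, is weaker than validity as a group element (there is no such test, so the invariant is kept by construction instead). Python integers are not constant time, so this is a model for checking the Appendix B vectors, not something to deploy.

```python
# Added example (not the draft's code): plain-Python model of decaf448, Sections 5.1-5.4,
# behind the opaque element type Section 6 calls for.  Python ints are not constant time,
# so CT_* are plain branches here: a model for checking Appendix B, not deployable code.
p = 2**448 - 2**224 - 1                               # edwards448 field prime
l = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885
D = p - 39081                                         # Section 5.1: D is -39081 in the field
ONE_MINUS_D, ONE_MINUS_TWO_D = 39082, 78163
SQRT_MINUS_D = 98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214
INVSQRT_MINUS_D = 315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716

def _is_negative(x):         # IS_NEGATIVE: the canonical representative is odd
    return x % p % 2 == 1
def _ct_abs(x):              # CT_ABS: whichever of x, -x is non-negative
    return (-x) % p if _is_negative(x) else x % p

def _sqrt_ratio_m1(u, v):    # Section 5.2 (p = 3 mod 4, so one exponentiation suffices)
    u, v = u % p, v % p
    r = u * pow(u * v % p, (p - 3) // 4, p) % p
    return (v * r * r % p == u, _ct_abs(r))

def _decode(b):              # Section 5.3.1 on a 56-byte string; None means "decoding fails"
    s = int.from_bytes(b, "little")
    if len(b) != 56 or s >= p or _is_negative(s):     # non-canonical or negative s
        return None
    ss = s * s % p
    u1 = (1 + ss) % p
    u2 = (u1 * u1 - 4 * D * ss) % p
    was_square, invsqrt = _sqrt_ratio_m1(1, u2 * u1 * u1)
    u3 = _ct_abs(2 * s * invsqrt * u1 * SQRT_MINUS_D)
    x = u3 * invsqrt * u2 * INVSQRT_MINUS_D % p
    y = (1 - ss) * invsqrt * u1 % p
    return (x, y, 1, x * y % p) if was_square else None

def _encode(P):              # Section 5.3.2
    x0, y0, z0, t0 = P
    u1 = (x0 + t0) * (x0 - t0) % p
    _, invsqrt = _sqrt_ratio_m1(1, u1 * ONE_MINUS_D * x0 * x0)    # always square
    ratio = _ct_abs(invsqrt * u1 * SQRT_MINUS_D)
    u2 = (INVSQRT_MINUS_D * ratio * z0 - t0) % p
    return _ct_abs(ONE_MINUS_D * invsqrt * x0 * u2).to_bytes(56, "little")

def _add(P, Q):              # extended-coordinate Edwards addition, a = 1 ([Twisted], Section 3.1)
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A, B, C, Dd = X1 * X2 % p, Y1 * Y2 % p, D * T1 * T2 % p, Z1 * Z2 % p
    E = ((X1 + Y1) * (X2 + Y2) - A - B) % p
    F, G, H = (Dd - C) % p, (Dd + C) % p, (B - A) % p
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def _map(b):                 # MAP of Section 5.3.4 on a 56-byte string
    t = int.from_bytes(b, "little") % p               # non-canonical input is accepted here
    r = (-t * t) % p
    u0 = D * (r - 1) % p
    u1 = (u0 + 1) * (u0 - r) % p
    was_square, v = _sqrt_ratio_m1(ONE_MINUS_TWO_D, (r + 1) * u1)
    v_prime = v if was_square else t * v % p
    sgn = 1 if was_square else p - 1
    s = v_prime * (r + 1) % p
    w0, w1, w2 = 2 * _ct_abs(s), (s * s + 1) % p, (s * s - 1) % p
    w3 = (v_prime * s * (r - 1) * ONE_MINUS_TWO_D + sgn) % p
    return (w0 * w3 % p, w2 * w1 % p, w1 * w3 % p, w0 * w2 % p)

def on_curve(rep):           # debugging aid: x^2 + y^2 == 1 + D*x^2*y^2 and T consistent, in
    X, Y, Z, T = rep         # projective form; weaker than group-element validity (Section 8)
    return ((X * X + Y * Y) * Z * Z - Z**4 - D * X * X * Y * Y) % p == 0 and (X * Y - Z * T) % p == 0

class Element:
    """Opaque decaf448 element (Section 6): the point is never exposed, and elements come
    only from decode(), from_bytes() or group operations on other elements."""
    def __init__(self, rep):
        self._rep = rep
    @classmethod
    def decode(cls, b):
        rep = _decode(b)
        return None if rep is None else cls(rep)
    @classmethod
    def from_bytes(cls, b):  # Section 5.3.4: element derivation on a 112-byte string
        return cls(_add(_map(b[0:56]), _map(b[56:112])))
    def encode(self):
        return _encode(self._rep)
    def __add__(self, other):
        return Element(_add(self._rep, other._rep))
    def __neg__(self):       # -(x, y) = (-x, y); t = x*y changes sign with x
        x, y, z, t = self._rep
        return Element(((-x) % p, y, z, (-t) % p))
    def __sub__(self, other):
        return self + (-other)
    def __mul__(self, k):    # scalar multiplication by double-and-add (not constant time)
        R = Element((0, 1, 1, 0))                     # identity
        for bit in bin(k % l)[2:]:
            R = R + R
            if bit == "1":
                R = R + self
        return R
    def __eq__(self, other): # Section 5.3.3: x1*y2 == y1*x2 is the only permitted comparison
        (x1, y1, _, _), (x2, y2, _, _) = self._rep, other._rep
        return (x1 * y2 - y1 * x2) % p == 0
```

The checks that go with this model decode the generator encoding 6666...3333 of Section 5, re-encode it, confirm the draft's remark that the encoded value is 1/sqrt(5) in the field (5 * s^2 == 1), verify the Section 5.1 square-root constants against D, reproduce B[2] and B[15] of Appendix B.1 through addition and scalar multiplication, and confirm that the non-canonical and negative encodings of Appendix B.2 are rejected. Because the element type is opaque, a caller who wants to hash to the group, add, negate, compare or serialize never touches a coordinate, which is exactly the property Section 6 relies on to let the underlying curve change without an API break.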
820 | 821 | 7. IANA Considerations 822 | 823 | This document has no IANA actions. 824 | 825 | 8. Security Considerations 826 | 827 | The ristretto255 and decaf448 groups provide higher-level protocols 828 | with the abstraction they expect: a prime-order group. Therefore, 829 | it's expected to be safer for use in any situation where Curve25519 830 | or edwards448 is used to implement a protocol requiring a prime-order 831 | group. Note that the safety of the abstraction can be defeated by 832 | implementations that do not follow the guidance in Section 6. 833 | 834 | There is no function to test whether an elliptic curve point is a 835 | valid internal representation of a group element. The decoding 836 | function always returns a valid internal representation, or an error, 837 | and allowed operations on valid internal representations return valid 838 | internal representations. In this way, an implementation can 839 | maintain the invariant that an internal representation is always 840 | valid, so that checking is never necessary, and invalid states are 841 | unrepresentable. 842 | 843 | 9. Acknowledgements 844 | 845 | The authors would like to thank Daira Hopwood, Riad S. Wahby, 846 | Christopher Wood, and Thomas Pornin for their comments on the draft. 847 | 848 | 10. Normative References 849 | 850 | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 851 | Requirement Levels", BCP 14, RFC 2119, 852 | DOI 10.17487/RFC2119, March 1997, 853 | . 854 | 855 | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 856 | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 857 | May 2017, . 858 | 859 | 11. Informative References 860 | 861 | [Decaf] Hamburg, M., "Decaf: Eliminating cofactors through point 862 | compression", 2015, 863 | . 864 | 865 | [MoneroVuln] 866 | Nick, J., "Exploiting Low Order Generators in One-Time 867 | Ring Signatures", 2017, 868 | . 870 | 871 | [Naming] Bernstein, D. J., "[Cfrg] 25519 naming", 2014, 872 | . 
874 | 875 | [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 876 | for Security", RFC 7748, DOI 10.17487/RFC7748, January 877 | 2016, . 878 | 879 | [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 880 | Signature Algorithm (EdDSA)", RFC 8032, 881 | DOI 10.17487/RFC8032, January 2017, 882 | . 883 | 884 | [RistrettoGroup] 885 | de Valence, H., Lovecruft, I., Arcieri, T., and M. 886 | Hamburg, "The Ristretto Group", 2018, 887 | . 888 | 889 | [Twisted] Hisil, H., Wong, K. K., Carter, G., and E. Dawson, 890 | "Twisted Edwards Curves Revisited", 2008, 891 | . 892 | 893 | [draft-irtf-cfrg-hash-to-curve-16] 894 | Faz-Hernández, A., Scott, S., Sullivan, N., Wahby, R.S., 895 | and C.A. Wood, "Hashing to Elliptic Curves", 2022, 896 | . 898 | 899 | Appendix A. Test vectors for ristretto255 900 | 901 | This section contains test vectors for ristretto255. The octets are 902 | hex encoded, and whitespace is inserted for readability. 903 | 904 | A.1. Multiples of the generator 905 | 906 | The following are the encodings of the multiples 0 to 15 of the 907 | canonical generator, represented as an array of elements. That is, 908 | the first entry is the encoding of the identity element, and each 909 | successive entry is obtained by adding the generator to the previous 910 | entry. 
911 | 912 | B[ 0]: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 913 | B[ 1]: e2f2ae0a 6abc4e71 a884a961 c500515f 58e30b6a a582dd8d b6a65945 e08d2d76 914 | B[ 2]: 6a493210 f7499cd1 7fecb510 ae0cea23 a110e8d5 b901f8ac add3095c 73a3b919 915 | B[ 3]: 94741f5d 5d52755e ce4f23f0 44ee27d5 d1ea1e2b d196b462 166b1615 2a9d0259 916 | B[ 4]: da808627 73358b46 6ffadfe0 b3293ab3 d9fd53c5 ea6c9553 58f56832 2daf6a57 917 | B[ 5]: e882b131 016b52c1 d3337080 187cf768 423efccb b517bb49 5ab812c4 160ff44e 918 | B[ 6]: f64746d3 c92b1305 0ed8d802 36a7f000 7c3b3f96 2f5ba793 d19a601e bb1df403 919 | B[ 7]: 44f53520 926ec81f bd5a3878 45beb7df 85a96a24 ece18738 bdcfa6a7 822a176d 920 | B[ 8]: 903293d8 f2287ebe 10e2374d c1a53e0b c887e592 699f02d0 77d5263c dd55601c 921 | B[ 9]: 02622ace 8f7303a3 1cafc63f 8fc48fdc 16e1c8c8 d234b2f0 d6685282 a9076031 922 | B[10]: 20706fd7 88b2720a 1ed2a5da d4952b01 f413bcf0 e7564de8 cdc81668 9e2db95f 923 | B[11]: bce83f8b a5dd2fa5 72864c24 ba1810f9 522bc600 4afe9587 7ac73241 cafdab42 924 | B[12]: e4549ee1 6b9aa030 99ca208c 67adafca fa4c3f3e 4e5303de 6026e3ca 8ff84460 925 | B[13]: aa52e000 df2e16f5 5fb1032f c33bc427 42dad6bd 5a8fc0be 0167436c 5948501f 926 | B[14]: 46376b80 f409b29d c2b5f6f0 c5259199 0896e571 6f41477c d30085ab 7f10301e 927 | B[15]: e0c418f7 c8d9c4cd d7395b93 ea124f3a d99021bb 681dfc33 02a9d99a 2e53e64e 928 | 929 | Note that because 930 | 931 | B[i+1] = B[i] + B[1] 932 | 933 | these test vectors allow testing the encoding function and the 934 | implementation of addition simultaneously. 935 | 936 | A.2. Invalid encodings 937 | 938 | These are examples of encodings that MUST be rejected according to 939 | Section 4.3.1. 940 | 941 | # Non-canonical field encodings. 
942 | 00ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 943 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f 944 | f3ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f 945 | edffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f 946 | 947 | # Negative field elements. 948 | 01000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 949 | 01ffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f 950 | ed57ffd8 c914fb20 1471d1c3 d245ce3c 746fcbe6 3a3679d5 1b6a516e bebe0e20 951 | c34c4e18 26e5d403 b78e246e 88aa051c 36ccf0aa febffe13 7d148a2b f9104562 952 | c940e5a4 404157cf b1628b10 8db051a8 d439e1a4 21394ec4 ebccb9ec 92a8ac78 953 | 47cfc549 7c53dc8e 61c91d17 fd626ffb 1c49e2bc a94eed05 2281b510 b1117a24 954 | f1c6165d 33367351 b0da8f6e 4511010c 68174a03 b6581212 c71c0e1d 026c3c72 955 | 87260f7a 2f124951 18360f02 c26a470f 450dadf3 4a413d21 042b43b9 d93e1309 956 | 957 | # Non-square x^2. 958 | 26948d35 ca62e643 e26a8317 7332e6b6 afeb9d08 e4268b65 0f1f5bbd 8d81d371 959 | 4eac077a 713c57b4 f4397629 a4145982 c661f480 44dd3f96 427d40b1 47d9742f 960 | de6a7b00 deadc788 eb6b6c8d 20c0ae96 c2f20190 78fa604f ee5b87d6 e989ad7b 961 | bcab477b e20861e0 1e4a0e29 5284146a 510150d9 817763ca f1a6f4b4 22d67042 962 | 2a292df7 e32cabab bd9de088 d1d1abec 9fc0440f 637ed2fb a145094d c14bea08 963 | f4a9e534 fc0d216c 44b218fa 0c42d996 35a0127e e2e53c71 2f706096 49fdff22 964 | 8268436f 8c412619 6cf64b3c 7ddbda90 746a3786 25f9813d d9b84570 77256731 965 | 2810e5cb c2cc4d4e ece54f61 c6f69758 e289aa7a b440b3cb eaa21995 c2f4232b 966 | 967 | # Negative xy value. 
968 | 3eb858e7 8f5a7254 d8c97311 74a94f76 755fd394 1c0ac937 35c07ba1 4579630e 969 | a45fdc55 c76448c0 49a1ab33 f17023ed fb2be358 1e9c7aad e8a61252 15e04220 970 | d483fe81 3c6ba647 ebbfd3ec 41adca1c 6130c2be eee9d9bf 065c8d15 1c5f396e 971 | 8a2e1d30 050198c6 5a544831 23960ccc 38aef684 8e1ec8f5 f780e852 3769ba32 972 | 32888462 f8b486c6 8ad7dd96 10be5192 bbeaf3b4 43951ac1 a8118419 d9fa097b 973 | 22714250 1b9d4355 ccba2904 04bde415 75b03769 3cef1f43 8c47f8fb f35d1165 974 | 5c37cc49 1da847cf eb9281d4 07efc41e 15144c87 6e0170b4 99a96a22 ed31e01e 975 | 44542511 7cb8c90e dcbc7c1c c0e74f74 7f2c1efa 5630a967 c64f2877 92a48a4b 976 | 977 | # s = -1, which causes y = 0. 978 | ecffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffff7f 979 | 980 | A.3. Group elements from byte strings 981 | 982 | The following pairs are inputs to the element derivation function of 983 | Section 4.3.4, and their encoded outputs. 984 | 985 | I: 5d1be09e3d0c82fc538112490e35701979d99e06ca3e2b5b54bffe8b4dc772c1 986 | 4d98b696a1bbfb5ca32c436cc61c16563790306c79eaca7705668b47dffe5bb6 987 | O: 3066f82a 1a747d45 120d1740 f1435853 1a8f04bb ffe6a819 f86dfe50 f44a0a46 988 | 989 | I: f116b34b8f17ceb56e8732a60d913dd10cce47a6d53bee9204be8b44f6678b27 990 | 0102a56902e2488c46120e9276cfe54638286b9e4b3cdb470b542d46c2068d38 991 | O: f26e5b6f 7d362d2d 2a94c5d0 e7602cb4 773c95a2 e5c31a64 f133189f a76ed61b 992 | 993 | I: 8422e1bbdaab52938b81fd602effb6f89110e1e57208ad12d9ad767e2e25510c 994 | 27140775f9337088b982d83d7fcf0b2fa1edffe51952cbe7365e95c86eaf325c 995 | O: 006ccd2a 9e6867e6 a2c5cea8 3d3302cc 9de128dd 2a9a57dd 8ee7b9d7 ffe02826 996 | 997 | I: ac22415129b61427bf464e17baee8db65940c233b98afce8d17c57beeb7876c2 998 | 150d15af1cb1fb824bbd14955f2b57d08d388aab431a391cfc33d5bafb5dbbaf 999 | O: f8f0c87c f237953c 5890aec3 99816900 5dae3eca 1fbb0454 8c635953 c817f92a 1000 | 1001 | I: 165d697a1ef3d5cf3c38565beefcf88c0f282b8e7dbd28544c483432f1cec767 1002 | 
5debea8ebb4e5fe7d6f6e5db15f15587ac4d4d4a1de7191e0c1ca6664abcc413 1003 | O: ae81e7de df20a497 e10c304a 765c1767 a42d6e06 029758d2 d7e8ef7c c4c41179 1004 | 1005 | I: a836e6c9a9ca9f1e8d486273ad56a78c70cf18f0ce10abb1c7172ddd605d7fd2 1006 | 979854f47ae1ccf204a33102095b4200e5befc0465accc263175485f0e17ea5c 1007 | O: e2705652 ff9f5e44 d3e841bf 1c251cf7 dddb77d1 40870d1a b2ed64f1 a9ce8628 1008 | 1009 | I: 2cdc11eaeb95daf01189417cdddbf95952993aa9cb9c640eb5058d09702c7462 1010 | 2c9965a697a3b345ec24ee56335b556e677b30e6f90ac77d781064f866a3c982 1011 | O: 80bd0726 2511cdde 4863f8a7 434cef69 6750681c b9510eea 557088f7 6d9e5065 1012 | 1013 | The following element derivation function inputs all produce the same 1014 | encoded output. 1015 | 1016 | I: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 1017 | 1200000000000000000000000000000000000000000000000000000000000000 1018 | I: edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 1019 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 1020 | I: 0000000000000000000000000000000000000000000000000000000000000080 1021 | ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f 1022 | I: 0000000000000000000000000000000000000000000000000000000000000000 1023 | 1200000000000000000000000000000000000000000000000000000000000080 1024 | 1025 | O: 30428279 1023b731 28d277bd cb5c7746 ef2eac08 dde9f298 3379cb8e 5ef0517f 1026 | 1027 | A.4. Square root of a ratio of field elements 1028 | 1029 | The following are inputs and outputs of SQRT_RATIO_M1(u, v) defined 1030 | in Section 4.2. The values are little-endian encodings of field 1031 | elements. 
1032 | 1033 | u: 0000000000000000000000000000000000000000000000000000000000000000 1034 | v: 0000000000000000000000000000000000000000000000000000000000000000 1035 | was_square: TRUE 1036 | r: 0000000000000000000000000000000000000000000000000000000000000000 1037 | 1038 | u: 0000000000000000000000000000000000000000000000000000000000000000 1039 | v: 0100000000000000000000000000000000000000000000000000000000000000 1040 | was_square: TRUE 1041 | r: 0000000000000000000000000000000000000000000000000000000000000000 1042 | 1043 | u: 0100000000000000000000000000000000000000000000000000000000000000 1044 | v: 0000000000000000000000000000000000000000000000000000000000000000 1045 | was_square: FALSE 1046 | r: 0000000000000000000000000000000000000000000000000000000000000000 1047 | 1048 | u: 0200000000000000000000000000000000000000000000000000000000000000 1049 | v: 0100000000000000000000000000000000000000000000000000000000000000 1050 | was_square: FALSE 1051 | r: 3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54 1052 | 1053 | u: 0400000000000000000000000000000000000000000000000000000000000000 1054 | v: 0100000000000000000000000000000000000000000000000000000000000000 1055 | was_square: TRUE 1056 | r: 0200000000000000000000000000000000000000000000000000000000000000 1057 | 1058 | u: 0100000000000000000000000000000000000000000000000000000000000000 1059 | v: 0400000000000000000000000000000000000000000000000000000000000000 1060 | was_square: TRUE 1061 | r: f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f 1062 | 1063 | Appendix B. Test vectors for decaf448 1064 | 1065 | This section contains test vectors for decaf448. The octets are hex 1066 | encoded, and whitespace is inserted for readability. 1067 | 1068 | B.1. Multiples of the generator 1069 | 1070 | The following are the encodings of the multiples 0 to 15 of the 1071 | canonical generator, represented as an array of elements. 
That is, 1072 | the first entry is the encoding of the identity element, and each 1073 | successive entry is obtained by adding the generator to the previous 1074 | entry. 1075 | 1076 | B[ 0]: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1077 | 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1078 | B[ 1]: 66666666 66666666 66666666 66666666 66666666 66666666 66666666 1079 | 33333333 33333333 33333333 33333333 33333333 33333333 33333333 1080 | B[ 2]: c898eb4f 87f97c56 4c6fd61f c7e49689 314a1f81 8ec85eeb 3bd5514a 1081 | c816d387 78f69ef3 47a89fca 817e66de fdedce17 8c7cc709 b2116e75 1082 | B[ 3]: a0c09bf2 ba7208fd a0f4bfe3 d0f5b29a 54301230 6d43831b 5adc6fe7 1083 | f8596fa3 08763db1 5468323b 11cf6e4a eb8c18fe 44678f44 545a69bc 1084 | B[ 4]: b46f1836 aa287c0a 5a5653f0 ec5ef9e9 03f436e2 1c1570c2 9ad9e5f5 1085 | 96da97ee af17150a e30bcb31 74d04bc2 d712c8c7 789d7cb4 fda138f4 1086 | B[ 5]: 1c5bbecf 4741dfaa e79db72d face00ea aac502c2 060934b6 eaaeca6a 1087 | 20bd3da9 e0be8777 f7d02033 d1b15884 232281a4 1fc7f80e ed04af5e 1088 | B[ 6]: 86ff0182 d40f7f9e db786251 5821bd67 bfd6165a 3c44de95 d7df79b8 1089 | 779ccf64 60e3c68b 70c16aaa 280f2d7b 3f22d745 b97a8990 6cfc476c 1090 | B[ 7]: 502bcb68 42eb06f0 e49032ba e87c554c 031d6d4d 2d7694ef bf9c468d 1091 | 48220c50 f8ca2884 3364d70c ee92d6fe 246e6144 8f9db980 8b3b2408 1092 | B[ 8]: 0c9810f1 e2ebd389 caa78937 4d780079 74ef4d17 227316f4 0e578b33 1093 | 6827da3f 6b482a47 94eb6a39 75b971b5 e1388f52 e91ea2f1 bcb0f912 1094 | B[ 9]: 20d41d85 a18d5657 a2964032 1563bbd0 4c2ffbd0 a37a7ba4 3a4f7d26 1095 | 3ce26faf 4e1f74f9 f4b590c6 9229ae57 1fe37fa6 39b5b8eb 48bd9a55 1096 | B[10]: e6b4b8f4 08c7010d 0601e7ed a0c309a1 a42720d6 d06b5759 fdc4e1ef 1097 | e22d076d 6c44d42f 508d67be 462914d2 8b8edce3 2e709430 5164af17 1098 | B[11]: be88bbb8 6c59c13d 8e9d09ab 98105f69 c2d1dd13 4dbcd3b0 863658f5 1099 | 3159db64 c0e139d1 80f3c89b 8296d0ae 324419c0 6fa87fc7 daaf34c1 1100 | B[12]: a456f936 9769e8f0 8902124a 0314c7a0 
6537a06e 32411f4f 93415950 1101 | a17badfa 7442b621 7434a3a0 5ef45be5 f10bd7b2 ef8ea00c 431edec5 1102 | B[13]: 186e452c 4466aa43 83b4c002 10d52e79 22dbf977 1e8b47e2 29a9b7b7 1103 | 3c8d10fd 7ef0b6e4 1530f91f 24a3ed9a b71fa38b 98b2fe47 46d51d68 1104 | B[14]: 4ae7fdca e9453f19 5a8ead5c be1a7b96 99673b52 c40ab279 27464887 1105 | be53237f 7f3a21b9 38d40d0e c9e15b1d 5130b13f fed81373 a53e2b43 1106 | B[15]: 841981c3 bfeec3f6 0cfeca75 d9d8dc17 f46cf010 6f2422b5 9aec580a 1107 | 58f34227 2e3a5e57 5a055ddb 051390c5 4c24c6ec b1e0aceb 075f6056 1108 | 1109 | B.2. Invalid encodings 1110 | 1111 | These are examples of encodings that MUST be rejected according to 1112 | Section 5.3.1. 1113 | 1114 | # Non-canonical field encodings. 1115 | 8e24f838 059ee9fe f1e20912 6defe53d cd74ef9b 6304601c 6966099e 1116 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1117 | 1118 | 86fcc721 2bd4a0b9 80928666 dc28c444 a605ef38 e09fb569 e28d4443 1119 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1120 | 1121 | 866d54bd 4c4ff41a 55d4eefd beca73cb d653c7bd 3135b383 708ec0bd 1122 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1123 | 1124 | 4a380ccd ab9c8636 4a89e77a 464d64f9 157538cf dfa686ad c0d5ece4 1125 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1126 | 1127 | f22d9d4c 945dd44d 11e0b1d3 d3d358d9 59b4844d 83b08c44 e659d79f 1128 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1129 | 1130 | 8cdffc68 1aa99e9c 818c8ef4 c3808b58 e86acdef 1ab68c84 77af185b 1131 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1132 | 1133 | 0e1c12ac 7b5920ef fbd044e8 97c57634 e2d05b5c 27f8fa3d f8a086a1 1134 | ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 1135 | 1136 | # Negative field elements. 
1137 | 15141bd2 121837ef 71a0016b d11be757 507221c2 6542244f 23806f3f 1138 | d3496b7d 4c368262 76f3bf5d eea2c60c 4fa4cec6 9946876d a497e795 1139 | 1140 | 455d3802 38434ab7 40a56267 f4f46b7d 2eb2dd8e e905e51d 7b0ae8a6 1141 | cb2bae50 1e67df34 ab21fa45 946068c9 f233939b 1d9521a9 98b7cb93 1142 | 1143 | 810b1d8e 8bf3a9c0 23294bbf d3d905a9 7531709b dc0f4239 0feedd70 1144 | 10f77e98 686d400c 9c86ed25 0ceecd9d e0a18888 ffecda0f 4ea1c60d 1145 | 1146 | d3af9cc4 1be0e5de 83c0c627 3bedcb93 51970110 044a9a41 c7b9b226 1147 | 7cdb9d7b f4dc9c2f db8bed32 87818460 4f1d9944 305a8df4 274ce301 1148 | 1149 | 9312bcab 09009e43 30ff89c4 bc1e9e00 0d863efc 3c863d3b 6c507a40 1150 | fd2cdefd e1bf0892 b4b5ed97 80b91ed1 398fb4a7 344c605a a5efda74 1151 | 1152 | 53d11bce 9e62a29d 63ed82ae 93761bdd 76e38c21 e2822d6e bee5eb1c 1153 | 5b8a03ea f9df749e 2490eda9 d8ac27d1 f71150de 93668074 d18d1c3a 1154 | 1155 | 697c1aed 3cd88585 15d4be8a c158b229 fe184d79 cb2b06e4 9210a6f3 1156 | a7cd537b cd9bd390 d96c4ab6 a4406da5 d9364072 6285370c fa95df80 1157 | 1158 | # Non-square x^2. 
1159 | 58ad4871 5c9a1025 69b68b88 362a4b06 45781f5a 19eb7e59 c6a4686f 1160 | d0f0750f f42e3d7a f1ab38c2 9d69b670 f3125891 9c9fdbf6 093d06c0 1161 | 1162 | 8ca37ee2 b15693f0 6e910cf4 3c4e32f1 d5551dda 8b1e48cb 6ddd55e4 1163 | 40dbc7b2 96b60191 9a4e4069 f59239ca 247ff693 f7daa42f 086122b1 1164 | 1165 | 982c0ec7 f43d9f97 c0a74b36 db0abd9c a6bfb981 23a90782 787242c8 1166 | a523cdc7 6df14a91 0d544711 27e7662a 1059201f 902940cd 39d57af5 1167 | 1168 | baa9ab82 d07ca282 b968a911 a6c3728d 74bf2fe2 58901925 787f03ee 1169 | 4be7e3cb 6684fd1b cfe5071a 9a974ad2 49a4aaa8 ca812642 16c68574 1170 | 1171 | 2ed9ffe2 ded67a37 2b181ac5 24996402 c4297062 9db03f5e 8636cbaf 1172 | 6074b523 d154a7a8 c4472c4c 353ab88c d6fec7da 7780834c c5bd5242 1173 | 1174 | f063769e 4241e76d 815800e4 933a3a14 4327a30e c40758ad 3723a788 1175 | 388399f7 b3f5d45b 6351eb8e ddefda7d 5bff4ee9 20d338a8 b89d8b63 1176 | 1177 | 5a0104f1 f55d152c eb68bc13 81824998 91d90ee8 f09b4003 8ccc1e07 1178 | cb621fd4 62f781d0 45732a4f 0bda73f0 b2acf943 55424ff0 388d4b9c 1179 | 1180 | B.3. Group elements from uniform byte strings 1181 | 1182 | The following pairs are inputs to the element derivation function of 1183 | Section 5.3.4, and their encoded outputs. 
1184 | 1185 | I: cbb8c991fd2f0b7e1913462d6463e4fd2ce4ccdd28274dc2ca1f4165 1186 | d5ee6cdccea57be3416e166fd06718a31af45a2f8e987e301be59ae6 1187 | 673e963001dbbda80df47014a21a26d6c7eb4ebe0312aa6fffb8d1b2 1188 | 6bc62ca40ed51f8057a635a02c2b8c83f48fa6a2d70f58a1185902c0 1189 | O: 0c709c96 07dbb01c 94513358 745b7c23 953d03b3 3e39c723 4e268d1d 1190 | 6e24f340 14ccbc22 16b965dd 231d5327 e591dc3c 0e8844cc fd568848 1191 | 1192 | I: b6d8da654b13c3101d6634a231569e6b85961c3f4b460a08ac4a5857 1193 | 069576b64428676584baa45b97701be6d0b0ba18ac28d443403b4569 1194 | 9ea0fbd1164f5893d39ad8f29e48e399aec5902508ea95e33bc1e9e4 1195 | 620489d684eb5c26bc1ad1e09aba61fabc2cdfee0b6b6862ffc8e55a 1196 | O: 76ab794e 28ff1224 c727fa10 16bf7f1d 329260b7 218a39ae a2fdb17d 1197 | 8bd91190 17b093d6 41cedf74 328c3271 84dc6f2a 64bd90ed dccfcdab 1198 | 1199 | I: 36a69976c3e5d74e4904776993cbac27d10f25f5626dd45c51d15dcf 1200 | 7b3e6a5446a6649ec912a56895d6baa9dc395ce9e34b868d9fb2c1fc 1201 | 72eb6495702ea4f446c9b7a188a4e0826b1506b0747a6709f37988ff 1202 | 1aeb5e3788d5076ccbb01a4bc6623c92ff147a1e21b29cc3fdd0e0f4 1203 | O: c8d7ac38 4143500e 50890a1c 25d64334 3accce58 4caf2544 f9249b2b 1204 | f4a69210 82be0e7f 3669bb5e c24535e6 c45621e1 f6dec676 edd8b664 1205 | 1206 | I: d5938acbba432ecd5617c555a6a777734494f176259bff9dab844c81 1207 | aadcf8f7abd1a9001d89c7008c1957272c1786a4293bb0ee7cb37cf3 1208 | 988e2513b14e1b75249a5343643d3c5e5545a0c1a2a4d3c685927c38 1209 | bc5e5879d68745464e2589e000b31301f1dfb7471a4f1300d6fd0f99 1210 | O: 62beffc6 b8ee11cc d79dbaac 8f0252c7 50eb052b 192f41ee ecb12f29 1211 | 79713b56 3caf7d22 588eca5e 80995241 ef963e7a d7cb7962 f343a973 1212 | 1213 | I: 4dec58199a35f531a5f0a9f71a53376d7b4bdd6bbd2904234a8ea65b 1214 | bacbce2a542291378157a8f4be7b6a092672a34d85e473b26ccfbd4c 1215 | dc6739783dc3f4f6ee3537b7aed81df898c7ea0ae89a15b5559596c2 1216 | a5eeacf8b2b362f3db2940e3798b63203cae77c4683ebaed71533e51 1217 | O: f4ccb31d 263731ab 88bed634 304956d2 603174c6 6da38742 053fa37d 1218 | d902346c 3862155d 
68db63be 87439e3d 68758ad7 268e239d 39c4fd3b 1219 | 1220 | I: df2aa1536abb4acab26efa538ce07fd7bca921b13e17bc5ebcba7d1b 1221 | 6b733deda1d04c220f6b5ab35c61b6bcb15808251cab909a01465b8a 1222 | e3fc770850c66246d5a9eae9e2877e0826e2b8dc1bc08009590bc677 1223 | 8a84e919fbd28e02a0f9c49b48dc689eb5d5d922dc01469968ee81b5 1224 | O: 7e79b00e 8e0a76a6 7c0040f6 2713b8b8 c6d6f05e 9c6d0259 2e8a22ea 1225 | 896f5dea cc7c7df5 ed42beae 6fedb900 0285b482 aa504e27 9fd49c32 1226 | 1227 | I: e9fb440282e07145f1f7f5ecf3c273212cd3d26b836b41b02f108431 1228 | 488e5e84bd15f2418b3d92a3380dd66a374645c2a995976a015632d3 1229 | 6a6c2189f202fc766e1c82f50ad9189be190a1f0e8f9b9e69c9c18cc 1230 | 98fdd885608f68bf0fdedd7b894081a63f70016a8abf04953affbefa 1231 | O: 20b171cb 16be977f 15e013b9 752cf86c 54c631c4 fc8cbf7c 03c4d3ac 1232 | 9b8e8640 e7b0e930 0b987fe0 ab504466 9314f6ed 1650ae03 7db853f1 1233 | 1234 | Authors' Addresses 1235 | 1236 | Henry de Valence 1237 | Email: ietf@hdevalence.ca 1238 | 1239 | 1240 | Jack Grigg 1241 | Email: ietf@jackgrigg.com 1242 | 1243 | 1244 | Mike Hamburg 1245 | Email: ietf@shiftleft.org 1246 | 1247 | 1248 | Isis Lovecruft 1249 | Email: ietf@en.ciph.re 1250 | 1251 | 1252 | George Tankersley 1253 | Email: ietf@gtank.cc 1254 | 1255 | 1256 | Filippo Valsorda 1257 | Email: ietf@filippo.io 1258 | -------------------------------------------------------------------------------- /draft-irtf-cfrg-ristretto255-decaf448.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | The ristretto255 and decaf448 Groups 7 |
Authors: Henry de Valence <ietf@hdevalence.ca>, Jack Grigg <ietf@jackgrigg.com>, Mike Hamburg <ietf@shiftleft.org>, Isis Lovecruft <ietf@en.ciph.re>, George Tankersley <ietf@gtank.cc>, Filippo Valsorda <ietf@filippo.io>
Area: Internet
Workgroup: Crypto Forum Research Group

Abstract

This memo specifies two prime-order groups, ristretto255 and decaf448, suitable for safely implementing higher-level and complex cryptographic protocols. The ristretto255 group can be implemented using Curve25519, allowing existing Curve25519 implementations to be reused and extended to provide a prime-order group. Likewise, the decaf448 group can be implemented using edwards448.

This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.
1. Introduction

Decaf is a technique for constructing prime-order groups with non-malleable encodings from non-prime-order elliptic curves. Ristretto extends this technique to support cofactor-8 curves such as Curve25519 [RFC7748]. In particular, this allows an existing Curve25519 library to provide a prime-order group with only a thin abstraction layer.

Many group-based cryptographic protocols require the number of elements in the group (the group order) to be prime. Prime-order groups are useful because every non-identity element of the group is a generator of the entire group. This means the group has a cofactor of 1, and all elements are equivalent from the perspective of Discrete Log Hardness.

Edwards curves provide a number of implementation benefits for cryptography, such as complete addition formulas with no exceptional points and formulas among the fastest known for curve operations. However, the group of points on the curve is not of prime order, i.e., it has a cofactor larger than 1.

This abstraction mismatch is usually handled by means of ad-hoc protocol tweaks, such as multiplying by the cofactor in an appropriate place, or not at all.

Even for simple protocols such as signatures, these tweaks can cause subtle issues. For instance, Ed25519 implementations may have different validation behavior between batched and singleton verification, and at least as specified in [RFC8032], the set of valid signatures is not defined by the standard.

For more complex protocols, careful analysis is required as the original security proofs may no longer apply, and the tweaks for one protocol may have disastrous effects when applied to another (for instance, the octuple-spend vulnerability in [MoneroVuln]).

Decaf and Ristretto fix this abstraction mismatch in one place for all protocols, providing an abstraction to protocol implementors that matches the abstraction commonly assumed in protocol specifications, while still allowing the use of high-performance curve implementations internally. The abstraction layer imposes minor overhead, and only in the encoding and decoding phases.

While Ristretto is a general method, and can be used in conjunction with any Edwards curve with cofactor 4 or 8, this document specifies the ristretto255 group, which can be implemented using Curve25519, and the decaf448 group, which can be implemented using edwards448. There are other elliptic curves that can be used internally to implement ristretto255 or decaf448, and those implementations would be interoperable with a Curve25519- or edwards448-based one, but those constructions are out-of-scope for this document.

The Ristretto construction is described and justified in detail at https://ristretto.group.

This document represents the consensus of the Crypto Forum Research Group (CFRG). This document is not an IETF product and is not a standard.
2. Notation and Conventions Used In This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Readers are cautioned that the term "Curve25519" has varying interpretations in the literature, and that the canonical meaning of the term has shifted over time. Originally it referred to a specific Diffie-Hellman key exchange mechanism. Over time, use shifted, and "Curve25519" has been used to refer to either the abstract underlying curve, or its concrete representation in Montgomery form, or the specific Diffie-Hellman mechanism. This document uses the term "Curve25519" to refer to the abstract underlying curve, as recommended in [RFC7748]. The abstract Edwards form of the curve we refer to here as "Curve25519" is in [RFC7748] referred to as "edwards25519" and its isogenous Montgomery form is referred to as "curve25519".

Elliptic curve points in this document are represented in extended Edwards coordinates in the (x, y, z, t) format, also called extended homogeneous coordinates in Section 5.1.4 of [RFC8032]. Field elements are values modulo p, the Curve25519 prime 2^255 - 19 or the edwards448 prime 2^448 - 2^224 - 1, as specified in Sections 4.1 and 4.2 of [RFC7748], respectively. All formulas specify field operations unless otherwise noted. The symbol ^ denotes exponentiation.

The | symbol represents a constant-time logical OR.

The notation array[A:B] means the elements of array from A to B-1. That is, it is exclusive of B. Arrays are indexed starting from 0.

A byte is an 8-bit entity (also known as "octet") and a byte string is an ordered sequence of bytes. An N-byte string is a byte string of N bytes in length.

Element encodings are presented as hex encoded byte strings with whitespace added for readability.
2.1. Negative field elements

As in [RFC8032], given a field element e, define IS_NEGATIVE(e) as TRUE if the least non-negative integer representing e is odd, and FALSE if it is even. This SHOULD be implemented in constant time.

2.2. Constant time operations

We assume that the field element implementation supports the following operations, which SHOULD be implemented in constant time:

   • CT_EQ(u, v): return TRUE if u = v, FALSE otherwise.
   • CT_SELECT(v IF cond ELSE u): return v if cond is TRUE, else return u.
   • CT_ABS(u): return -u if IS_NEGATIVE(u), else return u.

Note that CT_ABS MAY be implemented as:

   CT_SELECT(-u IF IS_NEGATIVE(u) ELSE u)
3. The group abstraction

Ristretto and Decaf implement an abstract prime-order group interface that exposes only the behavior that is useful to higher-level protocols, without leaking curve-related details and pitfalls.

Each abstract group exposes operations on abstract element and abstract scalar types. The operations defined on these types include: decoding, encoding, equality, addition, negation, subtraction and (multi-)scalar multiplication. Each abstract group also exposes a deterministic function to derive abstract elements from fixed-length byte strings. A description of each of these operations is below.

Decoding is a function from byte strings to abstract elements with built-in validation, so that only the canonical encodings of valid elements are accepted. The built-in validation avoids the need for explicit invalid curve checks.

Encoding is a function from abstract elements to byte strings. Internally, an abstract element might have more than one possible representation -- for example, the implementation might use projective coordinates. When encoding, all equivalent representations of the same element are encoded as identical byte strings. Decoding the output of the encoding function always succeeds and returns an equivalent element to the encoding input.

The equality check reports whether two representations of an abstract element are equivalent.

The element derivation function maps deterministically from byte strings of a fixed length to abstract elements. It has two important properties. First, if the input is a uniformly random byte string, then the output is (within a negligible statistical distance of) a uniformly random abstract group element. This means the function is suitable for selecting random group elements.

Second, although the element derivation function is many-to-one and therefore not strictly invertible, it is not pre-image resistant. On the contrary, given an arbitrary abstract group element P, there is an efficient algorithm to randomly sample from byte strings that map to P. In some contexts this property would be a weakness, but it is important in others: in particular, it means that a combination of a cryptographic hash function and the element derivation function is suitable for use in algorithms such as hash_to_curve.

Addition is the group operation. The group has an identity element and prime order l. Adding together l copies of the same element gives the identity. Adding the identity element to any element returns that element unchanged. Negation returns an element that added to the negation input returns the identity element. Subtraction is the addition of a negated element, and scalar multiplication is the repeated addition of an element.
4. ristretto255

ristretto255 is an instantiation of the abstract prime-order group interface defined in Section 3. This document describes how to implement the ristretto255 prime-order group using Curve25519 points as internal representations.

A "ristretto255 group element" is the abstract element of the prime order group. An "element encoding" is the unique reversible encoding of a group element. An "internal representation" is a point on the curve used to implement ristretto255. Each group element can have multiple equivalent internal representations.

Encoding, decoding, equality, and the element derivation function are defined in Section 4.3. Element addition, subtraction, negation, and scalar multiplication are implemented by applying the corresponding operations directly to the internal representation.

The group order is the same as the order of the Curve25519 prime-order subgroup:

   l = 2^252 + 27742317777372353535851937790883648493

Since ristretto255 is a prime-order group, every element except the identity is a generator, but for interoperability a canonical generator is selected, which can be internally represented by the Curve25519 basepoint, enabling reuse of existing precomputation for scalar multiplication. This is its encoding as produced by the function specified in Section 4.3.2:

   e2f2ae0a 6abc4e71 a884a961 c500515f 58e30b6a a582dd8d b6a65945 e08d2d76
Implementation constants 220 | This document references the following constant field element values 221 | that are used for the implementation of group operations. 222 | 223 |
    224 |
  • D = 37095705934669439343138083508754565189542113879843219016388785533085940283555 225 | 226 |
      227 |
    • This is the Edwards d parameter for Curve25519, as specified in Section 4.1 of .
    • 228 |
  • 229 |
  • SQRT_M1 = 19681161376707505956807079304988542015446066515923890162744021073123829784752
  • 230 |
  • SQRT_AD_MINUS_ONE = 25063068953384623474111414158702152701244531502492656460079210482610430750235
  • 231 |
  • INVSQRT_A_MINUS_D = 54469307008909316920995813868745141605393597292927456921205312896311721017578
  • 232 |
  • ONE_MINUS_D_SQ = 1159843021668779879193775521855586647937357759715417654439879720876111806838
  • 233 |
  • D_MINUS_ONE_SQ = 40440834346308536858101042469323190826248399146238708352240133220865137265952
  • 234 |
235 |
236 | 237 |
4.2. Square root of a ratio of field elements

The following function is defined on field elements, and is used to implement other ristretto255 functions. This function is only used internally to implement some of the group operations.

On input field elements u and v, the function SQRT_RATIO_M1(u, v) returns:

   • (TRUE, +sqrt(u/v)) if u and v are non-zero, and u/v is square;
   • (TRUE, zero) if u is zero;
   • (FALSE, zero) if v is zero and u is non-zero;
   • (FALSE, +sqrt(SQRT_M1*(u/v))) if u and v are non-zero, and u/v is non-square (so SQRT_M1*(u/v) is square),

where +sqrt(x) indicates the non-negative square root of x in the field.

The computation is similar to Section 5.1.3 of [RFC8032], with the difference that if the input is non-square, the function returns a result with a defined relationship to the inputs. This result is used for efficient implementation of the derivation function. The function can be refactored from an existing Ed25519 implementation.

SQRT_RATIO_M1(u, v) is defined as follows:
4.3. ristretto255 group operations

This section describes the implementation of the external functions exposed by the ristretto255 prime-order group.

4.3.1. Decode

All elements are encoded as 32-byte strings. Decoding proceeds as follows:

   1. First, interpret the string as an unsigned integer s in little-endian representation. If the length of the string is not 32 bytes, or if the resulting value is >= p, decoding fails.
      • Note: unlike field element decoding, the most significant bit is not masked, and non-canonical values are rejected. The test vectors in Appendix A exercise these edge cases.
   2. If IS_NEGATIVE(s) returns TRUE, decoding fails.
   3. Process s as follows:
   4. If was_square is FALSE, or IS_NEGATIVE(t) returns TRUE, or y = 0, decoding fails. Otherwise, return the group element represented by the internal representation (x, y, 1, t) as the result of decoding.
Encode 327 | A group element with internal representation (x0, y0, z0, t0) is 328 | encoded as follows: 329 | 330 |
    331 |
  1. Process the internal representation into a field element s as follows:
  2. 332 |
333 | 334 | 360 | 361 | 362 |
    363 |
  1. Return the 32-byte little-endian encoding of s. More specifically, 364 | this is the encoding of the canonical representation of s as an integer 365 | between 0 and p-1, inclusive.
  2. 366 |
367 | Note that decoding and then re-encoding a valid group element will 368 | yield an identical byte string. 369 |
370 | 371 |
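The SQRT_RATIO_M1, Decode and Encode procedures of this section as an added Python reference. This is not the repository's code: it follows the ristretto255 definitions in the published specification, RFC 9496, using the implementation constants above; the group order l, the basepoint y = 4/5 and the extended-coordinate addition formula are the Curve25519 values from RFC 8032. It is not constant time and is meant for study and test-vector checking, not for production use.

```python
# Added reference (not this repository's code): ristretto255 SQRT_RATIO_M1,
# Decode and Encode written from the published spec (RFC 9496), plus plain
# Edwards addition so the results can be exercised. NOT constant time: for
# study and test-vector checking only.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # group order l (RFC 8032)
D = 37095705934669439343138083508754565189542113879843219016388785533085940283555
SQRT_M1 = 19681161376707505956807079304988542015446066515923890162744021073123829784752
INVSQRT_A_MINUS_D = 54469307008909316920995813868745141605393597292927456921205312896311721017578
IDENTITY = (0, 1, 1, 0)          # internal representation of the identity

def is_negative(e):
    """IS_NEGATIVE: the least non-negative representative of e is odd."""
    return (e % P) & 1 == 1

def ct_abs(e):
    """CT_ABS (minus the constant-time property): -e if negative, else e."""
    return (-e) % P if is_negative(e) else e % P

def sqrt_ratio_m1(u, v):
    """Return (was_square, r) with the four-case contract given in the text."""
    u, v = u % P, v % P
    v3 = v * v * v % P
    v7 = v3 * v3 * v % P
    r = u * v3 * pow(u * v7 % P, (P - 5) // 8, P) % P
    check = v * r * r % P
    correct_sign_sqrt = check == u
    flipped_sign_sqrt = check == (-u) % P
    flipped_sign_sqrt_i = check == (-u * SQRT_M1) % P
    if flipped_sign_sqrt or flipped_sign_sqrt_i:
        r = SQRT_M1 * r % P       # multiply by sqrt(-1) to repair the sign
    return (correct_sign_sqrt or flipped_sign_sqrt), ct_abs(r)

def decode(b):
    """Decode a 32-byte string to (x, y, z, t); None if it MUST be rejected."""
    if len(b) != 32:
        return None
    s = int.from_bytes(b, "little")
    if s >= P or is_negative(s):  # non-canonical or negative s: reject
        return None
    ss = s * s % P
    u1, u2 = (1 - ss) % P, (1 + ss) % P
    u2_sqr = u2 * u2 % P
    v = (-(D * u1 * u1) - u2_sqr) % P
    was_square, invsqrt = sqrt_ratio_m1(1, v * u2_sqr)
    den_x = invsqrt * u2 % P
    den_y = invsqrt * den_x * v % P
    x = ct_abs(2 * s * den_x)
    y = u1 * den_y % P
    t = x * y % P
    if not was_square or is_negative(t) or y == 0:
        return None
    return (x, y, 1, t)

def encode(pt):
    """Encode any internal representation (x0, y0, z0, t0) as 32 bytes."""
    x0, y0, z0, t0 = pt
    u1 = (z0 + y0) * (z0 - y0) % P
    u2 = x0 * y0 % P
    _, invsqrt = sqrt_ratio_m1(1, u1 * u2 * u2)   # always square: flag ignored
    den1, den2 = invsqrt * u1 % P, invsqrt * u2 % P
    z_inv = den1 * den2 * t0 % P
    if is_negative(t0 * z_inv):   # rotate by the order-4 point (sqrt(-1), 0)
        x, y = y0 * SQRT_M1 % P, x0 * SQRT_M1 % P
        den_inv = den1 * INVSQRT_A_MINUS_D % P
    else:
        x, y, den_inv = x0, y0, den2
    if is_negative(x * z_inv):    # negate y so that x becomes non-negative
        y = -y
    return ct_abs(den_inv * (z0 - y)).to_bytes(32, "little")

def add(p1, p2):
    """Extended-coordinate addition on the a = -1 twisted Edwards curve (RFC 8032)."""
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * t1 * t2 * D % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def scalar_mult(k, pt):
    """Double-and-add (not constant time)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def basepoint():
    """Curve25519 basepoint (y = 4/5, non-negative x) as the canonical generator."""
    y = 4 * pow(5, P - 2, P) % P
    _, x = sqrt_ratio_m1(y * y - 1, D * y * y + 1)
    return (x, y, 1, x * y % P)
```

The SQRT_RATIO_M1 vectors at the end of Appendix A (for example u = 2, v = 1 and u = 1, v = 4) can be checked directly against sqrt_ratio_m1, and adding the order-2 point (0, -1) or the order-4 point (SQRT_M1, 0) to an internal representation leaves its encoding unchanged, which is the cofactor-hiding property the group is built for.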
Equals 372 | The equality function returns TRUE when two internal representations 373 | correspond to the same group element. Note that internal representations 374 | MUST NOT be compared in any other way than specified here. 375 | For two internal representations (x1, y1, z1, t1) and (x2, y2, z2, t2), 376 | if 377 | 378 | 380 | 381 | evaluates to TRUE, then return TRUE. Otherwise, return FALSE. 382 | Note that the equality function always returns TRUE when applied to an 383 | internal representation and to the internal representation obtained by 384 | encoding and then re-decoding it. However, the internal 385 | representations themselves might not be identical. 386 | Implementations MAY also perform byte comparisons on the encodings 387 | of group elements (produced by ) for an equivalent, although 388 | less efficient, result. 389 |
390 | 391 |
Element derivation 392 | The element derivation function operates on 64-byte strings. 393 | To obtain such an input from an arbitrary-length byte string, applications 394 | should use a domain-separated hash construction, the choice of which 395 | is out-of-scope for this document. 396 | The element derivation function on an input string b proceeds as follows: 397 | 398 |
    399 |
  1. Compute P1 as MAP(b[0:32]).
  2. 400 |
  3. Compute P2 as MAP(b[32:64]).
  4. 401 |
  5. Return P1 + P2.
  6. 402 |
403 | The MAP function is defined on 32-byte strings as: 404 | 405 |
    406 |
  1. First, mask the most significant bit in the final byte of the string, 407 | and interpret the string as an unsigned integer r in little-endian 408 | representation. Reduce r modulo p to obtain a field element t. 409 | 410 |
      411 |
    • Masking the most significant bit is equivalent to interpreting the 412 | whole string as an unsigned integer in little-endian representation and then 413 | reducing it modulo 2^255.
    • 414 |
    • Note: similarly to field element decoding, and unlike 415 | field element decoding in , the most significant bit 416 | is masked, and non-canonical values are accepted.
    • 417 |
  2. 418 |
  3. Process t as follows: 419 |
  4. 420 |
421 | 422 | 438 | 439 | 440 |
    441 |
  1. Return the group element represented by the internal representation 442 | (w0*w3, w2*w1, w1*w3, w0*w2).
  2. 443 |
444 |
445 |
446 | 447 |
Scalar field 448 | The scalars for the ristretto255 group are integers modulo the order l 449 | of the ristretto255 group. Note that this is the same scalar field as 450 | Curve25519, allowing existing implementations to be reused. 451 | Scalars are encoded as 32-byte strings in little-endian order. 452 | Implementations SHOULD check that any scalar s falls in the range 453 | 0 <= s < l when parsing them and reject non-canonical scalar 454 | encodings. Implementations SHOULD reduce scalars modulo l when 455 | encoding them as byte strings. Omitting these strict range checks is 456 | NOT RECOMMENDED but is allowed to enable reuse of scalar 457 | arithmetic implementations in existing Curve25519 libraries. 458 | Given a uniformly distributed 64-byte string b, implementations can 459 | obtain a uniformly distributed scalar by interpreting the 64-byte 460 | string as a 512-bit unsigned integer in little-endian order and reducing the 461 | integer modulo l, as in . To obtain such an input from an 462 | arbitrary-length byte string, applications should use a domain-separated 463 | hash construction, the choice of which is out-of-scope for this document. 464 |
465 |
466 | 467 |
decaf448 468 | decaf448 is an instantiation of the abstract prime-order group 469 | interface defined in . This document describes how to 470 | implement the decaf448 prime-order group using edwards448 points as 471 | internal representations. 472 | A "decaf448 group element" is the abstract element of the prime order 473 | group. An "element encoding" is the unique reversible encoding of a 474 | group element. An "internal representation" is a point on the curve 475 | used to implement decaf448. Each group element can have multiple 476 | equivalent internal representations. 477 | Encoding, decoding, equality, and the element derivation functions are defined in 478 | . Element addition, subtraction, negation, and scalar 479 | multiplication are implemented by applying the corresponding operations 480 | directly to the internal representation. 481 | The group order is the same as the order of the edwards448 prime-order subgroup: 482 | 483 | 486 | 487 | Since decaf448 is a prime-order group, every element except the 488 | identity is a generator, but for interoperability a canonical generator 489 | is selected. This generator can be internally represented by 2*B, where B is the edwards448 490 | basepoint, enabling reuse of existing precomputation for scalar 491 | multiplication. This is its encoding as produced by the function 492 | specified in : 493 | 494 | 497 | 498 | This repetitive constant is equal to 1/sqrt(5) in decaf448's field, 499 | corresponding to the curve448 base point with x = 5. 500 | 501 |
Implementation constants 502 | This document references the following constant field element values 503 | that are used for the implementation of group operations. 504 | 505 |
    506 |
  • D = 726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358 507 | 508 |
      509 |
    • This is the Edwards d parameter for edwards448, as specified in 510 | Section 4.2 of , and is equal to -39081 in the field.
    • 511 |
  • 512 |
  • ONE_MINUS_D = 39082
  • 513 |
  • ONE_MINUS_TWO_D = 78163
  • 514 |
  • SQRT_MINUS_D = 98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214
  • 515 |
  • INVSQRT_MINUS_D = 315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716
  • 516 |
517 |
518 | 519 |
5.2. Square root of a ratio of field elements

The following function is defined on field elements, and is used to implement other decaf448 functions. This function is only used internally to implement some of the group operations.

On input field elements u and v, the function SQRT_RATIO_M1(u, v) returns:

   • (TRUE, +sqrt(u/v)) if u and v are non-zero, and u/v is square;
   • (TRUE, zero) if u is zero;
   • (FALSE, zero) if v is zero and u is non-zero;
   • (FALSE, +sqrt(-u/v)) if u and v are non-zero, and u/v is non-square (so -(u/v) is square),

where +sqrt(x) indicates the non-negative square root of x in the field.

The computation is similar to Section 5.2.3 of [RFC8032], with the difference that if the input is non-square, the function returns a result with a defined relationship to the inputs. This result is used for efficient implementation of the derivation function. The function can be refactored from an existing edwards448 implementation.

SQRT_RATIO_M1(u, v) is defined as follows:
5.3. decaf448 group operations

This section describes the implementation of the external functions exposed by the decaf448 prime-order group.

5.3.1. Decode

All elements are encoded as 56-byte strings. Decoding proceeds as follows:

   1. First, interpret the string as an unsigned integer s in little-endian representation. If the length of the string is not 56 bytes, or if the resulting value is >= p, decoding fails.
      • Note: unlike field element decoding, non-canonical values are rejected. The test vectors in Appendix B.2 exercise these edge cases.
   2. If IS_NEGATIVE(s) returns TRUE, decoding fails.
   3. Process s as follows:
   4. If was_square is FALSE then decoding fails. Otherwise, return the group element represented by the internal representation (x, y, 1, t) as the result of decoding.
Encode 594 | A group element with internal representation (x0, y0, z0, t0) is 595 | encoded as follows: 596 | 597 |
    598 |
  1. Process the internal representation into a field element s as follows:
  2. 599 |
600 | 601 | 610 | 611 | 612 |
    613 |
  1. Return the 56-byte little-endian encoding of s. More specifically, 614 | this is the encoding of the canonical representation of s as an integer 615 | between 0 and p-1, inclusive.
  2. 616 |
617 | Note that decoding and then re-encoding a valid group element will 618 | yield an identical byte string. 619 |
620 | 621 |
Equals 622 | The equality function returns TRUE when two internal representations 623 | correspond to the same group element. Note that internal representations 624 | MUST NOT be compared in any other way than specified here. 625 | For two internal representations (x1, y1, z1, t1) and (x2, y2, z2, t2), 626 | if 627 | 628 | 630 | 631 | evaluates to TRUE, then return TRUE. Otherwise, return FALSE. 632 | Note that the equality function always returns TRUE when applied to an 633 | internal representation and to the internal representation obtained by 634 | encoding and then re-decoding it. However, the internal 635 | representations themselves might not be identical. 636 | Implementations MAY also perform byte comparisons on the encodings 637 | of group elements (produced by ) for an equivalent, although 638 | less efficient, result. 639 |

Element derivation

The element derivation function operates on 112-byte strings.
To obtain such an input from an arbitrary-length byte string, applications
should use a domain-separated hash construction, the choice of which
is out-of-scope for this document.

The element derivation function on an input string b proceeds as follows:

  1. Compute P1 as MAP(b[0:56]).

  2. Compute P2 as MAP(b[56:112]).

  3. Return P1 + P2.

The MAP function is defined on 56-byte strings as:

  1. Interpret the string as an unsigned integer r in little-endian representation.
     Reduce r modulo p to obtain a field element t.

     • Note: similarly to field element decoding, and unlike
       field element decoding in , non-canonical values are
       accepted.

  2. Process t as follows:

  3. Return the group element represented by the internal representation
     (w0*w3, w2*w1, w1*w3, w0*w2).

Scalar field

The scalars for the decaf448 group are integers modulo the order l
of the decaf448 group. Note that this is the same scalar field as
edwards448, allowing existing implementations to be reused.

Scalars are encoded as 56-byte strings in little-endian order.
Implementations SHOULD check that any scalar s falls in the range
0 <= s < l when parsing them and reject non-canonical scalar
encodings. Implementations SHOULD reduce scalars modulo l when
encoding them as byte strings. Omitting these strict range checks is
NOT RECOMMENDED but is allowed to enable reuse of scalar
arithmetic implementations in existing edwards448 libraries.

Given a uniformly distributed 64-byte string b, implementations can
obtain a uniformly distributed scalar by interpreting the 64-byte
string as a 512-bit unsigned integer in little-endian order and reducing the
integer modulo l. To obtain such an input from an arbitrary-length
byte string, applications should use a domain-separated hash
construction, the choice of which is out-of-scope for this document.

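The strict range checks of this section, together with steps 1 and 2 of Decode above (a 56-byte little-endian field element that must be below p and not negative), as an added Python example that is not part of the draft. It assumes p = 2^448 - 2^224 - 1 and the edwards448 group order l as given in RFC 8032, and the draft's IS_NEGATIVE definition (low bit of the canonical encoding is 1) from a section outside this excerpt; all sample inputs are constructed.

```python
# Added example (not the draft's code). p: edwards448 field prime; l: group order (RFC 8032).
P = 2**448 - 2**224 - 1
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885

class DecodingError(ValueError):
    """A 56-byte encoding was rejected: wrong length or non-canonical value."""

def _decode_canonical(b: bytes, bound: int, what: str) -> int:
    # Little-endian unsigned integer; reject a wrong length or a value >= bound,
    # so exactly one byte string is accepted per integer in [0, bound).
    if len(b) != 56:
        raise DecodingError(f"{what}: expected 56 bytes, got {len(b)}")
    v = int.from_bytes(b, "little")
    if v >= bound:
        raise DecodingError(f"{what}: non-canonical encoding (value >= bound)")
    return v

def is_negative(e: int) -> bool:
    # Assumption: the draft's IS_NEGATIVE (defined outside this excerpt) marks a
    # field element negative when the low bit of its canonical encoding is 1.
    return (e % P) & 1 == 1

def decode_field_element_for_point(b: bytes) -> int:
    """Decode steps 1-2: s must be canonical (< p) and must not be negative."""
    s = _decode_canonical(b, P, "field element")
    if is_negative(s):
        raise DecodingError("field element: IS_NEGATIVE(s) is TRUE")
    return s

def decode_scalar(b: bytes) -> int:
    """Strict scalar parsing: reject lengths != 56 and values >= l."""
    return _decode_canonical(b, L, "scalar")

def encode_scalar(s: int) -> bytes:
    """Reduce modulo l first, then emit the 56-byte little-endian encoding."""
    return (s % L).to_bytes(56, "little")

def scalar_from_uniform_bytes(b: bytes) -> int:
    """64 uniform bytes -> 512-bit little-endian integer -> reduce modulo l."""
    if len(b) != 64:
        raise DecodingError(f"uniform input: expected 64 bytes, got {len(b)}")
    return int.from_bytes(b, "little") % L

def is_rejected(decoder, b: bytes) -> bool:
    """True when decoder(b) raises DecodingError (for negative test cases)."""
    try:
        decoder(b)
    except DecodingError:
        return True
    return False
```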
API Considerations

ristretto255 and decaf448 are abstractions which implement two prime-order
groups, and their elements are represented by curve points, but they are
not curve points. Implementations SHOULD reflect that: the type
representing an element of the group SHOULD be opaque to the caller,
meaning they do not expose the underlying curve point or field elements.
Moreover, implementations SHOULD NOT expose any internal constants
or functions used in the implementation of the group operations.

The reason for this encapsulation is that ristretto255 and decaf448 implementations
can change their underlying curve without causing any breaking change. The ristretto255
and decaf448 constructions are carefully designed so that this will be the
case, as long as implementations do not expose internal representations or
operate on them except as described in this document. In particular,
implementations SHOULD NOT define any external ristretto255 or decaf448
interface as operating on arbitrary curve points, and they SHOULD NOT
construct group elements except via decoding, the element derivation function,
or group operations on other valid group elements per . They are
however allowed to apply any optimization strategy to the internal
representations as long as it doesn't change the exposed behavior of the
API.

It is RECOMMENDED that implementations do not perform a decoding and
encoding operation for each group operation, as it is inefficient and
unnecessary. Implementations SHOULD instead provide an opaque type
to hold the internal representation through multiple operations.

IANA Considerations

This document has no IANA actions.

Security Considerations

The ristretto255 and decaf448 groups provide higher-level protocols with
the abstraction they expect: a prime-order group. Therefore, it's expected
to be safer for use in any situation where Curve25519 or edwards448 is used
to implement a protocol requiring a prime-order group. Note that the safety
of the abstraction can be defeated by implementations that do not follow
the guidance in .

There is no function to test whether an elliptic curve point is a
valid internal representation of a group element. The decoding
function always returns a valid internal representation, or an error, and
allowed operations on valid internal representations return valid
internal representations. In this way, an implementation can maintain
the invariant that an internal representation is always valid, so that
checking is never necessary, and invalid states are unrepresentable.

Acknowledgements

The authors would like to thank Daira Hopwood, Riad S. Wahby, Christopher Wood,
and Thomas Pornin for their comments on the draft.

Test vectors for ristretto255

This section contains test vectors for ristretto255. The octets are
hex encoded, and whitespace is inserted for readability.

Multiples of the generator

The following are the encodings of the multiples 0 to 15 of the
canonical generator, represented as an array of elements. That is,
the first entry is the encoding of the identity element, and each
successive entry is obtained by adding the generator to the previous entry.

Note that because

these test vectors allow testing the encoding function and
the implementation of addition simultaneously.

Invalid encodings

These are examples of encodings that MUST be rejected according to
.

Group elements from byte strings

The following pairs are inputs to the element derivation function of
, and their encoded outputs.

The following element derivation function inputs all produce the same encoded
output.

Square root of a ratio of field elements

The following are inputs and outputs of SQRT_RATIO_M1(u, v) defined
in . The values are little-endian encodings of field
elements.

Test vectors for decaf448

This section contains test vectors for decaf448. The octets are
hex encoded, and whitespace is inserted for readability.

Multiples of the generator

The following are the encodings of the multiples 0 to 15 of the
canonical generator, represented as an array of elements. That is,
the first entry is the encoding of the identity element, and each
successive entry is obtained by adding the generator to the previous entry.

Invalid encodings

These are examples of encodings that MUST be rejected according to
.

Group elements from uniform byte strings

The following pairs are inputs to the element derivation function of
, and their encoded outputs.