Open fscoto opened 3 years ago
The Internet Draft meanwhile got released as RFC 9496, specifying the hash-to-group operation in § 4.3.4. This reminds me that Decaf and Ristretto work on the encoding/decoding level as well as the point comparison level, assigning points representatives while in internal representation and only cleaning up any possible cofactors in the encode operation.
I fear that properly addressing this issue might involve significant amounts of re-structuring of the existing text and/or a large addendum outlining how Decaf (and its extension Ristretto) function. At this point, it may be reasonable to close this issue as wontfix.
At this point, it may be reasonable to close this issue as wontfix.
Probably, I’ll think about it. Especially since Decaf uses a different mapping than Elligator2 proper, though based on the same principles.
Though having seen the source code, the mapping is two-way. It’s just that since they seem to pay more attention to PAKE than steganography, the standard advice is to hash-to-group, and map-to-group is little more than an implementation detail.
We still need to figure out and describe how to use Elligator with Decaf/Ristretto. The Ristretto website and I-D.draft-irtf-cfrg-ristretto255-decaf448-00 specify a “one-way map”, so perhaps this is necessarily unidirectional.