Decaf/Ristretto

[fscoto]

We still need to figure out and describe how to use Elligator with Decaf/Ristretto. The Ristretto website and I-D.draft-irtf-cfrg-ristretto255-decaf448-00 specify a “one-way map”, so perhaps this is necessarily unidirectional.

[fscoto]

The Internet Draft meanwhile got released as RFC 9496, specifying the hash-to-group operation in § 4.3.4. This reminds me that Decaf and Ristretto work on the encoding/decoding level as well as the point comparison level, assigning points representatives while in internal representation and only cleaning up any possible cofactors in the encode operation.

I fear that properly addressing this issue might involve significant amounts of re-structuring of the existing text and/or a large addendum outlining how Decaf (and its extension Ristretto) function. At this point, it may be reasonable to close this issue as wontfix.

[LoupVaillant]

At this point, it may be reasonable to close this issue as wontfix.

Probably, I’ll think about it. Especially since Decaf uses a different mapping than Elligator2 proper, though based on the same principles.

Though having seen the source code, the mapping is two-way. It’s just that since they seem to pay more attention to PAKE than steganography, the standard advice is to hash-to-group, and map-to-group is little more than an implementation detail.