LoupVaillant closed 2 years ago
The draft is pretty mature at this point and probably also the largest point of friction because a bunch of IETF protocols will pull it in (e.g. ECVRF in I-D.draft-irtf-cfrg-vrf). Addressing it seems almost imperative.
Fixed now. We may need to flesh it out in the future (Curve448, Ristretto, full RFC compliance…), but I think explaining the general concepts and giving one concrete example would be best.
Right now I based this entirely on libsodium, for two reasons:
To be checked, but I believe that libsodium does not comply with the hash_to_field() step of the RFC (though it does have an alternative). I think we don't really care here because p is close enough to a power of two that we don't need to take any special precaution.
Why we might want to add that page:
Why we might want to hold our horses: