cfrg / draft-irtf-cfrg-frost


FROST(Ed448, SHAKE256) feedback #261

Closed chris-wood closed 2 years ago

chris-wood commented 2 years ago

From @pornin:

FROST(Ed448, SHAKE256)

H2() is defined as: "H2(m): Implemented by computing H(m),
interpreting the lower 57 bytes as a little-endian integer, and
reducing the resulting integer modulo L". However, this is not
compatible with RFC 8032, which, in section 5.2.6 (step 2),
interprets the full 114-byte output as an integer and reduces it
modulo L. Thus, "the lower 57 bytes" should here become "the
114-byte hash output".
(It is somewhat weird to use 114 bytes here, since 1. for the
challenge part in a Schnorr signature, there is no actual need
for complete uniformity; and 2. the subgroup order is very
close to a power of 2, so even using only 56 bytes here would
still yield a selection indistinguishable from uniformity. But
RFC 8032 is defined to use 114 bytes, so interoperability
dictates that FROST should use the same length.)

See Ed25519 and ristretto255 about the identity point (again, it is
allowed by RFC 8032 but explicitly rejected by the FROST draft).
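
The two readings of H2 in the quoted review, side by side, as an added example (not code from the FROST draft or its reference implementation): one truncates the SHAKE256 output to its lower 57 bytes, the other reduces the full 114-byte output as RFC 8032 section 5.2.6 does. The domain-separation string and the message are constructed stand-ins, not the ciphersuite's real contextString; the Ed448 order L is the value from RFC 8032 section 5.2. A small helper also bounds the bias of reducing an n-bit value modulo L, which is what makes the remark about 56 bytes being "indistinguishable from uniformity" concrete.

```python
from fractions import Fraction
import hashlib

# Ed448 subgroup order L, as given in RFC 8032 section 5.2
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885

# Constructed stand-in for the ciphersuite's domain-separated H(); the real
# FROST contextString and DST layout are deliberately not reproduced here.
EXAMPLE_DST = b"example-FROST-ED448-SHAKE256-H2"


def H(m: bytes) -> bytes:
    """SHAKE256 with the 114-byte output length RFC 8032 uses for Ed448."""
    return hashlib.shake_256(EXAMPLE_DST + m).digest(114)


def hash_to_scalar(m: bytes, nbytes: int) -> int:
    """Interpret the lower `nbytes` of H(m) as a little-endian integer, reduce mod L."""
    return int.from_bytes(H(m)[:nbytes], "little") % L


def h2_as_written(m: bytes) -> int:
    """H2 as the draft text quoted above reads: only the lower 57 bytes."""
    return hash_to_scalar(m, 57)


def h2_rfc8032(m: bytes) -> int:
    """H2 as RFC 8032 section 5.2.6 step 2 does: the whole 114-byte output."""
    return hash_to_scalar(m, 114)


def reduction_bias_bound(nbits: int) -> Fraction:
    """Upper bound on the statistical distance from uniform-mod-L when a uniform
    nbits-bit integer is reduced modulo L: (2^nbits mod L) / 2^nbits.
    (Exact distance is r(L-r)/(L*2^nbits) with r = 2^nbits mod L, so this bounds it.)"""
    return Fraction(2**nbits % L, 2**nbits)


if __name__ == "__main__":
    msg = b"constructed challenge input"  # constructed sample message
    print("same scalar from both readings:", h2_as_written(msg) == h2_rfc8032(msg))
    # 56 bytes = 448 bits; L is within ~2^223 of 2^446, so the bias is tiny
    print("bias bound for 448-bit input below 2^-220:",
          reduction_bias_bound(448) * 2**220 < 1)
```

Because the full 114-byte integer equals the lower 57 bytes plus 2^456 times the upper 57 bytes, the two readings disagree on the resulting scalar for essentially every input, so a signer following one reading will not verify under the other; the interoperability point in the review, not the uniformity one, is what forces the 114-byte choice.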

kayabaNerve commented 2 years ago

This is resolved in https://github.com/cfrg/draft-irtf-cfrg-frost/pull/246 which also resolved other differences which I don't believe were mentioned by this review.

chris-wood commented 2 years ago

Agreed. Closed as having been fixed by #246.