cfrg / draft-irtf-cfrg-opaque

The OPAQUE Asymmetric PAKE Protocol
https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html

Inconsistency between OPRF ciphersuites in draft-irtf-cfrg-voprf and draft-irtf-cfrg-opaque #146

Closed rot256 closed 3 years ago

rot256 commented 3 years ago

draft-irtf-cfrg-voprf lists the following OPRF instantiations:

- OPRF(ristretto255, SHA-256)
- OPRF(decaf448, SHA-512)
- OPRF(P-256, SHA-256)
- OPRF(P-384, SHA-512)
- OPRF(P-521, SHA-512)

However, section 5 of draft-irtf-cfrg-opaque says:

An OPAQUE configuration is a tuple (OPRF, Hash, MHF, EnvelopeMode). The OPAQUE OPRF protocol is drawn from the "base mode" variant of [I-D.irtf-cfrg-voprf]. The following OPRF ciphersuites are supported:

It seems like it should be SHA-256 in both places (targeting 128 bits of security)?

chris-wood commented 3 years ago

The editor's copy of draft-irtf-cfrg-voprf uses OPRF(ristretto255, SHA-512), which is why OPAQUE uses it. We chose SHA-512 because implementations using ristretto255 are more likely to also have a SHA-512 implementation (due to Ed25519 requiring SHA-512). See this PR and related issue(s).