jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org

RFC9381 ECVRF implementation #1188

Closed iquerejeta closed 1 month ago

iquerejeta commented 2 years ago

Implementation of RFC9381.

Made a change to ed25519_ref10 for performance reasons. Mainly, I have included a variable-base, variable-time scalar multiplication (to compute a * U + b * V for variable U and V).

Implements #1177
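The double-scalar multiplication mentioned above (a * U + b * V with both points variable, as ECVRF verification needs) is usually done with the Straus/Shamir trick: precompute U + V, then walk the bits of a and b together so that each bit position costs one doubling and at most one addition instead of two independent double-and-add chains. The following is an added example, not code from libsodium or from this PR; it uses a constructed toy short Weierstrass curve over F_97 rather than ed25519 so that the group law fits in a few lines, and checks the interleaved result against two separate multiplications. The branch on the bit pair makes it variable-time, which is exactly why such a routine is acceptable only when a and b are public (verification), never for a secret scalar.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy curve y^2 = x^3 + A*x + B over F_P. Not ed25519; chosen
   only so that the arithmetic fits in plain int64_t. */
#define P 97
#define A 2
#define B 3

typedef struct { int64_t x, y; bool inf; } point;

static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }

static int64_t powmod(int64_t base, int64_t e) {
    int64_t r = 1; base = md(base);
    while (e > 0) { if (e & 1) r = md(r * base); base = md(base * base); e >>= 1; }
    return r;
}

static int64_t inv(int64_t v) { return powmod(v, P - 2); } /* Fermat, P prime */

static const point INF = {0, 0, true};

bool on_curve(point p) {
    if (p.inf) return true;
    return md(p.y * p.y) == md(p.x * p.x * p.x + A * p.x + B);
}

/* Affine group law, including the identity and the p == -q case. */
point pt_add(point p, point q) {
    if (p.inf) return q;
    if (q.inf) return p;
    int64_t lambda;
    if (p.x == q.x) {
        if (md(p.y + q.y) == 0) return INF;              /* q == -p (also p == -p when y == 0) */
        lambda = md(md(3 * p.x * p.x + A) * inv(md(2 * p.y)));  /* doubling */
    } else {
        lambda = md(md(q.y - p.y) * inv(md(q.x - p.x)));
    }
    point r;
    r.inf = false;
    r.x = md(lambda * lambda - p.x - q.x);
    r.y = md(lambda * (p.x - r.x) - p.y);
    return r;
}

/* Reference: plain left-to-right double-and-add for a single point. */
point scalar_mul(int64_t k, point p) {
    point r = INF;
    for (int i = 62; i >= 0; i--) {
        r = pt_add(r, r);
        if ((k >> i) & 1) r = pt_add(r, p);
    }
    return r;
}

/* Straus/Shamir: a*U + b*V in one interleaved loop. One doubling per bit
   position; the 2-bit window selects nothing, U, V or U+V from a table.
   Variable-time: the table index depends on the scalar bits. */
point double_scalar_mul(int64_t a, point u, int64_t b, point v) {
    point table[4];
    table[0] = INF; table[1] = u; table[2] = v; table[3] = pt_add(u, v);
    point r = INF;
    for (int i = 62; i >= 0; i--) {
        r = pt_add(r, r);
        int idx = (int)(((a >> i) & 1) | (((b >> i) & 1) << 1));
        if (idx) r = pt_add(r, table[idx]);
    }
    return r;
}

bool points_equal(point p, point q) {
    if (p.inf || q.inf) return p.inf && q.inf;
    return p.x == q.x && p.y == q.y;
}

/* Cross-check: interleaved result must equal a*U + b*V computed separately. */
bool check_double_scalar(int64_t a, int64_t b) {
    point u = {3, 6, false};   /* constructed: 6^2 = 36 = 27 + 6 + 3 (mod 97) */
    point v = {1, 43, false};  /* constructed: 43^2 = 1849 = 6 = 1 + 2 + 3 (mod 97) */
    if (!on_curve(u) || !on_curve(v)) return false;
    point ref = pt_add(scalar_mul(a, u), scalar_mul(b, v));
    point got = double_scalar_mul(a, u, b, v);
    return points_equal(ref, got);
}

int main(void) {
    int ok = 1;
    for (int64_t a = 0; a < 60 && ok; a++)
        for (int64_t b = 0; b < 60 && ok; b++)
            ok = check_double_scalar(a, b);
    printf("double-scalar check %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The exhaustive sweep over small a and b deliberately hits the awkward cases (zero scalars, multiples that land on the identity, U == V-type collisions inside the table addition), which is where a hand-written group law usually goes wrong; the saving in a real implementation comes from the shared doublings and from building the table in extended/projective coordinates once per verification.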

jedisct1 commented 10 months ago

https://www.rfc-editor.org/rfc/rfc9381.pdf

iquerejeta commented 10 months ago

@jedisct1 , does this mean that we are good to push this forward? If yes, I'll make a pass to make sure that the implemented version is what got finalised in the draft, and mark it as ready.

jedisct1 commented 10 months ago

@iquerejeta Yes :)

iquerejeta commented 10 months ago

Got some trouble reproducing the undefined reference to 'crypto_core_ed25519_scalar_negate' and undefined reference to 'crypto_core_ed25519_scalar_negate' errors locally. I made sure I was configuring with the same call as the CI action:

env CPPFLAGS="-DDEV_MODE=1" ./configure --disable-dependency-tracking --enable-minimal

But couldn't reproduce it.

This is the failing action https://github.com/jedisct1/libsodium/actions/runs/6095043654

iquerejeta commented 10 months ago

So, I've managed to reproduce them, but no progress in debugging. I'll try again tomorrow. Any idea why we might have

Undefined symbols for architecture arm64:
...
ld: symbol(s) not found for architecture arm64

type errors for symbols that are exposed in the public API when called within the library?

jedisct1 commented 10 months ago

Errrrr... this is super weird.

How did you manage to reproduce it? Is it non-deterministic?

jedisct1 commented 10 months ago

Actually it's not weird.

The core_ed25519 functions are not available in MINIMAL builds.

iquerejeta commented 9 months ago

Ok, makes sense. What is your preferred way forward? To have core_ed25519 exposed in the MINIMAL build, or instead have from_string and scalar_negate as part of ed25519_ref10.c? Seeing how the library is organised, I presume the second, but just want to check with you before making further changes.

jedisct1 commented 9 months ago

Yeah, I agree that the second option looks better.