Closed lmctv closed 6 years ago
This is not planned, sorry.
Sorry if this is coming off rude, but not planned as in "never going to support it" or not planned as in "there are more important issues right now"? A full implementation of Elligator2 is the last piece in the puzzle of building censorship-resistant protocols, I would very much expect it in a library that has this mission statement:
Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. [...] Its goal is to provide all of the core operations needed to build higher-level cryptographic tools.
Just to clarify, if supporting censorship resistance itself is not a goal, that's fine. It's just weird.
A full implementation of Elligator2 is the last piece in the puzzle of building censorship-resistant protocols
@b3nsn0w there are likely a lot more things a well-designed censorship-resistant protocol needs, for example, key blinding or zero-knowledge proofs. Anything more than sending compressed edwards25519 points for the purposes of producing unblinded Ed25519 signatures and you probably don't want to be using its Elligator2 map, but rather one which is more amenable to any protocol that can be expressed in terms of a prime order group, like Ristretto.
The Ristretto Elligator map also affords a unique constant time implementation in terms of the Jacobi quartic.
While #628 added the mapping from uniform bytes to a ed25519 point, the inverse mapping from a point to a element of the uniform bytes range is still missing and we cannot transmit a 'elligatorized' public key.