Hey, i was wondering, see subject. i was investigating if and to what extent https://datatracker.ietf.org/doc/rfc9380/ is implemented, according to https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/main/README.md it seems to be in libsodium. and indeed i found https://github.com/jedisct1/libsodium/blob/master/src/libsodium/crypto_core/ed25519/core_h2c.c and - but i am a bit confused, it doesn't quite look like the hash-to-group that is used in the voprf irtf/cfrg draft - which i have implemented here https://github.com/stef/liboprf/blob/master/src/oprf.c#L160 so my questions, does libsodium:
thanks for all!
Replies: 2 comments
It's in the development branch only, and was developed at the same time as the draft. For Ed25519, it should match the test vectors, and the Zig implementation. For Ristretto, maybe. Ristretto was a last-minute addition to the draft and I don't think it even includes test vectors. This is in my list of things to check before a version including this is tagged. For Curve25519, no, and there's no plan for it. Curve25519 is going to stay limited to DH operations. Keep using your implementation for now :)
i dunno about ristretto test vectors either in the h2c draft, i know there are test vectors in the voprf and opaque drafts though, even if indirectly. why no support for curve25519? oprfs would benefit from that, we even had people asking about support for curve25519 so that they can use their hsms which support curve25519 but not ristretto. but i guess it is possible to h2c to ed25519 and then convert that into curve25519. anyway, thanks again for all!