commit 1f84685cb24e13a28800d4197a4f57739ec9a766
parent 6f10de09ac3e708c66e675ed6ece9938aa5ef9e3
Author: Pedram Fardzadeh <p.fardzadeh@protonmail.com>
Date: Mon, 15 Jul 2024 21:51:38 +0200
Elligator test vectors in Appendix
Diffstat:
1 file changed, 69 insertions(+), 4 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -269,8 +269,11 @@ KeyGenElligator():
In order for the square root operation sqrt within the encoding function to work deterministically, we need to
define the notion of positive and negative numbers within the field. There are multiple valid ways to partition
the field elements, but a common choice is to define the set {0,..., (P-1)/2} as the set of positive numbers,
- and {(P-1)/2 + 1,…,P−1} as the set of the negative numbers. The elligator implementations of both peers <bcp14>MUST</bcp14>
- use the same definition regarding positive and negative numbers to be interoperable.
+ and {(P-1)/2 + 1,…,P−1} as the set of the negative numbers. The encoding function also requires a non-square number
+ U of the finite field. While U could be chosen arbitrarily, small numbers like sqrt(-1) are preferred due to reduce
+ computation.
+ The elligator implementations of both peers <bcp14>MUST</bcp14>
+ use the same definition regarding positive and negative numbers and U to be interoperable.
The encoding function algorithm is:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
@@ -1636,5 +1639,66 @@ SetupCipher(REC_ID, MSK):
</front>
</reference>
</references>
- </back>
- </rfc>
+
+
+ <section>
+ <name>Elligator implementation</name>
+ <t>
+ This section provides test vectors for the different Elligator functions and should aid in verifying implementations.
+ Note that Elligator has two parameters: the set of positive and negative numbers, and a non-square number U
+ within the finite field, as described in <xref target=""/>. The displayed test vectors assume that the set of positive
+ numbers is defined as {0,...,(P-1)/2}, the set of negative numbers as {(P-1)/2 + 1,...,P−1} and U is the non-square number
+ sqrt(-1). Unless indicated otherwise, the test vectors are provided as little-endian hexadecimal byte arrays.
+ </t>
+ <section>
+ <name>ElligatorEnc():</name>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ Ephemeral public key (little-endian):
+ 99 9b 59 1b 66 97 d0 74
+ f2 66 19 22 77 d5 54 de
+ c3 c2 4c 2e f6 10 81 01
+ f6 3d 94 f7 ff f3 a0 13
+
+ Representative (little-endian):
+ 99 9b 59 1b 66 97 d0 74
+ f2 66 19 22 77 d5 54 de
+ c3 c2 4c 2e f6 10 81 01
+ f6 3d 94 f7 ff f3 a0 13
+ ]]></artwork>
+ </section>
+ <section>
+ <name>ElligatorDec():</name>
+ <t>
+ The Most Significant Bit (MSB) and the second MSB of the representative should be randomly flipped (serialized) before
+ transmission. The resulting public key for both the original (unserialized) representative and the serialized representative
+ must be the same.
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ Representative unserialized (little-endian):
+ 95 a1 60 19 04 1d be fe
+ d9 83 20 48 ed e1 19 28
+ d9 03 65 f2 4a 38 aa 7a
+ ef 1b 97 e2 39 54 10 1b
+
+ Representative serialized (little-endian):
+ 95 a1 60 19 04 1d be fe
+ d9 83 20 48 ed e1 19 28
+ d9 03 65 f2 4a 38 aa 7a
+ ef 1b 97 e2 39 54 10 9b
+
+ Ephemeral public key (little-endian):
+ 79 4f 05 ba 3e 3a 72 95
+ 80 22 46 8c 88 98 1e 0b
+ e5 78 2b e1 e1 14 5c e2
+ c3 c6 fd e1 6d ed 53 63
+ ]]></artwork>
+ </section>
+ <section>
+ <name>Encaps():</name>
+ </section>
+ <section>
+ <name>Decaps():</name>
+ </section>
+ </section>
+ </back>
+</rfc>
+\ No newline at end of file
