CFRG
Internet-Draft
Intended status: Informational
Expires: 29 October 2020

A. Faz-Hernandez (Cloudflare)
S. Scott (Cornell Tech)
N. Sullivan (Cloudflare)
R.S. Wahby (Stanford University)
C.A. Wood (Cloudflare)

27 April 2020

Hashing to Elliptic Curves
draft-irtf-cfrg-hash-to-curve-07

Abstract

This document specifies a number of algorithms that may be used to encode or hash an arbitrary string to a point on an elliptic curve.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 29 October 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Requirements
2. Background
   2.1. Elliptic curves
   2.2. Terminology
      2.2.1. Mappings
      2.2.2. Encodings
      2.2.3. Random oracle encodings
      2.2.4. Serialization
      2.2.5. Domain separation
3. Encoding byte strings to elliptic curves
   3.1. Domain separation requirements
4. Utility Functions
   4.1. The sgn0 function
5. Hashing to a Finite Field
   5.1. Security considerations
   5.2. hash_to_field implementation
   5.3. expand_message
      5.3.1. expand_message_xmd
      5.3.2. expand_message_xof
      5.3.3. Using DSTs longer than 255 bytes
      5.3.4. Defining other expand_message variants
6. Deterministic Mappings
   6.1. Choosing a mapping function
   6.2. Interface
   6.3. Notation
   6.4. Sign of the resulting point
   6.5. Exceptional cases
   6.6. Mappings for Weierstrass curves
      6.6.1. Shallue-van de Woestijne Method
      6.6.2. Simplified Shallue-van de Woestijne-Ulas Method
      6.6.3. Simplified SWU for AB == 0
   6.7. Mappings for Montgomery curves
      6.7.1. Elligator 2 Method
   6.8. Mappings for Twisted Edwards curves
      6.8.1. Rational maps from Montgomery to twisted Edwards curves
      6.8.2. Elligator 2 Method
7. Clearing the cofactor
8. Suites for Hashing
   8.1. Implementing a hash-to-curve suite
   8.2. Suites for NIST P-256
   8.3. Suites for NIST P-384
   8.4. Suites for NIST P-521
   8.5. Suites for curve25519 and edwards25519
   8.6. Suites for curve448 and edwards448
   8.7. Suites for secp256k1
   8.8. Suites for BLS12-381
      8.8.1. BLS12-381 G1
      8.8.2. BLS12-381 G2
   8.9. Defining a new hash-to-curve suite
   8.10. Suite ID naming conventions
9. IANA Considerations
10. Security Considerations
   10.1. hash_to_field security
   10.2. expand_message_xmd security
   10.3. Target Security Levels
11. Acknowledgements
12. Contributors
13. References
   13.1. Normative References
   13.2. Informative References
Appendix A. Related Work
Appendix B. Rational maps
   B.1. Twisted Edwards to Montgomery curves
   B.2. Montgomery to Weierstrass curves
Appendix C. Isogeny maps for Suites
   C.1. 3-isogeny map for secp256k1
   C.2. 11-isogeny map for BLS12-381 G1
   C.3. 3-isogeny map for BLS12-381 G2
Appendix D. Sample Code
   D.1. Interface and projective coordinate systems
   D.2. Simplified SWU
      D.2.1. q = 3 (mod 4)
      D.2.2. q = 5 (mod 8)
      D.2.3. q = 9 (mod 16)
   D.3. Elligator 2
      D.3.1. curve25519 (q = 5 (mod 8), K = 1)
      D.3.2. edwards25519
      D.3.3. curve448 (q = 3 (mod 4), K = 1)
      D.3.4. edwards448
      D.3.5. q = 3 (mod 4)
      D.3.6. q = 5 (mod 8)
   D.4. Cofactor Clearing for BLS12-381 G2
Appendix E. Scripts for parameter generation
   E.1. Finding Z for the Shallue and van de Woestijne map
   E.2. Finding Z for Simplified SWU
   E.3. Finding Z for Elligator 2
Appendix F. sqrt and is_square functions
   F.1. q = 3 (mod 4)
   F.2. q = 5 (mod 8)
   F.3. q = 9 (mod 16)
   F.4. Constant-time Tonelli-Shanks algorithm
   F.5. is_square for F = GF(p^2)
Appendix G. Test vectors
   G.1. NIST P-256
      G.1.1. P256_XMD:SHA-256_SSWU_RO_
      G.1.2. P256_XMD:SHA-256_SSWU_NU_
      G.1.3. P256_XMD:SHA-256_SVDW_RO_
      G.1.4. P256_XMD:SHA-256_SVDW_NU_
   G.2. NIST P-384
      G.2.1. P384_XMD:SHA-512_SSWU_RO_
      G.2.2. P384_XMD:SHA-512_SSWU_NU_
      G.2.3. P384_XMD:SHA-512_SVDW_RO_
      G.2.4. P384_XMD:SHA-512_SVDW_NU_
   G.3. NIST P-521
      G.3.1. P521_XMD:SHA-512_SSWU_RO_
      G.3.2. P521_XMD:SHA-512_SSWU_NU_
      G.3.3. P521_XMD:SHA-512_SVDW_RO_
      G.3.4. P521_XMD:SHA-512_SVDW_NU_
   G.4. curve25519
      G.4.1. curve25519_XMD:SHA-256_ELL2_RO_
      G.4.2. curve25519_XMD:SHA-256_ELL2_NU_
      G.4.3. curve25519_XMD:SHA-512_ELL2_RO_
      G.4.4. curve25519_XMD:SHA-512_ELL2_NU_
   G.5. edwards25519
      G.5.1. edwards25519_XMD:SHA-256_ELL2_RO_
      G.5.2. edwards25519_XMD:SHA-256_ELL2_NU_
      G.5.3. edwards25519_XMD:SHA-512_ELL2_RO_
      G.5.4. edwards25519_XMD:SHA-512_ELL2_NU_
   G.6. curve448
      G.6.1. curve448_XMD:SHA-512_ELL2_RO_
      G.6.2. curve448_XMD:SHA-512_ELL2_NU_
   G.7. edwards448
      G.7.1. edwards448_XMD:SHA-512_ELL2_RO_
      G.7.2. edwards448_XMD:SHA-512_ELL2_NU_
   G.8. secp256k1
      G.8.1. secp256k1_XMD:SHA-256_SSWU_RO_
      G.8.2. secp256k1_XMD:SHA-256_SSWU_NU_
      G.8.3. secp256k1_XMD:SHA-256_SVDW_RO_
      G.8.4. secp256k1_XMD:SHA-256_SVDW_NU_
   G.9. BLS12-381 G1
      G.9.1. BLS12381G1_XMD:SHA-256_SSWU_RO_
      G.9.2. BLS12381G1_XMD:SHA-256_SSWU_NU_
      G.9.3. BLS12381G1_XMD:SHA-256_SVDW_RO_
      G.9.4. BLS12381G1_XMD:SHA-256_SVDW_NU_
   G.10. BLS12-381 G2
      G.10.1. BLS12381G2_XMD:SHA-256_SSWU_RO_
      G.10.2. BLS12381G2_XMD:SHA-256_SSWU_NU_
      G.10.3. BLS12381G2_XMD:SHA-256_SVDW_RO_
      G.10.4. BLS12381G2_XMD:SHA-256_SVDW_NU_
Authors' Addresses

1. Introduction

Many cryptographic protocols require a procedure that encodes an arbitrary input, e.g., a password, to a point on an elliptic curve. This procedure is known as hashing to an elliptic curve. Prominent examples of cryptosystems that hash to elliptic curves include Simple Password Exponential Key Exchange [J96], Password Authenticated Key Exchange [BMP00], Identity-Based Encryption [BF01] and Boneh-Lynn-Shacham signatures [BLS01].

Unfortunately for implementors, the precise hash function that is suitable for a given scheme is not necessarily included in the description of the protocol. Compounding this problem is the need to pick a suitable curve for the specific protocol.

This document aims to bridge this gap by providing a comprehensive set of recommended algorithms for a range of curve types. Each algorithm conforms to a common interface: it takes as input an arbitrary-length byte string and produces as output a point on an elliptic curve. We provide implementation details for each algorithm, describe the security rationale behind each recommendation, and give guidance for elliptic curves that are not explicitly covered.

Readers wishing to quickly specify or implement a conforming hash function should consult Section 8, which lists recommended hash-to-curve suites and describes both how to implement an existing suite and how to specify a new one.

This document does not cover rejection sampling methods, sometimes known as "try-and-increment" or "hunt-and-peck," because the goal is to describe algorithms that can plausibly be made constant time. Use of these rejection methods is NOT RECOMMENDED, because they have been a perennial cause of side-channel vulnerabilities.

1.1. Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Background

2.1. Elliptic curves

The following is a brief definition of elliptic curves, with an emphasis on important parameters and their relation to hashing to curves. For further reference on elliptic curves, consult [CFADLNV05] or [W08].

Let F be the finite field GF(q) of prime characteristic p > 3. (This document does not consider elliptic curves over fields of characteristic 2 or 3.)
In most cases F is a prime field, so q = p. Otherwise, F is an extension field, so q = p^m for an integer m > 1. This document writes elements of extension fields in a primitive element or polynomial basis, i.e., as a vector of m elements of GF(p) written in ascending order by degree. The entries of this vector are indexed in ascending order starting from 1, i.e., x = (x_1, x_2, ..., x_m). For example, if q = p^2 and the primitive element basis is (1, I), then x = (a, b) corresponds to the element a + b * I, where x_1 = a and x_2 = b.

An elliptic curve E is specified by an equation in two variables and a finite field F. An elliptic curve equation takes one of several standard forms, including (but not limited to) Weierstrass, Montgomery, and Edwards.

The curve E induces an algebraic group whose elements are those points with coordinates (x, y) satisfying the curve equation, and where x and y are elements of F. This group has order n, meaning that there are n distinct points. This document uses additive notation for the elliptic curve group operation.

For security reasons, groups of prime order MUST be used. Elliptic curves induce subgroups of prime order. Let G be a subgroup of the curve of prime order r, where n = h * r. In this equation, h is an integer called the cofactor. An algorithm that takes as input an arbitrary point on the curve E and produces as output a point in the subgroup G of E is said to "clear the cofactor." Such algorithms are discussed in Section 7.

Certain hash-to-curve algorithms restrict the form of the curve equation, the characteristic of the field, and/or the parameters of the curve. For each algorithm presented, this document lists the relevant restrictions.

Summary of quantities:

+--------+----------------------------------+----------------------+
| Symbol | Meaning                          | Relevance            |
+========+==================================+======================+
| F,q,p  | Finite field F of characteristic | For prime fields, q  |
|        | p and #F = q = p^m.              | = p; otherwise, q =  |
|        |                                  | p^m and m>1.         |
+--------+----------------------------------+----------------------+
| E      | Elliptic curve.                  | E is specified by an |
|        |                                  | equation and a field |
|        |                                  | F.                   |
+--------+----------------------------------+----------------------+
| n      | Number of points on the elliptic | n = h * r, for h and |
|        | curve E.                         | r defined below.     |
+--------+----------------------------------+----------------------+
| G      | A subgroup of the elliptic       | Destination group to |
|        | curve.                           | which byte strings   |
|        |                                  | are encoded.         |
+--------+----------------------------------+----------------------+
| r      | Order of G.                      | This number MUST be  |
|        |                                  | prime.               |
+--------+----------------------------------+----------------------+
| h      | Cofactor, h >= 1.                | An integer           |
|        |                                  | satisfying n = h *   |
|        |                                  | r.                   |
+--------+----------------------------------+----------------------+

Table 1

2.2. Terminology

In this section, we define important terms used in the rest of this document.

2.2.1. Mappings

A mapping is a deterministic function from an element of the field F to a point on an elliptic curve E defined over F.

In general, the set of all points that a mapping can produce over all possible inputs may be only a subset of the points on an elliptic curve (i.e., the mapping may not be surjective). In addition, a mapping may output the same point for two or more distinct inputs (i.e., the mapping may not be injective).
For example, consider a mapping from F to an elliptic curve having n points: if the number of elements of F is not equal to n, then this mapping cannot be bijective (i.e., both injective and surjective) since it is defined to be deterministic.

Mappings may also be invertible, meaning that there is an efficient algorithm that, for any point P output by the mapping, outputs an x in F such that applying the mapping to x outputs P. Some of the mappings given in Section 6 are invertible, but this document does not discuss inversion algorithms.

2.2.2. Encodings

Encodings are closely related to mappings. Like a mapping, an encoding is a function that outputs a point on an elliptic curve. In contrast to a mapping, however, the input to an encoding is an arbitrary string. Encodings can be deterministic or probabilistic. Deterministic encodings are preferred for security, because probabilistic ones are more likely to leak information through side channels.

This document constructs deterministic encodings by composing a hash function H with a deterministic mapping. In particular, H takes as input an arbitrary string and outputs an element of F. The deterministic mapping takes that element as input and outputs a point on an elliptic curve E defined over F. Since the hash function H takes arbitrary strings as inputs, it cannot be injective: the set of inputs is larger than the set of outputs, so there must be distinct inputs that give the same output (i.e., there must be collisions). Thus, any encoding built from H is also not injective.

Like mappings, encodings may be invertible, meaning that there is an efficient algorithm that, for any point P output by the encoding, outputs a string s such that applying the encoding to s outputs P. The hash function used by all encodings specified in this document (Section 5) is not invertible; thus, the encodings are also not invertible.

2.2.3. Random oracle encodings

Two different types of encodings are possible: nonuniform encodings, whose output distribution is not uniformly random, and random oracle encodings, whose output distribution is indistinguishable from uniformly random. Some protocols require a random oracle for security, while others can be securely instantiated with a nonuniform encoding. When the required encoding is not clear, applications SHOULD use a random oracle.

Care is required when constructing a random oracle from a mapping function. A simple but insecure approach is to use the output of a cryptographically secure hash function H as the input to the mapping. Because in general the mapping is not surjective, the output of this construction is distinguishable from uniformly random, i.e., it does not behave like a random oracle.

Brier et al. [BCIMRT10] describe two generic methods for constructing random oracle encodings. Farashahi et al. [FFSTV13] and Tibouchi and Kim [TK17] refine the analysis of one of these constructions. That construction is described in Section 3.

(In more detail: both constructions are indifferentiable from a random oracle [MRH04] when instantiated with appropriate hash functions modeled as random oracles. See Section 10 for further discussion.)

2.2.4. Serialization

A procedure related to encoding is the conversion of an elliptic curve point to a bit string. This is called serialization, and is typically used for compactly storing or transmitting points. The reverse operation, deserialization, converts a bit string to an elliptic curve point. For example, [SEC1] and [p1363a] give standard methods for serialization and deserialization.

Deserialization is different from encoding in that only certain strings (namely, those output by the serialization procedure) can be deserialized.
In contrast, this document is concerned with encodings from arbitrary strings to elliptic curve points. This document does not cover serialization or deserialization.

2.2.5. Domain separation

Cryptographic protocols that use random oracles are often analyzed under the assumption that random oracles answer only queries generated by that protocol. In practice, this assumption does not hold if two protocols query the same random oracle. Concretely, consider protocols P1 and P2 that query random oracle RO: if P1 and P2 both query RO on the same value x, the security analysis of one or both protocols may be invalidated.

A common approach to addressing this issue is called domain separation, which allows a single random oracle to simulate multiple, independent oracles. This is effected by ensuring that each simulated oracle sees queries that are distinct from those seen by all other simulated oracles. For example, to simulate two oracles RO1 and RO2 given a single oracle RO, one might define

    RO1(x) := RO("RO1" || x)
    RO2(x) := RO("RO2" || x)

In this example, "RO1" and "RO2" are called domain separation tags; they ensure that queries to RO1 and RO2 cannot result in identical queries to RO. Thus, it is safe to treat RO1 and RO2 as independent oracles.

3. Encoding byte strings to elliptic curves

This section presents a general framework for encoding byte strings to points on an elliptic curve. To construct these encodings, we rely on three basic functions:

* The function hash_to_field, {0, 1}^* x {1, 2, ...} -> (F, F, ...), hashes arbitrary-length byte strings to a list of one or more elements of a finite field; its implementation is defined in Section 5.

* The function map_to_curve, F -> E, calculates a point on the elliptic curve E from an element of the finite field F over which E is defined. Section 6 describes mappings for a range of curve families.

* The function clear_cofactor, E -> G, sends any point on the curve E to the subgroup G of E. Section 7 describes methods to perform this operation.

We describe two high-level encoding functions (Section 2.2.2). Although these functions have the same interface, the distributions of their outputs are different.

* Nonuniform encoding (encode_to_curve). This function encodes byte strings to points in G. The distribution of the output is not uniformly random in G.

    encode_to_curve(msg)

    Input: msg, an arbitrary-length byte string.
    Output: P, a point in G.

    Steps:
    1. u = hash_to_field(msg, 1)
    2. Q = map_to_curve(u[0])
    3. P = clear_cofactor(Q)
    4. return P

* Random oracle encoding (hash_to_curve). This function encodes byte strings to points in G. This function is suitable for applications requiring a random oracle returning points in G, provided that map_to_curve is "well distributed" ([FFSTV13], Def. 1). All of the map_to_curve functions defined in Section 6 meet this requirement.

    hash_to_curve(msg)

    Input: msg, an arbitrary-length byte string.
    Output: P, a point in G.

    Steps:
    1. u = hash_to_field(msg, 2)
    2. Q0 = map_to_curve(u[0])
    3. Q1 = map_to_curve(u[1])
    4. R = Q0 + Q1              # Point addition
    5. P = clear_cofactor(R)
    6. return P

Instances of these functions are given in Section 8, which defines a list of suites that specify a full set of parameters matching elliptic curves and algorithms.

3.1. Domain separation requirements

All uses of the encoding functions defined in this document MUST include domain separation (Section 2.2.5) to avoid interfering with other uses of similar functionality.

Protocols that instantiate multiple, independent hash functions based on either hash_to_curve or encode_to_curve MUST enforce domain separation between those hash functions.
This requirement applies both in the case of multiple hashes to the same curve and in the case of multiple hashes to different curves. (This is because the hash_to_field primitive (Section 5) requires domain separation to guarantee independent outputs.)

Domain separation is enforced with a domain separation tag (DST), which is a byte string. Care is required when selecting and using a domain separation tag. The following requirements apply:

1. Tags MUST be supplied as the DST parameter to hash_to_field, as described in Section 5.

2. Tags MUST begin with a fixed protocol identification string. This identification string should be unique to the protocol.

3. Tags SHOULD include a protocol version number.

4. For protocols that define multiple ciphersuites, each ciphersuite's tag MUST be different. For this purpose, it is RECOMMENDED to include a ciphersuite identifier in each tag.

5. For protocols that use multiple encodings, either to the same curve or to different curves, each encoding MUST use a different tag. For this purpose, it is RECOMMENDED to include the encoding's Suite ID (Section 8) in the domain separation tag. For independent encodings based on the same suite, each tag should also include a distinct identifier, e.g., "ENC1" and "ENC2".

As an example, consider a fictional protocol named Quux that defines several different ciphersuites. A reasonable choice of tag is "QUUX-V<xx>-CS<yy>", where <xx> and <yy> are two-digit numbers indicating the version and ciphersuite, respectively.

As another example, consider a fictional protocol named Baz that requires two independent random oracles, where one oracle outputs points on the curve E1 and the other outputs points on the curve E2. Reasonable choices of tags for the E1 and E2 oracles are "BAZ-V<xx>-CS<yy>-E1" and "BAZ-V<xx>-CS<yy>-E2", respectively, where <xx> and <yy> are as described above.

4. Utility Functions

Algorithms in this document make use of utility functions described below.

For security reasons, all field operations, comparisons, and assignments MUST be implemented in constant time (i.e., execution time MUST NOT depend on the values of the inputs), and without branching. Guidance on implementing these low-level operations in constant time is beyond the scope of this document.

* CMOV(a, b, c): If c is False, CMOV returns a, otherwise it returns b. To protect against timing attacks, this operation must run in constant time, without revealing the value of c.

  Commonly, implementations assume that the selector c is 1 for True or 0 for False. In this case, given a bit string C, the desired selector c can be computed by OR-ing all bits of C together. The resulting selector will be either 0 if all bits of C are zero, or 1 if at least one bit of C is 1.

* is_square(x): This function returns True whenever the value x is a square in the field F. By Euler's criterion, this function can be calculated in constant time as

    is_square(x) := { True,  if x^((q - 1) / 2) is 0 or 1 in F;
                    { False, otherwise.

  In certain extension fields, is_square can be computed in constant time more quickly than by the above exponentiation. [AR13] and [S85] describe optimized methods for extension fields. Appendix F.5 gives an optimized straight-line method for GF(p^2).

* sqrt(x): The sqrt operation is a multi-valued function, i.e. there exist two roots of x in the field F whenever x is square. To maintain compatibility across implementations while allowing implementors leeway for optimizations, this document does not require sqrt() to return a particular value. Instead, as explained in Section 6.4, any higher-level function that computes square roots also specifies how to determine the sign of the result.

  The preferred way of computing square roots is to fix a deterministic algorithm particular to F. We give several algorithms in Appendix F. Regardless of the method chosen, the sqrt function should be implemented in a way that resists timing side channels, i.e., in constant time.

* sgn0(x): This function returns either 0 or 1 indicating the "sign" of x, where sgn0(x) == 1 just when x is "negative". (In other words, this function always considers 0 to be positive.) Section 4.1 defines this function and discusses its implementation.

* inv0(x): This function returns the multiplicative inverse of x in F, extended to all of F by fixing inv0(0) == 0. To implement inv0 in constant time, compute inv0(x) := x^(q - 2). Notice that on input 0, the output is 0 as required.

* I2OSP and OS2IP: These functions are used to convert a byte string to and from a non-negative integer as described in [RFC8017].

* a || b: denotes the concatenation of strings a and b.

* substr(str, sstart, slen): for a byte string str, this function returns the slen-byte substring starting at position sstart; positions are zero indexed. For example, substr("ABCDEFG", 2, 3) == "CDE".

* len(str): for a byte string str, this function returns the length of str in bytes. For example, len("ABC") == 3.

* strxor(str1, str2): for byte strings str1 and str2, strxor(str1, str2) returns the bitwise XOR of the two strings. For example, strxor("abc", "XYZ") == "9;9" (the strings in this example are ASCII literals, but strxor is defined for arbitrary byte strings). In this document, strxor is only applied to inputs of equal length.

4.1. The sgn0 function

This section defines a generic sgn0 implementation that applies to any field F = GF(p^m). It also gives simplified implementations for the cases F = GF(p) and F = GF(p^2).

See Section 2.1 for a discussion of representing elements of extension fields as vectors.

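The generic sgn0 procedure of this section (its steps are listed just below), as an added Python example that is not part of the draft. It enumerates a toy extension field to check that sgn0(x) and sgn0(-x) differ for every nonzero x, and that a variant ignoring the last vector entry (the sgn0* discussed below) does not. The prime P = 103 and the helper names neg, sgn0_star and sign_collisions are assumptions made for the example; Python integers give no constant-time guarantee, so only the branch-free structure carries over to a real implementation.

```python
from itertools import product

P = 103  # constructed toy odd prime, not a parameter from the draft


def sgn0(x):
    """Generic sgn0 for x = (x_1, ..., x_m) in GF(p^m), entries in [0, p-1]."""
    sign = 0
    zero = 1
    for x_i in x:
        sign_i = x_i & 1          # x_i mod 2
        zero_i = int(x_i == 0)
        sign |= zero & sign_i     # bitwise OR/AND: both operands always evaluated
        zero &= zero_i
    return sign


def sgn0_m_eq_2(x):
    """Simplified form for GF(p^2), written as in the draft (x_0, x_1)."""
    sign_0 = x[0] & 1
    zero_0 = int(x[0] == 0)
    sign_1 = x[1] & 1
    return sign_0 | (zero_0 & sign_1)


def sgn0_star(x):
    """Flawed variant from the text: ignores the final vector entry."""
    return sgn0(x[:-1])


def neg(x, p=P):
    """Additive inverse in GF(p^m), taken entry by entry."""
    return tuple(-x_i % p for x_i in x)


def sign_collisions(sgn, m, p=P):
    """Nonzero x in GF(p^m) with sgn(x) == sgn(-x); a valid sgn0 has none."""
    return [x for x in product(range(p), repeat=m)
            if any(x) and sgn(x) == sgn(neg(x, p))]


if __name__ == "__main__":
    print("sgn0 collisions in GF(p^2):  ", len(sign_collisions(sgn0, 2)))
    bad = sign_collisions(sgn0_star, 2)
    print("sgn0* collisions in GF(p^2): ", len(bad), "e.g.", bad[:3])
```

Every collision of sgn0* has the form (0, x_2) with x_2 != 0, which is the case the text singles out.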
    sgn0(x)

    Parameters:
    - F, a finite field of characteristic p and order q = p^m.
    - p, the characteristic of F (see immediately above).
    - m, the extension degree of F, m >= 1 (see immediately above).

    Input: x, an element of F.
    Output: 0 or 1.

    Notation:
    - x_i is the i'th element of the vector representation of x.
    - OR and AND are logical operators. Short-circuit operators
      MUST be avoided in constant-time implementations.

    Steps:
    1. sign = 0
    2. zero = 1
    3. for i in (1, 2, ..., m):
    4.   sign_i = x_i mod 2
    5.   zero_i = x_i == 0
    6.   sign = sign OR (zero AND sign_i)
    7.   zero = zero AND zero_i
    8. return sign

Note that any valid sgn0 function for extension fields must iterate over the entire vector representation of the input element. To see why, imagine a function sgn0* that ignores the final entry in its input vector, and consider a field element x = (0, x_2). Since sgn0* ignores x_2, sgn0*(x) == sgn0*(-x), which is incorrect when x_2 != 0. A similar argument applies to any entry of the vector representation of x.

When m == 1, sgn0 can be significantly simplified:

    sgn0_m_eq_1(x)

    Input: x, an element of GF(p).
    Output: 0 or 1.

    Steps:
    1. return x mod 2

The case m == 2 is only slightly more complicated:

    sgn0_m_eq_2(x)

    Input: x, an element of GF(p^2).
    Output: 0 or 1.

    Notation:
    - OR and AND are logical operators. Short-circuit operators
      MUST be avoided in constant-time implementations.

    Steps:
    1. sign_0 = x_0 mod 2
    2. zero_0 = x_0 == 0
    3. sign_1 = x_1 mod 2
    4. return sign_0 OR (zero_0 AND sign_1)

5. Hashing to a Finite Field

The hash_to_field function hashes a byte string msg of any length into one or more elements of a field F. This function works in two steps: it first hashes the input byte string to produce a pseudorandom byte string, and then interprets this pseudorandom byte string as one or more elements of F.

For the first step, hash_to_field calls an auxiliary function expand_message.
This document defines two variants of expand_message, one appropriate for hash functions like SHA-2 [FIPS180-4] or SHA-3 [FIPS202], and one appropriate for extensible-output functions like SHAKE-128 [FIPS202]. Security considerations for each expand_message variant are discussed below (Section 5.3.1, Section 5.3.2).

Implementors MUST NOT use rejection sampling to generate a uniformly random element of F. The reason is that rejection sampling procedures are difficult to implement in constant time, and later well-meaning "optimizations" may silently render an implementation non-constant-time.

5.1. Security considerations

The hash_to_field function is designed to be indifferentiable from a random oracle [MRH04] when expand_message (Section 5.3) is modeled as a random oracle (see Section 10.1). Ensuring indifferentiability requires care; to see why, consider a prime p that is close to 3/4 * 2^256. Reducing a random 256-bit integer modulo this p yields a value that is in the range [0, p / 3] with probability roughly 1/2, meaning that this value is statistically far from uniform in [0, p - 1].

To control bias, hash_to_field instead uses pseudorandom integers whose length is at least ceil(log2(p)) + k bits, where k is the target security level for the suite in bits. (Note that k is an upper bound on the security level for the corresponding curve. See Section 10.3 for more details.) Reducing such integers mod p gives bias at most 2^-k for any p; this bias is appropriate when targeting k-bit security. To obtain such integers, hash_to_field uses expand_message to obtain L pseudorandom bytes, where

L = ceil((ceil(log2(p)) + k) / 8);

this byte string is then interpreted as an integer via OS2IP [RFC8017]. For example, for a 255-bit prime p, and k = 128-bit security, L = ceil((255 + 128) / 8) = 48 bytes.

5.2. hash_to_field implementation

The following procedure implements hash_to_field.

The expand_message parameter to this function MUST conform to the requirements given below (Section 5.3).

Section 3.1 discusses requirements for domain separation and recommendations for choosing DST, the domain separation tag. This is the REQUIRED method for applying domain separation.

hash_to_field(msg, count)

Parameters:
- DST, a domain separation tag (see discussion above).
- F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above).
- m, the extension degree of F, m >= 1 (see immediately above).
- L = ceil((ceil(log2(p)) + k) / 8), where k is the security parameter of the suite (e.g., k = 128).
- expand_message, a function that expands a byte string and domain separation tag into a pseudorandom byte string (see discussion above).

Inputs:
- msg is a byte string containing the message to hash.
- count is the number of elements of F to output.

Outputs:
- (u_0, ..., u_(count - 1)), a list of field elements.

Steps:
1. len_in_bytes = count * m * L
2. pseudo_random_bytes = expand_message(msg, DST, len_in_bytes)
3. for i in (0, ..., count - 1):
4.   for j in (0, ..., m - 1):
5.     elm_offset = L * (j + i * m)
6.     tv = substr(pseudo_random_bytes, elm_offset, L)
7.     e_j = OS2IP(tv) mod p
8.   u_i = (e_0, ..., e_(m - 1))
9. return (u_0, ..., u_(count - 1))

5.3. expand_message

expand_message is a function that generates a pseudorandom byte string. It takes three arguments:

* msg, a byte string containing the message to hash,
* DST, a byte string that acts as a domain separation tag, and
* len_in_bytes, the number of bytes to be generated.
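The following Python sketch is an added example, not code from the draft: it instantiates hash_to_field with the expand_message_xmd variant specified in Section 5.3.1 and contrasts the length-suffixed DST encoding with a bare H(msg || DST). SHA-256, p = 2^255 - 19, k = 128, m = 1 and the DST string are assumptions chosen for the demonstration; naive_expand is a hypothetical counter-example.

```python
import hashlib

# Assumed instantiation for this example: H = SHA-256, p = 2^255 - 19,
# m = 1, k = 128. DST is a constructed tag, not one taken from a suite.
H = hashlib.sha256
B_IN_BYTES = H().digest_size           # 32 for SHA-256
R_IN_BYTES = H().block_size            # 64 for SHA-256
P = 2**255 - 19
M = 1
K_SEC = 128
# bit_length() equals ceil(log2(p)) for any p that is not a power of two.
L = -(-(P.bit_length() + K_SEC) // 8)  # ceil((ceil(log2(p)) + k) / 8)
DST = b"EXAMPLE-V01-CS01-with-expander"


def i2osp(value, length):
    """I2OSP: big-endian encoding in exactly `length` bytes."""
    return value.to_bytes(length, "big")


def strxor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def shorten_dst(dst):
    """Section 5.3.3: a DST longer than 255 bytes is replaced by its hash."""
    if len(dst) <= 255:
        return dst
    return H(b"H2C-OVERSIZE-DST-" + dst).digest()


def expand_message_xmd(msg, dst, len_in_bytes):
    ell = -(-len_in_bytes // B_IN_BYTES)
    if ell > 255:
        raise ValueError("ell > 255: requested output is too long")
    dst = shorten_dst(dst)
    dst_prime = dst + i2osp(len(dst), 1)      # length suffix makes DST unambiguous
    z_pad = i2osp(0, R_IN_BYTES)              # one full input block of zeros
    l_i_b_str = i2osp(len_in_bytes, 2)
    b_0 = H(z_pad + msg + l_i_b_str + i2osp(0, 1) + dst_prime).digest()
    b_i = H(b_0 + i2osp(1, 1) + dst_prime).digest()
    out = [b_i]
    for i in range(2, ell + 1):
        b_i = H(strxor(b_0, b_i) + i2osp(i, 1) + dst_prime).digest()
        out.append(b_i)
    return b"".join(out)[:len_in_bytes]


def hash_to_field(msg, count, dst=DST):
    len_in_bytes = count * M * L
    pseudo_random_bytes = expand_message_xmd(msg, dst, len_in_bytes)
    u = []
    for i in range(count):
        e = []
        for j in range(M):
            elm_offset = L * (j + i * M)
            tv = pseudo_random_bytes[elm_offset:elm_offset + L]
            e.append(int.from_bytes(tv, "big") % P)   # OS2IP(tv) mod p
        u.append(tuple(e))
    return u


def naive_expand(msg, dst, len_in_bytes):
    """Hypothetical counter-example: H(msg || DST) with no DST length encoding."""
    return H(msg + dst).digest()[:len_in_bytes]


if __name__ == "__main__":
    print("L =", L)
    for elem in hash_to_field(b"abc", 2):
        print(hex(elem[0]))
    # Distinct (msg, DST) pairs with equal concatenations collide in the naive form.
    print(naive_expand(b"AB", b"CDEF", 32) == naive_expand(b"ABC", b"DEF", 32))
    print(expand_message_xmd(b"AB", b"CDEF", 32) == expand_message_xmd(b"ABC", b"DEF", 32))
```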
This document defines two variants of expand_message:

* expand_message_xmd (Section 5.3.1) is appropriate for use with a wide range of hash functions, including SHA-2 [FIPS180-4], SHA-3 [FIPS202], BLAKE2 [RFC7693], and others.
* expand_message_xof (Section 5.3.2) is appropriate for use with extensible-output functions (XOFs) including functions in the SHAKE [FIPS202] or BLAKE2X [BLAKE2X] families.

These variants should suffice for the vast majority of use cases, but other variants are possible; Section 5.3.4 discusses requirements.

5.3.1. expand_message_xmd

The expand_message_xmd function produces a pseudorandom byte string using a cryptographic hash function H that outputs b bits. For security, H must meet the following requirements:

* The number of bits output by H MUST be b >= 2 * k, for k the target security level in bits. This ensures k-bit collision resistance.
* H MAY be a Merkle-Damgaard hash function like SHA-2. In this case, security holds when the underlying compression function is modeled as a random oracle [CDMP05]. (See Section 10.2 for discussion.)
* H MAY be a sponge-based hash function like SHA-3 or BLAKE2. In this case, security holds when the inner function is modeled as a random transformation or as a random permutation [BDPV08].
* Otherwise, H MUST be a hash function that has been proved indifferentiable from a random oracle [MRH04] under a widely accepted cryptographic assumption.

SHA-2 [FIPS180-4] and SHA-3 [FIPS202] are typical and RECOMMENDED choices. As an example, for the 128-bit security level, b >= 256 bits and either SHA-256 or SHA3-256 would be an appropriate choice.

The following procedure implements expand_message_xmd.

expand_message_xmd(msg, DST, len_in_bytes)

Parameters:
- H, a hash function (see requirements above).
- b_in_bytes, ceil(b / 8) for b the output size of H in bits. For example, for b = 256, b_in_bytes = 32.
- r_in_bytes, the input block size of H, measured in bytes. For example, for SHA-256, r_in_bytes = 64.

Input:
- msg, a byte string.
- DST, a byte string of at most 255 bytes. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes.

Output:
- pseudo_random_bytes, a byte string

Steps:
1.  ell = ceil(len_in_bytes / b_in_bytes)
2.  ABORT if ell > 255
3.  DST_prime = DST || I2OSP(len(DST), 1)
4.  Z_pad = I2OSP(0, r_in_bytes)
5.  l_i_b_str = I2OSP(len_in_bytes, 2)
6.  b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime)
7.  b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
8.  for i in (2, ..., ell):
9.    b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime)
10. pseudo_random_bytes = b_1 || ... || b_ell
11. return substr(pseudo_random_bytes, 0, len_in_bytes)

Note that the string Z_pad is prepended to msg when computing b_0 (step 6). This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2 (see Section 10.2). Hashing this additional data means that the cost of computing b_0 is higher than the cost of simply computing H(msg). In most settings this overhead is negligible, because the cost of evaluating H is much less than the other costs involved in hashing to a curve.

It is possible, however, to entirely avoid this overhead by taking advantage of the fact that Z_pad depends only on H, and not on the arguments to expand_message_xmd. To do so, first precompute and save the internal state of H after ingesting Z_pad; and then, when computing b_0, initialize H using the saved state. Further details are beyond the scope of this document.

5.3.2. expand_message_xof

The expand_message_xof function produces a pseudorandom byte string using an extensible-output function (XOF) H.
For security, H must meet the following criteria:

* The collision resistance of H MUST be at least k bits.
* H MUST be an XOF that has been proved indifferentiable from a random oracle under a reasonable cryptographic assumption.

The SHAKE [FIPS202] XOF family is a typical and RECOMMENDED choice. As an example, for 128-bit security, SHAKE-128 would be an appropriate choice.

The following procedure implements expand_message_xof.

expand_message_xof(msg, DST, len_in_bytes)

Parameters:
- H, an extensible-output function. H(m, d) hashes message m and returns d bytes.

Input:
- msg, a byte string.
- DST, a byte string of at most 255 bytes. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes.

Output:
- pseudo_random_bytes, a byte string

Steps:
1. DST_prime = DST || I2OSP(len(DST), 1)
2. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime
3. pseudo_random_bytes = H(msg_prime, len_in_bytes)
4. return pseudo_random_bytes

5.3.3. Using DSTs longer than 255 bytes

The expand_message variants defined in this section accept domain separation tags of at most 255 bytes. If a domain separation tag longer than 255 bytes must be used (e.g., because of requirements imposed by an invoking protocol), implementors MUST compute a short domain separation tag by hashing, as follows:

* For expand_message_xmd using hash function H, DST is computed as

  DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST)

* For expand_message_xof using extensible-output function H, DST is computed as

  DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8))

Here, a_very_long_DST is the DST whose length is greater than 255 bytes, "H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and k is the target security level in bits.

5.3.4. Defining other expand_message variants

When defining a new expand_message variant, the most important consideration is that hash_to_field models expand_message as a random oracle. Thus, implementors SHOULD prove indifferentiability from a random oracle under an appropriate assumption about the underlying cryptographic primitives.

In addition, expand_message variants:

* MUST give collision resistance commensurate with the security level of the target elliptic curve.
* MUST be built on primitives designed for use in applications requiring cryptographic randomness. As examples, a secure stream cipher is an appropriate primitive, whereas a Mersenne twister pseudorandom number generator is not.
* MUST NOT use any form of rejection sampling.
* MUST give independent values for distinct (msg, DST, length) inputs. Meeting this requirement is slightly subtle. As a simplified example, hashing the concatenation msg || DST does not work, because in this case distinct (msg, DST) pairs whose concatenations are equal will return the same output (e.g., ("AB", "CDEF") and ("ABC", "DEF")). The variants defined in this document use a suffix-free encoding of DST to avoid this issue.
* MUST use the domain separation tag DST to ensure that invocations of cryptographic primitives inside of expand_message are domain separated from invocations outside of expand_message. For example, if the expand_message variant uses a hash function H, an encoding of DST MUST be either prepended or appended to the input to each invocation of H (appending is the RECOMMENDED approach).
* SHOULD read msg exactly once, for efficiency when msg is long.

In addition, an expand_message variant MUST specify a unique EXP_TAG that identifies that variant in a Suite ID. See Section 8.10 for more information.

6. Deterministic Mappings

The mappings in this section are suitable for constructing either nonuniform or random oracle encodings using the constructions of Section 3. Certain mappings restrict the form of the curve or its parameters. For each mapping presented, this document lists the relevant restrictions.

Note that mappings in this section are not interchangeable: different mappings will almost certainly output different points when evaluated on the same input.

6.1. Choosing a mapping function

This section gives brief guidelines on choosing a mapping function for a given elliptic curve. Note that the suites given in Section 8 are recommended mappings for the respective curves.

If the target elliptic curve is a Montgomery curve (Section 6.7), the Elligator 2 method (Section 6.7.1) is recommended. Similarly, if the target elliptic curve is a twisted Edwards curve (Section 6.8), the twisted Edwards Elligator 2 method (Section 6.8.2) is recommended.

The remaining cases are Weierstrass curves. For curves supported by the Simplified SWU method (Section 6.6.2), that mapping is the recommended one. Otherwise, the Simplified SWU method for AB == 0 (Section 6.6.3) is recommended if the goal is best performance, while the Shallue-van de Woestijne method (Section 6.6.1) is recommended if the goal is simplicity of implementation. (The reason for this distinction is that the Simplified SWU method for AB == 0 requires implementing an isogeny map in addition to the mapping function, while the Shallue-van de Woestijne method does not.)

The Shallue-van de Woestijne method (Section 6.6.1) works with any curve, and may be used in cases where a generic mapping is required. Note, however, that this mapping is almost always more computationally expensive than the curve-specific recommendations above.

6.2. Interface

The generic interface shared by all mappings in this section is as follows:
(x, y) = map_to_curve(u)

The input u and outputs x and y are elements of the field F. The coordinates (x, y) specify a point on an elliptic curve defined over F. Note that the point (x, y) is not a uniformly random point. If uniformity is required for security, the random oracle construction of Section 3 MUST be used instead.

6.3. Notation

As a rough guide, the following conventions are used in pseudocode:

* All arithmetic operations are performed over a field F, unless explicitly stated otherwise.
* u: the input to the mapping function. This is an element of F produced by the hash_to_field function.
* (x, y), (s, t), (v, w): the affine coordinates of the point output by the mapping. Indexed variables (e.g., x1, y2, ...) are used for candidate values.
* tv1, tv2, ...: reusable temporary variables.
* c1, c2, ...: constant values, which can be computed in advance.

6.4. Sign of the resulting point

In general, elliptic curves have equations of the form y^2 = g(x). Most of the mappings in this section first identify an x such that g(x) is square, then take a square root to find y. Since there are two square roots when g(x) != 0, this results in an ambiguity regarding the sign of y.

To resolve this ambiguity, the mappings in this section specify the sign of the y-coordinate in terms of the input to the mapping function. Two main reasons support this approach. First, this covers elliptic curves over any field in a uniform way, and second, it gives implementors leeway to optimize their square-root implementations.

6.5. Exceptional cases

Mappings may have exceptional cases, i.e., inputs u on which the mapping is undefined. These cases must be handled carefully, especially for constant-time implementations.
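To make the sign and exceptional-case rules above concrete, the following added example (not part of the draft) runs the simplified SWU mapping of Section 6.6.2 over the P-256 field, once in the branching form of its Operations list and once in the straight-line CMOV form. The P-256 constants and Z = -10 (the value the draft's P-256 suites use) are assumptions brought in from outside this section, and Python integer arithmetic is not constant time, so cmov only mirrors the data flow.

```python
# Assumed parameters: the NIST P-256 curve y^2 = x^3 + A*x + B over GF(P),
# with Z = -10 as in the draft's P-256 suites.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Z = P - 10


def inv0(x):
    """Multiplicative inverse that maps 0 to 0 (x^(p-2) mod p)."""
    return pow(x, P - 2, P)


def is_square(x):
    return pow(x, (P - 1) // 2, P) in (0, 1)


def sqrt(x):
    """Square root for P = 3 (mod 4); only meaningful when x is square."""
    return pow(x, (P + 1) // 4, P)


def sgn0(x):
    return x % 2          # the m == 1 case of sgn0


def cmov(a, b, c):
    """CMOV(a, b, c): a if c is False, otherwise b. Not constant time here."""
    return b if c else a


def g(x):
    return (pow(x, 3, P) + A * x + B) % P


def on_curve(x, y):
    return (y * y - g(x)) % P == 0


def map_reference(u):
    """Branching form, following the Operations list of Section 6.6.2."""
    tv1 = inv0((Z * Z * pow(u, 4, P) + Z * u * u) % P)
    x1 = (-B * inv0(A)) * (1 + tv1) % P
    if tv1 == 0:                      # exceptional case: Z^2*u^4 + Z*u^2 == 0
        x1 = B * inv0(Z * A % P) % P
    gx1 = g(x1)
    x2 = Z * u * u * x1 % P
    gx2 = g(x2)
    if is_square(gx1):
        x, y = x1, sqrt(gx1)
    else:
        x, y = x2, sqrt(gx2)
    if sgn0(u) != sgn0(y):
        y = -y % P
    return x, y


def map_to_curve_simple_swu(u):
    """Straight-line form, following Section 6.6.2.1 step by step."""
    c1 = -B * inv0(A) % P
    c2 = -inv0(Z) % P
    tv1 = Z * u * u % P
    tv2 = tv1 * tv1 % P
    x1 = inv0((tv1 + tv2) % P)
    e1 = x1 == 0
    x1 = (x1 + 1) % P
    x1 = cmov(x1, c2, e1)             # exceptional case: x1 = -1 / Z
    x1 = x1 * c1 % P
    gx1 = (x1 * x1 + A) % P
    gx1 = (gx1 * x1 + B) % P          # gx1 = g(x1)
    x2 = tv1 * x1 % P
    tv2 = tv1 * tv2 % P
    gx2 = gx1 * tv2 % P               # gx2 = (Z * u^2)^3 * gx1
    e2 = is_square(gx1)
    x = cmov(x2, x1, e2)
    y2 = cmov(gx2, gx1, e2)
    y = sqrt(y2)
    e3 = sgn0(u) == sgn0(y)
    y = cmov(-y % P, y, e3)           # fix sign of y
    return x, y


if __name__ == "__main__":
    for u in (0, 1, 2, P - 1):
        x, y = map_to_curve_simple_swu(u)
        print(u % 1000, on_curve(x, y), sgn0(y) == sgn0(u), (x, y) == map_reference(u))
```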
For each mapping in this section, we discuss the exceptional cases and show how to handle them in constant time. Note that all implementations SHOULD use inv0 (Section 4) to compute multiplicative inverses, to avoid exceptional cases that result from attempting to compute the inverse of 0.

6.6. Mappings for Weierstrass curves

The mappings in this section apply to a target curve E defined by the equation

y^2 = g(x) = x^3 + A * x + B

where 4 * A^3 + 27 * B^2 != 0.

6.6.1. Shallue-van de Woestijne Method

Shallue and van de Woestijne [SW06] describe a mapping that applies to essentially any elliptic curve. (Note, however, that this mapping is more expensive to evaluate than the other mappings in this document.)

The parameterization given below is for Weierstrass curves; its derivation is detailed in [W19]. This parameterization also works for Montgomery (Section 6.7) and twisted Edwards (Section 6.8) curves via the rational maps given in Appendix B: first evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstrass curve, then map that point to the target Montgomery or twisted Edwards curve using the corresponding rational map.

Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.

Constants:

* A and B, the parameters of the Weierstrass curve.
* Z, a non-zero element of F meeting the below criteria. Appendix E.1 gives a Sage [SAGE] script that outputs the RECOMMENDED Z.

  1. g(Z) != 0 in F.
  2. -(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.
  3. -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
  4. At least one of g(Z) and g(-Z / 2) is square in F.

Sign of y: Inputs u and -u give the same x-coordinate for many values of u. Thus, we set sgn0(y) == sgn0(u).

Exceptions: The exceptional cases for u occur when (1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0.
The restrictions on Z given above ensure that implementations that use inv0 to invert this product are exception free.

Operations:

1.  tv1 = u^2 * g(Z)
2.  tv2 = 1 + tv1
3.  tv1 = 1 - tv1
4.  tv3 = inv0(tv1 * tv2)
5.  tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A))
6.  If sgn0(tv4) == 1, set tv4 = -tv4    # sgn0(tv4) MUST equal 0
7.  tv5 = u * tv1 * tv3 * tv4
8.  x1 = -Z / 2 - tv5
9.  x2 = -Z / 2 + tv5
10. x3 = Z - 4 * g(Z) * (tv2^2 * tv3)^2 / (3 * Z^2 + 4 * A)
11. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1))
12. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2))
13. Else set x = x3 and y = sqrt(g(x3))
14. If sgn0(u) != sgn0(y), set y = -y
15. return (x, y)

6.6.1.1. Implementation

The following procedure implements the Shallue and van de Woestijne method in a straight-line fashion.

map_to_curve_svdw(u)

Input: u, an element of F.
Output: (x, y), a point on E.

Constants:
1. c1 = g(Z)
2. c2 = -Z / 2
3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A))    # sgn0(c3) MUST equal 0
4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A)

Steps:
1.  tv1 = u^2
2.  tv1 = tv1 * c1
3.  tv2 = 1 + tv1
4.  tv1 = 1 - tv1
5.  tv3 = tv1 * tv2
6.  tv3 = inv0(tv3)
7.  tv4 = u * tv1
8.  tv4 = tv4 * tv3
9.  tv4 = tv4 * c3
10. x1 = c2 - tv4
11. gx1 = x1^2
12. gx1 = gx1 + A
13. gx1 = gx1 * x1
14. gx1 = gx1 + B
15. e1 = is_square(gx1)
16. x2 = c2 + tv4
17. gx2 = x2^2
18. gx2 = gx2 + A
19. gx2 = gx2 * x2
20. gx2 = gx2 + B
21. e2 = is_square(gx2) AND NOT e1    # Avoid short-circuit logic ops
22. x3 = tv2^2
23. x3 = x3 * tv3
24. x3 = x3^2
25. x3 = x3 * c4
26. x3 = x3 + Z
27. x = CMOV(x3, x1, e1)    # x = x1 if gx1 is square, else x = x3
28. x = CMOV(x, x2, e2)     # x = x2 if gx2 is square and gx1 is not
29. gx = x^2
30. gx = gx + A
31. gx = gx * x
32. gx = gx + B
33. y = sqrt(gx)
34. e3 = sgn0(u) == sgn0(y)
35. y = CMOV(-y, y, e3)     # Select correct sign of y
36. return (x, y)

6.6.2. Simplified Shallue-van de Woestijne-Ulas Method

The function map_to_curve_simple_swu(u) implements a simplification of the Shallue-van de Woestijne-Ulas mapping [U07] described by Brier et al. [BCIMRT10], which they call the "simplified SWU" map. Wahby and Boneh [WB19] generalize and optimize this mapping.

Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.

Constants:

* A and B, the parameters of the Weierstrass curve.
* Z, an element of F meeting the below criteria. Appendix E.2 gives a Sage [SAGE] script that outputs the RECOMMENDED Z. The criteria are:

  1. Z is non-square in F,
  2. Z != -1 in F,
  3. the polynomial g(x) - Z is irreducible over F, and
  4. g(B / (Z * A)) is square in F.

Sign of y: Inputs u and -u give the same x-coordinate. Thus, we set sgn0(y) == sgn0(u).

Exceptions: The exceptional cases are values of u such that Z^2 * u^4 + Z * u^2 == 0. This includes u == 0, and may include other values depending on Z. Implementations must detect this case and set x1 = B / (Z * A), which guarantees that g(x1) is square by the condition on Z given above.

Operations:

1.  tv1 = inv0(Z^2 * u^4 + Z * u^2)
2.  x1 = (-B / A) * (1 + tv1)
3.  If tv1 == 0, set x1 = B / (Z * A)
4.  gx1 = x1^3 + A * x1 + B
5.  x2 = Z * u^2 * x1
6.  gx2 = x2^3 + A * x2 + B
7.  If is_square(gx1), set x = x1 and y = sqrt(gx1)
8.  Else set x = x2 and y = sqrt(gx2)
9.  If sgn0(u) != sgn0(y), set y = -y
10. return (x, y)

6.6.2.1. Implementation

The following procedure implements the simplified SWU mapping in a straight-line fashion. Appendix D.2 gives optimized straight-line procedures that apply to many curves. For more information on optimizing this mapping, see [WB19] Section 4 or the example code found at [hash2curve-repo].

map_to_curve_simple_swu(u)

Input: u, an element of F.
Output: (x, y), a point on E.

Constants:
1. c1 = -B / A
2. c2 = -1 / Z

Steps:
1.  tv1 = Z * u^2
2.  tv2 = tv1^2
3.  x1 = tv1 + tv2
4.  x1 = inv0(x1)
5.  e1 = x1 == 0
6.  x1 = x1 + 1
7.  x1 = CMOV(x1, c2, e1)    # If (tv1 + tv2) == 0, set x1 = -1 / Z
8.  x1 = x1 * c1             # x1 = (-B / A) * (1 + (1 / (Z^2 * u^4 + Z * u^2)))
9.  gx1 = x1^2
10. gx1 = gx1 + A
11. gx1 = gx1 * x1
12. gx1 = gx1 + B            # gx1 = g(x1) = x1^3 + A * x1 + B
13. x2 = tv1 * x1            # x2 = Z * u^2 * x1
14. tv2 = tv1 * tv2
15. gx2 = gx1 * tv2          # gx2 = (Z * u^2)^3 * gx1
16. e2 = is_square(gx1)
17. x = CMOV(x2, x1, e2)     # If is_square(gx1), x = x1, else x = x2
18. y2 = CMOV(gx2, gx1, e2)  # If is_square(gx1), y2 = gx1, else y2 = gx2
19. y = sqrt(y2)
20. e3 = sgn0(u) == sgn0(y)  # Fix sign of y
21. y = CMOV(-y, y, e3)
22. return (x, y)

6.6.3. Simplified SWU for AB == 0

Wahby and Boneh [WB19] show how to adapt the simplified SWU mapping to Weierstrass curves having A == 0 or B == 0, which the mapping of Section 6.6.2 does not support. (The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)

This method applies to curves like secp256k1 [SEC2] and to pairing-friendly curves in the Barreto-Lynn-Scott [BLS03], Barreto-Naehrig [BN05], and other families.

This method requires finding another elliptic curve E' given by the equation

y'^2 = g'(x') = x'^3 + A' * x' + B'

that is isogenous to E and has A' != 0 and B' != 0. (One might do this, for example, using [SAGE]; for details, see [WB19], Appendix A.) This isogeny defines a map iso_map(x', y') that takes as input a point on E' and produces as output a point on E.

Once E' and iso_map are identified, this mapping works as follows: on input u, first apply the simplified SWU mapping to get a point on E', then apply the isogeny map to that point to get a point on E.

Note that iso_map is a group homomorphism, meaning that point addition commutes with iso_map.
Thus, when using this mapping in the hash_to_curve construction of Section 3, one can effect a small optimization by first mapping u0 and u1 to E', adding the resulting points on E', and then applying iso_map to the sum. This gives the same result while requiring only one evaluation of iso_map.

Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that is isogenous to the target curve E with isogeny map iso_map from E' to E.

Helper functions:

* map_to_curve_simple_swu is the mapping of Section 6.6.2 to E'
* iso_map is the isogeny map from E' to E

Sign of y: for this map, the sign is determined by map_to_curve_simple_swu. No further sign adjustments are necessary.

Exceptions: map_to_curve_simple_swu handles its exceptional cases. Exceptional cases of iso_map MUST return the identity point on E.

Operations:

1. (x', y') = map_to_curve_simple_swu(u)    # (x', y') is on E'
2. (x, y) = iso_map(x', y')                 # (x, y) is on E
3. return (x, y)

See [hash2curve-repo] or [WB19], Section 4.3 for details on implementing the isogeny map.

6.7. Mappings for Montgomery curves

The mapping defined in this section applies to a target curve M defined by the equation

K * t^2 = s^3 + J * s^2 + s

6.7.1. Elligator 2 Method

Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where J != 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.

Constants:

* J and K, the parameters of the elliptic curve.
* Z, a non-square element of F. Appendix E.3 gives a Sage [SAGE] script that outputs the RECOMMENDED Z.

Sign of t: Inputs u and -u give the same s-coordinate. Thus, we set sgn0(t) == sgn0(u).

Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^2 == 0. Implementations must detect this case and set x1 = -(J / K). Note that this can only happen when q = 3 (mod 4).

Operations:

1.  x1 = -(J / K) * inv0(1 + Z * u^2)
2.  If x1 == 0, set x1 = -(J / K)
3.  gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
4.  x2 = -x1 - (J / K)
5.  gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2
6.  If is_square(gx1), set x = x1 and y = sqrt(gx1)
7.  Else set x = x2 and y = sqrt(gx2)
8.  s = x * K
9.  t = y * K
10. If sgn0(u) != sgn0(t), set t = -t
11. return (s, t)

6.7.1.1. Implementation

The following procedure implements Elligator 2 in a straight-line fashion. Appendix D.3 gives optimized straight-line procedures that apply to many curves, including curve25519 and curve448 [RFC7748].

map_to_curve_elligator2(u)

Input: u, an element of F.
Output: (s, t), a point on M.

Constants:
1. c1 = J / K
2. c2 = 1 / K^2

Steps:
1.  tv1 = u^2
2.  tv1 = Z * tv1             # Z * u^2
3.  e1 = tv1 == -1            # exceptional case: Z * u^2 == -1
4.  tv1 = CMOV(tv1, 0, e1)    # if tv1 == -1, set tv1 = 0
5.  x1 = tv1 + 1
6.  x1 = inv0(x1)
7.  x1 = -c1 * x1             # x1 = -(J / K) / (1 + Z * u^2)
8.  gx1 = x1 + c1
9.  gx1 = gx1 * x1
10. gx1 = gx1 + c2
11. gx1 = gx1 * x1            # gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
12. x2 = -x1 - c1
13. gx2 = tv1 * gx1
14. e2 = is_square(gx1)
15. x = CMOV(x2, x1, e2)      # If is_square(gx1), x = x1, else x = x2
16. y2 = CMOV(gx2, gx1, e2)   # If is_square(gx1), y2 = gx1, else y2 = gx2
17. y = sqrt(y2)
18. s = x * K
19. t = y * K
20. e3 = sgn0(u) == sgn0(t)   # Fix sign of t
21. t = CMOV(-t, t, e3)
22. return (s, t)

6.8. Mappings for Twisted Edwards curves

Twisted Edwards curves (a class of curves that includes Edwards curves) are given by the equation

a * v^2 + w^2 = 1 + d * v^2 * w^2

with a != 0, d != 0, and a != d [BBJLP08].

These curves are closely related to Montgomery curves (Section 6.7): every twisted Edwards curve is birationally equivalent to a Montgomery curve ([BBJLP08], Theorem 3.2).
This equivalence yields an efficient way of hashing to a twisted Edwards curve: first, hash to an equivalent Montgomery curve, then transform the result into a point on the twisted Edwards curve via a rational map. This method of hashing to a twisted Edwards curve thus requires identifying a corresponding Montgomery curve and rational map. We describe how to identify such a curve and map immediately below.

6.8.1. Rational maps from Montgomery to twisted Edwards curves

There are two ways to identify the correct Montgomery curve and rational map for use when hashing to a given twisted Edwards curve.

When hashing to a standardized twisted Edwards curve for which a corresponding Montgomery form and rational map are also standardized, the standard Montgomery form and rational map MUST be used to ensure compatibility with existing software. Two such standardized curves are the edwards25519 and edwards448 curves, which correspond to the Montgomery curves curve25519 and curve448, respectively. For both of these curves, [RFC7748] lists both the Montgomery and twisted Edwards forms and gives the corresponding rational maps.

The rational map for edwards25519 ([RFC7748], Section 4.1) uses the constant sqrt_neg_486664 = sqrt(-486664) (mod 2^255 - 19). To ensure compatibility, this constant MUST be chosen such that sgn0(sqrt_neg_486664) == 0. Analogous ambiguities in other standardized rational maps MUST be resolved in the same way: for any constant c whose sign is ambiguous, c MUST be chosen such that sgn0(c) == 0.

The 4-isogeny map from curve448 to edwards448 ([RFC7748], Section 4.2) is unambiguous with respect to sign.

When defining new twisted Edwards curves, a Montgomery equivalent and rational map SHOULD be specified, and the sign of the rational map SHOULD be stated unambiguously.
When hashing to a twisted Edwards curve that does not have a standardized Montgomery form or rational map, the following procedure MUST be used to derive them. For a twisted Edwards curve given by

a * v^2 + w^2 = 1 + d * v^2 * w^2

first compute J and K, the parameters of the equivalent Montgomery curve given by

K * t^2 = s^3 + J * s^2 + s

as follows:

* J = 2 * (a + d) / (a - d)
* K = 4 / (a - d)

Note that this curve has the form required by the Elligator 2 mapping of Section 6.7.1. The rational map from the point (s, t) on this Montgomery curve to the point (v, w) on the twisted Edwards curve is given by

* v = s / t
* w = (s - 1) / (s + 1)

(For completeness, we give the inverse map in Appendix B.1. Note that the inverse map is not used when hashing to a twisted Edwards curve.)

Rational maps may be undefined on certain inputs, e.g., when the denominator of one of the rational functions is zero. In the map described above, the exceptional cases are t == 0 or s == -1. Implementations MUST detect exceptional cases and return the value (v, w) = (0, 1), which is the identity point on all twisted Edwards curves.

The following straight-line implementation of the above rational map handles the exceptional cases. Implementations of other rational maps (e.g., the ones given in [RFC7748]) are analogous.

rational_map(s, t)

Input: (s, t), a point on the curve K * t^2 = s^3 + J * s^2 + s.
Output: (v, w), a point on an equivalent twisted Edwards curve.

1.  tv1 = s + 1
2.  tv2 = tv1 * t        # (s + 1) * t
3.  tv2 = inv0(tv2)      # 1 / ((s + 1) * t)
4.  v = tv2 * tv1        # 1 / t
5.  v = v * s            # s / t
6.  w = tv2 * t          # 1 / (s + 1)
7.  tv1 = s - 1
8.  w = w * tv1          # (s - 1) / (s + 1)
9.  e = tv2 == 0
10. w = CMOV(w, 1, e)    # handle exceptional case
11. return (v, w)

6.8.2. Elligator 2 Method

Preconditions: A twisted Edwards curve E and an equivalent Montgomery curve M meeting the requirements in Section 6.8.1.
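One way to check these preconditions for a curve without a standardized Montgomery form, as an added example that is not part of the draft: derive J and K from a and d as in Section 6.8.1, then run every u in a toy field through Elligator 2 (Section 6.7.1) and rational_map. The field GF(103), the curve a = 1, d = 3 and Z = -1 are constructed for the demonstration; Python arithmetic is not constant time.

```python
# Constructed toy parameters: F = GF(103), and 103 = 3 (mod 4).
P = 103
A_ED, D_ED = 1, 3      # twisted Edwards a, d; 3 is a non-square mod 103
Z = P - 1              # -1 is a non-square because P = 3 (mod 4)


def inv0(x):
    return pow(x % P, P - 2, P)        # inverse, with inv0(0) == 0


def is_square(x):
    return pow(x % P, (P - 1) // 2, P) in (0, 1)


def sqrt(x):
    return pow(x, (P + 1) // 4, P)     # valid for squares when P = 3 (mod 4)


def sgn0(x):
    return x % 2


def cmov(a, b, c):
    return b if c else a               # CMOV(a, b, c)


# Section 6.8.1: parameters of the equivalent Montgomery curve.
J = 2 * (A_ED + D_ED) * inv0(A_ED - D_ED) % P
K = 4 * inv0(A_ED - D_ED) % P


def preconditions_hold():
    """Elligator 2 needs J, K != 0 and Z, (J^2 - 4) / K^2 non-zero non-squares."""
    ratio = (J * J - 4) * inv0(K * K) % P
    return J != 0 and K != 0 and not is_square(Z) and not is_square(ratio)


def map_to_curve_elligator2(u):
    c1 = J * inv0(K) % P
    c2 = inv0(K * K)
    tv1 = Z * u * u % P
    e1 = tv1 == P - 1                  # exceptional case: Z * u^2 == -1
    tv1 = cmov(tv1, 0, e1)
    x1 = inv0(tv1 + 1)
    x1 = -c1 * x1 % P
    gx1 = (x1 + c1) % P
    gx1 = gx1 * x1 % P
    gx1 = (gx1 + c2) % P
    gx1 = gx1 * x1 % P
    x2 = (-x1 - c1) % P
    gx2 = tv1 * gx1 % P
    e2 = is_square(gx1)
    x = cmov(x2, x1, e2)
    y2 = cmov(gx2, gx1, e2)
    y = sqrt(y2)
    s = x * K % P
    t = y * K % P
    e3 = sgn0(u) == sgn0(t)
    t = cmov(-t % P, t, e3)
    return s, t


def rational_map(s, t):
    tv1 = (s + 1) % P
    tv2 = inv0(tv1 * t)
    v = tv2 * tv1 % P
    v = v * s % P
    w = tv2 * t % P
    w = w * (s - 1) % P
    e = tv2 == 0                       # t == 0 or s == -1
    w = cmov(w, 1, e)
    return v, w


def map_to_curve_elligator2_edwards(u):
    return rational_map(*map_to_curve_elligator2(u))


def verify_all():
    """Run every u in GF(103) through both maps and tally the checks."""
    ok_m = ok_e = ok_sign = True
    exceptional = 0
    for u in range(P):
        s, t = map_to_curve_elligator2(u)
        v, w = rational_map(s, t)
        ok_m &= (K * t * t - (s**3 + J * s * s + s)) % P == 0
        ok_e &= (A_ED * v * v + w * w - 1 - D_ED * v * v * w * w) % P == 0
        if t != 0:                     # t == 0 has no sign to fix
            ok_sign &= sgn0(t) == sgn0(u)
        if t == 0 or (s + 1) % P == 0:
            exceptional += 1
            ok_e &= (v, w) == (0, 1)   # must be the identity point
    return ok_m, ok_e, ok_sign, exceptional


if __name__ == "__main__":
    print("J, K =", J, K, "preconditions:", preconditions_hold())
    print(verify_all())
```

On this toy curve the inputs u = 0 and u = 1 (where Z * u^2 == -1) both land on the Montgomery point (0, 0), so they exercise the Elligator 2 exception and the rational-map exception together.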
Helper functions:

* map_to_curve_elligator2 is the mapping of Section 6.7.1 to the curve M.
* rational_map is a function that takes a point (s, t) on M and returns a point (v, w) on E, as defined in Section 6.8.1.

Sign of t (and v): for this map, the sign is determined by map_to_curve_elligator2. No further sign adjustments are required.

Exceptions: The exceptions for the Elligator 2 mapping are as given in Section 6.7.1. The exceptions for the rational map are as given in Section 6.8.1. No other exceptions are possible.

The following procedure implements the Elligator 2 mapping for a twisted Edwards curve. (Note that the output point is denoted (v, w) because it is a point on the target twisted Edwards curve.)

map_to_curve_elligator2_edwards(u)

Input: u, an element of F.
Output: (v, w), a point on E.

1. (s, t) = map_to_curve_elligator2(u)    # (s, t) is on M
2. (v, w) = rational_map(s, t)            # (v, w) is on E
3. return (v, w)

7. Clearing the cofactor

The mappings of Section 6 always output a point on the elliptic curve, i.e., a point in a group of order h * r (Section 2.1). Obtaining a point in G may require a final operation commonly called "clearing the cofactor," which takes as input any point on the curve.

The cofactor can always be cleared via scalar multiplication by h. For elliptic curves where h = 1, i.e., the curves with a prime number of points, no operation is required. This applies, for example, to the NIST curves P-256, P-384, and P-521 [FIPS186-4].

In some cases, it is possible to clear the cofactor via a faster method than scalar multiplication by h. These methods are equivalent to (but usually faster than) multiplication by some scalar h_eff whose value is determined by the method and the curve. Examples of fast cofactor clearing methods include the following:
Expires 29 October 2020 [Page 34] Internet-Draft hash-to-curve April 2020 * For certain pairing-friendly curves having subgroup G2 over an extension field, Scott et al. [SBCDK09] describe a method for fast cofactor clearing that exploits an efficiently-computable endomorphism. Fuentes-Castaneda et al. [FKR11] propose an alternative method that is sometimes more efficient. Budroni and Pintore [BP17] give concrete instantiations of these methods for Barreto-Lynn-Scott pairing-friendly curves [BLS03]. This method is described for the specific case of BLS12-381 in Appendix D.4. * Wahby and Boneh ([WB19], Section 5) describe a trick due to Scott for fast cofactor clearing on any elliptic curve for which the prime factorization of h and the structure of the elliptic curve group meet certain conditions. The clear_cofactor function is parameterized by a scalar h_eff. Specifically, clear_cofactor(P) := h_eff * P where * represents scalar multiplication. When a curve does not support a fast cofactor clearing method, h_eff = h and the cofactor MUST be cleared via scalar multiplication. When a curve admits a fast cofactor clearing method, clear_cofactor MAY be evaluated either via that method or via scalar multiplication by the equivalent h_eff; these two methods give the same result. Note that in this case scalar multiplication by the cofactor h does not generally give the same result as the fast method, and SHOULD NOT be used. 8. Suites for Hashing This section lists recommended suites for hashing to standard elliptic curves. A hash-to-curve suite fully specifies the procedure for hashing byte strings to points on a specific elliptic curve group. Section 8.1 describes how to implement a suite. Designers specifying a protocol that requires hashing to an elliptic curve should either choose an existing suite or specify a new one as described in Section 8.9. 
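A parser that checks a Suite ID against the construction rules of Section 8.10 and refuses a nonuniform suite where a random oracle is required. This is an added example, not code from the draft or its authors; rejecting empty fields and any EXP_TAG or MAP_ID other than the ones Section 8.10 lists are assumptions of this sketch, and all function names are hypothetical.

```python
import re
from typing import NamedTuple, Tuple

EXP_TAGS = {"XMD", "XOF"}                 # expand_message_xmd / expand_message_xof
MAP_IDS = {"SVDW", "SSWU", "ELL2"}        # the MAP_ID values listed in Section 8.10
ENCODINGS = {"RO": "hash_to_curve", "NU": "encode_to_curve"}
FIELD_NAMES = ("CURVE_ID", "HASH_ID", "MAP_ID", "ENC_VAR")
# ASCII 0x21..0x7E except underscore (0x5F), at most 64 characters.
# Assumption of this example: a field may not be empty.
FIELD_RE = re.compile(r"[\x21-\x5e\x60-\x7e]{1,64}")


class SuiteID(NamedTuple):
    curve_id: str
    exp_tag: str
    hash_name: str
    map_id: str
    encoding: str                 # "hash_to_curve" or "encode_to_curve"
    subfields: Tuple[str, ...]    # optional ENC_VAR subfields, e.g. ("V02",)


def parse_suite_id(suite_id: str) -> SuiteID:
    """Parse CURVE_ID_HASH_ID_MAP_ID_ENC_VAR_ or raise ValueError."""
    parts = suite_id.split("_")
    # Four fields, each followed by "_", and nothing after the final underscore.
    if len(parts) != 5 or parts[4] != "":
        raise ValueError("need exactly four fields, each followed by '_'")
    for name, value in zip(FIELD_NAMES, parts[:4]):
        if not FIELD_RE.fullmatch(value):
            raise ValueError(f"{name}: 1..64 characters in 0x21..0x7E, no underscore")
    curve_id, hash_id, map_id, enc_var = parts[:4]

    exp_tag, colon, hash_name = hash_id.partition(":")
    if exp_tag not in EXP_TAGS or not colon or not hash_name:
        raise ValueError("HASH_ID must be EXP_TAG ':' HASH_NAME with EXP_TAG in XMD, XOF")
    if map_id not in MAP_IDS:
        raise ValueError("MAP_ID must be one of SVDW, SSWU, ELL2")
    if enc_var[:2] not in ENCODINGS:
        raise ValueError("ENC_VAR must begin with RO or NU")

    tail = enc_var[2:]
    if tail.startswith(":"):              # RECOMMENDED colon-separated subfields
        subfields = tuple(tail[1:].split(":"))
    else:
        subfields = (tail,) if tail else ()
    return SuiteID(curve_id, exp_tag, hash_name, map_id,
                   ENCODINGS[enc_var[:2]], subfields)


def is_valid_suite_id(suite_id: str) -> bool:
    try:
        parse_suite_id(suite_id)
    except ValueError:
        return False
    return True


def require_random_oracle(suite_id: str) -> SuiteID:
    """Gate for protocols whose analysis needs a random oracle onto the curve."""
    suite = parse_suite_id(suite_id)
    if suite.encoding != "hash_to_curve":
        raise ValueError(f"{suite_id} is a nonuniform (NU) suite, not a random oracle")
    return suite


if __name__ == "__main__":
    for sid in ("P256_XMD:SHA-256_SSWU_RO_", "edwards25519_XMD:SHA-512_ELL2_NU_",
                "P256_XMD:SHA-256_SSWU_RO"):
        print(sid, "->", parse_suite_id(sid) if is_valid_suite_id(sid) else "rejected")
```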
All protocols and applications using a hash-to-curve suite MUST choose a domain separation tag (DST) in accordance with the guidelines in Section 3.1. In addition, protocols and applications whose security requires a random oracle that returns points on the target curve MUST use a suite whose encoding type is hash_to_curve; see Section 3 and immediately below for more information.

A hash-to-curve suite comprises the following parameters:

* Suite ID, a short name used to refer to a given suite. Section 8.10 discusses the naming conventions for suite IDs.
* encoding type, either random oracle (hash_to_curve) or nonuniform (encode_to_curve). See Section 3 for definitions of these encoding types.
* E, the target elliptic curve over a field F.
* p, the characteristic of the field F.
* m, the extension degree of the field F.
* k, the target security level of the suite in bits. (See Section 10.3 for discussion.)
* L, the length parameter for hash_to_field (Section 5.1).
* expand_message, one of the variants specified in Section 5.3 plus any parameters required for the specified variant (for example, H, the underlying hash function).
* f, a mapping function from Section 6.
* h_eff, the scalar parameter for clear_cofactor (Section 7).

In addition to the above parameters, the mapping f may require additional parameters Z, M, rational_map, E', and/or iso_map. These MUST be specified when applicable.

The below table lists the curves for which suites are defined and the subsection that gives the corresponding parameters.

+---------------------------+-------------+
| E                         | Section     |
+===========================+=============+
| NIST P-256                | Section 8.2 |
+---------------------------+-------------+
| NIST P-384                | Section 8.3 |
+---------------------------+-------------+
| NIST P-521                | Section 8.4 |
+---------------------------+-------------+
| curve25519 / edwards25519 | Section 8.5 |
+---------------------------+-------------+
| curve448 / edwards448     | Section 8.6 |
+---------------------------+-------------+
| secp256k1                 | Section 8.7 |
+---------------------------+-------------+
| BLS12-381                 | Section 8.8 |
+---------------------------+-------------+

                  Table 2

8.1. Implementing a hash-to-curve suite

A hash-to-curve suite requires the following functions. Note that some of these require utility functions from Section 4.

1. Base field arithmetic operations for the target elliptic curve, e.g., addition, multiplication, and square root.
2. Elliptic curve point operations for the target curve, e.g., point addition and scalar multiplication.
3. The hash-to-field function; see Section 5. This includes the expand_message variant (Section 5.3) and any constituent hash function or XOF.
4. The suite-specified mapping function; see the corresponding subsection of Section 6.
5. A cofactor clearing function; see Section 7. This may be implemented as scalar multiplication by h_eff or as a faster equivalent method.
6. The desired encoding function; see Section 3. This is either hash_to_curve or encode_to_curve.

8.2. Suites for NIST P-256

This section defines ciphersuites for the NIST P-256 elliptic curve [FIPS186-4].
P256_XMD:SHA-256_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + A * x + B, where
  - A = -3
  - B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
* p: 2^256 - 2^224 + 2^192 + 2^96 - 1
* m: 1
* k: 128
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-256
* L: 48
* f: Simplified SWU method, Section 6.6.2
* Z: -10
* h_eff: 1

P256_XMD:SHA-256_SVDW_RO_ is identical to P256_XMD:SHA-256_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: -3

P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

P256_XMD:SHA-256_SVDW_NU_ is identical to P256_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

An optimized example implementation of the Simplified SWU mapping to P-256 is given in Appendix D.2.1.

8.3. Suites for NIST P-384

This section defines ciphersuites for the NIST P-384 elliptic curve [FIPS186-4].

P384_XMD:SHA-512_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + A * x + B, where
  - A = -3
  - B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
* p: 2^384 - 2^128 - 2^96 + 2^32 - 1
* m: 1
* k: 192
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-512
* L: 72
* f: Simplified SWU method, Section 6.6.2
* Z: -12
* h_eff: 1

P384_XMD:SHA-512_SVDW_RO_ is identical to P384_XMD:SHA-512_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: -1

P384_XMD:SHA-512_SSWU_NU_ is identical to P384_XMD:SHA-512_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

P384_XMD:SHA-512_SVDW_NU_ is identical to P384_XMD:SHA-512_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

An optimized example implementation of the Simplified SWU mapping to P-384 is given in Appendix D.2.1.

8.4. Suites for NIST P-521

This section defines ciphersuites for the NIST P-521 elliptic curve [FIPS186-4].

P521_XMD:SHA-512_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + A * x + B, where
  - A = -3
  - B = 0x51953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00
* p: 2^521 - 1
* m: 1
* k: 256
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-512
* L: 98
* f: Simplified SWU method, Section 6.6.2
* Z: -4
* h_eff: 1

P521_XMD:SHA-512_SVDW_RO_ is identical to P521_XMD:SHA-512_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: 1

P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

P521_XMD:SHA-512_SVDW_NU_ is identical to P521_XMD:SHA-512_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

An optimized example implementation of the Simplified SWU mapping to P-521 is given in Appendix D.2.1.

8.5. Suites for curve25519 and edwards25519

This section defines ciphersuites for curve25519 and edwards25519 [RFC7748].
curve25519_XMD:SHA-256_ELL2_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: K * t^2 = s^3 + J * s^2 + s, where
  - J = 486662
  - K = 1
* p: 2^255 - 19
* m: 1
* k: 128
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-256
* L: 48
* f: Elligator 2 method, Section 6.7.1
* Z: 2
* h_eff: 8

edwards25519_XMD:SHA-256_ELL2_RO_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except for the following parameters:

* E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
  - a = -1
  - d = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3
* f: Twisted Edwards Elligator 2 method, Section 6.8.2
* M: curve25519 defined in [RFC7748], Section 4.1
* rational_map: the birational map defined in [RFC7748], Section 4.1

curve25519_XMD:SHA-256_ELL2_NU_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).

edwards25519_XMD:SHA-256_ELL2_NU_ is identical to edwards25519_XMD:SHA-256_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).

curve25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except that H is SHA-512.

curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-256_ELL2_NU_, except that H is SHA-512.

edwards25519_XMD:SHA-512_ELL2_RO_ is identical to edwards25519_XMD:SHA-256_ELL2_RO_, except that H is SHA-512.

edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SHA-256_ELL2_NU_, except that H is SHA-512.

Optimized example implementations of the above mappings are given in Appendix D.3.1 and Appendix D.3.2.

8.6. Suites for curve448 and edwards448

This section defines ciphersuites for curve448 and edwards448 [RFC7748].

curve448_XMD:SHA-512_ELL2_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: K * t^2 = s^3 + J * s^2 + s, where
  - J = 156326
  - K = 1
* p: 2^448 - 2^224 - 1
* m: 1
* k: 224
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-512
* L: 84
* f: Elligator 2 method, Section 6.7.1
* Z: -1
* h_eff: 4

edwards448_XMD:SHA-512_ELL2_RO_ is identical to curve448_XMD:SHA-512_ELL2_RO_, except for the following parameters:

* E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
  - a = 1
  - d = -39081
* f: Twisted Edwards Elligator 2 method, Section 6.8.2
* M: curve448, defined in [RFC7748], Section 4.2
* rational_map: the 4-isogeny map defined in [RFC7748], Section 4.2

curve448_XMD:SHA-512_ELL2_NU_ is identical to curve448_XMD:SHA-512_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).

edwards448_XMD:SHA-512_ELL2_NU_ is identical to edwards448_XMD:SHA-512_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).

Optimized example implementations of the above mappings are given in Appendix D.3.3 and Appendix D.3.4.

8.7. Suites for secp256k1

This section defines ciphersuites for the secp256k1 elliptic curve [SEC2].

secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + 7
* p: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
* m: 1
* k: 128
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-256
* L: 48
* f: Simplified SWU for AB == 0, Section 6.6.3
* Z: -11
* E': y'^2 = x'^3 + A' * x' + B', where
  - A': 0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533
  - B': 1771
* iso_map: the 3-isogeny map from E' to E given in Appendix C.1
* h_eff: 1

secp256k1_XMD:SHA-256_SVDW_RO_ is identical to secp256k1_XMD:SHA-256_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: 1
* E' is not required for this suite
* iso_map is not required for this suite

secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

secp256k1_XMD:SHA-256_SVDW_NU_ is identical to secp256k1_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

An optimized example implementation of the Simplified SWU mapping to the curve E' isogenous to secp256k1 is given in Appendix D.2.1.

8.8. Suites for BLS12-381

This section defines ciphersuites for groups G1 and G2 of the BLS12-381 elliptic curve [BLS12-381]. The curve parameters in this section match the ones listed in [I-D.irtf-cfrg-pairing-friendly-curves], Appendix C.

8.8.1. BLS12-381 G1

BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + 4
* p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
* m: 1
* k: 128
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-256
* L: 64
* f: Simplified SWU for AB == 0, Section 6.6.3
* Z: 11
* E': y'^2 = x'^3 + A' * x' + B', where
  - A' = 0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d
  - B' = 0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0
* iso_map: the 11-isogeny map from E' to E given in Appendix C.2
* h_eff: 0xd201000000010001

BLS12381G1_XMD:SHA-256_SVDW_RO_ is identical to BLS12381G1_XMD:SHA-256_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: -3
* E' is not required for this suite
* iso_map is not required for this suite

BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

BLS12381G1_XMD:SHA-256_SVDW_NU_ is identical to BLS12381G1_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

Note that the h_eff values for these suites are chosen for compatibility with the fast cofactor clearing method described by Scott ([WB19] Section 5).

An optimized example implementation of the Simplified SWU mapping to the curve E' isogenous to BLS12-381 G1 is given in Appendix D.2.1.

8.8.2. BLS12-381 G2

BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:

* encoding type: hash_to_curve (Section 3)
* E: y^2 = x^3 + 4 * (1 + I)
* base field F is GF(p^m), where
  - p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
  - m: 2
  - (1, I) is the basis for F, where I^2 + 1 == 0 in F
* k: 128
* expand_message: expand_message_xmd (Section 5.3.1)
* H: SHA-256
* L: 64
* f: Simplified SWU for AB == 0, Section 6.6.3
* Z: -(2 + I)
* E': y'^2 = x'^3 + A' * x' + B', where
  - A' = 240 * I
  - B' = 1012 * (1 + I)
* iso_map: the isogeny map from E' to E given in Appendix C.3
* h_eff: 0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551

BLS12381G2_XMD:SHA-256_SVDW_RO_ is identical to BLS12381G2_XMD:SHA-256_SSWU_RO_, except for the following parameters:

* f: Shallue-van de Woestijne method, Section 6.6.1
* Z: I
* E' is not required for this suite
* iso_map is not required for this suite

BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).

BLS12381G2_XMD:SHA-256_SVDW_NU_ is identical to BLS12381G2_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).

Note that the h_eff values for these suites are chosen for compatibility with the fast cofactor clearing method described by Budroni and Pintore ([BP17], Section 4.1), and summarized in Appendix D.4.

An optimized example implementation of the Simplified SWU mapping to the curve E' isogenous to BLS12-381 G2 is given in Appendix D.2.3.

8.9. Defining a new hash-to-curve suite

The RECOMMENDED way to define a new hash-to-curve suite is:

1. E, F, p, and m are determined by the elliptic curve and its base field.
2. k is an upper bound on the target security level of the suite (Section 10.3). A reasonable choice of k is ceil(log2(r) / 2), where r is the order of the subgroup G of the curve E (Section 2.1).
3. Choose encoding type, either hash_to_curve or encode_to_curve (Section 3).
4. Compute L as described in Section 5.1.
5. Choose an expand_message variant from Section 5.3 plus any underlying cryptographic primitives (e.g., a hash function H).
6. Choose a mapping following the guidelines in Section 6.1, and select any required parameters for that mapping.
7. Choose h_eff to be either the cofactor of E or, if a fast cofactor clearing method is to be used, a value appropriate to that method as discussed in Section 7.
8. Construct a Suite ID following the guidelines in Section 8.10.

When hashing to an elliptic curve not listed in this section, corresponding hash-to-curve suites SHOULD be fully specified as described above.

8.10. Suite ID naming conventions

Suite IDs MUST be constructed as follows:

    CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_"

The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are ASCII-encoded strings of at most 64 characters each. Fields MUST contain only ASCII characters between 0x21 and 0x7E (inclusive) other than underscore (i.e., 0x5f).

As indicated above, each field (including the last) is followed by an underscore ("_", ASCII 0x5f). This helps to ensure that Suite IDs are prefix free. Suite IDs MUST include the final underscore and MUST NOT include any characters after the final underscore.

Suite ID fields MUST be chosen as follows:

* CURVE_ID: a human-readable representation of the target elliptic curve.
* HASH_ID: a human-readable representation of the expand_message function and any underlying hash primitives used in hash_to_field (Section 5).
  This field MUST be constructed as follows:

      EXP_TAG || ":" || HASH_NAME

  EXP_TAG indicates the expand_message variant:
  - "XMD" for expand_message_xmd (Section 5.3.1).
  - "XOF" for expand_message_xof (Section 5.3.2).

  HASH_NAME is a human-readable name for the underlying hash primitive. As examples:
  1. For expand_message_xof (Section 5.3.2) with SHAKE-128, HASH_ID is "XOF:SHAKE-128".
  2. For expand_message_xmd (Section 5.3.1) with SHA3-256, HASH_ID is "XMD:SHA3-256".
* MAP_ID: a human-readable representation of the map_to_curve function as defined in Section 6. These are defined as follows:
  - "SVDW" for Shallue and van de Woestijne (Section 6.6.1).
  - "SSWU" for Simplified SWU (Section 6.6.2, Section 6.6.3).
  - "ELL2" for Elligator 2 (Section 6.7.1, Section 6.8.2).
* ENC_VAR: a string indicating the encoding type and other information. The first two characters of this string indicate whether the suite represents a hash_to_curve or an encode_to_curve operation (Section 3), as follows:
  - If ENC_VAR begins with "RO", the suite uses hash_to_curve.
  - If ENC_VAR begins with "NU", the suite uses encode_to_curve.
  - ENC_VAR MUST NOT begin with any other string.

  ENC_VAR MAY also be used to encode other information used to identify variants, for example, a version number. The RECOMMENDED way to do so is to add one or more subfields separated by colons. For example, "RO:V02" is an appropriate ENC_VAR value for the second version of a random-oracle suite, while "RO:V02:FOO01:BAR17" might be used to indicate a variant of that suite.

9. IANA Considerations

This document has no IANA actions.

10. Security Considerations

When constant-time implementations are required, all basic operations and utility functions must be implemented in constant time, as discussed in Section 4.
In some applications (e.g., embedded systems), leakage through other side channels (e.g., power or electromagnetic side channels) may be pertinent. Defending against such leakage is outside the scope of this document, because the nature of the leakage and the appropriate defense depend on the protocol from which a hash-to-curve function is invoked.

Section 3.1 describes considerations related to domain separation.

Section 5 describes considerations for uniformly hashing to field elements; see Section 10.1 and Section 10.2 for further discussion.

Each encoding type (Section 3) accepts an arbitrary byte string and maps it to a pseudorandom point on the curve. Note, however, that directly evaluating the mappings of Section 6 produces an output that is distinguishable from random.

When the hash_to_curve function (Section 3) is instantiated with a hash_to_field function that is indifferentiable from a random oracle (Section 5), the resulting function is indifferentiable from a random oracle ([FFSTV13], [LBB19], [MRH04]). In most cases such a function can be safely used in protocols whose security analysis assumes a random oracle that outputs points on an elliptic curve. As Ristenpart et al. discuss in [RSS11], however, not all security proofs that rely on random oracles continue to hold when those oracles are replaced by indifferentiable functionalities. This limitation should be considered when analyzing the security of protocols relying on the hash_to_curve function.

When hashing passwords using any function described in this document, an adversary who learns the output of the hash function (or potentially any intermediate value, e.g., the output of hash_to_field) may be able to carry out a dictionary attack.
To mitigate such attacks, it is recommended to first execute a more costly key derivation function (e.g., PBKDF2 [RFC2898] or scrypt [RFC7914]) on the password, then hash the output of that function to the target elliptic curve. For collision resistance, the hash underlying the key derivation function should be chosen according to the guidelines listed in Section 5.3.

10.1. hash_to_field security

The hash_to_field function defined in Section 5 is indifferentiable from a random oracle [MRH04] when expand_message (Section 5.3) is modeled as a random oracle. By composability of indifferentiability proofs, this also holds when expand_message is proved indifferentiable from a random oracle relative to an underlying primitive that is modeled as a random oracle. When following the guidelines in Section 5.3, both variants of expand_message defined in that section meet this requirement (see also Section 10.2).

We very briefly sketch the indifferentiability argument for hash_to_field. Notice that each integer mod p that hash_to_field returns (i.e., each element of the vector representation of F) is a member of an equivalence class of roughly 2^k integers of length log2(p) + k bits, all of which are equal modulo p. For each integer mod p that hash_to_field returns, the simulator samples one member of this equivalence class at random and outputs the byte string returned by I2OSP. (Notice that this is essentially the inverse of the hash_to_field procedure.)

Finally, the expand_message variants in this document (Section 5.3) always append the domain separation tag DST to the strings hashed by H, the underlying hash or extensible output function. This means that invocations of H outside of hash_to_field can be separated from those inside of hash_to_field by appending a tag distinct from DST to their inputs. Other expand_message variants that follow the guidelines in Section 5.3.4 are expected to have similar properties, but these should be analyzed on a case-by-case basis.

10.2. expand_message_xmd security

The expand_message_xmd function defined in Section 5.3.1 is indifferentiable from a random oracle [MRH04] when one of the following holds:

1. H is indifferentiable from a random oracle,
2. H is a sponge-based hash function whose inner function is modeled as a random transformation or random permutation [BDPV08], or
3. H is a Merkle-Damgaard hash function whose compression function is modeled as a random oracle [CDMP05].

For cases (1) and (2), the indifferentiability of expand_message_xmd follows directly from the indifferentiability of H.

For case (3), i.e., for H a Merkle-Damgaard hash function, indifferentiability follows from [CDMP05], Theorem 3.5. In particular, expand_message_xmd computes b_0 by prepending one block of 0-bytes to the message and auxiliary information (length, counter, and DST). Then, each of the output blocks b_i, i >= 1 in expand_message_xmd is the result of invoking H on a unique, prefix-free encoding of b_0. This is true, first, because the length of the input to all such invocations is equal and fixed by the choice of H and DST, and second, because each such input has a unique suffix (because of the inclusion of the counter byte I2OSP(i, 1)).

The essential difference between the construction of [CDMP05] and expand_message_xmd is that the latter hashes a counter appended to strxor(b_0, b_(i - 1)) (step 9) rather than to b_0. This approach increases the Hamming distance between inputs to different invocations of H, which reduces the likelihood that nonidealities in H affect the distribution of the b_i values.

10.3. Target Security Levels

Each ciphersuite specifies a target security level (in bits) for the underlying curve. This parameter ensures the corresponding hash_to_field instantiation is conservative and correct. We stress that this parameter is only an upper bound on the security level of the curve.
It is neither a guarantee nor endorsement of its longevity. Mathematical and cryptographic advancements may lower the security level for any curve. In such cases, applications SHOULD choose curves and, consequently, ciphersuites with higher security levels.

11. Acknowledgements

The authors would like to thank Adam Langley for his detailed writeup of Elligator 2 with Curve25519 [L13]; Dan Boneh, Christopher Patton, and Benjamin Lipp for educational discussions; and David Benjamin, Frank Denis, Sean Devlin, Justin Drake, Dan Harkins, Thomas Icart, Andy Polyakov, Leonid Reyzin, Michael Scott, and Mathy Vanhoef for helpful feedback.

12. Contributors

* Sharon Goldberg
  Boston University
  goldbe@cs.bu.edu
* Ela Lee
  Royal Holloway, University of London
  Ela.Lee.2010@live.rhul.ac.uk
* Michele Orru
  michele.orru@ens.fr

13. References

13.1. Normative References

[I-D.irtf-cfrg-pairing-friendly-curves] Sakemi, Y., Kobayashi, T., and T. Saito, "Pairing-Friendly Curves", Work in Progress, Internet-Draft, draft-irtf-cfrg-pairing-friendly-curves-03, 27 March 2020.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, DOI 10.17487/RFC2898, September 2000.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016.

[RFC7914] Percival, C. and S. Josefsson, "The scrypt Password-Based Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914, August 2016.

[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016.

13.2. Informative References

[AFQTZ14] Aranha, D.F., Fouque, P.A., Qian, C., Tibouchi, M., and J.C. Zapalowicz, "Binary Elligator squared", DOI 10.1007/978-3-319-13051-4_2, pages 20-37, In Selected Areas in Cryptography - SAC 2014, 2014.

[AR13] Adj, G. and F. Rodriguez-Henriquez, "Square Root Computation over Even Extension Fields", DOI 10.1109/TC.2013.145, pages 2829-2841, In IEEE Transactions on Computers. vol 63 issue 11, November 2014.

[BBJLP08] Bernstein, D.J., Birkner, P., Joye, M., Lange, T., and C. Peters, "Twisted Edwards curves", DOI 10.1007/978-3-540-68164-9_26, pages 389-405, In AFRICACRYPT 2008, 2008.

[BCIMRT10] Brier, E., Coron, J-S., Icart, T., Madore, D., Randriam, H., and M. Tibouchi, "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", DOI 10.1007/978-3-642-14623-7_13, pages 237-254, In Advances in Cryptology - CRYPTO 2010, 2010.

[BDPV08] Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche, "On the Indifferentiability of the Sponge Construction", DOI 10.1007/978-3-540-78967-3_11, pages 181-197, In Advances in Cryptology - EUROCRYPT 2008, 2008.

[BF01] Boneh, D. and M. Franklin, "Identity-based encryption from the Weil pairing", DOI 10.1007/3-540-44647-8_13, pages 213-229, In Advances in Cryptology - CRYPTO 2001, August 2001.

[BHKL13] Bernstein, D.J., Hamburg, M., Krasnova, A., and T. Lange, "Elligator: elliptic-curve points indistinguishable from uniform random strings", DOI 10.1145/2508859.2516734, pages 967-980, In Proceedings of the 2013 ACM SIGSAC conference on computer and communications security, November 2013.

[BLAKE2X] Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., and C. Winnerlein, "BLAKE2X", December 2016.

[BLMP19] Bernstein, D.J., Lange, T., Martindale, C., and L. Panny, "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies", DOI 10.1007/978-3-030-17656-3, In Advances in Cryptology - EUROCRYPT 2019, 2019.

[BLS01] Boneh, D., Lynn, B., and H. Shacham, "Short signatures from the Weil pairing", DOI 10.1007/s00145-004-0314-9, pages 297-319, In Journal of Cryptology, vol 17, July 2004.

[BLS03] Barreto, P., Lynn, B., and M. Scott, "Constructing Elliptic Curves with Prescribed Embedding Degrees", DOI 10.1007/3-540-36413-7_19, pages 257-267, In Security in Communication Networks, 2003.

[BLS12-381] Bowe, S., "BLS12-381: New zk-SNARK Elliptic Curve Construction", March 2017.

[BMP00] Boyko, V., MacKenzie, P.D., and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman", DOI 10.1007/3-540-45539-6_12, pages 156-171, In Advances in Cryptology - EUROCRYPT 2000, May 2000.

[BN05] Barreto, P. and M. Naehrig, "Pairing-Friendly Elliptic Curves of Prime Order", DOI 10.1007/11693383_22, pages 319-331, In Selected Areas in Cryptography 2005, 2006.

[BP17] Budroni, A. and F. Pintore, "Efficient hash maps to G2 on BLS curves", ePrint 2017/419, May 2017.

[C93] Cohen, H., "A Course in Computational Algebraic Number Theory", ISBN 9783642081422, publisher Springer-Verlag, 1993.

[CDMP05] Coron, J-S., Dodis, Y., Malinaud, C., and P. Puniya, "Merkle-Damgaard Revisited: How to Construct a Hash Function", DOI 10.1007/11535218_26, pages 430-448, In Advances in Cryptology - CRYPTO 2005, 2005.

[CFADLNV05] Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., and F. Vercauteren, "Handbook of Elliptic and Hyperelliptic Curve Cryptography", ISBN 9781584885184, publisher Chapman and Hall / CRC, 2005.

[CK11] Couveignes, J. and J. Kammerer, "The geometry of flex tangents to a cubic curve and its parameterizations", DOI 10.1016/j.jsc.2011.11.003, pages 266-281, In Journal of Symbolic Computation, vol 47 issue 3, 2012.

[F11] Farashahi, R.R., "Hashing into Hessian curves", DOI 10.1007/978-3-642-21969-6_17, pages 278-289, In AFRICACRYPT 2011, 2011.

[FFSTV13] Farashahi, R.R., Fouque, P.A., Shparlinski, I.E., Tibouchi, M., and J.F. Voloch, "Indifferentiable deterministic hashing to elliptic and hyperelliptic curves", DOI 10.1090/S0025-5718-2012-02606-8, pages 491-512, In Math. Comp. vol 82, 2013.

[FIPS180-4] National Institute of Standards and Technology (NIST), "Secure Hash Standard (SHS)", August 2015.

[FIPS186-4] National Institute of Standards and Technology (NIST), "FIPS Publication 186-4: Digital Signature Standard", July 2013.

[FIPS202] National Institute of Standards and Technology (NIST), "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", August 2015.

[FJT13] Fouque, P-A., Joux, A., and M. Tibouchi, "Injective encodings to elliptic curves", DOI 10.1007/978-3-642-39059-3_14, pages 203-218, In ACISP 2013, 2013.

[FKR11] Fuentes-Castaneda, L., Knapp, E., and F. Rodriguez-Henriquez, "Fast Hashing to G2 on Pairing-Friendly Curves", DOI 10.1007/978-3-642-28496-0_25, pages 412-430, In Selected Areas in Cryptography, 2011.

[FSV09] Farashahi, R.R., Shparlinski, I.E., and J.F. Voloch, "On hashing into elliptic curves", DOI 10.1515/JMC.2009.022, pages 353-360, In Journal of Mathematical Cryptology, vol 3 no 4, 2009.

[FT10] Fouque, P-A. and M. Tibouchi, "Estimating the size of the image of deterministic hash functions to elliptic curves.", DOI 10.1007/978-3-642-14712-8_5, pages 81-91, In Progress in Cryptology - LATINCRYPT 2010, 2010.

[FT12] Fouque, P-A. and M. Tibouchi, "Indifferentiable Hashing to Barreto-Naehrig Curves", DOI 10.1007/978-3-642-33481-8_1, pages 1-7, In Progress in Cryptology - LATINCRYPT 2012, 2012.

[hash2curve-repo] "Hashing to Elliptic Curves - GitHub repository", 2019.

[Icart09] Icart, T., "How to Hash into Elliptic Curves", DOI 10.1007/978-3-642-03356-8_18, pages 303-316, In Advances in Cryptology - CRYPTO 2009, 2009.

[J96] Jablon, D.P., "Strong password-only authenticated key exchange", DOI 10.1145/242896.242897, pages 5-26, In SIGCOMM Computer Communication Review, vol 26 issue 5, 1996.

[jubjub-fq] "zkcrypto/jubjub - fq.rs", 2019.

[KLR10] Kammerer, J., Lercier, R., and G. Renault, "Encoding points on hyperelliptic curves over finite fields in deterministic polynomial time", DOI 10.1007/978-3-642-17455-1_18, pages 278-297, In PAIRING 2010, 2010.

[L13] Langley, A., "Implementing Elligator for Curve25519", 2013.

[LBB19] Lipp, B., Blanchet, B., and K. Bhargavan, "A Mechanised Proof of the WireGuard Virtual Private Network Protocol", In INRIA Research Report No. 9269, April 2019.

[MRH04] Maurer, U., Renner, R., and C. Holenstein, "Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology", DOI 10.1007/978-3-540-24638-1_2, pages 21-39, In TCC 2004: Theory of Cryptography, February 2004.

[p1363a] IEEE Computer Society, "IEEE Standard Specifications for Public-Key Cryptography---Amendment 1: Additional Techniques", March 2004.

[RFC7693] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, DOI 10.17487/RFC7693, November 2015.

[RSS11] Ristenpart, T., Shacham, H., and T. Shrimpton, "Careful with Composition: Limitations of the Indifferentiability Framework", DOI 10.1007/978-3-642-20465-4_27, pages 487-506, In Advances in Cryptology - EUROCRYPT 2011, May 2011.
[S05] Skalba, M., "Points on elliptic curves over finite fields", DOI 10.4064/aa117-3-7, pages 293-301, In Acta Arithmetica, vol 117 no 3, 2005, . Faz-Hernandez, et al. Expires 29 October 2020 [Page 58] Internet-Draft hash-to-curve April 2020 [S85] Schoof, R., "Elliptic Curves Over Finite Fields and the Computation of Square Roots mod p", DOI 10.1090/S0025-5718-1985-0777280-6, pages 483-494, In Mathematics of Computation vol 44 issue 170, April 1985, . [SAGE] The Sage Developers, "SageMath, the Sage Mathematics Software System", 2019, . [SBCDK09] Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., and E.J. Kachisa, "Fast Hashing to G2 on Pairing- Friendly Curves", DOI 10.1007/978-3-642-03298-1_8, pages 102-113, In Pairing-Based Cryptography - Pairing 2009, 2009, . [SEC1] Standards for Efficient Cryptography Group (SECG), "SEC 1: Elliptic Curve Cryptography", May 2009, . [SEC2] Standards for Efficient Cryptography Group (SECG), "SEC 2: Recommended Elliptic Curve Domain Parameters", January 2010, . [SS04] Schinzel, A. and M. Skalba, "On equations y^2 = x^n + k in a finite field.", DOI 10.4064/ba52-3-1, pages 223-226, In Bulletin Polish Acad. Sci. Math. vol 52, no 3, 2004, . [SW06] Shallue, A. and C. van de Woestijne, "Construction of rational points on elliptic curves over finite fields", DOI 10.1007/11792086_36, pages 510-524, In Algorithmic Number Theory. ANTS 2006., 2006, . [T14] Tibouchi, M., "Elligator squared: Uniform points on elliptic curves of prime order as uniform random strings", DOI 10.1007/978-3-662-45472-5_10, pages 139-156, In Financial Cryptography and Data Security - FC 2014, 2014, . [TK17] Tibouchi, M. and T. Kim, "Improved elliptic curve hashing and point representation", DOI 10.1007/s10623-016-0288-2, pages 161-177, In Designs, Codes, and Cryptography, vol 82, 2017, . Faz-Hernandez, et al. 
[U07]  Ulas, M., "Rational points on certain hyperelliptic curves over finite fields", DOI 10.4064/ba55-2-1, pages 97-104, In Bulletin Polish Acad. Sci. Math. vol 55, no 2, 2007.

[W08]  Washington, L.C., "Elliptic curves: Number theory and cryptography", ISBN 9781420071467, publisher Chapman and Hall / CRC, edition 2nd, 2008.

[W19]  Wahby, R.S., "An explicit, generic parameterization for the Shallue--van de Woestijne map", 2019.

[WB19]  Wahby, R.S. and D. Boneh, "Fast and simple constant-time hashing to the BLS12-381 elliptic curve", DOI 10.13154/tches.v2019.i4.154-179, ePrint 2019/403, issue 4, volume 2019, In IACR Trans. CHES, August 2019.

[x9.62]  ANSI, "Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62-1998, September 1998.

Appendix A.  Related Work

The problem of mapping arbitrary bit strings to elliptic curve points has been the subject of both practical and theoretical research. This section briefly describes the background and research results that underlie the recommendations in this document. This section is provided for informational purposes only.

A naive but generally insecure method of mapping a string msg to a point on an elliptic curve E having n points is to first fix a point P that generates the elliptic curve group, and a hash function Hn from bit strings to integers less than n; then compute Hn(msg) * P, where the * operator represents scalar multiplication. The reason this approach is insecure is that the resulting point has a known discrete log relationship to P. Thus, except in cases where this method is specified by the protocol, it must not be used; doing so risks catastrophic security failures.

Boneh et al. [BLS01] describe an encoding method they call MapToGroup, which works roughly as follows: first, use the input string to initialize a pseudorandom number generator, then use the generator to produce a pseudorandom value x in F. If x is the x-coordinate of a point on the elliptic curve, output that point. Otherwise, generate a new pseudorandom value x in F and try again. Since a random value x in F has probability about 1/2 of corresponding to a point on the curve, the expected number of tries is just two. However, the running time of this method depends on the input string, which means that it is not safe to use in protocols sensitive to timing side channels.

Schinzel and Skalba [SS04] introduce a method of constructing elliptic curve points deterministically, for a restricted class of curves and a very small number of points. Skalba [S05] generalizes this construction to more curves and more points on those curves.

Shallue and van de Woestijne [SW06] further generalize and simplify Skalba's construction, yielding concretely efficient maps to a constant fraction of the points on almost any curve. Fouque and Tibouchi [FT12] give a parameterization of this mapping for Barreto-Naehrig pairing-friendly curves [BN05].

Ulas [U07] describes a simpler version of the Shallue-van de Woestijne map, and Brier et al. [BCIMRT10] give a further simplification, which the authors call the "simplified SWU" map. That simplified map applies only to fields of characteristic p = 3 (mod 4); Wahby and Boneh [WB19] generalize to fields of any characteristic, and give further optimizations.

Boneh and Franklin give a deterministic algorithm mapping to certain supersingular curves over fields of characteristic p = 2 (mod 3) [BF01]. Icart gives another deterministic algorithm which maps to any curve over a field of characteristic p = 2 (mod 3) [Icart09]. Several extensions and generalizations follow this work, including [FSV09], [FT10], [KLR10], [F11], and [CK11].

Following the work of Farashahi [F11], Fouque et al. [FJT13] describe a mapping to curves over fields of characteristic p = 3 (mod 4) having a number of points divisible by 4. Bernstein et al. [BHKL13] optimize this mapping and describe a related mapping that they call "Elligator 2," which applies to any curve over a field of odd characteristic having a point of order 2. This includes Curve25519 and Curve448, both of which are CFRG-recommended curves [RFC7748]. Bernstein et al. [BLMP19] extend the Elligator 2 map to a class of supersingular curves over fields of characteristic p = 3 (mod 4).

An important caveat regarding all of the above deterministic mapping functions is that none of them map to the entire curve, but rather to some fraction of the points. This means that they cannot be used directly to construct a random oracle that outputs points on the curve.

Brier et al. [BCIMRT10] give two solutions to this problem. The first, which Brier et al. prove applies to Icart's method, computes f(H0(msg)) + f(H1(msg)) for two distinct hash functions H0 and H1 from bit strings to F and a mapping f from F to the elliptic curve E. The second, which applies to essentially all deterministic mappings but is more costly, computes f(H0(msg)) + H2(msg) * P, for P a generator of the elliptic curve group and H2 a hash from bit strings to integers modulo r, the order of the elliptic curve group.

Farashahi et al. [FFSTV13] improve the analysis of the first method, showing that it applies to essentially all deterministic mappings. Tibouchi and Kim [TK17] further refine the analysis and describe additional optimizations.

Complementary to the problem of mapping from bit strings to elliptic curve points, Bernstein et al. [BHKL13] study the problem of mapping from elliptic curve points to uniformly random bit strings, giving solutions for a class of curves including Montgomery and twisted Edwards curves. Tibouchi [T14] and Aranha et al. [AFQTZ14] generalize these results. This document does not deal with this complementary problem.

Appendix B.  Rational maps

This section gives several useful rational maps.

B.1.  Twisted Edwards to Montgomery curves

This section gives a generic birational map between twisted Edwards and Montgomery curves. This birational map comprises the rational map specified in Section 6.8.1 and its inverse.

The twisted Edwards curve

   a * v^2 + w^2 = 1 + d * v^2 * w^2

is birationally equivalent to the Montgomery curve

   K * t^2 = s^3 + J * s^2 + s

by the following mappings ([BBJLP08], Theorem 3.2). To convert from twisted Edwards to Montgomery form, the mapping is

*  J = 2 * (a + d) / (a - d)

*  K = 4 / (a - d)

*  s = (1 + w) / (1 - w)

*  t = (1 + w) / (v * (1 - w))

This mapping is defined when a != d, which is guaranteed by the definition of twisted Edwards curves. The mapping is undefined when v == 0 or w == 1. If (v, w) == (0, -1), return the point (s, t) = (0, 0). For all other undefined inputs, return the identity point on the Montgomery curve. (This follows from [BBJLP08], Section 3.)

To convert from Montgomery to twisted Edwards form, the mapping is

*  a = (J + 2) / K

*  d = (J - 2) / K

*  v = s / t

*  w = (s - 1) / (s + 1)

This mapping is defined when J != 2, J != -2, and K != 0; all Montgomery curves meet these criteria. The mapping is undefined when t == 0 or s == -1. If (s, t) == (0, 0), return the point (v, w) = (0, -1). For all other undefined inputs, return the identity point on the twisted Edwards curve, namely, (v, w) = (0, 1). (This follows from [BBJLP08], Section 3.)
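Both directions of the B.1 map, including the rules for undefined inputs, as an added Python example (not code from the draft or its repository). It assumes the edwards25519 parameters a = -1, d = -121665/121666 over GF(2^255 - 19) as the test curve; all function names are hypothetical and the sample points are constructed by the script itself.

```python
# Added example: Appendix B.1 maps over GF(P). Curve parameters are an
# assumption (edwards25519); sample points are constructed, not test vectors.
P = 2**255 - 19
A_ED = P - 1                                    # a = -1
D_ED = (-121665 * pow(121666, P - 2, P)) % P    # d = -121665/121666
INF = None                                      # Montgomery identity (point at infinity)


def inv(x):
    """Field inverse via Fermat; callers exclude x == 0 explicitly."""
    return pow(x % P, P - 2, P)


def montgomery_params(a, d):
    """J, K of K*t^2 = s^3 + J*s^2 + s for a*v^2 + w^2 = 1 + d*v^2*w^2."""
    if (a - d) % P == 0:
        raise ValueError("a == d: not a twisted Edwards curve")
    return 2 * (a + d) * inv(a - d) % P, 4 * inv(a - d) % P


def edwards_params(J, K):
    """Inverse parameter conversion: a = (J + 2) / K, d = (J - 2) / K."""
    return (J + 2) * inv(K) % P, (J - 2) * inv(K) % P


def on_edwards(pt, a, d):
    v, w = pt
    return (a * v * v + w * w - 1 - d * v * v * w * w) % P == 0


def on_montgomery(pt, J, K):
    if pt is INF:
        return True
    s, t = pt
    return (K * t * t - (pow(s, 3, P) + J * s * s + s)) % P == 0


def edwards_to_montgomery(pt):
    v, w = pt[0] % P, pt[1] % P
    if v == 0 or w == 1:                  # mapping undefined here
        return (0, 0) if (v, w) == (0, P - 1) else INF
    s = (1 + w) * inv(1 - w) % P
    t = (1 + w) * inv(v * (1 - w)) % P
    return (s, t)


def montgomery_to_edwards(pt):
    if pt is INF:
        return (0, 1)
    s, t = pt[0] % P, pt[1] % P
    if t == 0 or s == P - 1:              # mapping undefined here
        return (0, P - 1) if (s, t) == (0, 0) else (0, 1)
    return (s * inv(t) % P, (s - 1) * inv(s + 1) % P)


def sqrt_mod(x):
    """Square root in GF(P) for P = 5 (mod 8); None if x is a non-square."""
    x %= P
    r = pow(x, (P + 3) // 8, P)
    if r * r % P != x:
        r = r * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    return r if r * r % P == x else None


def sample_edwards_points(a, d, count):
    """Constructed input: solve v^2 = (1 - w^2) / (a - d*w^2) for w = 2, 3, ..."""
    pts, w = [], 2
    while len(pts) < count:
        v = sqrt_mod((1 - w * w) * inv(a - d * w * w))
        if v is not None:
            pts.append((v, w))
        w += 1
    return pts


def roundtrip_ok(count):
    """True if every sampled point lands on the Montgomery curve and maps back."""
    J, K = montgomery_params(A_ED, D_ED)
    for pt in sample_edwards_points(A_ED, D_ED, count):
        m = edwards_to_montgomery(pt)
        if not on_montgomery(m, J, K) or montgomery_to_edwards(m) != pt:
            return False
    return True


if __name__ == "__main__":
    J, K = montgomery_params(A_ED, D_ED)
    # For these parameters the generic map gives J = 486662 and K = -486664.
    print("J =", J, " K = -%d" % (P - K))
    print("round trip of 8 sampled points:", roundtrip_ok(8))
```

For these parameters the generic map yields K = -486664 rather than K = 1, so its output lies on a differently scaled Montgomery model than the K = 1 curve used in D.3.1.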
(Note that Section 6.8.1 gives a simpler rule for handling undefined inputs to this rational map: always return the identity point. The simpler rule gives the same result when used as part of an encoding function (Section 3), because the cofactor clearing step will always map the point (v, w) = (0, -1) to the identity point.)

Composing the mapping of this section with the mapping from Montgomery to Weierstrass curves in Appendix B.2 yields a mapping from twisted Edwards curves to Weierstrass curves, which is the form required by the mappings in Section 6.6. This composition of mappings can be used to apply the Shallue-van de Woestijne (Section 6.6.1) or Simplified SWU (Section 6.6.2) method to twisted Edwards curves.

B.2.  Montgomery to Weierstrass curves

The rational map from the point (s, t) on the Montgomery curve

   K * t^2 = s^3 + J * s^2 + s

to the point (x, y) on the equivalent Weierstrass curve

   y^2 = x^3 + A * x + B

is given by:

*  A = (3 - J^2) / (3 * K^2)

*  B = (2 * J^3 - 9 * J) / (27 * K^3)

*  x = (3 * s + J) / (3 * K)

*  y = t / K

The inverse map, from the point (x, y) to the point (s, t), is given by

*  s = (3 * K * x - J) / 3

*  t = y * K

This mapping can be used to apply the Shallue-van de Woestijne (Section 6.6.1) or Simplified SWU (Section 6.6.2) method to Montgomery curves.

Appendix C.  Isogeny maps for Suites

This section specifies the isogeny maps for the secp256k1 and BLS12-381 suites listed in Section 8.

These maps are given in terms of affine coordinates. Wahby and Boneh ([WB19], Section 4.3) show how to evaluate these maps in a projective coordinate system (Appendix D.1), which avoids modular inversions.

Refer to the draft repository [hash2curve-repo] for a Sage [SAGE] script that constructs these isogenies.

C.1.  3-isogeny map for secp256k1

This section specifies the isogeny map for the secp256k1 suite listed in Section 8.7.
The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions: * x = x_num / x_den, where - x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1,0) - x_den = x'^2 + k_(2,1) * x' + k_(2,0) Faz-Hernandez, et al. Expires 29 October 2020 [Page 64] Internet-Draft hash-to-curve April 2020 * y = y' * y_num / y_den, where - y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3,0) - y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0) The constants used to compute x_num are as follows: * k_(1,0) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7 * k_(1,1) = 0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581 * k_(1,2) = 0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262 * k_(1,3) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c The constants used to compute x_den are as follows: * k_(2,0) = 0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b * k_(2,1) = 0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14 The constants used to compute y_num are as follows: * k_(3,0) = 0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c * k_(3,1) = 0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3 * k_(3,2) = 0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931 * k_(3,3) = 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84 The constants used to compute y_den are as follows: * k_(4,0) = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b Faz-Hernandez, et al. Expires 29 October 2020 [Page 65] Internet-Draft hash-to-curve April 2020 * k_(4,1) = 0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573 * k_(4,2) = 0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f C.2. 
11-isogeny map for BLS12-381 G1 The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions: * x = x_num / x_den, where - x_num = k_(1,11) * x'^11 + k_(1,10) * x'^10 + k_(1,9) * x'^9 + ... + k_(1,0) - x_den = x'^10 + k_(2,9) * x'^9 + k_(2,8) * x'^8 + ... + k_(2,0) * y = y' * y_num / y_den, where - y_num = k_(3,15) * x'^15 + k_(3,14) * x'^14 + k_(3,13) * x'^13 + ... + k_(3,0) - y_den = x'^15 + k_(4,14) * x'^14 + k_(4,13) * x'^13 + ... + k_(4,0) The constants used to compute x_num are as follows: * k_(1,0) = 0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b 56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7 * k_(1,1) = 0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e3 3c70d1e86b4838f2a6f318c356e834eef1b3cb83bb * k_(1,2) = 0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e50 1ec68e25c958c3e3d2a09729fe0179f9dac9edcb0 * k_(1,3) = 0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b332 89f1b330835336e25ce3107193c5b388641d9b6861 * k_(1,4) = 0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb6 5982fac18985a286f301e77c451154ce9ac8895d9 * k_(1,5) = 0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab 9097e68f90a0870d2dcae73d19cd13c1c66f652983 * k_(1,6) = 0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e21 8f9c86b2a8da25128c1052ecaddd7f225a139ed84 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 66] Internet-Draft hash-to-curve April 2020 * k_(1,7) = 0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c6 2ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e * k_(1,8) = 0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c 928c5d1de4fa295f296b74e956d71986a8497e317 * k_(1,9) = 0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314 baf4bb1b7fa3190b2edc0327797f241067be390c9e * k_(1,10) = 0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af 36003b14866f69b771f8c285decca67df3f1605fb7b * k_(1,11) = 0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf 1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229 The constants used to compute x_den are as follows: * k_(2,0) = 0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c95886 17fc8ac62b558d681be343df8993cf9fa40d21b1c * k_(2,1) = 0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2 588c48bf5713daa8846cb026e9e5c8276ec82b3bff * k_(2,2) = 0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e0 0b11aceacd6a3d0967c94fedcfcc239ba5cb83e19 * k_(2,3) = 0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8a bc28d6fd04976d5243eecf5c4130de8938dc62cd8 * k_(2,4) = 0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44 e833b306da9bd29ba81f35781d539d395b3532a21e * k_(2,5) = 0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bce f24b8982f7400d24bc4228f11c02df9a29f6304a5 * k_(2,6) = 0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073 062aede9cea73b3538f0de06cec2574496ee84a3a * k_(2,7) = 0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1 cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e * k_(2,8) = 0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da 67f39883503826692abba43704776ec3a79a1d641 * k_(2,9) = 0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533 978f31c1593174e4b4b7865002d6384d168ecdd0a The constants used to compute y_num are as follows: Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 67] Internet-Draft hash-to-curve April 2020 * k_(3,0) = 0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6 c956543d3cd0c7aee9b3ba3c2be9845719707bb33 * k_(3,1) = 0x134996a104ee5811d51036d776fb46831223e96c254f383d0f9063 43eb67ad34d6c56711962fa8bfe097e75a2e41c696 * k_(3,2) = 0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b 91400da7d26d521628b00523b8dfe240c72de1f6 * k_(3,3) = 0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3e c03251cf9de405aba9ec61deca6355c77b0e5f4cb * k_(3,4) = 0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd 221351adc2ee7f8dc099040a841b6daecf2e8fedb * k_(3,5) = 0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c 3d3ad5544e203f6326c95a807299b23ab13633a5f0 * k_(3,6) = 0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413 c4d634f3747a87ac2460f415ec961f8855fe9d6f2 * k_(3,7) = 0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da 6c26c842642f64550fedfe935a15e4ca31870fb29 * k_(3,8) = 0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6 a1f20cabe69d65201c78607a360370e577bdba587 * k_(3,9) = 0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7 ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30 * k_(3,10) = 0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183 e416389e61031bf3a5cce3fbafce813711ad011c132 * k_(3,11) = 0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bf e7f911f643249d9cdf41b44d606ce07c8a4d0074d8e * k_(3,12) = 0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710 e807b4633f06c851c1919211f20d4c04f00b971ef8 * k_(3,13) = 0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e663 2d3c40659cc6cf90ad1c232a6442d9d3f5db980133 * k_(3,14) = 0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f 5d396a7ce46ba1049b6579afb7866b1e715475224b * k_(3,15) = 0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add 4fa95af01b2b665027efec01c7704b456be69c8b604 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 68] Internet-Draft hash-to-curve April 2020 The constants used to compute y_den are as follows: * k_(4,0) = 0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec323 2b5be72e7a07f3688ef60c206d01479253b03663c1 * k_(4,1) = 0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a103 56f453e01f78a4260763529e3532f6102c2e49a03d * k_(4,2) = 0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5d d279cd2eca6757cd636f96f891e2538b53dbf67f2 * k_(4,3) = 0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da4 89e726af41727364f2c28297ada8d26d98445f5416 * k_(4,4) = 0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0 fc9dec916a20b15dc0fd2ededda39142311a5001d * k_(4,5) = 0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87 b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac * k_(4,6) = 0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365 bc400a0051d5fa9c01a58b1fb93d1a1399126a775c * k_(4,7) = 0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34f d206357132b920f5b00801dee460ee415a15812ed9 * k_(4,8) = 0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc575 0c4bf39b4852cfe2f7bb9248836b233d9d55535d4a * k_(4,9) = 0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb530859 2e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55 * k_(4,10) = 0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b 36e636a5c871a5c29f4f83060400f8b49cba8f6aa8 * k_(4,11) = 0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a 88cea7913516f968986f7ebbea9684b529e2561092 * k_(4,12) = 0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5cee f9a00d9b8693000763e3b90ac11e99b138573345cc * k_(4,13) = 0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748d f27942480e420517bd8714cc80d1fadc1326ed06f7 * k_(4,14) = 0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efc d6356caa205ca2f570f13497804415473a1d634b8f Faz-Hernandez, et al. Expires 29 October 2020 [Page 69] Internet-Draft hash-to-curve April 2020 C.3. 
3-isogeny map for BLS12-381 G2 The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions: * x = x_num / x_den, where - x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1,0) - x_den = x'^2 + k_(2,1) * x' + k_(2,0) * y = y' * y_num / y_den, where - y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3,0) - y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0) The constants used to compute x_num are as follows: * k_(1,0) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 3c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6 + 0x5c759507e8e333ebb5b7 a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaa aaaaa97d6 * I * k_(1,1) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 6b4f20a4181472aaa9cb8d555526a9ffffffffc71a * I * k_(1,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 6b4f20a4181472aaa9cb8d555526a9ffffffffc71e + 0x8ab05f8bdd54cde1909 37e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ff ffffffe38d * I * k_(1,3) = 0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d610 8f142b85757098e38d0f671c7188e2aaaaaaaa5ed1 The constants used to compute x_den are as follows: * k_(2,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 a0f6b0f6241eabfffeb153ffffb9feffffffffaa63 * I * k_(2,1) = 0xc + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf 6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f * I The constants used to compute y_num are as follows: Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 70] Internet-Draft hash-to-curve April 2020 * k_(3,0) = 0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439 d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706 + 0x1530477c7ab4113b59a 4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc 71c71c6d706 * I * k_(3,1) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 3c50ae15d5c2638e343d9c71c6238aaaaaaaa97be * I * k_(3,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 6b4f20a4181472aaa9cb8d555526a9ffffffffc71c + 0x8ab05f8bdd54cde1909 37e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ff ffffffe38f * I * k_(3,3) = 0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977 c69aa274524e79097a56dc4bd9e1b371c71c718b10 The constants used to compute y_den are as follows: * k_(4,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb + 0x1a0111ea397fe69a4b1 ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9fef fffffffa8fb * I * k_(4,1) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3 * I * k_(4,2) = 0x12 + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512b f6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99 * I Appendix D. Sample Code This section gives sample implementations optimized for some of the elliptic curves listed in Section 8. Sample Sage [SAGE] code for each algorithm can also be found in the draft repository [hash2curve-repo]. D.1. Interface and projective coordinate systems The sample code in this section uses a different interface than the mappings of Section 6. Specifically, each mapping function in this section has the following signature: (xn, xd, yn, yd) = map_to_curve(u) The resulting point (x, y) is given by (xn / xd, yn / yd). Faz-Hernandez, et al. 
The reason for this modified interface is that it enables further optimizations when working with points in a projective coordinate system. This is desirable, for example, when the resulting point will be immediately multiplied by a scalar, since most scalar multiplication algorithms operate on projective points.

The following are two commonly used projective coordinate systems and the corresponding conversions:

*  A point (X, Y, Z) in homogeneous projective coordinates corresponds to the affine point (x, y) = (X / Z, Y / Z); the inverse conversion is given by (X, Y, Z) = (x, y, 1). To convert (xn, xd, yn, yd) to homogeneous projective coordinates, compute (X, Y, Z) = (xn * yd, yn * xd, xd * yd).

*  A point (X', Y', Z') in Jacobian projective coordinates corresponds to the affine point (x, y) = (X' / Z'^2, Y' / Z'^3); the inverse conversion is given by (X', Y', Z') = (x, y, 1). To convert (xn, xd, yn, yd) to Jacobian projective coordinates, compute (X', Y', Z') = (xn * xd * yd^2, yn * yd^2 * xd^3, xd * yd).

D.2.  Simplified SWU

D.2.1.  q = 3 (mod 4)

The following is a straight-line implementation of the Simplified SWU mapping that applies to any curve over GF(q) where q = 3 (mod 4). This includes the ciphersuites for NIST curves P-256, P-384, and P-521 [FIPS186-4] given in Section 8. It also includes the curves isogenous to secp256k1 (Section 8.7) and BLS12-381 G1 (Section 8.8.1).

The implementations for these curves differ only in the constants and the base field. The constant definitions below are given in terms of the parameters for the Simplified SWU mapping; for parameter values for the curves listed above, see Section 8.2 (P-256), Section 8.3 (P-384), Section 8.4 (P-521), Section 8.7 (E' isogenous to secp256k1), and Section 8.8.1 (E' isogenous to BLS12-381 G1).

   map_to_curve_simple_swu_3mod4(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on the target curve.

   Constants:
   1.  c1 = (q - 3) / 4           # Integer arithmetic
   2.  c2 = sqrt(-Z^3)

   Steps:
   1.  tv1 = u^2
   2.  tv3 = Z * tv1
   3.  tv2 = tv3^2
   4.   xd = tv2 + tv3
   5.  x1n = xd + 1
   6.  x1n = x1n * B
   7.   xd = -A * xd
   8.   e1 = xd == 0
   9.   xd = CMOV(xd, Z * A, e1)  # If xd == 0, set xd = Z * A
   10. tv2 = xd^2
   11. gxd = tv2 * xd             # gxd == xd^3
   12. tv2 = A * tv2
   13. gx1 = x1n^2
   14. gx1 = gx1 + tv2            # x1n^2 + A * xd^2
   15. gx1 = gx1 * x1n            # x1n^3 + A * x1n * xd^2
   16. tv2 = B * gxd
   17. gx1 = gx1 + tv2            # x1n^3 + A * x1n * xd^2 + B * xd^3
   18. tv4 = gxd^2
   19. tv2 = gx1 * gxd
   20. tv4 = tv4 * tv2            # gx1 * gxd^3
   21.  y1 = tv4^c1               # (gx1 * gxd^3)^((q - 3) / 4)
   22.  y1 = y1 * tv2             # gx1 * gxd * (gx1 * gxd^3)^((q - 3) / 4)
   23. x2n = tv3 * x1n            # x2 = x2n / xd = Z * u^2 * x1n / xd
   24.  y2 = y1 * c2              # y2 = y1 * sqrt(-Z^3)
   25.  y2 = y2 * tv1
   26.  y2 = y2 * u
   27. tv2 = y1^2
   28. tv2 = tv2 * gxd
   29.  e2 = tv2 == gx1
   30.  xn = CMOV(x2n, x1n, e2)   # If e2, x = x1, else x = x2
   31.   y = CMOV(y2, y1, e2)     # If e2, y = y1, else y = y2
   32.  e3 = sgn0(u) == sgn0(y)   # Fix sign of y
   33.   y = CMOV(-y, y, e3)
   34. return (xn, xd, y, 1)

D.2.2.  q = 5 (mod 8)

The following is a straight-line implementation of the Simplified SWU mapping that applies to any curve over GF(q) where q = 5 (mod 8).

   map_to_curve_simple_sswu_5mod8(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on the target curve.

   Constants:
   1.  c1 = (q - 5) / 8           # Integer arithmetic
   2.  c2 = sqrt(-1)
   3.  c3 = sqrt(Z^3 / c2)

   Steps:
   1.  tv1 = u^2
   2.  tv3 = Z * tv1
   3.  tv5 = tv3^2
   4.   xd = tv5 + tv3
   5.  x1n = xd + 1
   6.  x1n = x1n * B
   7.   xd = -A * xd
   8.   e1 = xd == 0
   9.   xd = CMOV(xd, Z * A, e1)  # If xd == 0, set xd = Z * A
   10. tv2 = xd^2
   11. gxd = tv2 * xd             # gxd == xd^3
   12. tv2 = A * tv2
   13. gx1 = x1n^2
   14. gx1 = gx1 + tv2            # x1n^2 + A * xd^2
   15. gx1 = gx1 * x1n            # x1n^3 + A * x1n * xd^2
   16. tv2 = B * gxd
   17. gx1 = gx1 + tv2            # x1n^3 + A * x1n * xd^2 + B * xd^3
   18. tv4 = gxd^2
   19. tv2 = tv4 * gxd            # gxd^3
   20. tv4 = tv4^2                # gxd^4
   21. tv2 = tv2 * gx1            # gx1 * gxd^3
   22. tv4 = tv4 * tv2            # gx1 * gxd^7
   23.   y = tv4^c1               # (gx1 * gxd^7)^((q - 5) / 8)
   24.   y = y * tv2              # This is almost sqrt(gx1)
   25. tv4 = y * c2               # check the two possible sqrts
   26. tv2 = tv4^2
   27. tv2 = tv2 * gxd
   28.  e2 = tv2 == gx1
   29.   y = CMOV(y, tv4, e2)
   30. gx2 = gx1 * tv5
   31. gx2 = gx2 * tv3            # gx2 = gx1 * Z^3 * u^6
   32. tv1 = y * tv1
   33. tv1 = tv1 * u              # This is almost sqrt(gx2)
   34. tv1 = tv1 * c3             # check the two possible sqrts
   35. tv4 = tv1 * c2
   36. tv2 = tv4^2
   37. tv2 = tv2 * gxd
   38.  e3 = tv2 == gx2
   39. tv1 = CMOV(tv1, tv4, e3)
   40. tv2 = y^2
   41. tv2 = tv2 * gxd
   42.  e4 = tv2 == gx1
   43.   y = CMOV(tv1, y, e4)     # choose correct y-coordinate
   44. tv2 = tv3 * x1n            # x2 = x2n / xd = Z * u^2 * x1n / xd
   45.  xn = CMOV(tv2, x1n, e4)   # choose correct x-coordinate
   46.  e5 = sgn0(u) == sgn0(y)   # Fix sign of y
   47.   y = CMOV(-y, y, e5)
   48. return (xn, xd, y, 1)

D.2.3.  q = 9 (mod 16)

The following is a straight-line implementation of the Simplified SWU mapping that applies to any curve over GF(q) where q = 9 (mod 16). This includes the curve isogenous to BLS12-381 G2 (Section 8.8.2).

   map_to_curve_simple_swu_9mod16(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on the target curve.

   Constants:
   1.  c1 = (q - 9) / 16          # Integer arithmetic
   2.  c2 = sqrt(-1)
   3.  c3 = sqrt(c2)
   4.  c4 = sqrt(Z^3 / c3)
   5.  c5 = sqrt(Z^3 / (c2 * c3))

   Steps:
   1.  tv1 = u^2
   2.  tv3 = Z * tv1
   3.  tv5 = tv3^2
   4.   xd = tv5 + tv3
   5.  x1n = xd + 1
   6.  x1n = x1n * B
   7.   xd = -A * xd
   8.   e1 = xd == 0
   9.   xd = CMOV(xd, Z * A, e1)  # If xd == 0, set xd = Z * A
   10. tv2 = xd^2
   11. gxd = tv2 * xd             # gxd == xd^3
   12. tv2 = A * tv2
   13. gx1 = x1n^2
   14. gx1 = gx1 + tv2            # x1n^2 + A * xd^2
   15. gx1 = gx1 * x1n            # x1n^3 + A * x1n * xd^2
   16. tv2 = B * gxd
   17. gx1 = gx1 + tv2            # x1n^3 + A * x1n * xd^2 + B * xd^3
   18. tv4 = gxd^2
   19. tv2 = tv4 * gxd            # gxd^3
   20. tv4 = tv4^2                # gxd^4
   21. tv2 = tv2 * tv4            # gxd^7
   22. tv2 = tv2 * gx1            # gx1 * gxd^7
   23. tv4 = tv4^2                # gxd^8
   24. tv4 = tv2 * tv4            # gx1 * gxd^15
   25.   y = tv4^c1               # (gx1 * gxd^15)^((q - 9) / 16)
   26.   y = y * tv2              # This is almost sqrt(gx1)
   27. tv4 = y * c2               # check the four possible sqrts
   28. tv2 = tv4^2
   29. tv2 = tv2 * gxd
   30.  e2 = tv2 == gx1
   31.   y = CMOV(y, tv4, e2)
   32. tv4 = y * c3
   33. tv2 = tv4^2
   34. tv2 = tv2 * gxd
   35.  e3 = tv2 == gx1
   36.   y = CMOV(y, tv4, e3)
   37. tv4 = tv4 * c2
   38. tv2 = tv4^2
   39. tv2 = tv2 * gxd
   40.  e4 = tv2 == gx1
   41.   y = CMOV(y, tv4, e4)     # if x1 is square, this is its sqrt
   42. gx2 = gx1 * tv5
   43. gx2 = gx2 * tv3            # gx2 = gx1 * Z^3 * u^6
   44. tv5 = y * tv1
   45. tv5 = tv5 * u              # This is almost sqrt(gx2)
   46. tv1 = tv5 * c4             # check the four possible sqrts
   47. tv4 = tv1 * c2
   48. tv2 = tv4^2
   49. tv2 = tv2 * gxd
   50.  e5 = tv2 == gx2
   51. tv1 = CMOV(tv1, tv4, e5)
   52. tv4 = tv5 * c5
   53. tv2 = tv4^2
   54. tv2 = tv2 * gxd
   55.  e6 = tv2 == gx2
   56. tv1 = CMOV(tv1, tv4, e6)
   57. tv4 = tv4 * c2
   58. tv2 = tv4^2
   59. tv2 = tv2 * gxd
   60.  e7 = tv2 == gx2
   61. tv1 = CMOV(tv1, tv4, e7)
   62. tv2 = y^2
   63. tv2 = tv2 * gxd
   64.  e8 = tv2 == gx1
   65.   y = CMOV(tv1, y, e8)     # choose correct y-coordinate
   66. tv2 = tv3 * x1n            # x2 = x2n / xd = Z * u^2 * x1n / xd
   67.  xn = CMOV(tv2, x1n, e8)   # choose correct x-coordinate
   68.  e9 = sgn0(u) == sgn0(y)   # Fix sign of y
   69.   y = CMOV(-y, y, e9)
   70. return (xn, xd, y, 1)

D.3.  Elligator 2

D.3.1.  curve25519 (q = 5 (mod 8), K = 1)

The following is a straight-line implementation of Elligator 2 for curve25519 [RFC7748] as specified in Section 8.5.

This implementation can also be used for any Montgomery curve with K = 1 over GF(q) where q = 5 (mod 8).

   map_to_curve_elligator2_curve25519(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on curve25519.

   Constants:
   1.  c1 = (q + 3) / 8           # Integer arithmetic
   2.  c2 = 2^c1
   3.  c3 = sqrt(-1)
   4.  c4 = (q - 5) / 8           # Integer arithmetic

   Steps:
   1.  tv1 = u^2
   2.  tv1 = 2 * tv1
   3.   xd = tv1 + 1              # Nonzero: -1 is square (mod q), tv1 is not
   4.  x1n = -J                   # x1 = x1n / xd = -J / (1 + 2 * u^2)
   5.  tv2 = xd^2
   6.  gxd = tv2 * xd             # gxd = xd^3
   7.  gx1 = J * tv1              # x1n + J * xd
   8.  gx1 = gx1 * x1n            # x1n^2 + J * x1n * xd
   9.  gx1 = gx1 + tv2            # x1n^2 + J * x1n * xd + xd^2
   10. gx1 = gx1 * x1n            # x1n^3 + J * x1n^2 * xd + x1n * xd^2
   11. tv3 = gxd^2
   12. tv2 = tv3^2                # gxd^4
   13. tv3 = tv3 * gxd            # gxd^3
   14. tv3 = tv3 * gx1            # gx1 * gxd^3
   15. tv2 = tv2 * tv3            # gx1 * gxd^7
   16. y11 = tv2^c4               # (gx1 * gxd^7)^((q - 5) / 8)
   17. y11 = y11 * tv3            # gx1 * gxd^3 * (gx1 * gxd^7)^((q - 5) / 8)
   18. y12 = y11 * c3
   19. tv2 = y11^2
   20. tv2 = tv2 * gxd
   21.  e1 = tv2 == gx1
   22.  y1 = CMOV(y12, y11, e1)   # If g(x1) is square, this is its sqrt
   23. x2n = x1n * tv1            # x2 = x2n / xd = 2 * u^2 * x1n / xd
   24. y21 = y11 * u
   25. y21 = y21 * c2
   26. y22 = y21 * c3
   27. gx2 = gx1 * tv1            # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
   28. tv2 = y21^2
   29. tv2 = tv2 * gxd
   30.  e2 = tv2 == gx2
   31.  y2 = CMOV(y22, y21, e2)   # If g(x2) is square, this is its sqrt
   32. tv2 = y1^2
   33. tv2 = tv2 * gxd
   34.  e3 = tv2 == gx1
   35.  xn = CMOV(x2n, x1n, e3)   # If e3, x = x1, else x = x2
   36.   y = CMOV(y2, y1, e3)     # If e3, y = y1, else y = y2
   37.  e4 = sgn0(u) == sgn0(y)   # Fix sign of y
   38.   y = CMOV(-y, y, e4)
   39. return (xn, xd, y, 1)

D.3.2.
edwards25519 The following is a straight-line implementation of Elligator 2 for edwards25519 [RFC7748] as specified in Section 8.5. The subroutine map_to_curve_elligator2_curve25519 is defined in Appendix D.3.1. Faz-Hernandez, et al. Expires 29 October 2020 [Page 78] Internet-Draft hash-to-curve April 2020 map_to_curve_elligator2_edwards25519(u) Input: u, an element of F. Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a point on edwards25519. Constants: 1. c1 = sqrt(-486664) # sgn0(c1) MUST equal 0 Steps: 1. (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u) 2. xn = xMn * yMd 3. xn = xn * c1 4. xd = xMd * yMn # xn / xd = c1 * xM / yM 5. yn = xMn - xMd 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d) 7. tv1 = xd * yd 8. e = tv1 == 0 9. xn = CMOV(xn, 0, e) 10. xd = CMOV(xd, 1, e) 11. yn = CMOV(yn, 1, e) 12. yd = CMOV(yd, 1, e) 13. return (xn, xd, yn, yd) D.3.3. curve448 (q = 3 (mod 4), K = 1) The following is a straight-line implementation of Elligator 2 for curve448 [RFC7748] as specified in Section 8.6. This implementation can also be used for any Montgomery curve with K = 1 over GF(q) where q = 3 (mod 4). Faz-Hernandez, et al. Expires 29 October 2020 [Page 79] Internet-Draft hash-to-curve April 2020 map_to_curve_elligator2_curve448(u) Input: u, an element of F. Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a point on curve448. Constants: 1. c1 = (q - 3) / 4 # Integer arithmetic Steps: 1. tv1 = u^2 2. e1 = tv1 == 1 3. tv1 = CMOV(tv1, 0, e1) # If Z * u^2 == -1, set tv1 = 0 4. xd = 1 - tv1 5. x1n = -J 6. tv2 = xd^2 7. gxd = tv2 * xd # gxd = xd^3 8. gx1 = -J * tv1 # x1n + J * xd 9. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd 10. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2 11. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2 12. tv3 = gxd^2 13. tv2 = gx1 * gxd # gx1 * gxd 14. tv3 = tv3 * tv2 # gx1 * gxd^3 15. y1 = tv3^c1 # (gx1 * gxd^3)^((p - 3) / 4) 16. y1 = y1 * tv2 # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4) 17. 
x2n = -tv1 * x1n # x2 = x2n / xd = -1 * u^2 * x1n / xd 18. y2 = y1 * u 19. y2 = CMOV(y2, 0, e1) 20. tv2 = y1^2 21. tv2 = tv2 * gxd 22. e2 = tv2 == gx1 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2 25. e3 = sgn0(u) == sgn0(y) # Fix sign of y 26. y = CMOV(-y, y, e3) 27. return (xn, xd, y, 1) D.3.4. edwards448 The following is a straight-line implementation of Elligator 2 for edwards448 [RFC7748] as specified in Section 8.6. The subroutine map_to_curve_elligator2_curve448 is defined in Appendix D.3.3. Faz-Hernandez, et al. Expires 29 October 2020 [Page 80] Internet-Draft hash-to-curve April 2020 map_to_curve_elligator2_edwards448(u) Input: u, an element of F. Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a point on edwards448. Steps: 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u) 2. xn2 = xn^2 3. xd2 = xd^2 4. xd4 = xd2^2 5. yn2 = yn^2 6. yd2 = yd^2 7. xEn = xn2 - xd2 8. tv2 = xEn - xd2 9. xEn = xEn * xd2 10. xEn = xEn * yd 11. xEn = xEn * yn 12. xEn = xEn * 4 13. tv2 = tv2 * xn2 14. tv2 = tv2 * yd2 15. tv3 = 4 * yn2 16. tv1 = tv3 + yd2 17. tv1 = tv1 * xd4 18. xEd = tv1 + tv2 19. tv2 = tv2 * xn 20. tv4 = xn * xd4 21. yEn = tv3 - yd2 22. yEn = yEn * tv4 23. yEn = yEn - tv2 24. tv1 = xn2 + xd2 25. tv1 = tv1 * xd2 26. tv1 = tv1 * xd 27. tv1 = tv1 * yn2 28. tv1 = -2 * tv1 29. yEd = tv2 + tv1 30. tv4 = tv4 * yd2 31. yEd = yEd + tv4 32. tv1 = xEd * yEd 33. e = tv1 == 0 34. xEn = CMOV(xEn, 0, e) 35. xEd = CMOV(xEd, 1, e) 36. yEn = CMOV(yEn, 1, e) 37. yEd = CMOV(yEd, 1, e) 38. return (xEn, xEd, yEn, yEd) Faz-Hernandez, et al. Expires 29 October 2020 [Page 81] Internet-Draft hash-to-curve April 2020 D.3.5. q = 3 (mod 4) The following is a straight-line implementation of Elligator 2 that applies to any curve over GF(q) where q = 3 (mod 4). For curves where K = 1, the implementation given in Appendix D.3.3 gives identical results with slightly reduced cost. Faz-Hernandez, et al. 
   map_to_curve_elligator2_3mod4(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on the target curve.

   Constants:
   1. c1 = (q - 3) / 4  # Integer arithmetic
   2. c2 = K^2

   Steps:
   1. tv1 = u^2
   2. e1 = tv1 == 1
   3. tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
   4. xd = 1 - tv1
   5. xd = xd * K
   6. x1n = -J  # x1 = x1n / xd = -J / (K * (1 + 2 * u^2))
   7. tv2 = xd^2
   8. gxd = tv2 * xd
   9. gxd = gxd * c2  # gxd = xd^3 * K^2
   10. gx1 = x1n * K
   11. tv3 = xd * J
   12. tv3 = gx1 + tv3  # x1n * K + xd * J
   13. gx1 = gx1 * tv3  # K^2 * x1n^2 + J * K * x1n * xd
   14. gx1 = gx1 + tv2  # K^2 * x1n^2 + J * K * x1n * xd + xd^2
   15. gx1 = gx1 * x1n  # K^2 * x1n^3 + J * K * x1n^2 * xd + x1n * xd^2
   16. tv3 = gxd^2
   17. tv2 = gx1 * gxd  # gx1 * gxd
   18. tv3 = tv3 * tv2  # gx1 * gxd^3
   19. y1 = tv3^c1  # (gx1 * gxd^3)^((q - 3) / 4)
   20. y1 = y1 * tv2  # gx1 * gxd * (gx1 * gxd^3)^((q - 3) / 4)
   21. x2n = -tv1 * x1n  # x2 = x2n / xd = -1 * u^2 * x1n / xd
   22. y2 = y1 * u
   23. y2 = CMOV(y2, 0, e1)
   24. tv2 = y1^2
   25. tv2 = tv2 * gxd
   26. e2 = tv2 == gx1
   27. xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
   28. xn = xn * K
   29. y = CMOV(y2, y1, e2)  # If e2, y = y1, else y = y2
   30. y = y * K
   31. e3 = sgn0(u) == sgn0(y)  # Fix sign of y
   32. y = CMOV(-y, y, e3)
   33. return (xn, xd, y, 1)

D.3.6.  q = 5 (mod 8)

   The following is a straight-line implementation of Elligator 2 that
   applies to any curve over GF(q) where q = 5 (mod 8).

   For curves where K = 1, the implementation given in Appendix D.3.1
   gives identical results with slightly reduced cost.

   map_to_curve_elligator2_5mod8(u)

   Input: u, an element of F.
   Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
           point on the target curve.

   Constants:
   1. c1 = (q + 3) / 8  # Integer arithmetic
   2. c2 = 2^c1
   3. c3 = sqrt(-1)
   4. c4 = (q - 5) / 8  # Integer arithmetic
   5. c5 = K^2

   Steps:
   1. tv1 = u^2
   2. tv1 = 2 * tv1
   3. xd = tv1 + 1  # Nonzero: -1 is square (mod p), tv1 is not
   4. xd = xd * K
   5. x1n = -J  # x1 = x1n / xd = -J / (K * (1 + 2 * u^2))
   6. tv2 = xd^2
   7. gxd = tv2 * xd
   8. gxd = gxd * c5  # gxd = xd^3 * K^2
   9. gx1 = x1n * K
   10. tv3 = xd * J
   11. tv3 = gx1 + tv3  # x1n * K + xd * J
   12. gx1 = gx1 * tv3  # K^2 * x1n^2 + J * K * x1n * xd
   13. gx1 = gx1 + tv2  # K^2 * x1n^2 + J * K * x1n * xd + xd^2
   14. gx1 = gx1 * x1n  # K^2 * x1n^3 + J * K * x1n^2 * xd + x1n * xd^2
   15. tv3 = gxd^2
   16. tv2 = tv3^2  # gxd^4
   17. tv3 = tv3 * gxd  # gxd^3
   18. tv3 = tv3 * gx1  # gx1 * gxd^3
   19. tv2 = tv2 * tv3  # gx1 * gxd^7
   20. y11 = tv2^c4  # (gx1 * gxd^7)^((q - 5) / 8)
   21. y11 = y11 * tv3  # gx1 * gxd^3 * (gx1 * gxd^7)^((q - 5) / 8)
   22. y12 = y11 * c3
   23. tv2 = y11^2
   24. tv2 = tv2 * gxd
   25. e1 = tv2 == gx1
   26. y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
   27. x2n = x1n * tv1  # x2 = x2n / xd = 2 * u^2 * x1n / xd
   28. y21 = y11 * u
   29. y21 = y21 * c2
   30. y22 = y21 * c3
   31. gx2 = gx1 * tv1  # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
   32. tv2 = y21^2
   33. tv2 = tv2 * gxd
   34. e2 = tv2 == gx2
   35. y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
   36. tv2 = y1^2
   37. tv2 = tv2 * gxd
   38. e3 = tv2 == gx1
   39. xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
   40. xn = xn * K
   41. y = CMOV(y2, y1, e3)  # If e3, y = y1, else y = y2
   42. y = y * K
   43. e4 = sgn0(u) == sgn0(y)  # Fix sign of y
   44. y = CMOV(-y, y, e4)
   45. return (xn, xd, y, 1)

D.4.  Cofactor Clearing for BLS12-381 G2

   The curve BLS12-381, whose parameters are defined in Section 8.8.2,
   admits an efficiently-computable endomorphism psi that can be used to
   speed up cofactor clearing for G2 [SBCDK09] [FKR11] [BP17] (see also
   Section 7). This section implements the endomorphism psi and a fast
   cofactor clearing method described by Budroni and Pintore [BP17].
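   The straight-line mappings of Appendices D.2 and D.3 above never
   invert gxd: one exponentiation yields a candidate for
   sqrt(gx1 / gxd), and the comparison y^2 * gxd == gx1 decides whether
   it is valid. The following Python code is an added example, not part
   of this draft, that isolates that step for the three field families
   and checks it against inversion followed by Euler's criterion. The
   names sqrt_ratio_*, nonsquare and mismatches are hypothetical; the
   code assumes a prime field (q = p), reduced inputs and d != 0.

```python
# Added example (not from the draft). n and d play the roles of gx1 and gxd.
# Each routine returns (y, ok); ok is True exactly when n / d is square,
# and then y^2 == n / d. With d = 1 the 3 (mod 4) and 5 (mod 8) routines
# reduce to x^((q + 1) / 4) and x^((q + 3) / 8), as in Appendix F.


def CMOV(a, b, c):
    # Section 4 semantics: a if c is False, else b. Masked select, no branch.
    # Python integers are not constant-time; this mirrors the structure only.
    return a ^ ((a ^ b) & -int(c))


def nonsquare(p):
    # Hypothetical setup helper: smallest non-square in GF(p). Public value.
    return next(n for n in range(2, p) if pow(n, (p - 1) // 2, p) == p - 1)


def sqrt_ratio_3mod4(n, d, p):
    tv2 = n * d % p                              # gx1 * gxd
    tv3 = d * d % p * tv2 % p                    # gx1 * gxd^3
    y = pow(tv3, (p - 3) // 4, p) * tv2 % p
    return y, y * y % p * d % p == n % p


def sqrt_ratio_5mod8(n, d, p):
    c3 = pow(nonsquare(p), (p - 1) // 4, p)      # sqrt(-1), fixed per field
    d2 = d * d % p
    tv3 = d2 * d % p * n % p                     # gx1 * gxd^3
    tv2 = d2 * d2 % p * tv3 % p                  # gx1 * gxd^7
    y11 = pow(tv2, (p - 5) // 8, p) * tv3 % p
    y12 = y11 * c3 % p
    e1 = y11 * y11 % p * d % p == n
    y = CMOV(y12, y11, e1)
    return y, y * y % p * d % p == n


def sqrt_ratio_9mod16(n, d, p):
    g = nonsquare(p)
    c2 = pow(g, (p - 1) // 4, p)                 # sqrt(-1)
    c3 = pow(g, (p - 1) // 8, p)                 # sqrt(c2)
    d2 = d * d % p
    d4 = d2 * d2 % p
    tv2 = d4 * d2 % p * d % p * n % p            # gx1 * gxd^7
    tv4 = d4 * d4 % p * tv2 % p                  # gx1 * gxd^15
    y = pow(tv4, (p - 9) // 16, p) * tv2 % p     # "almost sqrt(gx1)"
    fits = lambda v: v * v % p * d % p == n
    tv4 = y * c2 % p                             # check the four candidates
    y = CMOV(y, tv4, fits(tv4))
    tv4 = y * c3 % p
    y = CMOV(y, tv4, fits(tv4))
    tv4 = tv4 * c2 % p
    y = CMOV(y, tv4, fits(tv4))
    return y, fits(y)


def sqrt_ratio(n, d, p):
    if p % 4 == 3:
        return sqrt_ratio_3mod4(n, d, p)
    if p % 8 == 5:
        return sqrt_ratio_5mod8(n, d, p)
    if p % 16 == 9:
        return sqrt_ratio_9mod16(n, d, p)
    raise ValueError("no special-purpose routine for p = 1 (mod 16)")


def mismatches(p):
    # Exhaustive comparison with the obvious method (invert d, then apply
    # Euler's criterion to x = n / d). Only for small, constructed primes.
    bad = []
    for d in range(1, p):
        d_inv = pow(d, p - 2, p)
        for n in range(p):
            x = n * d_inv % p
            want = pow(x, (p - 1) // 2, p) != p - 1
            y, ok = sqrt_ratio(n, d, p)
            if ok != want or (ok and y * y % p != x):
                bad.append((n, d))
    return bad
```

   When ok is False the returned y is not a square root of anything
   useful on its own; the mappings above reuse it only as the starting
   point for the second candidate x2.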
   The functions in this section operate on points whose coordinates are
   represented as ratios, i.e., (xn, xd, yn, yd) corresponds to the
   point (xn / xd, yn / yd); see Appendix D.1 for further discussion of
   projective coordinates. When points are represented in affine
   coordinates, one can simply ignore the denominators (xd == 1 and
   yd == 1).

   The following function computes the Frobenius endomorphism for an
   element of F = GF(p^2) with basis (1, I), where I^2 + 1 == 0 in F.
   (This is the base field of the elliptic curve E defined in
   Section 8.8.2.)

   frobenius(x)

   Input: x, an element of GF(p^2).
   Output: a, an element of GF(p^2).

   Notation: x = x0 + I * x1, where x0 and x1 are elements of GF(p).

   Steps:
   1. a = x0 - I * x1
   2. return a

   The following function computes the endomorphism psi for points on
   the elliptic curve E defined in Section 8.8.2.

   psi(xn, xd, yn, yd)

   Input: P, the point (xn / xd, yn / yd) on the curve E (see above).
   Output: Q, a point on the same curve.

   Constants:
   1. c1 = 1 / (1 + I)^((p - 1) / 3)  # in GF(p^2)
   2. c2 = 1 / (1 + I)^((p - 1) / 2)  # in GF(p^2)

   Steps:
   1. qxn = c1 * frobenius(xn)
   2. qxd = frobenius(xd)
   3. qyn = c2 * frobenius(yn)
   4. qyd = frobenius(yd)
   5. return (qxn, qxd, qyn, qyd)

   The following function efficiently computes psi(psi(P)).

   psi2(xn, xd, yn, yd)

   Input: P, the point (xn / xd, yn / yd) on the curve E (see above).
   Output: Q, a point on the same curve.

   Constants:
   1. c1 = 1 / 2^((p - 1) / 3)  # in GF(p^2)

   Steps:
   1. qxn = c1 * xn
   2. qyn = -yn
   3. return (qxn, xd, qyn, yd)

   The following function maps any point on the elliptic curve E
   (Section 8.8.2) into the prime-order subgroup G2. This function
   returns a point equal to h_eff * G2, where h_eff is the parameter
   given in Section 8.8.2.
   clear_cofactor_bls12381_g2(P)

   Input: P, the point (xn / xd, yn / yd) on the curve E (see above).
   Output: Q, a point in the subgroup G2 of BLS12-381.

   Constants:
   1. c1 = -15132376222941642752  # the BLS parameter for BLS12-381
                                  # i.e., -0xd201000000010000

   Notation: in this procedure, + and - represent elliptic curve point
   addition and subtraction, respectively, and * represents scalar
   multiplication.

   Steps:
   1. t1 = c1 * P
   2. t2 = psi(P)
   3. t3 = 2 * P
   4. t3 = psi2(t3)
   5. t3 = t3 - t2
   6. t2 = t1 + t2
   7. t2 = c1 * t2
   8. t3 = t3 + t2
   9. t3 = t3 - t1
   10. Q = t3 - P
   11. return Q

Appendix E.  Scripts for parameter generation

   This section gives Sage [SAGE] scripts used to generate parameters
   for the mappings of Section 6.

E.1.  Finding Z for the Shallue and van de Woestijne map

   The below function outputs an appropriate Z for the Shallue and van
   de Woestijne map (Section 6.6.1).
   # Arguments:
   # - F, a field object, e.g., F = GF(2^521 - 1)
   # - A and B, the coefficients of the curve equation y^2 = x^3 + A * x + B
   def find_z_svdw(F, A, B):
       g = lambda x: F(x)^3 + F(A) * F(x) + F(B)
       h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z))
       ctr = F.gen()
       while True:
           for Z_cand in (F(ctr), F(-ctr)):
               if g(Z_cand) == F(0):
                   # Criterion 1: g(Z) != 0 in F.
                   continue
               if h(Z_cand) == F(0):
                   # Criterion 2: -(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.
                   continue
               if not h(Z_cand).is_square():
                   # Criterion 3: -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
                   continue
               if g(Z_cand).is_square() or g(-Z_cand / F(2)).is_square():
                   # Criterion 4: At least one of g(Z) and g(-Z / 2) is square in F.
                   return Z_cand
           ctr += 1

E.2.  Finding Z for Simplified SWU

   The below function outputs an appropriate Z for the Simplified SWU
   map (Section 6.6.2).

   # Arguments:
   # - F, a field object, e.g., F = GF(2^521 - 1)
   # - A and B, the coefficients of the curve equation y^2 = x^3 + A * x + B
   def find_z_sswu(F, A, B):
       R.<xx> = F[]                       # Polynomial ring over F
       g = xx^3 + F(A) * xx + F(B)        # y^2 = g(x) = x^3 + A * x + B
       ctr = F.gen()
       while True:
           for Z_cand in (F(ctr), F(-ctr)):
               if Z_cand.is_square():
                   # Criterion 1: Z is non-square in F.
                   continue
               if Z_cand == F(-1):
                   # Criterion 2: Z != -1 in F.
                   continue
               if not (g - Z_cand).is_irreducible():
                   # Criterion 3: g(x) - Z is irreducible over F.
                   continue
               if g(B / (Z_cand * A)).is_square():
                   # Criterion 4: g(B / (Z * A)) is square in F.
                   return Z_cand
           ctr += 1

E.3.  Finding Z for Elligator 2

   The below function outputs an appropriate Z for the Elligator 2 map
   (Section 6.7.1).

   # Argument:
   # - F, a field object, e.g., F = GF(2^255 - 19)
   def find_z_ell2(F):
       ctr = F.gen()
       while True:
           for Z_cand in (F(ctr), F(-ctr)):
               if Z_cand.is_square():
                   # Z must be a non-square in F.
                   continue
               return Z_cand
           ctr += 1

Appendix F.  sqrt and is_square functions

   This section defines special-purpose sqrt functions for the three
   most common cases, q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16),
   plus a generic constant-time algorithm that works for any prime
   modulus.

   In addition, it gives an optimized is_square method for GF(p^2).

F.1.  q = 3 (mod 4)

   sqrt_3mod4(x)

   Parameters:
   - F, a finite field of characteristic p and order q = p^m.

   Input: x, an element of F.
   Output: z, an element of F such that (z^2) == x, if x is square in F.

   Constants:
   1. c1 = (q + 1) / 4  # Integer arithmetic

   Procedure:
   1. return x^c1

F.2.  q = 5 (mod 8)

   sqrt_5mod8(x)

   Parameters:
   - F, a finite field of characteristic p and order q = p^m.

   Input: x, an element of F.
   Output: z, an element of F such that (z^2) == x, if x is square in F.

   Constants:
   1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
   2. c2 = (q + 3) / 8  # Integer arithmetic

   Procedure:
   1. tv1 = x^c2
   2. tv2 = tv1 * c1
   3. e = (tv1^2) == x
   4. z = CMOV(tv2, tv1, e)
   5. return z

F.3.  q = 9 (mod 16)

   sqrt_9mod16(x)

   Parameters:
   - F, a finite field of characteristic p and order q = p^m.

   Input: x, an element of F.
   Output: z, an element of F such that (z^2) == x, if x is square in F.

   Constants:
   1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
   2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
   3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
   4. c4 = (q + 7) / 16  # Integer arithmetic

   Procedure:
   1. tv1 = x^c4
   2. tv2 = c1 * tv1
   3. tv3 = c2 * tv1
   4. tv4 = c3 * tv1
   5. e1 = (tv2^2) == x
   6. e2 = (tv3^2) == x
   7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
   8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
   9. e3 = (tv2^2) == x
   10. z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
   11. return z

F.4.  Constant-time Tonelli-Shanks algorithm

   This algorithm is a constant-time version of the classic
   Tonelli-Shanks algorithm ([C93], Algorithm 1.5.1) due to Sean Bowe,
   Jack Grigg, and Eirik Ogilvie-Wigley [jubjub-fq], adapted and
   optimized by Michael Scott.

   This algorithm applies to GF(p) for any p. Note, however, that the
   special-purpose algorithms given in the prior sections are faster,
   when they apply.

   sqrt_ts_ct(x)

   Parameters:
   - F, a finite field of characteristic p and order q = p^m.

   Input: x, an element of F.
   Output: z, an element of F such that z^2 == x, if x is square in F.

   Constants:
   1. c1, the largest integer such that 2^c1 divides q - 1.
   2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
   3. c3 = (c2 - 1) / 2  # Integer arithmetic
   4. c4, a non-square value in F
   5. c5 = c4^c2 in F

   Procedure:
   1. z = x^c3
   2. t = z * z * x
   3. z = z * x
   4. b = t
   5. c = c5
   6. for i in (c1, c1 - 1, ..., 2):
   7.     for j in (1, 2, ..., i - 2):
   8.         b = b * b
   9.     z = CMOV(z, z * c, b != 1)
   10.    c = c * c
   11.    t = CMOV(t, t * c, b != 1)
   12.    b = t
   13. return z

F.5.  is_square for F = GF(p^2)

   The following is_square method applies to any field F = GF(p^2) with
   basis (1, I) represented as described in Section 2.1, i.e., an
   element x = (x_1, x_2) = x_1 + x_2 * I.

   Other optimizations of this type are possible in other even-order
   extension fields; see [AR13].

   is_square(x)

   Parameters:
   - F, an extension field of characteristic p and order q = p^2
     with basis (1, I).

   Input: x, an element of F.
   Output: True if x is square in F, and False otherwise.

   Constants:
   1. c1 = (p - 1) / 2  # Integer arithmetic

   Procedure:
   1. tv1 = x_1^2
   2. tv2 = I * x_2
   3. tv2 = tv2^2
   4. tv1 = tv1 - tv2
   5. tv1 = tv1^c1
   6. e1 = tv1 != -1  # Note: -1 in F
   7. return e1

Appendix G.  Test vectors

   This section gives test vectors for each suite defined in Section 8.
   The test vectors in this section were generated using code that is
   available from [hash2curve-repo].

   Each test vector in this section lists values computed by the
   appropriate encoding function, with variable names defined as in
   Section 3. For example, for a suite whose encoding type is random
   oracle, the test vector gives the value for msg, u, Q0, Q1, and the
   output point P.

G.1.  NIST P-256

G.1.1.  P256_XMD:SHA-256_SSWU_RO_

   suite = P256_XMD:SHA-256_SSWU_RO_
   dst = P256_XMD:SHA-256_SSWU_RO_TESTGEN
Expires 29 October 2020 [Page 93] Internet-Draft hash-to-curve April 2020 1820a8685f Q0.x = 2ff87ed27a17062ad0721f97cadd2d0e54901745ca9101e324f746 0d05f0571b Q0.y = 8185395060bf793fad9fbd39c264da5da111a86ec3cf3a116833c4 9719039022 Q1.x = 3c0ecdd0372e8e702bca9ec05282a8a016c41e4b1ac65ff76b4a61 66b5ebd514 Q1.y = 4f6af85bc6701e3a6b8c13bec0ce517478eae5abf5370ac81cec95 d21dd588b3 msg = abc P.x = 68d876b1f5f6419f73b94502a28c7aef3f2e8619f4dcdfd7a91b34 f6e3fd8fc8 P.y = 79a4f8914923b6e202b07b96b53b5bff92477cc5217dddd86226b7 0610275059 u[0] = 9807c1a5f0d51793429275edb22cd301b360f9ae11c3374f0e6146 6165bf0b37 u[1] = d7c39c44030d3f3fe2aa49f76a5d5c9bc91b078589d43e2cea8928 de7652cd7a Q0.x = 3f0d3a7eb427097aebfc52ef7fa4250b6a6bfc581bedf7775f6880 e66587cc26 Q0.y = 47235d010aeea2c3e3d131577a3f3b3513e738790d03330dc88502 c506e2d3ed Q1.x = fcded73f3d1f12feda61a1e64e6c79e00c0da1f1f164e290e34dc2 60e09d028a Q1.y = d7d517e5e1eb3f813e0584d2d1d74f13ad44cf92f692b7021b1e0c ee9387b882 msg = abcdef0123456789 P.x = 710ecff129f51971437622b6c72a30d74d15894df3641c46bf0b0e d70bca7b6c P.y = b3b1632ef6b34114ad4d8f5bb3f7f7e3513a0c4514f7177632f097 89db080b41 u[0] = f2c09ac7340a2bb6b89a2be5868bc8ff8cd30375461426d46ff9d6 bdb6245f99 u[1] = c255967a8bb4d17edeba2affbce618b50cc8d77908657106c898f0 dce498cfc7 Q0.x = 2c295d2ae5520ccb41b441d5ddf3d8c39ced0140061e9c7d3058be 2b91a30e2f Q0.y = 38b2974d4b008b586aeb030013281a36c4cd2c50f31ecd48b2b251 be954b35bd Q1.x = 648dca4a2cdf36e139023937f826cfed14b5589f7176f0c19c6366 d265aaa7fc Q1.y = acbf1559c9d8077b76f04a346cb512dace28ac1e890913ea0f8395 c3b3aaf4a3 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 94] Internet-Draft hash-to-curve April 2020 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = a5db1f4140a102d702214d59e05619dddeec05db546d35b35d03a2 f0d47a1898 P.y = 27c7d0fa5edae824efb39039205ace6fa6fdc4bf3633155bf6db01 eca243c4ca u[0] = 62e9dd8c58bac00646d654c96a8083c9062d0b6c8a02059bd0384a f0e52a855f u[1] = b651df8d40fbb5d2ef0c5887dd5c82a5cc04ce07579907c66afb1c de2993da00 Q0.x = 654b7b18a3ef2637585259d07c94391cc06048011ee07c8e0225b8 19216701ed Q0.y = 0658146b06a4bdfa543ee347bc51980e12bee80a40ea22eaf0cba1 34565f2f5b Q1.x = 2d148869fb30215e36d61d9abaac07e493eea6f1dfeffb89e326ac 686de77efb Q1.y = c590a7d337c2cdd5cae6329f5eea563ebac10ea5da7fcc7bea9ef6 1fc8dd749c G.1.2. P256_XMD:SHA-256_SSWU_NU_ suite = P256_XMD:SHA-256_SSWU_NU_ dst = P256_XMD:SHA-256_SSWU_NU_TESTGEN msg = P.x = 2063ed79bfbd8dcb7ee0ea2f3a0859490e314bc44c52818810e705 0fc2fef9d2 P.y = b1b8d127e418d55f3e24aff4dd3b93f87b0f9010b57750ae536436 9a282b0c01 u[0] = 8edbab803386a426e41ed452e269ecaf7963fcf2428572122fd806 f8124a74c1 Q.x = 2063ed79bfbd8dcb7ee0ea2f3a0859490e314bc44c52818810e705 0fc2fef9d2 Q.y = b1b8d127e418d55f3e24aff4dd3b93f87b0f9010b57750ae536436 9a282b0c01 msg = abc P.x = fa966fde8359c530de36964554878add0d66ab91a4941c778a6ca2 ef940f51da P.y = a443c5d7acb4584c5482744d7c277c402f974ecb3c5a9e6cc32891 a7d4395cc1 u[0] = 5e62db94e1b65baef703b29e9ec76229d425ec11f68fd282665089 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 95] Internet-Draft hash-to-curve April 2020 2e94f41617 Q.x = fa966fde8359c530de36964554878add0d66ab91a4941c778a6ca2 ef940f51da Q.y = a443c5d7acb4584c5482744d7c277c402f974ecb3c5a9e6cc32891 a7d4395cc1 msg = abcdef0123456789 P.x = 1f629999e7ae72560ef6753c174e59e8cbb8012dd19ab422e07c43 8dcf50496c P.y = 307d198488b34f1c901b83e80eac513a91b2deb18723bb971adb7d ca8e3d406a u[0] = 2b65b29127cfcc0d932b0353989def6f9eff7d8fc439b24ba96a33 16d5b9c51e Q.x = 1f629999e7ae72560ef6753c174e59e8cbb8012dd19ab422e07c43 8dcf50496c Q.y = 307d198488b34f1c901b83e80eac513a91b2deb18723bb971adb7d ca8e3d406a msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 191231cd9517dfa132816a24860f55db605e4f5a190ffebf0b9bbb 232fd5ae88 P.y = f4aa03d54f7c2da1da7d597678825bc929d339d1c9bf43edfe1461 b7c4862ce2 u[0] = 0fb249d711473b504acf7a1e6a87e31d26f4a7aec11ff673e7ae3b 80f421b958 Q.x = 191231cd9517dfa132816a24860f55db605e4f5a190ffebf0b9bbb 232fd5ae88 Q.y = f4aa03d54f7c2da1da7d597678825bc929d339d1c9bf43edfe1461 b7c4862ce2 G.1.3. P256_XMD:SHA-256_SVDW_RO_ suite = P256_XMD:SHA-256_SVDW_RO_ dst = P256_XMD:SHA-256_SVDW_RO_TESTGEN msg = P.x = e588f8f8b27bc31add08582a9e582a78155799a16ee380ce1f13e8 5e4bb149cc P.y = a3b1d90e477f50ce7b8e4a84eee48d133a0ffa52030fb9d3f57e5f Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 96] Internet-Draft hash-to-curve April 2020 1fe89fc42f u[0] = ec15c0491824d9846a638fb827a63ee921f9bc93c1ba53491354ca e7909625ad u[1] = c6a6e566680f9d346249644bb7d7c80043647c0c2c8c6ef04424e8 fd0289578a Q0.x = b016e67640b890e19ed1961fc383924744c7a2a75cd7e2bb81009d b0fd19db2a Q0.y = 38acfcc7b59b060cbdabda5fd0de9e260f06d3fd77c34ee3bf2704 9318db616d Q1.x = 3a74ee59421938c749dbd373c3b75e8bcc6e9514ecfb1cc31abfb7 3cdfa00d5c Q1.y = fd16449915c9cdf34b42ce44b32167e3da957bf52ff34a0366f3d0 729f447908 msg = abc P.x = 05b9426f33b06d10dc91063f4ccdb46d72ea75d617907b476dde40 25494acf20 P.y = 535125b006b3c5dd38727cd9740dad2300fe5f0b1f951cee602ca2 688c3d4a84 u[0] = ea1cd7d1f59817c4714f3edca0c846f3f6c8efd72e5d3d29131145 3af0a83a1a u[1] = 9a09c108e76a40352a56d49af20d8960f222c5933ef509b7fcc785 df4644159d Q0.x = a2ea1a07417e4bdefaa437cf8f3de156a365afe9a810773b2de41e 450ba335fb Q0.y = fae37243d761ce9f04210debb40753de7409f41e4522ba13df8cae 4ebd738b12 Q1.x = de2cc68b0637bbc4c2c2462b2a878636ae43c62a8867be7694f4d7 22fda24fe8 Q1.y = dfcefbf3127df772ee0bee040cea304da5a0eb9f9d1c1665e1f9bf 560b60c797 msg = abcdef0123456789 P.x = 929e0db7c57e1a635bc6d72b4a073ed6a1472d0f9a00ebdc1e53ce ca97bfb965 P.y = 16a0556054c6b1f2a947c13494cbfed68370864e05b53dcdc6cc70 8798c4dea7 u[0] = d9c9ece6f9561b3aca9348b378f420a893d0ffaf4ac691750d1a67 581c396166 u[1] = fc1152c1b6a74dcf471514e77a684bb864b03a5e1733f77f981daa e35c841ca3 Q0.x = 60f1be2d2d881ed95b271719fca4699e4f78160c68939e2e225e58 e4c0eadecd Q0.y = bde74f03c94f63723a96b41e77af588f9d9a7b8ab15b5524fd10d7 eec7c2a62a Q1.x = 73abafebf24c5ac74dd5986fad52192b5286dab229a5e564c85d6e 822482a84c Q1.y = 2041a8773b2fd0977d2be6b7d4b6ab8246edd20e0f701c4f0b0b7f Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 97] Internet-Draft hash-to-curve April 2020 6b0981b55d msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 59a2024d97262ea520a004f765e456340f2dfe1998b92eccc4c7a8 a53e3e52da P.y = c1c81b00fb2495f9ab309cd7195bfdc3920fcef7b88fe6378e507a cf74b0f2df u[0] = 7b78a2106038ed4a4f753e654653902dd742f20b9d0a8d8fe135d7 a913088555 u[1] = 8f4a4ac7f5bd125988fd06b009ea6ccb604d113ec90e4e036bd75d 75112a30e0 Q0.x = a2d85aafeae2e7d3020c500792a367d7ea3c4aa545e41b8d3e564c dd6f65d263 Q0.y = 83c1afe4d75821f2bf11ec4de4b4d4521c23063fa5e844f5d4bc35 75a2000afb Q1.x = 0f6f15762d9fe5ae1e3f4a947b8472081a63a14d2c1c61b89e6ee7 d0d3eb91e3 Q1.y = 351d7c3f77ff7b54a31695b9f9eddd3e6704ef0f46541afd2ecc22 2bfd117df0 G.1.4. P256_XMD:SHA-256_SVDW_NU_ suite = P256_XMD:SHA-256_SVDW_NU_ dst = P256_XMD:SHA-256_SVDW_NU_TESTGEN msg = P.x = b9423285524c58ba246ee15051b0f733c0b6fcdfc1c35d3c8ed91f 88aaf25295 P.y = baa9f3cb38c5f5753147d1b5f69134db082f6f956c1fb4f6351bca df37dbf010 u[0] = 692c69b60b94d805abbe8d842bbb11aa2ee8837eda4e55c308c542 f05b32c7d8 Q.x = b9423285524c58ba246ee15051b0f733c0b6fcdfc1c35d3c8ed91f 88aaf25295 Q.y = baa9f3cb38c5f5753147d1b5f69134db082f6f956c1fb4f6351bca df37dbf010 msg = abc P.x = 0544b1108806636509e87247b8d2e310c80f707abeb8cada37a6b1 Faz-Hernandez, et al. 
G.2. NIST P-384

G.2.1. P384_XMD:SHA-512_SSWU_RO_

suite = P384_XMD:SHA-512_SSWU_RO_
dst = P384_XMD:SHA-512_SSWU_RO_TESTGEN

G.2.2. P384_XMD:SHA-512_SSWU_NU_

suite = P384_XMD:SHA-512_SSWU_NU_
dst = P384_XMD:SHA-512_SSWU_NU_TESTGEN

G.2.3. P384_XMD:SHA-512_SVDW_RO_

suite = P384_XMD:SHA-512_SVDW_RO_
dst = P384_XMD:SHA-512_SVDW_RO_TESTGEN

G.2.4. P384_XMD:SHA-512_SVDW_NU_

suite = P384_XMD:SHA-512_SVDW_NU_
dst = P384_XMD:SHA-512_SVDW_NU_TESTGEN

G.3. NIST P-521

G.3.1. P521_XMD:SHA-512_SSWU_RO_

suite = P521_XMD:SHA-512_SSWU_RO_
dst = P521_XMD:SHA-512_SSWU_RO_TESTGEN

G.3.2. P521_XMD:SHA-512_SSWU_NU_

suite = P521_XMD:SHA-512_SSWU_NU_
dst = P521_XMD:SHA-512_SSWU_NU_TESTGEN

G.3.3. P521_XMD:SHA-512_SVDW_RO_

suite = P521_XMD:SHA-512_SVDW_RO_
dst = P521_XMD:SHA-512_SVDW_RO_TESTGEN

G.3.4. P521_XMD:SHA-512_SVDW_NU_

suite = P521_XMD:SHA-512_SVDW_NU_
dst = P521_XMD:SHA-512_SVDW_NU_TESTGEN

G.4. curve25519

G.4.1. curve25519_XMD:SHA-256_ELL2_RO_

suite = curve25519_XMD:SHA-256_ELL2_RO_
dst = curve25519_XMD:SHA-256_ELL2_RO_TESTGEN
msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 390534777c4be0feec6a698a9eb54e3d0001773cbd70a6b12420a8 15c662aa4b Faz-Hernandez, et al. Expires 29 October 2020 [Page 115] Internet-Draft hash-to-curve April 2020 P.y = 5177e6ca5e906454c2bf3d09fe5df74d6e6aba3f4643ef903c8579 3258bec2e3 u[0] = 45d8bb3daefe5f48b0b8ef2d723a76ca4e48607f82059ffaa3a2d5 8ce5ba266d u[1] = 3a0711e9c1a7359f51ac23efc76c9d41380aa88f46602ece1e359f 627f07ddad Q0.x = 37cd4c3f48597438002fcb39e79a8b6d9cf4df50cfa3bcba968637 cf15b7f0f7 Q0.y = 19d8cea6b9b6d8c81d56c082714ed738f178eb00ec97416ee1352c 66fe5e7271 Q1.x = 7db4c318a88c987d1bcde8438ed0380aac7d2de3f70596a0fdddd5 7abaa00455 Q1.y = 529bbf6c88d4a375d5d23f6757e80e802852a9b937e34f6800c8f6 f0a8435f0d G.4.2. 
curve25519_XMD:SHA-256_ELL2_NU_ suite = curve25519_XMD:SHA-256_ELL2_NU_ dst = curve25519_XMD:SHA-256_ELL2_NU_TESTGEN msg = P.x = 148142df0dbe2dcecda7260e34316a9f860a50dac69efef9d8b805 b78d5cc416 P.y = 54290bd159bade540d4da4062dd1ea08ca650a7be31fb18b5ff2ac 0660602734 u[0] = 1c4c6508a80db18ba615dca54655c20c4b6bc3816e7d90c5dd4666 80817df5c8 Q.x = 46c4bca377e4fac6085539a9f62b94626fe94cdb7d98cc12b3ad49 176ecbb0cb Q.y = 3afd6c29ea5cf0be10b2e86836ee758049656c94c4ba0bd6b797e7 212959865c msg = abc P.x = 45f5734efd91cfe67fee41b39920e1ce1fb3efe72548a1869dffb3 83f1e422a7 P.y = 7325c536453ec9bbc65c084dcf806f186b6a2f27f4695019918320 36ab90a0fc u[0] = 3c0ab054a5c6dd09e8f8832e9f3a234e624ac8267acbaa38187f90 46095e1d40 Q.x = 4f2d7e82d7d1928576dba4c5b56d841f2b086361a4b22fa1a34781 a02347b6ef Q.y = 66a88b7221a94fa651b04b62568ee457b4615d44bdef2f6b1ba3ac 1cf7c70d42 msg = abcdef0123456789 P.x = 1a02e25cd0a6c691045777f61d6b3732177ccd1340694db0785021 f5dd76ac45 P.y = 4c9ff3e3b57856fd84a7a617be3036c4f6021dfee3bc0b87d2edc2 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 116] Internet-Draft hash-to-curve April 2020 590709acf3 u[0] = 15fb514d8a3a81a93c85bdee6f2c3bfef00a86d3cf888ea7fff9bf ce2fbfaec2 Q.x = 7ec6574c35ed8ce2fc8053d69270bb81bd1fc731ff779c7daef9e6 d5f4755ed6 Q.y = 728f927efffaa21a6859ff40f48831689cc934a5647d65f057919d d6e81b6dba msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 3f83bf211fbb42127e9eea01797a212d13eb812be8c199a01002e6 61e2996be9 P.y = 2cdf0fc2152a02e8b675d7e1e0a69f495a3c41bc00e55c7c7c07bb e5242f6484 u[0] = 6fa3542acdbaf7e8e6fcadb25f263c2109f13140552f02f020a877 30069280bf Q.x = 52661f6c4181d23a19ed6c34576eb00bc0d7d389f47b76bac55281 2ad5d11f2b Q.y = 5b5d4998eeec642542586143f57a8e7000202425acd7f0a96b1dd8 d2eda084c1 G.4.3. curve25519_XMD:SHA-512_ELL2_RO_ suite = curve25519_XMD:SHA-512_ELL2_RO_ dst = curve25519_XMD:SHA-512_ELL2_RO_TESTGEN msg = P.x = 3a172899f1c4e6a2297889b4cbe9312c20dd52c1c01adbad61372b 41d7dbb92c P.y = 0b9be02661fdead69d214f396e5bdfc5af30aa5339ce779c7d1a7a 6223fc82a5 u[0] = 0ee65264ee7fd5f177f17f00d9f669169cc3071e4edd56a27f5654 911b30fb45 u[1] = 65fabaa0d2ddbb06318adc118325ffb69c2cf04ffb2b3c22404150 67659530e4 Q0.x = 71ce39805cdf4a5877f05ecbc1e0bab4d5c427ef27432a1724ce22 512d707ace Q0.y = 7ab039c50934d19ee4577d370129ef1ab8762c565928a8a22c673e 5715ab13d5 Q1.x = 0f6ec145dd4faf417e82a555e767d3f8d799fb1d183405148ae988 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 117] Internet-Draft hash-to-curve April 2020 a08bf59eb4 Q1.y = 0fded9373c220670cbf30878a6c3950c9281ae6514e2f0d28efd1e 63affc1222 msg = abc P.x = 28bd6dbc9855b9982077919a22569b952577d3efbf7c6e7ae79ccc 9637ed954a P.y = 5ccc5e42af4a56b8524a4567432b106743c209639b00fbb9fb88d8 5f26d07b51 u[0] = 3f64d0a84c276012b40d1bb660988d7f3529a17eea28d286f870db c4d33a7207 u[1] = 005d866877b6cf987e63978171392872237e6c801f2180290a7b6f fd75803186 Q0.x = 1e470043ba9e1409ee7075e7f489b5ad10ada9390338e336c9cd19 0179476574 Q0.y = 65c11c156aed5086ce805d474db75448e2b8216f99f22607e20e5d f3fd3b585d Q1.x = 41fffa025bdfa4e1e3fa22c3baebb351f8a724d4b5256bc9d91dd8 c002e82a71 Q1.y = 76eebb6d4d6ed742078d8500e73ef81b69719fda322a95d9276637 571290006c msg = abcdef0123456789 P.x = 68171404201003f3e41c463d48293d332a174b1286cd306987e124 a43b5af34f P.y = 36bbe86d271e86d33963be75a3f46d810e91c94fd31851cd3b54a3 bde73c0328 u[0] = 00c34061c3588f2b55b5e2f037f19bd86ccda574d7ef87931cde60 cf490fdffd u[1] = 56f69388986103a60d1a54a7d5042e2d537d929db2227beb8fd700 58afe5fb1a Q0.x = 0193047494b5b93497d8a0c3ab515fee3b41748f0f6e38016637cb aee08edcdc Q0.y = 2d8186b3502558cf54ac8cd2de5d847c69c78cfed43897e6718821 75abe1f84f Q1.x = 37c9cb0bb46711237ae393f43bb46f31d160189cdea780439e76ae 36ceb175a9 Q1.y = 0526ebf1b7f5f1e5df4d365ebe8fabcb6a3855954a96450fb9f969 cf9b5fc2a2 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 118] Internet-Draft hash-to-curve April 2020 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 63d086337efa346d964f801fb8ec02de22fe066bef916e6214dffd 732fd44ca7 P.y = 3bf10eb0ffde27ef3f5beb1161d5af8038addf2ec6891e249437dc 730c5d9c87 u[0] = 6683b676aa69e76833b50afe48cb70675608fdd3f5e4d417f651d1 0d3e995bb5 u[1] = 384201985801db4c1342b595ea12b358a40e5e6224288edb3e803d aa3b64306a Q0.x = 0ddf9ee23c4b5f876676d25a7639fa52bae7d9c48b0fc44c30d0c7 723640e9d8 Q0.y = 2199515c277ea11355bdd36a0d287491fc0d7b4531f1b183b048ec 9de67608d9 Q1.x = 5db604d99506067b8b4b8b514b172dd50d70f93490369fcb0df061 c6bfd8a02d Q1.y = 17c00883f916abeff2dd53c96863a322a6e4728427c780b7bee118 702a329958 G.4.4. curve25519_XMD:SHA-512_ELL2_NU_ suite = curve25519_XMD:SHA-512_ELL2_NU_ dst = curve25519_XMD:SHA-512_ELL2_NU_TESTGEN msg = P.x = 1d8d887b93171f13d0c80c3cdf5ca8d1f2aa068b6c4124367f5d49 a72cd1c51c P.y = 13d9f9934f7f01936e26b67eafeffe06bc0638143d81280bd1d5f4 d302ad1929 u[0] = 573b55aefc52e0cb47dfe59b7352d0f775b79e8dfcf37f1b3e104a 6993553f0f Q.x = 0decd247491ce194e8e887289bd8d769de7b502d59efb753005044 58651984be Q.y = 32bbea1cb16d05159962bdb7185d63888ccf14d3b2cb7dc2922b13 af0423d6d9 msg = abc P.x = 594d2eeafd81b0976b8d1af9ac14fbc26d0efd37620adfc9d635e5 d80e4b0a41 P.y = 13c66a12e6bbb114d1a570b1a0b6172a6a8ba8815e73daed7bd9cb f5147fd860 u[0] = 70eb21469f3e2fe6c03b6adc1b826278d0732813e7f4d5c44adf46 a5389ae258 Q.x = 7776f671b2f3e9ec358f7f634d1694ba4036d2ee7178b691e44f1b 36d129a812 Q.y = 05e1f67045bda56aff62fdd82d7b9bb8409598ca44e0a914e84a4e 7800987cc2 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 119] Internet-Draft hash-to-curve April 2020 msg = abcdef0123456789 P.x = 07e9fa7855955b452073cf33a01feb24d7ae9a86f5ec139ee30157 7e3c7ddca8 P.y = 51608786ad1fdbe6766a8defab5498fc6ccc907a0e08689eadca8b a895e855ea u[0] = 08a0f35daa8999ee5263641be2f44d1628044f939c34e98471d381 0301767c65 Q.x = 36260a425965973ecce5a673b31c3d71f80c184bad5937005a9013 98e1d0cb0b Q.y = 400ad6fa8975f91efbc8285fa7dad788bfad26afc14916b462c241 91356e822f msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 0b2093b5aca9dcba4d2525d2a6ee6571db74f3d02594efff94dc8e c86e99742d P.y = 70c7c09544c600c972b1e4c9b2f19f4d2b36aeb6a569447d5b1eb7 50dc522ffa u[0] = 68b81faf749ff4301fd5a056bddfd2f2c0d8a109c5c4fbf0869003 42b7d4c88c Q.x = 74ca2fd0d812035ec8f3a99a458819955724e63599feb5b1816d7d bb7857deec Q.y = 6fe67ccfca95ada1249801e9396788da13d41752f29ae215b26393 3d03da791c G.5. edwards25519 G.5.1. edwards25519_XMD:SHA-256_ELL2_RO_ suite = edwards25519_XMD:SHA-256_ELL2_RO_ dst = edwards25519_XMD:SHA-256_ELL2_RO_TESTGEN msg = P.x = 0f8722c58d5dd9fb49af66acd5c9e4ec92a0a1ba58e1d34df48602 182d1f30a4 P.y = 40fbb3b412c5757f5b848e7cfd80b20337cd85c1b83248360bec0c 42dece0e8b u[0] = 126cce2c2bfe36dd1e2af9cf37b33e1129266b62878b74363c0aec 1322d32c0f u[1] = 390c5cbac4dd460d767fb2aa8be9026dcf5dbea509d522b52676c9 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 120] Internet-Draft hash-to-curve April 2020 4590ff1ed0 Q0.x = 17b654835ca629780e84d754c4178ed5844373919db388bdf6c4a5 751f7ea871 Q0.y = 4981a0ae26b113128044c040280eeb588ec2715a96c69f592710a8 51abe6fef7 Q1.x = 35205fee8d3e360ede66d009d6309dabd4f491f7710d47276479f5 dad4d9228c Q1.y = 3835cb6f183a5eb497b9a14e7b89df6b28a531b94d48003647ae41 2f2fb16714 msg = abc P.x = 3af830c8125a051566c2081a5ec586a6a900967a47a48919625920 cc35ec5628 P.y = 6f34b1f623f59fb105fc1fc883abe3fb92d1f005008d41f6689918 a9a9d06f40 u[0] = 5dcc66b4a0ec9007547f795be1e019c0e6baaa88b7952f0b734a36 a62ac4dd9b u[1] = 7a37cacfead893c02a83ce63eff2601caabe2746458bfe81cd48cc 46b1af1be1 Q0.x = 3f53ed25c90a9b8412004df5ee70a36c64facec99dc39142bb1d66 1a6ea98b4d Q0.y = 2fbbceac2131380c0517b146391a4fdb7e277fa424d66cd9ae3c1a d0c942c3fd Q1.x = 6e746dec39889516d1f60e6ddaa022bafc9f14b5f808e7b8c70446 8fb8f7ae5c Q1.y = 76a3cbcecab1ae5a219c179da5282d9dc72e5023fd325ceea2f69f e111598dae msg = abcdef0123456789 P.x = 79d929c77e5116cfda42d54657b243b834c80a51a4537f6f389181 8da38e5779 P.y = 3c5d2742f5629ce0c728416536e445edfb60b069549c3dfe3a398b 1157964ce7 u[0] = 63ca167d0f8ab1d3a66a71706be62a5be04e7808fda55ef55a0292 40f2b116ec u[1] = 0eb4dc9eaca0c016365c50786394bf96b1e9807f9db73f21f8e3e3 9dec5c97a8 Q0.x = 7a089b9dce60d4bb4844567f66b2b777a0b8866fa90e55d79918fc 3b908af3d5 Q0.y = 4f674adb4fabe7d9f0e66a38e9434b3cda0666ab00ef683eac5779 c6555919ad Q1.x = 35bf327e81a3558ea42d2eacec2fc806a2e50dd1ab7de8ba8fccf0 19010950cd Q1.y = 0007e543a54cfc1542c14b3b124eaf5f19b1174a60e1aaa580c501 74046a4ef1 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 121] Internet-Draft hash-to-curve April 2020 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 597274648cc1dd7435ab65f06e88c77e27942a807f6ee4cb1a3f92 9fc8d2ea7e P.y = 78cf940c076993184b03cfb03dd243ca94adc0c59219cbe8f047bd a705c9e687 u[0] = 4df3a16d2e550cea9525a12fd49008479d01dd39e9021c0cd90a74 611791e13a u[1] = 18ade67094010490c196c5f807fb93db836b702c2b97fdb5bddebf 37167a8046 Q0.x = 3fbd6b1ab5cd72ef83f1c002ae91492cad8e0b1252613337ee883a be39b630ae Q0.y = 4f82b72fac3ecd699467a1b991b0cab19a54ca66fcfc2476bd16ab aa1b196a31 Q1.x = 626cba7ddf1a6c5fbec563b5a05e28e3bbe526170ce449f2114658 92b38fc13a Q1.y = 5ec4e0b5635cc7d5b2e12d5332cf11301478707cbd2caa4a9ac3bc 41d51ea5f4 G.5.2. edwards25519_XMD:SHA-256_ELL2_NU_ suite = edwards25519_XMD:SHA-256_ELL2_NU_ dst = edwards25519_XMD:SHA-256_ELL2_NU_TESTGEN msg = P.x = 380216454ceba984cb8ed41f90f67e6bbe6d9af872339dd18d2f55 dfed2bd0bb P.y = 23a3506d12ea03a09142346546cc531904938c624522a5594a6e92 c319ce9c1a u[0] = 01a7d61d2a7aa8abcb1328da9a23d05daf4a41630897ee78907b7d 85396764a7 Q.x = 0a2344be8c518d8728040934150289737edab1f2610fd1dcca3a1b 2988bf0da1 Q.y = 2e38cbf9b3cf07483d02ff251741cee7e38998cf449d23efb46463 431582da5f msg = abc P.x = 20167fd29377cf10821c720ec8923cd2580a1d6b11cf3465629a96 76610b10d2 P.y = 7f384523b09b60d354e9eb022e4d62f218ea49a5614d06b3050e0c 17e7df98bf u[0] = 2f089cf1c21df2f6680936b3d019f4b8c848f613f1e568d240ed51 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 122] Internet-Draft hash-to-curve April 2020 43c7d56c49 Q.x = 679cc8a05ac6c18809842745d3fefb947b9961e1145026cf1d5880 9a83adce8c Q.y = 221b84f538ed26c03e547db4b92a9d2dfc36d923cfd04efd1fdc85 2d8bc853d1 msg = abcdef0123456789 P.x = 43059ebcb19661e9fa879165a0317f1743cdcf3d05d842cb2affc9 5741b2f423 P.y = 1b53ee2a808775e1cafd4cb632f5b30923771ba96b654797ba9cb0 2e35a63cf5 u[0] = 076bd263c0fa6097d2db8c330cc6ea3177b4a8a8396887b6a730d7 eb7eafe1bf Q.x = 69df4212c878adb5ccb3bec61025056be1df0c1b7e1c306adfca9f 11eea37f2a Q.y = 7cc99f71b024c533bb1a234f51c2fa692ecbe4e668f66bc6b4360c c775e022f3 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 2b5e101dc84cc39697a5b49e085e2bd0f8916baaf045fd3dd353c9 4fc38feb79 P.y = 5df51d03cd43cd6aa44f40ef7bb179df8825e938885bf24e560450 8c9bcb2a39 u[0] = 34871edb9274ef81666d9427aa516278180e8f523dca620b91a299 0fe469d157 Q.x = 0243db509c6c1d5d75a8526d96aa63403a4db5bebecf1054403c10 199cb7de04 Q.y = 02b0664c9202c0bd8a577fe90cf2cb31f923137b5547c7ea64cbc1 81ce5dfaac G.5.3. edwards25519_XMD:SHA-512_ELL2_RO_ suite = edwards25519_XMD:SHA-512_ELL2_RO_ dst = edwards25519_XMD:SHA-512_ELL2_RO_TESTGEN msg = P.x = 733061c3944db1b40854922ec686e9d46d596993fc8f9379c7a620 8f04e090a4 P.y = 5c307efcdf7f0822428f932e66b46b3d88f59880772a1ab07fac52 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 123] Internet-Draft hash-to-curve April 2020 31609c5f76 u[0] = 34fcca2bbd52f190db11c3bf0c5433bc263af2515c379288d99abf c56258b4f7 u[1] = 60c15d061d49044f1a870b022820f8ff9740aa8cc8019ff798ba00 b1f47b1f08 Q0.x = 53d2dad3e30c5108e4e2415723cf6802aecdb558755f0615633d9b 8d206302e4 Q0.y = 619b1ca282f4e61603cf302ec763828345b840d35aef0579595d95 d1dbe62ed0 Q1.x = 30f1ef22590a2f8d8679e9eb69ef7d96ec6544333301cdddb1f5b8 39290835c4 Q1.y = 69a00936ac492b4dd8b8c5425ca085c5346b5c86abc7ab5abbc022 ac1e888a68 msg = abc P.x = 253da0916bb9ff544d9a4cd1252e96a3aceb0c1849e0096026f442 80c26c06fb P.y = 3f4887aeee9213d976e125bfd0e4e2201d7ddea8abfa28e47bec8d f008821b1c u[0] = 3c89e0e95dec55e651e9024834a0f481bc095dc125e45fd7ff36f6 f7efdbaeb4 u[1] = 72a4c5c44c1ecb08422f00aa3b910494fd4afeb5c00c15070c77bb 3873d4fdd4 Q0.x = 170251e3d6dd3481d1c48872ebdf8fc9b1c40a7a1db216b147eabb 6e43826a7a Q0.y = 33d236786b788d25051b23cc2506a34c4fe1448233c5ccb60abac3 1b9630dcdf Q1.x = 0f7bdaa0585ecd3fd774c2a22db4578b1af50a9020d752fb639075 bbfcbf9aa6 Q1.y = 7747a6883d07cf5a64c45938770d38cfb98a072229348423b1dc04 69b98a0567 msg = abcdef0123456789 P.x = 0b0cea8ca1e594f64731d2f3571616928deba7789e5da03c28e6ca 44b818ae95 P.y = 3c67b98967527a551ea54e4de791689834552009a7a40393fd4a23 d1f04061ef u[0] = 12538499c173d7612e359e692f220187524a0222cd68c8ba1881f7 8eca9a6723 u[1] = 790e3178bbfc5ff946216a1977c3e4eaef177a0eb1312d2c871272 0d0838194d Q0.x = 20af4c8bc339ae680459bd3411f15f0621a0cd2c5a017fb85f0054 202b1ff3d5 Q0.y = 7e6a0baec1ee6888025a93f30fa69faa7df8d456bd5eb2576d9b0f 616c75d8db Q1.x = 492418dc2a91a5afdcded30d648e492b2b12509f6a0d5567e33b9e e4940dde9d Q1.y = 36e2f37bde5d8d850f01480004d111319dff7e26842053127c6f7a Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 124] Internet-Draft hash-to-curve April 2020 72de2ab912 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 2ba229a8a9c6eab346b31b8b8de0629314809edf066b773a102309 6e0979c60c P.y = 4ce238dc1cac3b392767bda2c81e3374e61efa4c2f93c5c400f0d8 48b9b2e339 u[0] = 09c5b7523f793057da91d04c936a68e788bf040f6b75f6d5e717fb c80f07967f u[1] = 559c4452f898a1d7e3201fe8e7242aba83d6755dc37ae1fa827d63 35344d818d Q0.x = 2c26532dee97024c529cf2b0a75b165b6986438acf10607d6ebf68 e725676050 Q0.y = 17930e4357444121131bc5689ae1db6aecd89bb0370485b2809b5a 60930bda42 Q1.x = 059ef158d57879963f8b0ad3c3db756768530fc396f37140d72e24 634d678515 Q1.y = 37fa3b34506b14d322724d54af5625195dfd737def787230690ed9 d6286638e4 G.5.4. edwards25519_XMD:SHA-512_ELL2_NU_ suite = edwards25519_XMD:SHA-512_ELL2_NU_ dst = edwards25519_XMD:SHA-512_ELL2_NU_TESTGEN msg = P.x = 1dadc9fffc2bc7ee9ef2c60980f5b863b3ad0743aea183196f84a7 6b15fbf7b8 P.y = 4af6284e3cc7116df104f6708e0c44d79b0e294ccd89b87c4c3c89 2ebd2f03b1 u[0] = 155c21d4cd09704fb445dbd195567689dfee8746f6a41a8e2dd344 f370635fdc Q.x = 2720eda378f35270b6ca39f3da49bbf406244e393eb1423b1bf693 6061cca504 Q.y = 2e93babc6eeb31123cf939fba6578dc2e2924a2fcf9c6900d28c52 c287cb1c22 msg = abc P.x = 5cdeb5456820bd6f73e4d077b4bfba83a7dc50e875144467b7dd20 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 125] Internet-Draft hash-to-curve April 2020 41e5e2bcc3 P.y = 23e704500ac22fd7106ceedd86bfcc8d50351a6303be22b2724fcc 1280d00544 u[0] = 44affc91a5e431c6bba08db58d4155bc73ab1369871efe48457fb8 79873edebe Q.x = 6c5031267c9ff552b87482c7e65908d5241dfc8248cd8e3711c476 07db064841 Q.y = 27bc42ea0f0b92e62b368e8ab2e2e6bfe204bae24dce773282e0e2 fa9230893e msg = abcdef0123456789 P.x = 472370c66329c64bbb40b2a5a7f7b78b0b51b2c6c55f8260258c07 9a19c94527 P.y = 34b8a16b923101f2d4caa48d9bb86fef4f92be0ce0f55c8ba9db55 da23ad623e u[0] = 397af6c051fae69ac233a8f147d73d5ad5524164f8ab02081c0563 b035e23fe3 Q.x = 31631c01d4162e4d3545d731f827313356012c53b4324e55a884eb a10b872572 Q.y = 2a8b6a47187ac2483fd8d1b10908da0e156386cdfc50fa2c511dc3 60105970be msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 110d8143f8ed73bbb2f9a85de1abd2718cb4bb7db006296883ed6c 8524518a67 P.y = 31e648bbade3b272b7676f82da905d27de37f41581b1d170250dd9 d56f95413c u[0] = 1468be7f7907b634683fd7f5d7dbc71603eca5cc4643a6e760902c 0bffb994c0 Q.x = 62fe7545d28a771a2f16d1d78175cd18ee0f74cd5e8e60ed4c6af6 b93a898a6a Q.y = 5d76557b33de752c6b997402b77d4f7d7369181a9fae8d573b1959 9b89bf305c G.6. curve448 G.6.1. curve448_XMD:SHA-512_ELL2_RO_ Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 126] Internet-Draft hash-to-curve April 2020 suite = curve448_XMD:SHA-512_ELL2_RO_ dst = curve448_XMD:SHA-512_ELL2_RO_TESTGEN msg = P.x = 65e43932a618a90573f3c9e8e8b51228bea147d59c288e7bd52194 749234835fca5b84ce6ba586230fcc7f9b0388fc644035793b4146 6daa P.y = 51e4c1f40af9546f420220e1a3533f96c25f7d1376f683f1bb2d0d fdd397642b20c4cc5a82f493bfb8f88db0a48e50bf428ba6f862be b877 u[0] = e4a1289f30d675e88aa7eb7a8a85066afce10c63ab6277b0c6b8c3 d86b4f01a42a179be4739d9b6b17e418ec4a7a02a8a350678d6930 bc22 u[1] = 5884bc9facb3616fb7757a72b0fc44c3d4cf819c102b36075ae3b3 dfa7768f54cba34ce8a5a11d95506e35b00960c18b0ee3e7d58193 3a0c Q0.x = 99d098cf682e7f4013a12c8a51d4c6a479a5b62d3b45cf00522f2b 7347afef14fe34fe9bbc3cc610fb2090dc67adc86bc016dcaeddfe 90e2 Q0.y = e920d887a4fee856582db3a6d635cc33064306f841ab30def293c9 89c836d93c0482caab3415c49e401bd18184d8fc5493b097d4af0e 930e Q1.x = b0170e6a3ef7a531b59728cf3ee1347fbc0c876efab05c6c59a146 e762a15543d420f6addb2644421a9f33b372f9739a743e8937ba7e a611 Q1.y = 9c41444e6d7737ffe5ed9ad212855c03fa75e2de2c2d3be92eebfd 77e8905de35d4946661cce5758d6c24840a5f9082326f0857a1d95 1f6c msg = abc P.x = 4e3f1ceb5126ea6cc8d2740853e8433f67462912a3c06e574fa570 bdd58f3dfdb34dd5223b2c71465825ee3c30e093b1027339c48683 ce28 P.y = 53ba442ccb6a789618f0e3e27166beef61f619241b8e072b5faabc 0259ca78ef0a7431e6678f93c73ca92cb12fa219660c31a0e1d349 0fff u[0] = aeb625d04b4c37adeb081e38b6254920060e10b85de4577e595423 6e389e6f71b2936357be1b378e97928298677f74109e9e6580880c bc38 u[1] = 0d660426bb3db9addf0556aa2a00dcac4d6f24ad95f0fef861b4c4 196a7942c32c8103dfc9c69062512197ecade45bb72dba0de71ac3 24d7 Q0.x = 7161e026d1ad3fa89b4923c85d5fa5718c37648399782ab16f3ba7 748734f958214a69a372e2baed7864f09660a64a4feb4373128d86 5e9e Q0.y = 2a63d883a0c0e1211e03bec06ba12749aa989e3bdea4fcbecb3cf1 deefd42275922b9aa715b48e9a7cd2e3ba14c5c1f3175432bfea3c 7278 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 127] Internet-Draft hash-to-curve April 2020 Q1.x = d31dc8dbf25562309a2edf6da59e8498bcffa3cb01a94cab727bd5 044eb7d25d27353a4f35fbeb6d5159b3039df97fe5762eb79ee40b 4714 Q1.y = 5d11e2164eea1960dd74fa46c5178ee3479b83bf381f871bd70c34 a63882f8e8da32ecf8c3ac612d75d20174c3b0468b46b1968c5a2e e49b msg = abcdef0123456789 P.x = b26f9b85e898fc32ff30972511b6f703ffdc80134354c938b5903c 793c1dc6e57d0f2cd5b8592bf5098a93e20e5819c81740c9035259 60d4 P.y = bb6bb7fa8c4aa864ddbf465fa88b2e4742d81a20e60fdb31e6516c f35ef1c5e1289576eee4f53130ebd7ee9a615612f99cbc8bf55cae 29c9 u[0] = 713f3d4bc5ee9a7648f418b5befdfdf706e0b199a15f9bcb9509d9 ce5955b3f784553eb221ac309508aae078b7c4b4b67061a6e0936f b119 u[1] = 1b1469fa9e93397e82c7702ae814598f1e5f6c720918b07276efc2 92fd8e02732c9b2d3c75ba302a4a0338ad5dde6ee87b0b9714d0b5 b4e8 Q0.x = b6f95c15ade4f01ce6df438bded3d55574a6a24f8eef6d93b7b834 58bce54c83332c5183252d6941240f6ec5495eef67da15f7f4a981 14ce Q0.y = eb7d87c8f3404918a2da248ecbb24cfa1e7771f42997c643cb8950 2acfcaee758154d969fd859fb44e78435070f4baa1b5be5f1abae5 327b Q1.x = be9a72d4c32d61894cda8f467bc9c19b35606f42e6a24e7564ddba 2e0c10d03584d8e01c7b1eb9bc1e5096fd6b09a86e68b6e9480203 f761 Q1.y = 736cd1eb7e986060bfd8c6687b5d2e1dce684c0d69830d00936c04 3e0242eedb02948d593cea212253a067f8a1591d8f69f0104a2c72 c99c msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 57ba5446a3277751991d51895357752adf7ddef43426d6c76d8a38 c1f797362849089058261a2b97092ac0b47b619255eede13ca8acf 52c8 P.y = 
0a1ee932b0d8be1b7e755650881ea2d24e8e3ebfc46d2ff26d51e6 48091fb1ba3e1450f899e699510e9d10c1da69ba247b488ead83ca Faz-Hernandez, et al. Expires 29 October 2020 [Page 128] Internet-Draft hash-to-curve April 2020 8c52 u[0] = f600b019a044aab639657f73b2cbf59b1d72d951fa68dc01b88aec dec9ab500c87b3a5aba56bb0a7a477afeca573b99ab6e6de7448f3 4220 u[1] = 7483651b800439fcb5ba24c825992eadeae1d41927e57e9128c276 f3b103c12664e827e9d30a2a08f307623a99068e6ed93dbe78fffa bd58 Q0.x = 7797913d84240e3dd1155dd75175a2bc8a917356daa823e22bfce1 f863ede21abda536e6156c50742436f736455761ba20fa03c3fb1c 2179 Q0.y = e44f7a25ec9b650664c9ea26684443b9e06b6ab3edd6cfc89cdc05 d583cfb540bfc806ec50690c82f835cfc03bd9425d3beee6cf377e 288e Q1.x = 5b9402d193d37d259e35d209b2f50b4096c88cda7545d4acbddc3a f61c0c94aa515439565240c2debee781061febcf13d6f344a0a88b 488c Q1.y = d58cf00902535df0fb388715c800f85b140795f589760f0fd60b08 bfc44e4432e1f85c0111dd243d37ab135651c52aa4f6c068a0ca16 171c G.6.2. curve448_XMD:SHA-512_ELL2_NU_ suite = curve448_XMD:SHA-512_ELL2_NU_ dst = curve448_XMD:SHA-512_ELL2_NU_TESTGEN msg = P.x = db2d394c230f07806f64d141abec430960b6a6762a752b70731c58 cd4d96c93b176321a4311061a2f64d3bcb1d46786be7594f4db484 7203 P.y = 7b6035b65af2f2ea404fa080c7a21c6045721057fded7d573ed5bf 8cdf96db62b747025e87f4661b24142ebba91db0ac66d0902c85eb 6829 u[0] = 249a72a3caf64d055e2bb83a896bfac4d1af8d41e3935883c66df6 da15ae86dde897e49e95a609c7e00f286aeac14e0b13a2aea86f14 f7fb Q.x = cd4e361fec6c6f098d482165ed47b5c29499ca91ce3fe5b35d1e78 04d4240967647a5651cd30a6dce95a4d5422ae6b294d050d83e3a1 256d Q.y = cdd47f57178d9b2499de620cd5bd8f9c8576dd1cd37b30c467048d a75a3da103a23b00d45eaf5544885d59f171ff3aa6d05adf267d56 61ad msg = abc P.x = 5c4b864bf52c3b6664afb5545896885e8773c319e7167acc75bc1f 06a2066bd20d3622ae7fed254dd03e6df18ab5cab5b4765679e84d 76e0 P.y = fb5017fc0b00952caf2190bec44ef4dd1146a09dedb217b95d8695 3a68bfcbaae5aab2eca5a7b36570a6eb422696c2c0a02bea9b9ce1 Faz-Hernandez, et al. 
Expires 29 October 2020 [Page 129] Internet-Draft hash-to-curve April 2020 bc0c u[0] = 150f5b0072c993b4bdff3500c641d26f8104c4bb744db090c1bd7b 045bed0c2959781417599d45943c88deb74b2fef1372fff6fb7c67 4546 Q.x = 6cf23d124f6a896754dbadd6971c31549db637a27f3d9f3c078399 d8a1db927b8768d617393a2be1c9d94e6a8c36b49a0f0a41a621cf 3c96 Q.y = 98c5f6fd0204b83a3f9d50b1589e8e8e4dbd409c2f0ec250c449a7 1eb297d8e4231990f46b5f0b9a78ea8464c50fbfecf92740b4629a 9318 msg = abcdef0123456789 P.x = 2fd6673e216745750ec195cd488d3783e9fbd69f95993cbc5248a7 62c446ea2ae10b30c5b66828dd05633a5dc0a43f6e61fb3f572fe2 da85 P.y = 0af04df18f3a963141db30c24e450d3034710a7b67a08d8180d909 6bf23040c0dc387575f6c939f3b4e5dd75cb89d839b653af838df1 6a66 u[0] = 18559fde14e46513c0836ff6bcf226d3e34fc3c468e5cb374134b4 db45bbe0dfa7cb3499a2699d256969de85b104144dd1593e817bbd 50d1 Q.x = 37451f90ecba47edd05d473b99fea080e0d8cdee09f967287456c0 e29ee3da5b449ddb4cf89f78ee6e8bb8f4fd235df47c2302daf454 c74b Q.y = c57d15c240d9c5f4ac6f61dc154920a491d70c8f52c2935175507d a487ca588395421959e4595cc6f5cb048617949ed04988fbf166d4 c31b msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = d8637bf465e6a254a6277684307b085a9e3fe38fe97487deacd8a8 5949926eaedb4b0ee3a0ab9c358e285ff661aac247fdb48bf23cff 48df P.y = a0042edd6ca06d529b6641bd95e59dc7441fef7b2f961b41b5a86a df1f66b702ae82e683d7c53abab7b340b86c284f36d9991508e3f7 3a63 u[0] = d7fdcd9dd2d0e2f516486b9c5fb549865ca39280e41743cfc6e012 e99f9108e55b81436c050c77361fa1d9650851de7e7a6e5d0a5af3 98df Q.x = 
c9440b72326b251887cc71fc39a1e1b3c96a9f908ffaa6869d28d8 Faz-Hernandez, et al. Expires 29 October 2020 [Page 130] Internet-Draft hash-to-curve April 2020 54684459c35a54d5859bbef1e4594bbca35ef3555bca4ceeb60c2a 27de Q.y = 49911fd9cf581ef8a288a644b16f80c1b4caafdf127187492e5bba afd57765326a618a1acd057abf0a57c224b50a788131160fde64bd 6903 G.7. edwards448 G.7.1. edwards448_XMD:SHA-512_ELL2_RO_ suite = edwards448_XMD:SHA-512_ELL2_RO_ dst = edwards448_XMD:SHA-512_ELL2_RO_TESTGEN msg = P.x = 0fe44e2eb2e4c64e774df311ee290305806eca8410b62fe020e481 cae0747c8bd6fe703ebc620008b06a85258040fb241e1df952e94f efec P.y = 04dae4a58bc21d48384a85ac56a58f4e71d19e233d9316ee3d6b95 6d35172a886702fcfd0134c3ce22f02adab417dc0facab508f37aa 3332 u[0] = 09a40ce753f16726fd0187c16f1fc1a6d88d2afc61d7d868b9825d 466f1b0f8237115397b6d9e739311d8615cb442fb93a73d5ad8f8a f50f u[1] = d6012e7b406163f8a44c36df9bb2e4aadb21a60ae4a4c03578eab2 81942a44721f65b51e147df7a15f365b9b38bd9976271d428f0aa3 27fd Q0.x = fcc2f08ce72bf0bf56355c64334733a1e5a733a8c42184aff651cd f43f43a0cd28e9c2bcbaea8e4ae27262ea10467dd24071bcf69d82 f2ed Q0.y = 091d729ebb25478ee9172d98654138ad175988e897c953fd10e005 b0abeccd3072d4f3adc4fad437a1e3bd75ec023a746f68de61eb2e 0718 Q1.x = 2617d1c71cb7b6b6aafa07f2c95bfefe2d45e93160e8dfa184f3af 3d10bf45d4f6d8b81026e41813875448aed2d5c23a295bcddb8889 1022 Q1.y = 2ca2d7b20ded65529b196e33871f86c0c46266d40c3716151494ee 26b16603953be1881235a4828346acbd42a05226eba7d75c7a5fba 4ab2 msg = abc P.x = 60cfe5b1c6b4984747f2a7fa0666df7298c094903ba2d450b54cbe 01d915ab782dda4a7c056cfa4e2bf759aded44045e4b85fd54a821 ff52 P.y = b06e9b3e83ea57f3ebd95cbb62423eb69897c484c16536a2be7966 4c6b2a1130b662384dc0a3defb05cf1dc061f84f4cfbc235ff55f2 9265 u[0] = 95e100f36217f828b70c0ac86025b7481d8853c4df613683fef88b dbbdb4722b5b31b8bc5019f0fe742acba2c2be57fff46edc920d65 Faz-Hernandez, et al. 
G.7.2. edwards448_XMD:SHA-512_ELL2_NU_

suite = edwards448_XMD:SHA-512_ELL2_NU_
dst = edwards448_XMD:SHA-512_ELL2_NU_TESTGEN
G.8. secp256k1

G.8.1. secp256k1_XMD:SHA-256_SSWU_RO_

suite = secp256k1_XMD:SHA-256_SSWU_RO_
dst = secp256k1_XMD:SHA-256_SSWU_RO_TESTGEN

G.8.2. secp256k1_XMD:SHA-256_SSWU_NU_

suite = secp256k1_XMD:SHA-256_SSWU_NU_
dst = secp256k1_XMD:SHA-256_SSWU_NU_TESTGEN

G.8.3. secp256k1_XMD:SHA-256_SVDW_RO_

suite = secp256k1_XMD:SHA-256_SVDW_RO_
dst = secp256k1_XMD:SHA-256_SVDW_RO_TESTGEN
G.8.4. secp256k1_XMD:SHA-256_SVDW_NU_

suite = secp256k1_XMD:SHA-256_SVDW_NU_
dst = secp256k1_XMD:SHA-256_SVDW_NU_TESTGEN

G.9. BLS12-381 G1

G.9.1. BLS12381G1_XMD:SHA-256_SSWU_RO_

suite = BLS12381G1_XMD:SHA-256_SSWU_RO_
dst = BLS12381G1_XMD:SHA-256_SSWU_RO_TESTGEN
G.9.2. BLS12381G1_XMD:SHA-256_SSWU_NU_

suite = BLS12381G1_XMD:SHA-256_SSWU_NU_
dst = BLS12381G1_XMD:SHA-256_SSWU_NU_TESTGEN

G.9.3. BLS12381G1_XMD:SHA-256_SVDW_RO_

suite = BLS12381G1_XMD:SHA-256_SVDW_RO_
dst = BLS12381G1_XMD:SHA-256_SVDW_RO_TESTGEN
G.9.4. BLS12381G1_XMD:SHA-256_SVDW_NU_

suite = BLS12381G1_XMD:SHA-256_SVDW_NU_
dst = BLS12381G1_XMD:SHA-256_SVDW_NU_TESTGEN

G.10. BLS12-381 G2

G.10.1. BLS12381G2_XMD:SHA-256_SSWU_RO_

suite = BLS12381G2_XMD:SHA-256_SSWU_RO_
dst = BLS12381G2_XMD:SHA-256_SSWU_RO_TESTGEN
17eadb5c134a1cc0305ad5d99f6e2a1cd906a2fdac318d4356527c 70fc94242ddb664486c814ebd5959a2cf4225a783a Q1.y = 00f0793bcfaf12e5d23fdd4173f7539e3cf182a0f5a1c98b488f59 daca5ecf7b694912a93f6b81498a5c2282c09ee63f + I * 081adf3c45b42c35fdb678c8bdec1d8c12f9d5a30b22cf52c1afc9 67d6ddc82fdae0673f76a5186a84f3602c7a22f6b8 G.10.2. BLS12381G2_XMD:SHA-256_SSWU_NU_ Faz-Hernandez, et al. Expires 29 October 2020 [Page 150] Internet-Draft hash-to-curve April 2020 suite = BLS12381G2_XMD:SHA-256_SSWU_NU_ dst = BLS12381G2_XMD:SHA-256_SSWU_NU_TESTGEN msg = P.x = 027e4bfada0b47f9f07e04aec463c7371e68f2fd0c738cd517932e a3801a35acf09db018deda57387b0f270f7a219e4d + I * 0d4333b77becbf9f9dfa3ca928002233d1ecc854b1447e5a71f751 c9042d000f42db91c1d6649a5e0ad22bd7bf7398b8 P.y = 053674cba9ef516ddc218fedb37324e6c47de27f88ab7ef123b006 127d738293c0277187f7e2f80a299a24d84ed03da7 + I * 0cc76dc777ea0d447e02a41004f37a0a7b1fafb6746884e8d9fc27 6716ccf47e4e0899548a2ec71c2bdf1a2a50e876db u[0] = 0e775d7827adf385b83e20e4445bd3fab21d7b4498426daf3c1d60 8b9d41e9edb5eda0df022e753b8bb4bc3bb7db4914 + I * 025fbc07711ba267b7e70c82caa70a16fbb1d470ae24ceef307f5e 2000751677820b7013ad4e25492dcf30052d3e5eca Q.x = 0155447bd67775ed9eaf35db498e8acf00b9240a8b336b284d4be1 558036495c5872384378c0931b888f85575768f52f + I * 09fbb2d6ee99f38a93c38c891cb28c5e2f18e97c78c7b74fbbb2d4 d21c1b02dd05170a3734bdf7ca97ac17091b85b1fc Q.y = 17d2d52554474a2cc19322bce0c3079671043190fc6d33679530df 9341bf23424b2aa4470de343e65ab1b1a3c1f380d7 + I * 052e9100ee074779a4da267cd34ba58be71f373b05ea5f9fb4a28d fb279a9129efd5f22156b2d3ae2b3c52ac0fc7004c msg = abc P.x = 09349f1cb5b2e55489dcd45a38545343451cc30a1681c57acd4fb0 a6db125f8352c09f4a67eb7d1d8242cb7d3405f97b + I * 18f0f87b40af67c056915dbaf48534c592524e82c1c2b50c3734d0 2c0172c80df780a60b5683759298a3303c5d942778 P.y = 02f2d9deb2c7742512f5b8230bf0fd83ea42279d7d39779543c1a4 3b61c885982b611f6a7a24b514995e8a098496b811 + I * 10a2ba341bc689ab947b7941ce6ef39be17acaab067bd32bd652b4 
71ab0792c53a2bd03bdac47f96aaafe96e441f63c0 u[0] = 045ab31ce4b5a8ba7c4b2851b64f063a66cd1223d3c85005b78e1b eee65e33c90ceef0244e45fc45a5e1d6eab6644fdb + I * 1870a7dbfd2a1deb74015a3546b20f598041bf5d5202997956a94a 368d30d3f70f18cdaa1d33ce970a4e16af961cbdcb Q.x = 0d158306276e64752eb05c697c0e982c1f120d36a0001c20910632 b8ef4de742ff03b77a1d5313c0c5b015249d804713 + I * 03511e20d69ecd16eb9ed9bcbb500593abdf9b9dae12621a3b7faf fe3d2a78ecf9e1526b710ea9773a8b36e1c358f3e3 Q.y = 1299a622ac19a0cd8215b9d3d64916770894d9af261e25b0c6dce3 cd4025fa1ac58c4f20ca49f58db59ac4403f274dcc + I * 0cebbb186aa40e6ee61380ea20f21a1ce304ad0a0ca2c5126be0ff 18863ee17494e0da7e63eb8184b6d6e7c8b2a09bb4 msg = abcdef0123456789 Faz-Hernandez, et al. Expires 29 October 2020 [Page 151] Internet-Draft hash-to-curve April 2020 P.x = 149fe43777d34f0d25430dea463889bd9393bdfb4932946db23671 727081c629ebb98a89604f3433fba1c67d356a4af7 + I * 19808ec5930a53c7cf5912ccce1cc33f1b3dcff24a53ce1cc4cba4 1fd6996dbed4843ccdd2eaf6a0cd801e562718d163 P.y = 04c0d6793a766233b2982087b5f4a254f261003ccb3262ea7c5090 3eecef3e871d1502c293f9e063d7d293f6384f4551 + I * 04783e391c30c83f805ca271e353582fdf19d159f6a4c39b73acbb 637a9b8ac820cfbe2738d683368a7c07ad020e3e33 u[0] = 0b6e6135a4cd31ba980ddbd115ac48abef7ec60e226f264d7befe0 02c165f3a496f36f76dd524efd75d17422558d10b4 + I * 088fe329b054db8a6474f21a7fbfdf17b4c18044db299d9007af58 2c3d5f17d00e56d99921d4b5640fce44b05219b5de Q.x = 12e15bef85566a4587d120dc054c935f2ffb198aa0f70137b02c40 6ddbb80e01844e3efb7f4457f304d85410a5cb0e21 + I * 01a3026ebdf89e103658689c35316e87c2de54633bc5548104b48c 87690cb15008dde3cb0386923ff9cf89022adfb6ff Q.y = 068beb96b5ff990c8a44bd85e7dd2739dffd8942d749db0ac71273 74d4818b35e35266c708a74e904cc18c464fb0fa8a + I * 0c9d5a6359f809813ffc2a17357a6f92d08fc6ccf098309ee27dd5 27ba8ce43087971b963da5c663e958b7bbec04b105 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 

G.10.3.  BLS12381G2_XMD:SHA-256_SVDW_RO_

suite   = BLS12381G2_XMD:SHA-256_SVDW_RO_
dst     = BLS12381G2_XMD:SHA-256_SVDW_RO_TESTGEN

G.10.4.  BLS12381G2_XMD:SHA-256_SVDW_NU_

suite   = BLS12381G2_XMD:SHA-256_SVDW_NU_
dst     = BLS12381G2_XMD:SHA-256_SVDW_NU_TESTGEN

Authors' Addresses

   Armando Faz-Hernandez
   Cloudflare
   101 Townsend St
   San Francisco,
   United States of America

   Email: armfazh@cloudflare.com


   Sam Scott
   Cornell Tech
   2 West Loop Rd
   New York, New York 10044,
   United States of America

   Email: sam.scott@cornell.edu


   Nick Sullivan
   Cloudflare
   101 Townsend St
   San Francisco,
   United States of America

   Email: nick@cloudflare.com


   Riad S. Wahby
   Stanford University

   Email: rsw@cs.stanford.edu


   Christopher A. Wood
   Cloudflare
   101 Townsend St
   San Francisco,
   United States of America

   Email: caw@heapingbits.net