Commit 6ae70dab authored by Michael Hamburg

better docs on Elligator

parent 27129a17
......@@ -171,17 +171,32 @@ decaf_bool_t decaf_valid (
* @brief Elligator-like hash to curve.
* @brief Almost-Elligator-like hash to curve.
* May be up to 4:1 on [0,(p-1)/2]
* // TODO: check that it isn't more.
* Call this function with the output of a hash to make a hash to the curve.
* @param [in] ser A serialized point.
* This function runs Elligator2 on the decaf Jacobi quartic model. It then
* uses the isogeny to put the result in twisted Edwards form. As a result,
* it is safe (cannot produce points of order 4), and would be compatible with
* hypothetical other implementations of Decaf using a Montgomery or untwisted
* Edwards model.
* Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:
* A factor of 2 due to the isogeny.
* A factor of 2 because we quotient out the 2-torsion.
* // TODO: check that it isn't more, especially for the identity point.
* This function isn't quite indifferentiable from a random oracle.
* However, it is suitable for many protocols, including SPEKE and SPAKE2 EE.
* Furthermore, calling it twice with independent seeds and adding the results
* is indifferentiable from a random oracle.
* @param [in] hashed_data Output of some hash function.
* @param [out] pt The hashed input
void decaf_nonuniform_map_to_curve (
decaf_point_t pt,
const unsigned char ser[DECAF_SER_BYTES]
const unsigned char hashed_data[DECAF_SER_BYTES]
#undef API_VIS
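Review bot: In the new doc comment for decaf_nonuniform_map_to_curve, the many-to-one bound is given on [0,(p-1)/2], but the renamed parameter hashed_data is DECAF_SER_BYTES of arbitrary hash output, and the comment does not say how values outside that interval are treated (reduced, folded onto the interval, or rejected). Please state that, since a caller reasoning about the bound needs it. The bound itself is still behind a TODO ("check that it isn't more, especially for the identity point"), so the text should say it is unverified until that check is done, rather than leaving "may be up to 4:1" to read as an established limit in a public header. Two smaller points: "@param [out] pt The hashed input" describes the output as the input and would be clearer as the resulting curve point, and the advice about "calling it twice with independent seeds" would be easier to apply if it said how the two seeds are expected to be derived.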