Internet-Draft | hash-to-curve | March 2020
Faz-Hernandez, et al. | Expires 10 September 2020
This document specifies a number of algorithms that may be used to encode or hash an arbitrary string to a point on an elliptic curve.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 10 September 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Many cryptographic protocols require a procedure that encodes an arbitrary input, e.g., a password, to a point on an elliptic curve. This procedure is known as hashing to an elliptic curve. Prominent examples of cryptosystems that hash to elliptic curves include Simple Password Exponential Key Exchange [J96], Password Authenticated Key Exchange [BMP00], Identity-Based Encryption [BF01] and Boneh-Lynn-Shacham signatures [BLS01].¶
Unfortunately for implementors, the precise hash function that is suitable for a given scheme is not necessarily included in the description of the protocol. Compounding this problem is the need to pick a suitable curve for the specific protocol.¶
This document aims to bridge this gap by providing a thorough set of recommended algorithms for a range of curve types. Each algorithm conforms to a common interface: it takes as input an arbitrary-length byte string and produces as output a point on an elliptic curve. We provide implementation details for each algorithm, describe the security rationale behind each recommendation, and give guidance for elliptic curves that are not explicitly covered.¶
This document does not cover rejection sampling methods, sometimes known as "try-and-increment" or "hunt-and-peck," because the goal is to describe algorithms that can plausibly be made constant time. Use of these rejection methods is NOT RECOMMENDED, because they have been a perennial cause of side-channel vulnerabilities.¶
This document is intended for use by both implementors and protocol designers.¶
For implementors, the necessary and sufficient level of specification is a hash-to-curve suite, which fixes all of the parameters listed in Section 8, plus a domain separation tag (Section 3.1). Starting from working operations on the target elliptic curve and its base field, a hash-to-curve suite requires implementing the specified encoding function (Section 3), its constituent subroutines (Section 5, Section 6, Section 7), and a few utility functions (Section 4).¶
Correspondingly, designers specifying a protocol that requires hashing to an elliptic curve should either choose an existing hash-to-curve suite or specify a new one (see Section 8.8). In addition, designers should choose a domain separation tag following the guidelines in Section 3.1.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The following is a brief definition of elliptic curves, with an emphasis on important parameters and their relation to hashing to curves. For further reference on elliptic curves, consult [CFADLNV05] or [W08].¶
Let F be the finite field GF(q) of prime characteristic p > 3. (This document does not consider elliptic curves over fields of characteristic 2 or 3.) In most cases F is a prime field, so q = p. Otherwise, F is an extension field, so q = p^m for an integer m > 1. This document writes elements of extension fields in a primitive element or polynomial basis, i.e., as a vector of m elements of GF(p) written in ascending order by degree. The entries of this vector are indexed in ascending order starting from 1, i.e., x = (x_1, x_2, ..., x_m). For example, if q = p^2 and the primitive element basis is (1, I), then x = (a, b) corresponds to the element a + b * I, where x_1 = a and x_2 = b.¶
An elliptic curve E is specified by an equation in two variables and a finite field F. An elliptic curve equation takes one of several standard forms, including (but not limited to) Weierstrass, Montgomery, and Edwards.¶
The curve E induces an algebraic group whose elements are those points with coordinates (x, y) satisfying the curve equation, and where x and y are elements of F. This group has order n, meaning that there are n distinct points. This document uses additive notation for the elliptic curve group operation.¶
For security reasons, groups of prime order MUST be used. Elliptic curves induce subgroups of prime order. Let G be a subgroup of the curve of prime order r, where n = h * r. In this equation, h is an integer called the cofactor. An algorithm that takes as input an arbitrary point on the curve E and produces as output a point in the subgroup G of E is said to "clear the cofactor." Such algorithms are discussed in Section 7.¶
Certain hash-to-curve algorithms restrict the form of the curve equation, the characteristic of the field, and/or the parameters of the curve. For each algorithm presented, this document lists the relevant restrictions.¶
Summary of quantities:¶
Symbol | Meaning | Relevance |
---|---|---|
F,q,p | Finite field F of characteristic p and #F = q = p^m. | For prime fields, q = p; otherwise, q = p^m and m>1. |
E | Elliptic curve. | E is specified by an equation and a field F. |
n | Number of points on the elliptic curve E. | n = h * r, for h and r defined below. |
G | A subgroup of the elliptic curve. | Destination group to which byte strings are encoded. |
r | Order of G. | This number MUST be prime. |
h | Cofactor, h >= 1. | An integer satisfying n = h * r. |
In this section, we define important terms used in the rest of this document.¶
A mapping is a deterministic function from an element of the field F to a point on an elliptic curve E defined over F.¶
In general, the set of all points that a mapping can produce over all possible inputs may be only a subset of the points on an elliptic curve (i.e., the mapping may not be surjective). In addition, a mapping may output the same point for two or more distinct inputs (i.e., the mapping may not be injective). For example, consider a mapping from F to an elliptic curve having n points: if the number of elements of F is not equal to n, then this mapping cannot be bijective (i.e., both injective and surjective) since it is defined to be deterministic.¶
Mappings may also be invertible, meaning that there is an efficient algorithm that, for any point P output by the mapping, outputs an x in F such that applying the mapping to x outputs P. Some of the mappings given in Section 6 are invertible, but this document does not discuss inversion algorithms.¶
Encodings are closely related to mappings. Like a mapping, an encoding is a function that outputs a point on an elliptic curve. In contrast to a mapping, however, the input to an encoding is an arbitrary string. Encodings can be deterministic or probabilistic. Deterministic encodings are preferred for security, because probabilistic ones are more likely to leak information through side channels.¶
This document constructs deterministic encodings by composing a hash function H with a deterministic mapping. In particular, H takes as input an arbitrary string and outputs an element of F. The deterministic mapping takes that element as input and outputs a point on an elliptic curve E defined over F. Since the hash function H takes arbitrary strings as inputs, it cannot be injective: the set of inputs is larger than the set of outputs, so there must be distinct inputs that give the same output (i.e., there must be collisions). Thus, any encoding built from H is also not injective.¶
Like mappings, encodings may be invertible, meaning that there is an efficient algorithm that, for any point P output by the encoding, outputs a string s such that applying the encoding to s outputs P. The hash function used by all encodings specified in this document (Section 5) is not invertible; thus, the encodings are also not invertible.¶
Two different types of encodings are possible: nonuniform encodings, whose output distribution is not uniformly random, and random oracle encodings, whose output distribution is indistinguishable from uniformly random. Some protocols require a random oracle for security, while others can be securely instantiated with a nonuniform encoding. When the required encoding is not clear, applications SHOULD use a random oracle.¶
Care is required when constructing a random oracle from a mapping function. A simple but insecure approach is to use the output of a cryptographically secure hash function H as the input to the mapping. Because in general the mapping is not surjective, the output of this construction is distinguishable from uniformly random, i.e., it does not behave like a random oracle.¶
Brier et al. [BCIMRT10] describe two generic methods for constructing random oracle encodings. Farashahi et al. [FFSTV13] and Tibouchi and Kim [TK17] refine the analysis of one of these constructions. That construction is described in Section 3.¶
(In more detail: both constructions are indifferentiable from a random oracle [MRH04] when instantiated with appropriate hash functions modeled as random oracles. See Section 10 for further discussion.)¶
A procedure related to encoding is the conversion of an elliptic curve point to a bit string. This is called serialization, and is typically used for compactly storing or transmitting points. The reverse operation, deserialization, converts a bit string to an elliptic curve point. For example, [SEC1] and [p1363a] give standard methods for serialization and deserialization.¶
Deserialization is different from encoding in that only certain strings (namely, those output by the serialization procedure) can be deserialized. In contrast, this document is concerned with encodings from arbitrary strings to elliptic curve points. This document does not cover serialization or deserialization.¶
Cryptographic protocols that use random oracles are often analyzed under the assumption that random oracles answer only queries generated by that protocol. In practice, this assumption does not hold if two protocols query the same random oracle. Concretely, consider protocols P1 and P2 that query random oracle RO: if P1 and P2 both query RO on the same value x, the security analysis of one or both protocols may be invalidated.¶
A common approach to addressing this issue is called domain separation, which allows a single random oracle to simulate multiple, independent oracles. This is effected by ensuring that each simulated oracle sees queries that are distinct from those seen by all other simulated oracles. For example, to simulate two oracles RO1 and RO2 given a single oracle RO, one might define¶
RO1(x) := RO("RO1" || x)
RO2(x) := RO("RO2" || x)
In this example, "RO1" and "RO2" are called domain separation tags; they ensure that queries to RO1 and RO2 cannot result in identical queries to RO. Thus, it is safe to treat RO1 and RO2 as independent oracles.¶
This section presents a general framework for encoding byte strings to points on an elliptic curve. To construct these encodings, we rely on three basic functions:¶
We describe two high-level encoding functions (Section 2.2.2). Although these functions have the same interface, the distributions of their outputs are different.¶
encode_to_curve(msg)

Input: msg, an arbitrary-length byte string.
Output: P, a point in G.

Steps:
1. u = hash_to_field(msg, 1)
2. Q = map_to_curve(u[0])
3. P = clear_cofactor(Q)
4. return P

hash_to_curve(msg)

Input: msg, an arbitrary-length byte string.
Output: P, a point in G.

Steps:
1. u = hash_to_field(msg, 2)
2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1])
4. R = Q0 + Q1              # Point addition
5. P = clear_cofactor(R)
6. return P
Instances of these functions are given in Section 8, which defines a list of suites that specify a full set of parameters matching elliptic curves and algorithms.¶
All uses of the encoding functions defined in this document MUST include domain separation (Section 2.2.5) to avoid interfering with other uses of similar functionality.¶
Protocols that instantiate multiple, independent hash functions based on either hash_to_curve or encode_to_curve MUST enforce domain separation between those hash functions. This requirement applies both in the case of multiple hashes to the same curve and in the case of multiple hashes to different curves. (This is because the hash_to_field primitive (Section 5) requires domain separation to guarantee independent outputs.)¶
Domain separation is enforced with a domain separation tag (DST), which is a byte string. Care is required when selecting and using a domain separation tag. The following requirements apply:¶
As an example, consider a fictional protocol named Quux that defines several different ciphersuites. A reasonable choice of tag is "QUUX-V<xx>-CS<yy>", where <xx> and <yy> are two-digit numbers indicating the version and ciphersuite, respectively.¶
As another example, consider a fictional protocol named Baz that requires two independent random oracles, where one oracle outputs points on the curve E1 and the other outputs points on the curve E2. Reasonable choices of tags for the E1 and E2 oracles are "BAZ-V<xx>-CS<yy>-E1" and "BAZ-V<xx>-CS<yy>-E2", respectively, where <xx> and <yy> are as described above.¶
Algorithms in this document make use of utility functions described below.¶
For security reasons, all field operations, comparisons, and assignments MUST be implemented in constant time (i.e., execution time MUST NOT depend on the values of the inputs), and without branching. Guidance on implementing these low-level operations in constant time is beyond the scope of this document.¶
is_square(x) := { True,  if x^((q - 1) / 2) is 0 or 1 in F;
                { False, otherwise.
sqrt(x): The sqrt operation is a multi-valued function, i.e. there exist two roots of x in the field F whenever x is square. To maintain compatibility across implementations while allowing implementors leeway for optimizations, this document does not require sqrt() to return a particular value. Instead, as explained in Section 6.4, any higher-level function that computes square roots also specifies how to determine the sign of the result.¶
The preferred way of computing square roots is to fix a deterministic algorithm particular to F. We give several algorithms in Appendix F. Regardless of the method chosen, the sqrt function should be implemented in a way that resists timing side channels, i.e., in constant time.¶
This section defines two ways of determining the "sign" of an element of F. The variant that should be used is a matter of convention. Other sgn0 variants are possible, but the two given below cover commonly used notions of sign.¶
It is RECOMMENDED to select the variant that matches the point decompression method of the target curve. In particular, since point decompression requires computing a square root and then choosing the sign of the resulting point, all decompression methods specify, implicitly or explicitly, a method for determining the sign of an element of F. It is convenient for hash-to-curve and decompression to agree on a notion of sign, since this may permit simpler implementations.¶
See Section 2.1 for a discussion of representing elements of extension fields as vectors; this representation is used in both of the sgn0 variants below.¶
Note that any valid sgn0 function for extension fields must iterate over the entire vector representation of the input element. To see why, imagine a function sgn0* that ignores the final entry in its input vector, and consider a field element x = (0, x_2). Since sgn0* ignores x_2, sgn0*(x) == sgn0*(-x), which is incorrect when x_2 != 0. The same argument applies to all entries of any x, establishing the claim.¶
The following sgn0 variant is defined such that sgn0_be(x) = -1 just when the big-endian encoding of x is lexically greater than the encoding of -x.¶
This variant SHOULD be used when points on the target elliptic curve are serialized using the SORT compression method given in IEEE 1363a-2004 [p1363a], Section 5.5.6.1.2, and other similar methods.¶
sgn0_be(x)

Parameters:
- F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above).
- m, the extension degree of F, m >= 1 (see immediately above).

Input: x, an element of F.
Output: -1 or 1 (an integer).

Notation: x_i is the i^th element of the vector representation of x.

Steps:
1. sign = 0
2. for i in (m, m - 1, ..., 1):
3.   sign_i = CMOV(1, -1, x_i > ((p - 1) / 2))
4.   sign_i = CMOV(sign_i, 0, x_i == 0)
5.   sign = CMOV(sign, sign_i, sign == 0)
6. return CMOV(sign, 1, sign == 0)      # Regard x == 0 as positive
The following sgn0 variant is defined such that sgn0_le(x) = -1 just when x != 0 and the parity of the least significant nonzero entry of the vector representation of x is 1.¶
This variant SHOULD be used when points on the target elliptic curve are serialized using any of the following methods:¶
This variant is also compatible with the compression method specified for the Ed25519 and Ed448 elliptic curves [RFC8032].¶
sgn0_le(x)

Parameters:
- F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above).
- m, the extension degree of F, m >= 1 (see immediately above).

Input: x, an element of F.
Output: -1 or 1 (an integer).

Notation: x_i is the i^th element of the vector representation of x.

Steps:
1. sign = 0
2. for i in (1, 2, ..., m):
3.   sign_i = CMOV(1, -1, x_i mod 2 == 1)
4.   sign_i = CMOV(sign_i, 0, x_i == 0)
5.   sign = CMOV(sign, sign_i, sign == 0)
6. return CMOV(sign, 1, sign == 0)      # Regard x == 0 as positive
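Both sgn0 variants transcribed into Python, as an added example that is not part of the draft, together with the truncated sgn0* from the argument above so the failure on x = (0, x_2) can be observed. Field elements are tuples (x_1, ..., x_m); the helper names and the toy field GF(7^m) are assumptions of this example, and Python's `b if c else a` only models CMOV's selection, not its constant-time behaviour.

```python
from itertools import product


def cmov(a, b, c):
    """CMOV(a, b, c) as used in the pseudocode: b if c is true, otherwise a."""
    return b if c else a


def sgn0_be(x, p):
    """Big-endian variant: the most significant nonzero entry decides."""
    sign = 0
    for x_i in reversed(x):                      # i = m, m - 1, ..., 1
        sign_i = cmov(1, -1, x_i > (p - 1) // 2)
        sign_i = cmov(sign_i, 0, x_i == 0)
        sign = cmov(sign, sign_i, sign == 0)
    return cmov(sign, 1, sign == 0)              # x == 0 counts as positive


def sgn0_le(x, p):
    """Little-endian variant: parity of the least significant nonzero entry."""
    sign = 0
    for x_i in x:                                # i = 1, 2, ..., m
        sign_i = cmov(1, -1, x_i % 2 == 1)
        sign_i = cmov(sign_i, 0, x_i == 0)
        sign = cmov(sign, sign_i, sign == 0)
    return cmov(sign, 1, sign == 0)


def sgn0_star(x, p):
    """The broken sgn0* from the text: sgn0_le that ignores the final entry."""
    return sgn0_le(x[:-1], p)


def neg(x, p):
    """Additive inverse of a field element given as a coefficient vector."""
    return tuple((-x_i) % p for x_i in x)


def sign_rule_violations(sgn0, p, m):
    """Nonzero x in GF(p^m) for which sgn0(x) and sgn0(-x) fail to be opposite."""
    bad = []
    for x in product(range(p), repeat=m):
        if any(x) and sgn0(x, p) != -sgn0(neg(x, p), p):
            bad.append(x)
    return bad
```

Over GF(7^2) the two real variants have no violations, while sgn0* fails on exactly the six elements (0, x_2) with x_2 != 0.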
The hash_to_field function hashes a byte string msg of any length into one or more elements of a field F. This function works in two steps: it first hashes the input byte string to produce a pseudorandom byte string, and then interprets this pseudorandom byte string as one or more elements of F.¶
For the first step, hash_to_field calls an auxiliary function expand_message. This document defines two variants of expand_message, one appropriate for hash functions like SHA-2 [FIPS180-4] or SHA-3 [FIPS202], and one appropriate for extensible-output functions like SHAKE-128 [FIPS202]. Security considerations for each expand_message variant are discussed below (Section 5.3.1, Section 5.3.2).¶
Implementors MUST NOT use rejection sampling to generate a uniformly random element of F. The reason is that rejection sampling procedures are difficult to implement in constant time, and later well-meaning "optimizations" may silently render an implementation non-constant-time.¶
The hash_to_field function is designed to be indifferentiable from a random oracle [MRH04] when expand_message (Section 5.3) is modeled as a random oracle (see Section 10.1). Ensuring indifferentiability requires care; to see why, consider a prime p that is close to 3/4 * 2^256. Reducing a random 256-bit integer modulo this p yields a value that is in the range [0, p / 3] with probability roughly 1/2, meaning that this value is statistically far from uniform in [0, p - 1].¶
To control bias, hash_to_field instead uses pseudorandom integers whose length is at least ceil(log2(p)) + k bits. Reducing such integers mod p gives bias at most 2^-k for any p; this bias is appropriate when targeting k-bit security. To obtain such integers, hash_to_field uses expand_message to obtain L pseudorandom bytes, where L = ceil((ceil(log2(p)) + k) / 8); this byte string is then interpreted as an integer via OS2IP [RFC8017]. For example, for a 255-bit prime p, and k = 128-bit security, L = ceil((255 + 128) / 8) = 48 bytes.¶
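The bias argument above, worked exactly as an added example (not part of the draft). It uses a constructed toy prime, 193, which is close to 3/4 * 2^8, so the distribution can be enumerated; the function names are assumptions of this example.

```python
from fractions import Fraction

TOY_P = 193  # constructed toy prime, about 3/4 * 2^8


def residue_counts(p, nbits):
    """Brute force: how many nbits-bit integers reduce to each residue mod p."""
    counts = [0] * p
    for v in range(1 << nbits):
        counts[v % p] += 1
    return counts


def distance_by_enumeration(p, nbits):
    """Statistical distance from uniform on [0, p - 1], from the exact counts."""
    total = 1 << nbits
    return sum(abs(Fraction(c, total) - Fraction(1, p))
               for c in residue_counts(p, nbits)) / 2


def distance_closed_form(p, nbits):
    """Same distance without enumeration, usable at cryptographic sizes.

    Write 2^nbits = q * p + rem. Residues below rem occur q + 1 times and the
    others q times, which gives rem * (p - rem) / (2^nbits * p).
    """
    total = 1 << nbits
    rem = total % p
    return Fraction(rem * (p - rem), total * p)


def prob_low_third(p, nbits):
    """Probability that the reduced value lands in [0, p / 3]."""
    counts = residue_counts(p, nbits)
    return Fraction(sum(counts[: p // 3 + 1]), 1 << nbits)


def field_element_length(p, k):
    """L = ceil((ceil(log2(p)) + k) / 8); bit_length equals ceil(log2(p)) for odd p."""
    return -(-(p.bit_length() + k) // 8)


if __name__ == "__main__":
    print("P[value <= p/3], 8-bit input :", prob_low_third(TOY_P, 8))
    for k in (0, 4, 8):
        d = distance_closed_form(TOY_P, 8 + k)
        print(f"k = {k}: distance = {float(d):.6f}, bound 2^-k = {2.0 ** -k:.6f}")
    print("L for a 255-bit prime, k = 128:", field_element_length(2**255 - 19, 128))
```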
The following procedure implements hash_to_field.¶
The expand_message parameter to this function MUST conform to the requirements given below (Section 5.3).¶
Section 3.1 discusses requirements for domain separation and recommendations for choosing DST, the domain separation tag. This is the REQUIRED method for applying domain separation.¶
hash_to_field(msg, count)

Parameters:
- DST, a domain separation tag (see discussion above).
- F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above).
- m, the extension degree of F, m >= 1 (see immediately above).
- L = ceil((ceil(log2(p)) + k) / 8), where k is the security parameter of the cryptosystem (e.g., k = 128).
- expand_message, a function that expands a byte string and domain separation tag into a pseudorandom byte string (see discussion above).

Inputs:
- msg is a byte string containing the message to hash.
- count is the number of elements of F to output.

Outputs:
- (u_0, ..., u_(count - 1)), a list of field elements.

Steps:
1. len_in_bytes = count * m * L
2. pseudo_random_bytes = expand_message(msg, DST, len_in_bytes)
3. for i in (0, ..., count - 1):
4.   for j in (0, ..., m - 1):
5.     elm_offset = L * (j + i * m)
6.     tv = substr(pseudo_random_bytes, elm_offset, L)
7.     e_j = OS2IP(tv) mod p
8.   u_i = (e_0, ..., e_(m - 1))
9. return (u_0, ..., u_(count - 1))
expand_message is a function that generates a pseudorandom byte string. It takes three arguments:¶
This document defines two variants of expand_message:¶
These variants should suffice for the vast majority of use cases, but other variants are possible; Section 5.3.3 discusses requirements.¶
The expand_message variants defined in this section accept domain separation tags of at most 255 bytes. If a domain separation tag longer than 255 bytes must be used (e.g., because of requirements imposed by an invoking protocol), implementors MUST compute a short domain separation tag by hashing, as follows:¶
DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST)
Here, a_very_long_DST is the DST whose length is greater than 255 bytes, "H2C-OVERSIZE-DST-" is an ASCII string literal, and the hash function H MUST meet the criteria given in Section 5.3.1.¶
The expand_message_xmd function produces a pseudorandom byte string using a cryptographic hash function H that outputs b bits. For security, H must meet the following requirements:¶
SHA-2 [FIPS180-4] and SHA-3 [FIPS202] are typical and RECOMMENDED choices. As an example, for the 128-bit security level, b >= 256 bits and either SHA-256 or SHA3-256 would be an appropriate choice.¶
The following procedure implements expand_message_xmd.¶
expand_message_xmd(msg, DST, len_in_bytes)

Parameters:
- H, a hash function (see requirements above).
- b_in_bytes, ceil(b / 8) for b the output size of H in bits. For example, for b = 256, b_in_bytes = 32.
- r_in_bytes, the input block size of H, measured in bytes. For example, for SHA-256, r_in_bytes = 64.

Input:
- msg, a byte string.
- DST, a byte string of at most 255 bytes.
- len_in_bytes, the length of the requested output in bytes.

Output:
- pseudo_random_bytes, a byte string

Steps:
1.  ell = ceil(len_in_bytes / b_in_bytes)
2.  ABORT if ell > 255
3.  DST_prime = I2OSP(len(DST), 1) || DST
4.  Z_pad = I2OSP(0, r_in_bytes)
5.  l_i_b_str = I2OSP(len_in_bytes, 2)
6.  b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime)
7.  b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
8.  for i in (2, ..., ell):
9.    b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime)
10. pseudo_random_bytes = b_1 || ... || b_ell
11. return substr(pseudo_random_bytes, 0, len_in_bytes)
Note that the string Z_pad is prepended to msg when computing b_0 (step 6). This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2 (see Section 10.2). Hashing this additional data means that the cost of computing b_0 is higher than the cost of simply computing H(msg). In most settings this overhead is negligible, because the cost of evaluating H is much less than the other costs involved in hashing to a curve.¶
It is possible, however, to entirely avoid this overhead by taking advantage of the fact that Z_pad depends only on H, and not on the arguments to expand_message_xmd. To do so, first precompute and save the internal state of H after ingesting Z_pad; and then, when computing b_0, initialize H using the saved state. Further details are beyond the scope of this document.¶
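The hash_to_field and expand_message_xmd procedures above, together with the oversize-DST rule, as an added Python example that is not the draft's reference code. It follows the steps exactly as written on this page (DST_prime carries the length byte first); later revisions of the specification changed that encoding, so outputs are specific to this revision and are not checked against any published test vectors. SHA-256 as H, the default k = 128 and the helper names are assumptions of this example.

```python
import hashlib


def i2osp(value, length):
    """Integer to big-endian byte string of the given length (I2OSP)."""
    return value.to_bytes(length, "big")


def os2ip(octets):
    """Big-endian byte string to integer (OS2IP)."""
    return int.from_bytes(octets, "big")


def strxor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def shorten_dst(dst, h=hashlib.sha256):
    """Apply the oversize-DST rule: tags longer than 255 bytes are hashed."""
    if len(dst) <= 255:
        return dst
    return h(b"H2C-OVERSIZE-DST-" + dst).digest()


def expand_message_xmd(msg, dst, len_in_bytes, h=hashlib.sha256):
    b_in_bytes = h().digest_size
    r_in_bytes = h().block_size
    ell = -(-len_in_bytes // b_in_bytes)               # ceiling division
    if ell > 255:
        raise ValueError("requested output too long: ell > 255")
    if len(dst) > 255:
        raise ValueError("DST longer than 255 bytes; use shorten_dst first")
    dst_prime = i2osp(len(dst), 1) + dst
    z_pad = i2osp(0, r_in_bytes)
    l_i_b_str = i2osp(len_in_bytes, 2)
    b_0 = h(z_pad + msg + l_i_b_str + i2osp(0, 1) + dst_prime).digest()
    blocks = [h(b_0 + i2osp(1, 1) + dst_prime).digest()]          # b_1
    for i in range(2, ell + 1):
        blocks.append(h(strxor(b_0, blocks[-1]) + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(msg, count, dst, p, m=1, k=128, expand=expand_message_xmd):
    """Return count elements of GF(p^m), each a tuple of m integers mod p."""
    L = -(-(p.bit_length() + k) // 8)   # bit_length == ceil(log2(p)) for odd p
    pseudo_random_bytes = expand(msg, shorten_dst(dst), count * m * L)
    u = []
    for i in range(count):
        e = []
        for j in range(m):
            elm_offset = L * (j + i * m)
            tv = pseudo_random_bytes[elm_offset:elm_offset + L]
            e.append(os2ip(tv) % p)     # no rejection sampling, only reduction
        u.append(tuple(e))
    return u


if __name__ == "__main__":
    p = 2**255 - 19
    # Tags follow the fictional "QUUX-V<xx>-CS<yy>" pattern from the text.
    for tag in (b"QUUX-V01-CS01", b"QUUX-V01-CS02"):
        u0, u1 = hash_to_field(b"abc", 2, tag, p)
        print(tag.decode(), hex(u0[0])[:18], hex(u1[0])[:18])
```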
The expand_message_xof function produces a pseudorandom byte string using an extensible-output function (XOF) H. For security, H must meet the following criteria:¶
The SHAKE [FIPS202] XOF family is a typical and RECOMMENDED choice. As an example, for 128-bit security, SHAKE-128 would be an appropriate choice.¶
The following procedure implements expand_message_xof.¶
expand_message_xof(msg, DST, len_in_bytes)

Parameters:
- H, an extensible-output function. H(m, d) hashes message m and returns d bytes.

Input:
- msg, a byte string.
- DST, a byte string of at most 255 bytes.
- len_in_bytes, the length of the requested output in bytes.

Output:
- pseudo_random_bytes, a byte string

Steps:
1. DST_prime = I2OSP(len(DST), 1) || DST
2. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime
3. pseudo_random_bytes = H(msg_prime, len_in_bytes)
4. return pseudo_random_bytes
When defining a new expand_message variant, the most important consideration is that hash_to_field models expand_message as a random oracle. Thus, implementors SHOULD prove indifferentiability from a random oracle under an appropriate assumption about the underlying cryptographic primitives.¶
In addition, expand_message variants:¶
In addition, an expand_message variant MUST specify a unique EXP_TAG that identifies that variant in a Suite ID. See Section 8.9 for more information.¶
The mappings in this section are suitable for constructing either nonuniform or random oracle encodings using the constructions of Section 3. Certain mappings restrict the form of the curve or its parameters. For each mapping presented, this document lists the relevant restrictions.¶
Note that mappings in this section are not interchangeable: different mappings will almost certainly output different points when evaluated on the same input.¶
This section gives brief guidelines on choosing a mapping function for a given elliptic curve. Note that the suites given in Section 8 are recommended mappings for the respective curves.¶
If the target elliptic curve is a Montgomery curve (Section 6.7), the Elligator 2 method (Section 6.7.1) is recommended. Similarly, if the target elliptic curve is a twisted Edwards curve (Section 6.8), the twisted Edwards Elligator 2 method (Section 6.8.2) is recommended.¶
The remaining cases are Weierstrass curves. For curves supported by the Simplified SWU method (Section 6.6.2), that mapping is the recommended one. Otherwise, the Simplified SWU method for AB == 0 (Section 6.6.3) is recommended if the goal is best performance, while the Shallue-van de Woestijne method (Section 6.6.1) is recommended if the goal is simplicity of implementation. (The reason for this distinction is that the Simplified SWU method for AB == 0 requires implementing an isogeny map in addition to the mapping function, while the Shallue-van de Woestijne method does not.)¶
The Shallue-van de Woestijne method (Section 6.6.1) works with any curve, and may be used in cases where a generic mapping is required. Note, however, that this mapping is almost always more computationally expensive than the curve-specific recommendations above.¶
The generic interface shared by all mappings in this section is as follows:¶
(x, y) = map_to_curve(u)
The input u and outputs x and y are elements of the field F. The coordinates (x, y) specify a point on an elliptic curve defined over F. Note that the point (x, y) is not a uniformly random point. If uniformity is required for security, the random oracle construction of Section 3 MUST be used instead.¶
As a rough guide, the following conventions are used in pseudocode:¶
In general, elliptic curves have equations of the form y^2 = g(x). Most of the mappings in this section first identify an x such that g(x) is square, then take a square root to find y. Since there are two square roots when g(x) != 0, this results in an ambiguity regarding the sign of y.¶
To resolve this ambiguity, the mappings in this section specify the sign of the y-coordinate in terms of the input to the mapping function. Two main reasons support this approach. First, this covers elliptic curves over any field in a uniform way, and second, it gives implementors leeway to optimize their square-root implementations.¶
Mappings may have exceptional cases, i.e., inputs u on which the mapping is undefined. These cases must be handled carefully, especially for constant-time implementations.
For each mapping in this section, we discuss the exceptional cases and show how to handle them in constant time. Note that all implementations SHOULD use inv0 (Section 4) to compute multiplicative inverses, to avoid exceptional cases that result from attempting to compute the inverse of 0.¶
The mappings in this section apply to a target curve E defined by the equation¶
y^2 = g(x) = x^3 + A * x + B
where 4 * A^3 + 27 * B^2 != 0.¶
Shallue and van de Woestijne [SW06] describe a mapping that applies to essentially any elliptic curve. (Note, however, that this mapping is more expensive to evaluate than the other mappings in this document.)¶
The parameterization given below is for Weierstrass curves; its derivation is detailed in [W19]. This parameterization also works for Montgomery (Section 6.7) and twisted Edwards (Section 6.8) curves via the rational maps given in Appendix B: first evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstrass curve, then map that point to the target Montgomery or twisted Edwards curve using the corresponding rational map.¶
Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.¶
Constants:¶
Z, an element of F meeting the below criteria. Appendix E.1 gives a Sage [SAGE] script that outputs the RECOMMENDED Z.¶
Sign of y: Inputs u and -u give the same x-coordinate. Thus, we set sgn0(y) == sgn0(u).¶
Exceptions: The exceptional cases for u occur when (1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0. The restrictions on Z given above ensure that implementations that use inv0 to invert this product are exception free.¶
Operations:¶
1.  tv1 = u^2 * g(Z)
2.  tv2 = 1 + tv1
3.  tv1 = 1 - tv1
4.  tv3 = inv0(tv1 * tv2)
5.  tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A))
6.  tv4 = tv4 * sgn0(tv4)    # sgn0(tv4) MUST equal 1
7.  tv5 = u * tv1 * tv3 * tv4
8.  x1 = -Z / 2 - tv5
9.  x2 = -Z / 2 + tv5
10. x3 = Z - 4 * g(Z) * (tv2^2 * tv3)^2 / (3 * Z^2 + 4 * A)
11. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1))
12. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2))
13. Else set x = x3 and y = sqrt(g(x3))
14. If sgn0(u) != sgn0(y), set y = -y
15. return (x, y)
The following procedure implements the Shallue and van de Woestijne method in a straight-line fashion.¶
map_to_curve_svdw(u)

Input: u, an element of F.
Output: (x, y), a point on E.

Constants:
1. c1 = g(Z)
2. c2 = -Z / 2
3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A))    # sgn0(c3) MUST equal 1
4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A)

Steps:
1.  tv1 = u^2
2.  tv1 = tv1 * c1
3.  tv2 = 1 + tv1
4.  tv1 = 1 - tv1
5.  tv3 = tv1 * tv2
6.  tv3 = inv0(tv3)
7.  tv4 = u * tv1
8.  tv4 = tv4 * tv3
9.  tv4 = tv4 * c3
10. x1 = c2 - tv4
11. gx1 = x1^2
12. gx1 = gx1 + A
13. gx1 = gx1 * x1
14. gx1 = gx1 + B
15. e1 = is_square(gx1)
16. x2 = c2 + tv4
17. gx2 = x2^2
18. gx2 = gx2 + A
19. gx2 = gx2 * x2
20. gx2 = gx2 + B
21. e2 = is_square(gx2) AND NOT e1     # Avoid short-circuit logic ops
22. x3 = tv2^2
23. x3 = x3 * tv3
24. x3 = x3^2
25. x3 = x3 * c4
26. x3 = x3 + Z
27. x = CMOV(x3, x1, e1)       # x = x1 if gx1 is square, else x = x3
28. x = CMOV(x, x2, e2)        # x = x2 if gx2 is square and gx1 is not
29. gx = x^2
30. gx = gx + A
31. gx = gx * x
32. gx = gx + B
33. y = sqrt(gx)
34. e3 = sgn0(u) == sgn0(y)
35. y = CMOV(-y, y, e3)        # Select correct sign of y
36. return (x, y)
The function map_to_curve_simple_swu(u) implements a simplification of the Shallue-van de Woestijne-Ulas mapping [U07] described by Brier et al. [BCIMRT10], which they call the "simplified SWU" map. Wahby and Boneh [WB19] generalize and optimize this mapping.¶
Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.¶
Constants:¶
Z, an element of F meeting the below criteria. Appendix E.2 gives a Sage [SAGE] script that outputs the RECOMMENDED Z. The criteria are:¶
Sign of y: Inputs u and -u give the same x-coordinate. Thus, we set sgn0(y) == sgn0(u).¶
Exceptions: The exceptional cases are values of u such that Z^2 * u^4 + Z * u^2 == 0. This includes u == 0, and may include other values depending on Z. Implementations must detect this case and set x1 = B / (Z * A), which guarantees that g(x1) is square by the condition on Z given above.¶
Operations:¶
1. tv1 = inv0(Z^2 * u^4 + Z * u^2)
2. x1 = (-B / A) * (1 + tv1)
3. If tv1 == 0, set x1 = B / (Z * A)
4. gx1 = x1^3 + A * x1 + B
5. x2 = Z * u^2 * x1
6. gx2 = x2^3 + A * x2 + B
7. If is_square(gx1), set x = x1 and y = sqrt(gx1)
8. Else set x = x2 and y = sqrt(gx2)
9. If sgn0(u) != sgn0(y), set y = -y
10. return (x, y)
The following procedure implements the simplified SWU mapping in a straight-line fashion. Appendix D gives an optimized straight-line procedure for P-256 [FIPS186-4]. For more information on optimizing this mapping, see [WB19] Section 4 or the example code found at [hash2curve-repo].¶
map_to_curve_simple_swu(u)

Input: u, an element of F.
Output: (x, y), a point on E.

Constants:
1. c1 = -B / A
2. c2 = -1 / Z

Steps:
1. tv1 = Z * u^2
2. tv2 = tv1^2
3. x1 = tv1 + tv2
4. x1 = inv0(x1)
5. e1 = x1 == 0
6. x1 = x1 + 1
7. x1 = CMOV(x1, c2, e1)    # If (tv1 + tv2) == 0, set x1 = -1 / Z
8. x1 = x1 * c1             # x1 = (-B / A) * (1 + (1 / (Z^2 * u^4 + Z * u^2)))
9. gx1 = x1^2
10. gx1 = gx1 + A
11. gx1 = gx1 * x1
12. gx1 = gx1 + B            # gx1 = g(x1) = x1^3 + A * x1 + B
13. x2 = tv1 * x1            # x2 = Z * u^2 * x1
14. tv2 = tv1 * tv2
15. gx2 = gx1 * tv2          # gx2 = (Z * u^2)^3 * gx1
16. e2 = is_square(gx1)
17. x = CMOV(x2, x1, e2)     # If is_square(gx1), x = x1, else x = x2
18. y2 = CMOV(gx2, gx1, e2)  # If is_square(gx1), y2 = gx1, else y2 = gx2
19. y = sqrt(y2)
20. e3 = sgn0(u) == sgn0(y)  # Fix sign of y
21. y = CMOV(-y, y, e3)
22. return (x, y)
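The straight-line simplified SWU procedure instantiated for NIST P-256, as an added example that is not code from the draft or its repository; it also enumerates and exercises the exceptional inputs described above. Assumptions: Z = -10 and a parity-based sgn0 returning +1 or -1 are not defined in this part of the document, and Python integers give no constant-time guarantee.

```python
# Added example: simplified SWU on NIST P-256 (not the draft's own code).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1      # P-256 field prime, P % 4 == 3
A = P - 3                                     # A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Z = P - 10                                    # assumption: Z = -10 for P-256


def inv0(x):
    """Inverse in GF(P) by Fermat exponentiation; inv0(0) == 0."""
    return pow(x, P - 2, P)


def is_square(x):
    """Euler criterion; zero counts as a square."""
    return pow(x, (P - 1) // 2, P) in (0, 1)


def sqrt(x):
    """Square root for P = 3 (mod 4); only meaningful when x is a square."""
    return pow(x, (P + 1) // 4, P)


def sgn0(x):
    """Assumed sign function: +1 for even representatives (and 0), -1 for odd."""
    return 1 - 2 * (x % 2)


def cmov(a, b, c):
    """Return b if c else a (a real implementation must do this branch-free)."""
    return b if c else a


def g(x):
    return (x * x * x + A * x + B) % P


def is_on_curve(x, y):
    return y * y % P == g(x)


C1 = (-B * inv0(A)) % P     # c1 = -B / A
C2 = (-inv0(Z)) % P         # c2 = -1 / Z


def map_to_curve_simple_swu(u):
    """Steps 1-22 of the straight-line procedure, with explicit reductions."""
    u %= P
    tv1 = Z * u * u % P
    tv2 = tv1 * tv1 % P
    x1 = inv0((tv1 + tv2) % P)
    e1 = x1 == 0                      # exceptional input: Z^2*u^4 + Z*u^2 == 0
    x1 = (x1 + 1) % P
    x1 = cmov(x1, C2, e1)
    x1 = x1 * C1 % P                  # exceptional case yields B / (Z * A)
    gx1 = g(x1)
    x2 = tv1 * x1 % P
    tv2 = tv1 * tv2 % P
    gx2 = gx1 * tv2 % P               # g(x2) = (Z * u^2)^3 * g(x1)
    e2 = is_square(gx1)
    x = cmov(x2, x1, e2)
    y2 = cmov(gx2, gx1, e2)
    y = sqrt(y2)
    e3 = sgn0(u) == sgn0(y)
    y = cmov((-y) % P, y, e3)
    return x, y


def exceptional_inputs():
    """All u with Z^2*u^4 + Z*u^2 == 0: u == 0, plus +-sqrt(-1/Z) if that exists."""
    out = [0]
    if is_square(C2):
        r = sqrt(C2)
        out += [r, P - r]
    return out
```

For this Z the exceptional set has three elements, not just u == 0, and all three land on x = B / (Z * A).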
Wahby and Boneh [WB19] show how to adapt the simplified SWU mapping to Weierstrass curves having A == 0 or B == 0, which the mapping of Section 6.6.2 does not support. (The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)¶
This method applies to curves like secp256k1 [SEC2] and to pairing-friendly curves in the Barreto-Lynn-Scott [BLS03], Barreto-Naehrig [BN05], and other families.¶
This method requires finding another elliptic curve E' given by the equation¶
y'^2 = g'(x') = x'^3 + A' * x' + B'¶
that is isogenous to E and has A' != 0 and B' != 0. (One might do this, for example, using [SAGE]; for details, see [WB19], Appendix A.) This isogeny defines a map iso_map(x', y') that takes as input a point on E' and produces as output a point on E.¶
Once E' and iso_map are identified, this mapping works as follows: on input u, first apply the simplified SWU mapping to get a point on E', then apply the isogeny map to that point to get a point on E.¶
Note that iso_map is a group homomorphism, meaning that point addition commutes with iso_map. Thus, when using this mapping in the hash_to_curve construction of Section 3, one can effect a small optimization by first mapping u0 and u1 to E', adding the resulting points on E', and then applying iso_map to the sum. This gives the same result while requiring only one evaluation of iso_map.¶
Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that is isogenous to the target curve E with isogeny map iso_map from E' to E.¶
Helper functions:¶
Sign of y: for this map, the sign is determined by map_to_curve_simple_swu. No further sign adjustments are necessary.¶
Exceptions: map_to_curve_simple_swu handles its exceptional cases. Exceptional cases of iso_map MUST return the identity point on E.¶
Operations:¶
1. (x', y') = map_to_curve_simple_swu(u)    # (x', y') is on E'
2. (x, y) = iso_map(x', y')                 # (x, y) is on E
3. return (x, y)
See [hash2curve-repo] or [WB19], Section 4.3 for details on implementing the isogeny map.¶
The mapping defined in this section applies to a target curve M defined by the equation¶
K * t^2 = s^3 + J * s^2 + s¶
Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where J != 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.¶
Constants:¶
Sign of t: Inputs u and -u give the same s-coordinate. Thus, we set sgn0(t) == sgn0(u).¶
Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^2 == 0. Implementations must detect this case and set x1 = -(J / K). Note that this can only happen when q = 3 (mod 4).¶
Operations:¶
1. x1 = -(J / K) * inv0(1 + Z * u^2)
2. If x1 == 0, set x1 = -(J / K)
3. gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
4. x2 = -x1 - (J / K)
5. gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2
6. If is_square(gx1), set x = x1 and y = sqrt(gx1)
7. Else set x = x2 and y = sqrt(gx2)
8. s = x * K
9. t = y * K
10. If sgn0(u) != sgn0(t), set t = -t
11. return (s, t)
The following procedure implements Elligator 2 in a straight-line fashion. Appendix D gives optimized straight-line procedures for curve25519 and curve448 [RFC7748].¶
map_to_curve_elligator2(u)

Input: u, an element of F.
Output: (s, t), a point on M.

Constants:
1. c1 = J / K
2. c2 = 1 / K^2

Steps:
1. tv1 = u^2
2. tv1 = Z * tv1             # Z * u^2
3. e1 = tv1 == -1            # exceptional case: Z * u^2 == -1
4. tv1 = CMOV(tv1, 0, e1)    # if tv1 == -1, set tv1 = 0
5. x1 = tv1 + 1
6. x1 = inv0(x1)
7. x1 = -c1 * x1             # x1 = -(J / K) / (1 + Z * u^2)
8. gx1 = x1 + c1
9. gx1 = gx1 * x1
10. gx1 = gx1 + c2
11. gx1 = gx1 * x1            # gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
12. x2 = -x1 - c1
13. gx2 = tv1 * gx1
14. e2 = is_square(gx1)
15. x = CMOV(x2, x1, e2)      # If is_square(gx1), x = x1, else x = x2
16. y2 = CMOV(gx2, gx1, e2)   # If is_square(gx1), y2 = gx1, else y2 = gx2
17. y = sqrt(y2)
18. s = x * K
19. t = y * K
20. e3 = sgn0(u) == sgn0(t)   # Fix sign of t
21. t = CMOV(-t, t, e3)
22. return (s, t)
Twisted Edwards curves (a class of curves that includes Edwards curves) are given by the equation¶
a * v^2 + w^2 = 1 + d * v^2 * w^2¶
with a != 0, d != 0, and a != d [BBJLP08].¶
These curves are closely related to Montgomery curves (Section 6.7): every twisted Edwards curve is birationally equivalent to a Montgomery curve ([BBJLP08], Theorem 3.2). This equivalence yields an efficient way of hashing to a twisted Edwards curve: first, hash to an equivalent Montgomery curve, then transform the result into a point on the twisted Edwards curve via a rational map. This method of hashing to a twisted Edwards curve thus requires identifying a corresponding Montgomery curve and rational map. We describe how to identify such a curve and map immediately below.¶
There are two ways to identify the correct Montgomery curve and rational map for use when hashing to a given twisted Edwards curve.¶
When hashing to a standardized twisted Edwards curve for which a corresponding Montgomery form and rational map are also standardized, the standard Montgomery form and rational map MUST be used to ensure compatibility with existing software. Two such standardized curves are the edwards25519 and edwards448 curves, which correspond to the Montgomery curves curve25519 and curve448, respectively. For both of these curves, [RFC7748] lists both the Montgomery and twisted Edwards forms and gives the corresponding rational maps.¶
The rational map for edwards25519 ([RFC7748], Section 4.1) uses the constant sqrt_neg_486664 = sqrt(-486664) (mod 2^255 - 19). To ensure compatibility, this constant MUST be chosen such that sgn0(sqrt_neg_486664) == 1. Analogous ambiguities in other standardized rational maps MUST be resolved in the same way: for any constant k whose sign is ambiguous, k MUST be chosen such that sgn0(k) == 1.¶
The 4-isogeny map from curve448 to edwards448 ([RFC7748], Section 4.2) is unambiguous with respect to sign.¶
When defining new twisted Edwards curves, a Montgomery equivalent and rational map SHOULD be specified, and the sign of the rational map SHOULD be stated unambiguously.¶
When hashing to a twisted Edwards curve that does not have a standardized Montgomery form or rational map, the following procedure MUST be used to derive them. For a twisted Edwards curve given by¶
a * v^2 + w^2 = 1 + d * v^2 * w^2¶
first compute J and K, the parameters of the equivalent Montgomery curve given by¶
K * t^2 = s^3 + J * s^2 + s¶
as follows:¶
Note that this curve has the form required by the Elligator 2 mapping of Section 6.7.1. The rational map from the point (s, t) on this Montgomery curve to the point (v, w) on the twisted Edwards curve is given by¶
(For completeness, we give the inverse map in Appendix B.1. Note that the inverse map is not used when hashing to a twisted Edwards curve.)¶
Rational maps may be undefined on certain inputs, e.g., when the denominator of one of the rational functions is zero. In the map described above, the exceptional cases are t == 0 or s == -1. Implementations MUST detect exceptional cases and return the value (v, w) = (0, 1), which is the identity point on all twisted Edwards curves.¶
The following straight-line implementation of the above rational map handles the exceptional cases. Implementations of other rational maps (e.g., the ones given in [RFC7748]) are analogous.¶
rational_map(s, t)

Input: (s, t), a point on the curve K * t^2 = s^3 + J * s^2 + s.
Output: (v, w), a point on an equivalent twisted Edwards curve.

1. tv1 = s + 1
2. tv2 = tv1 * t        # (s + 1) * t
3. tv2 = inv0(tv2)      # 1 / ((s + 1) * t)
4. v = tv2 * tv1        # 1 / t
5. v = v * s            # s / t
6. w = tv2 * t          # 1 / (s + 1)
7. tv1 = s - 1
8. w = w * tv1          # (s - 1) / (s + 1)
9. e = tv2 == 0
10. w = CMOV(w, 1, e)    # handle exceptional case
11. return (v, w)
Preconditions: A twisted Edwards curve E and an equivalent Montgomery curve M meeting the requirements in Section 6.8.1.¶
Helper functions:¶
Sign of t (and v): for this map, the sign is determined by map_to_curve_elligator2. No further sign adjustments are required.¶
Exceptions: The exceptions for the Elligator 2 mapping are as given in Section 6.7.1. The exceptions for the rational map are as given in Section 6.8.1. No other exceptions are possible.¶
The following procedure implements the Elligator 2 mapping for a twisted Edwards curve. (Note that the output point is denoted (v, w) because it is a point on the target twisted Edwards curve.)¶
map_to_curve_elligator2_edwards(u)

Input: u, an element of F.
Output: (v, w), a point on E.

1. (s, t) = map_to_curve_elligator2(u)    # (s, t) is on M
2. (v, w) = rational_map(s, t)            # (v, w) is on E
3. return (v, w)
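Elligator 2 followed by the rational map, instantiated for curve25519 and edwards25519, as an added example that is not code from the draft or its repository. Assumptions: J = 486662, K = 1 and Z = 2 are taken from the optimized curve25519 procedure and [RFC7748], the rational map is the [RFC7748] one (the generic map above with v scaled by sqrt(-486664)), and sgn0 is a parity-based function returning +1 or -1.

```python
# Added example: Elligator 2 to curve25519, then the rational map to edwards25519.
P = 2**255 - 19                       # field prime, P % 8 == 5
J, K, Z = 486662, 1, 2                # curve25519: K * t^2 = s^3 + J * s^2 + s
SQRT_M1 = pow(2, (P - 1) // 4, P)     # a square root of -1 (2 is non-square mod P)
D = (-121665 * pow(121666, P - 2, P)) % P   # edwards25519: -v^2 + w^2 = 1 + D*v^2*w^2


def inv0(x):
    """Inverse in GF(P) by Fermat exponentiation; inv0(0) == 0."""
    return pow(x, P - 2, P)


def is_square(x):
    return pow(x, (P - 1) // 2, P) in (0, 1)


def sqrt(x):
    """Square root for P = 5 (mod 8); only meaningful when x is a square."""
    x %= P
    r = pow(x, (P + 3) // 8, P)
    return r if r * r % P == x else r * SQRT_M1 % P


def sgn0(x):
    """Assumed sign function: +1 for even representatives (and 0), -1 for odd."""
    return 1 - 2 * (x % 2)


def cmov(a, b, c):
    """Return b if c else a (a real implementation must do this branch-free)."""
    return b if c else a


C1 = J * inv0(K) % P                  # c1 = J / K
C2 = inv0(K * K % P)                  # c2 = 1 / K^2
SQRT_NEG_486664 = sqrt(-486664)
if sgn0(SQRT_NEG_486664) != 1:        # resolve the sign ambiguity: sgn0 must be 1
    SQRT_NEG_486664 = P - SQRT_NEG_486664


def map_to_curve_elligator2(u):
    """Steps 1-22 of the straight-line Elligator 2 procedure."""
    u %= P
    tv1 = Z * u * u % P
    e1 = tv1 == P - 1                 # Z * u^2 == -1 (cannot occur when P % 4 == 1)
    tv1 = cmov(tv1, 0, e1)
    x1 = inv0((tv1 + 1) % P)
    x1 = -C1 * x1 % P
    gx1 = (x1 + C1) % P
    gx1 = gx1 * x1 % P
    gx1 = (gx1 + C2) % P
    gx1 = gx1 * x1 % P
    x2 = (-x1 - C1) % P
    gx2 = tv1 * gx1 % P
    e2 = is_square(gx1)
    x = cmov(x2, x1, e2)
    y2 = cmov(gx2, gx1, e2)
    y = sqrt(y2)
    s = x * K % P
    t = y * K % P
    e3 = sgn0(u) == sgn0(t)
    t = cmov((-t) % P, t, e3)
    return s, t


def rational_map(s, t):
    """Montgomery (s, t) to Edwards (v, w); t == 0 or s == -1 gives (0, 1)."""
    tv1 = (s + 1) % P
    tv2 = inv0(tv1 * t % P)
    v = tv2 * tv1 % P * s % P         # s / t, or 0 in the exceptional case
    w = tv2 * t % P * ((s - 1) % P) % P
    w = cmov(w, 1, tv2 == 0)
    return v * SQRT_NEG_486664 % P, w


def map_to_curve_elligator2_edwards(u):
    return rational_map(*map_to_curve_elligator2(u))


def on_montgomery(s, t):
    return K * t * t % P == (s * s * s + J * s * s + s) % P


def on_edwards(v, w):
    return (w * w - v * v) % P == (1 + D * v * v % P * w * w) % P
```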
The mappings of Section 6 always output a point on the elliptic curve, i.e., a point in a group of order h * r (Section 2.1). Obtaining a point in G may require a final operation commonly called "clearing the cofactor," which takes as input any point on the curve.¶
The cofactor can always be cleared via scalar multiplication by h. For elliptic curves where h = 1, i.e., the curves with a prime number of points, no operation is required. This applies, for example, to the NIST curves P-256, P-384, and P-521 [FIPS186-4].¶
In some cases, it is possible to clear the cofactor via a faster method than scalar multiplication by h. These methods are equivalent to (but usually faster than) multiplication by some scalar h_eff whose value is determined by the method and the curve. Examples of fast cofactor clearing methods include the following:¶
The clear_cofactor function is parameterized by a scalar h_eff. Specifically,¶
clear_cofactor(P) := h_eff * P¶
where * represents scalar multiplication. When a curve does not support a fast cofactor clearing method, h_eff = h and the cofactor MUST be cleared via scalar multiplication.¶
When a curve admits a fast cofactor clearing method, clear_cofactor MAY be evaluated either via that method or via scalar multiplication by the equivalent h_eff; these two methods give the same result. Note that in this case scalar multiplication by the cofactor h does not generally give the same result as the fast method, and SHOULD NOT be used.¶
This section lists recommended suites for hashing to standard elliptic curves.¶
A suite fully specifies the procedure for hashing byte strings to points on a specific elliptic curve group. Each suite comprises the following parameters:¶
In addition to the above parameters, the mapping f may require additional parameters Z, M, rational_map, E', and/or iso_map. These MUST be specified when applicable.¶
All applications MUST choose a domain separation tag (DST) in accordance with the guidelines in Section 3.1. In addition, applications whose security requires a random oracle that returns points on the target curve MUST use a suite whose encoding type is hash_to_curve (Section 3); see Section 8.9.¶
The below table lists the curves for which suites are defined and the subsection that gives the corresponding parameters.¶
E | Section |
---|---|
NIST P-256 | Section 8.1 |
NIST P-384 | Section 8.2 |
NIST P-521 | Section 8.3 |
curve25519 / edwards25519 | Section 8.4 |
curve448 / edwards448 | Section 8.5 |
secp256k1 | Section 8.6 |
BLS12-381 | Section 8.7 |
This section defines ciphersuites for the NIST P-256 elliptic curve [FIPS186-4].¶
P256_XMD:SHA-256_SSWU_RO_ is defined as follows:¶
E: y^2 = x^3 + A * x + B, where¶
P256_XMD:SHA-256_SVDW_RO_ is identical to P256_XMD:SHA-256_SSWU_RO_, except for the following parameters:¶
P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
P256_XMD:SHA-256_SVDW_NU_ is identical to P256_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
An optimized example implementation of the Simplified SWU mapping to P-256 is given in Appendix D.2.¶
This section defines ciphersuites for the NIST P-384 elliptic curve [FIPS186-4].¶
P384_XMD:SHA-512_SSWU_RO_ is defined as follows:¶
E: y^2 = x^3 + A * x + B, where¶
P384_XMD:SHA-512_SVDW_RO_ is identical to P384_XMD:SHA-512_SSWU_RO_, except for the following parameters:¶
P384_XMD:SHA-512_SSWU_NU_ is identical to P384_XMD:SHA-512_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
P384_XMD:SHA-512_SVDW_NU_ is identical to P384_XMD:SHA-512_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
An optimized example implementation of the Simplified SWU mapping to P-384 is given in Appendix D.2.¶
This section defines ciphersuites for the NIST P-521 elliptic curve [FIPS186-4].¶
P521_XMD:SHA-512_SSWU_RO_ is defined as follows:¶
E: y^2 = x^3 + A * x + B, where¶
P521_XMD:SHA-512_SVDW_RO_ is identical to P521_XMD:SHA-512_SSWU_RO_, except for the following parameters:¶
P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
P521_XMD:SHA-512_SVDW_NU_ is identical to P521_XMD:SHA-512_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
An optimized example implementation of the Simplified SWU mapping to P-521 is given in Appendix D.2.¶
This section defines ciphersuites for curve25519 and edwards25519 [RFC7748].¶
curve25519_XMD:SHA-256_ELL2_RO_ is defined as follows:¶
E: K * t^2 = s^3 + J * s^2 + s, where¶
edwards25519_XMD:SHA-256_ELL2_RO_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except for the following parameters:¶
E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where¶
curve25519_XMD:SHA-256_ELL2_NU_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).¶
edwards25519_XMD:SHA-256_ELL2_NU_ is identical to edwards25519_XMD:SHA-256_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).¶
curve25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA-256_ELL2_RO_, except that H is SHA-512.¶
curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-256_ELL2_NU_, except that H is SHA-512.¶
edwards25519_XMD:SHA-512_ELL2_RO_ is identical to edwards25519_XMD:SHA-256_ELL2_RO_, except that H is SHA-512.¶
edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SHA-256_ELL2_NU_, except that H is SHA-512.¶
Optimized example implementations of the above mappings are given in Appendix D.3 and Appendix D.4.¶
This section defines ciphersuites for curve448 and edwards448 [RFC7748].¶
curve448_XMD:SHA-512_ELL2_RO_ is defined as follows:¶
E: K * t^2 = s^3 + J * s^2 + s, where¶
edwards448_XMD:SHA-512_ELL2_RO_ is identical to curve448_XMD:SHA-512_ELL2_RO_, except for the following parameters:¶
E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where¶
curve448_XMD:SHA-512_ELL2_NU_ is identical to curve448_XMD:SHA-512_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).¶
edwards448_XMD:SHA-512_ELL2_NU_ is identical to edwards448_XMD:SHA-512_ELL2_RO_, except that the encoding type is encode_to_curve (Section 3).¶
Optimized example implementations of the above mappings are given in Appendix D.5 and Appendix D.6.¶
This section defines ciphersuites for the secp256k1 elliptic curve [SEC2].¶
secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:¶
E': y'^2 = x'^3 + A' * x' + B', where¶
secp256k1_XMD:SHA-256_SVDW_RO_ is identical to secp256k1_XMD:SHA-256_SSWU_RO_, except for the following parameters:¶
secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
secp256k1_XMD:SHA-256_SVDW_NU_ is identical to secp256k1_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
An optimized example implementation of the Simplified SWU mapping to the curve E' isogenous to secp256k1 is given in Appendix D.2.¶
This section defines ciphersuites for groups G1 and G2 of the BLS12-381 elliptic curve [BLS12-381].¶
BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:¶
E': y'^2 = x'^3 + A' * x' + B', where¶
BLS12381G1_XMD:SHA-256_SVDW_RO_ is identical to BLS12381G1_XMD:SHA-256_SSWU_RO_, except for the following parameters:¶
BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
BLS12381G1_XMD:SHA-256_SVDW_NU_ is identical to BLS12381G1_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
Note that the h_eff values for these suites are chosen for compatibility with the fast cofactor clearing method described by Scott ([WB19] Section 5).¶
An optimized example implementation of the Simplified SWU mapping to the curve E' isogenous to BLS12-381 G1 is given in Appendix D.2.¶
BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:¶
base field F is GF(p^m), where¶
E': y'^2 = x'^3 + A' * x' + B', where¶
BLS12381G2_XMD:SHA-256_SVDW_RO_ is identical to BLS12381G2_XMD:SHA-256_SSWU_RO_, except for the following parameters:¶
BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA-256_SSWU_RO_, except that the encoding type is encode_to_curve (Section 3).¶
BLS12381G2_XMD:SHA-256_SVDW_NU_ is identical to BLS12381G2_XMD:SHA-256_SVDW_RO_, except that the encoding type is encode_to_curve (Section 3).¶
Note that the h_eff values for these suites are chosen for compatibility with the fast cofactor clearing method described by Budroni and Pintore ([BP17], Section 4.1).¶
The RECOMMENDED way to define a new hash-to-curve suite is:¶
When hashing to an elliptic curve not listed in this section, corresponding hash-to-curve suites SHOULD be fully specified as described above.¶
Suite IDs MUST be constructed as follows:¶
CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_"¶
The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are ASCII-encoded strings of at most 64 characters each. Fields MUST contain only ASCII characters between 0x21 and 0x7E (inclusive) other than underscore (i.e., 0x5f).¶
As indicated above, each field (including the last) is followed by an underscore ("_", ASCII 0x5f). This helps to ensure that Suite IDs are prefix free. Suite IDs MUST include the final underscore and MUST NOT include any characters after the final underscore.¶
Suite ID fields MUST be chosen as follows:¶
HASH_ID: a human-readable representation of the expand_message function and any underlying hash primitives used in hash_to_field (Section 5). This field MUST be constructed as follows:¶
EXP_TAG || ":" || HASH_NAME¶
EXP_TAG indicates the expand_message variant:¶
HASH_NAME is a human-readable name for the underlying hash primitive. As examples:¶
MAP_ID: a human-readable representation of the map_to_curve function as defined in Section 6. These are defined as follows:¶
ENC_VAR: a string indicating the encoding type and other information. The first two characters of this string indicate whether the suite represents a hash_to_curve or an encode_to_curve operation (Section 3), as follows:¶
ENC_VAR MAY also be used to encode other information used to identify variants, for example, a version number. The RECOMMENDED way to do so is to add one or more subfields separated by colons. For example, "RO:V02" is an appropriate ENC_VAR value for the second version of a random-oracle suite, while "RO:V02:FOO01:BAR17" might be used to indicate a variant of that suite.¶
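A validator and builder for the Suite ID format described above, as an added example that is not code from the draft. The ENC_VAR prefixes RO and NU are taken from the suite names in Section 8; rejecting empty fields is an assumption of this example, since the text only gives the 64-character upper bound.

```python
import re

# Printable ASCII 0x21..0x7E except underscore (0x5f), 1 to 64 characters.
# Assumption: empty fields are rejected (the text only states the upper bound).
FIELD_RE = re.compile(r"[\x21-\x5e\x60-\x7e]{1,64}")
FIELD_NAMES = ("CURVE_ID", "HASH_ID", "MAP_ID", "ENC_VAR")
ENCODINGS = {"RO": "hash_to_curve", "NU": "encode_to_curve"}


def parse_suite_id(suite_id):
    """Split a Suite ID into its parts, raising ValueError if it is malformed."""
    if not suite_id.endswith("_"):
        raise ValueError("Suite ID must end with the final underscore")
    fields = suite_id[:-1].split("_")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("expected 4 underscore-terminated fields, got %d" % len(fields))
    for name, value in zip(FIELD_NAMES, fields):
        if not FIELD_RE.fullmatch(value):
            raise ValueError("%s is empty, too long, or has a forbidden character" % name)
    curve_id, hash_id, map_id, enc_var = fields

    # HASH_ID = EXP_TAG || ":" || HASH_NAME
    exp_tag, colon, hash_name = hash_id.partition(":")
    if not (exp_tag and colon and hash_name):
        raise ValueError("HASH_ID must be EXP_TAG ':' HASH_NAME")

    # The first two characters of ENC_VAR select the encoding type; anything
    # after them is optional variant information, colon-separated by convention.
    if enc_var[:2] not in ENCODINGS:
        raise ValueError("ENC_VAR must start with RO or NU")
    subfields = [s for s in enc_var[2:].split(":") if s]

    return {
        "curve_id": curve_id,
        "exp_tag": exp_tag,
        "hash_name": hash_name,
        "map_id": map_id,
        "encoding": ENCODINGS[enc_var[:2]],
        "subfields": subfields,
    }


def build_suite_id(curve_id, exp_tag, hash_name, map_id, enc_var):
    """Assemble a Suite ID and validate it before returning it."""
    suite_id = "_".join([curve_id, exp_tag + ":" + hash_name, map_id, enc_var]) + "_"
    parse_suite_id(suite_id)
    return suite_id


def is_valid_suite_id(suite_id):
    try:
        parse_suite_id(suite_id)
        return True
    except ValueError:
        return False
```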
This document has no IANA actions.¶
When constant-time implementations are required, all basic operations and utility functions must be implemented in constant time, as discussed in Section 4. In some applications (e.g., embedded systems), leakage through other side channels (e.g., power or electromagnetic side channels) may be pertinent. Defending against such leakage is outside the scope of this document, because the nature of the leakage and the appropriate defense depends on the protocol from which a hash-to-curve function is invoked.¶
Section 3.1 describes considerations related to domain separation.¶
Section 5 describes considerations for uniformly hashing to field elements; see Section 10.1 and Section 10.2 for further discussion.¶
Each encoding variant (Section 3) accepts an arbitrary byte string and maps it to a pseudorandom point on the curve. Note, however, that directly evaluating the mappings of Section 6 produces an output that is distinguishable from random.¶
When the hash_to_curve function (Section 3) is instantiated with a hash_to_field function that is indifferentiable from a random oracle (Section 5), the resulting function is indifferentiable from a random oracle ([FFSTV13], [LBB19], [MRH04]). In most cases such a function can be safely used in protocols whose security analysis assumes a random oracle that outputs points on an elliptic curve. As Ristenpart et al. discuss in [RSS11], however, not all security proofs that rely on random oracles continue to hold when those oracles are replaced by indifferentiable functionalities. This limitation should be considered when analyzing the security of protocols relying on the hash_to_curve function.¶
When hashing passwords using any function described in this document, an adversary who learns the output of the hash function (or potentially any intermediate value, e.g., the output of hash_to_field) may be able to carry out a dictionary attack. To mitigate such attacks, it is recommended to first execute a more costly key derivation function (e.g., PBKDF2 [RFC2898] or scrypt [RFC7914]) on the password, then hash the output of that function to the target elliptic curve. For collision resistance, the hash underlying the key derivation function should be chosen according to the guidelines listed in Section 5.3.¶
The hash_to_field function defined in Section 5 is indifferentiable from a random oracle [MRH04] when expand_message (Section 5.3) is modeled as a random oracle. By composability of indifferentiability proofs, this also holds when expand_message is proved indifferentiable from a random oracle relative to an underlying primitive that is modeled as a random oracle. When following the guidelines in Section 5.3, both variants of expand_message defined in that section meet this requirement (see also Section 10.2).¶
We very briefly sketch the indifferentiability argument for hash_to_field. Notice that each integer mod p that hash_to_field returns (i.e., each element of the vector representation of F) is a member of an equivalence class of roughly 2^k integers of length log2(p) + k bits, all of which are equal modulo p. For each integer mod p that hash_to_field returns, the simulator samples one member of this equivalence class at random and outputs the byte string returned by I2OSP. (Notice that this is essentially the inverse of the hash_to_field procedure.)¶
Finally, the expand_message variants in this document (Section 5.3) always append the domain separation tag DST to the strings hashed by H, the underlying hash or extensible output function. This means that invocations of H outside of hash_to_field can be separated from those inside of hash_to_field by appending a tag distinct from DST to their inputs. Other expand_message variants that follow the guidelines in Section 5.3.3 are expected to have similar properties, but these should be analyzed on a case-by-case basis.¶
The expand_message_xmd function defined in Section 5.3.1 is indifferentiable from a random oracle [MRH04] when one of the following holds:¶
For cases (1) and (2), the indifferentiability of expand_message_xmd follows directly from the indifferentiability of H.¶
For case (3), i.e., for H a Merkle-Damgaard hash function, indifferentiability follows from [CDMP05], Theorem 3.5. In particular, expand_message_xmd computes b_0 by prepending one block of 0-bytes to the message and auxiliary information (length, counter, and DST). Then, each of the output blocks b_i, i >= 1 in expand_message_xmd is the result of invoking H on a unique, prefix-free encoding of b_0. This is true, first, because the length of the input to all such invocations is equal and fixed by the choice of H and DST, and second, because each such input has a unique suffix (because of the inclusion of the counter byte I2OSP(i, 1)).¶
The essential difference between the construction of [CDMP05] and expand_message_xmd is that the latter hashes a counter appended to strxor(b_0, b_(i - 1)) (step 9) rather than to b_0. This approach increases the Hamming distance between inputs to different invocations of H, which reduces the likelihood that nonidealities in H affect the distribution of the b_i values.¶
The authors would like to thank Adam Langley for his detailed writeup of Elligator 2 with Curve25519 [L13]; Dan Boneh, Christopher Patton, and Benjamin Lipp for educational discussions; and Sean Devlin, Justin Drake, Dan Harkins, Thomas Icart, Andy Polyakov, Leonid Reyzin, Michael Scott, and Mathy Vanhoef for helpful feedback.¶
This section gives several useful rational maps.¶
This section gives a generic birational map between twisted Edwards and Montgomery curves. This birational map comprises the rational map specified in Section 6.8.1 and its inverse.¶
The twisted Edwards curve¶
a * v^2 + w^2 = 1 + d * v^2 * w^2¶
is birationally equivalent to the Montgomery curve¶
K * t^2 = s^3 + J * s^2 + s¶
by the following mappings ([BBJLP08], Theorem 3.2). To convert from twisted Edwards to Montgomery form, the mapping is¶
This mapping is defined when a != d, which is guaranteed by the definition of twisted Edwards curves. The mapping is undefined when v == 0 or w == 1. If (v, w) == (0, -1), return the point (s, t) = (0, 0). For all other undefined inputs, return the identity point on the Montgomery curve. (This follows from [BBJLP08], Section 3.)¶
To convert from Montgomery to twisted Edwards form, the mapping is¶
This mapping is defined when J != 2, J != -2, and K != 0; all Montgomery curves meet these criteria. The mapping is undefined when t == 0 or s == -1. If (s, t) == (0, 0), return the point (v, w) = (0, -1). For all other undefined inputs, return the identity point on the twisted Edwards curve, namely, (v, w) = (0, 1). (This follows from [BBJLP08], Section 3.)¶
(Note that Section 6.8.1 gives a simpler rule for handling undefined inputs to this rational map: always return the identity point. The simpler rule gives the same result when used as part of an encoding function (Section 3), because the cofactor clearing step will always map the point (v, w) = (0, -1) to the identity point.)¶
Composing the mapping of this section with the mapping from Montgomery to Weierstrass curves in Appendix B.2 yields a mapping from twisted Edwards curves to Weierstrass curves, which is the form required by the mappings in Section 6.6. This composition of mappings can be used to apply the Shallue-van de Woestijne (Section 6.6.1) or Simplified SWU (Section 6.6.2) method to twisted Edwards curves.¶
The rational map from the point (s, t) on the Montgomery curve¶
K * t^2 = s^3 + J * s^2 + s¶
to the point (x, y) on the equivalent Weierstrass curve¶
y^2 = x^3 + A * x + B¶
is given by:¶
The inverse map, from the point (x, y) to the point (s, t), is given by¶
This mapping can be used to apply the Shallue-van de Woestijne (Section 6.6.1) or Simplified SWU (Section 6.6.2) method to Montgomery curves.¶
This section specifies the isogeny maps for the secp256k1 and BLS12-381 suites listed in Section 8.¶
These maps are given in terms of affine coordinates. Wahby and Boneh ([WB19], Section 4.3) show how to evaluate these maps in a projective coordinate system (Appendix D.1), which avoids modular inversions.¶
Refer to the draft repository [hash2curve-repo] for a Sage [SAGE] script that constructs these isogenies.¶
This section specifies the isogeny map for the secp256k1 suite listed in Section 8.6.¶
The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:¶
The constants used to compute x_num are as follows:¶
The constants used to compute x_den are as follows:¶
The constants used to compute y_num are as follows:¶
The constants used to compute y_den are as follows:¶
The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:¶
The constants used to compute x_num are as follows:¶
The constants used to compute x_den are as follows:¶
The constants used to compute y_num are as follows:¶
The constants used to compute y_den are as follows:¶
The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:¶
The constants used to compute x_num are as follows:¶
The constants used to compute x_den are as follows:¶
The constants used to compute y_num are as follows:¶
The constants used to compute y_den are as follows:¶
This section gives sample implementations optimized for some of the elliptic curves listed in Section 8. Sample Sage [SAGE] code for each algorithm can also be found in the draft repository [hash2curve-repo].¶
The sample code in this section uses a different interface than the mappings of Section 6. Specifically, each mapping function in this section has the following signature:¶
(xn, xd, yn, yd) = map_to_curve(u)¶
The resulting point (x, y) is given by (xn / xd, yn / yd).¶
The reason for this modified interface is that it enables further optimizations when working with points in a projective coordinate system. This is desirable, for example, when the resulting point will be immediately multiplied by a scalar, since most scalar multiplication algorithms operate on projective points.¶
The following are two commonly used projective coordinate systems and the corresponding conversions:¶
The following is a straight-line implementation of the Simplified SWU mapping that applies to any curve over GF(p) for p = 3 (mod 4). This includes the ciphersuites for NIST curves P-256, P-384, and P-521 [FIPS186-4] given in Section 8. It also includes the curves isogenous to secp256k1 (Section 8.6) and BLS12-381 G1 (Section 8.7.1).¶
The implementations for these curves differ only in the constants and the base field. The constant definitions below are given in terms of the parameters for the Simplified SWU mapping; for parameter values for the curves listed above, see Section 8.1 (P-256), Section 8.2 (P-384), Section 8.3 (P-521), Section 8.6 (E' isogenous to secp256k1), and Section 8.7.1 (E' isogenous to BLS12-381 G1).¶
    map_to_curve_simple_swu_3mod4(u)

    Input: u, an element of F.
    Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
            point on the target curve.

    Constants: defined per curve; see above.
    1.  c1 = (p - 3) / 4          # Integer arithmetic
    2.  c2 = sqrt(-Z^3)

    Steps:
    1.  tv1 = u^2
    2.  tv3 = Z * tv1
    3.  tv2 = tv3^2
    4.  xd = tv2 + tv3
    5.  x1n = xd + 1
    6.  x1n = x1n * B
    7.  xd = -A * xd
    8.  e1 = xd == 0
    9.  xd = CMOV(xd, Z * A, e1)  # If xd == 0, set xd = Z * A
    10. tv2 = xd^2
    11. gxd = tv2 * xd            # gxd == xd^3
    12. tv2 = A * tv2
    13. gx1 = x1n^2
    14. gx1 = gx1 + tv2           # x1n^2 + A * xd^2
    15. gx1 = gx1 * x1n           # x1n^3 + A * x1n * xd^2
    16. tv2 = B * gxd
    17. gx1 = gx1 + tv2           # x1n^3 + A * x1n * xd^2 + B * xd^3
    18. tv4 = gxd^2
    19. tv2 = gx1 * gxd
    20. tv4 = tv4 * tv2           # gx1 * gxd^3
    21. y1 = tv4^c1               # (gx1 * gxd^3)^((p - 3) / 4)
    22. y1 = y1 * tv2             # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
    23. x2n = tv3 * x1n           # x2 = x2n / xd = Z * u^2 * x1n / xd
    24. y2 = y1 * c2              # y2 = y1 * sqrt(-Z^3)
    25. y2 = y2 * tv1
    26. y2 = y2 * u
    27. tv2 = y1^2
    28. tv2 = tv2 * gxd
    29. e2 = tv2 == gx1
    30. xn = CMOV(x2n, x1n, e2)   # If e2, x = x1, else x = x2
    31. y = CMOV(y2, y1, e2)      # If e2, y = y1, else y = y2
    32. e3 = sgn0(u) == sgn0(y)   # Fix sign of y
    33. y = CMOV(-y, y, e3)
    34. return (xn, xd, y, 1)
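The 34 steps above, written out as runnable Python over the P-256 base field and checked on ordinary and exceptional inputs. This is an added example, not code from the draft or its repository. Assumptions: Z = -10 is the value RFC 9380 lists for P-256, sgn0 is taken to be a parity-based sign returning +1 or -1, and to_affine, to_homogeneous and on_curve are hypothetical helper names.

```python
# Added example: straight-line Simplified SWU for p = 3 (mod 4), instantiated for P-256.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # P-256 base field prime, p = 3 (mod 4)
A = P - 3                                  # curve coefficient A = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Z = P - 10                                 # assumption: Z = -10 (RFC 9380 value for P-256)

C1 = (P - 3) // 4                                # constant c1, integer arithmetic
C2 = pow((-pow(Z, 3, P)) % P, (P + 1) // 4, P)   # constant c2 = sqrt(-Z^3)
assert C2 * C2 % P == (-pow(Z, 3, P)) % P        # only holds when Z is a non-square


def cmov(a, b, c):
    """CMOV(a, b, c): a if c is False, else b. Python ints are NOT constant time."""
    return b if c else a


def sgn0(x):
    """Assumption: parity-based sign, +1 for even and -1 for odd representatives."""
    return 1 if x % 2 == 0 else -1


def map_to_curve_simple_swu_3mod4(u):
    u %= P
    tv1 = u * u % P                       # step 1
    tv3 = Z * tv1 % P                     # step 2
    tv2 = tv3 * tv3 % P                   # step 3
    xd = (tv2 + tv3) % P                  # step 4
    x1n = (xd + 1) * B % P                # steps 5-6
    xd = -A * xd % P                      # step 7
    e1 = xd == 0                          # step 8
    xd = cmov(xd, Z * A % P, e1)          # step 9: exceptional case, avoids 0 denominator
    tv2 = xd * xd % P                     # step 10
    gxd = tv2 * xd % P                    # step 11: xd^3
    tv2 = A * tv2 % P                     # step 12
    gx1 = (x1n * x1n + tv2) * x1n % P     # steps 13-15
    tv2 = B * gxd % P                     # step 16
    gx1 = (gx1 + tv2) % P                 # step 17: numerator of g(x1)
    tv4 = gxd * gxd % P                   # step 18
    tv2 = gx1 * gxd % P                   # step 19
    tv4 = tv4 * tv2 % P                   # step 20: gx1 * gxd^3
    y1 = pow(tv4, C1, P)                  # step 21
    y1 = y1 * tv2 % P                     # step 22: candidate sqrt of g(x1)
    x2n = tv3 * x1n % P                   # step 23
    y2 = y1 * C2 % P * tv1 % P * u % P    # steps 24-26: candidate sqrt of g(x2)
    tv2 = y1 * y1 % P * gxd % P           # steps 27-28
    e2 = tv2 == gx1                       # step 29: is g(x1) square?
    xn = cmov(x2n, x1n, e2)               # step 30
    y = cmov(y2, y1, e2)                  # step 31
    e3 = sgn0(u) == sgn0(y)               # step 32
    y = cmov(-y % P, y, e3)               # step 33
    return xn, xd, y, 1                   # step 34


def to_affine(xn, xd, yn, yd):
    """(x, y) = (xn / xd, yn / yd); costs field inversions."""
    return xn * pow(xd, -1, P) % P, yn * pow(yd, -1, P) % P


def to_homogeneous(xn, xd, yn, yd):
    """Inversion-free conversion to (X : Y : Zc) with x = X / Zc and y = Y / Zc."""
    return xn * yd % P, yn * xd % P, xd * yd % P


def on_curve(x, y):
    return (y * y - (x * x * x + A * x + B)) % P == 0
```

The denominator xd is never zero on return, which is what lets a caller move straight into projective arithmetic without testing for a special case.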
The following is a straight-line implementation of Elligator 2 for curve25519 [RFC7748] as specified in Section 8.4.¶
    map_to_curve_elligator2_curve25519(u)

    Input: u, an element of F.
    Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
            point on curve25519.

    Constants:
    1.  c1 = (p + 3) / 8          # Integer arithmetic
    2.  c2 = 2^c1
    3.  c3 = sqrt(-1)
    4.  c4 = (p - 5) / 8          # Integer arithmetic

    Steps:
    1.  tv1 = u^2
    2.  tv1 = 2 * tv1
    3.  xd = tv1 + 1              # Nonzero: -1 is square (mod p), tv1 is not
    4.  x1n = -486662             # x1 = x1n / xd = -486662 / (1 + 2 * u^2)
    5.  tv2 = xd^2
    6.  gxd = tv2 * xd            # gxd = xd^3
    7.  gx1 = 486662 * xd         # 486662 * xd
    8.  gx1 = gx1 + x1n           # x1n + 486662 * xd
    9.  gx1 = gx1 * x1n           # x1n^2 + 486662 * x1n * xd
    10. gx1 = gx1 + tv2           # x1n^2 + 486662 * x1n * xd + xd^2
    11. gx1 = gx1 * x1n           # x1n^3 + 486662 * x1n^2 * xd + x1n * xd^2
    12. tv3 = gxd^2
    13. tv2 = tv3^2               # gxd^4
    14. tv3 = tv3 * gxd           # gxd^3
    15. tv3 = tv3 * gx1           # gx1 * gxd^3
    16. tv2 = tv2 * tv3           # gx1 * gxd^7
    17. y11 = tv2^c4              # (gx1 * gxd^7)^((p - 5) / 8)
    18. y11 = y11 * tv3           # gx1 * gxd^3 * (gx1 * gxd^7)^((p - 5) / 8)
    19. y12 = y11 * c3
    20. tv2 = y11^2
    21. tv2 = tv2 * gxd
    22. e1 = tv2 == gx1
    23. y1 = CMOV(y12, y11, e1)   # If g(x1) is square, this is its sqrt
    24. x2n = x1n * tv1           # x2 = x2n / xd = 2 * u^2 * x1n / xd
    25. y21 = y11 * u
    26. y21 = y21 * c2
    27. y22 = y21 * c3
    28. gx2 = gx1 * tv1           # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
    29. tv2 = y21^2
    30. tv2 = tv2 * gxd
    31. e2 = tv2 == gx2
    32. y2 = CMOV(y22, y21, e2)   # If g(x2) is square, this is its sqrt
    33. tv2 = y1^2
    34. tv2 = tv2 * gxd
    35. e3 = tv2 == gx1
    36. xn = CMOV(x2n, x1n, e3)   # If e3, x = x1, else x = x2
    37. y = CMOV(y2, y1, e3)      # If e3, y = y1, else y = y2
    38. e4 = sgn0(u) == sgn0(y)   # Fix sign of y
    39. y = CMOV(-y, y, e4)
    40. return (xn, xd, y, 1)
The following is a straight-line implementation of Elligator 2 for edwards25519 [RFC7748] as specified in Section 8.4. The subroutine map_to_curve_elligator2_curve25519 is defined in Appendix D.3.¶
    map_to_curve_elligator2_edwards25519(u)

    Input: u, an element of F.
    Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
            point on edwards25519.

    Constants:
    1.  c1 = sqrt(-486664)        # sgn0(c1) MUST equal 1

    Steps:
    1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
    2.  xn = xMn * yMd
    3.  xn = xn * c1
    4.  xd = xMd * yMn            # xn / xd = c1 * xM / yM
    5.  yn = xMn - xMd
    6.  yd = xMn + xMd            # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
    7.  tv1 = xd * yd
    8.  e = tv1 == 0
    9.  xn = CMOV(xn, 0, e)
    10. xd = CMOV(xd, 1, e)
    11. yn = CMOV(yn, 1, e)
    12. yd = CMOV(yd, 1, e)
    13. return (xn, xd, yn, yd)
The following is a straight-line implementation of Elligator 2 for curve448 [RFC7748] as specified in Section 8.5.¶
    map_to_curve_elligator2_curve448(u)

    Input: u, an element of F.
    Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
            point on curve448.

    Constants:
    1.  c1 = (p - 3) / 4          # Integer arithmetic

    Steps:
    1.  tv1 = u^2
    2.  e1 = tv1 == 1
    3.  tv1 = CMOV(tv1, 0, e1)    # If Z * u^2 == -1, set tv1 = 0
    4.  xd = 1 - tv1
    5.  x1n = -156326
    6.  tv2 = xd^2
    7.  gxd = tv2 * xd            # gxd = xd^3
    8.  gx1 = 156326 * xd         # 156326 * xd
    9.  gx1 = gx1 + x1n           # x1n + 156326 * xd
    10. gx1 = gx1 * x1n           # x1n^2 + 156326 * x1n * xd
    11. gx1 = gx1 + tv2           # x1n^2 + 156326 * x1n * xd + xd^2
    12. gx1 = gx1 * x1n           # x1n^3 + 156326 * x1n^2 * xd + x1n * xd^2
    13. tv3 = gxd^2
    14. tv2 = gx1 * gxd           # gx1 * gxd
    15. tv3 = tv3 * tv2           # gx1 * gxd^3
    16. y1 = tv3^c1               # (gx1 * gxd^3)^((p - 3) / 4)
    17. y1 = y1 * tv2             # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
    18. x2n = -tv1 * x1n          # x2 = x2n / xd = -1 * u^2 * x1n / xd
    19. y2 = y1 * u
    20. y2 = CMOV(y2, 0, e1)
    21. tv2 = y1^2
    22. tv2 = tv2 * gxd
    23. e2 = tv2 == gx1
    24. xn = CMOV(x2n, x1n, e2)   # If e2, x = x1, else x = x2
    25. y = CMOV(y2, y1, e2)      # If e2, y = y1, else y = y2
    26. e3 = sgn0(u) == sgn0(y)   # Fix sign of y
    27. y = CMOV(-y, y, e3)
    28. return (xn, xd, y, 1)
The following is a straight-line implementation of Elligator 2 for edwards448 [RFC7748] as specified in Section 8.5. The subroutine map_to_curve_elligator2_curve448 is defined in Appendix D.5.¶
    map_to_curve_elligator2_edwards448(u)

    Input: u, an element of F.
    Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
            point on edwards448.

    Steps:
    1.  (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
    2.  xn2 = xn^2
    3.  xd2 = xd^2
    4.  xd4 = xd2^2
    5.  yn2 = yn^2
    6.  yd2 = yd^2
    7.  xEn = xn2 - xd2
    8.  tv2 = xEn - xd2
    9.  xEn = xEn * xd2
    10. xEn = xEn * yd
    11. xEn = xEn * yn
    12. xEn = xEn * 4
    13. tv2 = tv2 * xn2
    14. tv2 = tv2 * yd2
    15. tv3 = 4 * yn2
    16. tv1 = tv3 + yd2
    17. tv1 = tv1 * xd4
    18. xEd = tv1 + tv2
    19. tv2 = tv2 * xn
    20. tv4 = xn * xd4
    21. yEn = tv3 - yd2
    22. yEn = yEn * tv4
    23. yEn = yEn - tv2
    24. tv1 = xn2 + xd2
    25. tv1 = tv1 * xd2
    26. tv1 = tv1 * xd
    27. tv1 = tv1 * yn2
    28. tv1 = -2 * tv1
    29. yEd = tv2 + tv1
    30. tv4 = tv4 * yd2
    31. yEd = yEd + tv4
    32. tv1 = xEd * yEd
    33. e = tv1 == 0
    34. xEn = CMOV(xEn, 0, e)
    35. xEd = CMOV(xEd, 1, e)
    36. yEn = CMOV(yEn, 1, e)
    37. yEd = CMOV(yEd, 1, e)
    38. return (xEn, xEd, yEn, yEd)
This section gives Sage [SAGE] scripts used to generate parameters for the mappings of Section 6.¶
The function below outputs an appropriate Z for the Shallue and van de Woestijne map (Section 6.6.1).¶
    # Arguments:
    # - F, a field object, e.g., F = GF(2^521 - 1)
    # - A and B, the coefficients of the curve equation y^2 = x^3 + A * x + B
    def find_z_svdw(F, A, B):
        g = lambda x: F(x)^3 + F(A) * F(x) + F(B)
        h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z))
        ctr = F.gen()
        while True:
            for Z_cand in (F(ctr), F(-ctr)):
                if g(Z_cand) == F(0):
                    # Criterion 1: g(Z) != 0 in F.
                    continue
                if h(Z_cand) == F(0):
                    # Criterion 2: -(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.
                    continue
                if not h(Z_cand).is_square():
                    # Criterion 3: -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
                    continue
                if g(Z_cand).is_square() or g(-Z_cand / F(2)).is_square():
                    # Criterion 4: At least one of g(Z) and g(-Z / 2) is square in F.
                    return Z_cand
            ctr += 1
The function below outputs an appropriate Z for the Simplified SWU map (Section 6.6.2).¶
    # Arguments:
    # - F, a field object, e.g., F = GF(2^521 - 1)
    # - A and B, the coefficients of the curve equation y^2 = x^3 + A * x + B
    def find_z_sswu(F, A, B):
        R.<xx> = F[]                        # Polynomial ring over F
        g = xx^3 + F(A) * xx + F(B)         # y^2 = g(x) = x^3 + A * x + B
        ctr = F.gen()
        while True:
            for Z_cand in (F(ctr), F(-ctr)):
                if Z_cand.is_square():
                    # Criterion 1: Z is non-square in F.
                    continue
                if Z_cand == F(-1):
                    # Criterion 2: Z != -1 in F.
                    continue
                if not (g - Z_cand).is_irreducible():
                    # Criterion 3: g(x) - Z is irreducible over F.
                    continue
                if g(B / (Z_cand * A)).is_square():
                    # Criterion 4: g(B / (Z * A)) is square in F.
                    return Z_cand
            ctr += 1
The function below outputs an appropriate Z for the Elligator 2 map (Section 6.7.1).¶
    # Argument:
    # - F, a field object, e.g., F = GF(2^255 - 19)
    def find_z_ell2(F):
        ctr = F.gen()
        while True:
            for Z_cand in (F(ctr), F(-ctr)):
                if Z_cand.is_square():
                    # Z must be a non-square in F.
                    continue
                return Z_cand
            ctr += 1
This section defines special-purpose sqrt functions for the three most common cases, q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16). In addition, it gives a generic constant-time algorithm that works for any prime modulus.¶
[AR13] and [S85] describe optimized methods for extension fields.¶
    sqrt_3mod4(x)

    Parameters:
    - F, a finite field of characteristic p and order q = p^m.

    Input: x, an element of F.
    Output: z, an element of F such that (z^2) == x, if x is square in F.

    Constants:
    1. c1 = (q + 1) / 4     # Integer arithmetic

    Procedure:
    1. return x^c1

    sqrt_5mod8(x)

    Parameters:
    - F, a finite field of characteristic p and order q = p^m.

    Input: x, an element of F.
    Output: z, an element of F such that (z^2) == x, if x is square in F.

    Constants:
    1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
    2. c2 = (q + 3) / 8     # Integer arithmetic

    Procedure:
    1. tv1 = x^c2
    2. tv2 = tv1 * c1
    3.   e = (tv1^2) == x
    4.   z = CMOV(tv2, tv1, e)
    5. return z

    sqrt_9mod16(x)

    Parameters:
    - F, a finite field of characteristic p and order q = p^m.

    Input: x, an element of F.
    Output: z, an element of F such that (z^2) == x, if x is square in F.

    Constants:
    1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
    2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
    3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
    4. c4 = (q + 7) / 16    # Integer arithmetic

    Procedure:
    1.  tv1 = x^c4
    2.  tv2 = c1 * tv1
    3.  tv3 = c2 * tv1
    4.  tv4 = c3 * tv1
    5.   e1 = (tv2^2) == x
    6.   e2 = (tv3^2) == x
    7.  tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
    8.  tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
    9.   e3 = (tv2^2) == x
    10.   z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
    11. return z
This algorithm is a constant-time version of the classic Tonelli-Shanks algorithm ([C93], Algorithm 1.5.1) due to Sean Bowe, Jack Grigg, and Eirik Ogilvie-Wigley [jubjub-fq], adapted and optimized by Michael Scott.¶
This algorithm applies to GF(p) for any p. Note, however, that the special-purpose algorithms given in the prior sections are faster, when they apply.¶
    sqrt_ts_ct(x)

    Parameters:
    - F, a finite field of characteristic p and order q = p^m.

    Input: x, an element of F.
    Output: z, an element of F such that z^2 == x, if x is square in F.

    Constants:
    1. c1, the largest integer such that 2^c1 divides q - 1.
    2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
    3. c3 = (c2 - 1) / 2            # Integer arithmetic
    4. c4, a non-square value in F
    5. c5 = c4^c2 in F

    Procedure:
    1.  z = x^c3
    2.  t = z * z * x
    3.  z = z * x
    4.  b = t
    5.  c = c5
    6.  for i in (c1, c1 - 1, ..., 2):
    7.      for j in (1, 2, ..., i - 2):
    8.           b = b * b
    9.      z = CMOV(z, z * c, b != 1)
    10.     c = c * c
    11.     t = CMOV(t, t * c, b != 1)
    12.     b = t
    13. return z
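The four square-root routines of this section, written as runnable Python over prime fields GF(q) so they can be compared against each other and exercised on non-square inputs. This is an added example, not code from the draft or its repository. Assumptions: make_sqrt_ts_ct and checked_sqrt are hypothetical names, the constants are derived at run time rather than precomputed, and c4 is chosen as the smallest non-square.

```python
# Added example: the section's sqrt routines over GF(q), q an odd prime.
def cmov(a, b, c):
    """CMOV(a, b, c): a if c is False, else b. Python ints are NOT constant time."""
    return b if c else a


def sqrt_3mod4(x, q):
    return pow(x, (q + 1) // 4, q)


def sqrt_5mod8(x, q):
    c1 = pow(2, (q - 1) // 4, q)       # sqrt(-1): 2 is a non-square when q = 5 (mod 8)
    tv1 = pow(x, (q + 3) // 8, q)
    tv2 = tv1 * c1 % q
    e = tv1 * tv1 % q == x
    return cmov(tv2, tv1, e)


def make_sqrt_ts_ct(q):
    """Precompute c1..c5 for q and return sqrt_ts_ct(x)."""
    c1, c2 = 0, q - 1
    while c2 % 2 == 0:                 # c1 = largest power of two dividing q - 1
        c1, c2 = c1 + 1, c2 // 2
    c3 = (c2 - 1) // 2
    c4 = next(n for n in range(2, q) if pow(n, (q - 1) // 2, q) == q - 1)
    c5 = pow(c4, c2, q)

    def sqrt_ts_ct(x):
        z = pow(x, c3, q)
        t = z * z * x % q
        z = z * x % q
        b, c = t, c5
        for i in range(c1, 1, -1):     # i = c1, c1 - 1, ..., 2
            for _ in range(i - 2):     # j = 1, ..., i - 2; count depends on q only
                b = b * b % q
            e = b != 1
            z = cmov(z, z * c % q, e)
            c = c * c % q
            t = cmov(t, t * c % q, e)
            b = t
        return z

    return sqrt_ts_ct


def sqrt_9mod16(x, q):
    ts = make_sqrt_ts_ct(q)            # used here only to derive the constants
    c1 = ts(q - 1)                     # sqrt(-1)
    c2 = ts(c1)                        # sqrt(c1)
    c3 = ts(q - c1)                    # sqrt(-c1)
    tv1 = pow(x, (q + 7) // 16, q)
    tv2, tv3, tv4 = c1 * tv1 % q, c2 * tv1 % q, c3 * tv1 % q
    e1 = tv2 * tv2 % q == x
    e2 = tv3 * tv3 % q == x
    tv1 = cmov(tv1, tv2, e1)
    tv2 = cmov(tv4, tv3, e2)
    e3 = tv2 * tv2 % q == x
    return cmov(tv1, tv2, e3)


def checked_sqrt(x, q):
    """Pick the routine by residue class of q; return None when x is not a square."""
    x %= q
    if q % 4 == 3:
        z = sqrt_3mod4(x, q)
    elif q % 8 == 5:
        z = sqrt_5mod8(x, q)
    elif q % 16 == 9:
        z = sqrt_9mod16(x, q)
    else:
        z = make_sqrt_ts_ct(q)(x)
    # Every routine returns *some* field element for a non-square input,
    # so the caller has to confirm z^2 == x before using the result.
    return z if z * z % q == x else None
```

None of the routines signals failure on its own; the final comparison in checked_sqrt is the only thing that distinguishes a real root from the value returned for a non-square.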
This section gives test vectors for each suite defined in Section 8. The test vectors in this section were generated using code that is available from [hash2curve-repo].¶
Each test vector in this section lists values computed by the appropriate encoding function, with variable names defined as in Section 3. For example, for a suite whose encoding type is random oracle, the test vector gives the value for msg, u, Q0, Q1, and the output point P.¶
suite = P256_XMD:SHA-256_SSWU_RO_ dst = P256_XMD:SHA-256_SSWU_RO_TESTGEN msg = P.x = 03f6cd48873763fc0eb06947d0dcb35aea09599df5652ab3585eb3 b0fe5dc5f8 P.y = fda9972c0a5c1bb0b9ac1b1590404f7793d3523a194b6283c0cbb8 da9f163781 u[0] = 54b82282b0ca2fadc1d3aaca8b3749a6f626a0db55c1a71683e532 1b0ca167ac u[1] = 12217139110a50ffb097ef02eec754aa0848d1ffc2dab783271e26 2f525a5c02 Q0.x = 06ecc4e1f2e89279dfd197abcd9452d2ad41686960cd9fdd109d99 5e797fd5f9 Q0.y = 43541719de000662feebe412bead45724d04b2b537c367144656c2 5d70702fa2 Q1.x = a16564b5afad9148200409307674e600e8624adb76e4a0e50a2063 ba190268a2 Q1.y = f3ffbafa60f93772e304f1f4121c98d2dcd5e80e2253eafe55cf8d cb3e60cf4a msg = abc P.x = f2edd21087e86cab1a9f01c8d05a3ede5936e641086ae07660b679 178db1c6f2 P.y = ee8df178c724d131a9ab173c2359a97e3fb7f70cb4060463e72b6b 423c943754 u[0] = a7b97013c7f7ddb79348ba163bbadd8128a770f425c96a16d3cd80 ded548481c u[1] = 4d4cc838974b8d38b02b106bf96b4abb5bb8a78d0f8063911a7846 c2c3144cd6 Q0.x = 59035c27d2bf446222c7f42bcd67616b375f4f3738baa2d5386ddb 0da65d5ced Q0.y = dc510ee04310d23333b4f385c01d9f39eaf0dac442165929b54dee 176b47b810 Q1.x = e0d4318efdcf2fc7cef4572945d5cfd1e65c89fbc29becd4871827 81f98d0e80 Q1.y = 0ed569711187cce5dd1047826cf266fa5c8319459240975ba02f4e eae5c3b4ca msg = abcdef0123456789 P.x = 56d7548bd4db17f2d6eb666b1d119dc5a79087c66a3bd3dfc5232a 99851e05d2 P.y = 1d392bf473d962dfc82e413df0b70356a8d550ced314f397c8aeea 1b1bd8b5e8 u[0] = de1a53abd911ff4864136514a0a76f97a33cde47ca695cd659f718 78b16e818e u[1] = 38216f3c99e9cc00602d92652e8149fcfe9cde6d3d742db9f8604f 5be29e3a56 Q0.x = e90130ab063fa8915f7b40d87dc844cb17615fbca777a8786dfa92 0f7d64de18 Q0.y = 3ed7e73dcb859ff29ee8c03c2fee155593e9bfa350108597823b52 e8b550dddc Q1.x = 6b92f84f15e7ff8db05e5f6aa5d65b98786e5c01fc046f4080c3f1 bbd175daf3 Q1.y = 9217ff1c2a10aeb4e741ae3ea3502a1bc9e482844f31dd9c18d657 fa79a9a994 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = ce6b06fd60933cdd9a92429d6a809a80a722d0b6242856e5d9320c 173387e603 P.y = 10a337579d7e0e5d21dabeb20bb447505898a26d4ae08ab9cc94a0 cd3c6ffff1 u[0] = 88fc351f653028d82517fdc955a47b7b7e0a7f7ba476e1c51d06fd 87d43ffe86 u[1] = bb4b5f971bb299e65baf86b3244905dcc51dd686ee5794a995e418 03f9966959 Q0.x = 639c0217dddeeab6b2994777cb203ac37c6d1ffc51e8c673ef5684 f76e8f419d Q0.y = e3e36a9781f86c59dd808d5aa7b164a00b02c05fd84a9e84608a0e 1d07d4b532 Q1.x = c3f1acec963aa610b0d2b128bdaf425070c5ca6cef88a51f3316bb ffa5880fa4 Q1.y = f36f6d9c0168659be9a0e58b168ae2e0e98189448adc9e88b75332 8a900945ad¶
suite = P256_XMD:SHA-256_SSWU_NU_ dst = P256_XMD:SHA-256_SSWU_NU_TESTGEN msg = P.x = 2b1b6eb1989d3fb644a4d2962e5adab24444abf37963e3ee5c3a47 aa864c0899 P.y = 6b49f459088caf7588cde4650fba46f72870fe5bde98d170153bd8 3d467caddc u[0] = 84bc3167da0939bc7130e749558acfa0001eaf26990b6f9565a882 72edb162a6 Q.x = 2b1b6eb1989d3fb644a4d2962e5adab24444abf37963e3ee5c3a47 aa864c0899 Q.y = 6b49f459088caf7588cde4650fba46f72870fe5bde98d170153bd8 3d467caddc msg = abc P.x = 3a7c9353213d23c67286117b783863d0fcf0741df89680eb8678dc 3482aa4294 P.y = d023fd86e73e383327ebb25b1fc3980d0048c2c31a9927a6585ffb 127f8b4262 u[0] = 03f880f3c4b02f3afdfbb79f5a68f52a52dda11bb18bc615693cc3 9e88eaef0e Q.x = 3a7c9353213d23c67286117b783863d0fcf0741df89680eb8678dc 3482aa4294 Q.y = d023fd86e73e383327ebb25b1fc3980d0048c2c31a9927a6585ffb 127f8b4262 msg = abcdef0123456789 P.x = dc152e051787dfe673e1bfe48a72c5814c559e66c8e1a369084cbe 73929d0ae3 P.y = 12162397d8f3235e978e7aca400f78135f3de76b8f58c1fe4bf39a d4be424e0f u[0] = 6d895387b21ede1286f10a00bdc9543c2c33e3075287015ad50494 86aafc8155 Q.x = dc152e051787dfe673e1bfe48a72c5814c559e66c8e1a369084cbe 73929d0ae3 Q.y = 12162397d8f3235e978e7aca400f78135f3de76b8f58c1fe4bf39a d4be424e0f msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = bdff5810ac42130719752d50ccc5f79e169e90a90cda984c311f6b ad8e77fb44 P.y = 73aa23cfb08dd1ed92d770152d59b7e2b63176ceb664bdcae8153d 83609dd2e5 u[0] = 91cb15a547813dad8255626afab8db2937bf9136e3e140a2281dda 77568f0ae3 Q.x = 
bdff5810ac42130719752d50ccc5f79e169e90a90cda984c311f6b ad8e77fb44 Q.y = 73aa23cfb08dd1ed92d770152d59b7e2b63176ceb664bdcae8153d 83609dd2e5¶
suite = P256_XMD:SHA-256_SVDW_RO_ dst = P256_XMD:SHA-256_SVDW_RO_TESTGEN msg = P.x = be9400f16f7a1ec3fb526872919f4f9af94c6ac3e8fe5787c0f415 e9def825ff P.y = d14b462afed314ca7c20b1f6f3e501a610b79e0ca8adfce841b9c6 804cfbe419 u[0] = 4ad57c89ca3a6dbff76ce5a844aec126d7e4e58646403b3df08f32 6676d8c8b4 u[1] = d2be61ac4135806ff144acfd6d7f779a74b2cb9e91ff4491763bf9 72fdd2e378 Q0.x = 0e233e601d7e0caee9b4b48a546561aa257fa0b1fd49d62edcebb4 fdddea46d2 Q0.y = 498ef4cade20e4ba193e5ae5fa66d556f23d9293680c997e667ee9 a409deee34 Q1.x = fc0dda7c130cbd7f1e5ab25e6447f5c18f4f8a4c5fe7bf694a44c1 7413c2652b Q1.y = a78e3f4af8b3f09f4bb126d5669dbda7343499161eac746a37828b b6e6f01300 msg = abc P.x = 508fb4590784ea78f129c2eb2d67d73f6642f5ff15dd02931c477b cdcab87137 P.y = 878c0c8b483ee6f0645c7effcf4ca1d2ed2f3654a527f7e06fbc43 21cc15db41 u[0] = f467e1dbcf8f75d17c272eb10f1d89213a078014631fa396b18dfc bb5a177e69 u[1] = 210f9e593582b708768ed53faff7514fb238664acb2fb033188d2e 9926e3f62b Q0.x = 1ba6f73dccbb69e1987bf676b5f51a994624c34874fcc96e4bbf53 dfd8a8c2f9 Q0.y = 3508cb3c41fe3c9c3aae84ddcacc2ec8ddec56c0f83875fedd87f8 bdc6f54e79 Q1.x = 8dac9d3d364c587e2bf43b856fe1102a2a82af80aa3f9e5593298e 88f25ef2db Q1.y = a031a5907d7bd51c46b202c25cd36f06bb7c48f78bc04d77484b1d ef70634ad7 msg = abcdef0123456789 P.x = 7226cec474433278e405e2a472a0c44c27234fe5aa5507674dc762 e7fde6f269 P.y = 8c6424f339a34fcd937d7aa9234f8545bbed9b070e8f52f3893bfc 21e121f0ba u[0] = 04adbdf1097d6637a52c955ba18f286337e3c7570195983a294aa5 21d232cb1c u[1] = d9eebe468d34e0000da1de381f30e96caa582155b4baa0f078879c c045201ab5 Q0.x = 2483744650307cf5c9b42d0dfeb5a6a552ddbc9f33306e26014aad 49135a7661 Q0.y = b42c2f1b332a23d294a395d18a9dd5e6076be31726a80ef4011b51 a6e0a5d50e Q1.x = 34147e925ff536360e70fb6093dff185d11937eaaf03a7c27fe0c8 347e0368ca Q1.y = 613746d811d1cfeb76632f0da3be81ef9ba86d4aa7459c0b21711a 282abca3b3 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 34746e280053b2f059a749fe9bbf32bef6f0d1290c6e002245c5e5 3759b4d52c P.y = 07a7235b1ec33076a2ec7a8478af55f39c766e69d9e0fee8cae327 5276c8ac04 u[0] = a0e77c3fb10bed3ffb1c154877d3dd327569e10ac93d186b2787f1 5095c59d47 u[1] = dfe760152ea428430ca0ddec8ce33c9657b5d54efcf1f55d861910 671efa3fda Q0.x = 85381155e57753630c0bda6f012ab819f2bf309819c1e9c20bf186 a84705bd5b Q0.y = 173b8e141b32dee991f7498077847b0f76a61125bfbc41e9d804fc 55caba8abf Q1.x = f98bec489e4d2c5d8416e0f1bc40510a8169dfd91ff06ff4eece76 f44392b8a5 Q1.y = f165f1b2b2cb47a3fdab38fb41d8947a2c565e685737c8ab6ec095 14d4000f4e¶
suite = P256_XMD:SHA-256_SVDW_NU_ dst = P256_XMD:SHA-256_SVDW_NU_TESTGEN msg = P.x = 8501dd0a6f2313cbe3adea8991bc7ce09400fe0ed9fe4ab2930bf6 325cdb35f1 P.y = fe28c7d2476ab1464e7b097d77ad527c3ef7265759bbb01bd690f0 6542beb4d5 u[0] = aacf70475184d6532779d2e7b1b148130dd280fdf07eb82bfb3bfd 2e61d5b441 Q.x = 8501dd0a6f2313cbe3adea8991bc7ce09400fe0ed9fe4ab2930bf6 325cdb35f1 Q.y = fe28c7d2476ab1464e7b097d77ad527c3ef7265759bbb01bd690f0 6542beb4d5 msg = abc P.x = 2873efb7a560eab63c93e1e35e25c4867d9565279b2954a72f7e68 e5cb398714 P.y = ae5f67e81613340d0e19238c055d51dc181e740267acdc85285608 00fb5a1661 u[0] = 1befe400c70c6bd32d63d8049db60afa9a19cf4718164336359c0d 9891cd6bbb Q.x = 2873efb7a560eab63c93e1e35e25c4867d9565279b2954a72f7e68 e5cb398714 Q.y = ae5f67e81613340d0e19238c055d51dc181e740267acdc85285608 00fb5a1661 msg = abcdef0123456789 P.x = d4b392897e9f709a1803314c04f34ff29030400aba9886e254a45e 061cee5059 P.y = 5ce9455cecc9a105f73ca63f068a9bebd5be12705bdb5ba2c5edbb 692d48c2a4 u[0] = f49957bfa6cfa9732f1094e5ee12df073eb0915acdf5fc65bbd1cc 796edf7b92 Q.x = d4b392897e9f709a1803314c04f34ff29030400aba9886e254a45e 061cee5059 Q.y = 5ce9455cecc9a105f73ca63f068a9bebd5be12705bdb5ba2c5edbb 692d48c2a4 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 54e8999525538c4c067ade8e68979a4299a0b4e11328a1bc7a7849 7bd007273a P.y = eab90502eb73fc640ef054f108cb40c9e89bbaf3b1cbe35735200a 371e823e90 u[0] = 68dd1e91ec38fb8638dd718d82f437658b815c7f57a74ca6d9afcd e5f18244cc Q.x = 
54e8999525538c4c067ade8e68979a4299a0b4e11328a1bc7a7849 7bd007273a Q.y = eab90502eb73fc640ef054f108cb40c9e89bbaf3b1cbe35735200a 371e823e90¶
suite = P384_XMD:SHA-512_SSWU_RO_ dst = P384_XMD:SHA-512_SSWU_RO_TESTGEN msg = P.x = 619d4168877421106aecb16ec35d84b7fdfa215cdb446d82bac49f 6eab51a34b4d5314823f7639293cf6471c6c981a99 P.y = e5035c694665ca25b2c57542673af6b91288110b0b0689657cd031 96976d82dec104fd9f91296c85d1ed94bc9309840e u[0] = 091d2a7c61e98f914380f54b5a19cdf32f51aecd11e65ce494112e e6e4b3b4a6298a775a4178dea6090874eb96c689ac u[1] = 3b2fa6330a16df240bd84c60e815346d06511f55969f6d4f8c26f9 9854b72347892d8a864c16ba8df16528c52f290578 Q0.x = a2c93220bc6918cbf2124d614ce2edeb7385b4e822f55cf596d94d e6848bb67c6e4e7a70ad85cd2bb9cb1496f4dfdc37 Q0.y = 70184f23bd4fee377a6708eef5ddecb15333ad40a4d28715233168 7054b803efa89685605b40866cbdf9140dffb7a90a Q1.x = ba5b9c205ce4c2da6bfd0a8b0d2234d3f6318fb2565c719a0cbbc6 7626645932500a915efa0d29f0bbd10f248a5e6642 Q1.y = 4f263dd72c7741e8c03bff484e306001ac5b31df3ca151f025c7ad 791b0f453f7d3614bd1c24414e609c06376d1fe498 msg = abc P.x = d7c33555606b86c3ffaa1a645f806bac9d553a769f5a735d75a395 d58a70956b6d3bdbd6a6a8c83121678a036005208a P.y = e1c55f372a905040576f61fbc07e9664359e76f3e7b5be8dfe7224 720f85753a823e94a3f886ced2ec5ce13b1248147a u[0] = ffc8bb0c99882b5506c5e7950f33dd079cabf702a9e04fb040a810 ebc8d40cf825728c78dbf1230c480e2cc371f1d4a4 u[1] = af12b4191e814480159b520a789666d00c99cb29344569ecb221fb 8cad69411f0096775eaf1f4face1edc85db658bb3b Q0.x = 3a0d5045f51ec19eae02a59405b4f5f3012c01b5aa87677e0fd35b bc08a1316562207ff2d313282e6524a714a1fec282 Q0.y = 9aa73f6108e6af8faf5bfec00ffef05ea7559f8100c67e997e00d5 d847d9b98f2461ee3fd303341d9f02f7f1b4f4a9de Q1.x = 184296dbb14ea7e17359be458e801bdcd37bfb4d259c9b4bcf88e3 7ad88368fa739dd26ba0d2a632ce35ffdd35176b78 Q1.y = 73ab89802e651825e77a99361bb2cbd365bcc5301207e99be0a954 d49628dda943dd0c3f41d8775405c987bff62486ab msg = abcdef0123456789 P.x = d1f4bdd7ef9ee1c2d57ccd2b3b80123ccf3eb64b2f0a3ad26b8cd1 a8a8e411aadb9922d0e66a89ef0e78dba1489e23ea P.y = 9f376abd97ab8838c604a05ad17be1dfe0d924ddf0184341ec8e5a ef9efb0f6559ab3048b4e1e0e42ac19ccb6d1dd892 
u[0] = 5ff66529c7354d61088a998c43e1e2dc7603e40d4118b3f8c0f842 6e12b141251d1aec9b5d597d01ef7093199ed0c67f u[1] = 611ef2efe2da7beb61ed2158e2db03f06fb3d4ce485c7e30575920 07a91053c22d496ba112645f2145d4b1bd7bf98a2c Q0.x = 455d7359198a678bf4de0a6dafbe7929acb93e7dc5b50a260e5998 0828038247c22a88b73a517bdbcb0b90671037ea84 Q0.y = c4737acffcf31b97bccb55923fd5629d896a636f50f46ab01aaf55 647334bef77164861dc3a7af96a591230a40a41f19 Q1.x = 6836e44666701764cbb69216568c7c52afb341f294b221f1dbb646 fcfde97c6650ae68c1e69f9ede4c360d79ff7c85e0 Q1.y = 0e0bdd40fbaf98dd8ce0e3b32ac61113369be3600190ef8013709b 961cdedb2f5273873aee848d48d74a07e7f10e6022 msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 1b669293d6edfd55ca7f9725d72fc62b55a8829738404a1239f2ca 783ad8f8a3ebe2ce54a28fcb6e9eca85d1ce29a929 P.y = 25556bc2c6382c261feb362519f1e5d616518810262c358fb80e45 803ebcd0ce830b594da7a0e9de9eb13ad2d9191d34 u[0] = 632014cbbab75556b66ef27806aa016c170cb5f7cdc7cabda43db4 0be1323faacf90113acbaf4065fd26552f085026f6 u[1] = 86e70cc3af0887e8fc4b5216405fc3fe7277a1e43d88068ca74d8e 4b6afd817ec14d4b57bb7de29d71ddf587f73d57e5 Q0.x = 88672e48d6fb2e5361e3f550987d74fefb55083f826f9c45f4e601 3261750cb533e085c99993dacc87702ebbbceab269 Q0.y = 18baf7353c64daea70b6745216865433fe693c63da2c7a3a72aea7 f263d0d8a9274795b0fdb45bca9ce3494416d1db18 Q1.x = 4b76e5d9a68727d35f90d21bb1b2425b20f8585aa740491749ea76 884f7f5b2b7df3d3d2dda4f520b7b1a321f5c71acf Q1.y = ef067ae93f7a1e7ffe39e47e02038a6571ce53e17ae166555f0228 
1fb1531c031de3a43f6e614cda04c2f4b0e23b6783¶
suite = P384_XMD:SHA-512_SSWU_NU_ dst = P384_XMD:SHA-512_SSWU_NU_TESTGEN msg = P.x = e301de73b2aa0d7d10916a1c96fbb5b257a763e07af63b5070eeae a5b5802e95e8dbe2d781bb2b071393d7076dd05ddd P.y = 54fc88309ad1877a0161d3306248f79b740f10f10006b05a47f81a 163b065258ed1323a35eeea5cb1ea86355ba31b9f9 u[0] = ec21664b5b562ca14c6e3d882e1d688a6565985c8486af3c4d8951 8ce283f9f2b7cc8a5b55968c62f85b420678821e83 Q.x = e301de73b2aa0d7d10916a1c96fbb5b257a763e07af63b5070eeae a5b5802e95e8dbe2d781bb2b071393d7076dd05ddd Q.y = 54fc88309ad1877a0161d3306248f79b740f10f10006b05a47f81a 163b065258ed1323a35eeea5cb1ea86355ba31b9f9 msg = abc P.x = 586d7162ddfc0233b8ba30d29ab4fea344336d978f771cd991e1cf 66b3ae4d29c0c01c490bb2073f9afbcbe16190a2d7 P.y = ed4e34ea44b6e32976810f9bc96e9c8a5bb5890abdbcd59283e11f 9b7c5089f94b46758db2add2c59f0ac12a19d9d795 u[0] = 3d083883a17c60649cd759dd61302da3d0cdc9e7fffa7e1dffc013 583890b27574473d35b7b8f90a63bbb3e38776bedd Q.x = 586d7162ddfc0233b8ba30d29ab4fea344336d978f771cd991e1cf 66b3ae4d29c0c01c490bb2073f9afbcbe16190a2d7 Q.y = ed4e34ea44b6e32976810f9bc96e9c8a5bb5890abdbcd59283e11f 9b7c5089f94b46758db2add2c59f0ac12a19d9d795 msg = abcdef0123456789 P.x = 86114b3da1e654ccbbe442d2ad548f68b19b8773e9fe4d98ea04a8 adffa0bb63337467ddf04df926a07c078a444a6efc P.y = a4505d54ee92518dc640792e7a1b07222dfcb61a3a6ab319b745a0 97c42ced72f46171fd342f96ce72aa6224f56cd01a u[0] = fce089572bf8eec0b94d8c619c1a198dbb70ed129b3b7e22351a14 defa02cda789b15ef3c499c464188140bfd0d78f10 Q.x = 86114b3da1e654ccbbe442d2ad548f68b19b8773e9fe4d98ea04a8 adffa0bb63337467ddf04df926a07c078a444a6efc Q.y = a4505d54ee92518dc640792e7a1b07222dfcb61a3a6ab319b745a0 97c42ced72f46171fd342f96ce72aa6224f56cd01a msg = a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa P.x = 28c7dafb30a83e5cf3c984eeb191ebe742954f87963c91fc717b9e bf3880cf40837a8c5ccc734846ae98ad6096462459 P.y = 32e3251f9869e546ef37311696fa047c8e45e60a809de166ecda3c 23d95cf8532248dfd87e4e50b3eaa1e3d704d5ce53 u[0] = d1f73f4b4f1d8446aa0cf6e12f1737e52de386a16dad52d3af1fbb 320151b09d70240979c346c6e15f2c9ae6a734f78f Q.x = 28c7dafb30a83e5cf3c984eeb191ebe742954f87963c91fc717b9e bf3880cf40837a8c5ccc734846ae98ad6096462459 Q.y = 32e3251f9869e546ef37311696fa047c8e45e60a809de166ecda3c 23d95cf8532248dfd87e4e50b3eaa1e3d704d5ce53¶
suite = P384_XMD:SHA-512_SVDW_RO_
dst = P384_XMD:SHA-512_SVDW_RO_TESTGEN
suite = P384_XMD:SHA-512_SVDW_NU_
dst = P384_XMD:SHA-512_SVDW_NU_TESTGEN
suite = P521_XMD:SHA-512_SSWU_RO_
dst = P521_XMD:SHA-512_SSWU_RO_TESTGEN
suite = P521_XMD:SHA-512_SSWU_NU_
dst = P521_XMD:SHA-512_SSWU_NU_TESTGEN
suite = P521_XMD:SHA-512_SVDW_RO_
dst = P521_XMD:SHA-512_SVDW_RO_TESTGEN
suite = P521_XMD:SHA-512_SVDW_NU_
dst = P521_XMD:SHA-512_SVDW_NU_TESTGEN
suite = curve25519_XMD:SHA-256_ELL2_RO_
dst = curve25519_XMD:SHA-256_ELL2_RO_TESTGEN
suite = curve25519_XMD:SHA-256_ELL2_NU_
dst = curve25519_XMD:SHA-256_ELL2_NU_TESTGEN
suite = curve25519_XMD:SHA-512_ELL2_RO_
dst = curve25519_XMD:SHA-512_ELL2_RO_TESTGEN
suite = curve25519_XMD:SHA-512_ELL2_NU_
dst = curve25519_XMD:SHA-512_ELL2_NU_TESTGEN
suite = edwards25519_XMD:SHA-256_ELL2_RO_
dst = edwards25519_XMD:SHA-256_ELL2_RO_TESTGEN
suite = edwards25519_XMD:SHA-256_ELL2_NU_
dst = edwards25519_XMD:SHA-256_ELL2_NU_TESTGEN
suite = edwards25519_XMD:SHA-512_ELL2_RO_
dst = edwards25519_XMD:SHA-512_ELL2_RO_TESTGEN
suite = edwards25519_XMD:SHA-512_ELL2_NU_
dst = edwards25519_XMD:SHA-512_ELL2_NU_TESTGEN
suite = curve448_XMD:SHA-512_ELL2_RO_
dst = curve448_XMD:SHA-512_ELL2_RO_TESTGEN
suite = curve448_XMD:SHA-512_ELL2_NU_
dst = curve448_XMD:SHA-512_ELL2_NU_TESTGEN
suite = edwards448_XMD:SHA-512_ELL2_RO_
dst = edwards448_XMD:SHA-512_ELL2_RO_TESTGEN
suite = edwards448_XMD:SHA-512_ELL2_NU_
dst = edwards448_XMD:SHA-512_ELL2_NU_TESTGEN
suite = secp256k1_XMD:SHA-256_SSWU_RO_
dst = secp256k1_XMD:SHA-256_SSWU_RO_TESTGEN
suite = secp256k1_XMD:SHA-256_SSWU_NU_
dst = secp256k1_XMD:SHA-256_SSWU_NU_TESTGEN
suite = secp256k1_XMD:SHA-256_SVDW_RO_
dst = secp256k1_XMD:SHA-256_SVDW_RO_TESTGEN
suite = secp256k1_XMD:SHA-256_SVDW_NU_
dst = secp256k1_XMD:SHA-256_SVDW_NU_TESTGEN
suite = BLS12381G1_XMD:SHA-256_SSWU_RO_
dst = BLS12381G1_XMD:SHA-256_SSWU_RO_TESTGEN
suite = BLS12381G1_XMD:SHA-256_SSWU_NU_
dst = BLS12381G1_XMD:SHA-256_SSWU_NU_TESTGEN
suite = BLS12381G1_XMD:SHA-256_SVDW_RO_
dst = BLS12381G1_XMD:SHA-256_SVDW_RO_TESTGEN
suite = BLS12381G1_XMD:SHA-256_SVDW_NU_
dst = BLS12381G1_XMD:SHA-256_SVDW_NU_TESTGEN
suite = BLS12381G2_XMD:SHA-256_SSWU_RO_
dst = BLS12381G2_XMD:SHA-256_SSWU_RO_TESTGEN
suite = BLS12381G2_XMD:SHA-256_SSWU_NU_
dst = BLS12381G2_XMD:SHA-256_SSWU_NU_TESTGEN
suite = BLS12381G2_XMD:SHA-256_SVDW_RO_
dst = BLS12381G2_XMD:SHA-256_SVDW_RO_TESTGEN
suite = BLS12381G2_XMD:SHA-256_SVDW_NU_
dst = BLS12381G2_XMD:SHA-256_SVDW_NU_TESTGEN