Network Working Group

Internet Research Task Force (IRTF)                          A. Davidson
Internet-Draft
Request for Comments: 9497                                Brave Software
Intended status:
Category: Informational                                 A. Faz-Hernandez
Expires: 25 August 2023
ISSN: 2070-1721                                              N. Sullivan
                                                              C. A. Wood
                                                        Cloudflare, Inc.
                                                        21 February
                                                           December 2023

   Oblivious Pseudorandom Functions (OPRFs) using Using Prime-Order Groups
                        draft-irtf-cfrg-voprf-21

Abstract

   An Oblivious Pseudorandom Function (OPRF) is a two-party protocol
   between a client and a server for computing the output of a
   Pseudorandom Function (PRF).  The server provides the PRF private
   key, and the client provides the PRF input.  At the end of the
   protocol, the client learns the PRF output without learning anything
   about the PRF private key, and the server learns neither the PRF
   input nor output.  An OPRF can also satisfy a notion of
   'verifiability', called a VOPRF.  A VOPRF ensures clients can verify
   that the server used a specific private key during the execution of
   the protocol.  A VOPRF can also be partially-oblivious, partially oblivious, called a
   POPRF.  A POPRF allows clients and servers to provide public input to
   the PRF computation.  This document specifies an OPRF, VOPRF, and
   POPRF instantiated within standard prime-order groups, including
   elliptic curves.  This document is a product of the Crypto Forum
   Research Group (CFRG) in the IRTF.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-voprf.

Status of This Memo

   This Internet-Draft document is submitted in full conformance with not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the
   provisions Internet Research Task Force
   (IRTF).  The IRTF publishes the results of BCP 78 Internet-related research
   and BCP 79.

   Internet-Drafts are working documents development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Engineering Research Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts (IRTF).  Documents
   approved for publication by the IRSG are draft documents valid not candidates for a maximum any level
   of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of six months this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 August 2023.
   https://www.rfc-editor.org/info/rfc9497.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Change log  . . . . . . . . . . . . . . . . . . . . . . .   4
     1.2.  Requirements  . . . . . . . . . . . . . . . . . . . . . .   8
     1.3. Language
     1.2.  Notation and Terminology  . . . . . . . . . . . . . . . .   8
   2.  Preliminaries . . . . . . . . . . . . . . . . . . . . . . . .   9
     2.1.  Prime-Order Group . . . . . . . . . . . . . . . . . . . .  10
     2.2.  Discrete Logarithm Equivalence Proofs . . . . . . . . . .  11
       2.2.1.  Proof Generation  . . . . . . . . . . . . . . . . . .  12
       2.2.2.  Proof Verification  . . . . . . . . . . . . . . . . .  15
   3.  Protocol  . . . . . . . . . . . . . . . . . . . . . . . . . .  18
     3.1.  Configuration . . . . . . . . . . . . . . . . . . . . . .  20
     3.2.  Key Generation and Context Setup  . . . . . . . . . . . .  20
       3.2.1.  Deterministic Key Generation  . . . . . . . . . . . .  22
     3.3.  Online Protocol . . . . . . . . . . . . . . . . . . . . .  23
       3.3.1.  OPRF Protocol . . . . . . . . . . . . . . . . . . . .  24
       3.3.2.  VOPRF Protocol  . . . . . . . . . . . . . . . . . . .  26
       3.3.3.  POPRF Protocol  . . . . . . . . . . . . . . . . . . .  29
   4.  Ciphersuites  . . . . . . . . . . . . . . . . . . . . . . . .  33
     4.1.  OPRF(ristretto255, SHA-512) . . . . . . . . . . . . . . .  33
     4.2.  OPRF(decaf448, SHAKE-256) . . . . . . . . . . . . . . . .  34
     4.3.  OPRF(P-256, SHA-256)  . . . . . . . . . . . . . . . . . .  36
     4.4.  OPRF(P-384, SHA-384)  . . . . . . . . . . . . . . . . . .  37
     4.5.  OPRF(P-521, SHA-512)  . . . . . . . . . . . . . . . . . .  38
     4.6.  Future Ciphersuites . . . . . . . . . . . . . . . . . . .  39
     4.7.  Random Scalar Generation  . . . . . . . . . . . . . . . .  40
       4.7.1.  Rejection Sampling  . . . . . . . . . . . . . . . . .  40
       4.7.2.  Random Number Generation Using Extra Random Bits  . .  40
   5.  Application Considerations  . . . . . . . . . . . . . . . . .  40
     5.1.  Input Limits  . . . . . . . . . . . . . . . . . . . . . .  41
     5.2.  External Interface Recommendations  . . . . . . . . . . .  41
     5.3.  Error Considerations  . . . . . . . . . . . . . . . . . .  41
     5.4.  POPRF Public Input  . . . . . . . . . . . . . . . . . . .  42
   6.  IANA considerations . . . . . . . . . . . . . . . . . . . . .  42 Considerations
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  42
     7.1.  Security Properties . . . . . . . . . . . . . . . . . . .  42
     7.2.  Security Assumptions  . . . . . . . . . . . . . . . . . .  44
       7.2.1.  OPRF and VOPRF Assumptions  . . . . . . . . . . . . .  44
       7.2.2.  POPRF Assumptions . . . . . . . . . . . . . . . . . .  45
       7.2.3.  Static Diffie Hellman Diffie-Hellman Attack and Security Limits  . .  45
     7.3.  Domain Separation . . . . . . . . . . . . . . . . . . . .  46
     7.4.  Timing Leaks  . . . . . . . . . . . . . . . . . . . . . .  46
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  46
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  46
     9.1.
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  46
     9.2.
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  47
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  49
     A.1.  ristretto255-SHA512 . . . . . . . . . . . . . . . . . . .  50
       A.1.1.  OPRF Mode . . . . . . . . . . . . . . . . . . . . . .  50
       A.1.2.  VOPRF Mode  . . . . . . . . . . . . . . . . . . . . .  51
       A.1.3.  POPRF Mode  . . . . . . . . . . . . . . . . . . . . .  53
     A.2.  decaf448-SHAKE256 . . . . . . . . . . . . . . . . . . . .  54
       A.2.1.  OPRF Mode . . . . . . . . . . . . . . . . . . . . . .  54
       A.2.2.  VOPRF Mode  . . . . . . . . . . . . . . . . . . . . .  55
       A.2.3.  POPRF Mode  . . . . . . . . . . . . . . . . . . . . .  57
     A.3.  P256-SHA256 . . . . . . . . . . . . . . . . . . . . . . .  59
       A.3.1.  OPRF Mode . . . . . . . . . . . . . . . . . . . . . .  59
       A.3.2.  VOPRF Mode  . . . . . . . . . . . . . . . . . . . . .  60
       A.3.3.  POPRF Mode  . . . . . . . . . . . . . . . . . . . . .  61
     A.4.  P384-SHA384 . . . . . . . . . . . . . . . . . . . . . . .  63
       A.4.1.  OPRF Mode . . . . . . . . . . . . . . . . . . . . . .  63
       A.4.2.  VOPRF Mode  . . . . . . . . . . . . . . . . . . . . .  64
       A.4.3.  POPRF Mode  . . . . . . . . . . . . . . . . . . . . .  65
     A.5.  P521-SHA512 . . . . . . . . . . . . . . . . . . . . . . .  67
       A.5.1.  OPRF Mode . . . . . . . . . . . . . . . . . . . . . .  67
       A.5.2.  VOPRF Mode  . . . . . . . . . . . . . . . . . . . . .  68
       A.5.3.  POPRF Mode  . . . . . . . . . . . . . . . . . . . . .  70
   Acknowledgements
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  72

1.  Introduction

   A Pseudorandom Function (PRF) F(k, x) is an efficiently computable
   function taking a private key k and a value x as input.  This
   function is pseudorandom if the keyed function K(_) = F(k, _) is
   indistinguishable from a randomly sampled function acting on the same
   domain and range as K().  An Oblivious PRF (OPRF) is a two-party
   protocol between a server and a client, where wherein the server holds a
   PRF key k and the client holds some input x.  The protocol allows
   both parties to cooperate in computing F(k, x) x), such that the client
   learns F(k, x) without learning anything about k; k and the server does
   not learn anything about x or F(k, x).  A Verifiable OPRF (VOPRF) is
   an
   OPRF OPRF, wherein the server also proves to the client that F(k, x)
   was produced by the key k corresponding to the server's public key,
   which the client knows.  A Partially-Oblivious Partially Oblivious PRF (POPRF) is a
   variant of a VOPRF wherein VOPRF, where the client and server interact in computing
   F(k, x, y), for some PRF F with server-provided key k, client-provided client-
   provided input x, and public input y, and the client receives proof
   that F(k, x, y) was computed using k corresponding to the public key
   that the client knows.  A POPRF with fixed input y is functionally
   equivalent to a VOPRF.

   OPRFs have a variety of applications, including: including password-protected
   secret sharing schemes [JKKX16], privacy-preserving password stores
   [SJKS17], and password-authenticated key exchange or PAKE (PAKE) [OPAQUE].
   Verifiable OPRFs are necessary in some applications applications, such as Privacy
   Pass [PRIVACYPASS]. [PRIVACY-PASS].  Verifiable OPRFs have also been used for
   password-protected secret sharing schemes schemes, such as that of [JKK14].

   This document specifies OPRF, VOPRF, and POPRF protocols built upon
   prime-order groups.  The document describes each protocol variant,
   along with application considerations, and their security properties.

   This document represents the consensus of the Crypto Forum Research
   Group (CFRG).  It is not an IETF product and is not a standard.

1.1.  Change log

   draft-21 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-21):

   *  Apply more IRSG review comments.

   draft-20 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-20):

   *  Address IRSG comments.

   draft-19 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-19):

   *  Fix error.

   draft-18 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-18):

   *  Apply editorial suggestions from CFRG chair review.

   draft-17 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-17):

   *  Change how suites are identified and finalize test vectors.

   *  Apply editorial suggestions from IRTF chair review.

   draft-16 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-16):

   *  Apply editorial suggestions from document shepherd.

   draft-15 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-15):

   *  Apply editorial suggestions from CFRG RGLC.

   draft-14 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-14):

   *  Correct current state of formal analysis for the VOPRF protocol
      variant.

   draft-13 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-13):

   *  Editorial improvements based on Crypto Panel Review.

   draft-12 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-12):

   *  Small editorial fixes

   draft-11 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-11):

   *  Change Evaluate to BlindEvaluate, and add Evaluate for PRF
      evaluation

   draft-10 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-10):

   *  Editorial improvements

   draft-09 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-09):

   *  Split syntax for OPRF, VOPRF, and POPRF functionalities.

   *  Make Blind function fallible for invalid private and public
      inputs.

   *  Specify key generation.

   *  Remove serialization steps from core protocol functions.

   *  Refactor protocol presentation for clarity.

   *  Simplify security considerations.

   *  Update application interface considerations.

   *  Update test vectors.

   draft-08 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-08):

   *  Adopt partially-oblivious PRF construction from [TCRSTW21].

   *  Update P-384 suite to use SHA-384 instead of SHA-512.

   *  Update test vectors.

   *  Apply various editorial changes.

   draft-07 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-07):

   *  Bind blinding mechanism to mode (additive for verifiable mode and
      multiplicative for base mode).

   *  Add explicit errors for deserialization.

   *  Document explicit errors and API considerations.

   *  Adopt SHAKE-256 for decaf448 ciphersuite.

   *  Normalize HashToScalar functionality for all ciphersuites.

   *  Refactor and generalize DLEQ proof functionality and domain
      separation tags for use in other protocols.

   *  Update test vectors.

   *  Apply various editorial changes.

   draft-06 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-06):

   *  Specify of group element and scalar serialization.

   *  Remove info parameter from the protocol API and update domain
      separation guidance.

   *  Fold Unblind function into Finalize.

   *  Optimize ComputeComposites for servers (using knowledge of the
      private key).

   *  Specify deterministic key generation method.

   *  Update test vectors.

   *  Apply various editorial changes.

   draft-05 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-05):

   *  Move to ristretto255 and decaf448 ciphersuites.

   *  Clean up ciphersuite definitions.

   *  Pin domain separation tag construction to draft version.

   *  Move key generation outside of context construction functions.

   *  Editorial changes.

   draft-04 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04):

   *  Introduce Client and Server contexts for controlling verifiability
      and required functionality.

   *  Condense API.

   *  Remove batching from standard functionality (included as an
      extension)

   *  Add Curve25519 and P-256 ciphersuites for applications that
      prevent strong-DH oracle attacks.

   *  Provide explicit prime-order group API and instantiation advice
      for each ciphersuite.

   *  Proof-of-concept implementation in sage.

   *  Remove privacy considerations advice as this depends on
      applications.

   draft-03 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-03):

   *  Certify public key during VerifiableFinalize.

   *  Remove protocol integration advice.

   *  Add text discussing how to perform domain separation.

   *  Drop OPRF_/VOPRF_ prefix from algorithm names.

   *  Make prime-order group assumption explicit.

   *  Changes to algorithms accepting batched inputs.

   *  Changes to construction of batched DLEQ proofs.

   *  Updated ciphersuites to be consistent with hash-to-curve and added
      OPRF specific ciphersuites.

   draft-02 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-02):

   *  Added section discussing cryptographic security and static DH
      oracles.

   *  Updated batched proof algorithms.

   draft-01 (https://tools.ietf.org/html/draft-irtf-cfrg-voprf-01):

   *  Updated ciphersuites to be in line with
      https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04.

   *  Made some necessary modular reductions more explicit.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.3.

1.2.  Notation and Terminology

   The following functions and notation are used throughout the
   document.

   *  For any object x, we write len(x) to denote its length in bytes.

   *  For two byte two-byte arrays x and y, write x || y to denote their
      concatenation.

   *  I2OSP(x, xLen): Converts xLen) converts a non-negative integer x into a byte array
      of specified length xLen xLen, as described in [RFC8017].  Note that
      this function returns a byte array in big-endian byte order.

   *  The notation T U[N] refers to an array called U U, containing N
      items of type T.  The type opaque means one single byte of
      uninterpreted data.  Items of the array are zero-indexed and
      referred to as U[j] U[j], such that 0 <= j < N.

   All algorithms and procedures described in this document are laid out
   in a Python-like pseudocode.  Each function takes a set of inputs and
   parameters and produces a set of output values.  Parameters become
   constant values once the protocol variant and the ciphersuite are
   fixed.

   The PrivateInput data type refers to inputs that are known only to
   the client in the protocol, whereas the PublicInput data type refers
   to inputs that are known to both the client and server in the
   protocol.  Both PrivateInput and PublicInput are opaque byte strings
   of arbitrary length no larger than 2^16 - 1 bytes.  This length
   restriction exists because PublicInput and PrivateInput values are
   length-prefixed with two bytes before use throughout the protocol.

   String values values, such as "DeriveKeyPair", "Seed-", and "Finalize" "Finalize", are
   ASCII string literals.

   The following terms are used throughout this document.

   *

   PRF:  Pseudorandom Function.

   * Function

   OPRF:  Oblivious Pseudorandom Function.

   * Function

   VOPRF:  Verifiable Oblivious Pseudorandom Function.

   * Function

   POPRF:  Partially Oblivious Pseudorandom Function.

   * Function

   Client:  Protocol initiator.  Learns pseudorandom function PRF evaluation as the output of
      the protocol.

   *

   Server:  Computes the pseudorandom function PRF using a private key.  Learns nothing about
      the client's input or output.

2.  Preliminaries

   The protocols in this document have two primary dependencies:

   *

   Group:  A prime-order group implementing the API described below in
      Section 2.1.  See Section 4 for specific instances of groups.

   *

   Hash:  A cryptographic hash function whose output length is Nh bytes.

   Section 4 specifies ciphersuites as combinations of Group and Hash.

2.1.  Prime-Order Group

   In this document, we assume the construction of an additive, prime-
   order group Group group, denoted Group, for performing all mathematical
   operations.  In prime-order groups, any element (other than the
   identity) can generate the other elements of the group.  Usually, one
   element is fixed and defined as the group generator.  Such groups are
   uniquely determined by the choice of the prime p that defines the
   order of the group.  (There may, however, exist  (However, different representations of the group
   for a single p. p may exist.  Section 4 lists specific groups which that
   indicate both the order and representation.)

   The fundamental group operation is addition + with identity element
   I.  For any elements A and B of the group, A + B = B + A is also a
   member of the group.  Also, for any A in the group, there exists an
   element -A -A, such that A + (-A) = (-A) + A = I.  Scalar multiplication
   by r is equivalent to the repeated application of the group operation
   on an element A with itself r-1 times, r - 1 times; this is denoted as r*A r * A = A
   + ... + A.  For any element A, p*A=I. p * A = I.  The case when the scalar
   multiplication is performed on the group generator is denoted as
   ScalarMultGen(r).  Given two elements A and B, the discrete logarithm
   problem is to find an integer k k, such that B = k*A. k * A.  Thus, k is the
   discrete logarithm of B with respect to the base A.  The set of
   scalars corresponds to GF(p), a prime field of order p, and are is
   represented as the set of integers defined by {0, 1, ..., p-1}. p - 1}.
   This document uses types Element and Scalar to denote elements of the
   group and its set of scalars, respectively.

   We now detail a number of member functions that can be invoked on a
   prime-order group.

   *

   Order():  Outputs the order of the group (i.e. (i.e., p).

   *

   Identity():  Outputs the identity element of the group (i.e. (i.e., I).

   *

   Generator():  Outputs the generator element of the group.

   *

   HashToGroup(x):  Deterministically maps an array of bytes x to an
      element of Group.  The map must ensure that, for any adversary
      receiving R = HashToGroup(x), it is computationally difficult to
      reverse the mapping.  This function is optionally parameterized by
      a domain separation tag (DST); see Section 4.  Security properties
      of this function are described in [I-D.irtf-cfrg-hash-to-curve].

   * [RFC9380].

   HashToScalar(x):  Deterministically maps an array of bytes x to an
      element in GF(p).  This function is optionally parameterized by a
      DST; see Section 4.  Security properties of this function are
      described in [I-D.irtf-cfrg-hash-to-curve], [RFC9380], Section 10.5.

   *

   RandomScalar():  Chooses at random a non-zero nonzero element in GF(p).

   *

   ScalarInverse(s):  Returns the inverse of input Scalar s on GF(p).

   *

   SerializeElement(A):  Maps an Element A to a canonical byte array buf
      of fixed length fixed-length Ne.

   *

   DeserializeElement(buf):  Attempts to map a byte array buf to an
      Element A, A and fails if the input is not the valid canonical byte
      representation of an element of the group.  This function can
      raise a DeserializeError if deserialization fails or A is the
      identity element of the group; see Section 4 for group-specific
      input validation steps.

   *

   SerializeScalar(s):  Maps a Scalar s to a canonical byte array buf of fixed length
      fixed-length Ns.

   *

   DeserializeScalar(buf):  Attempts to map a byte array buf to a Scalar
      s.  This function can raise a DeserializeError if deserialization
      fails; see Section 4 for group-specific input validation steps.

   Section 4 contains details for the implementation of this interface
   for different prime-order groups instantiated over elliptic curves.
   In particular, for some choices of elliptic curves, e.g., those
   detailed in [RFC7748], which require accounting for cofactors,
   Section 4 describes required steps necessary to ensure the resulting
   group is of prime order.

2.2.  Discrete Logarithm Equivalence Proofs

   A proof of knowledge allows a prover to convince a verifier that some
   statement is true.  If the prover can generate a proof without
   interaction with the verifier, the proof is noninteractive.  If the
   verifier learns nothing other than whether the statement claimed by
   the prover is true or false, the proof is zero-knowledge.

   This section describes a noninteractive noninteractive, zero-knowledge proof for
   discrete logarithm equivalence (DLEQ), which is used in the
   construction of VOPRF and POPRF.  A DLEQ proof demonstrates that two
   pairs of group elements have the same discrete logarithm without
   revealing the discrete logarithm.

   The DLEQ proof resembles the Chaum-Pedersen [ChaumPedersen] proof,
   which is shown to be zero-knowledge by Jarecki, et al. [JKK14] and is
   noninteractive after applying the Fiat-Shamir transform [FS00].
   Furthermore, Davidson, et al. [DGSTV18] showed a proof system for
   batching DLEQ proofs that has constant-size proofs with respect to
   the number of inputs.  The specific DLEQ proof system presented below
   follows this latter construction with two modifications: (1) the
   transcript used to generate the seed includes more context
   information,
   information and (2) the individual challenges for each element in the
   proof is derived from a seed-prefixed hash-to-scalar invocation invocation,
   rather than being sampled from a seeded PRNG. Pseudorandom Number Generator
   (PRNG).  The description is split into two sub-sections: subsections: one for
   generating the proof, which is done by servers in the verifiable
   protocols, and another for verifying the proof, which is done by
   clients in the protocol.

2.2.1.  Proof Generation

   Generating a proof is done with the GenerateProof function, as
   defined below.  Given elements Element values A and B, two non-empty lists of elements
   Element values C and D of length m, and a scalar k; Scalar k, this function
   produces a proof that
   k*A k * A == B and k*C[i] k * C[i] == D[i] for each i in
   [0, ..., m - 1].  The output is a value of type Proof, which is a
   tuple of two Scalar values.  We use the notation proof[0] and
   proof[1] to denote the first and second elements in this tuple,
   respectively.

   GenerateProof accepts lists of inputs to amortize the cost of proof
   generation.  Applications can take advantage of this functionality to
   produce a single, constant-sized proof for m DLEQ inputs, rather than
   m proofs for m DLEQ inputs.

   Input:

     Scalar k
     Element A
     Element B
     Element C[m]
     Element D[m]

   Output:

     Proof proof

   Parameters:

     Group G

   def GenerateProof(k, A, B, C, D) D):
     (M, Z) = ComputeCompositesFast(k, B, C, D)

     r = G.RandomScalar()
     t2 = r * A
     t3 = r * M

     Bm = G.SerializeElement(B)
     a0 = G.SerializeElement(M)
     a1 = G.SerializeElement(Z)
     a2 = G.SerializeElement(t2)
     a3 = G.SerializeElement(t3)

     challengeTranscript =
       I2OSP(len(Bm), 2) || Bm ||
       I2OSP(len(a0), 2) || a0 ||
       I2OSP(len(a1), 2) || a1 ||
       I2OSP(len(a2), 2) || a2 ||
       I2OSP(len(a3), 2) || a3 ||
       "Challenge"

     c = G.HashToScalar(challengeTranscript)
     s = r - c * k

     return [c, s]

   The helper function ComputeCompositesFast is as defined below, below and is
   an optimization of the ComputeComposites function for servers since
   they have knowledge of the private key.

   Input:

     Scalar k
     Element B
     Element C[m]
     Element D[m]

   Output:

     Element M
     Element Z

   Parameters:

     Group G
     PublicInput contextString

   def ComputeCompositesFast(k, B, C, D):
     Bm = G.SerializeElement(B)
     seedDST = "Seed-" || contextString
     seedTranscript =
       I2OSP(len(Bm), 2) || Bm ||
       I2OSP(len(seedDST), 2) || seedDST
     seed = Hash(seedTranscript)

     M = G.Identity()
     for i in range(m):
       Ci = G.SerializeElement(C[i])
       Di = G.SerializeElement(D[i])
       compositeTranscript =
         I2OSP(len(seed), 2) || seed || I2OSP(i, 2) ||
         I2OSP(len(Ci), 2) || Ci ||
         I2OSP(len(Di), 2) || Di ||
         "Composite"

       di = G.HashToScalar(compositeTranscript)
       M = di * C[i] + M

     Z = k * M

     return (M, Z)

   When used in the protocol described in Section 3, the parameter
   contextString is as defined in Section 3.2.

2.2.2.  Proof Verification

   Verifying a proof is done with the VerifyProof function, as defined
   below.  This function takes elements Element values A and B, two non-empty
   lists of
   elements Element values C and D of length m, and a Proof value output
   from GenerateProof.  It outputs a single boolean value indicating
   whether or not the proof is valid for the given DLEQ inputs.  Note
   this function can verify proofs on lists of inputs whenever the proof
   was generated as a batched DLEQ proof with the same inputs.

   Input:

     Element A
     Element B
     Element C[m]
     Element D[m]
     Proof proof

   Output:

     boolean verified

   Parameters:

     Group G

   def VerifyProof(A, B, C, D, proof):
     (M, Z) = ComputeComposites(B, C, D)
     c = proof[0]
     s = proof[1]

     t2 = ((s * A) + (c * B))
     t3 = ((s * M) + (c * Z))

     Bm = G.SerializeElement(B)
     a0 = G.SerializeElement(M)
     a1 = G.SerializeElement(Z)
     a2 = G.SerializeElement(t2)
     a3 = G.SerializeElement(t3)

     challengeTranscript =
       I2OSP(len(Bm), 2) || Bm ||
       I2OSP(len(a0), 2) || a0 ||
       I2OSP(len(a1), 2) || a1 ||
       I2OSP(len(a2), 2) || a2 ||
       I2OSP(len(a3), 2) || a3 ||
       "Challenge"

     expectedC = G.HashToScalar(challengeTranscript)
     verified = (expectedC == c)

     return verified

   The definition of ComputeComposites is given below.

   Input:

     Element B
     Element C[m]
     Element D[m]

   Output:

     Element M
     Element Z

   Parameters:

     Group G
     PublicInput contextString

   def ComputeComposites(B, C, D):
     Bm = G.SerializeElement(B)
     seedDST = "Seed-" || contextString
     seedTranscript =
       I2OSP(len(Bm), 2) || Bm ||
       I2OSP(len(seedDST), 2) || seedDST
     seed = Hash(seedTranscript)

     M = G.Identity()
     Z = G.Identity()
     for i in range(m):
       Ci = G.SerializeElement(C[i])
       Di = G.SerializeElement(D[i])
       compositeTranscript =
         I2OSP(len(seed), 2) || seed || I2OSP(i, 2) ||
         I2OSP(len(Ci), 2) || Ci ||
         I2OSP(len(Di), 2) || Di ||
         "Composite"

       di = G.HashToScalar(compositeTranscript)
       M = di * C[i] + M
       Z = di * D[i] + Z

     return (M, Z)

   When used in the protocol described in Section 3, the parameter
   contextString is as defined in Section 3.2.

3.  Protocol

   In this section, we define and describe three protocol variants
   referred to as the OPRF, VOPRF, and POPRF modes.  Each of these
   variants involve involves two messages between the client and server server, but
   they differ slightly in terms of the security properties; see
   Section 7.1 for more information.  A high level high-level description of the
   functionality of each mode follows.

   In the OPRF mode, a client and server interact to compute output =
   F(skS, input), where input is the client's private input, skS is the
   server's private key, and output is the OPRF output.  After the
   execution of the protocol, the client learns the output and the
   server learns nothing.  This interaction is shown below.

       Client(input)                                        Server(skS)
     -------------------------------------------------------------------
     blind, blindedElement = Blind(input)

                                blindedElement
                                  ---------->

                   evaluatedElement = BlindEvaluate(skS, blindedElement)

                                evaluatedElement
                                  <----------

     output = Finalize(input, blind, evaluatedElement)

                      Figure 1: OPRF protocol overview Protocol Overview

   In the VOPRF mode, the client additionally receives proof that the
   server used skS in computing the function.  To achieve verifiability,
   as in [JKK14], the server provides a zero-knowledge proof that the
   key provided as input by the server in the BlindEvaluate function is
   the same key as it is used to produce the server's public key, pkS,
   which the client receives as input to the protocol.  This proof does
   not reveal the server's private key to the client.  This interaction
   is shown below.

       Client(input, pkS)       <---- pkS ------        Server(skS, pkS)
     -------------------------------------------------------------------
     blind, blindedElement = Blind(input)

                                blindedElement
                                  ---------->

                 evaluatedElement, proof = BlindEvaluate(skS, pkS,
                                                         blindedElement)

                            evaluatedElement, proof
                                  <----------

     output = Finalize(input, blind, evaluatedElement,
                       blindedElement, pkS, proof)

          Figure 2: VOPRF protocol overview Protocol Overview with additional proof Additional Proof

   The POPRF mode extends the VOPRF mode such that the client and server
   can additionally provide a the public input info that info, which is used in
   computing the pseudorandom function. PRF.  That is, the client and server interact to
   compute output = F(skS, input, info) info), as is shown below.

       Client(input, pkS, info) <---- pkS ------  Server(skS, pkS, info)
     -------------------------------------------------------------------
     blind, blindedElement, tweakedKey = Blind(input, info, pkS)

                                blindedElement
                                  ---------->

            evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
                                                    info)

                            evaluatedElement, proof
                                  <----------

     output = Finalize(input, blind, evaluatedElement,
                       blindedElement, proof, info, tweakedKey)

       Figure 3: POPRF protocol overview Protocol Overview with additional public input Additional Public Input

   Each protocol consists of an offline setup phase and an online phase,
   as described in Section Sections 3.2 and Section 3.3, respectively.  Configuration
   details for the offline phase are described in Section 3.1.

3.1.  Configuration

   Each of the three protocol variants are identified with a one-byte
   value (in hexadecimal):

                            +===========+=======+
                            | Mode      | Value |
                            +===========+=======+
                            | modeOPRF  | 0x00  |
                            +-----------+-------+
                            | modeVOPRF | 0x01  |
                            +-----------+-------+
                            | modePOPRF | 0x02  |
                            +-----------+-------+

                             Table 1: Identifiers
                            for protocol variants. Protocol Variants

   Additionally, each protocol variant is instantiated with a
   ciphersuite,
   ciphersuite or suite.  Each ciphersuite is identified with an ASCII
   string identifier, referred to as identifier; see Section 4 for the
   set of initial ciphersuite values.

   The mode and ciphersuite identifier values are combined to create a
   "context string" used throughout the protocol with the following
   function:

   def CreateContextString(mode, identifier):
     return "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier

3.2.  Key Generation and Context Setup

   In the offline setup phase, the server generates a fresh, random key
   pair (skS, pkS).  There are two ways to generate this key pair.  The
   first of which is using the GenerateKeyPair function described below.

   Input: None

   Output:

     Scalar skS
     Element pkS

   Parameters:

     Group G

   def GenerateKeyPair():
     skS = G.RandomScalar()
     pkS = G.ScalarMultGen(skS)
     return skS, pkS

   The second way to generate the key pair is via the deterministic key
   generation function DeriveKeyPair DeriveKeyPair, as described in Section 3.2.1.
   Applications and implementations can use either method in practice.

   Also during the offline setup phase, both the client and server
   create a context used for executing the online phase of the protocol
   after agreeing on a mode and ciphersuite identifier.  The context,
   such as OPRFServerContext, is an implementation-specific data
   structure that stores a context string and the relevant key material
   for each party.

   The OPRF variant server and client contexts are created as follows:

   def SetupOPRFServer(identifier, skS):
     contextString = CreateContextString(modeOPRF, identifier)
     return OPRFServerContext(contextString, skS)

   def SetupOPRFClient(identifier):
     contextString = CreateContextString(modeOPRF, identifier)
     return OPRFClientContext(contextString)

   The VOPRF variant server and client contexts are created as follows:

   def SetupVOPRFServer(identifier, skS):
     contextString = CreateContextString(modeVOPRF, identifier)
     return VOPRFServerContext(contextString, skS)

   def SetupVOPRFClient(identifier, pkS):
     contextString = CreateContextString(modeVOPRF, identifier)
     return VOPRFClientContext(contextString, pkS)

   The POPRF variant server and client contexts are created as follows:

   def SetupPOPRFServer(identifier, skS):
     contextString = CreateContextString(modePOPRF, identifier)
     return POPRFServerContext(contextString, skS)

   def SetupPOPRFClient(identifier, pkS):
     contextString = CreateContextString(modePOPRF, identifier)
     return POPRFClientContext(contextString, pkS)

3.2.1.  Deterministic Key Generation

   This section describes a deterministic key generation function,
   DeriveKeyPair.  It accepts a seed of Ns 32 bytes generated from a
   cryptographically secure random number generator and an optional
   (possibly empty) info string.  The constant Ns corresponds to the
   size in bytes of a serialized Scalar and is defined in Section 2.1.  Note that that, by design design, knowledge of
   seed and info is necessary to compute this function, which means that
   the secrecy of the output private key (skS) depends on the secrecy of
   seed (since the info string is public).

   Input:

     opaque seed[Ns] seed[32]
     PublicInput info

   Output:

     Scalar skS
     Element pkS

   Parameters:

     Group G
     PublicInput contextString

   Errors: DeriveKeyPairError

   def DeriveKeyPair(seed, info):
     deriveInput = seed || I2OSP(len(info), 2) || info
     counter = 0
     skS = 0
     while skS == 0:
       if counter > 255:
         raise DeriveKeyPairError
       skS = G.HashToScalar(deriveInput || I2OSP(counter, 1),
                             DST = "DeriveKeyPair" || contextString)
       counter = counter + 1
     pkS = G.ScalarMultGen(skS)
     return skS, pkS

3.3.  Online Protocol

   In the online phase, the client and server engage in a two message two-message
   protocol to compute the protocol output.  This section describes the
   protocol details for each protocol variant.  Throughout each
   description
   description, the following parameters are assumed to exist:

   *  G,

   G:  a prime-order Group group implementing the API described in Section 2.1.

   *  contextString, 2.1

   contextString:  a PublicInput domain separation tag constructed
      during context setup setup, as created in Section 3.1.

   * 3.1

   skS and pkS, pkS:  a Scalar and Element representing the private and
      public keys configured for the client and server in Section 3.2. 3.2

   Applications serialize protocol messages between the client and
   server for transmission.  Elements  Element values and scalars Scalar values are
   serialized to byte arrays, and values of type Proof are serialized as
   the concatenation of two serialized scalars. Scalar values.  Deserializing
   these values can fail, fail; in which case case, the application MUST abort the protocol
   protocol, raising a DeserializeError failure.

   Applications MUST check that input Element values received over the
   wire are not the group identity element.  This check is handled after
   deserializing Element values; see Section 4 for more information and
   requirements on input validation for each ciphersuite.

3.3.1.  OPRF Protocol

   The OPRF protocol begins with the client blinding its input, as
   described by the Blind function below.  Note that this function can
   fail with an InvalidInputError error for certain inputs that map to
   the group identity element.  Dealing with this failure is an
   application-specific decision; see Section 5.3.

   Input:

     PrivateInput input

   Output:

     Scalar blind
     Element blindedElement

   Parameters:

     Group G

   Errors: InvalidInputError

   def Blind(input):
     blind = G.RandomScalar()
     inputElement = G.HashToGroup(input)
     if inputElement == G.Identity():
       raise InvalidInputError
     blindedElement = blind * inputElement

     return blind, blindedElement

   Clients store blind locally, locally and send blindedElement to the server for
   evaluation.  Upon receipt, servers process blindedElement using the
   BlindEvaluate function described below.

   Input:

     Scalar skS
     Element blindedElement

   Output:

     Element evaluatedElement

   def BlindEvaluate(skS, blindedElement):
     evaluatedElement = skS * blindedElement
     return evaluatedElement

   Servers send the output evaluatedElement to clients for processing.
   Recall that servers may process multiple client inputs by applying
   the BlindEvaluate function to each blindedElement received, received and
   returning an array with the corresponding evaluatedElement values.

   Upon receipt of evaluatedElement, clients process it to complete the
   OPRF evaluation with the Finalize function described below.

   Input:

     PrivateInput input
     Scalar blind
     Element evaluatedElement

   Output:

     opaque output[Nh]

   Parameters:

     Group G

   def Finalize(input, blind, evaluatedElement):
     N = G.ScalarInverse(blind) * evaluatedElement
     unblindedElement = G.SerializeElement(N)

     hashInput = I2OSP(len(input), 2) || input ||
                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
                 "Finalize"
     return Hash(hashInput)

   An entity which that knows both the private key and the input can compute
   the PRF result using the following Evaluate function.

   Input:

     Scalar skS
     PrivateInput input

   Output:

     opaque output[Nh]

   Parameters:

     Group G

   Errors: InvalidInputError

   def Evaluate(skS, input):
     inputElement = G.HashToGroup(input)
     if inputElement == G.Identity():
       raise InvalidInputError
     evaluatedElement = skS * inputElement
     issuedElement = G.SerializeElement(evaluatedElement)

     hashInput = I2OSP(len(input), 2) || input ||
                 I2OSP(len(issuedElement), 2) || issuedElement ||
                 "Finalize"
     return Hash(hashInput)

3.3.2.  VOPRF Protocol

   The VOPRF protocol begins with the client blinding its input, using
   the same Blind function as in Section 3.3.1.  Clients store the
   output blind locally and send blindedElement to the server for
   evaluation.  Upon receipt, servers process blindedElement to compute
   an evaluated element and a DLEQ proof using the following
   BlindEvaluate function.

   Input:

     Scalar skS
     Element pkS
     Element blindedElement

   Output:

     Element evaluatedElement
     Proof proof

   Parameters:

     Group G

   def BlindEvaluate(skS, pkS, blindedElement):
     evaluatedElement = skS * blindedElement
     blindedElements = [blindedElement]     // list of length 1
     evaluatedElements = [evaluatedElement] // list of length 1
     proof = GenerateProof(skS, G.Generator(), pkS,
                           blindedElements, evaluatedElements)
     return evaluatedElement, proof

   In the description above, inputs to GenerateProof are one-item lists.
   Using larger lists allows servers to batch the evaluation of multiple
   elements while producing a single batched DLEQ proof for them.

   The server sends both evaluatedElement and proof back to the client.
   Upon receipt, the client processes both values to complete the VOPRF
   computation using the Finalize function below.

   Input:

     PrivateInput input
     Scalar blind
     Element evaluatedElement
     Element blindedElement
     Element pkS
     Proof proof

   Output:

     opaque output[Nh]

   Parameters:

     Group G

   Errors: VerifyError

   def Finalize(input, blind, evaluatedElement,
                blindedElement, pkS, proof):
     blindedElements = [blindedElement]     // list of length 1
     evaluatedElements = [evaluatedElement] // list of length 1
     if VerifyProof(G.Generator(), pkS, blindedElements,
                    evaluatedElements, proof) == false:
       raise VerifyError

     N = G.ScalarInverse(blind) * evaluatedElement
     unblindedElement = G.SerializeElement(N)

     hashInput = I2OSP(len(input), 2) || input ||
                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
                 "Finalize"
     return Hash(hashInput)

   As in BlindEvaluate, inputs to VerifyProof are one-item lists.
   Clients can verify multiple inputs at once whenever the server
   produced a batched DLEQ proof for them.

   Finally, an entity which that knows both the private key and the input can
   compute the PRF result using the Evaluate function described in
   Section 3.3.1.

3.3.3.  POPRF Protocol

   The POPRF protocol begins with the client blinding its input, using
   the following modified Blind function.  In this step, the client also
   binds a public info value, which produces an additional tweakedKey to
   be used later in the protocol.  Note that this function can fail with
   an InvalidInputError error for certain private inputs that map to the
   group identity element, as well as certain public inputs that, if not
   detected at this point, will cause server evaluation to fail.
   Dealing with either failure is an application-specific decision; see
   Section 5.3.

   Input:

     PrivateInput input
     PublicInput info
     Element pkS

   Output:

     Scalar blind
     Element blindedElement
     Element tweakedKey

   Parameters:

     Group G

   Errors: InvalidInputError

   def Blind(input, info, pkS):
     framedInfo = "Info" || I2OSP(len(info), 2) || info
     m = G.HashToScalar(framedInfo)
     T = G.ScalarMultGen(m)
     tweakedKey = T + pkS
     if tweakedKey == G.Identity():
       raise InvalidInputError

     blind = G.RandomScalar()
     inputElement = G.HashToGroup(input)
     if inputElement == G.Identity():
       raise InvalidInputError

     blindedElement = blind * inputElement

     return blind, blindedElement, tweakedKey

   Clients store the outputs blind and tweakedKey locally and send
   blindedElement to the server for evaluation.  Upon receipt, servers
   process blindedElement to compute an evaluated element and a DLEQ
   proof using the following BlindEvaluate function.

   Input:

     Scalar skS
     Element blindedElement
     PublicInput info

   Output:

     Element evaluatedElement
     Proof proof

   Parameters:

     Group G

   Errors: InverseError

   def BlindEvaluate(skS, blindedElement, info):
     framedInfo = "Info" || I2OSP(len(info), 2) || info
     m = G.HashToScalar(framedInfo)
     t = skS + m
     if t == 0:
       raise InverseError

     evaluatedElement = G.ScalarInverse(t) * blindedElement

     tweakedKey = G.ScalarMultGen(t)
     evaluatedElements = [evaluatedElement] // list of length 1
     blindedElements = [blindedElement]     // list of length 1
     proof = GenerateProof(t, G.Generator(), tweakedKey,
                           evaluatedElements, blindedElements)

     return evaluatedElement, proof

   In the description above, inputs to GenerateProof are one-item lists.
   Using larger lists allows servers to batch the evaluation of multiple
   elements while producing a single batched DLEQ proof for them.

   BlindEvaluate triggers InverseError when the function is about to
   calculate the inverse of a zero scalar, which does not exist and
   therefore yields a failure in the protocol.  This only occurs for
   info values that map to the private key of the server.  Thus, clients
   that cause this error should be assumed to know the server private
   key.  Hence, this error can be a signal for the server to replace its
   private key.

   The server sends both evaluatedElement and proof back to the client.
   Upon receipt, the client processes both values to complete the POPRF
   computation using the Finalize function below.

   Input:

     PrivateInput input
     Scalar blind
     Element evaluatedElement
     Element blindedElement
     Proof proof
     PublicInput info
     Element tweakedKey

   Output:

     opaque output[Nh]

   Parameters:

     Group G

   Errors: VerifyError

   def Finalize(input, blind, evaluatedElement, blindedElement,
                proof, info, tweakedKey):
     evaluatedElements = [evaluatedElement] // list of length 1
     blindedElements = [blindedElement]     // list of length 1
     if VerifyProof(G.Generator(), tweakedKey, evaluatedElements,
                    blindedElements, proof) == false:
       raise VerifyError

     N = G.ScalarInverse(blind) * evaluatedElement
     unblindedElement = G.SerializeElement(N)

     hashInput = I2OSP(len(input), 2) || input ||
                 I2OSP(len(info), 2) || info ||
                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
                 "Finalize"
     return Hash(hashInput)

   As in BlindEvaluate, inputs to VerifyProof are one-item lists.
   Clients can verify multiple inputs at once whenever the server
   produced a batched DLEQ proof for them.

   Finally, an entity which that knows both the private key and the input can
   compute the PRF result using the Evaluate function described below.

   Input:

     Scalar skS
     PrivateInput input
     PublicInput info

   Output:

     opaque output[Nh]

   Parameters:

     Group G

   Errors: InvalidInputError, InverseError

   def Evaluate(skS, input, info):
     inputElement = G.HashToGroup(input)
     if inputElement == G.Identity():
       raise InvalidInputError

     framedInfo = "Info" || I2OSP(len(info), 2) || info
     m = G.HashToScalar(framedInfo)
     t = skS + m
     if t == 0:
       raise InverseError
     evaluatedElement = G.ScalarInverse(t) * inputElement
     issuedElement = G.SerializeElement(evaluatedElement)

     hashInput = I2OSP(len(input), 2) || input ||
                 I2OSP(len(info), 2) || info ||
                 I2OSP(len(issuedElement), 2) || issuedElement ||
                 "Finalize"
     return Hash(hashInput)

4.  Ciphersuites

   A ciphersuite (also referred to as 'suite' in this document) for the
   protocol wraps the functionality required for the protocol to take
   place.  The ciphersuite should be available to both the client and
   server, and agreement on the specific instantiation is assumed
   throughout.

   A ciphersuite contains instantiations of the following
   functionalities:

   *

   Group:  A prime-order Group group exposing the API detailed in Section 2.1,
      with the generator element defined in the corresponding reference
      for each group.  Each group also specifies HashToGroup,
      HashToScalar, and serialization functionalities.  For HashToGroup,
      the domain separation tag (DST) is constructed in accordance with
      the recommendations in
      [I-D.irtf-cfrg-hash-to-curve], [RFC9380], Section 3.1.  For HashToScalar,
      each group specifies an integer order that is used in reducing
      integer values to a member of the corresponding scalar field.

   *

   Hash:  A cryptographic hash function whose output length is Nh bytes
      long.

   This section includes an initial set of ciphersuites with supported
   groups and hash functions.  It also includes implementation details
   for each ciphersuite, focusing on input validation.  Future documents
   can specify additional ciphersuites as needed needed, provided they meet the
   requirements in Section 4.6.

   For each ciphersuite, contextString is that which is computed in the
   Setup functions.  Applications should take caution in using
   ciphersuites targeting P-256 and ristretto255.  See Section 7.2 for
   related discussion.

4.1.  OPRF(ristretto255, SHA-512)

   This ciphersuite uses ristretto255 [RISTRETTO] [RFC9496] for the Group and
   SHA-512 for the Hash hash function.  The value of the ciphersuite
   identifier is "ristretto255-SHA512".

   *

   Group:  ristretto255 [RISTRETTO]

      - [RFC9496]

      Order():  Return 2^252 + 27742317777372353535851937790883648493
         (see [RISTRETTO])

      - [RFC9496]).

      Identity():  As defined in [RISTRETTO].

      - [RFC9496].

      Generator():  As defined in [RISTRETTO].

      - [RFC9496].

      HashToGroup():  Use hash_to_ristretto255
         [I-D.irtf-cfrg-hash-to-curve] [RFC9380] with DST =
         "HashToGroup-" ||
         contextString, contextString and expand_message =
         expand_message_xmd using SHA-512.

      -

      HashToScalar():  Compute uniform_bytes using expand_message =
         expand_message_xmd, DST = "HashToScalar-" || contextString, and
         an output length 64, of 64 bytes, interpret uniform_bytes as a
         512-bit integer in little-endian order, and reduce the integer
         modulo Group.Order().

      -

      ScalarInverse(s):  Returns the multiplicative inverse of input
         Scalar s mod Group.Order().

      -

      RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
         for implementation guidance.

      -

      SerializeElement(A):  Implemented using the 'Encode' Encode function from
         Section 4.3.2 of [RISTRETTO]; [RFC9496]; Ne = 32.

      -

      DeserializeElement(buf):  Implemented using the 'Decode' Decode function
         from Section 4.3.1 of [RISTRETTO]. [RFC9496].  Additionally, this function
         validates that the resulting element is not the group identity
         element.  If these checks fail, deserialization returns an
         InputValidationError error.

      -

      SerializeScalar(s):  Implemented by outputting the little-endian little-endian,
         32-byte encoding of the Scalar value with the top three bits
         set to zero; Ns = 32.

      -

      DeserializeScalar(buf):  Implemented by attempting to deserialize
         a Scalar from a little-endian little-endian, 32-byte string.  This function
         can fail if the input does not represent a Scalar in the range
         [0, G.Order() - 1].  Note that this means the top three bits of
         the input MUST be zero.

   *

   Hash:  SHA-512; Nh = 64.

4.2.  OPRF(decaf448, SHAKE-256)

   This ciphersuite uses decaf448 [RISTRETTO] [RFC9496] for the Group and SHAKE-256
   for the Hash hash function.  The value of the ciphersuite identifier is
   "decaf448-SHAKE256".

   *

   Group:  decaf448 [RISTRETTO]
      - [RFC9496]

      Order():  Return 2^446 - 138180668098951153520073867485154268803
         36692474882178609894547503885

      - 13818066809895115352007386748515426880336
         692474882178609894547503885.

      Identity():  As defined in [RISTRETTO].

      - [RFC9496].

      Generator():  As defined in [RISTRETTO].

      - [RFC9496].

      RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
         for implementation guidance.

      -

      HashToGroup():  Use hash_to_decaf448
         [I-D.irtf-cfrg-hash-to-curve] [RFC9380] with DST =
         "HashToGroup-" ||
         contextString, contextString and expand_message =
         expand_message_xof using SHAKE-256.

      -

      HashToScalar():  Compute uniform_bytes using expand_message =
         expand_message_xof, DST = "HashToScalar-" || contextString, and
         output length 64, interpret uniform_bytes as a 512-bit integer
         in little-endian order, and reduce the integer modulo
         Group.Order().

      -

      ScalarInverse(s):  Returns the multiplicative inverse of input
         Scalar s mod Group.Order().

      -

      SerializeElement(A):  Implemented using the 'Encode' Encode function from
         Section 5.3.2 of [RISTRETTO]; [RFC9496]; Ne = 56.

      -

      DeserializeElement(buf):  Implemented using the 'Decode' Decode function
         from Section 5.3.1 of [RISTRETTO]. [RFC9496].  Additionally, this function
         validates that the resulting element is not the group identity
         element.  If these checks fail, deserialization returns an
         InputValidationError error.

      -

      SerializeScalar(s):  Implemented by outputting the little-endian little-endian,
         56-byte encoding of the Scalar value; Ns = 56.

      -

      DeserializeScalar(buf):  Implemented by attempting to deserialize
         a Scalar from a little-endian little-endian, 56-byte string.  This function
         can fail if the input does not represent a Scalar in the range
         [0, G.Order() - 1].

   *

   Hash:  SHAKE-256; Nh = 64.

4.3.  OPRF(P-256, SHA-256)

   This ciphersuite uses P-256 [NISTCurves] for the Group and SHA-256
   for the Hash hash function.  The value of the ciphersuite identifier is
   "P256-SHA256".

   *

   Group:  P-256 (secp256r1) [NISTCurves]

      -

      Order():  Return 0xffffffff00000000ffffffffffffffffbce6faada7179
         e84f3b9cac2fc632551.

      - 0xffffffff00000000ffffffffffffffffbce6faada7179e8
         4f3b9cac2fc632551.

      Identity():  As defined in [NISTCurves].

      -

      Generator():  As defined in [NISTCurves].

      -

      RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
         for implementation guidance.

      -

      HashToGroup():  Use hash_to_curve with suite P256_XMD:SHA-
         256_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] [RFC9380] and DST = "HashToGroup-" ||
         contextString.

      -

      HashToScalar():  Use hash_to_field from
         [I-D.irtf-cfrg-hash-to-curve] [RFC9380] using L = 48,
         expand_message_xmd with SHA-256, DST = "HashToScalar-" ||
         contextString, and a prime modulus equal to Group.Order().

      -

      ScalarInverse(s):  Returns the multiplicative inverse of input
         Scalar s mod Group.Order().

      -

      SerializeElement(A):  Implemented using the compressed Elliptic-
         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
         33.

      -

      DeserializeElement(buf):  Implemented by attempting to deserialize
         a 33 byte 33-byte input string to a public key using the compressed
         Octet-String-to-Elliptic-Curve-Point method according to [SEC1], [SEC1]
         and then performs performing partial public-key
         validation validation, as defined
         in section Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
         that the coordinates of the resulting point are in the correct
         range, that the point is on the curve, and that the point is
         not the group identity element.  If these checks fail,
         deserialization returns an InputValidationError error.

      -

      SerializeScalar(s):  Implemented using the Field-Element-to-
         Octet-String Field-Element-to-Octet-
         String conversion according to [SEC1]; Ns = 32.

      -

      DeserializeScalar(buf):  Implemented by attempting to deserialize
         a Scalar from a 32-byte string using Octet-String-
         to-Field-Element Octet-String-to-Field-
         Element from [SEC1].  This function can fail if the input does
         not represent a Scalar in the range [0, G.Order() - 1].

   *

   Hash:  SHA-256; Nh = 32.

4.4.  OPRF(P-384, SHA-384)

   This ciphersuite uses P-384 [NISTCurves] for the Group and SHA-384
   for the Hash hash function.  The value of the ciphersuite identifier is
   "P384-SHA384".

   *

   Group:  P-384 (secp384r1) [NISTCurves]

      -

      Order():  Return 0xfffffffffffffffffffffffffffffffffffffffffffff
         fffc7634d81f4372ddf581a0db248b0a77aecec196accc52973.

      - 0xfffffffffffffffffffffffffffffffffffffffffffffff
         fc7634d81f4372ddf581a0db248b0a77aecec196accc52973.

      Identity():  As defined in [NISTCurves].

      -

      Generator():  As defined in [NISTCurves].

      -

      RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
         for implementation guidance.

      -

      HashToGroup():  Use hash_to_curve with suite P384_XMD:SHA-
         384_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] [RFC9380] and DST = "HashToGroup-" ||
         contextString.

      -

      HashToScalar():  Use hash_to_field from
         [I-D.irtf-cfrg-hash-to-curve] [RFC9380] using L = 72,
         expand_message_xmd with SHA-384, DST = "HashToScalar-" ||
         contextString, and a prime modulus equal to Group.Order().

      -

      ScalarInverse(s):  Returns the multiplicative inverse of input
         Scalar s mod Group.Order().

      -

      SerializeElement(A):  Implemented using the compressed Elliptic-
         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
         49.

      -

      DeserializeElement(buf):  Implemented by attempting to deserialize
         a 49-byte array to a public key using the compressed Octet-String-to-Elliptic-Curve-Point Octet-
         String-to-Elliptic-Curve-Point method according to [SEC1], [SEC1] and
         then performs performing partial public-key
         validation validation, as defined in section
         Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
         that the coordinates of the resulting point are in the correct
         range, that the point is on the curve, and that the point is
         not the point at infinity.  Additionally, this function
         validates that the resulting element is not the group identity
         element.  If these checks fail, deserialization returns an
         InputValidationError error.

      -

      SerializeScalar(s):  Implemented using the Field-Element-to-
         Octet-String Field-Element-to-Octet-
         String conversion according to [SEC1]; Ns = 48.

      -

      DeserializeScalar(buf):  Implemented by attempting to deserialize
         a Scalar from a 48-byte string using Octet-String-
         to-Field-Element Octet-String-to-Field-
         Element from [SEC1].  This function can fail if the input does
         not represent a Scalar in the range [0, G.Order() - 1].

   *

   Hash:  SHA-384; Nh = 48.

4.5.  OPRF(P-521, SHA-512)

   This ciphersuite uses P-521 [NISTCurves] for the Group and SHA-512
   for the Hash hash function.  The value of the ciphersuite identifier is
   "P521-SHA512".

   *

   Group:  P-521 (secp521r1) [NISTCurves]

      -

      Order():  Return 0x01fffffffffffffffffffffffffffffffffffffffffff
         ffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8
         899c47aebb6fb71e91386409.

      - 0x01fffffffffffffffffffffffffffffffffffffffffffff
         ffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b889
         9c47aebb6fb71e91386409.

      Identity():  As defined in [NISTCurves].

      -

      Generator():  As defined in [NISTCurves].

      -

      RandomScalar():  Implemented by returning a uniformly random
         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
         for implementation guidance.

      -

      HashToGroup():  Use hash_to_curve with suite P521_XMD:SHA-
         512_SSWU_RO_ [I-D.irtf-cfrg-hash-to-curve] [RFC9380] and DST = "HashToGroup-" ||
         contextString.

      -

      HashToScalar():  Use hash_to_field from
         [I-D.irtf-cfrg-hash-to-curve] [RFC9380] using L = 98,
         expand_message_xmd with SHA-512, DST = "HashToScalar-" ||
         contextString, and a prime modulus equal to Group.Order().

      -

      ScalarInverse(s):  Returns the multiplicative inverse of input
         Scalar s mod Group.Order().

      -

      SerializeElement(A):  Implemented using the compressed Elliptic-
         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
         67.

      -

      DeserializeElement(buf):  Implemented by attempting to deserialize
         a 49 byte 67-byte input string to a public key using the compressed
         Octet-String-to-Elliptic-Curve-Point method according to [SEC1], [SEC1]
         and then performs performing partial public-key
         validation validation, as defined
         in section Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
         that the coordinates of the resulting point are in the correct
         range, that the point is on the curve, and that the point is
         not the point at infinity.  Additionally, this function
         validates that the resulting element is not the group identity
         element.  If these checks fail, deserialization returns an
         InputValidationError error.

      -

      SerializeScalar(s):  Implemented using the Field-Element-to-
         Octet-String Field-Element-to-Octet-
         String conversion according to [SEC1]; Ns = 66.

      -

      DeserializeScalar(buf):  Implemented by attempting to deserialize
         a Scalar from a 66-byte string using Octet-String-
         to-Field-Element Octet-String-to-Field-
         Element from [SEC1].  This function can fail if the input does
         not represent a Scalar in the range [0, G.Order() - 1].

   *

   Hash:  SHA-512; Nh = 64.

4.6.  Future Ciphersuites

   A critical requirement of implementing the prime-order group using
   elliptic curves is a method to instantiate the function HashToGroup,
   that
   which maps inputs to group elements.  In the elliptic curve setting,
   this deterministically maps inputs (as byte arrays) to uniformly
   chosen points on the curve.

   In the security proof of the construction construction, Hash is modeled as a
   random oracle.  This implies that any instantiation of HashToGroup
   must be pre-image and collision resistant.  In Section 4 4, we give
   instantiations of this functionality based on the functions described
   in [I-D.irtf-cfrg-hash-to-curve]. [RFC9380].  Consequently, any OPRF implementation must adhere to
   the implementation and security considerations discussed in [I-D.irtf-cfrg-hash-to-curve] [RFC9380]
   when instantiating the function.

   The DeserializeElement and DeserializeScalar functions instantiated
   for a particular prime-order group corresponding to a ciphersuite
   MUST adhere to the description in Section 2.1.  Future ciphersuites
   MUST describe how input validation is done for DeserializeElement and
   DeserializeScalar.

   Additionally, future ciphersuites must take care when choosing the
   security level of the group.  See Section 7.2.3 for additional
   details.

4.7.  Random Scalar Generation

   Two popular algorithms for generating a random integer uniformly
   distributed in the range [0, G.Order() -1] - 1] are as follows: described in the
   following subsections.

4.7.1.  Rejection Sampling

   Generate a random byte array with Ns bytes, bytes and attempt to map to a
   Scalar by calling DeserializeScalar in constant time.  If it
   succeeds, return the result.  If it fails, try again with another
   random byte array, array until the procedure succeeds.  Failure to implement
   DeserializeScalar in constant time can leak information about the
   underlying corresponding Scalar.

   As an optimization, if the group order is very close to a power of 2,
   it is acceptable to omit the rejection test completely.  In
   particular, if the group order is p, p and there is an integer b such
   that |p - 2^b| is less than 2^(b/2), then RandomScalar can simply
   return a uniformly random integer of at most b bits.

4.7.2.  Random Number Generation Using Extra Random Bits

   Generate a random byte array with L = ceil(((3 *
   ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an
   integer; reduce the integer modulo G.Order() G.Order(), and return the result.
   See [I-D.irtf-cfrg-hash-to-curve], [RFC9380], Section 5 for the underlying derivation of L.

5.  Application Considerations

   This section describes considerations for applications, including
   external interface recommendations, explicit error treatment, and
   public input representation for the POPRF protocol variant.

5.1.  Input Limits

   Application inputs, expressed as PrivateInput or PublicInput values,
   MUST be smaller than 2^16-1 2^16 - 1 bytes in length.  Applications that
   require longer inputs can use a cryptographic hash function to map
   these longer inputs to a fixed-length input that fits within the
   PublicInput or PrivateInput length bounds.  Note that some
   cryptographic hash functions have input length restrictions
   themselves, but these limits are often large enough to not be a
   concern in practice.  For example, SHA-256 has an input limit of 2^61
   bytes.

5.2.  External Interface Recommendations

   In Section 3.3, the interface of the protocol functions allows that
   some inputs (and outputs) to be group elements Element and scalars. Scalar values.
   However, implementations can instead operate over group elements Element and scalars
   internally, Scalar
   values internally and only expose interfaces that operate with an
   application-specific format of messages.

5.3.  Error Considerations

   Some OPRF variants specified in this document have fallible
   operations.  For example, Finalize and BlindEvaluate can fail if any
   element received from the peer fails input validation.  The explicit
   errors generated throughout this specification, along with the
   conditions that lead to each error, are as follows:

   *

   VerifyError:  Verifiable OPRF proof verification failed;
      Section failed (Sections
      3.3.2 and Section 3.3.3.

   * 3.3.3).

   DeserializeError:  Group Element or Scalar deserialization failure;
      Section failure
      (Sections 2.1 and Section 3.3.

   * 3.3).

   InputValidationError:  Validation of byte array inputs failed;
      Section 4. failed
      (Section 4).

   There are other explicit errors generated in this specification;
   however, they occur with negligible probability in practice.  We note
   them here for completeness.

   *

   InvalidInputError:  OPRF Blind input produces an invalid output
      element; Section
      element (Sections 3.3.1 and Section 3.3.3.

   * 3.3.3).

   InverseError:  A tweaked private key is invalid (has invalid, i.e., has no
      multiplicative inverse); Section inverse (Sections 2.1 and Section 3.3. 3.3).

   In general, the errors in this document are meant as a guide to
   implementors.  They are not an exhaustive list of all the errors an
   implementation might emit.  For example, implementations might run
   out of memory and return a corresponding error.

5.4.  POPRF Public Input

   Functionally, the VOPRF and POPRF variants differ in that the POPRF
   variant admits public input, whereas the VOPRF variant does not.
   Public input allows clients and servers to cryptographically bind
   additional data to the POPRF output.  A POPRF with fixed public input
   is functionally equivalent to a VOPRF.  However, there are
   differences in the underlying security assumptions made about each
   variant; see Section 7.2 for more details.

   This public input is known to both parties at the start of the
   protocol.  It is RECOMMENDED that this public input be constructed
   with some type of higher-level domain separation to avoid cross
   protocol attacks or related issues.  For example, protocols using
   this construction might ensure that the public input uses a unique,
   prefix-free encoding.  See [I-D.irtf-cfrg-hash-to-curve], [RFC9380], Section 10.4 for further
   discussion on constructing domain separation values.

   Implementations of the POPRF may choose to not let applications
   control info in cases where this value is fixed or otherwise not
   useful to the application.  In this case, the resulting protocol is
   functionally equivalent to the VOPRF, which does not admit public
   input.

6.  IANA considerations Considerations

   This document has no IANA actions.

7.  Security Considerations

   This section discusses the security of the protocols defined in this
   specification, along with some suggestions and trade-offs that arise
   from the implementation of the protocol variants in this document.
   Note that the syntax of the POPRF variant is different from that of
   the OPRF and VOPRF variants since it admits an additional public
   input, but the same security considerations apply.

7.1.  Security Properties

   The security properties of an OPRF protocol with functionality y =
   F(k, x) include those of a standard PRF.  Specifically:

   *

   Pseudorandomness:  For a random sampling of k, F is pseudorandom if
      the output y = F(k, x) on any input x is indistinguishable from
      uniformly sampling any element in F's range.

   In other words, consider an adversary that picks inputs x from the
   domain of F and evaluates F on (k, x) (without knowledge of randomly
   sampled k).  Then  Then, the output distribution F(k, x) is
   indistinguishable from the output distribution of a randomly chosen
   function with the same domain and range.

   A consequence of showing that a function is pseudorandom is that it
   is necessarily non-malleable (i.e. nonmalleable (i.e., we cannot compute a new evaluation
   of F from an existing evaluation).  A genuinely random function will
   be non-malleable nonmalleable with high probability, and so a pseudorandom function
   must be non-malleable nonmalleable to maintain indistinguishability.

   *

   Unconditional input secrecy:  The server does not learn anything
      about the client input x, even with unbounded computation.

   In other words, an attacker with infinite computing power cannot
   recover any information about the client's private input x from an
   invocation of the protocol.

   Essentially, input secrecy is the property that, even if the server
   learns the client's private input x at some point in the future, the
   server cannot link any particular PRF evaluation to x.  This property
   is also known as unlinkability [DGSTV18].

   Beyond client input secret, secrecy, in the OPRF protocol, the server learns
   nothing about the output y of the function, nor does the client learn
   anything about the server's private key k.

   For the VOPRF and POPRF protocol variants, there is an additional
   security property:

   *

   Verifiable:  The client must only complete execution of the protocol
      if it can successfully assert that the output it computes is
      correct.  This is taken with respect to the private key held by
      the server.

   Any VOPRF or POPRF that satisfies the 'verifiable' security property
   is known as 'verifiable'.  In practice, the notion of verifiability
   requires that the server commits to the key before the actual
   protocol execution takes place.  Then  Then, the client verifies that the
   server has used the key in the protocol using this commitment.  In
   the following, we may also refer to this commitment as a public key.

   Finally, the POPRF variant also has the following security property:

   *

   Partial obliviousness:  The client and server must be able to perform
      the PRF on the client's private input and public input.  Both the client
      and server know the public input, but similar to the OPRF and
      VOPRF protocols, the server learns nothing about the client's
      private input or the output of the function, and the client learns
      nothing about the server's private key.

   This property becomes useful when dealing with key management
   operations
   operations, such as the rotation of the server's keys.  Note that
   partial obliviousness only applies to the POPRF variant because
   neither the OPRF nor VOPRF variants accept public input to the
   protocol.

   Since the POPRF variant has a different syntax than the OPRF and
   VOPRF variants, i.e., y = F(k, x, info), the pseudorandomness
   property is generalized:

   *

   Pseudorandomness:  For a random sampling of k, F is pseudorandom if
      the output y = F(k, x, info) on any input pairs (x, info) is
      indistinguishable from uniformly sampling any element in F's
      range.

7.2.  Security Assumptions

   Below, we discuss the cryptographic security of each protocol variant
   from Section 3, relative to the necessary cryptographic assumptions
   that need to be made.

7.2.1.  OPRF and VOPRF Assumptions

   The OPRF and VOPRF protocol variants in this document are based on
   [JKK14].  In particular, the VOPRF construction is similar to the
   [JKK14] construction with the following distinguishing properties:

   1.  This document does not use session identifiers to differentiate
       different instances of the protocol; and protocol.

   2.  This document supports batching so that multiple evaluations can
       happen at once whilst only constructing one DLEQ proof object.
       This is enabled using an established batching technique
       [DGSTV18].

   The pseudorandomness and input secrecy (and verifiability) of the
   OPRF (and VOPRF) protocols in [JKK14] are based on the One-More Gap
   Computational Diffie Hellman Diffie-Hellman assumption that is computationally
   difficult to solve in the corresponding prime-order group.  In
   [JKK14], these properties are proven for one instance (i.e., one key)
   of the VOPRF protocol, protocol and without batching.  There is currently no
   security analysis available for the VOPRF protocol described in this
   document in a setting with multiple server keys or batching.

7.2.2.  POPRF Assumptions

   The POPRF construction in this document is based on the construction
   known as 3HashSDHI 3HashSDHI, given by [TCRSTW21].  The construction is
   identical to 3HashSDHI, except that this design can optionally
   perform multiple POPRF evaluations in one batch, whilst only
   constructing one DLEQ proof object.  This is enabled using an
   established batching technique [DGSTV18].

   Pseudorandomness, input secrecy, verifiability, and partial
   obliviousness of the POPRF variant is based on the assumption that
   the One-More Gap Strong Diffie-Hellman Inversion (SDHI) assumption
   from [TCRSTW21] is computationally difficult to solve in the
   corresponding prime-order group.  Tyagi et al. [TCRSTW21] show that
   both the One-More Gap Computational Diffie Hellman Diffie-Hellman assumption and the
   One-More Gap SDHI assumption reduce to the q-DL (Discrete Log)
   assumption in the algebraic group model, model for some q number of
   BlindEvaluate queries.  (The One-More Gap Computational Diffie Diffie-
   Hellman assumption was the hardness assumption used to evaluate the
   OPRF and VOPRF designs based on [JKK14], which is a predecessor to
   the POPRF variant in Section 3.3.3.)

7.2.3.  Static Diffie Hellman Diffie-Hellman Attack and Security Limits

   A side-effect side effect of the OPRF protocol variants in this document is that
   they allow instantiation of an oracle for constructing static DH Diffie-
   Hellman (DH) samples; see [BG04] and [Cheon06].  These attacks are
   meant to recover (bits of) the server private key.  Best-known
   attacks reduce the security of the prime-order group instantiation by log_2(Q)/2
   log_2(Q) / 2 bits, where Q is the number of BlindEvaluate calls made
   by the attacker.

   As a result of this class of attacks, choosing prime-order groups
   with a 128-bit security level instantiates an OPRF with a reduced
   security level of 128-(log_2(Q)/2) 128 - (log_2(Q) / 2) bits of security.  Moreover,
   such attacks are only possible for those certain applications where
   the adversary can query the OPRF directly.  Applications can mitigate
   against this problem in a variety of ways, e.g., by rate-limiting
   client queries to BlindEvaluate or by rotating private keys.  In
   applications where such an oracle is not made available available, this
   security loss does not apply.

   In most cases, it would require an informed and persistent attacker
   to launch a highly expensive attack to reduce security to anything
   much below 100 bits of security.  Applications that admit the
   aforementioned oracle functionality, functionality and that cannot tolerate discrete
   logarithm security of lower than 128 bits, bits are RECOMMENDED to choose
   groups that target a higher security level, such as decaf448 (used by
   ciphersuite decaf448-SHAKE256), P-384 (used by ciphersuite
   P384-SHA384), or P-521 (used by ciphersuite P521-SHA512).

7.3.  Domain Separation

   Applications SHOULD construct input to the protocol to provide domain
   separation.  Any system which that has multiple OPRF applications should
   distinguish client inputs to ensure the OPRF results are separate.
   Guidance for constructing info can be found in
   [I-D.irtf-cfrg-hash-to-curve], [RFC9380],
   Section 3.1.

7.4.  Timing Leaks

   To ensure no information is leaked during protocol execution, all
   operations that use secret data MUST run in constant time.  This
   includes all prime-order group operations and proof-specific
   operations that operate on secret data, including GenerateProof and
   BlindEvaluate.

8.  Acknowledgements

   This document resulted from the work of the Privacy Pass team
   [PrivacyPass].  The authors would also like to acknowledge helpful
   conversations with Hugo Krawczyk.  Eli-Shaoul Khedouri provided
   additional review and comments on key consistency.  Daniel Bourdrez,
   Tatiana Bradley, Sofia Celi, Frank Denis, Julia Hesse, Russ Housley,
   Kevin Lewi, Christopher Patton, and Bas Westerbaan also provided
   helpful input and contributions to the document.

9.  References

9.1.

8.1.  Normative References
   [I-D.irtf-cfrg-hash-to-curve]
              Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S.,
              and C. A. Wood, "Hashing to Elliptic Curves", Work in
              Progress, Internet-Draft, draft-irtf-cfrg-hash-to-curve-
              16, 15 June 2022, <https://datatracker.ietf.org/doc/html/
              draft-irtf-cfrg-hash-to-curve-16>.

   [KEYAGREEMENT]
              Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
              Davis, "Recommendation for pair-wise key-establishment
              schemes using discrete logarithm cryptography", National
              Institute of Standards and Technology report, NIST
              SP 800-56A (Rev. 3), DOI 10.6028/nist.sp.800-56ar3, April
              2018, <https://doi.org/10.6028/nist.sp.800-56ar3>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/rfc/rfc8017>.
              <https://www.rfc-editor.org/info/rfc8017>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RISTRETTO] <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9380]  Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S.,
              and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380,
              DOI 10.17487/RFC9380, August 2023,
              <https://www.rfc-editor.org/info/rfc9380>.

   [RFC9496]  de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I.,
              Tankersley, G., and F. Valsorda, "The ristretto255 and
              decaf448 Groups", Work in Progress, Internet-Draft, draft-
              irtf-cfrg-ristretto255-decaf448-06, 13 February RFC 9496, DOI 10.17487/RFC9496, December
              2023,
              <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
              ristretto255-decaf448-06>.

9.2. <https://www.rfc-editor.org/info/rfc9496>.

8.2.  Informative References

   [BG04]     Brown, D. and R. Gallant, "The Static Diffie-Hellman
              Problem", November 2004,
              <https://eprint.iacr.org/2004/306>.

   [ChaumPedersen]
              Chaum, D. and T. Pedersen, "Wallet Databases with
              Observers", Advances in Cryptology - CRYPTO' 92 92, pp.
              89-105, DOI 10.1007/3-540-48071-4_7, August 2007, 1992,
              <https://doi.org/10.1007/3-540-48071-4_7>.

   [Cheon06]  Cheon, J., "Security Analysis of the Strong Diffie-Hellman
              Problem", Advances in Cryptology - EUROCRYPT 2006 2006, pp.
              1-11, DOI 10.1007/11761679_1, 2006,
              <https://doi.org/10.1007/11761679_1>.

   [DGSTV18]  Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G.,
              and F. Valsorda, "Privacy Pass: Bypassing Internet
              Challenges Anonymously", Proceedings on Privacy Enhancing
              Technologies
              Technologies, vol. 2018, no. 3, pp. 164-180, DOI
              10.1515/popets-2018-0026, April 2018,
              <https://doi.org/10.1515/popets-2018-0026>.

   [FS00]     Fiat, A. and A. Shamir, "How To Prove Yourself: Practical
              Solutions to Identification and Signature Problems",
              Advances in Cryptology - CRYPTO' 86 86, pp. 186-194,
              DOI 10.1007/3-540-47721-7_12, April 2007, 1986,
              <https://doi.org/10.1007/3-540-47721-7_12>.

   [JKK14]    Jarecki, S., Kiayias, A., and H. Krawczyk, "Round-Optimal
              Password-Protected Secret Sharing and T-PAKE in the
              Password-Only Model", Lecture Notes in Computer
              Science Science,
              pp. 233-253, DOI 10.1007/978-3-662-45608-8_13, 2014,
              <https://doi.org/10.1007/978-3-662-45608-8_13>.

   [JKKX16]   Jarecki, S., Kiayias, A., Krawczyk, H., and J. Xu,
              "Highly-Efficient and Composable Password-Protected Secret
              Sharing (Or: How to Protect Your Bitcoin Wallet Online)",
              2016 IEEE European Symposium on Security and Privacy
              (EuroS&P), DOI 10.1109/eurosp.2016.30, March 2016,
              <https://doi.org/10.1109/eurosp.2016.30>.

   [NISTCurves]
              "Digital Signature Standard (DSS)",
              National Institute of Standards and Technology report, (NIST),
              "Digital Signature Standard (DSS)", FIPS PUB 186-5,
              DOI 10.6028/nist.fips.186-4, July 2013,
              <https://doi.org/10.6028/nist.fips.186-4>. 10.6028/NIST.FIPS.186-5, February 2023,
              <https://doi.org/10.6028/NIST.FIPS.186-5>.

   [OPAQUE]   Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
              OPAQUE Asymmetric PAKE Protocol", Work in Progress,
              Internet-Draft, draft-irtf-cfrg-opaque-09, 6 July 2022,
              <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
              opaque-09>.

   [PrivacyPass]
              "Privacy Pass", <https://github.com/privacypass/team>.

   [PRIVACYPASS] draft-irtf-cfrg-opaque-13, 18 December
              2023, <https://datatracker.ietf.org/doc/html/draft-irtf-
              cfrg-opaque-13>.

   [PRIVACY-PASS]
              Celi, S., Davidson, A., Faz-Hernandez, A., Valdez, S., and C. A. Wood,
              "Privacy Pass Issuance Protocol", Work in Progress, Internet-Draft, draft-ietf-privacypass-protocol-
              08, 30 January
              October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-
              privacypass-protocol-08>. <https://datatracker.ietf.org/doc/html/
              draft-ietf-privacypass-protocol-16>.

   [PrivacyPass]
              "Privacy Pass", commit 085380a, March 2018,
              <https://github.com/privacypass/team>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/rfc/rfc7748>. <https://www.rfc-editor.org/info/rfc7748>.

   [SEC1]     Standards for Efficient Cryptography Group (SECG), "SEC 1:
              Elliptic Curve Cryptography", May 2009,
              <https://www.secg.org/sec1-v2.pdf>.

   [SJKS17]   Shirvanian, M., Jarecki, S., Krawczyk, H., and N. Saxena,
              "SPHINX: A Password Store that Perfectly Hides Passwords
              from Itself", In 2017 IEEE 37th International Conference on
              Distributed Computing Systems (ICDCS),
              DOI 10.1109/ICDCS.2017.64, June 2017,
              <https://doi.org/10.1109/ICDCS.2017.64>.

   [TCRSTW21] Tyagi, N., Celi, S., Ristenpart, T., Sullivan, N.,
              Tessaro, S., and C. A. Wood, "A Fast and Simple Partially
              Oblivious PRF, with Applications", Advances in Cryptology
              - EUROCRYPT 2022 pp. 674-705,
              DOI 10.1007/978-3-031-07085-3_23, May 2022,
              <https://doi.org/10.1007/978-3-031-07085-3_23>.

Appendix A.  Test Vectors

   This section includes test vectors for the protocol variants
   specified in this document.  For each ciphersuite specified in
   Section 4, there is a set of test vectors for the protocol when run
   running the OPRF, VOPRF, and POPRF modes.  Each test vector lists the
   batch size for the evaluation.  Each test vector value is encoded as
   a hexadecimal byte string.  The fields of each test vector are
   described below.

   *

   "Input":  The private client input, an opaque byte string.

   *

   "Info":  The public info, an opaque byte string.  Only present for
      POPRF test vectors.

   *

   "Blind":  The blind value output by Blind(), a serialized Scalar of
      Ns bytes long.

   *

   "BlindedElement":  The blinded value output by Blind(), a serialized
      Element of Ne bytes long.

   *

   "EvaluatedElement":  The evaluated element output by BlindEvaluate(),
      a serialized Element of Ne bytes long.

   *

   "Proof":  The serialized Proof output from GenerateProof() composed
      of two serialized Scalar values values, each of Ns bytes long.  Only present
      for VOPRF and POPRF test vectors.

   *

   "ProofRandomScalar":  The random scalar Scalar r computed in
      GenerateProof(), a serialized Scalar of Ns bytes long.  Only
      present for VOPRF and POPRF test vectors.

   *

   "Output":  The protocol output, an opaque byte string of length Nh
      bytes. bytes
      long.

   Test vectors with batch size B > 1 have inputs separated by a comma
   ",".  Applicable test vectors will have B different values for the
   "Input", "Blind", "BlindedElement", "EvaluationElement", and "Output"
   fields.

   The server key material, pkSm and skSm, are listed under the mode for
   each ciphersuite.  Both pkSm and skSm are the serialized values of
   pkS and skS, respectively, as used in the protocol.  Each key pair is
   derived from a seed Seed seed, denoted Seed, and info string string, denoted KeyInfo,
   which are listed as well, using the DeriveKeyPair function from
   Section 3.2.

A.1.  ristretto255-SHA512

A.1.1.  OPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 5ebcea5ee37023ccb9fc2d2019f9d7737be85591ae8652ffa9ef0f4d37063
   b0e

A.1.1.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = 609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa
   2dc99e412803c
   EvaluationElement = 7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2
   d8cc917ea0869c7e
   Output = 527759c3d9366f277d8c6020418d96bb393ba2afb20ff90df23fb770826
   4e2f3ab9135e3bd69955851de4b1f9fe8a0973396719b7912ba9ee8aa7d0b5e24bcf
   6

A.1.1.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = da27ef466870f5f15296299850aa088629945a17d1f5b7f5ff0
   43f76b3c06418
   EvaluationElement = b4cbf5a4f1eeda5a63ce7b77c7d23f461db3fcab0dd28e4e
   17cecb5c90d02c25
   Output = f4a74c9c592497375e796aa837e907b1a045d34306a749db9f34221f7e7
   50cb4f2a6413a6bf6fa5e19ba6348eb673934a722a7ede2e7621306d18951e7cf2c7
   3

A.1.2.  VOPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = e6f73f344b79b379f1a0dd37e07ff62e38d9f71345ce62ae3a9bc60b04ccd
   909
   pkSm = c803e2cc6b05fc15064549b5920659ca4a77b2cca6f04f6b357009335476a
   d4e

A.1.2.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
   642ddc439b945
   EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
   9c7669a9a014267e
   Proof = ddef93772692e535d1a53903db24367355cc2cc78de93b3be5a8ffcc6985
   dd066d4346421d17bf5117a2a1ff0fcb2a759f58a539dfbe857a40bce4cf49ec600d
   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
   81aa6f61d645fc0e
   Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
   a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
   c

A.1.2.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = cc0b2a350101881d8a4cba4c80241d74fb7dcbfde4a61fde2f9
   1443c2bf9ef0c
   EvaluationElement = 60a59a57208d48aca71e9e850d22674b611f752bed48b36f
   7a91b372bd7ad468
   Proof = 401a0da6264f8cf45bb2f5264bc31e109155600babb3cd4e5af7d181a2c9
   dc0a67154fabf031fd936051dec80b0b6ae29c9503493dde7393b722eafdf5a50b02
   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
   81aa6f61d645fc0e
   Output = 8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a
   6df60356f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b
   6

A.1.2.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
   e
   BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
   642ddc439b945,90a0145ea9da29254c3a56be4fe185465ebb3bf2a1801f7124bbba
   dac751e654
   EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
   9c7669a9a014267e,cc5ac221950a49ceaa73c8db41b82c20372a4c8d63e5dded2db
   920b7eee36a2a
   Proof = cc203910175d786927eeb44ea847328047892ddf8590e723c37205cb7460
   0b0a5ab5337c8eb4ceae0494c2cf89529dcf94572ed267473d567aeed6ab873dee08
   ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
   cf037f9ea84bbe0c
   Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
   a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
   c,8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a6df6035
   6f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b6

A.1.3.  POPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 145c79c108538421ac164ecbe131942136d5570b16d8bf41a24d4337da981
   e07
   pkSm = c647bef38497bc6ec077c22af65b696efa43bff3b4a1975a3e8e0a1c5a79d
   631

A.1.3.1.  Test Vector 1, Batch Size 1

   Input = 00
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
   dd8f3d461f715
   EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
   5693e2078450d874
   Proof = 41ad1a291aa02c80b0915fbfbb0c0afa15a57e2970067a602ddb9e8fd6b7
   100de32e1ecff943a36f0b10e3dae6bd266cdeb8adf825d86ef27dbc6c0e30c52206
   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
   81aa6f61d645fc0e
   Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
   2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
   1

A.1.3.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706
   BlindedElement = f0f0b209dd4d5f1844dac679acc7761b91a2e704879656cb7c2
   01e82a99ab07d
   EvaluationElement = 8c3c9d064c334c6991e99f286ea2301d1bde170b54003fb9
   c44c6d7bd6fc1540
   Proof = 4c39992d55ffba38232cdac88fe583af8a85441fefd7d1d4a8d0394cd1de
   77018bf135c174f20281b3341ab1f453fe72b0293a7398703384bed822bfdeec8908
   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
   81aa6f61d645fc0e
   Output = 7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b
   56a52de2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae50
   7

A.1.3.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
   6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
   e
   BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
   dd8f3d461f715,423a01c072e06eb1cce96d23acce06e1ea64a609d7ec9e9023f304
   9f2d64e50c
   EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
   5693e2078450d874,aa1f16e903841036e38075da8a46655c94fc92341887eb5819f
   46312adfc0504
   Proof = 43fdb53be399cbd3561186ae480320caa2b9f36cca0e5b160c4a677b8bbf
   4301b28f12c36aa8e11e5a7ef551da0781e863a6dc8c0b2bf5a149c9e00621f02006
   ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
   cf037f9ea84bbe0c
   Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
   2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
   1,7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b56a52de
   2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae507

A.2.  decaf448-SHAKE256

A.2.1.  OPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29e
   cc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e

A.2.1.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = e0ae01c4095f08e03b19baf47ffdc19cb7d98e583160522a3c7
   d6a0b2111cd93a126a46b7b41b730cd7fc943d4e28e590ed33ae475885f6c
   EvaluationElement = 50ce4e60eed006e22e7027454b5a4b8319eb2bc8ced609eb
   19eb3ad42fb19e06ba12d382cbe7ae342a0cad6ead0ef8f91f00bb7f0cd9c0a2
   Output = 37d3f7922d9388a15b561de5829bbf654c4089ede89c0ce0f3f85bcdba0
   9e382ce0ab3507e021f9e79706a1798ffeac68ebd5cf62e5eb9838c7068351d97ae3
   7

A.2.1.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = 86a88dc5c6331ecfcb1d9aacb50a68213803c462e377577cacc
   00af28e15f0ddbc2e3d716f2f39ef95f3ec1314a2c64d940a9f295d8f13bb
   EvaluationElement = 162e9fa6e9d527c3cd734a31bf122a34dbd5bcb7bb23651f
   1768a7a9274cc116c03b58afa6f0dede3994a60066c76370e7328e7062fd5819
   Output = a2a652290055cb0f6f8637a249ee45e32ef4667db0b4c80c0a70d2a6416
   4d01525cfdad5d870a694ec77972b9b6ec5d2596a5223e5336913f945101f0137f55
   e

A.2.2.  VOPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104f
   cc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e
   pkSm = 945fc518c47695cf65217ace04b86ac5e4cbe26ca649d52854bb16c494ce0
   9069d6add96b20d4b0ae311a87c9a73e3a146b525763ab2f955

A.2.2.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
   1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb
   EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
   c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467
   Proof = f84bbeee47aedf43558dae4b95b3853635a9fc1a9ea7eac9b454c64c66c4
   f49cd1c72711c7ac2e06c681e16ea693d5500bbd7b56455df52f69e00b76b4126961
   e1562fdbaaac40b7701065cbeece3febbfe09e00160f81775d36daed99d8a2a10be0
   759e01b7ee81217203416c9db208
   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
   Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
   5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
   1

A.2.2.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = 88287e553939090b888ddc15913e1807dc4757215555e1c3a79
   488ef311594729c7fa74c772a732b78440b7d66d0aa35f3bb316f1d93e1b2
   EvaluationElement = c00978c73e8e4ee1d447ab0d3ad1754055e72cc85c08e3a0
   db170909a9c61cbff1f1e7015f289e3038b0f341faea5d7780c130106065c231
   Proof = 7a2831a6b237e11ac1657d440df93bc5ce00f552e6020a99d5c956ffc4d0
   7b5ade3e82ecdc257fd53d76239e733e0a1313e84ce16cc0d82734806092a693d7e8
   d3c420c2cb6ccd5d0ca32514fb78e9ad0973ebdcb52eba438fc73948d76339ee7101
   21d83e2fe6f001cfdf551aff9f36
   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
   Output = 862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380
   c959baa8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c94
   1

A.2.2.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
   48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
   a070e5f953d80bb464ea369e5522b
   BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
   1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb,2e15f3
   93c035492a1573627a3606e528c6294c767c8d43b8c691ef70a52cc7dc7d1b53fe45
   8350a270abb7c231b87ba58266f89164f714d9
   EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
   c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467,8ec
   68e9871b296e81c55647ce64a04fe75d19932f1400544cd601468c60f998408bbb54
   6601d4a636e8be279e558d70b95c8d4a4f61892be
   Proof = 167d922f0a6ffa845eed07f8aa97b6ac746d902ecbeb18f49c009adc0521
   eab1e4d275b74a2dc266b7a194c854e85e7eb54a9a36376dfc04ec7f3bd55fc9618c
   3970cb548e064f8a2f06183a5702933dbc3e4c25a73438f2108ee1981c306181003c
   7ea92fce963ec7b4ba4f270e6d38
   ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
   6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
   Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
   5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
   1,862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380c959baa
   8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c941

A.2.3.  POPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22d
   e402990eb143fd7c67ac66be75e0609705ecea800992aac8e19
   pkSm = 6c9d12723a5bbcf305522cc04b4a34d9ced2e12831826018ea7b5dcf54526
   47ad262113059bf0f6e4354319951b9d513c74f29cb0eec38c1

A.2.3.1.  Test Vector 1, Batch Size 1

   Input = 00
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
   9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42
   EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
   02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c
   Proof = 66caee75bf2460429f620f6ad3e811d524cb8ddd848a435fc5d89af48877
   abf6506ee341a0b6f67c2d76cd021e5f3d1c9abe5aa9f0dce016da746135fedba2af
   41ed1d01659bfd6180d96bc1b7f320c0cb6926011ce392ecca748662564892bae665
   16acaac6ca39aadf6fcca95af406
   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
   Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
   971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
   d

A.2.3.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
   BlindedElement = 12082b6a381c6c51e85d00f2a3d828cdeab3f5cb19a10b9c014
   c33826764ab7e7cfb8b4ff6f411bddb2d64e62a472af1cd816e5b712790c6
   EvaluationElement = f2919b7eedc05ab807c221fce2b12c4ae9e19e6909c47845
   64b690d1972d2994ca623f273afc67444d84ea40cbc58fcdab7945f321a52848
   Proof = a295677c54d1bc4286330907fc2490a7de163da26f9ce03a462a452fea42
   2b19ade296ba031359b3b6841e48455d20519ad01b4ac4f0b92e76d3cf16fbef0a3f
   72791a8401ef2d7081d361e502e96b2c60608b9fa566f43d4611c2f161d83aabef7f
   8017332b26ed1daaf80440772022
   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
   Output = 8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf63
   3126de0c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8
   d

A.2.3.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
   3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
   48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
   a070e5f953d80bb464ea369e5522b
   BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
   9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42,fc8847
   d43fb4cea4e408f585661a8f2867533fa91d22155d3127a22f18d3b007add480f7d3
   00bca93fa47fe87ae06a57b7d0f0d4c30b12f0
   EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
   02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c,2e7
   4c626d07de49b1c8c21d87120fd78105f485e36816af9bde3e3efbeef76815326062
   fd333925b66c5ce5a20f100bf01770c16609f990a
   Proof = fd94db736f97ea4efe9d0d4ad2933072697a6bbeb32834057b23edf7c700
   9f011dfa72157f05d2a507c2bbf0b54cad99ab99de05921c021fda7d70e65bcecdb0
   5f9a30154127ace983c74d10fd910b554c5e95f6bd1565fd1f3dbbe3c523ece5c72d
   57a559b7be1368c4786db4a3c910
   ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
   6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
   Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
   971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
   d,8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf633126de0
   c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8d

A.3.  P256-SHA256

A.3.1.  OPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 159749d750713afe245d2d39ccfaae8381c53ce92d098a9375ee70739c7ac
   0bf

A.3.1.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 03723a1e5c09b8b9c18d1dcbca29e8007e95f14f4732d9346d4
   90ffc195110368d
   EvaluationElement = 030de02ffec47a1fd53efcdd1c6faf5bdc270912b8749e78
   3c7ca75bb412958832
   Output = a0b34de5fa4c5b6da07e72af73cc507cceeb48981b97b7285fc375345fe
   495dd

A.3.1.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 03cc1df781f1c2240a64d1c297b3f3d16262ef5d4cf10273488
   2675c26231b0838
   EvaluationElement = 03a0395fe3828f2476ffcd1f4fe540e5a8489322d398be3c
   4e5a869db7fcb7c52c
   Output = c748ca6dd327f0ce85f4ae3a8cd6d4d5390bbb804c9e12dcf94f853fece
   3dcce

A.3.2.  VOPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = ca5d94c8807817669a51b196c34c1b7f8442fde4334a7121ae4736364312f
   ca6
   pkSm = 03e17e70604bcabe198882c0a1f27a92441e774224ed9c702e51dd17038b1
   02462

A.3.2.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
   4013648c01277da
   EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
   2e9ba29b90ae83e4a2
   Proof = e7c2b3c5c954c035949f1f74e6bce2ed539a3be267d1481e9ddb178533df
   4c2664f69d065c604a4fd953e100b856ad83804eb3845189babfa5a702090d6fc5fa
   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
   645a1

A.3.2.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 03cd0f033e791c4d79dfa9c6ed750f2ac009ec46cd4195ca6fd
   3800d1e9b887dbd
   EvaluationElement = 030d2985865c693bf7af47ba4d3a3813176576383d19aff0
   03ef7b0784a0d83cf1
   Proof = 2787d729c57e3d9512d3aa9e8708ad226bc48e0f1750b0767aaff73482c4
   4b8d2873d74ec88aebd3504961acea16790a05c542d9fbff4fe269a77510db00abab
   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c
   24f18

A.3.2.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
   1
   BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
   4013648c01277da,03462e9ae64cae5b83ba98a6b360d942266389ac369b923eb3d5
   57213b1922f8ab
   EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
   2e9ba29b90ae83e4a2,02bb24f4d838414aef052a8f044a6771230ca69c0a5677540
   fff738dd31bb69771
   Proof = bdcc351707d02a72ce49511c7db990566d29d6153ad6f8982fad2b435d6c
   e4d60da1e6b3fa740811bde34dd4fe0aa1b5fe6600d0440c9ddee95ea7fad7a60cf2
   ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
   51943c8026877963
   Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
   645a1,771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c24f
   18

A.3.3.  POPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 6ad2173efa689ef2c27772566ad7ff6e2d59b3b196f00219451fb2c89ee4d
   ae2
   pkSm = 030d7ff077fddeec965db14b794f0cc1ba9019b04a2f4fcc1fa525dedf72e
   2a3e3

A.3.3.1.  Test Vector 1, Batch Size 1

   Input = 00
   Info = 7465737420696e666f
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
   db0b2bd9dd4e2c0
   EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
   67e125db024a2c74d2
   Proof = f8a33690b87736c854eadfcaab58a59b8d9c03b569110b6f31f8bf7577f3
   fbb85a8a0c38468ccde1ba942be501654adb106167c8eb178703ccb42bccffb9231a
   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
   5c592

A.3.3.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 021a440ace8ca667f261c10ac7686adc66a12be31e3520fca31
   7643a1eee9dcd4d
   EvaluationElement = 0208ca109cbae44f4774fc0bdd2783efdcb868cb4523d521
   96f700210e777c5de3
   Proof = 043a8fb7fc7fd31e35770cabda4753c5bf0ecc1e88c68d7d35a62bf2631e
   875af4613641be2d1875c31d1319d191c4bbc0d04875f4fd03c31d3d17dd8e069b69
   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5f
   fce8c

A.3.3.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
   1
   BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
   db0b2bd9dd4e2c0,03ca4ff41c12fadd7a0bc92cf856732b21df652e01a3abdf0fa8
   847da053db213c
   EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
   67e125db024a2c74d2,02f0b6bcd467343a8d8555a99dc2eed0215c71898c5edb77a
   3d97ddd0dbad478e8
   Proof = 8fbd85a32c13aba79db4b42e762c00687d6dbf9c8cb97b2a225645ccb00d
   9d7580b383c885cdfd07df448d55e06f50f6173405eee5506c0ed0851ff718d13e68
   ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
   51943c8026877963
   Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
   5c592,1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5ffce
   8c

A.4.  P384-SHA384

A.4.1.  OPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = dfe7ddc41a4646901184f2b432616c8ba6d452f9bcd0c4f75a5150ef2b2ed
   02ef40b8b92f60ae591bcabd72a6518f188

A.4.1.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 02a36bc90e6db34096346eaf8b7bc40ee1113582155ad379700
   3ce614c835a874343701d3f2debbd80d97cbe45de6e5f1f
   EvaluationElement = 03af2a4fc94770d7a7bf3187ca9cc4faf3732049eded2442
   ee50fbddda58b70ae2999366f72498cdbc43e6f2fc184afe30
   Output = ed84ad3f31a552f0456e58935fcc0a3039db42e7f356dcb32aa6d487b6b
   815a07d5813641fb1398c03ddab5763874357

A.4.1.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 02def6f418e3484f67a124a2ce1bfb19de7a4af568ede6a1ebb
   2733882510ddd43d05f2b1ab5187936a55e50a847a8b900
   EvaluationElement = 034e9b9a2960b536f2ef47d8608b21597ba400d5abfa1825
   fd21c36b75f927f396bf3716c96129d1fa4a77fa1d479c8d7b
   Output = dd4f29da869ab9355d60617b60da0991e22aaab243a3460601e48b07585
   9d1c526d36597326f1b985778f781a1682e75

A.4.2.  VOPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 051646b9e6e7a71ae27c1e1d0b87b4381db6d3595eeeb1adb41579adbf992
   f4278f9016eafc944edaa2b43183581779d
   pkSm = 031d689686c611991b55f1a1d8f4305ccd6cb719446f660a30db61b7aa87b
   46acf59b7c0d4a9077b3da21c25dd482229a0

A.4.2.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
   a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9
   EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
   46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6
   Proof = bfc6cf3859127f5fe25548859856d6b7fa1c7459f0ba5712a806fc091a30
   00c42d8ba34ff45f32a52e40533efd2a03bc87f3bf4f9f58028297ccb9ccb18ae718
   2bcd1ef239df77e3be65ef147f3acf8bc9cbfc5524b702263414f043e3b7ca2e
   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
   26b4a622beab60220bf19078bca35a529b35c

A.4.2.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 02f27469e059886f221be5f2cca03d2bdc61e55221721c3b3e5
   6fc012e36d31ae5f8dc058109591556a6dbd3a8c69c433b
   EvaluationElement = 03f16f903947035400e96b7f531a38d4a07ac89a80f89d86
   a1bf089c525a92c7f4733729ca30c56ce78b1ab4f7d92db8b4
   Proof = d005d6daaad7571414c1e0c75f7e57f2113ca9f4604e84bc90f9be52da89
   6fff3bee496dcde2a578ae9df315032585f801fb21c6080ac05672b291e575a40295
   b306d967717b28e08fcc8ad1cab47845d16af73b3e643ddcc191208e71c64630
   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   Output = b91c70ea3d4d62ba922eb8a7d03809a441e1c3c7af915cbc2226f485213
   e895942cd0f8580e6d99f82221e66c40d274f

A.4.2.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
   6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
   a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9,02fa02470d7f151018b4
   1e82223c32fad824de6ad4b5ce9f8e9f98083c9a726de9a1fc39d7a0cb6f4f188dd9
   cea01474cd
   EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
   46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6,028e9e115625ff4c2
   f07bf87ce3fd73fc77994a7a0c1df03d2a630a3d845930e2e63a165b114d98fe34e6
   1b68d23c0b50a
   Proof = 6d8dcbd2fc95550a02211fb78afd013933f307d21e7d855b0b1ed0af7807
   6d8137ad8b0a1bfa05676d325249c1dbb9a52bd81b1c2b7b0efc77cf7b278e1c947f
   6283f1d4c513053fc0ad19e026fb0c30654b53d9cea4b87b037271b5d2e2d0ea
   ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
   eca27405420cdf3d63cb3aef005f40ba51943c8026877963
   Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
   26b4a622beab60220bf19078bca35a529b35c,b91c70ea3d4d62ba922eb8a7d03809
   a441e1c3c7af915cbc2226f485213e895942cd0f8580e6d99f82221e66c40d274f

A.4.3.  POPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 5b2690d6954b8fbb159f19935d64133f12770c00b68422559c65431942d72
   1ff79d47d7a75906c30b7818ec0f38b7fb2
   pkSm = 02f00f0f1de81e5d6cf18140d4926ffdc9b1898c48dc49657ae36eb1e45de
   b8b951aaf1f10c82d2eaa6d02aafa3f10d2b6

A.4.3.1.  Test Vector 1, Batch Size 1

   Input = 00
   Info = 7465737420696e666f
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
   93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3
   EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
   373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91
   Proof = 82a17ef41c8b57f1e3122311b4d5cd39a63df0f67443ef18d961f9b659c1
   601ced8d3c64b294f604319ca80230380d437a49c7af0d620e22116669c008ebb767
   d90283d573b49cdb49e3725889620924c2c4b047a2a6225a3ba27e640ebddd33
   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
   27303ed449a08caf84272c3bbc972ede797df

A.4.3.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364
   BlindedElement = 03f7efcb4aaf000263369d8a0621cb96b81b3206e99876de2a0
   0699ed4c45acf3969cd6e2319215395955d3f8d8cc1c712
   EvaluationElement = 034993c818369927e74b77c400376fd1ae29b6ac6c6ddb77
   6cf10e4fbc487826531b3cf0b7c8ca4d92c7af90c9def85ce6
   Proof = 693471b5dff0cd6a5c00ea34d7bf127b2795164e3bdb5f39a1e5edfbd13e
   443bc516061cd5b8449a473c2ceeccada9f3e5b57302e3d7bc5e28d38d6e3a3056e1
   e73b6cc030f5180f8a1ffa45aa923ee66d2ad0a07b500f2acc7fb99b5506465c
   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   Output = ff2a527a21cc43b251a567382677f078c6e356336aec069dea8ba369953
   43ca3b33bb5d6cf15be4d31a7e6d75b30d3f5

A.4.3.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
   889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
   6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
   BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
   93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3,021a65d618d645f1a20b
   c33b06deaa7e73d6d634c8a56a3d02b53a732b69a5c53c5a207ea33d5afdcde9a22d
   59726bce51
   EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
   373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91,02017657b315ec65e
   f861505e596c8645d94685dd7602cdd092a8f1c1c0194a5d0485fe47d071d972ab51
   4370174cc23f5
   Proof = 4a0b2fe96d5b2a046a0447fe079b77859ef11a39a3520d6ff7c626aad9b4
   73b724fb0cf188974ec961710a62162a83e97e0baa9eeada73397032d928b3e97b1e
   a92ad9458208302be3681b8ba78bcc17745bac00f84e0fdc98a6a8cba009c080
   ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
   eca27405420cdf3d63cb3aef005f40ba51943c8026877963
   Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
   27303ed449a08caf84272c3bbc972ede797df,ff2a527a21cc43b251a567382677f0
   78c6e356336aec069dea8ba36995343ca3b33bb5d6cf15be4d31a7e6d75b30d3f5

A.5.  P521-SHA512

A.5.1.  OPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a9
   55d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fcc
   ea6

A.5.1.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 0300e78bf846b0e1e1a3c320e353d758583cd876df56100a3a1
   e62bacba470fa6e0991be1be80b721c50c5fd0c672ba764457acc18c6200704e9294
   fbf28859d916351
   EvaluationElement = 030166371cf827cb2fb9b581f97907121a16e2dc5d8b10ce
   9f0ede7f7d76a0d047657735e8ad07bcda824907b3e5479bd72cdef6b839b967ba5c
   58b118b84d26f2ba07
   Output = 26232de6fff83f812adadadb6cc05d7bbeee5dca043dbb16b03488abb99
   81d0a1ef4351fad52dbd7e759649af393348f7b9717566c19a6b8856284d69375c80
   9

A.5.1.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 0300c28e57e74361d87e0c1874e5f7cc1cc796d61f9cad50427
   cf54655cdb455613368d42b27f94bf66f59f53c816db3e95e68e1b113443d66a99b3
   693bab88afb556b
   EvaluationElement = 0301ad453607e12d0cc11a3359332a40c3a254eaa1afc642
   96528d55bed07ba322e72e22cf3bcb50570fd913cb54f7f09c17aff8787af75f6a7f
   af5640cbb2d9620a6e
   Output = ad1f76ef939042175e007738906ac0336bbd1d51e287ebaa66901abdd32
   4ea3ffa40bfc5a68e7939c2845e0fd37a5a6e76dadb9907c6cc8579629757fd4d04b
   a

A.5.2.  VOPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f2
   2803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9
   238
   pkSm = 0301505d646f6e4c9102451eb39730c4ba1c4087618641edbdba4a60896b0
   7fd0c9414ce553cbf25b81dfcca50a8f6724ab7a2bc4d0cf736967a287bb6084cc06
   78ac0

A.5.2.1.  Test Vector 1, Batch Size 1

   Input = 00
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
   7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
   5b4b3628a4f6380
   EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
   204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
   bca0f8ca003eefb045
   Proof = 0077fcc8ec6d059d7759b0a61f871e7c1dadc65333502e09a51994328f79
   e5bda3357b9a4f410a1760a3612c2f8f27cb7cb032951c047cc66da60da583df7b24
   7edd0188e5eb99c71799af1d80d643af16ffa1545acd9e9233fbb370455b10eb257e
   a12a1667c1b4ee5b0ab7c93d50ae89602006960f083ca9adc4f6276c0ad60440393c
   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
   a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
   b

A.5.2.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 03005b05e656cb609ce5ff5faf063bb746d662d67bbd07c0626
   38396f52f0392180cf2365cabb0ece8e19048961d35eeae5d5fa872328dce98df076
   ee154dd191c615e
   EvaluationElement = 0301b19fcf482b1fff04754e282292ed736c5f0aa080d4f4
   2663cd3a416c6596f03129e8e096d8671fe5b0d19838312c511d2ce08d431e43e3ef
   06199d8cab7426238d
   Proof = 01ec9fece444caa6a57032e8963df0e945286f88fbdf233fb5101f0924f7
   ea89c47023f5f72f240e61991fd33a299b5b38c45a5e2dd1a67b072e59dfe86708a3
   59c701e38d383c60cf6969463bcf13251bedad47b7941f52e409a3591398e2792441
   0b18a301c0e19f527cad504fa08388050ac634e1b05c5216d337742f2754e1fc502f
   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b
   54b6604d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf47
   4

A.5.2.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
   39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
   1
   BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
   7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
   5b4b3628a4f6380,0301403b597538b939b450c93586ba275f9711ba07e42364bac1
   d5769c6824a8b55be6f9a536df46d952b11ab2188363b3d6737635d9543d4dba14a6
   e19421b9245bf5
   EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
   204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
   bca0f8ca003eefb045,03001f96424497e38c46c904978c2fa1636c5c3dd2e634a85
   d8a7265977c5dce1f02c7e6c118479f0751767b91a39cce6561998258591b5d7c1bb
   02445a9e08e4f3e8d
   Proof = 00b4d215c8405e57c7a4b53398caf55f1f1623aaeb22408ddb9ea2913090
   9b3f95dbb1ff366e81e86e918f9f2fd8b80dbb344cd498c9499d112905e585417e00
   68c600fe5dea18b389ef6c4cc062935607b8ccbbb9a84fba3143868a3e8a58efa0bf
   6ca642804d09dc06e980f64837811227c4267b217f1099a4e28b0854f4e5ee659796
   ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
   27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
   51943c8026877963
   Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
   a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
   b,fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b54b6604
   d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf474

A.5.3.  POPRF Mode

   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
   3a3
   KeyInfo = 74657374206b6579
   skSm = 014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c442
   7d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7
   b27
   pkSm = 0301de8ceb9ffe9237b1bba87c320ea0bebcfc3447fe6f278065c6c69886d
   692d1126b79b6844f829940ace9b52a5e26882cf7cbc9e57503d4cca3cd834584729
   f812a

A.5.3.1.  Test Vector 1, Batch Size 1

   Input = 00
   Info = 7465737420696e666f
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
   82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
   d5ebb2238f2f0e2
   EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
   62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
   f77aa1327253f26d01
   Proof = 0106a89a61eee9dd2417d2849a8e2167bc5f56e3aed5a3ff23e22511fa1b
   37a29ed44d1bbfd6907d99cfbc558a56aec709282415a864a281e49dc53792a4a638
   a0660034306d64be12a94dcea5a6d664cf76681911c8b9a84d49bf12d4893307ec14
   436bd05f791f82446c0de4be6c582d373627b51886f76c4788256e3da7ec8fa18a86
   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
   82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
   b

A.5.3.2.  Test Vector 2, Batch Size 1

   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364
   BlindedElement = 030112ea89cf9cf589496189eafc5f9eb13c9f9e170d6ecde7c
   5b940541cb1a9c5cfeec908b67efe16b81ca00d0ce216e34b3d5f46a658d3fd8573d
   671bdb6515ed508
   EvaluationElement = 0200ebc49df1e6fa61f412e6c391e6f074400ecdd2f56c4a
   8c03fe0f91d9b551f40d4b5258fd891952e8c9b28003bcfa365122e54a5714c8949d
   5d202767b31b4bf1f6
   Proof = 0082162c71a7765005cae202d4bd14b84dae63c29067e886b82506992bd9
   94a1c3aac0c1c5309222fe1af8287b6443ed6df5c2e0b0991faddd3564c73c7597ae
   cd9a003b1f1e3c65f28e58ab4e767cfb4adbcaf512441645f4c2aed8bf67d132d966
   006d35fa71a34145414bf3572c1de1a46c266a344dd9e22e7fb1e90ffba1caf556d9
   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
   e45c405d1348b7b1
   Output = 27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af
   5762c3638afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e
   3

A.5.3.3.  Test Vector 3, Batch Size 2

   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
   Info = 7465737420696e666f
   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
   d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
   39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
   1
   BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
   82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
   d5ebb2238f2f0e2,0201a328cf9f3fdeb86b6db242dd4cbb436b3a488b70b72d2fbb
   d1e5f50d7b0878b157d6f278c6a95c488f3ad52d6898a421658a82fe7ceb000b01ae
   dea7967522d525
   EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
   62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
   f77aa1327253f26d01,020062ab51ac3aa829e0f5b7ae50688bcf5f63a18a83a6e0d
   a538666b8d50c7ea2b4ef31f4ac669302318dbebe46660acdda695da30c22cee7ca2
   1f6984a720504502e
   Proof = 00731738844f739bca0cca9d1c8bea204bed4fd00285785738b985763741
   de5cdfa275152d52b6a2fdf7792ef3779f39ba34581e56d62f78ecad5b7f8083f384
   961501cd4b43713253c022692669cf076b1d382ecd8293c1de69ea569737f37a2477
   2ab73517983c1e3db5818754ba1f008076267b8058b6481949ae346cdc17a8455fe2
   ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
   27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
   51943c8026877963
   Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
   82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
   b,27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af5762c36
   38afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e3

Acknowledgements

   This document resulted from the work of the Privacy Pass team
   [PrivacyPass].  The authors would also like to acknowledge helpful
   conversations with Hugo Krawczyk.  Eli-Shaoul Khedouri provided
   additional review and comments on key consistency.  Daniel Bourdrez,
   Tatiana Bradley, Sofia Celi, Frank Denis, Julia Hesse, Russ Housley,
   Kevin Lewi, Christopher Patton, and Bas Westerbaan also provided
   helpful input and contributions to the document.

Authors' Addresses

   Alex Davidson
   Brave Software
   Email: alex.davidson92@gmail.com

   Armando Faz-Hernandez
   Cloudflare, Inc.
   101 Townsend St
   San Francisco, CA
   United States of America
   Email: armfazh@cloudflare.com

   Nick Sullivan
   Cloudflare, Inc.
   101 Townsend St
   San Francisco, CA
   United States of America
   Email: nick@cloudflare.com nicholas.sullivan+ietf@gmail.com

   Christopher A. Wood
   Cloudflare, Inc.
   101 Townsend St
   San Francisco, CA
   United States of America
   Email: caw@heapingbits.net