Hi,

Does anyone know the state-of-the-art for encoding/decoding an elliptic curve point into a random-looking bit string, such that the mapping covers all points and bit strings?

Is it Elligator-squared?

https://eprint.iacr.org/2014/043.pdf

I'm interested in this partly as a way of making handshake protocols (e.g. Noise) indistinguishable from random (e.g. censorship resistance).

Also, if such a protocol was encoding its ephemeral DH public keys in this form, I believe (?) this would enable a PAKE almost for free: simply XOR the encoded DH ephemeral public values (or even just one of them) with the password or hash(password), per Bellovin and Merritt's 1992 EKE paper:

https://www.cs.columbia.edu/~smb/papers/neke.pdf ?

Trevor

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
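
An added example, not part of the original post or of any project it mentions: a toy model of why the XOR-with-hash(password) idea depends on an encoding that covers all bit strings. The curve parameters, dictionary and helper names are constructed for illustration, uniformly sampled valid x-coordinates stand in for real ephemeral keys, and `total_decode` models the assumed property that every string decodes to a point.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the post): y^2 = x^3 + A*x + B over F_P.
P, A, B = 2**61 - 1, 1, 7
K = 61  # width of the encoded public value in bits

def is_curve_x(x):
    """Raw encoding: a K-bit string decodes only if it is a valid x-coordinate."""
    if x >= P:
        return False
    rhs = (pow(x, 3, P) + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1  # Euler's criterion

def total_decode(_bits):
    """Assumed property of a total encoding: every K-bit string decodes."""
    return True

def pw_mask(password):
    """K-bit mask taken from hash(password), as in the post's XOR idea."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - K)

def masked_values(password, sessions, raw):
    """Wire values for `sessions` handshakes: encoded ephemeral XOR mask."""
    out = []
    for _ in range(sessions):
        enc = secrets.randbits(K)
        while raw and not is_curve_x(enc):  # stand-in for a fresh ephemeral key
            enc = secrets.randbits(K)
        out.append(enc ^ pw_mask(password))
    return out

def consistent_guesses(wire, dictionary, decodes):
    """Candidate passwords under which every observed value still decodes."""
    return [g for g in dictionary
            if all(decodes(w ^ pw_mask(g)) for w in wire)]

DICTIONARY = ["password%02d" % i for i in range(32)]  # constructed
SECRET = "password17"                                 # constructed

def run(sessions=64):
    raw = consistent_guesses(masked_values(SECRET, sessions, True),
                             DICTIONARY, is_curve_x)
    total = consistent_guesses(masked_values(SECRET, sessions, False),
                               DICTIONARY, total_decode)
    return raw, total

if __name__ == "__main__":
    raw, total = run()
    print("raw x-coordinate encoding leaves", len(raw), "candidate(s)")
    print("total encoding leaves", len(total), "candidate(s)")
```

With raw x-coordinates only the real password stays consistent with the observed values, because about half of all strings fail to decode under a wrong mask; with a total encoding no candidate can be ruled out from the wire values alone.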