Notation

In this section we introduce some generic notation used throughout the spec. The primitive-specific notation is introduced in the respective sections.

We denote by $E (F_{p})$ the finite abelian group based on an elliptic curve over a finite prime-order field $F_{p}$ (note that we simplify the notation and drop the explicit dependency on $F_{p}$ and security parameter $κ$ ). Most importantly, we assume the order of the group $E$ to be of the form $cofvar \cdot q$ for some small cofactor $cofvar$ (sometimes equal to 1) and large prime number $q$ , and that the (hence) unique (sub)group $G$ of order $q$ is generated by a known base point $G$ , i.e., $G = ⟨ G ⟩$ , in which the computational Diffie-Hellman (CDH) problem is believed to be hard. We use $H$ to denote a cryptographically safe hash function, modeled as a random oracle, $H : {0, 1}^{a} \to {0, 1}^{ℓ (κ)} .$ for any value of $a$ (we tried using $*$ but the katex compiler was not happy with it).

An elliptic curve point can be determined using the y-coordinate and the sign of the $x$ -coordinate, meaning that an elliptic curve point can be represented using $s = ⌈ lo g_{2} (p)⌉ + 1$ bits. All elements in $F_{p}$ or $F_{q}$ are serialised in little-endian form. Elliptic curve points are encoded using their $y$ -coordinate followed by the sign bit of the $x$ coordinate. An element $x$ in $F_{p}$ is negative if the enconding of $x$ is lexicographically larger than the encoding of $- x$