Notation
In this section we introduce some generic notation used throughout the spec. The primitive-specific notation is introduced in the respective sections.
We denote by $\ec (F_p)$ the finite abelian group based on an elliptic curve over a finite prime-order field $F_p$ (note that we simplify the notation and drop the explicit dependency on $F_p$ and security parameter $\kappa$). Most importantly, we assume the order of the group $\ec$ to be of the form $\cofvar\cdot \order$ for some small cofactor $\cofvar$ (sometimes equal to 1) and large prime number $\order$, and that the (hence) unique (sub)group $\group$ of order $\order$ is generated by a known base point $\generator$, i.e., $\group = \langle \generator\rangle$, in which the computational Diffie-Hellman (CDH) problem is believed to be hard. We use $\hash$ to denote a cryptographically secure hash function, modeled as a random oracle, $$ \hash: \lbrace 0, 1\rbrace^{a}\rightarrow \lbrace 0, 1\rbrace^{\ell(\kappa)} $$ for any value of $a$ (we tried using $*$ but the katex compiler was not happy with it).
An elliptic curve point can be determined using the $y$-coordinate and the sign of the $x$-coordinate, meaning that an elliptic curve point can be represented using $s=\lceil\log_2(p)\rceil + 1$ bits. All elements in $F_p$ or $F_q$ are serialised in little-endian form. Elliptic curve points are encoded using their $y$-coordinate followed by the sign bit of the $x$-coordinate. An element $x$ in $F_p$ is negative if the encoding of $x$ is lexicographically larger than the encoding of $-x$.
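
The point encoding and sign rule above, as an added Python example (not part of the spec or of any reference implementation). Assumptions not stated in this section: the curve is Ed25519 ($-x^2 + y^2 = 1 + d x^2 y^2$ over $F_p$ with $p = 2^{255}-19$), the sign comparison is done on little-endian bit strings (least significant bit first), and the sign bit occupies the top bit of the last byte.

```python
# Added example. Assumed parameters (not from the spec): the Ed25519 curve
# -x^2 + y^2 = 1 + d*x^2*y^2 over F_p with p = 2^255 - 19.
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
BITS = P.bit_length()  # ceil(log2 p) = 255, so a point takes s = 256 bits

def le_bits(v):
    """Little-endian bit string of a field element (least significant bit first)."""
    return [(v >> i) & 1 for i in range(BITS)]

def is_negative(x):
    """Spec rule: x is negative if enc(x) is lexicographically larger than enc(-x)."""
    return le_bits(x % P) > le_bits(-x % P)

def encode(x, y):
    """y in little-endian form, followed by the sign bit of x (bit 255)."""
    return (y | (is_negative(x) << BITS)).to_bytes(32, "little")

def recover_x(y, sign):
    """Solve the curve equation for x and return the root with the requested sign."""
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x2 = u * pow(v, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)             # candidate square root (p = 5 mod 8)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if (x * x - x2) % P:
        raise ValueError("y is not the coordinate of a curve point")
    if x == 0 and sign:
        raise ValueError("sign bit set for x = 0")
    return P - x if is_negative(x) != bool(sign) else x

def decode(data):
    """Reject wrong lengths and non-canonical y before recovering x."""
    if len(data) != 32:
        raise ValueError("expected 32 bytes")
    n = int.from_bytes(data, "little")
    y, sign = n & ((1 << BITS) - 1), n >> BITS
    if y >= P:
        raise ValueError("non-canonical y")
    return recover_x(y, sign), y
```

Because $p$ is odd, $x$ and $-x$ always differ in their least significant bit, so under the bit-string assumption the lexicographic rule reduces to "$x$ is odd".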