doc: Add RFC documents

1 files changed, 2915 insertions, 0 deletions

diff --git a/doc/rfc/rfc9497.txt b/doc/rfc/rfc9497.txt
new file mode 100644
index 0000000..4cdb7c3
--- /dev/null
+++ b/doc/rfc/rfc9497.txt
@@ -0,0 +1,2915 @@
+
+
+
+
+Internet Research Task Force (IRTF)                          A. Davidson
+Request for Comments: 9497                                Brave Software
+Category: Informational                                 A. Faz-Hernandez
+ISSN: 2070-1721                                              N. Sullivan
+                                                              C. A. Wood
+                                                        Cloudflare, Inc.
+                                                           December 2023
+
+
+   Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups
+
+Abstract
+
+   An Oblivious Pseudorandom Function (OPRF) is a two-party protocol
+   between a client and a server for computing the output of a
+   Pseudorandom Function (PRF).  The server provides the PRF private
+   key, and the client provides the PRF input.  At the end of the
+   protocol, the client learns the PRF output without learning anything
+   about the PRF private key, and the server learns neither the PRF
+   input nor output.  An OPRF can also satisfy a notion of
+   'verifiability', called a VOPRF.  A VOPRF ensures clients can verify
+   that the server used a specific private key during the execution of
+   the protocol.  A VOPRF can also be partially oblivious, called a
+   POPRF.  A POPRF allows clients and servers to provide public input to
+   the PRF computation.  This document specifies an OPRF, VOPRF, and
+   POPRF instantiated within standard prime-order groups, including
+   elliptic curves.  This document is a product of the Crypto Forum
+   Research Group (CFRG) in the IRTF.
+
+Status of This Memo
+
+   This document is not an Internet Standards Track specification; it is
+   published for informational purposes.
+
+   This document is a product of the Internet Research Task Force
+   (IRTF).  The IRTF publishes the results of Internet-related research
+   and development activities.  These results might not be suitable for
+   deployment.  This RFC represents the consensus of the Crypto Forum
+   Research Group of the Internet Research Task Force (IRTF).  Documents
+   approved for publication by the IRSG are not candidates for any level
+   of Internet Standard; see Section 2 of RFC 7841.
+
+   Information about the current status of this document, any errata,
+   and how to provide feedback on it may be obtained at
+   https://www.rfc-editor.org/info/rfc9497.
+
+Copyright Notice
+
+   Copyright (c) 2023 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (https://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.
+
+Table of Contents
+
+   1.  Introduction
+     1.1.  Requirements Language
+     1.2.  Notation and Terminology
+   2.  Preliminaries
+     2.1.  Prime-Order Group
+     2.2.  Discrete Logarithm Equivalence Proofs
+       2.2.1.  Proof Generation
+       2.2.2.  Proof Verification
+   3.  Protocol
+     3.1.  Configuration
+     3.2.  Key Generation and Context Setup
+       3.2.1.  Deterministic Key Generation
+     3.3.  Online Protocol
+       3.3.1.  OPRF Protocol
+       3.3.2.  VOPRF Protocol
+       3.3.3.  POPRF Protocol
+   4.  Ciphersuites
+     4.1.  OPRF(ristretto255, SHA-512)
+     4.2.  OPRF(decaf448, SHAKE-256)
+     4.3.  OPRF(P-256, SHA-256)
+     4.4.  OPRF(P-384, SHA-384)
+     4.5.  OPRF(P-521, SHA-512)
+     4.6.  Future Ciphersuites
+     4.7.  Random Scalar Generation
+       4.7.1.  Rejection Sampling
+       4.7.2.  Random Number Generation Using Extra Random Bits
+   5.  Application Considerations
+     5.1.  Input Limits
+     5.2.  External Interface Recommendations
+     5.3.  Error Considerations
+     5.4.  POPRF Public Input
+   6.  IANA Considerations
+   7.  Security Considerations
+     7.1.  Security Properties
+     7.2.  Security Assumptions
+       7.2.1.  OPRF and VOPRF Assumptions
+       7.2.2.  POPRF Assumptions
+       7.2.3.  Static Diffie-Hellman Attack and Security Limits
+     7.3.  Domain Separation
+     7.4.  Timing Leaks
+   8.  References
+     8.1.  Normative References
+     8.2.  Informative References
+   Appendix A.  Test Vectors
+     A.1.  ristretto255-SHA512
+       A.1.1.  OPRF Mode
+       A.1.2.  VOPRF Mode
+       A.1.3.  POPRF Mode
+     A.2.  decaf448-SHAKE256
+       A.2.1.  OPRF Mode
+       A.2.2.  VOPRF Mode
+       A.2.3.  POPRF Mode
+     A.3.  P256-SHA256
+       A.3.1.  OPRF Mode
+       A.3.2.  VOPRF Mode
+       A.3.3.  POPRF Mode
+     A.4.  P384-SHA384
+       A.4.1.  OPRF Mode
+       A.4.2.  VOPRF Mode
+       A.4.3.  POPRF Mode
+     A.5.  P521-SHA512
+       A.5.1.  OPRF Mode
+       A.5.2.  VOPRF Mode
+       A.5.3.  POPRF Mode
+   Acknowledgements
+   Authors' Addresses
+
+1.  Introduction
+
+   A Pseudorandom Function (PRF) F(k, x) is an efficiently computable
+   function taking a private key k and a value x as input.  This
+   function is pseudorandom if the keyed function K(_) = F(k, _) is
+   indistinguishable from a randomly sampled function acting on the same
+   domain and range as K().  An Oblivious PRF (OPRF) is a two-party
+   protocol between a server and a client, wherein the server holds a
+   PRF key k and the client holds some input x.  The protocol allows
+   both parties to cooperate in computing F(k, x), such that the client
+   learns F(k, x) without learning anything about k and the server does
+   not learn anything about x or F(k, x).  A Verifiable OPRF (VOPRF) is
+   an OPRF, wherein the server also proves to the client that F(k, x)
+   was produced by the key k corresponding to the server's public key,
+   which the client knows.  A Partially Oblivious PRF (POPRF) is a
+   variant of a VOPRF, where the client and server interact in computing
+   F(k, x, y), for some PRF F with server-provided key k, client-
+   provided input x, and public input y, and the client receives proof
+   that F(k, x, y) was computed using k corresponding to the public key
+   that the client knows.  A POPRF with fixed input y is functionally
+   equivalent to a VOPRF.
+
+   OPRFs have a variety of applications, including password-protected
+   secret sharing schemes [JKKX16], privacy-preserving password stores
+   [SJKS17], and password-authenticated key exchange (PAKE) [OPAQUE].
+   Verifiable OPRFs are necessary in some applications, such as Privacy
+   Pass [PRIVACY-PASS].  Verifiable OPRFs have also been used for
+   password-protected secret sharing schemes, such as that of [JKK14].
+
+   This document specifies OPRF, VOPRF, and POPRF protocols built upon
+   prime-order groups.  The document describes each protocol variant,
+   along with application considerations, and their security properties.
+
+   This document represents the consensus of the Crypto Forum Research
+   Group (CFRG).  It is not an IETF product and is not a standard.
+
+1.1.  Requirements Language
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+   "OPTIONAL" in this document are to be interpreted as described in
+   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+   capitals, as shown here.
+
+1.2.  Notation and Terminology
+
+   The following functions and notation are used throughout the
+   document.
+
+   *  For any object x, we write len(x) to denote its length in bytes.
+
+   *  For two-byte arrays x and y, write x || y to denote their
+      concatenation.
+
+   *  I2OSP(x, xLen) converts a nonnegative integer x into a byte array
+      of specified length xLen, as described in [RFC8017].  Note that
+      this function returns a byte array in big-endian byte order.
+
+   *  The notation T U[N] refers to an array called U, containing N
+      items of type T.  The type opaque means one single byte of
+      uninterpreted data.  Items of the array are zero-indexed and
+      referred to as U[j], such that 0 <= j < N.
+
+   All algorithms and procedures described in this document are laid out
+   in a Python-like pseudocode.  Each function takes a set of inputs and
+   parameters and produces a set of output values.  Parameters become
+   constant values once the protocol variant and the ciphersuite are
+   fixed.
+
+   The PrivateInput data type refers to inputs that are known only to
+   the client in the protocol, whereas the PublicInput data type refers
+   to inputs that are known to both the client and server in the
+   protocol.  Both PrivateInput and PublicInput are opaque byte strings
+   of arbitrary length no larger than 2^16 - 1 bytes.  This length
+   restriction exists because PublicInput and PrivateInput values are
+   length-prefixed with two bytes before use throughout the protocol.
+
+   String values, such as "DeriveKeyPair", "Seed-", and "Finalize", are
+   ASCII string literals.
+
+   The following terms are used throughout this document.
+
+   PRF:  Pseudorandom Function
+
+   OPRF:  Oblivious Pseudorandom Function
+
+   VOPRF:  Verifiable Oblivious Pseudorandom Function
+
+   POPRF:  Partially Oblivious Pseudorandom Function
+
+   Client:  Protocol initiator.  Learns PRF evaluation as the output of
+      the protocol.
+
+   Server:  Computes the PRF using a private key.  Learns nothing about
+      the client's input or output.
+
+2.  Preliminaries
+
+   The protocols in this document have two primary dependencies:
+
+   Group:  A prime-order group implementing the API described below in
+      Section 2.1.  See Section 4 for specific instances of groups.
+
+   Hash:  A cryptographic hash function whose output length is Nh bytes.
+
+   Section 4 specifies ciphersuites as combinations of Group and Hash.
+
+2.1.  Prime-Order Group
+
+   In this document, we assume the construction of an additive, prime-
+   order group, denoted Group, for performing all mathematical
+   operations.  In prime-order groups, any element (other than the
+   identity) can generate the other elements of the group.  Usually, one
+   element is fixed and defined as the group generator.  Such groups are
+   uniquely determined by the choice of the prime p that defines the
+   order of the group.  (However, different representations of the group
+   for a single p may exist.  Section 4 lists specific groups that
+   indicate both the order and representation.)
+
+   The fundamental group operation is addition + with identity element
+   I.  For any elements A and B of the group, A + B = B + A is also a
+   member of the group.  Also, for any A in the group, there exists an
+   element -A, such that A + (-A) = (-A) + A = I.  Scalar multiplication
+   by r is equivalent to the repeated application of the group operation
+   on an element A with itself r - 1 times; this is denoted as r * A = A
+   + ... + A.  For any element A, p * A = I.  The case when the scalar
+   multiplication is performed on the group generator is denoted as
+   ScalarMultGen(r).  Given two elements A and B, the discrete logarithm
+   problem is to find an integer k, such that B = k * A.  Thus, k is the
+   discrete logarithm of B with respect to the base A.  The set of
+   scalars corresponds to GF(p), a prime field of order p, and is
+   represented as the set of integers defined by {0, 1, ..., p - 1}.
+   This document uses types Element and Scalar to denote elements of the
+   group and its set of scalars, respectively.
+
+   We now detail a number of member functions that can be invoked on a
+   prime-order group.
+
+   Order():  Outputs the order of the group (i.e., p).
+
+   Identity():  Outputs the identity element of the group (i.e., I).
+
+   Generator():  Outputs the generator element of the group.
+
+   HashToGroup(x):  Deterministically maps an array of bytes x to an
+      element of Group.  The map must ensure that, for any adversary
+      receiving R = HashToGroup(x), it is computationally difficult to
+      reverse the mapping.  This function is optionally parameterized by
+      a domain separation tag (DST); see Section 4.  Security properties
+      of this function are described in [RFC9380].
+
+   HashToScalar(x):  Deterministically maps an array of bytes x to an
+      element in GF(p).  This function is optionally parameterized by a
+      DST; see Section 4.  Security properties of this function are
+      described in [RFC9380], Section 10.5.
+
+   RandomScalar():  Chooses at random a nonzero element in GF(p).
+
+   ScalarInverse(s):  Returns the inverse of input Scalar s on GF(p).
+
+   SerializeElement(A):  Maps an Element A to a canonical byte array buf
+      of fixed-length Ne.
+
+   DeserializeElement(buf):  Attempts to map a byte array buf to an
+      Element A and fails if the input is not the valid canonical byte
+      representation of an element of the group.  This function can
+      raise a DeserializeError if deserialization fails or A is the
+      identity element of the group; see Section 4 for group-specific
+      input validation steps.
+
+   SerializeScalar(s):  Maps Scalar s to a canonical byte array buf of
+      fixed-length Ns.
+
+   DeserializeScalar(buf):  Attempts to map a byte array buf to Scalar
+      s.  This function can raise a DeserializeError if deserialization
+      fails; see Section 4 for group-specific input validation steps.
+
+   Section 4 contains details for the implementation of this interface
+   for different prime-order groups instantiated over elliptic curves.
+   In particular, for some choices of elliptic curves, e.g., those
+   detailed in [RFC7748], which require accounting for cofactors,
+   Section 4 describes required steps necessary to ensure the resulting
+   group is of prime order.
+
+2.2.  Discrete Logarithm Equivalence Proofs
+
+   A proof of knowledge allows a prover to convince a verifier that some
+   statement is true.  If the prover can generate a proof without
+   interaction with the verifier, the proof is noninteractive.  If the
+   verifier learns nothing other than whether the statement claimed by
+   the prover is true or false, the proof is zero-knowledge.
+
+   This section describes a noninteractive, zero-knowledge proof for
+   discrete logarithm equivalence (DLEQ), which is used in the
+   construction of VOPRF and POPRF.  A DLEQ proof demonstrates that two
+   pairs of group elements have the same discrete logarithm without
+   revealing the discrete logarithm.
+
+   The DLEQ proof resembles the Chaum-Pedersen [ChaumPedersen] proof,
+   which is shown to be zero-knowledge by Jarecki, et al. [JKK14] and is
+   noninteractive after applying the Fiat-Shamir transform [FS00].
+   Furthermore, Davidson, et al. [DGSTV18] showed a proof system for
+   batching DLEQ proofs that has constant-size proofs with respect to
+   the number of inputs.  The specific DLEQ proof system presented below
+   follows this latter construction with two modifications: (1) the
+   transcript used to generate the seed includes more context
+   information and (2) the individual challenges for each element in the
+   proof is derived from a seed-prefixed hash-to-scalar invocation,
+   rather than being sampled from a seeded Pseudorandom Number Generator
+   (PRNG).  The description is split into two subsections: one for
+   generating the proof, which is done by servers in the verifiable
+   protocols, and another for verifying the proof, which is done by
+   clients in the protocol.
+
+2.2.1.  Proof Generation
+
+   Generating a proof is done with the GenerateProof function, as
+   defined below.  Given Element values A and B, two non-empty lists of
+   Element values C and D of length m, and Scalar k, this function
+   produces a proof that k * A == B and k * C[i] == D[i] for each i in
+   [0, ..., m - 1].  The output is a value of type Proof, which is a
+   tuple of two Scalar values.  We use the notation proof[0] and
+   proof[1] to denote the first and second elements in this tuple,
+   respectively.
+
+   GenerateProof accepts lists of inputs to amortize the cost of proof
+   generation.  Applications can take advantage of this functionality to
+   produce a single, constant-sized proof for m DLEQ inputs, rather than
+   m proofs for m DLEQ inputs.
+
+   Input:
+
+     Scalar k
+     Element A
+     Element B
+     Element C[m]
+     Element D[m]
+
+   Output:
+
+     Proof proof
+
+   Parameters:
+
+     Group G
+
+   def GenerateProof(k, A, B, C, D):
+     (M, Z) = ComputeCompositesFast(k, B, C, D)
+
+     r = G.RandomScalar()
+     t2 = r * A
+     t3 = r * M
+
+     Bm = G.SerializeElement(B)
+     a0 = G.SerializeElement(M)
+     a1 = G.SerializeElement(Z)
+     a2 = G.SerializeElement(t2)
+     a3 = G.SerializeElement(t3)
+
+     challengeTranscript =
+       I2OSP(len(Bm), 2) || Bm ||
+       I2OSP(len(a0), 2) || a0 ||
+       I2OSP(len(a1), 2) || a1 ||
+       I2OSP(len(a2), 2) || a2 ||
+       I2OSP(len(a3), 2) || a3 ||
+       "Challenge"
+
+     c = G.HashToScalar(challengeTranscript)
+     s = r - c * k
+
+     return [c, s]
+
+   The helper function ComputeCompositesFast is as defined below and is
+   an optimization of the ComputeComposites function for servers since
+   they have knowledge of the private key.
+
+   Input:
+
+     Scalar k
+     Element B
+     Element C[m]
+     Element D[m]
+
+   Output:
+
+     Element M
+     Element Z
+
+   Parameters:
+
+     Group G
+     PublicInput contextString
+
+   def ComputeCompositesFast(k, B, C, D):
+     Bm = G.SerializeElement(B)
+     seedDST = "Seed-" || contextString
+     seedTranscript =
+       I2OSP(len(Bm), 2) || Bm ||
+       I2OSP(len(seedDST), 2) || seedDST
+     seed = Hash(seedTranscript)
+
+     M = G.Identity()
+     for i in range(m):
+       Ci = G.SerializeElement(C[i])
+       Di = G.SerializeElement(D[i])
+       compositeTranscript =
+         I2OSP(len(seed), 2) || seed || I2OSP(i, 2) ||
+         I2OSP(len(Ci), 2) || Ci ||
+         I2OSP(len(Di), 2) || Di ||
+         "Composite"
+
+       di = G.HashToScalar(compositeTranscript)
+       M = di * C[i] + M
+
+     Z = k * M
+
+     return (M, Z)
+
+   When used in the protocol described in Section 3, the parameter
+   contextString is as defined in Section 3.2.
+
+2.2.2.  Proof Verification
+
+   Verifying a proof is done with the VerifyProof function, as defined
+   below.  This function takes Element values A and B, two non-empty
+   lists of Element values C and D of length m, and a Proof value output
+   from GenerateProof.  It outputs a single boolean value indicating
+   whether or not the proof is valid for the given DLEQ inputs.  Note
+   this function can verify proofs on lists of inputs whenever the proof
+   was generated as a batched DLEQ proof with the same inputs.
+
+   Input:
+
+     Element A
+     Element B
+     Element C[m]
+     Element D[m]
+     Proof proof
+
+   Output:
+
+     boolean verified
+
+   Parameters:
+
+     Group G
+
+   def VerifyProof(A, B, C, D, proof):
+     (M, Z) = ComputeComposites(B, C, D)
+     c = proof[0]
+     s = proof[1]
+
+     t2 = ((s * A) + (c * B))
+     t3 = ((s * M) + (c * Z))
+
+     Bm = G.SerializeElement(B)
+     a0 = G.SerializeElement(M)
+     a1 = G.SerializeElement(Z)
+     a2 = G.SerializeElement(t2)
+     a3 = G.SerializeElement(t3)
+
+     challengeTranscript =
+       I2OSP(len(Bm), 2) || Bm ||
+       I2OSP(len(a0), 2) || a0 ||
+       I2OSP(len(a1), 2) || a1 ||
+       I2OSP(len(a2), 2) || a2 ||
+       I2OSP(len(a3), 2) || a3 ||
+       "Challenge"
+
+     expectedC = G.HashToScalar(challengeTranscript)
+     verified = (expectedC == c)
+
+     return verified
+
+   The definition of ComputeComposites is given below.
+
+   Input:
+
+     Element B
+     Element C[m]
+     Element D[m]
+
+   Output:
+
+     Element M
+     Element Z
+
+   Parameters:
+
+     Group G
+     PublicInput contextString
+
+   def ComputeComposites(B, C, D):
+     Bm = G.SerializeElement(B)
+     seedDST = "Seed-" || contextString
+     seedTranscript =
+       I2OSP(len(Bm), 2) || Bm ||
+       I2OSP(len(seedDST), 2) || seedDST
+     seed = Hash(seedTranscript)
+
+     M = G.Identity()
+     Z = G.Identity()
+     for i in range(m):
+       Ci = G.SerializeElement(C[i])
+       Di = G.SerializeElement(D[i])
+       compositeTranscript =
+         I2OSP(len(seed), 2) || seed || I2OSP(i, 2) ||
+         I2OSP(len(Ci), 2) || Ci ||
+         I2OSP(len(Di), 2) || Di ||
+         "Composite"
+
+       di = G.HashToScalar(compositeTranscript)
+       M = di * C[i] + M
+       Z = di * D[i] + Z
+
+     return (M, Z)
+
+   When used in the protocol described in Section 3, the parameter
+   contextString is as defined in Section 3.2.
+
+3.  Protocol
+
+   In this section, we define and describe three protocol variants
+   referred to as the OPRF, VOPRF, and POPRF modes.  Each of these
+   variants involves two messages between the client and server, but
+   they differ slightly in terms of the security properties; see
+   Section 7.1 for more information.  A high-level description of the
+   functionality of each mode follows.
+
+   In the OPRF mode, a client and server interact to compute output =
+   F(skS, input), where input is the client's private input, skS is the
+   server's private key, and output is the OPRF output.  After the
+   execution of the protocol, the client learns the output and the
+   server learns nothing.  This interaction is shown below.
+
+       Client(input)                                        Server(skS)
+     -------------------------------------------------------------------
+     blind, blindedElement = Blind(input)
+
+                                blindedElement
+                                  ---------->
+
+                   evaluatedElement = BlindEvaluate(skS, blindedElement)
+
+                                evaluatedElement
+                                  <----------
+
+     output = Finalize(input, blind, evaluatedElement)
+
+                      Figure 1: OPRF Protocol Overview
+
+   In the VOPRF mode, the client additionally receives proof that the
+   server used skS in computing the function.  To achieve verifiability,
+   as in [JKK14], the server provides a zero-knowledge proof that the
+   key provided as input by the server in the BlindEvaluate function is
+   the same key as is used to produce the server's public key, pkS,
+   which the client receives as input to the protocol.  This proof does
+   not reveal the server's private key to the client.  This interaction
+   is shown below.
+
+       Client(input, pkS)       <---- pkS ------        Server(skS, pkS)
+     -------------------------------------------------------------------
+     blind, blindedElement = Blind(input)
+
+                                blindedElement
+                                  ---------->
+
+                 evaluatedElement, proof = BlindEvaluate(skS, pkS,
+                                                         blindedElement)
+
+                            evaluatedElement, proof
+                                  <----------
+
+     output = Finalize(input, blind, evaluatedElement,
+                       blindedElement, pkS, proof)
+
+          Figure 2: VOPRF Protocol Overview with Additional Proof
+
+   The POPRF mode extends the VOPRF mode such that the client and server
+   can additionally provide the public input info, which is used in
+   computing the PRF.  That is, the client and server interact to
+   compute output = F(skS, input, info), as is shown below.
+
+       Client(input, pkS, info) <---- pkS ------  Server(skS, pkS, info)
+     -------------------------------------------------------------------
+     blind, blindedElement, tweakedKey = Blind(input, info, pkS)
+
+                                blindedElement
+                                  ---------->
+
+            evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
+                                                    info)
+
+                            evaluatedElement, proof
+                                  <----------
+
+     output = Finalize(input, blind, evaluatedElement,
+                       blindedElement, proof, info, tweakedKey)
+
+       Figure 3: POPRF Protocol Overview with Additional Public Input
+
+   Each protocol consists of an offline setup phase and an online phase,
+   as described in Sections 3.2 and 3.3, respectively.  Configuration
+   details for the offline phase are described in Section 3.1.
+
+3.1.  Configuration
+
+   Each of the three protocol variants are identified with a one-byte
+   value (in hexadecimal):
+
+                            +===========+=======+
+                            | Mode      | Value |
+                            +===========+=======+
+                            | modeOPRF  | 0x00  |
+                            +-----------+-------+
+                            | modeVOPRF | 0x01  |
+                            +-----------+-------+
+                            | modePOPRF | 0x02  |
+                            +-----------+-------+
+
+                             Table 1: Identifiers
+                            for Protocol Variants
+
+   Additionally, each protocol variant is instantiated with a
+   ciphersuite or suite.  Each ciphersuite is identified with an ASCII
+   string identifier, referred to as identifier; see Section 4 for the
+   set of initial ciphersuite values.
+
+   The mode and ciphersuite identifier values are combined to create a
+   "context string" used throughout the protocol with the following
+   function:
+
+   def CreateContextString(mode, identifier):
+     return "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier
+
+3.2.  Key Generation and Context Setup
+
+   In the offline setup phase, the server generates a fresh, random key
+   pair (skS, pkS).  There are two ways to generate this key pair.  The
+   first of which is using the GenerateKeyPair function described below.
+
+   Input: None
+
+   Output:
+
+     Scalar skS
+     Element pkS
+
+   Parameters:
+
+     Group G
+
+   def GenerateKeyPair():
+     skS = G.RandomScalar()
+     pkS = G.ScalarMultGen(skS)
+     return skS, pkS
+
+   The second way to generate the key pair is via the deterministic key
+   generation function DeriveKeyPair, as described in Section 3.2.1.
+   Applications and implementations can use either method in practice.
+
+   Also during the offline setup phase, both the client and server
+   create a context used for executing the online phase of the protocol
+   after agreeing on a mode and ciphersuite identifier.  The context,
+   such as OPRFServerContext, is an implementation-specific data
+   structure that stores a context string and the relevant key material
+   for each party.
+
+   The OPRF variant server and client contexts are created as follows:
+
+   def SetupOPRFServer(identifier, skS):
+     contextString = CreateContextString(modeOPRF, identifier)
+     return OPRFServerContext(contextString, skS)
+
+   def SetupOPRFClient(identifier):
+     contextString = CreateContextString(modeOPRF, identifier)
+     return OPRFClientContext(contextString)
+
+   The VOPRF variant server and client contexts are created as follows:
+
+   def SetupVOPRFServer(identifier, skS):
+     contextString = CreateContextString(modeVOPRF, identifier)
+     return VOPRFServerContext(contextString, skS)
+
+   def SetupVOPRFClient(identifier, pkS):
+     contextString = CreateContextString(modeVOPRF, identifier)
+     return VOPRFClientContext(contextString, pkS)
+
+   The POPRF variant server and client contexts are created as follows:
+
+   def SetupPOPRFServer(identifier, skS):
+     contextString = CreateContextString(modePOPRF, identifier)
+     return POPRFServerContext(contextString, skS)
+
+   def SetupPOPRFClient(identifier, pkS):
+     contextString = CreateContextString(modePOPRF, identifier)
+     return POPRFClientContext(contextString, pkS)
+
+3.2.1.  Deterministic Key Generation
+
+   This section describes a deterministic key generation function,
+   DeriveKeyPair.  It accepts a seed of 32 bytes generated from a
+   cryptographically secure random number generator and an optional
+   (possibly empty) info string.  Note that, by design, knowledge of
+   seed and info is necessary to compute this function, which means that
+   the secrecy of the output private key (skS) depends on the secrecy of
+   seed (since the info string is public).
+
+   Input:
+
+     opaque seed[32]
+     PublicInput info
+
+   Output:
+
+     Scalar skS
+     Element pkS
+
+   Parameters:
+
+     Group G
+     PublicInput contextString
+
+   Errors: DeriveKeyPairError
+
+   def DeriveKeyPair(seed, info):
+     deriveInput = seed || I2OSP(len(info), 2) || info
+     counter = 0
+     skS = 0
+     while skS == 0:
+       if counter > 255:
+         raise DeriveKeyPairError
+       skS = G.HashToScalar(deriveInput || I2OSP(counter, 1),
+                             DST = "DeriveKeyPair" || contextString)
+       counter = counter + 1
+     pkS = G.ScalarMultGen(skS)
+     return skS, pkS
+
+3.3.  Online Protocol
+
+   In the online phase, the client and server engage in a two-message
+   protocol to compute the protocol output.  This section describes the
+   protocol details for each protocol variant.  Throughout each
+   description, the following parameters are assumed to exist:
+
+   G:  a prime-order group implementing the API described in Section 2.1
+
+   contextString:  a PublicInput domain separation tag constructed
+      during context setup, as created in Section 3.1
+
+   skS and pkS:  a Scalar and Element representing the private and
+      public keys configured for the client and server in Section 3.2
+
+   Applications serialize protocol messages between the client and
+   server for transmission.  Element values and Scalar values are
+   serialized to byte arrays, and values of type Proof are serialized as
+   the concatenation of two serialized Scalar values.  Deserializing
+   these values can fail; in which case, the application MUST abort the
+   protocol, raising a DeserializeError failure.
+
+   Applications MUST check that input Element values received over the
+   wire are not the group identity element.  This check is handled after
+   deserializing Element values; see Section 4 for more information and
+   requirements on input validation for each ciphersuite.
+
+3.3.1.  OPRF Protocol
+
+   The OPRF protocol begins with the client blinding its input, as
+   described by the Blind function below.  Note that this function can
+   fail with an InvalidInputError error for certain inputs that map to
+   the group identity element.  Dealing with this failure is an
+   application-specific decision; see Section 5.3.
+
+   Input:
+
+     PrivateInput input
+
+   Output:
+
+     Scalar blind
+     Element blindedElement
+
+   Parameters:
+
+     Group G
+
+   Errors: InvalidInputError
+
+   def Blind(input):
+     blind = G.RandomScalar()
+     inputElement = G.HashToGroup(input)
+     if inputElement == G.Identity():
+       raise InvalidInputError
+     blindedElement = blind * inputElement
+
+     return blind, blindedElement
+
+   Clients store blind locally and send blindedElement to the server for
+   evaluation.  Upon receipt, servers process blindedElement using the
+   BlindEvaluate function described below.
+
+   Input:
+
+     Scalar skS
+     Element blindedElement
+
+   Output:
+
+     Element evaluatedElement
+
+   def BlindEvaluate(skS, blindedElement):
+     evaluatedElement = skS * blindedElement
+     return evaluatedElement
+
+   Servers send the output evaluatedElement to clients for processing.
+   Recall that servers may process multiple client inputs by applying
+   the BlindEvaluate function to each blindedElement received and
+   returning an array with the corresponding evaluatedElement values.
+
+   Upon receipt of evaluatedElement, clients process it to complete the
+   OPRF evaluation with the Finalize function described below.
+
+   Input:
+
+     PrivateInput input
+     Scalar blind
+     Element evaluatedElement
+
+   Output:
+
+     opaque output[Nh]
+
+   Parameters:
+
+     Group G
+
+   def Finalize(input, blind, evaluatedElement):
+     N = G.ScalarInverse(blind) * evaluatedElement
+     unblindedElement = G.SerializeElement(N)
+
+     hashInput = I2OSP(len(input), 2) || input ||
+                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
+                 "Finalize"
+     return Hash(hashInput)
+
+   An entity that knows both the private key and the input can compute
+   the PRF result using the following Evaluate function.
+
+   Input:
+
+     Scalar skS
+     PrivateInput input
+
+   Output:
+
+     opaque output[Nh]
+
+   Parameters:
+
+     Group G
+
+   Errors: InvalidInputError
+
+   def Evaluate(skS, input):
+     inputElement = G.HashToGroup(input)
+     if inputElement == G.Identity():
+       raise InvalidInputError
+     evaluatedElement = skS * inputElement
+     issuedElement = G.SerializeElement(evaluatedElement)
+
+     hashInput = I2OSP(len(input), 2) || input ||
+                 I2OSP(len(issuedElement), 2) || issuedElement ||
+                 "Finalize"
+     return Hash(hashInput)
+
+3.3.2.  VOPRF Protocol
+
+   The VOPRF protocol begins with the client blinding its input, using
+   the same Blind function as in Section 3.3.1.  Clients store the
+   output blind locally and send blindedElement to the server for
+   evaluation.  Upon receipt, servers process blindedElement to compute
+   an evaluated element and a DLEQ proof using the following
+   BlindEvaluate function.
+
+   Input:
+
+     Scalar skS
+     Element pkS
+     Element blindedElement
+
+   Output:
+
+     Element evaluatedElement
+     Proof proof
+
+   Parameters:
+
+     Group G
+
+   def BlindEvaluate(skS, pkS, blindedElement):
+     evaluatedElement = skS * blindedElement
+     blindedElements = [blindedElement]     // list of length 1
+     evaluatedElements = [evaluatedElement] // list of length 1
+     proof = GenerateProof(skS, G.Generator(), pkS,
+                           blindedElements, evaluatedElements)
+     return evaluatedElement, proof
+
+   In the description above, inputs to GenerateProof are one-item lists.
+   Using larger lists allows servers to batch the evaluation of multiple
+   elements while producing a single batched DLEQ proof for them.
+
+   The server sends both evaluatedElement and proof back to the client.
+   Upon receipt, the client processes both values to complete the VOPRF
+   computation using the Finalize function below.
+
+   Input:
+
+     PrivateInput input
+     Scalar blind
+     Element evaluatedElement
+     Element blindedElement
+     Element pkS
+     Proof proof
+
+   Output:
+
+     opaque output[Nh]
+
+   Parameters:
+
+     Group G
+
+   Errors: VerifyError
+
+   def Finalize(input, blind, evaluatedElement,
+                blindedElement, pkS, proof):
+     blindedElements = [blindedElement]     // list of length 1
+     evaluatedElements = [evaluatedElement] // list of length 1
+     if VerifyProof(G.Generator(), pkS, blindedElements,
+                    evaluatedElements, proof) == false:
+       raise VerifyError
+
+     N = G.ScalarInverse(blind) * evaluatedElement
+     unblindedElement = G.SerializeElement(N)
+
+     hashInput = I2OSP(len(input), 2) || input ||
+                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
+                 "Finalize"
+     return Hash(hashInput)
+
+   As in BlindEvaluate, inputs to VerifyProof are one-item lists.
+   Clients can verify multiple inputs at once whenever the server
+   produced a batched DLEQ proof for them.
+
+   Finally, an entity that knows both the private key and the input can
+   compute the PRF result using the Evaluate function described in
+   Section 3.3.1.
+
+3.3.3.  POPRF Protocol
+
+   The POPRF protocol begins with the client blinding its input, using
+   the following modified Blind function.  In this step, the client also
+   binds a public info value, which produces an additional tweakedKey to
+   be used later in the protocol.  Note that this function can fail with
+   an InvalidInputError error for certain private inputs that map to the
+   group identity element, as well as certain public inputs that, if not
+   detected at this point, will cause server evaluation to fail.
+   Dealing with either failure is an application-specific decision; see
+   Section 5.3.
+
+   Input:
+
+     PrivateInput input
+     PublicInput info
+     Element pkS
+
+   Output:
+
+     Scalar blind
+     Element blindedElement
+     Element tweakedKey
+
+   Parameters:
+
+     Group G
+
+   Errors: InvalidInputError
+
+   def Blind(input, info, pkS):
+     framedInfo = "Info" || I2OSP(len(info), 2) || info
+     m = G.HashToScalar(framedInfo)
+     T = G.ScalarMultGen(m)
+     tweakedKey = T + pkS
+     if tweakedKey == G.Identity():
+       raise InvalidInputError
+
+     blind = G.RandomScalar()
+     inputElement = G.HashToGroup(input)
+     if inputElement == G.Identity():
+       raise InvalidInputError
+
+     blindedElement = blind * inputElement
+
+     return blind, blindedElement, tweakedKey
+
+   Clients store the outputs blind and tweakedKey locally and send
+   blindedElement to the server for evaluation.  Upon receipt, servers
+   process blindedElement to compute an evaluated element and a DLEQ
+   proof using the following BlindEvaluate function.
+
+   Input:
+
+     Scalar skS
+     Element blindedElement
+     PublicInput info
+
+   Output:
+
+     Element evaluatedElement
+     Proof proof
+
+   Parameters:
+
+     Group G
+
+   Errors: InverseError
+
+   def BlindEvaluate(skS, blindedElement, info):
+     framedInfo = "Info" || I2OSP(len(info), 2) || info
+     m = G.HashToScalar(framedInfo)
+     t = skS + m
+     if t == 0:
+       raise InverseError
+
+     evaluatedElement = G.ScalarInverse(t) * blindedElement
+
+     tweakedKey = G.ScalarMultGen(t)
+     evaluatedElements = [evaluatedElement] // list of length 1
+     blindedElements = [blindedElement]     // list of length 1
+     proof = GenerateProof(t, G.Generator(), tweakedKey,
+                           evaluatedElements, blindedElements)
+
+     return evaluatedElement, proof
+
+   In the description above, inputs to GenerateProof are one-item lists.
+   Using larger lists allows servers to batch the evaluation of multiple
+   elements while producing a single batched DLEQ proof for them.
+
+   BlindEvaluate triggers InverseError when the function is about to
+   calculate the inverse of a zero scalar, which does not exist and
+   therefore yields a failure in the protocol.  This only occurs for
+   info values that map to the private key of the server.  Thus, clients
+   that cause this error should be assumed to know the server private
+   key.  Hence, this error can be a signal for the server to replace its
+   private key.
+
+   The server sends both evaluatedElement and proof back to the client.
+   Upon receipt, the client processes both values to complete the POPRF
+   computation using the Finalize function below.
+
+   Input:
+
+     PrivateInput input
+     Scalar blind
+     Element evaluatedElement
+     Element blindedElement
+     Proof proof
+     PublicInput info
+     Element tweakedKey
+
+   Output:
+
+     opaque output[Nh]
+
+   Parameters:
+
+     Group G
+
+   Errors: VerifyError
+
+   def Finalize(input, blind, evaluatedElement, blindedElement,
+                proof, info, tweakedKey):
+     evaluatedElements = [evaluatedElement] // list of length 1
+     blindedElements = [blindedElement]     // list of length 1
+     if VerifyProof(G.Generator(), tweakedKey, evaluatedElements,
+                    blindedElements, proof) == false:
+       raise VerifyError
+
+     N = G.ScalarInverse(blind) * evaluatedElement
+     unblindedElement = G.SerializeElement(N)
+
+     hashInput = I2OSP(len(input), 2) || input ||
+                 I2OSP(len(info), 2) || info ||
+                 I2OSP(len(unblindedElement), 2) || unblindedElement ||
+                 "Finalize"
+     return Hash(hashInput)
+
+   As in BlindEvaluate, inputs to VerifyProof are one-item lists.
+   Clients can verify multiple inputs at once whenever the server
+   produced a batched DLEQ proof for them.
+
+   Finally, an entity that knows both the private key and the input can
+   compute the PRF result using the Evaluate function described below.
+
+   Input:
+
+     Scalar skS
+     PrivateInput input
+     PublicInput info
+
+   Output:
+
+     opaque output[Nh]
+
+   Parameters:
+
+     Group G
+
+   Errors: InvalidInputError, InverseError
+
+   def Evaluate(skS, input, info):
+     inputElement = G.HashToGroup(input)
+     if inputElement == G.Identity():
+       raise InvalidInputError
+
+     framedInfo = "Info" || I2OSP(len(info), 2) || info
+     m = G.HashToScalar(framedInfo)
+     t = skS + m
+     if t == 0:
+       raise InverseError
+     evaluatedElement = G.ScalarInverse(t) * inputElement
+     issuedElement = G.SerializeElement(evaluatedElement)
+
+     hashInput = I2OSP(len(input), 2) || input ||
+                 I2OSP(len(info), 2) || info ||
+                 I2OSP(len(issuedElement), 2) || issuedElement ||
+                 "Finalize"
+     return Hash(hashInput)
+
+4.  Ciphersuites
+
+   A ciphersuite (also referred to as 'suite' in this document) for the
+   protocol wraps the functionality required for the protocol to take
+   place.  The ciphersuite should be available to both the client and
+   server, and agreement on the specific instantiation is assumed
+   throughout.
+
+   A ciphersuite contains instantiations of the following
+   functionalities:
+
+   Group:  A prime-order group exposing the API detailed in Section 2.1,
+      with the generator element defined in the corresponding reference
+      for each group.  Each group also specifies HashToGroup,
+      HashToScalar, and serialization functionalities.  For HashToGroup,
+      the domain separation tag (DST) is constructed in accordance with
+      the recommendations in [RFC9380], Section 3.1.  For HashToScalar,
+      each group specifies an integer order that is used in reducing
+      integer values to a member of the corresponding scalar field.
+
+   Hash:  A cryptographic hash function whose output length is Nh bytes
+      long.
+
+   This section includes an initial set of ciphersuites with supported
+   groups and hash functions.  It also includes implementation details
+   for each ciphersuite, focusing on input validation.  Future documents
+   can specify additional ciphersuites as needed, provided they meet the
+   requirements in Section 4.6.
+
+   For each ciphersuite, contextString is that which is computed in the
+   Setup functions.  Applications should take caution in using
+   ciphersuites targeting P-256 and ristretto255.  See Section 7.2 for
+   related discussion.
+
+4.1.  OPRF(ristretto255, SHA-512)
+
+   This ciphersuite uses ristretto255 [RFC9496] for the Group and
+   SHA-512 for the hash function.  The value of the ciphersuite
+   identifier is "ristretto255-SHA512".
+
+   Group:  ristretto255 [RFC9496]
+
+      Order():  Return 2^252 + 27742317777372353535851937790883648493
+         (see [RFC9496]).
+
+      Identity():  As defined in [RFC9496].
+
+      Generator():  As defined in [RFC9496].
+
+      HashToGroup():  Use hash_to_ristretto255 [RFC9380] with DST =
+         "HashToGroup-" || contextString and expand_message =
+         expand_message_xmd using SHA-512.
+
+      HashToScalar():  Compute uniform_bytes using expand_message =
+         expand_message_xmd, DST = "HashToScalar-" || contextString, and
+         an output length of 64 bytes, interpret uniform_bytes as a
+         512-bit integer in little-endian order, and reduce the integer
+         modulo Group.Order().
+
+      ScalarInverse(s):  Returns the multiplicative inverse of input
+         Scalar s mod Group.Order().
+
+      RandomScalar():  Implemented by returning a uniformly random
+         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
+         for implementation guidance.
+
+      SerializeElement(A):  Implemented using the Encode function from
+         Section 4.3.2 of [RFC9496]; Ne = 32.
+
+      DeserializeElement(buf):  Implemented using the Decode function
+         from Section 4.3.1 of [RFC9496].  Additionally, this function
+         validates that the resulting element is not the group identity
+         element.  If these checks fail, deserialization returns an
+         InputValidationError error.
+
+      SerializeScalar(s):  Implemented by outputting the little-endian,
+         32-byte encoding of the Scalar value with the top three bits
+         set to zero; Ns = 32.
+
+      DeserializeScalar(buf):  Implemented by attempting to deserialize
+         a Scalar from a little-endian, 32-byte string.  This function
+         can fail if the input does not represent a Scalar in the range
+         [0, G.Order() - 1].  Note that this means the top three bits of
+         the input MUST be zero.
+
+   Hash:  SHA-512; Nh = 64.
+
+4.2.  OPRF(decaf448, SHAKE-256)
+
+   This ciphersuite uses decaf448 [RFC9496] for the Group and SHAKE-256
+   for the hash function.  The value of the ciphersuite identifier is
+   "decaf448-SHAKE256".
+
+   Group:  decaf448 [RFC9496]
+
+      Order():  Return 2^446 - 13818066809895115352007386748515426880336
+         692474882178609894547503885.
+
+      Identity():  As defined in [RFC9496].
+
+      Generator():  As defined in [RFC9496].
+
+      RandomScalar():  Implemented by returning a uniformly random
+         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
+         for implementation guidance.
+
+      HashToGroup():  Use hash_to_decaf448 [RFC9380] with DST =
+         "HashToGroup-" || contextString and expand_message =
+         expand_message_xof using SHAKE-256.
+
+      HashToScalar():  Compute uniform_bytes using expand_message =
+         expand_message_xof, DST = "HashToScalar-" || contextString, and
+         output length 64, interpret uniform_bytes as a 512-bit integer
+         in little-endian order, and reduce the integer modulo
+         Group.Order().
+
+      ScalarInverse(s):  Returns the multiplicative inverse of input
+         Scalar s mod Group.Order().
+
+      SerializeElement(A):  Implemented using the Encode function from
+         Section 5.3.2 of [RFC9496]; Ne = 56.
+
+      DeserializeElement(buf):  Implemented using the Decode function
+         from Section 5.3.1 of [RFC9496].  Additionally, this function
+         validates that the resulting element is not the group identity
+         element.  If these checks fail, deserialization returns an
+         InputValidationError error.
+
+      SerializeScalar(s):  Implemented by outputting the little-endian,
+         56-byte encoding of the Scalar value; Ns = 56.
+
+      DeserializeScalar(buf):  Implemented by attempting to deserialize
+         a Scalar from a little-endian, 56-byte string.  This function
+         can fail if the input does not represent a Scalar in the range
+         [0, G.Order() - 1].
+
+   Hash:  SHAKE-256; Nh = 64.
+
+4.3.  OPRF(P-256, SHA-256)
+
+   This ciphersuite uses P-256 [NISTCurves] for the Group and SHA-256
+   for the hash function.  The value of the ciphersuite identifier is
+   "P256-SHA256".
+
+   Group:  P-256 (secp256r1) [NISTCurves]
+
+      Order():  Return 0xffffffff00000000ffffffffffffffffbce6faada7179e8
+         4f3b9cac2fc632551.
+
+      Identity():  As defined in [NISTCurves].
+
+      Generator():  As defined in [NISTCurves].
+
+      RandomScalar():  Implemented by returning a uniformly random
+         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
+         for implementation guidance.
+
+      HashToGroup():  Use hash_to_curve with suite P256_XMD:SHA-
+         256_SSWU_RO_ [RFC9380] and DST = "HashToGroup-" ||
+         contextString.
+
+      HashToScalar():  Use hash_to_field from [RFC9380] using L = 48,
+         expand_message_xmd with SHA-256, DST = "HashToScalar-" ||
+         contextString, and a prime modulus equal to Group.Order().
+
+      ScalarInverse(s):  Returns the multiplicative inverse of input
+         Scalar s mod Group.Order().
+
+      SerializeElement(A):  Implemented using the compressed Elliptic-
+         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
+         33.
+
+      DeserializeElement(buf):  Implemented by attempting to deserialize
+         a 33-byte input string to a public key using the compressed
+         Octet-String-to-Elliptic-Curve-Point method according to [SEC1]
+         and then performing partial public-key validation, as defined
+         in Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
+         that the coordinates of the resulting point are in the correct
+         range, that the point is on the curve, and that the point is
+         not the group identity element.  If these checks fail,
+         deserialization returns an InputValidationError error.
+
+      SerializeScalar(s):  Implemented using the Field-Element-to-Octet-
+         String conversion according to [SEC1]; Ns = 32.
+
+      DeserializeScalar(buf):  Implemented by attempting to deserialize
+         a Scalar from a 32-byte string using Octet-String-to-Field-
+         Element from [SEC1].  This function can fail if the input does
+         not represent a Scalar in the range [0, G.Order() - 1].
+
+   Hash:  SHA-256; Nh = 32.
+
+4.4.  OPRF(P-384, SHA-384)
+
+   This ciphersuite uses P-384 [NISTCurves] for the Group and SHA-384
+   for the hash function.  The value of the ciphersuite identifier is
+   "P384-SHA384".
+
+   Group:  P-384 (secp384r1) [NISTCurves]
+
+      Order():  Return 0xfffffffffffffffffffffffffffffffffffffffffffffff
+         fc7634d81f4372ddf581a0db248b0a77aecec196accc52973.
+
+      Identity():  As defined in [NISTCurves].
+
+      Generator():  As defined in [NISTCurves].
+
+      RandomScalar():  Implemented by returning a uniformly random
+         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
+         for implementation guidance.
+
+      HashToGroup():  Use hash_to_curve with suite P384_XMD:SHA-
+         384_SSWU_RO_ [RFC9380] and DST = "HashToGroup-" ||
+         contextString.
+
+      HashToScalar():  Use hash_to_field from [RFC9380] using L = 72,
+         expand_message_xmd with SHA-384, DST = "HashToScalar-" ||
+         contextString, and a prime modulus equal to Group.Order().
+
+      ScalarInverse(s):  Returns the multiplicative inverse of input
+         Scalar s mod Group.Order().
+
+      SerializeElement(A):  Implemented using the compressed Elliptic-
+         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
+         49.
+
+      DeserializeElement(buf):  Implemented by attempting to deserialize
+         a 49-byte array to a public key using the compressed Octet-
+         String-to-Elliptic-Curve-Point method according to [SEC1] and
+         then performing partial public-key validation, as defined in
+         Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
+         that the coordinates of the resulting point are in the correct
+         range, that the point is on the curve, and that the point is
+         not the point at infinity.  Additionally, this function
+         validates that the resulting element is not the group identity
+         element.  If these checks fail, deserialization returns an
+         InputValidationError error.
+
+      SerializeScalar(s):  Implemented using the Field-Element-to-Octet-
+         String conversion according to [SEC1]; Ns = 48.
+
+      DeserializeScalar(buf):  Implemented by attempting to deserialize
+         a Scalar from a 48-byte string using Octet-String-to-Field-
+         Element from [SEC1].  This function can fail if the input does
+         not represent a Scalar in the range [0, G.Order() - 1].
+
+   Hash:  SHA-384; Nh = 48.
+
+4.5.  OPRF(P-521, SHA-512)
+
+   This ciphersuite uses P-521 [NISTCurves] for the Group and SHA-512
+   for the hash function.  The value of the ciphersuite identifier is
+   "P521-SHA512".
+
+   Group:  P-521 (secp521r1) [NISTCurves]
+
+      Order():  Return 0x01fffffffffffffffffffffffffffffffffffffffffffff
+         ffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b889
+         9c47aebb6fb71e91386409.
+
+      Identity():  As defined in [NISTCurves].
+
+      Generator():  As defined in [NISTCurves].
+
+      RandomScalar():  Implemented by returning a uniformly random
+         Scalar in the range [0, G.Order() - 1].  Refer to Section 4.7
+         for implementation guidance.
+
+      HashToGroup():  Use hash_to_curve with suite P521_XMD:SHA-
+         512_SSWU_RO_ [RFC9380] and DST = "HashToGroup-" ||
+         contextString.
+
+      HashToScalar():  Use hash_to_field from [RFC9380] using L = 98,
+         expand_message_xmd with SHA-512, DST = "HashToScalar-" ||
+         contextString, and a prime modulus equal to Group.Order().
+
+      ScalarInverse(s):  Returns the multiplicative inverse of input
+         Scalar s mod Group.Order().
+
+      SerializeElement(A):  Implemented using the compressed Elliptic-
+         Curve-Point-to-Octet-String method according to [SEC1]; Ne =
+         67.
+
+      DeserializeElement(buf):  Implemented by attempting to deserialize
+         a 67-byte input string to a public key using the compressed
+         Octet-String-to-Elliptic-Curve-Point method according to [SEC1]
+         and then performing partial public-key validation, as defined
+         in Section 5.6.2.3.4 of [KEYAGREEMENT].  This includes checking
+         that the coordinates of the resulting point are in the correct
+         range, that the point is on the curve, and that the point is
+         not the point at infinity.  Additionally, this function
+         validates that the resulting element is not the group identity
+         element.  If these checks fail, deserialization returns an
+         InputValidationError error.
+
+      SerializeScalar(s):  Implemented using the Field-Element-to-Octet-
+         String conversion according to [SEC1]; Ns = 66.
+
+      DeserializeScalar(buf):  Implemented by attempting to deserialize
+         a Scalar from a 66-byte string using Octet-String-to-Field-
+         Element from [SEC1].  This function can fail if the input does
+         not represent a Scalar in the range [0, G.Order() - 1].
+
+   Hash:  SHA-512; Nh = 64.
+
+4.6.  Future Ciphersuites
+
+   A critical requirement of implementing the prime-order group using
+   elliptic curves is a method to instantiate the function HashToGroup,
+   which maps inputs to group elements.  In the elliptic curve setting,
+   this deterministically maps inputs (as byte arrays) to uniformly
+   chosen points on the curve.
+
+   In the security proof of the construction, Hash is modeled as a
+   random oracle.  This implies that any instantiation of HashToGroup
+   must be pre-image and collision resistant.  In Section 4, we give
+   instantiations of this functionality based on the functions described
+   in [RFC9380].  Consequently, any OPRF implementation must adhere to
+   the implementation and security considerations discussed in [RFC9380]
+   when instantiating the function.
+
+   The DeserializeElement and DeserializeScalar functions instantiated
+   for a particular prime-order group corresponding to a ciphersuite
+   MUST adhere to the description in Section 2.1.  Future ciphersuites
+   MUST describe how input validation is done for DeserializeElement and
+   DeserializeScalar.
+
+   Additionally, future ciphersuites must take care when choosing the
+   security level of the group.  See Section 7.2.3 for additional
+   details.
+
+4.7.  Random Scalar Generation
+
+   Two popular algorithms for generating a random integer uniformly
+   distributed in the range [0, G.Order() - 1] are described in the
+   following subsections.
+
+4.7.1.  Rejection Sampling
+
+   Generate a random byte array with Ns bytes and attempt to map to a
+   Scalar by calling DeserializeScalar in constant time.  If it
+   succeeds, return the result.  If it fails, try again with another
+   random byte array until the procedure succeeds.  Failure to implement
+   DeserializeScalar in constant time can leak information about the
+   underlying corresponding Scalar.
+
+   As an optimization, if the group order is very close to a power of 2,
+   it is acceptable to omit the rejection test completely.  In
+   particular, if the group order is p and there is an integer b such
+   that |p - 2^b| is less than 2^(b/2), then RandomScalar can simply
+   return a uniformly random integer of at most b bits.
+
+4.7.2.  Random Number Generation Using Extra Random Bits
+
+   Generate a random byte array with L = ceil(((3 *
+   ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an
+   integer; reduce the integer modulo G.Order(), and return the result.
+   See [RFC9380], Section 5 for the underlying derivation of L.
+
+5.  Application Considerations
+
+   This section describes considerations for applications, including
+   external interface recommendations, explicit error treatment, and
+   public input representation for the POPRF protocol variant.
+
+5.1.  Input Limits
+
+   Application inputs, expressed as PrivateInput or PublicInput values,
+   MUST be smaller than 2^16 - 1 bytes in length.  Applications that
+   require longer inputs can use a cryptographic hash function to map
+   these longer inputs to a fixed-length input that fits within the
+   PublicInput or PrivateInput length bounds.  Note that some
+   cryptographic hash functions have input length restrictions
+   themselves, but these limits are often large enough to not be a
+   concern in practice.  For example, SHA-256 has an input limit of 2^61
+   bytes.
+
+5.2.  External Interface Recommendations
+
+   In Section 3.3, the interface of the protocol functions allows that
+   some inputs (and outputs) to be group Element and Scalar values.
+   However, implementations can instead operate over Element and Scalar
+   values internally and only expose interfaces that operate with an
+   application-specific format of messages.
+
+5.3.  Error Considerations
+
+   Some OPRF variants specified in this document have fallible
+   operations.  For example, Finalize and BlindEvaluate can fail if any
+   element received from the peer fails input validation.  The explicit
+   errors generated throughout this specification, along with the
+   conditions that lead to each error, are as follows:
+
+   VerifyError:  Verifiable OPRF proof verification failed (Sections
+      3.3.2 and 3.3.3).
+
+   DeserializeError:  Group Element or Scalar deserialization failure
+      (Sections 2.1 and 3.3).
+
+   InputValidationError:  Validation of byte array inputs failed
+      (Section 4).
+
+   There are other explicit errors generated in this specification;
+   however, they occur with negligible probability in practice.  We note
+   them here for completeness.
+
+   InvalidInputError:  OPRF Blind input produces an invalid output
+      element (Sections 3.3.1 and 3.3.3).
+
+   InverseError:  A tweaked private key is invalid, i.e., has no
+      multiplicative inverse (Sections 2.1 and 3.3).
+
+   In general, the errors in this document are meant as a guide to
+   implementors.  They are not an exhaustive list of all the errors an
+   implementation might emit.  For example, implementations might run
+   out of memory and return a corresponding error.
+
+5.4.  POPRF Public Input
+
+   Functionally, the VOPRF and POPRF variants differ in that the POPRF
+   variant admits public input, whereas the VOPRF variant does not.
+   Public input allows clients and servers to cryptographically bind
+   additional data to the POPRF output.  A POPRF with fixed public input
+   is functionally equivalent to a VOPRF.  However, there are
+   differences in the underlying security assumptions made about each
+   variant; see Section 7.2 for more details.
+
+   This public input is known to both parties at the start of the
+   protocol.  It is RECOMMENDED that this public input be constructed
+   with some type of higher-level domain separation to avoid cross
+   protocol attacks or related issues.  For example, protocols using
+   this construction might ensure that the public input uses a unique,
+   prefix-free encoding.  See [RFC9380], Section 10.4 for further
+   discussion on constructing domain separation values.
+
+   Implementations of the POPRF may choose to not let applications
+   control info in cases where this value is fixed or otherwise not
+   useful to the application.  In this case, the resulting protocol is
+   functionally equivalent to the VOPRF, which does not admit public
+   input.
+
+6.  IANA Considerations
+
+   This document has no IANA actions.
+
+7.  Security Considerations
+
+   This section discusses the security of the protocols defined in this
+   specification, along with some suggestions and trade-offs that arise
+   from the implementation of the protocol variants in this document.
+   Note that the syntax of the POPRF variant is different from that of
+   the OPRF and VOPRF variants since it admits an additional public
+   input, but the same security considerations apply.
+
+7.1.  Security Properties
+
+   The security properties of an OPRF protocol with functionality y =
+   F(k, x) include those of a standard PRF.  Specifically:
+
+   Pseudorandomness:  For a random sampling of k, F is pseudorandom if
+      the output y = F(k, x) on any input x is indistinguishable from
+      uniformly sampling any element in F's range.
+
+   In other words, consider an adversary that picks inputs x from the
+   domain of F and evaluates F on (k, x) (without knowledge of randomly
+   sampled k).  Then, the output distribution F(k, x) is
+   indistinguishable from the output distribution of a randomly chosen
+   function with the same domain and range.
+
+   A consequence of showing that a function is pseudorandom is that it
+   is necessarily nonmalleable (i.e., we cannot compute a new evaluation
+   of F from an existing evaluation).  A genuinely random function will
+   be nonmalleable with high probability, so a pseudorandom function
+   must be nonmalleable to maintain indistinguishability.
+
+   Unconditional input secrecy:  The server does not learn anything
+      about the client input x, even with unbounded computation.
+
+   In other words, an attacker with infinite computing power cannot
+   recover any information about the client's private input x from an
+   invocation of the protocol.
+
+   Essentially, input secrecy is the property that, even if the server
+   learns the client's private input x at some point in the future, the
+   server cannot link any particular PRF evaluation to x.  This property
+   is also known as unlinkability [DGSTV18].
+
+   Beyond client input secrecy, in the OPRF protocol, the server learns
+   nothing about the output y of the function, nor does the client learn
+   anything about the server's private key k.
+
+   For the VOPRF and POPRF protocol variants, there is an additional
+   security property:
+
+   Verifiable:  The client must only complete execution of the protocol
+      if it can successfully assert that the output it computes is
+      correct.  This is taken with respect to the private key held by
+      the server.
+
+   Any VOPRF or POPRF that satisfies the 'verifiable' security property
+   is known as 'verifiable'.  In practice, the notion of verifiability
+   requires that the server commits to the key before the actual
+   protocol execution takes place.  Then, the client verifies that the
+   server has used the key in the protocol using this commitment.  In
+   the following, we may also refer to this commitment as a public key.
+
+   Finally, the POPRF variant also has the following security property:
+
+   Partial obliviousness:  The client and server must be able to perform
+      the PRF on the client's private and public input.  Both the client
+      and server know the public input, but similar to the OPRF and
+      VOPRF protocols, the server learns nothing about the client's
+      private input or the output of the function, and the client learns
+      nothing about the server's private key.
+
+   This property becomes useful when dealing with key management
+   operations, such as the rotation of the server's keys.  Note that
+   partial obliviousness only applies to the POPRF variant because
+   neither the OPRF nor VOPRF variants accept public input to the
+   protocol.
+
+   Since the POPRF variant has a different syntax than the OPRF and
+   VOPRF variants, i.e., y = F(k, x, info), the pseudorandomness
+   property is generalized:
+
+   Pseudorandomness:  For a random sampling of k, F is pseudorandom if
+      the output y = F(k, x, info) on any input pairs (x, info) is
+      indistinguishable from uniformly sampling any element in F's
+      range.
+
+7.2.  Security Assumptions
+
+   Below, we discuss the cryptographic security of each protocol variant
+   from Section 3, relative to the necessary cryptographic assumptions
+   that need to be made.
+
+7.2.1.  OPRF and VOPRF Assumptions
+
+   The OPRF and VOPRF protocol variants in this document are based on
+   [JKK14].  In particular, the VOPRF construction is similar to the
+   [JKK14] construction with the following distinguishing properties:
+
+   1.  This document does not use session identifiers to differentiate
+       different instances of the protocol.
+
+   2.  This document supports batching so that multiple evaluations can
+       happen at once whilst only constructing one DLEQ proof object.
+       This is enabled using an established batching technique
+       [DGSTV18].
+
+   The pseudorandomness and input secrecy (and verifiability) of the
+   OPRF (and VOPRF) protocols in [JKK14] are based on the One-More Gap
+   Computational Diffie-Hellman assumption that is computationally
+   difficult to solve in the corresponding prime-order group.  In
+   [JKK14], these properties are proven for one instance (i.e., one key)
+   of the VOPRF protocol and without batching.  There is currently no
+   security analysis available for the VOPRF protocol described in this
+   document in a setting with multiple server keys or batching.
+
+7.2.2.  POPRF Assumptions
+
+   The POPRF construction in this document is based on the construction
+   known as 3HashSDHI, given by [TCRSTW21].  The construction is
+   identical to 3HashSDHI, except that this design can optionally
+   perform multiple POPRF evaluations in one batch, whilst only
+   constructing one DLEQ proof object.  This is enabled using an
+   established batching technique [DGSTV18].
+
+   Pseudorandomness, input secrecy, verifiability, and partial
+   obliviousness of the POPRF variant is based on the assumption that
+   the One-More Gap Strong Diffie-Hellman Inversion (SDHI) assumption
+   from [TCRSTW21] is computationally difficult to solve in the
+   corresponding prime-order group.  Tyagi et al. [TCRSTW21] show that
+   both the One-More Gap Computational Diffie-Hellman assumption and the
+   One-More Gap SDHI assumption reduce to the q-DL (Discrete Log)
+   assumption in the algebraic group model for some q number of
+   BlindEvaluate queries.  (The One-More Gap Computational Diffie-
+   Hellman assumption was the hardness assumption used to evaluate the
+   OPRF and VOPRF designs based on [JKK14], which is a predecessor to
+   the POPRF variant in Section 3.3.3.)
+
+7.2.3.  Static Diffie-Hellman Attack and Security Limits
+
+   A side effect of the OPRF protocol variants in this document is that
+   they allow instantiation of an oracle for constructing static Diffie-
+   Hellman (DH) samples; see [BG04] and [Cheon06].  These attacks are
+   meant to recover (bits of) the server private key.  Best-known
+   attacks reduce the security of the prime-order group instantiation by
+   log_2(Q) / 2 bits, where Q is the number of BlindEvaluate calls made
+   by the attacker.
+
+   As a result of this class of attacks, choosing prime-order groups
+   with a 128-bit security level instantiates an OPRF with a reduced
+   security level of 128 - (log_2(Q) / 2) bits of security.  Moreover,
+   such attacks are only possible for those certain applications where
+   the adversary can query the OPRF directly.  Applications can mitigate
+   against this problem in a variety of ways, e.g., by rate-limiting
+   client queries to BlindEvaluate or by rotating private keys.  In
+   applications where such an oracle is not made available, this
+   security loss does not apply.
+
+   In most cases, it would require an informed and persistent attacker
+   to launch a highly expensive attack to reduce security to anything
+   much below 100 bits of security.  Applications that admit the
+   aforementioned oracle functionality and that cannot tolerate discrete
+   logarithm security of lower than 128 bits are RECOMMENDED to choose
+   groups that target a higher security level, such as decaf448 (used by
+   ciphersuite decaf448-SHAKE256), P-384 (used by ciphersuite
+   P384-SHA384), or P-521 (used by ciphersuite P521-SHA512).
+
+7.3.  Domain Separation
+
+   Applications SHOULD construct input to the protocol to provide domain
+   separation.  Any system that has multiple OPRF applications should
+   distinguish client inputs to ensure the OPRF results are separate.
+   Guidance for constructing info can be found in [RFC9380],
+   Section 3.1.
+
+7.4.  Timing Leaks
+
+   To ensure no information is leaked during protocol execution, all
+   operations that use secret data MUST run in constant time.  This
+   includes all prime-order group operations and proof-specific
+   operations that operate on secret data, including GenerateProof and
+   BlindEvaluate.
+
+8.  References
+
+8.1.  Normative References
+
+   [KEYAGREEMENT]
+              Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
+              Davis, "Recommendation for pair-wise key-establishment
+              schemes using discrete logarithm cryptography", NIST
+              SP 800-56A (Rev. 3), DOI 10.6028/nist.sp.800-56ar3, April
+              2018, <https://doi.org/10.6028/nist.sp.800-56ar3>.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119,
+              DOI 10.17487/RFC2119, March 1997,
+              <https://www.rfc-editor.org/info/rfc2119>.
+
+   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
+              "PKCS #1: RSA Cryptography Specifications Version 2.2",
+              RFC 8017, DOI 10.17487/RFC8017, November 2016,
+              <https://www.rfc-editor.org/info/rfc8017>.
+
+   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+              May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+   [RFC9380]  Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S.,
+              and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380,
+              DOI 10.17487/RFC9380, August 2023,
+              <https://www.rfc-editor.org/info/rfc9380>.
+
+   [RFC9496]  de Valence, H., Grigg, J., Hamburg, M., Lovecruft, I.,
+              Tankersley, G., and F. Valsorda, "The ristretto255 and
+              decaf448 Groups", RFC 9496, DOI 10.17487/RFC9496, December
+              2023, <https://www.rfc-editor.org/info/rfc9496>.
+
+8.2.  Informative References
+
+   [BG04]     Brown, D. and R. Gallant, "The Static Diffie-Hellman
+              Problem", November 2004,
+              <https://eprint.iacr.org/2004/306>.
+
+   [ChaumPedersen]
+              Chaum, D. and T. Pedersen, "Wallet Databases with
+              Observers", Advances in Cryptology - CRYPTO' 92, pp.
+              89-105, DOI 10.1007/3-540-48071-4_7, August 1992,
+              <https://doi.org/10.1007/3-540-48071-4_7>.
+
+   [Cheon06]  Cheon, J., "Security Analysis of the Strong Diffie-Hellman
+              Problem", Advances in Cryptology - EUROCRYPT 2006, pp.
+              1-11, DOI 10.1007/11761679_1, 2006,
+              <https://doi.org/10.1007/11761679_1>.
+
+   [DGSTV18]  Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G.,
+              and F. Valsorda, "Privacy Pass: Bypassing Internet
+              Challenges Anonymously", Proceedings on Privacy Enhancing
+              Technologies, vol. 2018, no. 3, pp. 164-180, DOI 
+              10.1515/popets-2018-0026, April 2018,
+              <https://doi.org/10.1515/popets-2018-0026>.
+
+   [FS00]     Fiat, A. and A. Shamir, "How To Prove Yourself: Practical
+              Solutions to Identification and Signature Problems",
+              Advances in Cryptology - CRYPTO' 86, pp. 186-194,
+              DOI 10.1007/3-540-47721-7_12, 1986,
+              <https://doi.org/10.1007/3-540-47721-7_12>.
+
+   [JKK14]    Jarecki, S., Kiayias, A., and H. Krawczyk, "Round-Optimal
+              Password-Protected Secret Sharing and T-PAKE in the
+              Password-Only Model", Lecture Notes in Computer Science,
+              pp. 233-253, DOI 10.1007/978-3-662-45608-8_13, 2014,
+              <https://doi.org/10.1007/978-3-662-45608-8_13>.
+
+   [JKKX16]   Jarecki, S., Kiayias, A., Krawczyk, H., and J. Xu,
+              "Highly-Efficient and Composable Password-Protected Secret
+              Sharing (Or: How to Protect Your Bitcoin Wallet Online)",
+              2016 IEEE European Symposium on Security and Privacy
+              (EuroS&P), DOI 10.1109/eurosp.2016.30, March 2016,
+              <https://doi.org/10.1109/eurosp.2016.30>.
+
+   [NISTCurves]
+              National Institute of Standards and Technology (NIST),
+              "Digital Signature Standard (DSS)", FIPS PUB 186-5,
+              DOI 10.6028/NIST.FIPS.186-5, February 2023,
+              <https://doi.org/10.6028/NIST.FIPS.186-5>.
+
+   [OPAQUE]   Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
+              OPAQUE Asymmetric PAKE Protocol", Work in Progress,
+              Internet-Draft, draft-irtf-cfrg-opaque-13, 18 December
+              2023, <https://datatracker.ietf.org/doc/html/draft-irtf-
+              cfrg-opaque-13>.
+
+   [PRIVACY-PASS]
+              Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
+              "Privacy Pass Issuance Protocol", Work in Progress,
+              Internet-Draft, draft-ietf-privacypass-protocol-16, 3
+              October 2023, <https://datatracker.ietf.org/doc/html/
+              draft-ietf-privacypass-protocol-16>.
+
+   [PrivacyPass]
+              "Privacy Pass", commit 085380a, March 2018,
+              <https://github.com/privacypass/team>.
+
+   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
+              for Security", RFC 7748, DOI 10.17487/RFC7748, January
+              2016, <https://www.rfc-editor.org/info/rfc7748>.
+
+   [SEC1]     Standards for Efficient Cryptography Group (SECG), "SEC 1:
+              Elliptic Curve Cryptography", May 2009,
+              <https://www.secg.org/sec1-v2.pdf>.
+
+   [SJKS17]   Shirvanian, M., Jarecki, S., Krawczyk, H., and N. Saxena,
+              "SPHINX: A Password Store that Perfectly Hides Passwords
+              from Itself", 2017 IEEE 37th International Conference on
+              Distributed Computing Systems (ICDCS),
+              DOI 10.1109/ICDCS.2017.64, June 2017,
+              <https://doi.org/10.1109/ICDCS.2017.64>.
+
+   [TCRSTW21] Tyagi, N., Celi, S., Ristenpart, T., Sullivan, N.,
+              Tessaro, S., and C. A. Wood, "A Fast and Simple Partially
+              Oblivious PRF, with Applications", Advances in Cryptology
+              - EUROCRYPT 2022 pp. 674-705,
+              DOI 10.1007/978-3-031-07085-3_23, May 2022,
+              <https://doi.org/10.1007/978-3-031-07085-3_23>.
+
+Appendix A.  Test Vectors
+
+   This section includes test vectors for the protocol variants
+   specified in this document.  For each ciphersuite specified in
+   Section 4, there is a set of test vectors for the protocol when
+   running the OPRF, VOPRF, and POPRF modes.  Each test vector lists the
+   batch size for the evaluation.  Each test vector value is encoded as
+   a hexadecimal byte string.  The fields of each test vector are
+   described below.
+
+   "Input":  The private client input, an opaque byte string.
+
+   "Info":  The public info, an opaque byte string.  Only present for
+      POPRF test vectors.
+
+   "Blind":  The blind value output by Blind(), a serialized Scalar of
+      Ns bytes long.
+
+   "BlindedElement":  The blinded value output by Blind(), a serialized
+      Element of Ne bytes long.
+
+   "EvaluatedElement":  The evaluated element output by BlindEvaluate(),
+      a serialized Element of Ne bytes long.
+
+   "Proof":  The serialized Proof output from GenerateProof() composed
+      of two serialized Scalar values, each Ns bytes long.  Only present
+      for VOPRF and POPRF test vectors.
+
+   "ProofRandomScalar":  The random Scalar r computed in
+      GenerateProof(), a serialized Scalar of Ns bytes long.  Only
+      present for VOPRF and POPRF test vectors.
+
+   "Output":  The protocol output, an opaque byte string of Nh bytes
+      long.
+
+   Test vectors with batch size B > 1 have inputs separated by a comma
+   ",".  Applicable test vectors will have B different values for the
+   "Input", "Blind", "BlindedElement", "EvaluationElement", and "Output"
+   fields.
+
+   The server key material, pkSm and skSm, are listed under the mode for
+   each ciphersuite.  Both pkSm and skSm are the serialized values of
+   pkS and skS, respectively, as used in the protocol.  Each key pair is
+   derived from a seed, denoted Seed, and info string, denoted KeyInfo,
+   which are listed as well, using the DeriveKeyPair function from
+   Section 3.2.
+
+A.1.  ristretto255-SHA512
+
+A.1.1.  OPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 5ebcea5ee37023ccb9fc2d2019f9d7737be85591ae8652ffa9ef0f4d37063
+   b0e
+
+A.1.1.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = 609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa
+   2dc99e412803c
+   EvaluationElement = 7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2
+   d8cc917ea0869c7e
+   Output = 527759c3d9366f277d8c6020418d96bb393ba2afb20ff90df23fb770826
+   4e2f3ab9135e3bd69955851de4b1f9fe8a0973396719b7912ba9ee8aa7d0b5e24bcf
+   6
+
+A.1.1.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = da27ef466870f5f15296299850aa088629945a17d1f5b7f5ff0
+   43f76b3c06418
+   EvaluationElement = b4cbf5a4f1eeda5a63ce7b77c7d23f461db3fcab0dd28e4e
+   17cecb5c90d02c25
+   Output = f4a74c9c592497375e796aa837e907b1a045d34306a749db9f34221f7e7
+   50cb4f2a6413a6bf6fa5e19ba6348eb673934a722a7ede2e7621306d18951e7cf2c7
+   3
+
+A.1.2.  VOPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = e6f73f344b79b379f1a0dd37e07ff62e38d9f71345ce62ae3a9bc60b04ccd
+   909
+   pkSm = c803e2cc6b05fc15064549b5920659ca4a77b2cca6f04f6b357009335476a
+   d4e
+
+A.1.2.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
+   642ddc439b945
+   EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
+   9c7669a9a014267e
+   Proof = ddef93772692e535d1a53903db24367355cc2cc78de93b3be5a8ffcc6985
+   dd066d4346421d17bf5117a2a1ff0fcb2a759f58a539dfbe857a40bce4cf49ec600d
+   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
+   81aa6f61d645fc0e
+   Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
+   a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
+   c
+
+A.1.2.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = cc0b2a350101881d8a4cba4c80241d74fb7dcbfde4a61fde2f9
+   1443c2bf9ef0c
+   EvaluationElement = 60a59a57208d48aca71e9e850d22674b611f752bed48b36f
+   7a91b372bd7ad468
+   Proof = 401a0da6264f8cf45bb2f5264bc31e109155600babb3cd4e5af7d181a2c9
+   dc0a67154fabf031fd936051dec80b0b6ae29c9503493dde7393b722eafdf5a50b02
+   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
+   81aa6f61d645fc0e
+   Output = 8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a
+   6df60356f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b
+   6
+
+A.1.2.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
+   e
+   BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
+   642ddc439b945,90a0145ea9da29254c3a56be4fe185465ebb3bf2a1801f7124bbba
+   dac751e654
+   EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
+   9c7669a9a014267e,cc5ac221950a49ceaa73c8db41b82c20372a4c8d63e5dded2db
+   920b7eee36a2a
+   Proof = cc203910175d786927eeb44ea847328047892ddf8590e723c37205cb7460
+   0b0a5ab5337c8eb4ceae0494c2cf89529dcf94572ed267473d567aeed6ab873dee08
+   ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
+   cf037f9ea84bbe0c
+   Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
+   a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
+   c,8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a6df6035
+   6f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b6
+
+A.1.3.  POPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 145c79c108538421ac164ecbe131942136d5570b16d8bf41a24d4337da981
+   e07
+   pkSm = c647bef38497bc6ec077c22af65b696efa43bff3b4a1975a3e8e0a1c5a79d
+   631
+
+A.1.3.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
+   dd8f3d461f715
+   EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
+   5693e2078450d874
+   Proof = 41ad1a291aa02c80b0915fbfbb0c0afa15a57e2970067a602ddb9e8fd6b7
+   100de32e1ecff943a36f0b10e3dae6bd266cdeb8adf825d86ef27dbc6c0e30c52206
+   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
+   81aa6f61d645fc0e
+   Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
+   2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
+   1
+
+A.1.3.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706
+   BlindedElement = f0f0b209dd4d5f1844dac679acc7761b91a2e704879656cb7c2
+   01e82a99ab07d
+   EvaluationElement = 8c3c9d064c334c6991e99f286ea2301d1bde170b54003fb9
+   c44c6d7bd6fc1540
+   Proof = 4c39992d55ffba38232cdac88fe583af8a85441fefd7d1d4a8d0394cd1de
+   77018bf135c174f20281b3341ab1f453fe72b0293a7398703384bed822bfdeec8908
+   ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
+   81aa6f61d645fc0e
+   Output = 7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b
+   56a52de2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae50
+   7
+
+A.1.3.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
+   6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
+   e
+   BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
+   dd8f3d461f715,423a01c072e06eb1cce96d23acce06e1ea64a609d7ec9e9023f304
+   9f2d64e50c
+   EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
+   5693e2078450d874,aa1f16e903841036e38075da8a46655c94fc92341887eb5819f
+   46312adfc0504
+   Proof = 43fdb53be399cbd3561186ae480320caa2b9f36cca0e5b160c4a677b8bbf
+   4301b28f12c36aa8e11e5a7ef551da0781e863a6dc8c0b2bf5a149c9e00621f02006
+   ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
+   cf037f9ea84bbe0c
+   Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
+   2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
+   1,7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b56a52de
+   2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae507
+
+A.2.  decaf448-SHAKE256
+
+A.2.1.  OPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29e
+   cc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e
+
+A.2.1.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = e0ae01c4095f08e03b19baf47ffdc19cb7d98e583160522a3c7
+   d6a0b2111cd93a126a46b7b41b730cd7fc943d4e28e590ed33ae475885f6c
+   EvaluationElement = 50ce4e60eed006e22e7027454b5a4b8319eb2bc8ced609eb
+   19eb3ad42fb19e06ba12d382cbe7ae342a0cad6ead0ef8f91f00bb7f0cd9c0a2
+   Output = 37d3f7922d9388a15b561de5829bbf654c4089ede89c0ce0f3f85bcdba0
+   9e382ce0ab3507e021f9e79706a1798ffeac68ebd5cf62e5eb9838c7068351d97ae3
+   7
+
+A.2.1.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = 86a88dc5c6331ecfcb1d9aacb50a68213803c462e377577cacc
+   00af28e15f0ddbc2e3d716f2f39ef95f3ec1314a2c64d940a9f295d8f13bb
+   EvaluationElement = 162e9fa6e9d527c3cd734a31bf122a34dbd5bcb7bb23651f
+   1768a7a9274cc116c03b58afa6f0dede3994a60066c76370e7328e7062fd5819
+   Output = a2a652290055cb0f6f8637a249ee45e32ef4667db0b4c80c0a70d2a6416
+   4d01525cfdad5d870a694ec77972b9b6ec5d2596a5223e5336913f945101f0137f55
+   e
+
+A.2.2.  VOPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104f
+   cc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e
+   pkSm = 945fc518c47695cf65217ace04b86ac5e4cbe26ca649d52854bb16c494ce0
+   9069d6add96b20d4b0ae311a87c9a73e3a146b525763ab2f955
+
+A.2.2.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
+   1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb
+   EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
+   c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467
+   Proof = f84bbeee47aedf43558dae4b95b3853635a9fc1a9ea7eac9b454c64c66c4
+   f49cd1c72711c7ac2e06c681e16ea693d5500bbd7b56455df52f69e00b76b4126961
+   e1562fdbaaac40b7701065cbeece3febbfe09e00160f81775d36daed99d8a2a10be0
+   759e01b7ee81217203416c9db208
+   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
+   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
+   Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
+   5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
+   1
+
+A.2.2.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = 88287e553939090b888ddc15913e1807dc4757215555e1c3a79
+   488ef311594729c7fa74c772a732b78440b7d66d0aa35f3bb316f1d93e1b2
+   EvaluationElement = c00978c73e8e4ee1d447ab0d3ad1754055e72cc85c08e3a0
+   db170909a9c61cbff1f1e7015f289e3038b0f341faea5d7780c130106065c231
+   Proof = 7a2831a6b237e11ac1657d440df93bc5ce00f552e6020a99d5c956ffc4d0
+   7b5ade3e82ecdc257fd53d76239e733e0a1313e84ce16cc0d82734806092a693d7e8
+   d3c420c2cb6ccd5d0ca32514fb78e9ad0973ebdcb52eba438fc73948d76339ee7101
+   21d83e2fe6f001cfdf551aff9f36
+   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
+   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
+   Output = 862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380
+   c959baa8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c94
+   1
+
+A.2.2.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
+   48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
+   a070e5f953d80bb464ea369e5522b
+   BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
+   1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb,2e15f3
+   93c035492a1573627a3606e528c6294c767c8d43b8c691ef70a52cc7dc7d1b53fe45
+   8350a270abb7c231b87ba58266f89164f714d9
+   EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
+   c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467,8ec
+   68e9871b296e81c55647ce64a04fe75d19932f1400544cd601468c60f998408bbb54
+   6601d4a636e8be279e558d70b95c8d4a4f61892be
+   Proof = 167d922f0a6ffa845eed07f8aa97b6ac746d902ecbeb18f49c009adc0521
+   eab1e4d275b74a2dc266b7a194c854e85e7eb54a9a36376dfc04ec7f3bd55fc9618c
+   3970cb548e064f8a2f06183a5702933dbc3e4c25a73438f2108ee1981c306181003c
+   7ea92fce963ec7b4ba4f270e6d38
+   ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
+   6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
+   Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
+   5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
+   1,862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380c959baa
+   8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c941
+
+A.2.3.  POPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22d
+   e402990eb143fd7c67ac66be75e0609705ecea800992aac8e19
+   pkSm = 6c9d12723a5bbcf305522cc04b4a34d9ced2e12831826018ea7b5dcf54526
+   47ad262113059bf0f6e4354319951b9d513c74f29cb0eec38c1
+
+A.2.3.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
+   9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42
+   EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
+   02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c
+   Proof = 66caee75bf2460429f620f6ad3e811d524cb8ddd848a435fc5d89af48877
+   abf6506ee341a0b6f67c2d76cd021e5f3d1c9abe5aa9f0dce016da746135fedba2af
+   41ed1d01659bfd6180d96bc1b7f320c0cb6926011ce392ecca748662564892bae665
+   16acaac6ca39aadf6fcca95af406
+   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
+   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
+   Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
+   971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
+   d
+
+A.2.3.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112
+   BlindedElement = 12082b6a381c6c51e85d00f2a3d828cdeab3f5cb19a10b9c014
+   c33826764ab7e7cfb8b4ff6f411bddb2d64e62a472af1cd816e5b712790c6
+   EvaluationElement = f2919b7eedc05ab807c221fce2b12c4ae9e19e6909c47845
+   64b690d1972d2994ca623f273afc67444d84ea40cbc58fcdab7945f321a52848
+   Proof = a295677c54d1bc4286330907fc2490a7de163da26f9ce03a462a452fea42
+   2b19ade296ba031359b3b6841e48455d20519ad01b4ac4f0b92e76d3cf16fbef0a3f
+   72791a8401ef2d7081d361e502e96b2c60608b9fa566f43d4611c2f161d83aabef7f
+   8017332b26ed1daaf80440772022
+   ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
+   627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
+   Output = 8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf63
+   3126de0c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8
+   d
+
+A.2.3.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
+   3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
+   48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
+   a070e5f953d80bb464ea369e5522b
+   BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
+   9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42,fc8847
+   d43fb4cea4e408f585661a8f2867533fa91d22155d3127a22f18d3b007add480f7d3
+   00bca93fa47fe87ae06a57b7d0f0d4c30b12f0
+   EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
+   02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c,2e7
+   4c626d07de49b1c8c21d87120fd78105f485e36816af9bde3e3efbeef76815326062
+   fd333925b66c5ce5a20f100bf01770c16609f990a
+   Proof = fd94db736f97ea4efe9d0d4ad2933072697a6bbeb32834057b23edf7c700
+   9f011dfa72157f05d2a507c2bbf0b54cad99ab99de05921c021fda7d70e65bcecdb0
+   5f9a30154127ace983c74d10fd910b554c5e95f6bd1565fd1f3dbbe3c523ece5c72d
+   57a559b7be1368c4786db4a3c910
+   ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
+   6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
+   Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
+   971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
+   d,8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf633126de0
+   c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8d
+
+A.3.  P256-SHA256
+
+A.3.1.  OPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 159749d750713afe245d2d39ccfaae8381c53ce92d098a9375ee70739c7ac
+   0bf
+
+A.3.1.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 03723a1e5c09b8b9c18d1dcbca29e8007e95f14f4732d9346d4
+   90ffc195110368d
+   EvaluationElement = 030de02ffec47a1fd53efcdd1c6faf5bdc270912b8749e78
+   3c7ca75bb412958832
+   Output = a0b34de5fa4c5b6da07e72af73cc507cceeb48981b97b7285fc375345fe
+   495dd
+
+A.3.1.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 03cc1df781f1c2240a64d1c297b3f3d16262ef5d4cf10273488
+   2675c26231b0838
+   EvaluationElement = 03a0395fe3828f2476ffcd1f4fe540e5a8489322d398be3c
+   4e5a869db7fcb7c52c
+   Output = c748ca6dd327f0ce85f4ae3a8cd6d4d5390bbb804c9e12dcf94f853fece
+   3dcce
+
+A.3.2.  VOPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = ca5d94c8807817669a51b196c34c1b7f8442fde4334a7121ae4736364312f
+   ca6
+   pkSm = 03e17e70604bcabe198882c0a1f27a92441e774224ed9c702e51dd17038b1
+   02462
+
+A.3.2.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
+   4013648c01277da
+   EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
+   2e9ba29b90ae83e4a2
+   Proof = e7c2b3c5c954c035949f1f74e6bce2ed539a3be267d1481e9ddb178533df
+   4c2664f69d065c604a4fd953e100b856ad83804eb3845189babfa5a702090d6fc5fa
+   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
+   645a1
+
+A.3.2.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 03cd0f033e791c4d79dfa9c6ed750f2ac009ec46cd4195ca6fd
+   3800d1e9b887dbd
+   EvaluationElement = 030d2985865c693bf7af47ba4d3a3813176576383d19aff0
+   03ef7b0784a0d83cf1
+   Proof = 2787d729c57e3d9512d3aa9e8708ad226bc48e0f1750b0767aaff73482c4
+   4b8d2873d74ec88aebd3504961acea16790a05c542d9fbff4fe269a77510db00abab
+   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c
+   24f18
+
+A.3.2.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
+   1
+   BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
+   4013648c01277da,03462e9ae64cae5b83ba98a6b360d942266389ac369b923eb3d5
+   57213b1922f8ab
+   EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
+   2e9ba29b90ae83e4a2,02bb24f4d838414aef052a8f044a6771230ca69c0a5677540
+   fff738dd31bb69771
+   Proof = bdcc351707d02a72ce49511c7db990566d29d6153ad6f8982fad2b435d6c
+   e4d60da1e6b3fa740811bde34dd4fe0aa1b5fe6600d0440c9ddee95ea7fad7a60cf2
+   ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
+   51943c8026877963
+   Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
+   645a1,771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c24f
+   18
+
+A.3.3.  POPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 6ad2173efa689ef2c27772566ad7ff6e2d59b3b196f00219451fb2c89ee4d
+   ae2
+   pkSm = 030d7ff077fddeec965db14b794f0cc1ba9019b04a2f4fcc1fa525dedf72e
+   2a3e3
+
+A.3.3.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Info = 7465737420696e666f
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
+   db0b2bd9dd4e2c0
+   EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
+   67e125db024a2c74d2
+   Proof = f8a33690b87736c854eadfcaab58a59b8d9c03b569110b6f31f8bf7577f3
+   fbb85a8a0c38468ccde1ba942be501654adb106167c8eb178703ccb42bccffb9231a
+   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
+   5c592
+
+A.3.3.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 021a440ace8ca667f261c10ac7686adc66a12be31e3520fca31
+   7643a1eee9dcd4d
+   EvaluationElement = 0208ca109cbae44f4774fc0bdd2783efdcb868cb4523d521
+   96f700210e777c5de3
+   Proof = 043a8fb7fc7fd31e35770cabda4753c5bf0ecc1e88c68d7d35a62bf2631e
+   875af4613641be2d1875c31d1319d191c4bbc0d04875f4fd03c31d3d17dd8e069b69
+   ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5f
+   fce8c
+
+A.3.3.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
+   1
+   BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
+   db0b2bd9dd4e2c0,03ca4ff41c12fadd7a0bc92cf856732b21df652e01a3abdf0fa8
+   847da053db213c
+   EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
+   67e125db024a2c74d2,02f0b6bcd467343a8d8555a99dc2eed0215c71898c5edb77a
+   3d97ddd0dbad478e8
+   Proof = 8fbd85a32c13aba79db4b42e762c00687d6dbf9c8cb97b2a225645ccb00d
+   9d7580b383c885cdfd07df448d55e06f50f6173405eee5506c0ed0851ff718d13e68
+   ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
+   51943c8026877963
+   Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
+   5c592,1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5ffce
+   8c
+
+A.4.  P384-SHA384
+
+A.4.1.  OPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = dfe7ddc41a4646901184f2b432616c8ba6d452f9bcd0c4f75a5150ef2b2ed
+   02ef40b8b92f60ae591bcabd72a6518f188
+
+A.4.1.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 02a36bc90e6db34096346eaf8b7bc40ee1113582155ad379700
+   3ce614c835a874343701d3f2debbd80d97cbe45de6e5f1f
+   EvaluationElement = 03af2a4fc94770d7a7bf3187ca9cc4faf3732049eded2442
+   ee50fbddda58b70ae2999366f72498cdbc43e6f2fc184afe30
+   Output = ed84ad3f31a552f0456e58935fcc0a3039db42e7f356dcb32aa6d487b6b
+   815a07d5813641fb1398c03ddab5763874357
+
+A.4.1.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 02def6f418e3484f67a124a2ce1bfb19de7a4af568ede6a1ebb
+   2733882510ddd43d05f2b1ab5187936a55e50a847a8b900
+   EvaluationElement = 034e9b9a2960b536f2ef47d8608b21597ba400d5abfa1825
+   fd21c36b75f927f396bf3716c96129d1fa4a77fa1d479c8d7b
+   Output = dd4f29da869ab9355d60617b60da0991e22aaab243a3460601e48b07585
+   9d1c526d36597326f1b985778f781a1682e75
+
+A.4.2.  VOPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 051646b9e6e7a71ae27c1e1d0b87b4381db6d3595eeeb1adb41579adbf992
+   f4278f9016eafc944edaa2b43183581779d
+   pkSm = 031d689686c611991b55f1a1d8f4305ccd6cb719446f660a30db61b7aa87b
+   46acf59b7c0d4a9077b3da21c25dd482229a0
+
+A.4.2.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
+   a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9
+   EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
+   46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6
+   Proof = bfc6cf3859127f5fe25548859856d6b7fa1c7459f0ba5712a806fc091a30
+   00c42d8ba34ff45f32a52e40533efd2a03bc87f3bf4f9f58028297ccb9ccb18ae718
+   2bcd1ef239df77e3be65ef147f3acf8bc9cbfc5524b702263414f043e3b7ca2e
+   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
+   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
+   26b4a622beab60220bf19078bca35a529b35c
+
+A.4.2.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 02f27469e059886f221be5f2cca03d2bdc61e55221721c3b3e5
+   6fc012e36d31ae5f8dc058109591556a6dbd3a8c69c433b
+   EvaluationElement = 03f16f903947035400e96b7f531a38d4a07ac89a80f89d86
+   a1bf089c525a92c7f4733729ca30c56ce78b1ab4f7d92db8b4
+   Proof = d005d6daaad7571414c1e0c75f7e57f2113ca9f4604e84bc90f9be52da89
+   6fff3bee496dcde2a578ae9df315032585f801fb21c6080ac05672b291e575a40295
+   b306d967717b28e08fcc8ad1cab47845d16af73b3e643ddcc191208e71c64630
+   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
+   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   Output = b91c70ea3d4d62ba922eb8a7d03809a441e1c3c7af915cbc2226f485213
+   e895942cd0f8580e6d99f82221e66c40d274f
+
+A.4.2.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
+   6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
+   a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9,02fa02470d7f151018b4
+   1e82223c32fad824de6ad4b5ce9f8e9f98083c9a726de9a1fc39d7a0cb6f4f188dd9
+   cea01474cd
+   EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
+   46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6,028e9e115625ff4c2
+   f07bf87ce3fd73fc77994a7a0c1df03d2a630a3d845930e2e63a165b114d98fe34e6
+   1b68d23c0b50a
+   Proof = 6d8dcbd2fc95550a02211fb78afd013933f307d21e7d855b0b1ed0af7807
+   6d8137ad8b0a1bfa05676d325249c1dbb9a52bd81b1c2b7b0efc77cf7b278e1c947f
+   6283f1d4c513053fc0ad19e026fb0c30654b53d9cea4b87b037271b5d2e2d0ea
+   ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
+   eca27405420cdf3d63cb3aef005f40ba51943c8026877963
+   Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
+   26b4a622beab60220bf19078bca35a529b35c,b91c70ea3d4d62ba922eb8a7d03809
+   a441e1c3c7af915cbc2226f485213e895942cd0f8580e6d99f82221e66c40d274f
+
+A.4.3.  POPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 5b2690d6954b8fbb159f19935d64133f12770c00b68422559c65431942d72
+   1ff79d47d7a75906c30b7818ec0f38b7fb2
+   pkSm = 02f00f0f1de81e5d6cf18140d4926ffdc9b1898c48dc49657ae36eb1e45de
+   b8b951aaf1f10c82d2eaa6d02aafa3f10d2b6
+
+A.4.3.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Info = 7465737420696e666f
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
+   93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3
+   EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
+   373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91
+   Proof = 82a17ef41c8b57f1e3122311b4d5cd39a63df0f67443ef18d961f9b659c1
+   601ced8d3c64b294f604319ca80230380d437a49c7af0d620e22116669c008ebb767
+   d90283d573b49cdb49e3725889620924c2c4b047a2a6225a3ba27e640ebddd33
+   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
+   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
+   27303ed449a08caf84272c3bbc972ede797df
+
+A.4.3.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364
+   BlindedElement = 03f7efcb4aaf000263369d8a0621cb96b81b3206e99876de2a0
+   0699ed4c45acf3969cd6e2319215395955d3f8d8cc1c712
+   EvaluationElement = 034993c818369927e74b77c400376fd1ae29b6ac6c6ddb77
+   6cf10e4fbc487826531b3cf0b7c8ca4d92c7af90c9def85ce6
+   Proof = 693471b5dff0cd6a5c00ea34d7bf127b2795164e3bdb5f39a1e5edfbd13e
+   443bc516061cd5b8449a473c2ceeccada9f3e5b57302e3d7bc5e28d38d6e3a3056e1
+   e73b6cc030f5180f8a1ffa45aa923ee66d2ad0a07b500f2acc7fb99b5506465c
+   ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
+   c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   Output = ff2a527a21cc43b251a567382677f078c6e356336aec069dea8ba369953
+   43ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
+
+A.4.3.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
+   889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
+   6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
+   BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
+   93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3,021a65d618d645f1a20b
+   c33b06deaa7e73d6d634c8a56a3d02b53a732b69a5c53c5a207ea33d5afdcde9a22d
+   59726bce51
+   EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
+   373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91,02017657b315ec65e
+   f861505e596c8645d94685dd7602cdd092a8f1c1c0194a5d0485fe47d071d972ab51
+   4370174cc23f5
+   Proof = 4a0b2fe96d5b2a046a0447fe079b77859ef11a39a3520d6ff7c626aad9b4
+   73b724fb0cf188974ec961710a62162a83e97e0baa9eeada73397032d928b3e97b1e
+   a92ad9458208302be3681b8ba78bcc17745bac00f84e0fdc98a6a8cba009c080
+   ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
+   eca27405420cdf3d63cb3aef005f40ba51943c8026877963
+   Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
+   27303ed449a08caf84272c3bbc972ede797df,ff2a527a21cc43b251a567382677f0
+   78c6e356336aec069dea8ba36995343ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
+
+A.5.  P521-SHA512
+
+A.5.1.  OPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a9
+   55d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fcc
+   ea6
+
+A.5.1.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 0300e78bf846b0e1e1a3c320e353d758583cd876df56100a3a1
+   e62bacba470fa6e0991be1be80b721c50c5fd0c672ba764457acc18c6200704e9294
+   fbf28859d916351
+   EvaluationElement = 030166371cf827cb2fb9b581f97907121a16e2dc5d8b10ce
+   9f0ede7f7d76a0d047657735e8ad07bcda824907b3e5479bd72cdef6b839b967ba5c
+   58b118b84d26f2ba07
+   Output = 26232de6fff83f812adadadb6cc05d7bbeee5dca043dbb16b03488abb99
+   81d0a1ef4351fad52dbd7e759649af393348f7b9717566c19a6b8856284d69375c80
+   9
+
+A.5.1.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 0300c28e57e74361d87e0c1874e5f7cc1cc796d61f9cad50427
+   cf54655cdb455613368d42b27f94bf66f59f53c816db3e95e68e1b113443d66a99b3
+   693bab88afb556b
+   EvaluationElement = 0301ad453607e12d0cc11a3359332a40c3a254eaa1afc642
+   96528d55bed07ba322e72e22cf3bcb50570fd913cb54f7f09c17aff8787af75f6a7f
+   af5640cbb2d9620a6e
+   Output = ad1f76ef939042175e007738906ac0336bbd1d51e287ebaa66901abdd32
+   4ea3ffa40bfc5a68e7939c2845e0fd37a5a6e76dadb9907c6cc8579629757fd4d04b
+   a
+
+A.5.2.  VOPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f2
+   2803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9
+   238
+   pkSm = 0301505d646f6e4c9102451eb39730c4ba1c4087618641edbdba4a60896b0
+   7fd0c9414ce553cbf25b81dfcca50a8f6724ab7a2bc4d0cf736967a287bb6084cc06
+   78ac0
+
+A.5.2.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
+   7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
+   5b4b3628a4f6380
+   EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
+   204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
+   bca0f8ca003eefb045
+   Proof = 0077fcc8ec6d059d7759b0a61f871e7c1dadc65333502e09a51994328f79
+   e5bda3357b9a4f410a1760a3612c2f8f27cb7cb032951c047cc66da60da583df7b24
+   7edd0188e5eb99c71799af1d80d643af16ffa1545acd9e9233fbb370455b10eb257e
+   a12a1667c1b4ee5b0ab7c93d50ae89602006960f083ca9adc4f6276c0ad60440393c
+   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
+   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
+   a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
+   b
+
+A.5.2.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 03005b05e656cb609ce5ff5faf063bb746d662d67bbd07c0626
+   38396f52f0392180cf2365cabb0ece8e19048961d35eeae5d5fa872328dce98df076
+   ee154dd191c615e
+   EvaluationElement = 0301b19fcf482b1fff04754e282292ed736c5f0aa080d4f4
+   2663cd3a416c6596f03129e8e096d8671fe5b0d19838312c511d2ce08d431e43e3ef
+   06199d8cab7426238d
+   Proof = 01ec9fece444caa6a57032e8963df0e945286f88fbdf233fb5101f0924f7
+   ea89c47023f5f72f240e61991fd33a299b5b38c45a5e2dd1a67b072e59dfe86708a3
+   59c701e38d383c60cf6969463bcf13251bedad47b7941f52e409a3591398e2792441
+   0b18a301c0e19f527cad504fa08388050ac634e1b05c5216d337742f2754e1fc502f
+   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
+   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b
+   54b6604d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf47
+   4
+
+A.5.2.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
+   39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
+   1
+   BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
+   7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
+   5b4b3628a4f6380,0301403b597538b939b450c93586ba275f9711ba07e42364bac1
+   d5769c6824a8b55be6f9a536df46d952b11ab2188363b3d6737635d9543d4dba14a6
+   e19421b9245bf5
+   EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
+   204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
+   bca0f8ca003eefb045,03001f96424497e38c46c904978c2fa1636c5c3dd2e634a85
+   d8a7265977c5dce1f02c7e6c118479f0751767b91a39cce6561998258591b5d7c1bb
+   02445a9e08e4f3e8d
+   Proof = 00b4d215c8405e57c7a4b53398caf55f1f1623aaeb22408ddb9ea2913090
+   9b3f95dbb1ff366e81e86e918f9f2fd8b80dbb344cd498c9499d112905e585417e00
+   68c600fe5dea18b389ef6c4cc062935607b8ccbbb9a84fba3143868a3e8a58efa0bf
+   6ca642804d09dc06e980f64837811227c4267b217f1099a4e28b0854f4e5ee659796
+   ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
+   27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
+   51943c8026877963
+   Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
+   a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
+   b,fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b54b6604
+   d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf474
+
+A.5.3.  POPRF Mode
+
+   Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
+   3a3
+   KeyInfo = 74657374206b6579
+   skSm = 014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c442
+   7d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7
+   b27
+   pkSm = 0301de8ceb9ffe9237b1bba87c320ea0bebcfc3447fe6f278065c6c69886d
+   692d1126b79b6844f829940ace9b52a5e26882cf7cbc9e57503d4cca3cd834584729
+   f812a
+
+A.5.3.1.  Test Vector 1, Batch Size 1
+
+   Input = 00
+   Info = 7465737420696e666f
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
+   82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
+   d5ebb2238f2f0e2
+   EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
+   62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
+   f77aa1327253f26d01
+   Proof = 0106a89a61eee9dd2417d2849a8e2167bc5f56e3aed5a3ff23e22511fa1b
+   37a29ed44d1bbfd6907d99cfbc558a56aec709282415a864a281e49dc53792a4a638
+   a0660034306d64be12a94dcea5a6d664cf76681911c8b9a84d49bf12d4893307ec14
+   436bd05f791f82446c0de4be6c582d373627b51886f76c4788256e3da7ec8fa18a86
+   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
+   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
+   82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
+   b
+
+A.5.3.2.  Test Vector 2, Batch Size 1
+
+   Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364
+   BlindedElement = 030112ea89cf9cf589496189eafc5f9eb13c9f9e170d6ecde7c
+   5b940541cb1a9c5cfeec908b67efe16b81ca00d0ce216e34b3d5f46a658d3fd8573d
+   671bdb6515ed508
+   EvaluationElement = 0200ebc49df1e6fa61f412e6c391e6f074400ecdd2f56c4a
+   8c03fe0f91d9b551f40d4b5258fd891952e8c9b28003bcfa365122e54a5714c8949d
+   5d202767b31b4bf1f6
+   Proof = 0082162c71a7765005cae202d4bd14b84dae63c29067e886b82506992bd9
+   94a1c3aac0c1c5309222fe1af8287b6443ed6df5c2e0b0991faddd3564c73c7597ae
+   cd9a003b1f1e3c65f28e58ab4e767cfb4adbcaf512441645f4c2aed8bf67d132d966
+   006d35fa71a34145414bf3572c1de1a46c266a344dd9e22e7fb1e90ffba1caf556d9
+   ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
+   3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
+   e45c405d1348b7b1
+   Output = 27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af
+   5762c3638afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e
+   3
+
+A.5.3.3.  Test Vector 3, Batch Size 2
+
+   Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
+   Info = 7465737420696e666f
+   Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
+   88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
+   d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
+   39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
+   1
+   BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
+   82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
+   d5ebb2238f2f0e2,0201a328cf9f3fdeb86b6db242dd4cbb436b3a488b70b72d2fbb
+   d1e5f50d7b0878b157d6f278c6a95c488f3ad52d6898a421658a82fe7ceb000b01ae
+   dea7967522d525
+   EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
+   62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
+   f77aa1327253f26d01,020062ab51ac3aa829e0f5b7ae50688bcf5f63a18a83a6e0d
+   a538666b8d50c7ea2b4ef31f4ac669302318dbebe46660acdda695da30c22cee7ca2
+   1f6984a720504502e
+   Proof = 00731738844f739bca0cca9d1c8bea204bed4fd00285785738b985763741
+   de5cdfa275152d52b6a2fdf7792ef3779f39ba34581e56d62f78ecad5b7f8083f384
+   961501cd4b43713253c022692669cf076b1d382ecd8293c1de69ea569737f37a2477
+   2ab73517983c1e3db5818754ba1f008076267b8058b6481949ae346cdc17a8455fe2
+   ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
+   27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
+   51943c8026877963
+   Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
+   82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
+   b,27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af5762c36
+   38afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e3
+
+Acknowledgements
+
+   This document resulted from the work of the Privacy Pass team
+   [PrivacyPass].  The authors would also like to acknowledge helpful
+   conversations with Hugo Krawczyk.  Eli-Shaoul Khedouri provided
+   additional review and comments on key consistency.  Daniel Bourdrez,
+   Tatiana Bradley, Sofia Celi, Frank Denis, Julia Hesse, Russ Housley,
+   Kevin Lewi, Christopher Patton, and Bas Westerbaan also provided
+   helpful input and contributions to the document.
+
+Authors' Addresses
+
+   Alex Davidson
+   Brave Software
+   Email: alex.davidson92@gmail.com
+
+
+   Armando Faz-Hernandez
+   Cloudflare, Inc.
+   101 Townsend St
+   San Francisco, CA
+   United States of America
+   Email: armfazh@cloudflare.com
+
+
+   Nick Sullivan
+   Cloudflare, Inc.
+   101 Townsend St
+   San Francisco, CA
+   United States of America
+   Email: nicholas.sullivan+ietf@gmail.com
+
+
+   Christopher A. Wood
+   Cloudflare, Inc.
+   101 Townsend St
+   San Francisco, CA
+   United States of America
+   Email: caw@heapingbits.net