From 738d0e23099e6b9e8058d5654d5f1096417ad8a9 Mon Sep 17 00:00:00 2001
From: dAxpeDDa <daxpedda@gmail.com>
Date: Wed, 1 Feb 2023 15:11:13 +0100
Subject: [PATCH] Update to draft 19

---
 .github/workflows/main.yml     |   2 +-
 Cargo.toml                     |  10 +-
 README.md                      |   2 +-
 src/ciphersuite.rs             |  10 +-
 src/common.rs                  |  96 +++-
 src/group/elliptic_curve.rs    |  22 +-
 src/group/mod.rs               |  10 +-
 src/group/ristretto.rs         |  12 +-
 src/lib.rs                     |   2 +-
 src/oprf.rs                    |  12 +-
 src/poprf.rs                   |  27 +-
 src/tests/cfrg_vectors.rs      | 959 ++++++++++++++++-----------------
 src/tests/parser.rs            |   2 +-
 src/tests/test_cfrg_vectors.rs |  12 +-
 src/voprf.rs                   |  17 +-
 15 files changed, 617 insertions(+), 578 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8372dd3..0c9f2c8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -43,7 +43,7 @@ jobs:
           - --features serde
         toolchain:
           - stable
-          - 1.60.0
+          - 1.61.0
     name: test
     steps:
       - name: Checkout sources
diff --git a/Cargo.toml b/Cargo.toml
index 1c6b116..7657377 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ license = "MIT"
 name = "voprf"
 readme = "README.md"
 repository = "https://github.com/novifinancial/voprf/"
-rust-version = "1.60"
+rust-version = "1.61"
 version = "0.5.0-pre.1"
 
 [features]
@@ -28,7 +28,7 @@ curve25519-dalek = { version = "=4.0.0-rc.0", default-features = false, features
 derive-where = { version = "1", features = ["zeroize-on-drop"] }
 digest = "0.10"
 displaydoc = { version = "0.2", default-features = false }
-elliptic-curve = { version = "0.12", features = [
+elliptic-curve = { version = "0.13.0-pre.3", features = [
   "hash2curve",
   "sec1",
   "voprf",
@@ -45,7 +45,7 @@ zeroize = { version = "1.5", default-features = false }
 [dev-dependencies]
 generic-array = { version = "0.14", features = ["more_lengths"] }
 hex = "0.4"
-p256 = { version = "0.12", default-features = false, features = [
+p256 = { version = "0.13.0-pre", default-features = false, features = [
   "hash2curve",
   "voprf",
 ] }
@@ -59,3 +59,7 @@ sha2 = "0.10"
 all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 targets = []
+
+[patch.crates-io]
+elliptic-curve = { git = "https://github.com/khonsulabs/traits", branch = "hash2curve-multi-dst" }
+p256 = { git = "https://github.com/RustCrypto/elliptic-curves", rev = "1ab86e179dc7d1b1edf1392eaf2647a6ba7b6fc8" }
diff --git a/README.md b/README.md
index 3f74279..591d0a3 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ voprf = "0.5.0-pre.1"
 
 ### Minimum Supported Rust Version
 
-Rust **1.60** or higher.
+Rust **1.61** or higher.
 
 Contributors
 ------------
diff --git a/src/ciphersuite.rs b/src/ciphersuite.rs
index 734c9ca..8e3ea7f 100644
--- a/src/ciphersuite.rs
+++ b/src/ciphersuite.rs
@@ -8,7 +8,7 @@
 //! Defines the CipherSuite trait to specify the underlying primitives for VOPRF
 
 use digest::core_api::BlockSizeUser;
-use digest::{Digest, OutputSizeUser};
+use digest::{FixedOutput, HashMarker, OutputSizeUser};
 use elliptic_curve::VoprfParameters;
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 
@@ -22,7 +22,7 @@ where
 {
     /// The ciphersuite identifier as dictated by
     /// <https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/>
-    const ID: u16;
+    const ID: &'static str;
 
     /// A finite cyclic group along with a point representation that allows some
     /// customization on how to hash an input to a curve point. See [`Group`].
@@ -30,17 +30,17 @@ where
 
     /// The main hash function to use (for HKDF computations and hashing
     /// transcripts).
-    type Hash: BlockSizeUser + Digest;
+    type Hash: BlockSizeUser + Default + FixedOutput + HashMarker;
 }
 
 impl<T: VoprfParameters> CipherSuite for T
 where
     T: Group,
-    T::Hash: BlockSizeUser + Digest,
+    T::Hash: BlockSizeUser + Default + FixedOutput + HashMarker,
     <T::Hash as OutputSizeUser>::OutputSize:
         IsLess<U256> + IsLessOrEqual<<T::Hash as BlockSizeUser>::BlockSize>,
 {
-    const ID: u16 = T::ID;
+    const ID: &'static str = T::ID;
 
     type Group = T;
 
diff --git a/src/common.rs b/src/common.rs
index 02721b8..b83d4b6 100644
--- a/src/common.rs
+++ b/src/common.rs
@@ -8,12 +8,13 @@
 //! Common functionality between multiple OPRF modes.
 
 use core::convert::TryFrom;
+use core::ops::Add;
 
 use derive_where::derive_where;
 use digest::core_api::BlockSizeUser;
 use digest::{Digest, Output, OutputSizeUser};
 use generic_array::sequence::Concat;
-use generic_array::typenum::{IsLess, IsLessOrEqual, Unsigned, U11, U2, U256};
+use generic_array::typenum::{IsLess, IsLessOrEqual, Unsigned, U2, U256, U9};
 use generic_array::{ArrayLength, GenericArray};
 use rand_core::{CryptoRng, RngCore};
 use subtle::ConstantTimeEq;
@@ -33,7 +34,7 @@ pub(crate) const STR_DERIVE_KEYPAIR: [u8; 13] = *b"DeriveKeyPair";
 pub(crate) const STR_COMPOSITE: [u8; 9] = *b"Composite";
 pub(crate) const STR_CHALLENGE: [u8; 9] = *b"Challenge";
 pub(crate) const STR_INFO: [u8; 4] = *b"Info";
-pub(crate) const STR_VOPRF: [u8; 8] = *b"VOPRF10-";
+pub(crate) const STR_OPRF: [u8; 7] = *b"OPRFV1-";
 pub(crate) const STR_HASH_TO_SCALAR: [u8; 13] = *b"HashToScalar-";
 pub(crate) const STR_HASH_TO_GROUP: [u8; 12] = *b"HashToGroup-";
 
@@ -194,9 +195,9 @@ where
         &STR_CHALLENGE,
     ];
 
-    let dst = GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(mode));
+    let dst = Dst::new::<CS, _, _>(STR_HASH_TO_SCALAR, mode);
     // This can't fail, the size of the `input` is known.
-    let c_scalar = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst).unwrap();
+    let c_scalar = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
     let s_scalar = r - &(c_scalar * &k);
 
     Ok(Proof { c_scalar, s_scalar })
@@ -254,9 +255,9 @@ where
         &STR_CHALLENGE,
     ];
 
-    let dst = GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(mode));
+    let dst = Dst::new::<CS, _, _>(STR_HASH_TO_SCALAR, mode);
     // This can't fail, the size of the `input` is known.
-    let c = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst).unwrap();
+    let c = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
 
     match c.ct_eq(&proof.c_scalar).into() {
         true => Ok(()),
@@ -296,7 +297,7 @@ where
     let len = u16::try_from(c_slice.len()).map_err(|_| Error::Batch)?;
 
     // seedDST = "Seed-" || contextString
-    let seed_dst = GenericArray::from(STR_SEED).concat(create_context_string::<CS>(mode));
+    let seed_dst = Dst::new::<CS, _, _>(STR_SEED, mode);
 
     // h1Input = I2OSP(len(Bm), 2) || Bm ||
     //           I2OSP(len(seedDST), 2) || seedDST
@@ -304,8 +305,8 @@ where
     let seed = CS::Hash::new()
         .chain_update(elem_len)
         .chain_update(CS::Group::serialize_elem(b))
-        .chain_update(i2osp_2_array(&seed_dst))
-        .chain_update(seed_dst)
+        .chain_update(seed_dst.i2osp_2())
+        .chain_update_multi(&seed_dst.as_dst())
         .finalize();
     let seed_len = i2osp_2_array(&seed);
 
@@ -332,9 +333,9 @@ where
             &STR_COMPOSITE,
         ];
 
-        let dst = GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(mode));
+        let dst = Dst::new::<CS, _, _>(STR_HASH_TO_SCALAR, mode);
         // This can't fail, the size of the `input` is known.
-        let di = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst).unwrap();
+        let di = CS::Group::hash_to_scalar::<CS::Hash>(&h2_input, &dst.as_dst()).unwrap();
         m = c * &di + &m;
         z = match k_option {
             Some(_) => z,
@@ -365,8 +366,7 @@ where
     <CS::Hash as OutputSizeUser>::OutputSize:
         IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
 {
-    let context_string = create_context_string::<CS>(mode);
-    let dst = GenericArray::from(STR_DERIVE_KEYPAIR).concat(context_string);
+    let dst = Dst::new::<CS, _, _>(STR_DERIVE_KEYPAIR, mode);
 
     let info_len = i2osp_2(info.len()).map_err(|_| Error::DeriveKeyPair)?;
 
@@ -376,7 +376,7 @@ where
         // || contextString)
         let sk_s = CS::Group::hash_to_scalar::<CS::Hash>(
             &[seed, &info_len, info, &counter.to_be_bytes()],
-            &dst,
+            &dst.as_dst(),
         )
         .map_err(|_| Error::DeriveKeyPair)?;
 
@@ -455,8 +455,8 @@ where
     <CS::Hash as OutputSizeUser>::OutputSize:
         IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
 {
-    let dst = GenericArray::from(STR_HASH_TO_GROUP).concat(create_context_string::<CS>(mode));
-    CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst).map_err(|_| Error::Input)
+    let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, mode);
+    CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst.as_dst()).map_err(|_| Error::Input)
 }
 
 /// Internal function that finalizes the hash input for OPRF, VOPRF & POPRF.
@@ -497,16 +497,64 @@ where
         .finalize())
 }
 
-/// Generates the contextString parameter as defined in
-/// <https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/>
-pub(crate) fn create_context_string<CS: CipherSuite>(mode: Mode) -> GenericArray<u8, U11>
+pub(crate) struct Dst<L: ArrayLength<u8>> {
+    dst_1: GenericArray<u8, L>,
+    dst_2: &'static str,
+}
+
+impl<L: ArrayLength<u8>> Dst<L> {
+    pub(crate) fn new<CS: CipherSuite, T, TL: ArrayLength<u8>>(par_1: T, mode: Mode) -> Self
+    where
+        T: Into<GenericArray<u8, TL>>,
+        TL: Add<U9, Output = L>,
+        <CS::Hash as OutputSizeUser>::OutputSize:
+            IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
+    {
+        let par_1 = par_1.into();
+        // Generates the contextString parameter as defined in
+        // <https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/>
+        let par_2 = GenericArray::from(STR_OPRF)
+            .concat([mode.to_u8()].into())
+            .concat([b'-'].into());
+
+        let dst_1 = par_1.concat(par_2);
+        let dst_2 = CS::ID;
+
+        assert!(
+            L::USIZE + dst_2.len() <= u16::MAX.into(),
+            "constructed DST longer then {}",
+            u16::MAX
+        );
+
+        Self { dst_1, dst_2 }
+    }
+
+    pub(crate) fn as_dst(&self) -> [&[u8]; 2] {
+        [&self.dst_1, self.dst_2.as_bytes()]
+    }
+
+    pub(crate) fn i2osp_2(&self) -> [u8; 2] {
+        u16::try_from(L::USIZE + self.dst_2.len())
+            .unwrap()
+            .to_be_bytes()
+    }
+}
+
+trait DigestExt {
+    fn chain_update_multi(self, data: &[&[u8]]) -> Self;
+}
+
+impl<T> DigestExt for T
 where
-    <CS::Hash as OutputSizeUser>::OutputSize:
-        IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
+    T: Digest,
 {
-    GenericArray::from(STR_VOPRF)
-        .concat([mode.to_u8()].into())
-        .concat(CS::ID.to_be_bytes().into())
+    fn chain_update_multi(mut self, datas: &[&[u8]]) -> Self {
+        for data in datas {
+            self.update(data)
+        }
+
+        self
+    }
 }
 
 ///////////////////////
diff --git a/src/group/elliptic_curve.rs b/src/group/elliptic_curve.rs
index edbd958..5cc7d2d 100644
--- a/src/group/elliptic_curve.rs
+++ b/src/group/elliptic_curve.rs
@@ -6,12 +6,12 @@
 // of this source tree.
 
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use elliptic_curve::group::cofactor::CofactorGroup;
 use elliptic_curve::hash2curve::{ExpandMsgXmd, FromOkm, GroupDigest};
 use elliptic_curve::sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint};
 use elliptic_curve::{
-    AffinePoint, Field, FieldSize, Group as _, ProjectivePoint, PublicKey, Scalar, SecretKey,
+    AffinePoint, Field, FieldBytesSize, Group as _, ProjectivePoint, PublicKey, Scalar, SecretKey,
 };
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::GenericArray;
@@ -24,32 +24,32 @@ impl<C> Group for C
 where
     C: GroupDigest,
     ProjectivePoint<Self>: CofactorGroup + ToEncodedPoint<Self>,
-    FieldSize<Self>: ModulusSize,
+    FieldBytesSize<Self>: ModulusSize,
     AffinePoint<Self>: FromEncodedPoint<Self> + ToEncodedPoint<Self>,
     Scalar<Self>: FromOkm,
 {
     type Elem = ProjectivePoint<Self>;
 
-    type ElemLen = <FieldSize<Self> as ModulusSize>::CompressedPointSize;
+    type ElemLen = <FieldBytesSize<Self> as ModulusSize>::CompressedPointSize;
 
     type Scalar = Scalar<Self>;
 
-    type ScalarLen = FieldSize<Self>;
+    type ScalarLen = FieldBytesSize<Self>;
 
     // Implements the `hash_to_curve()` function from
     // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
-    fn hash_to_curve<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Elem, InternalError>
+    fn hash_to_curve<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         Self::hash_from_bytes::<ExpandMsgXmd<H>>(input, dst).map_err(|_| InternalError::Input)
     }
 
     // Implements the `HashToScalar()` function
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Scalar, InternalError>
+    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         <Self as GroupDigest>::hash_to_scalar::<ExpandMsgXmd<H>>(input, dst)
@@ -92,7 +92,7 @@ where
 
     #[cfg(test)]
     fn zero_scalar() -> Self::Scalar {
-        Scalar::<Self>::zero()
+        Scalar::<Self>::ZERO
     }
 
     fn serialize_scalar(scalar: Self::Scalar) -> GenericArray<u8, Self::ScalarLen> {
@@ -100,7 +100,7 @@ where
     }
 
     fn deserialize_scalar(scalar_bits: &[u8]) -> Result<Self::Scalar> {
-        SecretKey::<Self>::from_be_bytes(scalar_bits)
+        SecretKey::<Self>::from_slice(scalar_bits)
             .map(|secret_key| *secret_key.to_nonzero_scalar())
             .map_err(|_| Error::Deserialization)
     }
diff --git a/src/group/mod.rs b/src/group/mod.rs
index 132b78d..95f71f6 100644
--- a/src/group/mod.rs
+++ b/src/group/mod.rs
@@ -14,7 +14,7 @@ mod ristretto;
 use core::ops::{Add, Mul, Sub};
 
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256};
 use generic_array::{ArrayLength, GenericArray};
 use rand_core::{CryptoRng, RngCore};
@@ -54,9 +54,9 @@ pub trait Group {
     /// # Errors
     /// [`Error::Input`](crate::Error::Input) if the `input` is empty or longer
     /// then [`u16::MAX`].
-    fn hash_to_curve<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Elem, InternalError>
+    fn hash_to_curve<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>;
 
     /// Hashes a slice of pseudo-random bytes to a scalar
@@ -64,9 +64,9 @@ pub trait Group {
     /// # Errors
     /// [`Error::Input`](crate::Error::Input) if the `input` is empty or longer
     /// then [`u16::MAX`].
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Scalar, InternalError>
+    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>;
 
     /// Get the base point for the group
diff --git a/src/group/ristretto.rs b/src/group/ristretto.rs
index 591ad4e..910a96c 100644
--- a/src/group/ristretto.rs
+++ b/src/group/ristretto.rs
@@ -10,7 +10,7 @@ use curve25519_dalek::ristretto::{CompressedRistretto, RistrettoPoint};
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::Identity;
 use digest::core_api::BlockSizeUser;
-use digest::Digest;
+use digest::{FixedOutput, HashMarker};
 use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXmd, Expander};
 use generic_array::typenum::{IsLess, IsLessOrEqual, U256, U32, U64};
 use generic_array::GenericArray;
@@ -26,7 +26,7 @@ pub struct Ristretto255;
 
 #[cfg(feature = "ristretto255-ciphersuite")]
 impl crate::CipherSuite for Ristretto255 {
-    const ID: u16 = 0x0001;
+    const ID: &'static str = "ristretto255-SHA512";
 
     type Group = Ristretto255;
 
@@ -44,9 +44,9 @@ impl Group for Ristretto255 {
 
     // Implements the `hash_to_ristretto255()` function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.txt
-    fn hash_to_curve<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Elem, InternalError>
+    fn hash_to_curve<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Elem, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         let mut uniform_bytes = GenericArray::<_, U64>::default();
@@ -59,9 +59,9 @@ impl Group for Ristretto255 {
 
     // Implements the `HashToScalar()` function from
     // https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-07.html#section-4.1
-    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[u8]) -> Result<Self::Scalar, InternalError>
+    fn hash_to_scalar<H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Scalar, InternalError>
     where
-        H: Digest + BlockSizeUser,
+        H: BlockSizeUser + Default + FixedOutput + HashMarker,
         H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
     {
         let mut uniform_bytes = GenericArray::<_, U64>::default();
diff --git a/src/lib.rs b/src/lib.rs
index 1dfa360..7bb74e4 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -8,7 +8,7 @@
 //! An implementation of a verifiable oblivious pseudorandom function (VOPRF)
 //!
 //! Note: This implementation is in sync with
-//! [draft-irtf-cfrg-voprf-11](https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-11.html),
+//! [draft-irtf-cfrg-voprf-19](https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-19.html),
 //! but this specification is subject to change, until the final version
 //! published by the IETF.
 //!
diff --git a/src/oprf.rs b/src/oprf.rs
index 6e8d7af..e27c9c9 100644
--- a/src/oprf.rs
+++ b/src/oprf.rs
@@ -291,11 +291,10 @@ where
 mod tests {
     use core::ptr;
 
-    use generic_array::sequence::Concat;
     use rand::rngs::OsRng;
 
     use super::*;
-    use crate::common::{create_context_string, STR_HASH_TO_GROUP};
+    use crate::common::{Dst, STR_HASH_TO_GROUP};
     use crate::Group;
 
     fn prf<CS: CipherSuite>(
@@ -308,8 +307,8 @@ mod tests {
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst = GenericArray::from(STR_HASH_TO_GROUP).concat(create_context_string::<CS>(mode));
-        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst).unwrap();
+        let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, mode);
+        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst.as_dst()).unwrap();
 
         let res = point * &key;
 
@@ -348,9 +347,8 @@ mod tests {
             .finalize(&input, &EvaluationElement(client_blind_result.message.0))
             .unwrap();
 
-        let dst =
-            GenericArray::from(STR_HASH_TO_GROUP).concat(create_context_string::<CS>(Mode::Oprf));
-        let point = CS::Group::hash_to_curve::<CS::Hash>(&[&input], &dst).unwrap();
+        let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, Mode::Oprf);
+        let point = CS::Group::hash_to_curve::<CS::Hash>(&[&input], &dst.as_dst()).unwrap();
         let res2 = finalize_after_unblind::<CS, _, _>(iter::once((input.as_ref(), point)), &[])
             .next()
             .unwrap()
diff --git a/src/poprf.rs b/src/poprf.rs
index 1dfabe7..ce0f16c 100644
--- a/src/poprf.rs
+++ b/src/poprf.rs
@@ -14,16 +14,14 @@ use core::iter::{self, Map, Repeat, Zip};
 use derive_where::derive_where;
 use digest::core_api::BlockSizeUser;
 use digest::{Digest, Output, OutputSizeUser};
-use generic_array::sequence::Concat;
 use generic_array::typenum::{IsLess, IsLessOrEqual, Unsigned, U256};
 use generic_array::GenericArray;
 use rand_core::{CryptoRng, RngCore};
 
 use crate::common::{
-    create_context_string, derive_keypair, deterministic_blind_unchecked, generate_proof,
-    hash_to_group, i2osp_2, server_evaluate_hash_input, verify_proof, BlindedElement,
-    EvaluationElement, Mode, PreparedEvaluationElement, Proof, STR_FINALIZE, STR_HASH_TO_SCALAR,
-    STR_INFO,
+    derive_keypair, deterministic_blind_unchecked, generate_proof, hash_to_group, i2osp_2,
+    server_evaluate_hash_input, verify_proof, BlindedElement, Dst, EvaluationElement, Mode,
+    PreparedEvaluationElement, Proof, STR_FINALIZE, STR_HASH_TO_SCALAR, STR_INFO,
 };
 #[cfg(feature = "serde")]
 use crate::serialization::serde::{Element, Scalar};
@@ -616,10 +614,9 @@ where
     let info_len = i2osp_2(info.len()).map_err(|_| Error::Info)?;
     let framed_info = [STR_INFO.as_slice(), &info_len, info];
 
-    let dst =
-        GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(Mode::Poprf));
+    let dst = Dst::new::<CS, _, _>(STR_HASH_TO_SCALAR, Mode::Poprf);
     // This can't fail, the size of the `input` is known.
-    let m = CS::Group::hash_to_scalar::<CS::Hash>(&framed_info, &dst).unwrap();
+    let m = CS::Group::hash_to_scalar::<CS::Hash>(&framed_info, &dst.as_dst()).unwrap();
 
     let t = CS::Group::base_elem() * &m;
     let tweaked_key = t + &pk;
@@ -654,10 +651,9 @@ where
     let info_len = i2osp_2(info.len()).map_err(|_| Error::Info)?;
     let framed_info = [STR_INFO.as_slice(), &info_len, info];
 
-    let dst =
-        GenericArray::from(STR_HASH_TO_SCALAR).concat(create_context_string::<CS>(Mode::Poprf));
+    let dst = Dst::new::<CS, _, _>(STR_HASH_TO_SCALAR, Mode::Poprf);
     // This can't fail, the size of the `input` is known.
-    let m = CS::Group::hash_to_scalar::<CS::Hash>(&framed_info, &dst).unwrap();
+    let m = CS::Group::hash_to_scalar::<CS::Hash>(&framed_info, &dst.as_dst()).unwrap();
 
     let t = sk + &m;
 
@@ -810,8 +806,8 @@ mod tests {
     {
         let t = compute_tweak::<CS>(key, Some(info)).unwrap();
 
-        let dst = GenericArray::from(STR_HASH_TO_GROUP).concat(create_context_string::<CS>(mode));
-        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst).unwrap();
+        let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, mode);
+        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst.as_dst()).unwrap();
 
         // evaluatedElement = G.ScalarInverse(t) * blindedElement
         let res = point * &CS::Group::invert_scalar(t);
@@ -864,10 +860,9 @@ mod tests {
             .blind_evaluate(&mut rng, &client_blind_result.message, Some(info))
             .unwrap();
         let wrong_pk = {
-            let dst = GenericArray::from(STR_HASH_TO_GROUP)
-                .concat(create_context_string::<CS>(Mode::Oprf));
+            let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, Mode::Oprf);
             // Choose a group element that is unlikely to be the right public key
-            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst).unwrap()
+            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst.as_dst()).unwrap()
         };
         let client_finalize_result = client_blind_result.state.finalize(
             input,
diff --git a/src/tests/cfrg_vectors.rs b/src/tests/cfrg_vectors.rs
index b7c26df..893a2d6 100644
--- a/src/tests/cfrg_vectors.rs
+++ b/src/tests/cfrg_vectors.rs
@@ -6,10 +6,10 @@
 // of this source tree.
 
 //! The VOPRF test vectors taken from:
-//! https://github.com/cfrg/draft-irtf-cfrg-voprf/blob/master/draft-irtf-cfrg-voprf.md
+//! https://github.com/cfrg/draft-irtf-cfrg-voprf/blob/draft-irtf-cfrg-voprf-19/draft-irtf-cfrg-voprf.md
 
 pub(crate) const VECTORS: &str = r#"
-## OPRF(ristretto255, SHA-512)
+## ristretto255-SHA512
 
 ### OPRF Mode
 
@@ -17,8 +17,8 @@ pub(crate) const VECTORS: &str = r#"
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = e617ae6f2d10de61e16cab73023c5a2df74335d13f89470957214664468d2
-e0b
+skSm = 5ebcea5ee37023ccb9fc2d2019f9d7737be85591ae8652ffa9ef0f4d37063
+b0e
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -27,13 +27,13 @@ e0b
 Input = 00
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = c83d0d8a3e80be2ced8bf35c5f3e24d42260ca8fa9a0403ca83
-033588c26614d
-EvaluationElement = b29ca44d6dfafc77a50b72abc53cfb7abcbe9cf6714afc76
-893ee8dcaf053b59
-Output = 8a19c9b8f4459d541ebbfff4e29f36620e44e825a27b0f2e3a3c0d8e963
-588ee04348312dc8b43a48c41d4e7d904f95c91813a6b4f624392433f0568409da62
-8
+BlindedElement = 609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa
+2dc99e412803c
+EvaluationElement = 7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2
+d8cc917ea0869c7e
+Output = 527759c3d9366f277d8c6020418d96bb393ba2afb20ff90df23fb770826
+4e2f3ab9135e3bd69955851de4b1f9fe8a0973396719b7912ba9ee8aa7d0b5e24bcf
+6
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -42,13 +42,13 @@ Output = 8a19c9b8f4459d541ebbfff4e29f36620e44e825a27b0f2e3a3c0d8e963
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = 8673ffd2f26b2579922fc485c77e106def00982e0abb233b4c6
-e54841d43ba29
-EvaluationElement = 68ed7037846f48a1b4073a0d110f6e4de8f53ab845365c0f
-3d7f1b67caa39126
-Output = bcdbd421c0863495d63d81a868858f34f5215437c5777072a92703f36b3
-6c4a2d3e7e54a5762e70b06223527c211e2d4364481270f72971a2db8b7ab8fad84e
-e
+BlindedElement = da27ef466870f5f15296299850aa088629945a17d1f5b7f5ff0
+43f76b3c06418
+EvaluationElement = b4cbf5a4f1eeda5a63ce7b77c7d23f461db3fcab0dd28e4e
+17cecb5c90d02c25
+Output = f4a74c9c592497375e796aa837e907b1a045d34306a749db9f34221f7e7
+50cb4f2a6413a6bf6fa5e19ba6348eb673934a722a7ede2e7621306d18951e7cf2c7
+3
 ~~~
 
 ### VOPRF Mode
@@ -57,10 +57,10 @@ e
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = a3b8dea4a99be2469da7f7d2d93fe5f2867317d6705350475d47739c7214d
-a07
-pkSm = c00fbee6832a8e5d6cc1d1a23315daf6a6018f19e29ba37b05499259da854
-b48
+skSm = e6f73f344b79b379f1a0dd37e07ff62e38d9f71345ce62ae3a9bc60b04ccd
+909
+pkSm = c803e2cc6b05fc15064549b5920659ca4a77b2cca6f04f6b357009335476a
+d4e
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -69,17 +69,17 @@ b48
 Input = 00
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = 6cce2c7913f4c8c0ac44ec149a1544b0e711e1630753d4efc7c
-5fe36a4d50638
-EvaluationElement = 826f2f3e553a039bcd69c9df6cb166e7943fd207089ae704
-1f6041322ce7033a
-Proof = 2e541a6962e783d2f42d5f4fb1364e51c368e95e83a962614714e9dfe21a
-720cd8c8eb8106131b4a758b5a0987d3870adb348f5eae7b4a2bc26735928cc4b90c
+BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
+642ddc439b945
+EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
+9c7669a9a014267e
+Proof = ddef93772692e535d1a53903db24367355cc2cc78de93b3be5a8ffcc6985
+dd066d4346421d17bf5117a2a1ff0fcb2a759f58a539dfbe857a40bce4cf49ec600d
 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
 81aa6f61d645fc0e
-Output = 4d5dd83db5bfd850e3e0c17519f1013aab904e7b131dc1ded31f7a76aac
-f040f6b344b0e635cf6df30771a35157e0e3d9539f7a891b48cd8521692b15c51538
-d
+Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
+a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
+c
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -88,17 +88,17 @@ d
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = 6a4e632b76a2cfcb0295ee74098a15a3e858f6006fd9fa8576a
-5813e051ac134
-EvaluationElement = 2cb879d933a1af46c77e89f3f39a38f80347bf4716da3dc3
-07c8aa1282179823
-Proof = eabae3489c46b9e9a8da0cc921d2bc2960ef5fb0b38c8f067cc5c21f62f4
-eb0ff5472009aec126f543b6051b5d62ccbf2625aab6684076c26cfdf0904257090c
+BlindedElement = cc0b2a350101881d8a4cba4c80241d74fb7dcbfde4a61fde2f9
+1443c2bf9ef0c
+EvaluationElement = 60a59a57208d48aca71e9e850d22674b611f752bed48b36f
+7a91b372bd7ad468
+Proof = 401a0da6264f8cf45bb2f5264bc31e109155600babb3cd4e5af7d181a2c9
+dc0a67154fabf031fd936051dec80b0b6ae29c9503493dde7393b722eafdf5a50b02
 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
 81aa6f61d645fc0e
-Output = 5c3fe06ef39905710a124df0727c6c938f48234b35ccc4548c0736d7f6f
-36e6b7333a9aefc93d6b1ee20151a40bce453866b62cf5d41799982fee6100680915
-9
+Output = 8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a
+6df60356f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b
+6
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -108,20 +108,20 @@ Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
 e
-BlindedElement = 6cce2c7913f4c8c0ac44ec149a1544b0e711e1630753d4efc7c
-5fe36a4d50638,aa9908e4c40b7fe5f091cf0f7fb8ec75ffdaaf2d19512b7b9939f0
-ffaaa0654f
-EvaluationElement = 826f2f3e553a039bcd69c9df6cb166e7943fd207089ae704
-1f6041322ce7033a,902ef95488cc3c47fe569bc96c922a4ae3f9ebd8ccbc71bfefa
-5f1e7da9ab953
-Proof = d9bfee92cd7496cdf469947b534549ceb79ebd7b5695d20437b3e14758cf
-de0998eaa13a480cc35b562cbfb1412b1677650cd901b5fb4d6805581a95b440320f
+BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
+642ddc439b945,90a0145ea9da29254c3a56be4fe185465ebb3bf2a1801f7124bbba
+dac751e654
+EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
+9c7669a9a014267e,cc5ac221950a49ceaa73c8db41b82c20372a4c8d63e5dded2db
+920b7eee36a2a
+Proof = cc203910175d786927eeb44ea847328047892ddf8590e723c37205cb7460
+0b0a5ab5337c8eb4ceae0494c2cf89529dcf94572ed267473d567aeed6ab873dee08
 ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
 cf037f9ea84bbe0c
-Output = 4d5dd83db5bfd850e3e0c17519f1013aab904e7b131dc1ded31f7a76aac
-f040f6b344b0e635cf6df30771a35157e0e3d9539f7a891b48cd8521692b15c51538
-d,5c3fe06ef39905710a124df0727c6c938f48234b35ccc4548c0736d7f6f36e6b73
-33a9aefc93d6b1ee20151a40bce453866b62cf5d41799982fee61006809159
+Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
+a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
+c,8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a6df6035
+6f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b6
 ~~~
 
 ### POPRF Mode
@@ -130,10 +130,10 @@ d,5c3fe06ef39905710a124df0727c6c938f48234b35ccc4548c0736d7f6f36e6b73
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 024eaeb72e5b3729d7f19d90aa44e3d2f4c445fb29011ffd755655636f2b1
-00a
-pkSm = e001954ccd18ec5aa89bcbf26c03d84dc4d9c9b973d9f06b1e0ceb7b79f41
-d65
+skSm = 145c79c108538421ac164ecbe131942136d5570b16d8bf41a24d4337da981
+e07
+pkSm = c647bef38497bc6ec077c22af65b696efa43bff3b4a1975a3e8e0a1c5a79d
+631
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -143,17 +143,17 @@ Input = 00
 Info = 7465737420696e666f
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = 009ffa1ffc529e4f1d3d8de1c06d22fbb15e39920a72ad4efed
-6c39af9438a2d
-EvaluationElement = aa9af25bf4edead5e2e0a4b8f93db9b497017f93cf68c750
-45f02172bfc5d304
-Proof = bb893ccce54685a871185bb056cb5e0594d09d3b53f2f879de06a650b8ae
-ff08371f2ff9f3d5cac7f393cc37b2c71c2a6fbb80f35fe36b8e5cbddf11469c8e03
+BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
+dd8f3d461f715
+EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
+5693e2078450d874
+Proof = 41ad1a291aa02c80b0915fbfbb0c0afa15a57e2970067a602ddb9e8fd6b7
+100de32e1ecff943a36f0b10e3dae6bd266cdeb8adf825d86ef27dbc6c0e30c52206
 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
 81aa6f61d645fc0e
-Output = e7ed59e3f808c369598961ebfd9af74272894e0904d1c11653a21b08204
-dba1a5fb5c3dd6be6c419190a84b576d91eb3d8d920d450fee0427fd24524950d72d
-6
+Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
+2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
+1
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -163,17 +163,17 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Info = 7465737420696e666f
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706
-BlindedElement = 5e009e08e228f95ee3703cff60a1d54225bb282bdb6d7dc9a78
-e287f8418315a
-EvaluationElement = 2e528236481eb6d87b07ef5f8c17910323d04b3bf0cb2f2d
-23d5a7ad9f069b22
-Proof = 3796381ab287189839288bbaffc971eb87c3a28226fa99dc83b363adb2f4
-b20e4ae81fb675ebcd43d13918f71846cb488d0ce7d473bfca68450a5a5472564500
+BlindedElement = f0f0b209dd4d5f1844dac679acc7761b91a2e704879656cb7c2
+01e82a99ab07d
+EvaluationElement = 8c3c9d064c334c6991e99f286ea2301d1bde170b54003fb9
+c44c6d7bd6fc1540
+Proof = 4c39992d55ffba38232cdac88fe583af8a85441fefd7d1d4a8d0394cd1de
+77018bf135c174f20281b3341ab1f453fe72b0293a7398703384bed822bfdeec8908
 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
 81aa6f61d645fc0e
-Output = 9a0d8c55e2fef4bada9fb5877a0e739496e539a0d835722911dab9ec112
-397e763a605acbc072619e8b8acefb8ee704a357556edc802648089d684baa763ce1
-4
+Output = 7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b
+56a52de2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae50
+7
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -184,32 +184,32 @@ Info = 7465737420696e666f
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
 6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
 e
-BlindedElement = 009ffa1ffc529e4f1d3d8de1c06d22fbb15e39920a72ad4efed
-6c39af9438a2d,1ee64b9e5148987ca6647ccddc11ef506231e986d5ce08ef9b8230
-871f840b3a
-EvaluationElement = aa9af25bf4edead5e2e0a4b8f93db9b497017f93cf68c750
-45f02172bfc5d304,3073794fd68f64432b4d1f24752c4398f0e81e00b5b5842e463
-5dd381331091b
-Proof = 7d59db67715a9030d46ab50a614fb55927961c8d9322cb6973ef36775309
-810b9f4a670ba4b9321f5cf753be2a58dee0730cfabd12b8f25a8a342e158ae2b608
+BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
+dd8f3d461f715,423a01c072e06eb1cce96d23acce06e1ea64a609d7ec9e9023f304
+9f2d64e50c
+EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
+5693e2078450d874,aa1f16e903841036e38075da8a46655c94fc92341887eb5819f
+46312adfc0504
+Proof = 43fdb53be399cbd3561186ae480320caa2b9f36cca0e5b160c4a677b8bbf
+4301b28f12c36aa8e11e5a7ef551da0781e863a6dc8c0b2bf5a149c9e00621f02006
 ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
 cf037f9ea84bbe0c
-Output = e7ed59e3f808c369598961ebfd9af74272894e0904d1c11653a21b08204
-dba1a5fb5c3dd6be6c419190a84b576d91eb3d8d920d450fee0427fd24524950d72d
-6,9a0d8c55e2fef4bada9fb5877a0e739496e539a0d835722911dab9ec112397e763
-a605acbc072619e8b8acefb8ee704a357556edc802648089d684baa763ce14
+Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
+2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
+1,7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b56a52de
+2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae507
 ~~~
 
-## OPRF(decaf448, SHAKE-256)
+## decaf448-SHAKE256
 
 ### OPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = 30f71e5b5be9c91dd54c5a48e82be8d47eeb2cb2c45d7874a45dddc85af8d
-3f95b1ce73a99c47edc26ac9ddd936bd9b6b73728995bf1d213
+skSm = e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29e
+cc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -218,13 +218,13 @@ skSm = 30f71e5b5be9c91dd54c5a48e82be8d47eeb2cb2c45d7874a45dddc85af8d
 Input = 00
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = a4205d2af0410dccbd4464629ba1b835456d04d994cf93988cf
-2c3b9d45d3c4671c7625f52c66c760a069e2c3c367826debb13da089d735c
-EvaluationElement = e8d78cf5212fddf940f9f6fe02250ed83cc0595e3f0e7481
-1cdb9f62c0fa7fea94c45795637dc5c3ac31ee1cff18d0d675396ae09b302f76
-Output = 1c1a9df7d0616e0f5fdfb6479acec73a4f5562da8f9488f3b6112ef11c6
-7c5900e0abc3a169486ac7230a306c8796562a045c66305ed7cb2a3fae658e45eae4
-c
+BlindedElement = e0ae01c4095f08e03b19baf47ffdc19cb7d98e583160522a3c7
+d6a0b2111cd93a126a46b7b41b730cd7fc943d4e28e590ed33ae475885f6c
+EvaluationElement = 50ce4e60eed006e22e7027454b5a4b8319eb2bc8ced609eb
+19eb3ad42fb19e06ba12d382cbe7ae342a0cad6ead0ef8f91f00bb7f0cd9c0a2
+Output = 37d3f7922d9388a15b561de5829bbf654c4089ede89c0ce0f3f85bcdba0
+9e382ce0ab3507e021f9e79706a1798ffeac68ebd5cf62e5eb9838c7068351d97ae3
+7
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -233,12 +233,12 @@ c
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = ec5b609e5d3c0bb024c35256194694ea6e42aa24d13cf6b0597
-49cb36911ccba0923cb73136acdf4bcecf23b6025f7b9b93d2eb0c09d964d
-EvaluationElement = 524c3a644e381b4ae416724247f94b996f655167e0d4e1ba
-d93cbc731c3beb36e3822e9dcbdc3600966226387a2306ba70eb68db5a64f92f
-Output = 95f519e8ff2b54d8d596da2c54829ae3dd900f5c18eef48efa03ef6694c
-505bea17b7982246c862d081b9fdcf295debc60abec8b0ddbfdf48bd302a3fe61b21
+BlindedElement = 86a88dc5c6331ecfcb1d9aacb50a68213803c462e377577cacc
+00af28e15f0ddbc2e3d716f2f39ef95f3ec1314a2c64d940a9f295d8f13bb
+EvaluationElement = 162e9fa6e9d527c3cd734a31bf122a34dbd5bcb7bb23651f
+1768a7a9274cc116c03b58afa6f0dede3994a60066c76370e7328e7062fd5819
+Output = a2a652290055cb0f6f8637a249ee45e32ef4667db0b4c80c0a70d2a6416
+4d01525cfdad5d870a694ec77972b9b6ec5d2596a5223e5336913f945101f0137f55
 e
 ~~~
 
@@ -246,12 +246,12 @@ e
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = 44c46e78aa6386cee57a46c75d124b13ced3e5f055caa3baaad61501330a4
-24463400453c97245a8f7b4c65f2c4c3dabd09a049c034f9e20
-pkSm = 78f4233110896fd41531fce182094c3bc4cf65f97b23078476b3b68118736
-617172d3735c5832081864e7c75cd3ddb449e93068b34ba863e
+skSm = e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104f
+cc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e
+pkSm = 945fc518c47695cf65217ace04b86ac5e4cbe26ca649d52854bb16c494ce0
+9069d6add96b20d4b0ae311a87c9a73e3a146b525763ab2f955
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -260,19 +260,19 @@ pkSm = 78f4233110896fd41531fce182094c3bc4cf65f97b23078476b3b68118736
 Input = 00
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = 38b758b69dfaaff8576eaaabfe70801813d95eb098f85516bcd
-46a0f68d1ea8cc1dea3bc7c8d340ee77c5bbca6e7d723e51d77e0807acd0d
-EvaluationElement = 7a8374bbae55dfc91e10a9d8042015419c505a6a8ac54e5b
-93867747eb04252aba316d9f750fa0c54458aa8c90e963a60af5ae6f141af8d2
-Proof = 2fd38cf9829c5f3fd294a5eb114356cd67cc5839cf797dc060273e07cf57
-0dbabea029f0bf4675d84866865d1d146bfa38eff8195b59cf3c180bab30509061b9
-d02e70f709f085dc8c98c0924259c9a3463ef5ceb97105989941155b98bd7b03b1e1
-e538850139dc1a56beff1bb9401f
+BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
+1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb
+EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
+c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467
+Proof = f84bbeee47aedf43558dae4b95b3853635a9fc1a9ea7eac9b454c64c66c4
+f49cd1c72711c7ac2e06c681e16ea693d5500bbd7b56455df52f69e00b76b4126961
+e1562fdbaaac40b7701065cbeece3febbfe09e00160f81775d36daed99d8a2a10be0
+759e01b7ee81217203416c9db208
 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
-Output = 3db64b6f803391e7c9803135457da250eb29778480c30f29d53e9ff46c3
-ce5ba9555418fc28af347c18b77a990eb904d0043a3411837b6d316f749428a9a370
-4
+Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
+5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
+1
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -281,19 +281,19 @@ ce5ba9555418fc28af347c18b77a990eb904d0043a3411837b6d316f749428a9a370
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = ea9b2d51579f5c07c5c511cf3bba888f5fc76d6ce29075a0b02
-5adb3daf4b568045c28e6bd00442251597ba6264e59beaf46220d8405fff6
-EvaluationElement = f6d23094a82e33e231003a1ecdd4659029d613932b767451
-c607ec428315283fe0b121bf09d7c88cf2ed50910463e38383fb52e5562a87f0
-Proof = 104e45c171bd7ca9119af1091e3175c8af4e9efdbd4704b3d5a8dfc99465
-9842ea021da27a9c1e0fbac369627eb5e9cf9e82964b7412081f15f6bfc5c68425f6
-4f1a4dae420a03d582a6cfffc0fc4da71a145bb5305ae28985e15e067d28523578ea
-696205cea28cf5831abed3e40f37
+BlindedElement = 88287e553939090b888ddc15913e1807dc4757215555e1c3a79
+488ef311594729c7fa74c772a732b78440b7d66d0aa35f3bb316f1d93e1b2
+EvaluationElement = c00978c73e8e4ee1d447ab0d3ad1754055e72cc85c08e3a0
+db170909a9c61cbff1f1e7015f289e3038b0f341faea5d7780c130106065c231
+Proof = 7a2831a6b237e11ac1657d440df93bc5ce00f552e6020a99d5c956ffc4d0
+7b5ade3e82ecdc257fd53d76239e733e0a1313e84ce16cc0d82734806092a693d7e8
+d3c420c2cb6ccd5d0ca32514fb78e9ad0973ebdcb52eba438fc73948d76339ee7101
+21d83e2fe6f001cfdf551aff9f36
 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
-Output = 4dc9ec52b6aa7f1f38a320d10cb58e0d86b040f6376d2f178f42c99986f
-e932aca7162cb72dd94056724617979c0f7ea652b1492bbad1d82748a38ff4daf129
-8
+Output = 862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380
+c959baa8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c94
+1
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -304,36 +304,36 @@ Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
 48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
 a070e5f953d80bb464ea369e5522b
-BlindedElement = 38b758b69dfaaff8576eaaabfe70801813d95eb098f85516bcd
-46a0f68d1ea8cc1dea3bc7c8d340ee77c5bbca6e7d723e51d77e0807acd0d,5a788e
-f7949021b22da4a4e89b2443458c96fcbec8b66b08df885eec8fb4070fefe8b50e08
-5e043c368cc05a9339b5ae31eb6482efc0d933
-EvaluationElement = 7a8374bbae55dfc91e10a9d8042015419c505a6a8ac54e5b
-93867747eb04252aba316d9f750fa0c54458aa8c90e963a60af5ae6f141af8d2,0ac
-81e0e5b9fa6d90be58a6fc3fb4fde57e0efacbe210cebc2c85a6e934114b5e0e5ba4
-cc202bde7cd7708415cdcc2312a51fca6ad6f06bf
-Proof = a221b134d99ba97cad98bf45341eeacd8a402a6e4c5ea5f93cee54ad0f2b
-ee544f67d2859a5253cb9def403bfee9420a5224fad35e3f9a3fbb5f28f6b8abcb34
-130beaa158a41d1497aacc2f073b2da5471067bb832ec8044f417f528e2e6ccb897f
-992424220d608b5e7bbfd4257e1f
+BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
+1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb,2e15f3
+93c035492a1573627a3606e528c6294c767c8d43b8c691ef70a52cc7dc7d1b53fe45
+8350a270abb7c231b87ba58266f89164f714d9
+EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
+c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467,8ec
+68e9871b296e81c55647ce64a04fe75d19932f1400544cd601468c60f998408bbb54
+6601d4a636e8be279e558d70b95c8d4a4f61892be
+Proof = 167d922f0a6ffa845eed07f8aa97b6ac746d902ecbeb18f49c009adc0521
+eab1e4d275b74a2dc266b7a194c854e85e7eb54a9a36376dfc04ec7f3bd55fc9618c
+3970cb548e064f8a2f06183a5702933dbc3e4c25a73438f2108ee1981c306181003c
+7ea92fce963ec7b4ba4f270e6d38
 ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
 6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
-Output = 3db64b6f803391e7c9803135457da250eb29778480c30f29d53e9ff46c3
-ce5ba9555418fc28af347c18b77a990eb904d0043a3411837b6d316f749428a9a370
-4,4dc9ec52b6aa7f1f38a320d10cb58e0d86b040f6376d2f178f42c99986fe932aca
-7162cb72dd94056724617979c0f7ea652b1492bbad1d82748a38ff4daf1298
+Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
+5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
+1,862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380c959baa
+8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c941
 ~~~
 
 ### POPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = fdd59cb218c7fbdcd48b18ef21ab647a6c210110c765bc3da6c11e563671a
-48402c23129ce2ffd021d99da5a2d04158883c65d7f74a4901b
-pkSm = 1223e0aec4ee5bc19181078be380cc745d1896e1369aed3cc8a45b40ba3f9
-aa1f79e23d542d6529e17465d1954d75e336910c6417de99200
+skSm = 792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22d
+e402990eb143fd7c67ac66be75e0609705ecea800992aac8e19
+pkSm = 6c9d12723a5bbcf305522cc04b4a34d9ced2e12831826018ea7b5dcf54526
+47ad262113059bf0f6e4354319951b9d513c74f29cb0eec38c1
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -343,19 +343,19 @@ Input = 00
 Info = 7465737420696e666f
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = f86104fcefec6bdca7767bc3e6a2ac9de2b00546579fd50ff66
-687df531f7a2dfa8689a6cfdf91efc32d6fff490e722990752b7bc4bda28f
-EvaluationElement = 76f27e6fa79cd38638e35f5caa5d641e41526fbfd9272c19
-be22dfc8cdd962e6d5d4e0c605c9bd6588eb9698a2bbf792a0827bb1116c8812
-Proof = 3a1b3400ad16e1562e731c64520fa5a3664c1487ffe6537e85029842904d
-3e01f9e7435b881ab9346847cc3470a2b37e6a10a4ef7bd36b2d06c602086a33252f
-39c562aab5820a66c3bdf9d72583587e93ea893725be535cdeca1094d5b4dae119b4
-9456162f60034a904f521f7cd818
+BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
+9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42
+EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
+02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c
+Proof = 66caee75bf2460429f620f6ad3e811d524cb8ddd848a435fc5d89af48877
+abf6506ee341a0b6f67c2d76cd021e5f3d1c9abe5aa9f0dce016da746135fedba2af
+41ed1d01659bfd6180d96bc1b7f320c0cb6926011ce392ecca748662564892bae665
+16acaac6ca39aadf6fcca95af406
 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
-Output = 2a08f81bf204eb43a57dbc011946861ed715a2fd3d39a3b35e43c74d07d
-4734149ba163389a02f6cd33fbb5b84e167d35dca7a7dc00b89418398c255c8293ac
-6
+Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
+971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
+d
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -365,19 +365,19 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Info = 7465737420696e666f
 Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
-BlindedElement = e6f508abea28cbb0242f0dae1c0a92e017127edb7c8d8e0ec98
-a5ea25c6bc9bb86bfc0bf9b8a086302e29a2a4b0a1d9d80f2d439cfba3ec1
-EvaluationElement = 1ea637b039e0ab12c6959c74e275471e33655007a7fa23af
-97ec578bcfc8c3381d4929ebf51433b76460d583f16b7cf1e75b9708f5d9d2f7
-Proof = d53a1bfeafc5b47fc86406fba080e57434a7004a0739399ccb356f790b13
-585da9d69a25c526e039fa06ad6a5781283ea7997eced063fd32e58bc95d57fd771c
-ad4a7e23633ae2049eec5ad86ade6a5e98d44f78fd86b5f55ab3c7a03025d6aec1f4
-f50a2bd7b9b554841f6b4cd23d14
+BlindedElement = 12082b6a381c6c51e85d00f2a3d828cdeab3f5cb19a10b9c014
+c33826764ab7e7cfb8b4ff6f411bddb2d64e62a472af1cd816e5b712790c6
+EvaluationElement = f2919b7eedc05ab807c221fce2b12c4ae9e19e6909c47845
+64b690d1972d2994ca623f273afc67444d84ea40cbc58fcdab7945f321a52848
+Proof = a295677c54d1bc4286330907fc2490a7de163da26f9ce03a462a452fea42
+2b19ade296ba031359b3b6841e48455d20519ad01b4ac4f0b92e76d3cf16fbef0a3f
+72791a8401ef2d7081d361e502e96b2c60608b9fa566f43d4611c2f161d83aabef7f
+8017332b26ed1daaf80440772022
 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
-Output = 80ac73a09fbf8cbd329ff1b7f42d8d14e46ae5b732f776f3203f0680daf
-265254360da0afcd9dc1d0cd3858ab21ce8e7a19f0426d7e701cfda34fb8238c9e43
-4
+Output = 8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf63
+3126de0c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8
+d
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -389,27 +389,27 @@ Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
 3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
 48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
 a070e5f953d80bb464ea369e5522b
-BlindedElement = f86104fcefec6bdca7767bc3e6a2ac9de2b00546579fd50ff66
-687df531f7a2dfa8689a6cfdf91efc32d6fff490e722990752b7bc4bda28f,50c684
-9c8f6355687bbc9d4675bcea953cb913c5447c9c8400062ae37f808ce8a75d592c56
-f3393d4ea12ec72f9f84402002eb497201089a
-EvaluationElement = 76f27e6fa79cd38638e35f5caa5d641e41526fbfd9272c19
-be22dfc8cdd962e6d5d4e0c605c9bd6588eb9698a2bbf792a0827bb1116c8812,7ca
-a4dd83ecae98fc3e282a0e7df1887393a3fc1e17935dfe355da394756fbfcad65386
-eeedf1ba8498411645448c7027753cd9090198c02
-Proof = b4f869bf5ec65e0152af5bd29f9fa32c3dfc00355e4e019feda07a281547
-fb2f0c559c600bf6cb52a92753264d1c1367e0134b132880732ec70a8c741d60370e
-5c22c4aca0e4564732b0157858f3c968bda06aab34c71386ec88afe76ec2c14bf56f
-0adf7b05bab826e4aa034cc78837
+BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
+9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42,fc8847
+d43fb4cea4e408f585661a8f2867533fa91d22155d3127a22f18d3b007add480f7d3
+00bca93fa47fe87ae06a57b7d0f0d4c30b12f0
+EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
+02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c,2e7
+4c626d07de49b1c8c21d87120fd78105f485e36816af9bde3e3efbeef76815326062
+fd333925b66c5ce5a20f100bf01770c16609f990a
+Proof = fd94db736f97ea4efe9d0d4ad2933072697a6bbeb32834057b23edf7c700
+9f011dfa72157f05d2a507c2bbf0b54cad99ab99de05921c021fda7d70e65bcecdb0
+5f9a30154127ace983c74d10fd910b554c5e95f6bd1565fd1f3dbbe3c523ece5c72d
+57a559b7be1368c4786db4a3c910
 ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
 6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
-Output = 2a08f81bf204eb43a57dbc011946861ed715a2fd3d39a3b35e43c74d07d
-4734149ba163389a02f6cd33fbb5b84e167d35dca7a7dc00b89418398c255c8293ac
-6,80ac73a09fbf8cbd329ff1b7f42d8d14e46ae5b732f776f3203f0680daf2652543
-60da0afcd9dc1d0cd3858ab21ce8e7a19f0426d7e701cfda34fb8238c9e434
+Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
+971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
+d,8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf633126de0
+c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8d
 ~~~
 
-## OPRF(P-256, SHA-256)
+## P256-SHA256
 
 ### OPRF Mode
 
@@ -417,8 +417,8 @@ Output = 2a08f81bf204eb43a57dbc011946861ed715a2fd3d39a3b35e43c74d07d
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 274d7747cf2e26352ecea6bd768c426087da3dfcd466b6841b441ada8412f
-b33
+skSm = 159749d750713afe245d2d39ccfaae8381c53ce92d098a9375ee70739c7ac
+0bf
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -427,12 +427,12 @@ b33
 Input = 00
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02ff9dc7d4350ab6fe1f41299ec5fa8283b6ef37fc62682ea69
-6142e13aad4ae9c
-EvaluationElement = 023a5facf92477164f10cc6bf35b4d9272bfadf98dbabbe7
-b7a137efa1af6546fb
-Output = 488d693c0d43ab75703901fa1398907cf7dc7a90978d1c2f0def63c88e8
-1b8b0
+BlindedElement = 03723a1e5c09b8b9c18d1dcbca29e8007e95f14f4732d9346d4
+90ffc195110368d
+EvaluationElement = 030de02ffec47a1fd53efcdd1c6faf5bdc270912b8749e78
+3c7ca75bb412958832
+Output = a0b34de5fa4c5b6da07e72af73cc507cceeb48981b97b7285fc375345fe
+495dd
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -441,12 +441,12 @@ Output = 488d693c0d43ab75703901fa1398907cf7dc7a90978d1c2f0def63c88e8
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 03b3cd723330e42975e6e18a6157ecf9455894c18a0189e3e62
-4a46d705f790fcc
-EvaluationElement = 03f1ea590f2cc4afd45a841285c6be4d88825a9c6c04eb55
-a1ca996583dd3e2e9f
-Output = dacd8400f6fae62beabead9bc27869b5109fb5d87da338ae2488712ec25
-f1be9
+BlindedElement = 03cc1df781f1c2240a64d1c297b3f3d16262ef5d4cf10273488
+2675c26231b0838
+EvaluationElement = 03a0395fe3828f2476ffcd1f4fe540e5a8489322d398be3c
+4e5a869db7fcb7c52c
+Output = c748ca6dd327f0ce85f4ae3a8cd6d4d5390bbb804c9e12dcf94f853fece
+3dcce
 ~~~
 
 ### VOPRF Mode
@@ -455,10 +455,10 @@ f1be9
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = b3d12edba73e40401fdc27c0094a56337feb3646d1633345af7e7142a6b15
-59d
-pkSm = 03f9fc787c9a4dda44a4b811a961d1fd60f87be7465b8a1b9058dc534dae7
-0624c
+skSm = ca5d94c8807817669a51b196c34c1b7f8442fde4334a7121ae4736364312f
+ca6
+pkSm = 03e17e70604bcabe198882c0a1f27a92441e774224ed9c702e51dd17038b1
+02462
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -467,16 +467,16 @@ pkSm = 03f9fc787c9a4dda44a4b811a961d1fd60f87be7465b8a1b9058dc534dae7
 Input = 00
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02bf13d60f3e39e2018c7be9876d88b52e56c0fc2847c8550e3
-cee152c51cf72ec
-EvaluationElement = 0253e64b5251607348f2b46064805275a849e44db465f649
-267c54bd7a774d670f
-Proof = d0bff8c87ee38f2b2e9e28161fb0f3bc7e4c3bee7329276487d4fd98d4f4
-74fff793a846ffcb44d48f9545e321d89e4e6bccea858089732abf10bf19a220a936
+BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
+4013648c01277da
+EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
+2e9ba29b90ae83e4a2
+Proof = e7c2b3c5c954c035949f1f74e6bce2ed539a3be267d1481e9ddb178533df
+4c2664f69d065c604a4fd953e100b856ad83804eb3845189babfa5a702090d6fc5fa
 ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 9df5d51a9149a86c3660396feabaf790b8c838fc96012adba5acbd913f2
-a4016
+Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
+645a1
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -485,16 +485,16 @@ a4016
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02a13e263fd9df5aa0078f8d5d6cbe8763e5bee69ee06841a66
-dad0db8701480cf
-EvaluationElement = 02d9f54fcb97bdab47e6664376a75911f1c3e447f5754550
-89d926fbd032cb6e53
-Proof = e3ccd78a2f2428d04599c90d4b45e3de49b38a3ba0c80a224b8125747648
-718319238dd349cdeb533a6d24333b56aafbb202bec1831511717b231b89b8b36853
+BlindedElement = 03cd0f033e791c4d79dfa9c6ed750f2ac009ec46cd4195ca6fd
+3800d1e9b887dbd
+EvaluationElement = 030d2985865c693bf7af47ba4d3a3813176576383d19aff0
+03ef7b0784a0d83cf1
+Proof = 2787d729c57e3d9512d3aa9e8708ad226bc48e0f1750b0767aaff73482c4
+4b8d2873d74ec88aebd3504961acea16790a05c542d9fbff4fe269a77510db00abab
 ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = beef8ec835625f610d616d32b1d13f2f899f07c0b8089fa48a1f0ecbc5a
-91b8b
+Output = 771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c
+24f18
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -504,19 +504,19 @@ Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
 1
-BlindedElement = 02bf13d60f3e39e2018c7be9876d88b52e56c0fc2847c8550e3
-cee152c51cf72ec,0322b89e261428d77367cba2aa78fdfa2b21c2919150cafe802e
-9020c7f95ec180
-EvaluationElement = 0253e64b5251607348f2b46064805275a849e44db465f649
-267c54bd7a774d670f,02182b225cfab1d2e25da200549d8b5e2c4581aa7b7bd85be
-f9b61a14549f58230
-Proof = 900fd64d21320b6059a2810f7046066c4c91a5f4e4f6063c7b51316a4862
-2de8f3a28e5f1d0ebe8ae77fdaacbcb1ae92685243e9ceb813bb749dee6c7123270e
+BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
+4013648c01277da,03462e9ae64cae5b83ba98a6b360d942266389ac369b923eb3d5
+57213b1922f8ab
+EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
+2e9ba29b90ae83e4a2,02bb24f4d838414aef052a8f044a6771230ca69c0a5677540
+fff738dd31bb69771
+Proof = bdcc351707d02a72ce49511c7db990566d29d6153ad6f8982fad2b435d6c
+e4d60da1e6b3fa740811bde34dd4fe0aa1b5fe6600d0440c9ddee95ea7fad7a60cf2
 ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
 51943c8026877963
-Output = 9df5d51a9149a86c3660396feabaf790b8c838fc96012adba5acbd913f2
-a4016,beef8ec835625f610d616d32b1d13f2f899f07c0b8089fa48a1f0ecbc5a91b
-8b
+Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
+645a1,771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c24f
+18
 ~~~
 
 ### POPRF Mode
@@ -525,10 +525,10 @@ a4016,beef8ec835625f610d616d32b1d13f2f899f07c0b8089fa48a1f0ecbc5a91b
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 59519f6c7da344f340ad35ad895a5b97437673cc3ac8b964b823cdb52c932
-f86
-pkSm = 0335065d006a3db4fb09154024dff38c3188a1027e19ce6932e6824c12764
-47766
+skSm = 6ad2173efa689ef2c27772566ad7ff6e2d59b3b196f00219451fb2c89ee4d
+ae2
+pkSm = 030d7ff077fddeec965db14b794f0cc1ba9019b04a2f4fcc1fa525dedf72e
+2a3e3
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -538,16 +538,16 @@ Input = 00
 Info = 7465737420696e666f
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02811b5218bd2bb8361f990efb6062f1201241bcd6f053a5c35
-c34dcd7292e7730
-EvaluationElement = 02555fc8577c4f88eeb13bc6ac53994f8fb287a33a704592
-05ddff91bc19b6a2da
-Proof = d87b112dfa11b77f226b85693ab1b5f63adfa491b6e051e570a12392a926
-c4816778b527526ba6212c4b0597f13e05f5f9b2223429aab82cd2596625ab1cad0b
+BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
+db0b2bd9dd4e2c0
+EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
+67e125db024a2c74d2
+Proof = f8a33690b87736c854eadfcaab58a59b8d9c03b569110b6f31f8bf7577f3
+fbb85a8a0c38468ccde1ba942be501654adb106167c8eb178703ccb42bccffb9231a
 ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = af6525716fe5dd844076bb5cb118ceda08c02c2d1a02368922ddad63f40
-f8b44
+Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
+5c592
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -557,16 +557,16 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Info = 7465737420696e666f
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 03e9ddbb1fa70461119afcf0ffbfe3fcd105690c14cf0e07872
-e72d4f63aa0e197
-EvaluationElement = 03156037ca1ab2166e924e6197344a9885256de2cd7d9432
-ae36e3f94049e94bbb
-Proof = d087b632e2aa4a67e0bc8b7cf012646217a2dfdbf49c60f236a43c66c72b
-7f2767b85dc93b96a11e3286ef1ff1864b544a68c2c2d8c2bc35ef7cf7dd34189d3e
+BlindedElement = 021a440ace8ca667f261c10ac7686adc66a12be31e3520fca31
+7643a1eee9dcd4d
+EvaluationElement = 0208ca109cbae44f4774fc0bdd2783efdcb868cb4523d521
+96f700210e777c5de3
+Proof = 043a8fb7fc7fd31e35770cabda4753c5bf0ecc1e88c68d7d35a62bf2631e
+875af4613641be2d1875c31d1319d191c4bbc0d04875f4fd03c31d3d17dd8e069b69
 ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 192f4e5d4f89ffe4b9cea5c1c9619ffe32443a5c04fc35f98c3821420cf
-1890c
+Output = 1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5f
+fce8c
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -577,31 +577,31 @@ Info = 7465737420696e666f
 Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
 1
-BlindedElement = 02811b5218bd2bb8361f990efb6062f1201241bcd6f053a5c35
-c34dcd7292e7730,0366ff91265bb4a9d24130b9e8cd3ecc523084b512b6b0722de4
-4049616b8c374f
-EvaluationElement = 02555fc8577c4f88eeb13bc6ac53994f8fb287a33a704592
-05ddff91bc19b6a2da,032bdb191ef5604cf43d0c37faead30c4b2b21e3f61c0d47c
-cc84850fc5656e500
-Proof = 1bd5f64dffa2ab8d6532122887ed55ad17d114020901a7a01cf2412d568e
-22b6d0536fd6dbefe9f417060468ee3cc451a8f3750f4d8d4acf1e98437248cc7fa2
+BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
+db0b2bd9dd4e2c0,03ca4ff41c12fadd7a0bc92cf856732b21df652e01a3abdf0fa8
+847da053db213c
+EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
+67e125db024a2c74d2,02f0b6bcd467343a8d8555a99dc2eed0215c71898c5edb77a
+3d97ddd0dbad478e8
+Proof = 8fbd85a32c13aba79db4b42e762c00687d6dbf9c8cb97b2a225645ccb00d
+9d7580b383c885cdfd07df448d55e06f50f6173405eee5506c0ed0851ff718d13e68
 ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
 51943c8026877963
-Output = af6525716fe5dd844076bb5cb118ceda08c02c2d1a02368922ddad63f40
-f8b44,192f4e5d4f89ffe4b9cea5c1c9619ffe32443a5c04fc35f98c3821420cf189
-0c
+Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
+5c592,1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5ffce
+8c
 ~~~
 
-## OPRF(P-384, SHA-384)
+## P384-SHA384
 
 ### OPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = c0503759ddd1e31d8c7eae9304c9b1c16f83d1f6d962e3e7b789cd85fd581
-800e96c5c4256131aafcff9a76919abbd55
+skSm = dfe7ddc41a4646901184f2b432616c8ba6d452f9bcd0c4f75a5150ef2b2ed
+02ef40b8b92f60ae591bcabd72a6518f188
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -610,12 +610,12 @@ skSm = c0503759ddd1e31d8c7eae9304c9b1c16f83d1f6d962e3e7b789cd85fd581
 Input = 00
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 0396a1584fedc4d91ddb753a0c49e0aa2298c1936dbc935d60f
-e793d82809f44ff05fbd1922a2cae789d700b5ef4310fb3
-EvaluationElement = 0361804cebcb1873cee5e51efd5257cd8b095521cc0089cf
-4c1100b1d749e212a044eae6d4f3d852e379eeb1bb54047823
-Output = b7ccad41ed7f56be97621bbba8cc3a4f5e8a46a28d72b0fe089d12802f8
-6f080b20726e01a99390aba3437ac50c640d6
+BlindedElement = 02a36bc90e6db34096346eaf8b7bc40ee1113582155ad379700
+3ce614c835a874343701d3f2debbd80d97cbe45de6e5f1f
+EvaluationElement = 03af2a4fc94770d7a7bf3187ca9cc4faf3732049eded2442
+ee50fbddda58b70ae2999366f72498cdbc43e6f2fc184afe30
+Output = ed84ad3f31a552f0456e58935fcc0a3039db42e7f356dcb32aa6d487b6b
+815a07d5813641fb1398c03ddab5763874357
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -624,24 +624,24 @@ Output = b7ccad41ed7f56be97621bbba8cc3a4f5e8a46a28d72b0fe089d12802f8
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 0370b0b4649c0880d44c421a3ca7c915b1b6ffa61f5a1290aa2
-2258b006d148e5c105d47725e1ee1b2483b9c5666384038
-EvaluationElement = 036d0aaf31ec411ef8e11c68551434883468e56cbd5d615a
-c8c52b9dc7af326889d52d7466c5eed47f8c89707976aadc64
-Output = ca7dc32dc6434101f35a790717dd591e5963acc86d20fda68011fe228fb
-76be8da7f42c6a92284df88fb8e69480a3cb9
+BlindedElement = 02def6f418e3484f67a124a2ce1bfb19de7a4af568ede6a1ebb
+2733882510ddd43d05f2b1ab5187936a55e50a847a8b900
+EvaluationElement = 034e9b9a2960b536f2ef47d8608b21597ba400d5abfa1825
+fd21c36b75f927f396bf3716c96129d1fa4a77fa1d479c8d7b
+Output = dd4f29da869ab9355d60617b60da0991e22aaab243a3460601e48b07585
+9d1c526d36597326f1b985778f781a1682e75
 ~~~
 
 ### VOPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = 514fb6fe2e66af1383840759d56f71730331280f062930ee2a2f7ea42f935
-acf94087355699d788abfdf09d19a5c85ac
-pkSm = 02f773b99e65ad26e8cd20614910ce7ad74c1baa5bdbfd9f124389dc8ef44
-b5989f5bf036f6802dc2242fd7068b73da29f
+skSm = 051646b9e6e7a71ae27c1e1d0b87b4381db6d3595eeeb1adb41579adbf992
+f4278f9016eafc944edaa2b43183581779d
+pkSm = 031d689686c611991b55f1a1d8f4305ccd6cb719446f660a30db61b7aa87b
+46acf59b7c0d4a9077b3da21c25dd482229a0
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -650,17 +650,17 @@ b5989f5bf036f6802dc2242fd7068b73da29f
 Input = 00
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 03022e23d8356d74d8f9a24ade759fb4e7cf050d1a770110878
-83d4db52f16751d8d987fa49764c157c1039c4cdfa5ef7a
-EvaluationElement = 0202bdefbc2d55a37aa848df5efc561055235d9190da9ec3
-0ccfb84d93b033a29c4fb1968c55c63a0b90a205e1e9c4c19f
-Proof = 929ee0254047350f580cdbd6fca706a9d110e4fc0aa1383af8d35a536795
-69c038d90900e8810eca177b9cfd6a2d0f1fb5ed7a2e0f3107719cbd9c74ab7d9502
-79869f67551b629c3706c8f9cee651d700453ca44e43b0a08c05502cd28f3960
+BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
+a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9
+EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
+46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6
+Proof = bfc6cf3859127f5fe25548859856d6b7fa1c7459f0ba5712a806fc091a30
+00c42d8ba34ff45f32a52e40533efd2a03bc87f3bf4f9f58028297ccb9ccb18ae718
+2bcd1ef239df77e3be65ef147f3acf8bc9cbfc5524b702263414f043e3b7ca2e
 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-Output = 7eb3cc88d920431c3a5ea3fb6e36b515b6d82c5ef537e285918fe7c741e
-97819ce029657d6cced0f8850f47ff281c444
+Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
+26b4a622beab60220bf19078bca35a529b35c
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -669,17 +669,17 @@ Output = 7eb3cc88d920431c3a5ea3fb6e36b515b6d82c5ef537e285918fe7c741e
 Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 037ae30a62126a39ca791aadafb65769c812a559c7da92820e1
-43350b6bb8cefb543af2e0179664f9cd0d1499c018a0b18
-EvaluationElement = 0355f95a68e8c4f0d40910e9a85f09109e4e7fff84f75db1
-a4aa8e21c451ac2d872113b497bea6c0be1b535241557032a2
-Proof = f4ec262642fc9981fe5d1f0a3737f2d09ec9b056f577224013f5a3d09812
-fb22c6b45e17150d8fe3a8c7e63094cdf40a60ae1e50fc2e1678954c1ecbaed2f7d0
-7e6d597fffedc7aca450ed64164c46e62d1326ff1f6eaeba4b5dd151e953e060
+BlindedElement = 02f27469e059886f221be5f2cca03d2bdc61e55221721c3b3e5
+6fc012e36d31ae5f8dc058109591556a6dbd3a8c69c433b
+EvaluationElement = 03f16f903947035400e96b7f531a38d4a07ac89a80f89d86
+a1bf089c525a92c7f4733729ca30c56ce78b1ab4f7d92db8b4
+Proof = d005d6daaad7571414c1e0c75f7e57f2113ca9f4604e84bc90f9be52da89
+6fff3bee496dcde2a578ae9df315032585f801fb21c6080ac05672b291e575a40295
+b306d967717b28e08fcc8ad1cab47845d16af73b3e643ddcc191208e71c64630
 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-Output = fb538f84dae5f214c5adfcf529c6fe63bc46d6a4073d540cf0dabcc7c8e
-0f3c1b43b606002a9aa52ae158a19d900c136
+Output = b91c70ea3d4d62ba922eb8a7d03809a441e1c3c7af915cbc2226f485213
+e895942cd0f8580e6d99f82221e66c40d274f
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -689,34 +689,34 @@ Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
 6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-BlindedElement = 03022e23d8356d74d8f9a24ade759fb4e7cf050d1a770110878
-83d4db52f16751d8d987fa49764c157c1039c4cdfa5ef7a,031ee43111a2406b09eb
-4fb2a3a5fd7c690c0aa51158af766c9df1428bb18195f054c5f68ae1863e6ab3dd42
-98b3db712b
-EvaluationElement = 0202bdefbc2d55a37aa848df5efc561055235d9190da9ec3
-0ccfb84d93b033a29c4fb1968c55c63a0b90a205e1e9c4c19f,021fdbb3b92cf4f8e
-04534bc1a9f62596667c3ea49a6e89f1610b9f7f89708e8730df159827ea92e26fcf
-db2063920c89c
-Proof = 9cc7fe5a120cec6ef0d877260cf1af1861f281aa0015f371c8830f93f286
-8f5891ee6f32ec6fcbe130a50de24c93b131261eb4a242941c8d5ad9ad2f2be402d9
-386ac4afcf5e5498f35cc3db0442a77e139eb56a7b3435177e7bf1a48cef184a
+BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
+a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9,02fa02470d7f151018b4
+1e82223c32fad824de6ad4b5ce9f8e9f98083c9a726de9a1fc39d7a0cb6f4f188dd9
+cea01474cd
+EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
+46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6,028e9e115625ff4c2
+f07bf87ce3fd73fc77994a7a0c1df03d2a630a3d845930e2e63a165b114d98fe34e6
+1b68d23c0b50a
+Proof = 6d8dcbd2fc95550a02211fb78afd013933f307d21e7d855b0b1ed0af7807
+6d8137ad8b0a1bfa05676d325249c1dbb9a52bd81b1c2b7b0efc77cf7b278e1c947f
+6283f1d4c513053fc0ad19e026fb0c30654b53d9cea4b87b037271b5d2e2d0ea
 ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
 eca27405420cdf3d63cb3aef005f40ba51943c8026877963
-Output = 7eb3cc88d920431c3a5ea3fb6e36b515b6d82c5ef537e285918fe7c741e
-97819ce029657d6cced0f8850f47ff281c444,fb538f84dae5f214c5adfcf529c6fe
-63bc46d6a4073d540cf0dabcc7c8e0f3c1b43b606002a9aa52ae158a19d900c136
+Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
+26b4a622beab60220bf19078bca35a529b35c,b91c70ea3d4d62ba922eb8a7d03809
+a441e1c3c7af915cbc2226f485213e895942cd0f8580e6d99f82221e66c40d274f
 ~~~
 
 ### POPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3
+3a3
 KeyInfo = 74657374206b6579
-skSm = 0fcba4a204f67d6c13f780e613915f755319aaa3cb03cd20a5a4a6c403a48
-12a4fff5d3223e2c309aa66b05cb7611fd4
-pkSm = 03a571100213c4356177af14a7039cfee270ad1f9abde42ac3418c501209e
-d7b2fc0d4aa3373c12ba956fb555b02843fc8
+skSm = 5b2690d6954b8fbb159f19935d64133f12770c00b68422559c65431942d72
+1ff79d47d7a75906c30b7818ec0f38b7fb2
+pkSm = 02f00f0f1de81e5d6cf18140d4926ffdc9b1898c48dc49657ae36eb1e45de
+b8b951aaf1f10c82d2eaa6d02aafa3f10d2b6
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -726,17 +726,17 @@ Input = 00
 Info = 7465737420696e666f
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 03156aece0ce92e9eb8f7a9b7f6bd30230a048d41384f2fe49f
-1f9f69e180c23390e3ba8d0ee66dde6d637f03c06385f76
-EvaluationElement = 02352ec7586660cc4257a9e78366727341db0825e431fc82
-4a70a91019b67be26d8b880b2d4d8e734207d4a21a23429d74
-Proof = 77bb1ca3ba4013b93ccb302db838839098eca743de542d3c79d189f2adf0
-01999583a01aead6c248a32ff13b7f1f3d6b2dd04f653a5beb0f0394ad83ce5e79ea
-08ae029d669b918b6d62ed3b77b08a07f04bbc341fae06444d196746da4da884
+BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
+93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3
+EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
+373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91
+Proof = 82a17ef41c8b57f1e3122311b4d5cd39a63df0f67443ef18d961f9b659c1
+601ced8d3c64b294f604319ca80230380d437a49c7af0d620e22116669c008ebb767
+d90283d573b49cdb49e3725889620924c2c4b047a2a6225a3ba27e640ebddd33
 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-Output = fa15c0fe8706ac256dfd3c38d21ba0cd57b927cfcf3e4d6d5554ec1272e
-670079b95cdbb2778e0df22baf50f33e12607
+Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
+27303ed449a08caf84272c3bbc972ede797df
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -746,17 +746,17 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Info = 7465737420696e666f
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364
-BlindedElement = 02d46e0e2d27d8bb126e1201e881d0070b8807cb5635687b20d
-d4a3a248e7a40c50a1ad3e905e43342771eb23bc8827a00
-EvaluationElement = 030879805ff65cb536293a1449c00824e55c4c1b25379f2e
-c17d97923055169a6d97b46ed7b11bb661cc8cb9535abc3d66
-Proof = 9982a8501f45839213441d4ec501cf496d06fffab65f13ca3b3e66d21398
-fe9e0e04aafdf50eae214fa9cccad3c53d524d0f8c185ed60b11fcf5c7e82e10a8d3
-f3b2ce1e4a004d65e6ad596eeb5738453465d881f2770858cd46ac32f0e16121
+BlindedElement = 03f7efcb4aaf000263369d8a0621cb96b81b3206e99876de2a0
+0699ed4c45acf3969cd6e2319215395955d3f8d8cc1c712
+EvaluationElement = 034993c818369927e74b77c400376fd1ae29b6ac6c6ddb77
+6cf10e4fbc487826531b3cf0b7c8ca4d92c7af90c9def85ce6
+Proof = 693471b5dff0cd6a5c00ea34d7bf127b2795164e3bdb5f39a1e5edfbd13e
+443bc516061cd5b8449a473c2ceeccada9f3e5b57302e3d7bc5e28d38d6e3a3056e1
+e73b6cc030f5180f8a1ffa45aa923ee66d2ad0a07b500f2acc7fb99b5506465c
 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-Output = 77cb533216c32cac017d706d5f0ee4630bcb0bfefbb980d95e98dc240ab
-c70a944a44cde69b805aee3a39b2eb7d834be
+Output = ff2a527a21cc43b251a567382677f078c6e356336aec069dea8ba369953
+43ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -767,36 +767,35 @@ Info = 7465737420696e666f
 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
 889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
 6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
-BlindedElement = 03156aece0ce92e9eb8f7a9b7f6bd30230a048d41384f2fe49f
-1f9f69e180c23390e3ba8d0ee66dde6d637f03c06385f76,025663d73e3418039fdd
-ea1a212d254ec0103f28904e588b73c7da8298347706b2f69902a98e8d01c7aaa69a
-297b14c7dc
-EvaluationElement = 02352ec7586660cc4257a9e78366727341db0825e431fc82
-4a70a91019b67be26d8b880b2d4d8e734207d4a21a23429d74,02f8e532fabdd09bb
-2a7391a2a80c14f265c0456009199b77eefac1013d4a4f449dfe46d5d6d2d4d74f8c
-9fb1e2868b611
-Proof = f8c938b5d2aff7d1a05ecdcf4178d682fe7b35c375be5db88dfa59f488c6
-e4a68d4f99f16330a06f918e264ad68a78fdfad91446b72e1a3da2a65e531d520dd0
-4fd91dd49b09037648e04a44e83d0dfd2aab7627e7389818924ad9bff591d646
+BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
+93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3,021a65d618d645f1a20b
+c33b06deaa7e73d6d634c8a56a3d02b53a732b69a5c53c5a207ea33d5afdcde9a22d
+59726bce51
+EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
+373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91,02017657b315ec65e
+f861505e596c8645d94685dd7602cdd092a8f1c1c0194a5d0485fe47d071d972ab51
+4370174cc23f5
+Proof = 4a0b2fe96d5b2a046a0447fe079b77859ef11a39a3520d6ff7c626aad9b4
+73b724fb0cf188974ec961710a62162a83e97e0baa9eeada73397032d928b3e97b1e
+a92ad9458208302be3681b8ba78bcc17745bac00f84e0fdc98a6a8cba009c080
 ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
 eca27405420cdf3d63cb3aef005f40ba51943c8026877963
-Output = fa15c0fe8706ac256dfd3c38d21ba0cd57b927cfcf3e4d6d5554ec1272e
-670079b95cdbb2778e0df22baf50f33e12607,77cb533216c32cac017d706d5f0ee4
-630bcb0bfefbb980d95e98dc240abc70a944a44cde69b805aee3a39b2eb7d834be
+Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
+27303ed449a08caf84272c3bbc972ede797df,ff2a527a21cc43b251a567382677f0
+78c6e356336aec069dea8ba36995343ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
 ~~~
 
-## OPRF(P-521, SHA-512)
+## P521-SHA512
 
 ### OPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 0152e55f3a5d836ab6c2091a904ba4b4f92e51ba59ecc211b4fc771f7c6c8
-b17fcbbb2bed8a65afd7811ceeec3eac83df6a58515b6d3c71ee0ffc349e28c3fb78
-d83
+skSm = 0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a9
+55d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fcc
+ea6
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -806,15 +805,15 @@ Input = 00
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 03016480f33f005c8a8eb1003e48ebc22e082d0b86678f8460e
-df21cc1518a13bfc0001fa143d474b18214188d93a7b3124b1b385db4cd4e356ad24
-923ae55d70ce8a7
-EvaluationElement = 03005fdb56bf49fcd073b1c4cfb42ceef5666c709785ae82
-d659e4d75c0f5591cbf812ca9ffd992ac67c1877b63978f417687a2a6c17697e858c
-f715843f9e4235566a
-Output = ddcaaceceec790f4858a09f3e06e74e8b0841681a3d45ab1393d0948379
-43f782d9ed22ae716a642d4ee428ddf1dae9ff631047864b99a305412aceb7efafa3
-2
+BlindedElement = 0300e78bf846b0e1e1a3c320e353d758583cd876df56100a3a1
+e62bacba470fa6e0991be1be80b721c50c5fd0c672ba764457acc18c6200704e9294
+fbf28859d916351
+EvaluationElement = 030166371cf827cb2fb9b581f97907121a16e2dc5d8b10ce
+9f0ede7f7d76a0d047657735e8ad07bcda824907b3e5479bd72cdef6b839b967ba5c
+58b118b84d26f2ba07
+Output = 26232de6fff83f812adadadb6cc05d7bbeee5dca043dbb16b03488abb99
+81d0a1ef4351fad52dbd7e759649af393348f7b9717566c19a6b8856284d69375c80
+9
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -824,30 +823,29 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02000e860d3b8205e0cb4f289771c8e6189b47c60cbff24459e
-12a60317ac242e9cb36ab033a620cdee5628ecae4a81303e7464d52194d801756911
-fd7ddfa5430e69c
-EvaluationElement = 0300e2663f17144682b25de378531abd6d065b770eec073a
-42494719f27748f75b4ab11aecb06bf8815bcc9eeb3ce54978605bd8a54c22a1dea6
-2da1ae5f9f5e5e90f4
-Output = 287712c6dbed773f39925fec0ad686dfda4a679cc7e88fa60ba9d3a7d71
-2a11d4a0445995391ba56cfb018922e0d4bb4b25ec0965a33170c9b00f45c361b021
-5
+BlindedElement = 0300c28e57e74361d87e0c1874e5f7cc1cc796d61f9cad50427
+cf54655cdb455613368d42b27f94bf66f59f53c816db3e95e68e1b113443d66a99b3
+693bab88afb556b
+EvaluationElement = 0301ad453607e12d0cc11a3359332a40c3a254eaa1afc642
+96528d55bed07ba322e72e22cf3bcb50570fd913cb54f7f09c17aff8787af75f6a7f
+af5640cbb2d9620a6e
+Output = ad1f76ef939042175e007738906ac0336bbd1d51e287ebaa66901abdd32
+4ea3ffa40bfc5a68e7939c2845e0fd37a5a6e76dadb9907c6cc8579629757fd4d04b
+a
 ~~~
 
 ### VOPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 00fb5507f94782c5b72acc16b9eb21064f86b4aa525b9865258d157b0431a
-b5c3515fc975fa19ddb28129c969992b31d8946c4e354bc49458bb25fae58f10ac3f
-678
-pkSm = 0301322c63ad53e079791739169e011f362f4396a8e93fceeee9cd814d471
-80e75ffd717820fe9e9c763fa595340cd80989c31fbd0200572080752c73b80b7532
-2f300
+skSm = 015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f2
+2803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9
+238
+pkSm = 0301505d646f6e4c9102451eb39730c4ba1c4087618641edbdba4a60896b0
+7fd0c9414ce553cbf25b81dfcca50a8f6724ab7a2bc4d0cf736967a287bb6084cc06
+78ac0
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -857,22 +855,22 @@ Input = 00
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02016dafe8eee47b591592705ce4d5231563b637e5a51b425b8
-81f1cc576c53caae4ec59fd6e3a918d5c35e6db77cf3a5862b71a8b6c7eaded3ebdf
-0c6e14778c03a8c
-EvaluationElement = 020124a0ee09ade261bbf67e1e3d296655c97e6c5c14c71a
-386e636d8f55d29f5f6dcec954ff28bfc7e6e63240a52bf278ae94b312be3d8bf850
-55d2a1dbab687905b0
-Proof = 00156561564a9128de6e2fb92d0ee065bb19192ff86549c37fab777f2d57
-a951ff94b3832162cf02ad73287a0f0906045878105d8ab54a7cc9a1a0039d0cb241
-ebd10197e5cef77e8fbe0414f86b86fe2e823e0d8dbdcf2ccac54d273e814da062ba
-941a27d1e7e28c44cdbdaffe392cc915bf8b9add15d51b68afd6e88a52d07ff8b3d1
+BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
+7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
+5b4b3628a4f6380
+EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
+204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
+bca0f8ca003eefb045
+Proof = 0077fcc8ec6d059d7759b0a61f871e7c1dadc65333502e09a51994328f79
+e5bda3357b9a4f410a1760a3612c2f8f27cb7cb032951c047cc66da60da583df7b24
+7edd0188e5eb99c71799af1d80d643af16ffa1545acd9e9233fbb370455b10eb257e
+a12a1667c1b4ee5b0ab7c93d50ae89602006960f083ca9adc4f6276c0ad60440393c
 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 16a9387153bf7fa2c733d42f299877324cfce3b39093e72067c3d59948b
-f745d77b2fe9180ffb442ec45b575eb4108d2b6f207cbfabd7bc540ad2a087cfabca
-2
+Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
+a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
+b
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -882,22 +880,22 @@ Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 02008f585341e32244d67033ddcf4c1cc30f7661c4cfc177f09
-82c69bf9c90e1da02d86a26ece60b8c42b278a1dc85afcc9cbc6aedff15cc092af03
-5100b915c2bb4df
-EvaluationElement = 03006cfeb22e141859e6a2050a714bde8ab8109abb2b42bc
-8f18ace67121c1811c9e95e7cf8ffd4f13f8cee80fc3c69318b0eb30ecdf6e7d7e84
-faefa6f0b8299217fe
-Proof = 01db7070ab756e8c2b12cb81c40daac6ef1d5137be3626a10ee867b0b736
-ae5ab05aadbc3ee3d1d0202b7687e1614765893cba67b307c67a8a4ce7b3eaf3ba64
-204901ce6f8dc9234d27373b1027982d7e3bb196d157403f50c2f1bf0fa701753ef6
-3d7265c0b1016e662456d4bdea55b3d983350b2c2ce80e192897161a1b780046b952
+BlindedElement = 03005b05e656cb609ce5ff5faf063bb746d662d67bbd07c0626
+38396f52f0392180cf2365cabb0ece8e19048961d35eeae5d5fa872328dce98df076
+ee154dd191c615e
+EvaluationElement = 0301b19fcf482b1fff04754e282292ed736c5f0aa080d4f4
+2663cd3a416c6596f03129e8e096d8671fe5b0d19838312c511d2ce08d431e43e3ef
+06199d8cab7426238d
+Proof = 01ec9fece444caa6a57032e8963df0e945286f88fbdf233fb5101f0924f7
+ea89c47023f5f72f240e61991fd33a299b5b38c45a5e2dd1a67b072e59dfe86708a3
+59c701e38d383c60cf6969463bcf13251bedad47b7941f52e409a3591398e2792441
+0b18a301c0e19f527cad504fa08388050ac634e1b05c5216d337742f2754e1fc502f
 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 0163635204be5347419796f3564b36d6e89c9170e4fcca5b6df79d3f676
-f641b2ae3ae1a64cc49f3d788e276abe14e3c38bb2f92fdba0b45ed122a6930e7d96
-1
+Output = fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b
+54b6604d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf47
+4
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -909,42 +907,41 @@ Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
 39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
 1
-BlindedElement = 02016dafe8eee47b591592705ce4d5231563b637e5a51b425b8
-81f1cc576c53caae4ec59fd6e3a918d5c35e6db77cf3a5862b71a8b6c7eaded3ebdf
-0c6e14778c03a8c,03005467c05309dd2b9ef584dd33ae30e93ae5508f2ceda71497
-63b4b44fe797f7d0f4c7441298a0ed821ede9ebdc8c0215f96db57c64feb734a145f
-00d00f0f222db1
-EvaluationElement = 020124a0ee09ade261bbf67e1e3d296655c97e6c5c14c71a
-386e636d8f55d29f5f6dcec954ff28bfc7e6e63240a52bf278ae94b312be3d8bf850
-55d2a1dbab687905b0,0300fdf99a9eb28097074daf75ba9fe16868690b16165f58f
-9c4fa266d5fffa5a87026a98ac3b0ca6dc7e42f49140a004c325646aec5ddc778db7
-08748cc2f632ed937
-Proof = 01935896f4c03ea5257d6471677f191ea7dfc777cc1e15f82e423cf1948c
-440ee56a1c5a8627aad8da8e507a7f382b45255e55a1f1afc99c6b14237ce7cf0855
-40fa000fe413be351bd11ac910b1d4af34d2c97c7b7a53438340dd659272f3d86470
-35b13cd8072903b9a3adf8e89bfb1f77d732fa224f32674506e3e88e29ce182186e3
+BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
+7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
+5b4b3628a4f6380,0301403b597538b939b450c93586ba275f9711ba07e42364bac1
+d5769c6824a8b55be6f9a536df46d952b11ab2188363b3d6737635d9543d4dba14a6
+e19421b9245bf5
+EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
+204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
+bca0f8ca003eefb045,03001f96424497e38c46c904978c2fa1636c5c3dd2e634a85
+d8a7265977c5dce1f02c7e6c118479f0751767b91a39cce6561998258591b5d7c1bb
+02445a9e08e4f3e8d
+Proof = 00b4d215c8405e57c7a4b53398caf55f1f1623aaeb22408ddb9ea2913090
+9b3f95dbb1ff366e81e86e918f9f2fd8b80dbb344cd498c9499d112905e585417e00
+68c600fe5dea18b389ef6c4cc062935607b8ccbbb9a84fba3143868a3e8a58efa0bf
+6ca642804d09dc06e980f64837811227c4267b217f1099a4e28b0854f4e5ee659796
 ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
 27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
 51943c8026877963
-Output = 16a9387153bf7fa2c733d42f299877324cfce3b39093e72067c3d59948b
-f745d77b2fe9180ffb442ec45b575eb4108d2b6f207cbfabd7bc540ad2a087cfabca
-2,0163635204be5347419796f3564b36d6e89c9170e4fcca5b6df79d3f676f641b2a
-e3ae1a64cc49f3d788e276abe14e3c38bb2f92fdba0b45ed122a6930e7d961
+Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
+a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
+b,fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b54b6604
+d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf474
 ~~~
 
 ### POPRF Mode
 
 ~~~
 Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
-3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
 3a3
 KeyInfo = 74657374206b6579
-skSm = 01e0993daeb97f8fc8176089e4e6adb4c03dc9b18daf7e976ed7fa6f3cb89
-c40c6a84156f20371ef23bfe6e049423244d7d746c79ad380ac7fe285aba162419e9
-012
-pkSm = 0301264d23f5d1d615f9747d2a7177a419dabde6ca0f5a047979dbe9bce33
-7241b7d2959025476f354c4f57017363d667b83b691fad8c172959963e6000de9533
-f187a
+skSm = 014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c442
+7d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7
+b27
+pkSm = 0301de8ceb9ffe9237b1bba87c320ea0bebcfc3447fe6f278065c6c69886d
+692d1126b79b6844f829940ace9b52a5e26882cf7cbc9e57503d4cca3cd834584729
+f812a
 ~~~
 
 #### Test Vector 1, Batch Size 1
@@ -955,22 +952,22 @@ Info = 7465737420696e666f
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 0200e36b187060fef4f4cfef21cdb4ef8b5793a1bf44da95229
-062303688d4cf6a50c16b7c943c79d91357223b56866351a17a9c7f49730fd28add9
-301d399c0cf206c
-EvaluationElement = 03014e216c05cf1d108829946891cc44693b0a411851a03f
-c439130054d920eb8ad596a4dfa5314f68d298a094777855aa55c98480575a3816cf
-ac52f838693e0e7fe5
-Proof = 00c5a46ff1e7d8cd2711daf8ec8752451c4c7ed815f3e8d51db64f1eed83
-a7cc33f0f99ce067676c478bd616a9ef6377994e4bd69051424a576a4e26f0ec7ed8
-1fd000b7ae1eaee9e5b6991afdbb2c9c29a04e2ab3a2066df89308410a59267a60a2
-2a47666de009646c78e9094c9f4de177a620e97f63e35ada0c8b438b4605248c9087
+BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
+82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
+d5ebb2238f2f0e2
+EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
+62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
+f77aa1327253f26d01
+Proof = 0106a89a61eee9dd2417d2849a8e2167bc5f56e3aed5a3ff23e22511fa1b
+37a29ed44d1bbfd6907d99cfbc558a56aec709282415a864a281e49dc53792a4a638
+a0660034306d64be12a94dcea5a6d664cf76681911c8b9a84d49bf12d4893307ec14
+436bd05f791f82446c0de4be6c582d373627b51886f76c4788256e3da7ec8fa18a86
 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 3be90ca19fbe2fc250de62792c7cf4b6b5555c8655fce1694fc7563d5d4
-c5001efd1e91fbbaea31d75e33dbdefe57420c395f1ac805cc0095c4d81a0beddcb0
-1
+Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
+82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
+b
 ~~~
 
 #### Test Vector 2, Batch Size 1
@@ -981,22 +978,22 @@ Info = 7465737420696e666f
 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
 d364
-BlindedElement = 0300357933cc17cdcce862b794a4161d8eb10d23009695639e3
-fdc8dffc235e19e92e0a3d3c7c6249dd9dcd02da0a8f061d89b6809d3292951ee0e9
-ead21a62d1335fe
-EvaluationElement = 0300a5132ae9c429dd33b25c051f45451c6e54e154d698c3
-f3d8820bd9607e7a65762911c647b3460be166f37ba443bf000b23552298f14e0555
-b3f0ddf0e900e1d38c
-Proof = 0004f0791cbe6ac6f4074834e172beedea19ecd3a2c504a71fd870b42314
-d3b072633a8265c774668274dcbcaebf1726768fab4edec69a33a7d37095ebef3e1b
-b44900f0a175b56ceeae8a87bc5553405e0b030ebcf8303befc5890c8afa1e61fd41
-66480ff428eae4193f12bbf1fc31d5d7196ce8692e37bc9a63cdf4c9fafe10a2dc9a
+BlindedElement = 030112ea89cf9cf589496189eafc5f9eb13c9f9e170d6ecde7c
+5b940541cb1a9c5cfeec908b67efe16b81ca00d0ce216e34b3d5f46a658d3fd8573d
+671bdb6515ed508
+EvaluationElement = 0200ebc49df1e6fa61f412e6c391e6f074400ecdd2f56c4a
+8c03fe0f91d9b551f40d4b5258fd891952e8c9b28003bcfa365122e54a5714c8949d
+5d202767b31b4bf1f6
+Proof = 0082162c71a7765005cae202d4bd14b84dae63c29067e886b82506992bd9
+94a1c3aac0c1c5309222fe1af8287b6443ed6df5c2e0b0991faddd3564c73c7597ae
+cd9a003b1f1e3c65f28e58ab4e767cfb4adbcaf512441645f4c2aed8bf67d132d966
+006d35fa71a34145414bf3572c1de1a46c266a344dd9e22e7fb1e90ffba1caf556d9
 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
 e45c405d1348b7b1
-Output = 1d90446522e3c131e90be2e4f372959ae5ab4f25ca98e83e5e62d6336c4
-8b5ec22fc6083d2b050cad2bbc22ae7115c2b934d965ffe74aaa43c905cd2af76728
-d
+Output = 27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af
+5762c3638afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e
+3
 ~~~
 
 #### Test Vector 3, Batch Size 2
@@ -1009,26 +1006,26 @@ Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
 d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
 39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
 1
-BlindedElement = 0200e36b187060fef4f4cfef21cdb4ef8b5793a1bf44da95229
-062303688d4cf6a50c16b7c943c79d91357223b56866351a17a9c7f49730fd28add9
-301d399c0cf206c,03007530916e8ec76199429667a82ca4df65b913d8b1fb157319
-e73706f118b4f46047c01b7da024bdf5a06f2f4e879b1a1cd3fcb1ca2c37ce158cc8
-625e76b3bb1cc4
-EvaluationElement = 03014e216c05cf1d108829946891cc44693b0a411851a03f
-c439130054d920eb8ad596a4dfa5314f68d298a094777855aa55c98480575a3816cf
-ac52f838693e0e7fe5,0200005cf5e719b3066dcf0fbd6228bc921cebccc49feb1ac
-be9d9c4c88f4169e1d0d5408f92ad9f599c2f5f6d7d4c6e575e86f64c4eead2bb9b3
-e8e04d141a90b7382
-Proof = 00d846f4a2a7722fe6a24e7257e43d88c3e01977282fba352c08fd38b69b
-f1df64f90660b03b73abba50cb389af3d602da66411401d3c9f87bcb6363d6406e0a
-cad3018a44bcda83524d4a48f0ed96ebca96d7626b634ba28fcba0c21956fc90c516
-859df8ba6edeb7a44daeeec51c3a56b79c1f9e211e9974e5f293ade221523953d12f
+BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
+82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
+d5ebb2238f2f0e2,0201a328cf9f3fdeb86b6db242dd4cbb436b3a488b70b72d2fbb
+d1e5f50d7b0878b157d6f278c6a95c488f3ad52d6898a421658a82fe7ceb000b01ae
+dea7967522d525
+EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
+62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
+f77aa1327253f26d01,020062ab51ac3aa829e0f5b7ae50688bcf5f63a18a83a6e0d
+a538666b8d50c7ea2b4ef31f4ac669302318dbebe46660acdda695da30c22cee7ca2
+1f6984a720504502e
+Proof = 00731738844f739bca0cca9d1c8bea204bed4fd00285785738b985763741
+de5cdfa275152d52b6a2fdf7792ef3779f39ba34581e56d62f78ecad5b7f8083f384
+961501cd4b43713253c022692669cf076b1d382ecd8293c1de69ea569737f37a2477
+2ab73517983c1e3db5818754ba1f008076267b8058b6481949ae346cdc17a8455fe2
 ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
 27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
 51943c8026877963
-Output = 3be90ca19fbe2fc250de62792c7cf4b6b5555c8655fce1694fc7563d5d4
-c5001efd1e91fbbaea31d75e33dbdefe57420c395f1ac805cc0095c4d81a0beddcb0
-1,1d90446522e3c131e90be2e4f372959ae5ab4f25ca98e83e5e62d6336c48b5ec22
-fc6083d2b050cad2bbc22ae7115c2b934d965ffe74aaa43c905cd2af76728d
+Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
+82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
+b,27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af5762c36
+38afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e3
 ~~~
 "#;
diff --git a/src/tests/parser.rs b/src/tests/parser.rs
index 8cebec8..b9ee7df 100644
--- a/src/tests/parser.rs
+++ b/src/tests/parser.rs
@@ -14,7 +14,7 @@ pub(crate) fn rfc_to_json(input: &str) -> String {
 }
 
 fn parse_ciphersuites(input: &str) -> String {
-    let re = regex::Regex::new(r"## OPRF\((?P<ciphersuite>.+?)\)").unwrap();
+    let re = regex::Regex::new(r"\n## (?P<ciphersuite>.+?)\n").unwrap();
     let mut ciphersuites = vec![];
 
     let chunks: Vec<&str> = re.split(input).collect();
diff --git a/src/tests/test_cfrg_vectors.rs b/src/tests/test_cfrg_vectors.rs
index 6c21ca0..f16152b 100644
--- a/src/tests/test_cfrg_vectors.rs
+++ b/src/tests/test_cfrg_vectors.rs
@@ -97,7 +97,7 @@ fn test_vectors() -> Result<()> {
 
         let ristretto_oprf_tvs = json_to_test_vectors!(
             rfc,
-            String::from("ristretto255, SHA-512"),
+            String::from("ristretto255-SHA512"),
             String::from("OPRF")
         );
         assert_ne!(ristretto_oprf_tvs.len(), 0);
@@ -109,7 +109,7 @@ fn test_vectors() -> Result<()> {
 
         let ristretto_voprf_tvs = json_to_test_vectors!(
             rfc,
-            String::from("ristretto255, SHA-512"),
+            String::from("ristretto255-SHA512"),
             String::from("VOPRF")
         );
         assert_ne!(ristretto_voprf_tvs.len(), 0);
@@ -121,7 +121,7 @@ fn test_vectors() -> Result<()> {
 
         let ristretto_poprf_tvs = json_to_test_vectors!(
             rfc,
-            String::from("ristretto255, SHA-512"),
+            String::from("ristretto255-SHA512"),
             String::from("POPRF")
         );
         assert_ne!(ristretto_poprf_tvs.len(), 0);
@@ -133,7 +133,7 @@ fn test_vectors() -> Result<()> {
     }
 
     let p256_oprf_tvs =
-        json_to_test_vectors!(rfc, String::from("P-256, SHA-256"), String::from("OPRF"));
+        json_to_test_vectors!(rfc, String::from("P256-SHA256"), String::from("OPRF"));
     assert_ne!(p256_oprf_tvs.len(), 0);
     test_oprf_seed_to_key::<NistP256>(&p256_oprf_tvs)?;
     test_oprf_blind::<NistP256>(&p256_oprf_tvs)?;
@@ -142,7 +142,7 @@ fn test_vectors() -> Result<()> {
     test_oprf_evaluate::<NistP256>(&p256_oprf_tvs)?;
 
     let p256_voprf_tvs =
-        json_to_test_vectors!(rfc, String::from("P-256, SHA-256"), String::from("VOPRF"));
+        json_to_test_vectors!(rfc, String::from("P256-SHA256"), String::from("VOPRF"));
     assert_ne!(p256_voprf_tvs.len(), 0);
     test_voprf_seed_to_key::<NistP256>(&p256_voprf_tvs)?;
     test_voprf_blind::<NistP256>(&p256_voprf_tvs)?;
@@ -151,7 +151,7 @@ fn test_vectors() -> Result<()> {
     test_voprf_evaluate::<NistP256>(&p256_voprf_tvs)?;
 
     let p256_poprf_tvs =
-        json_to_test_vectors!(rfc, String::from("P-256, SHA-256"), String::from("POPRF"));
+        json_to_test_vectors!(rfc, String::from("P256-SHA256"), String::from("POPRF"));
     assert_ne!(p256_poprf_tvs.len(), 0);
     test_poprf_seed_to_key::<NistP256>(&p256_poprf_tvs)?;
     test_poprf_blind::<NistP256>(&p256_poprf_tvs)?;
diff --git a/src/voprf.rs b/src/voprf.rs
index 4df3b05..bdf5de6 100644
--- a/src/voprf.rs
+++ b/src/voprf.rs
@@ -587,13 +587,12 @@ mod tests {
 
     use ::alloc::vec;
     use ::alloc::vec::Vec;
-    use generic_array::sequence::Concat;
     use generic_array::typenum::Sum;
     use generic_array::ArrayLength;
     use rand::rngs::OsRng;
 
     use super::*;
-    use crate::common::{create_context_string, STR_HASH_TO_GROUP};
+    use crate::common::{Dst, STR_HASH_TO_GROUP};
     use crate::Group;
 
     fn prf<CS: CipherSuite>(
@@ -605,8 +604,8 @@ mod tests {
         <CS::Hash as OutputSizeUser>::OutputSize:
             IsLess<U256> + IsLessOrEqual<<CS::Hash as BlockSizeUser>::BlockSize>,
     {
-        let dst = GenericArray::from(STR_HASH_TO_GROUP).concat(create_context_string::<CS>(mode));
-        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst).unwrap();
+        let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, mode);
+        let point = CS::Group::hash_to_curve::<CS::Hash>(&[input], &dst.as_dst()).unwrap();
 
         let res = point * &key;
 
@@ -718,10 +717,9 @@ mod tests {
             .unwrap();
         let messages: Vec<_> = messages.collect();
         let wrong_pk = {
-            let dst = GenericArray::from(STR_HASH_TO_GROUP)
-                .concat(create_context_string::<CS>(Mode::Oprf));
+            let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, Mode::Oprf);
             // Choose a group element that is unlikely to be the right public key
-            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst).unwrap()
+            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst.as_dst()).unwrap()
         };
         let client_finalize_result =
             VoprfClient::batch_finalize(&inputs, &client_states, &messages, &proof, wrong_pk);
@@ -739,10 +737,9 @@ mod tests {
         let server = VoprfServer::<CS>::new(&mut rng).unwrap();
         let server_result = server.blind_evaluate(&mut rng, &client_blind_result.message);
         let wrong_pk = {
-            let dst = GenericArray::from(STR_HASH_TO_GROUP)
-                .concat(create_context_string::<CS>(Mode::Oprf));
+            let dst = Dst::new::<CS, _, _>(STR_HASH_TO_GROUP, Mode::Oprf);
             // Choose a group element that is unlikely to be the right public key
-            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst).unwrap()
+            CS::Group::hash_to_curve::<CS::Hash>(&[b"msg"], &dst.as_dst()).unwrap()
         };
         let client_finalize_result = client_blind_result.state.finalize(
             input,