Implement the VRF for the private indices

[masomel]

Currently the server only hashes the username string. Need to implement the VUF (per the paper) and have the client verify it during lookups.

[wbl]

Do we want to use the pairing-based crypto approach on top of a vendored library? I think I can do that without too much trouble, and make a VUF library with a sane API (maybe not that Javaish).

[masomel]

Thanks for your suggestion! But the approach we prefer now is DL-based VRF. We describe a specific construction that @jcb82 designed specifically for CONIKS in Appendix A of our paper.

[liamsi]

In case you can consider using an existing implementation instead: Seems like @moxie and @trevp worked on a clean Java implementation (I'm not sure yet how much or if it differs from @jcb82's construction): https://github.com/WhisperSystems/curve25519-java/blob/f596383883d19304a91caeb723323c0892feda24/common/src/main/java/org/whispersystems/curve25519/Curve25519.java
It is specified here: https://whispersystems.org/docs/specifications/xeddsa/

[masomel]

I'll definitely look into this implementation, and maybe ask Joe if he's had a chance to review it, but it would be great if we could just import it.