diff --git a/Cargo.lock b/Cargo.lock
index 39e8deab..ba3aa9b2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -911,7 +911,9 @@ dependencies = [
  "digest 0.10.6",
  "elliptic-curve",
  "ff",
+ "ff-group-tests",
  "group",
+ "hex",
  "k256",
  "minimal-ed448",
  "p256",
@@ -4584,7 +4586,6 @@ dependencies = [
  "generic-array 0.14.6",
  "group",
  "hex",
- "hex-literal",
  "lazy_static",
  "rand_core 0.6.4",
  "subtle",
diff --git a/crypto/ciphersuite/Cargo.toml b/crypto/ciphersuite/Cargo.toml
index 54176d17..f3f12f78 100644
--- a/crypto/ciphersuite/Cargo.toml
+++ b/crypto/ciphersuite/Cargo.toml
@@ -34,6 +34,8 @@ k256 = { version = "0.11", features = ["arithmetic", "bits", "hash2curve"], opti
 minimal-ed448 = { path = "../ed448", version = "^0.1.2", optional = true }
 
 [dev-dependencies]
+hex = "0.4"
+
 ff-group-tests = { version = "0.12", path = "../ff-group-tests" }
 
 [features]
diff --git a/crypto/ciphersuite/README.md b/crypto/ciphersuite/README.md
index a5c28dd3..175987d0 100644
--- a/crypto/ciphersuite/README.md
+++ b/crypto/ciphersuite/README.md
@@ -1,4 +1,4 @@
-# Ciphersuite
+c# Ciphersuite
 
 Ciphersuites for elliptic curves premised on ff/group.
 
@@ -19,17 +19,17 @@ Ed25519/Ristretto are offered via
 around [curve25519-dalek](https://crates.io/crates/curve25519-dalek).
 
 Their `hash_to_F` is the wide reduction of SHA2-512, as used in
-[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
+[RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). This is also compliant with
 the draft
-[RFC RISTRETTO](https://www.ietf.org/archive/id/draft-rtf-cfrg-ristretto255-decaf448-05.html).
+[RFC-RISTRETTO](https://www.ietf.org/archive/id/draft-irtf-cfrg-ristretto255-decaf448-05.html).
 The domain-separation tag is naively prefixed to the message.
 
 ### Ed448
 
 Ed448 is offered via [minimal-ed448](https://crates.io/crates/minimal-ed448), an
-explicitly not recommended Ed448 implementation, limited to its prime-order
-subgroup.
+explicitly not recommended, unaudited Ed448 implementation, limited to its
+prime-order subgroup.
 
 Its `hash_to_F` is the wide reduction of SHAKE256, with a 114-byte output, as
-used in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032). The
+used in [RFC-8032](https://www.rfc-editor.org/rfc/rfc8032). The
 domain-separation tag is naively prefixed to the message.
diff --git a/crypto/ciphersuite/src/dalek.rs b/crypto/ciphersuite/src/dalek.rs
index e94837d1..ee49459f 100644
--- a/crypto/ciphersuite/src/dalek.rs
+++ b/crypto/ciphersuite/src/dalek.rs
@@ -43,6 +43,21 @@ dalek_curve!("ristretto", Ristretto, RistrettoPoint, b"ristretto");
 #[test]
 fn test_ristretto() {
   ff_group_tests::group::test_prime_group_bits::<RistrettoPoint>();
+
+  assert_eq!(
+    Ristretto::hash_to_F(
+      b"FROST-RISTRETTO255-SHA512-v11nonce",
+      &hex::decode(
+        "\
+81800157bb554f299fe0b6bd658e4c4591d74168b5177bf55e8dceed59dc80c7\
+5c3430d391552f6e60ecdc093ff9f6f4488756aa6cebdbad75a768010b8f830e"
+      )
+      .unwrap()
+    )
+    .to_bytes()
+    .as_ref(),
+    &hex::decode("40f58e8df202b21c94f826e76e4647efdb0ea3ca7ae7e3689bc0cbe2e2f6660c").unwrap()
+  );
 }
 
 #[cfg(feature = "ed25519")]
@@ -51,4 +66,21 @@ dalek_curve!("ed25519", Ed25519, EdwardsPoint, b"edwards25519");
 #[test]
 fn test_ed25519() {
   ff_group_tests::group::test_prime_group_bits::<EdwardsPoint>();
+
+  // Ideally, a test vector from RFC-8032 (not FROST) would be here
+  // Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges
+  assert_eq!(
+    Ed25519::hash_to_F(
+      b"FROST-ED25519-SHA512-v11nonce",
+      &hex::decode(
+        "\
+9d06a6381c7a4493929761a73692776772b274236fb5cfcc7d1b48ac3a9c249f\
+929dcc590407aae7d388761cddb0c0db6f5627aea8e217f4a033f2ec83d93509"
+      )
+      .unwrap()
+    )
+    .to_bytes()
+    .as_ref(),
+    &hex::decode("70652da3e8d7533a0e4b9e9104f01b48c396b5b553717784ed8d05c6a36b9609").unwrap()
+  );
 }
diff --git a/crypto/ciphersuite/src/ed448.rs b/crypto/ciphersuite/src/ed448.rs
index 9300a4b7..30301ec9 100644
--- a/crypto/ciphersuite/src/ed448.rs
+++ b/crypto/ciphersuite/src/ed448.rs
@@ -68,6 +68,35 @@ impl Ciphersuite for Ed448 {
 
 #[test]
 fn test_ed448() {
+  use ff::PrimeField;
+
   // TODO: Enable once ed448 passes these tests
   //ff_group_tests::group::test_prime_group_bits::<Point>();
+
+  // Ideally, a test vector from RFC-8032 (not FROST) would be here
+  // Unfortunately, the IETF draft doesn't provide any vectors for the derived challenges
+  assert_eq!(
+    Ed448::hash_to_F(
+      b"FROST-ED448-SHAKE256-v11nonce",
+      &hex::decode(
+        "\
+89bf16040081ff2990336b200613787937ebe1f024b8cdff90eb6f1c741d91c1\
+4a2b2f5858a932ad3d3b18bd16e76ced3070d72fd79ae4402df201f5\
+25e754716a1bc1b87a502297f2a99d89ea054e0018eb55d39562fd01\
+00"
+      )
+      .unwrap()
+    )
+    .to_repr()
+    .iter()
+    .cloned()
+    .collect::<Vec<_>>(),
+    hex::decode(
+      "\
+67a6f023e77361707c6e894c625e809e80f33fdb310810053ae29e28\
+e7011f3193b9020e73c183a98cc3a519160ed759376dd92c94831622\
+00"
+    )
+    .unwrap()
+  );
 }
diff --git a/crypto/ciphersuite/src/kp256.rs b/crypto/ciphersuite/src/kp256.rs
index 41a7c16a..1de4e652 100644
--- a/crypto/ciphersuite/src/kp256.rs
+++ b/crypto/ciphersuite/src/kp256.rs
@@ -65,18 +65,54 @@ macro_rules! kp_curve {
   };
 }
 
-#[cfg(feature = "p256")]
-kp_curve!("p256", p256, P256, b"P-256");
-#[cfg(feature = "p256")]
-#[test]
-fn test_p256() {
-  ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
-}
-
 #[cfg(feature = "secp256k1")]
 kp_curve!("secp256k1", k256, Secp256k1, b"secp256k1");
 #[cfg(feature = "secp256k1")]
 #[test]
 fn test_secp256k1() {
   ff_group_tests::group::test_prime_group_bits::<k256::ProjectivePoint>();
+
+  // Ideally, a test vector from hash to field (not FROST) would be here
+  // Unfortunately, the IETF draft only provides vectors for field elements, not scalars
+  assert_eq!(
+    Secp256k1::hash_to_F(
+      b"FROST-secp256k1-SHA256-v11nonce",
+      &hex::decode(
+        "\
+80cbea5e405d169999d8c4b30b755fedb26ab07ec8198cda4873ed8ce5e16773\
+08f89ffe80ac94dcb920c26f3f46140bfc7f95b493f8310f5fc1ea2b01f4254c"
+      )
+      .unwrap()
+    )
+    .to_repr()
+    .iter()
+    .cloned()
+    .collect::<Vec<_>>(),
+    hex::decode("acc83278035223c1ba464e2d11bfacfc872b2b23e1041cf5f6130da21e4d8068").unwrap()
+  );
+}
+
+#[cfg(feature = "p256")]
+kp_curve!("p256", p256, P256, b"P-256");
+#[cfg(feature = "p256")]
+#[test]
+fn test_p256() {
+  ff_group_tests::group::test_prime_group_bits::<p256::ProjectivePoint>();
+
+  assert_eq!(
+    P256::hash_to_F(
+      b"FROST-P256-SHA256-v11nonce",
+      &hex::decode(
+        "\
+f4e8cf80aec3f888d997900ac7e3e349944b5a6b47649fc32186d2f1238103c6\
+0c9c1a0fe806c184add50bbdcac913dda73e482daf95dcb9f35dbb0d8a9f7731"
+      )
+      .unwrap()
+    )
+    .to_repr()
+    .iter()
+    .cloned()
+    .collect::<Vec<_>>(),
+    hex::decode("f871dfcf6bcd199342651adc361b92c941cb6a0d8c8c1a3b91d79e2c1bf3722d").unwrap()
+  );
 }
diff --git a/crypto/ed448/Cargo.toml b/crypto/ed448/Cargo.toml
index 207d4bde..fe061fc6 100644
--- a/crypto/ed448/Cargo.toml
+++ b/crypto/ed448/Cargo.toml
@@ -30,7 +30,6 @@ crypto-bigint = { version = "0.4", features = ["zeroize"] }
 dalek-ff-group = { path = "../dalek-ff-group", version = "^0.1.2" }
 
 [dev-dependencies]
-hex-literal = "0.3"
 hex = "0.4"
 
 ff-group-tests = { path = "../ff-group-tests" }