Closed bytemare closed 3 years ago
claucece
commented
3 years ago I think 'hash_to_field' should work for this.
The hash_to_field function is also suitable for securely hashing to scalars. For example, when hashing to scalars for an elliptic curve (sub)group with prime order r, it suffices to instantiate hash_to_curve with target field GF(r).Sorry, my comment was going to be: not sure how different hash_to_scalar is from hash_to_field, as it seems like the last one is used for hashing to scalars.
bytemare
commented
3 years ago Indeed, you're right, I totally missed that paragraph. Thank you for spotting it!
I wasn't thinking of anything different between the two: HashToScalar() would simply be an API naming convenience. So there would be HashToCurve() for points, and HashToScalar() for scalars, instead of HashToField().
But maybe this is totally irrelevant and not in the scope of the document.
armfazh
commented
3 years ago We used hashToField because this is a generic function that can be instantiated in, for example, hashToScalar. However, other applications can also use hashToField for their own purposes.
bytemare
commented
3 years ago Yup, clear :) thank you both!
paulmillr
commented
1 year ago See caveat https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/issues/343#issuecomment-1442462295: hash_to_scalar produces 0..p-1 while scalars usually must be 1..p-1
Just like hash_to_curve, maybe a function for hashing to a scalar (e.g. "hash_to_scalar") could be defined, that would be an alias of hash_to_field.
https://github.com/armfazh/h2c-go-ref implements such a functions