why not use hkdf instead of expand_message

[stef]

i found this https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/issues/137 previous issue, and i'm confused was it already used for the expand message part, or was this something else?

[kwantam]

Thanks for the question! (FYI, we discussed this in #202.) The high-level summary is:

• efficiency on embedded systems, and
• paranoia about domain separation of the underlying hash functions.

Note that it may be possible to specify expand_message in terms of HKDF (though it would require some assumptions and/or care for domain separation) and, once that's done, build a suite on top of it.

[stef]

aah. thank you i did look for hkdf while searching the issues, but this issue i missed. my question is answered!