Open cronokirby opened 1 year ago
See https://github.com/cronokirby/cait-sith/blob/e08a60f7601cc8d20ad78973e13ff1b7318f453b/src/triples/random_ot_extension.rs#L23C1-L43 for where this happens.
Using a constant-time hash is necessary here, because we don't want to leak information about the values being hashed.
Seems like there's not really a generic way in Rust-Crypto elliptic curves to do wide reduction, outside of hash2curve, which isn't implemented for the Secp256k1 curve in the k256 crate. Sigh.