decentralized-identity / bbs-signature

The BBS Signature Scheme
https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html
Apache License 2.0

Messages length #232

Closed BasileiosKal closed 1 year ago

BasileiosKal commented 1 year ago

Is there any actual reason to add the length of the messages in MapMessageToScalarAsHash?

It probably doesn’t hurt security even with weak hash functions (especially since the hash is modded); however, I don’t think it adds anything either. Most hash functions (e.g., SHA-2 and the Merkle–Damgård functions in general) encode the length of the message either way in the pad.

+ I don’t think we have to worry about length extension attacks, even if they were possible (which they are not).

tplooker commented 1 year ago

Discussed on the 12th of December WG call, related to #230. Rough consensus appeared to be that we could simplify this procedure and not even invoke encode_for_hash, instead taking msg and calling hash_to_scalar directly. We also discussed removing the length check and adding a note around DST lengths.

BasileiosKal commented 1 year ago

Discussed on the WG call on the 9th of January. Next step is to open a PR with the proposed approach to have a solid base for further discussion.