Closed reyzin closed 7 years ago
Also, see https://github.com/fcelda/nsec5-draft/commit/f277c06f26ec579dcaaf480700b7bd56f3d75ce8 which modifies the way we do ECVRF_proof2hash to make sure that an EC point gamma (which is not necessarily in G) is mapped to G by raising it to the cofactor.
I think we can close this now. Note however that the change does require some implementations to be updated. We should update the implementers.
The curve may have more points than q, in which case G is not the whole curve, but only a subgroup of it. This is not the case for the NIST prime-field curves, but is for some other curves (e.g., 25519, NIST binary-field curves). ECVRF_hash_to_curve will not work in that case, because it will get a point on the curve, but not in the group G. Multiplying by the cofactor should solve the problem.
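The cofactor problem described above, as an added illustration that is not code from the nsec5-draft repository: a minimal, unoptimised edwards25519 model (cofactor 8) in which a try-and-increment hash-to-curve returns points that are on the curve but usually outside the prime-order group G, and multiplying by the cofactor brings them into G. The curve constants are the standard edwards25519 ones; the SHA-256-plus-counter hashing is a constructed stand-in for ECVRF_hash_to_curve, not the draft's own procedure.

```python
import hashlib

P = 2**255 - 19                                      # field prime of edwards25519
Q = 2**252 + 27742317777372353535851937790883648493   # prime order of G
D = (-121665 * pow(121666, P - 2, P)) % P            # curve constant d
COFACTOR = 8
IDENTITY = (0, 1)

def add(a, b):
    # Complete affine addition law for -x^2 + y^2 = 1 + d*x^2*y^2.
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P)
    return (x3 % P, y3 % P)

def mul(k, pt):
    # Double-and-add scalar multiplication (not constant time; demo only).
    r = IDENTITY
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def decompress(y):
    # Recover an x for this y (p = 5 mod 8 square root), or None if no point has this y.
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (x, y) if (x * x - x2) % P == 0 else None

def in_group(pt):
    # A curve point lies in the prime-order group G iff Q * pt is the identity.
    return mul(Q, pt) == IDENTITY

def hash_to_curve(alpha: bytes):
    # Constructed try-and-increment stand-in for ECVRF_hash_to_curve; returns a curve point, not necessarily one in G.
    for ctr in range(256):
        h = hashlib.sha256(alpha + bytes([ctr])).digest()
        pt = decompress(int.from_bytes(h, "little") % P)
        if pt is not None:
            return pt
    raise ValueError("no curve point found")

def clear_cofactor(pt):
    # Multiplying by the cofactor maps any curve point into G (the fix discussed in this issue).
    return mul(COFACTOR, pt)
```

On a cofactor-1 curve such as NIST P-256 every curve point is already in G and this step is a no-op, which is why the problem only surfaces on curves like 25519.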