Is `ECP::mapit` a good random oracle?

[Aphoh]

Reading up on the ietf draft on hashing to curves, and I'm wondering if the current implementation in ECP::mapit does a good job of being a random oracle with respect to creating a uniform distribution on the curve. If not, I could give implementing one of the listed methods a crack.

[mcarrickscott]

For an example see the bls.rs file. The function bls_hash_to_point() implements the random oracle as specified in the hash_to_curve(msg) function in section 3 of the draft. The function bls_hash_to_point() calls ECP::map2point() which implements the constant time encoding of a field element to the curve - (not the ECP::mapit() function).

[Aphoh]

Ah I see. Other than the domain separation tag, is there anything bls-specific about that bls_hash_to_point method? I understand that bls IBE is the main use case for it, but it should still be safe to use the same method for any supported curve, no?

[mcarrickscott]

No, other than domain tag nothing BLS specific.

[Aphoh]

Excellent, thanks.