The goal with right shifting hash is to make it fit into Bn254 curve order. The curve order is of 254 bits ($log_2(p) = 253.59..$). So shifting by 3 bits is fine.
As discussed with @cedoor, there might be some other considerations like ease of shifting a byte in TS code. Practically, shifting by 8 bits is also secure enough. This issue is for reference and anyone else to chime in with their thoughts.
0xbok
commented
4 months ago
The goal with right shifting hash is to make it fit into Bn254 curve order. The curve order is of 254 bits ($log_2(p) = 253.59..$). So shifting by 3 bits is fine.
https://github.com/semaphore-protocol/semaphore/blob/a522fff4483e0409afbeb7ae85de24f4506c9ec0/packages/contracts/contracts/Semaphore.sol#L192
As discussed with @cedoor, there might be some other considerations like ease of shifting a byte in TS code. Practically, shifting by 8 bits is also secure enough. This issue is for reference and anyone else to chime in with their thoughts.