Define hashing to scalar

[bytemare]

Just like hash_to_curve, maybe a function for hashing to a scalar (e.g. "hash_to_scalar") could be defined, that would be an alias of hash_to_field.

https://github.com/armfazh/h2c-go-ref implements such a functions

[claucece]

I think 'hash_to_field' should work for this.

The hash_to_field function is also suitable for securely hashing to scalars. For example, when hashing to scalars for an elliptic curve (sub)group with prime order r, it suffices to instantiate hash_to_curve with target field GF(r).

[claucece]

Sorry, my comment was going to be: not sure how different hash_to_scalar is from hash_to_field, as it seems like the last one is used for hashing to scalars.

[bytemare]

Indeed, you're right, I totally missed that paragraph. Thank you for spotting it!

I wasn't thinking of anything different between the two: HashToScalar() would simply be an API naming convenience. So there would be HashToCurve() for points, and HashToScalar() for scalars, instead of HashToField().

But maybe this is totally irrelevant and not in the scope of the document.

[armfazh]

We used hashToField because this is a generic function that can be instantiated in, for example, hashToScalar. However, other applications can also use hashToField for their own purposes.

[bytemare]

Yup, clear :) thank you both!

[paulmillr]

See caveat #343 (comment): hash_to_scalar produces 0..p-1 while scalars usually must be 1..p-1