feat: hash to curve

[mikelodder7]

Adds hash to curve according to draft v13.

For now is enabled with the hashing feature.

[newpavlov]

@tarcieri Maybe it's worth to incorporate this crate into elliptic-curve?

[tarcieri]

@mikelodder7 would you be interested in upstreaming hash2field somewhere, either elliptic-curve or possibly ff?

[mikelodder7]

Sure thing. Elliptic-curve probably makes more sense but I can be convinced otherwise

[tarcieri]

Sounds good!

If you're up for it, I think it might also be possible to extract a generic implementation of SSWU, although I'm fine with duplication for now and I can try to extract it as part of a follow-up:

#439 (comment)

You can use e.g. ff::{Field, PrimeField} as the bounds, and I can look into ensuring they're impl'd for the respective FieldElement types in k256 and p256.

[mikelodder7]

Yeah if ff::Field is impl'd then the dedup is easy from there. osswu will just have to take a set of params but otherwise, they'll be the same. Should osswu go upstream as well in elliptic-curve?

[tarcieri]

I think it'd be great if you can add a generic implementation, and in parallel I can work on trying to get the ff traits impl'd for the FieldElement types for k256 and p256.

[mikelodder7]

Cool. I'd extract the osswu method and hash2field crate to elliptic-curve.

[tarcieri]

Awesome!

[mikelodder7]

OSSWU upstreamed in PR 854

[daxpedda]

I tested this as part of opaque-ke and it works great so far, following requests:

• It would be amazing if the new hash_from_bytes and encode_from_bytes can be part of a trait specified in elliptic-curve.
• Currently everything is already in place to support hash_to_field(), which is the new FieldElement::encode() function. It would be great if this too can be exposed for Scalar, preferably through a trait specified in elliptic-curve too.

[tarcieri]

It seems like with #503 merged this can be closed?