Hash to Point on G2 in BN256 pairing

[rsinha]

Hi,

First of all, thank you for your work on this crypto library.

Is there a reason Hash (to group element) is only defined for group G1, but not for G2?
I have a use case where key derivation requires hashing on both elements.

[ineiti]

Can you please explain further? You might have misunderstood the difference between the suite and the Group:

• suite: defines a hash-function, XOF, random-source plus a group (or three in the case of bn256)
• group: more precisely a field and a group that define a cryptographic one-way function to be used in asymmetric crypto

So the hash to group element is Embed, and this is defined on G1, G2, and GT.

[rsinha]

Thanks for the clarification. I am referring to the definition of func (p *pointG1) Hash(m []byte) kyber.Point in pairing/bn256/point.go. I didn't find a similar definition for pointG2.

It also looks like Embed is currently unsupported for the groups in bn256.

[ineiti]

Oups - I didn't read two lines down "not implemented" - sorry. You're right, Hash is not implemented on G2.

@nikkolasg did the implementation of this code. Or perhaps @Daeinar can help here?

Can we just copy/paste the code from G1.Hash to G2.Hash?

[AkshayaMani]

We have created a pull request for hash to G2. The status can be found here: #428.

[K1li4nL]

Hello, thank you for your interest in kyber, with the existing attacks on BN curves, BN256 security dropped to around a 100bits and for this reason we won't be investing more effort into this curve.