In OPRF protocol client needs to deterministically map an array of bytes x to an element of Group, namely an elliptic curve point. I know that it's insecure to replace HashToCurve with scalar multiplication but in case of OPRF we use blinding after mapping, so it should be secure to send such blinded point to a server anyway, no? Asking because hashing to a curve is hard/not available inside a snark circuit
Asked
Active
Viewed 37 times
