
I would like to know an algorithm to hash into a finite field.

I have an $l$-bit prime number $q$. I want to set up a hash function $H: \{0,1\}^* \to \mathbb F_q$ but I do not know how I can do it. I use a library for hashing with C++, namely cryptopp. I found an answer at Right way to hash elliptic curve points into finite field but I don't understand it.

Can anyone help me understand what to do?

kelalaka



To hash from $\{0,1\}^*$ (or other large domain) into the integers in $[0,q)$ or any set with a natural mapping¹ to that interval, pick a $b$-bit security margin, a hash $H$ at least $h=\lceil b/2+\log_2q\rceil$-bit and unrelated to others used in the cryptosystem, and define the hash of bitstring $M$ as $H(M)\bmod q$, with $H(M)$ considered an integer in $[0,2^h)$ per e.g. big-endian convention.

When $M$ is random and $H(M)$ has at least $b$-bit security against distinguishing attacks, this has at least in the order of $b$-bit security against distinguishing attacks. When $q>2^b$, this has at least in the order of $b$-bit preimage resistance. When $q>2^{2b}$, this has at least in the order of $b$-bit collision resistance.

E.g. for $q$ up to 400 bits, $\text{SHA-512}(M)\bmod q$ will do if nothing in the system uses SHA-512 (nor something built using the same constants).

If one needs several independent such hash functions, one should use several independent $H_i$ to start with. That can be constructed from a single hash $H$, e.g. as $H(M\mathbin\|i)\bmod q$.


¹ The mapping between the destination set and $[0,q)$ must be efficiently computable in both directions. Therefore the set can be the finite field $\mathbb F_q$ when $q$ is a prime or a prime power, or the ring $\mathbb Z_q$ (aka $\mathbb Z/q\mathbb Z$). We need a different construction for an Elliptic Curve (sub)group of order $q$ if we posit it's one where the Discrete Logarithm problem is hard.

fgrieu
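The construction in the answer above, written out in Python with `hashlib` as an added illustration (it is not code from the answer, nor Crypto++ code): the hash output size $h$ is derived from the security margin $b$ and the modulus $q$, the digest is read as a big-endian integer and reduced mod $q$, and the family $H_i(M)=H(M\mathbin\|i)\bmod q$ is built on top. The 4-byte big-endian encoding of $i$ and the fallback to SHAKE256 when $h$ exceeds 512 bits are assumptions of this example, not choices made by the answer.

```python
import hashlib
from typing import Optional


def required_hash_bits(q: int, b: int) -> int:
    """Output size the underlying hash needs: h = ceil(b/2 + log2 q).
    q.bit_length() stands in for log2 q; it rounds up by at most one bit
    and avoids floating-point error on large q."""
    return (b + 1) // 2 + q.bit_length()


def hash_to_zq(message: bytes, q: int, b: int = 128,
               index: Optional[int] = None) -> int:
    """H(M) mod q, or H(M || i) mod q when an index i is given.
    Assumption of this example: i is encoded as 4 big-endian bytes.
    SHA-512 is used when it is long enough, otherwise SHAKE256 with an
    h-bit output. In a real system H must also be a hash that nothing
    else in the cryptosystem uses."""
    if q < 2:
        raise ValueError("modulus must be at least 2")
    h = required_hash_bits(q, b)
    data = message if index is None else message + index.to_bytes(4, "big")
    if h <= 512:
        digest = hashlib.sha512(data).digest()
    else:
        digest = hashlib.shake_256(data).digest((h + 7) // 8)
    # interpret the digest as an integer in [0, 2^(8*len)) and reduce mod q
    return int.from_bytes(digest, "big") % q


def hash_family(message: bytes, q: int, count: int, b: int = 128) -> list:
    """count independent hashes H_i(M) = H(M || i) mod q for i = 0..count-1."""
    return [hash_to_zq(message, q, b, index=i) for i in range(count)]


if __name__ == "__main__":
    q = 2**255 - 19                        # a 255-bit prime
    print(required_hash_bits(q, 128))      # 319 bits, so SHA-512 suffices
    print(hash_to_zq(b"hello", q))
    print(hash_family(b"hello", q, 3))
```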