
Hash to group must be domain-separated. #50

Open
armfazh opened this issue Apr 13, 2023 · 1 comment


armfazh commented Apr 13, 2023

The current interface for hashing to group elements must consider the use of domain separation strings.

This is aligned with the hash-to-curve IETF specification. All hashes must be domain-separated, so a protocol can specify the separation when the hash is invoked as different random oracles. See more at https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#name-domain-separation-requireme

Current:

kyber/hash.go, lines 13 to 15 in 5706fa5:

```go
type HashablePoint interface {
	Hash([]byte) Point
}
```

Proposed:

```go
type HashablePoint interface {
	Hash(msg, dst []byte) Point
}
```
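To make the point concrete, here is an added Go example (not kyber's code, and not part of this issue) that implements the `expand_message_xmd` and `hash_to_field` steps of the hash-to-curve specification (RFC 9380, Sections 5.2 and 5.3.1) over SHA-256, with the domain separation tag as an explicit input. The function names `expandMessageXMD`, `hashToField` and `domainSeparatedScalars`, the sample message and the tags `PROTO-A-V01` / `PROTO-B-V01` are all assumptions of this example; the field prime 2^255 - 19 is used only as a convenient, real-sized modulus. It shows that the same message hashed under two tags yields unrelated field elements, which is exactly what a `Hash(msg, dst)` signature lets a protocol guarantee. Check the implementation against the RFC 9380 Appendix K test vectors before relying on it.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// expandMessageXMD implements expand_message_xmd (RFC 9380, 5.3.1) over SHA-256.
// Every output byte depends on both msg and the domain separation tag dst.
func expandMessageXMD(msg, dst []byte, lenInBytes int) ([]byte, error) {
	const bInBytes = sha256.Size      // output size of H
	const sInBytes = sha256.BlockSize // input block size of H
	ell := (lenInBytes + bInBytes - 1) / bInBytes
	// The first three conditions are the RFC's abort conditions; rejecting an
	// empty tag is this example's own sanity check (assumption).
	if ell > 255 || lenInBytes > 65535 || len(dst) > 255 || len(dst) == 0 {
		return nil, errors.New("expand_message_xmd: invalid length or DST")
	}
	// DST_prime = DST || I2OSP(len(DST), 1)
	dstPrime := append(append([]byte{}, dst...), byte(len(dst)))

	// b_0 = H(Z_pad || msg || I2OSP(len_in_bytes, 2) || I2OSP(0, 1) || DST_prime)
	h := sha256.New()
	h.Write(make([]byte, sInBytes)) // Z_pad
	h.Write(msg)
	h.Write([]byte{byte(lenInBytes >> 8), byte(lenInBytes)})
	h.Write([]byte{0})
	h.Write(dstPrime)
	b0 := h.Sum(nil)

	// b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
	h.Reset()
	h.Write(b0)
	h.Write([]byte{1})
	h.Write(dstPrime)
	bi := h.Sum(nil)
	out := append([]byte{}, bi...)

	// b_i = H(strxor(b_0, b_(i-1)) || I2OSP(i, 1) || DST_prime) for i in 2..ell
	for i := 2; i <= ell; i++ {
		tmp := make([]byte, bInBytes)
		for j := range tmp {
			tmp[j] = b0[j] ^ bi[j]
		}
		h.Reset()
		h.Write(tmp)
		h.Write([]byte{byte(i)})
		h.Write(dstPrime)
		bi = h.Sum(nil)
		out = append(out, bi...)
	}
	return out[:lenInBytes], nil
}

// hashToField maps (msg, dst) to one element of GF(p) as in RFC 9380, 5.2,
// with count = 1 and a 128-bit security target, so L = ceil((log2(p)+128)/8).
func hashToField(msg, dst []byte, p *big.Int) (*big.Int, error) {
	const k = 128
	L := (p.BitLen() + k + 7) / 8
	buf, err := expandMessageXMD(msg, dst, L)
	if err != nil {
		return nil, err
	}
	u := new(big.Int).SetBytes(buf)
	return u.Mod(u, p), nil
}

// domainSeparatedScalars hashes one message under two protocol tags
// (assumed names) and returns both field elements so callers can see
// that the tag alone changes the result.
func domainSeparatedScalars(msg []byte, p *big.Int) (*big.Int, *big.Int, error) {
	a, err := hashToField(msg, []byte("PROTO-A-V01"), p)
	if err != nil {
		return nil, nil, err
	}
	b, err := hashToField(msg, []byte("PROTO-B-V01"), p)
	if err != nil {
		return nil, nil, err
	}
	return a, b, nil
}

func main() {
	// p = 2^255 - 19, used here only as a realistic modulus.
	p := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	a, b, err := domainSeparatedScalars([]byte("constructed sample message"), p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("PROTO-A-V01: %x\nPROTO-B-V01: %x\nequal: %v\n", a, b, a.Cmp(b) == 0)
}
```

Without the `dst` parameter, two protocols (or two random-oracle instances inside one protocol) that hash the same message would obtain the same group element, which is the cross-protocol interaction the specification's domain separation requirement exists to rule out.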

ineiti commented Apr 15, 2024

I don't think this is kyber's task to do. Kyber is the "shoot in your foot" crypto library.

If you want to have kyber for actual applications for people who don't know what they're doing, there is a lot to do.

And if you start nudging it here and there in a more fool-proof version, you might anger researchers who won't find their required primitives anymore.

I propose to close this issue and keep kyber as "shoot in your foot" library. Other libraries can build on top of kyber to have a more user-friendly way of handling crypto.
