This document describes a set of procedures for encoding an arbitrary-length
byte string to a point on an elliptic curve. The document contains a set of
recommended suites, provides implementation guidelines and target security
levels for each of them. Rejection sampling methods of hashing to curves are
not covered by the document because of significant issues with constant-time
implementations. This document is a product of the Crypto Forum Research Group
(CFRG) in the IRTF.
Research Group Summary
After adopting the document it was presented in CFRG meetings at IETF 101, IETF
102, IETF 103, IETF 105 and IETF 106. There was a Research Group Last Call for
the draft in 2020. There were no major concerns raised during the RGLC. Several
minor concerns raised during the RGLC were addressed by the authors. The
authors have answered the questions raised during the Research Group Last Call,
no questions have remained unanswered. Crypto Review Panel review was solicited
in June 2020. The review was provided by Thomas Pornin. Comments from that
review were addressed in -09 and -10.
There are at least eight implementations for various elliptic curves: a Go
implementation (in CIRCL) for hashing to curve for the three NIST curves and
for BLS12-381 , implementations for BLS12-381 in rust , boringSSL ,
wrapper Go-rust-C  , and py_ecc , EIP for ethereum [7,8], see also .
All authors of the document have confirmed that they are not aware of any IPRs
related to the document other than the ones that are already in the
datatracker. The construction is used in a significant number of CFRG documents
(active CFRG I-Ds for the current moment): Two-Round Threshold Signatures with
FROST, SPAKE2, Oblivious Pseudorandom Functions (OPRFs) using Prime-Order
Groups, Verifiable Random Functions (VRFs), Pairing-Friendly Curves.
Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.
 https://github.com/drand/bls12381rs