ZoKrates
Feature request: SHA256 applied directly on field point
To generate a proof of a signature inside a SNARK, we need to use a hash function. Right now, the only way is to convert the field point to its binary decomposition. We would like SHA256 to also take field elements.
Thanks for this, what would you think of the following spec:

```
def sha256(field a, field b) -> (field)
    return sha256(0, 0, 0, ...toBits253(a), 0, 0, 0, ...toBits253(b))
```

We'd be effectively banning field elements between 2^253 and p - 1.

@HarryR @BarryWhitehat I'd love your feedback on this!
So is this a question about how we can convert binary to field elements? And the security things we need to be aware of.
I'm mostly interested in the security aspect. If I'm not mistaken, if we decompose to 254 bits, then (for example) 0 has two bit representations because of the overflow.
I don't see the problem of having a toBits256(x) with 0 padding for bits 255 and 256. The output being random, the overflow is just as random.
I think I'm not talking about the hash, but rather about toBits256 being nondeterministic. @barrywhitehat any security issues you can think of?
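The ambiguity discussed above (a 254-bit decomposition of a field element is not unique, because p < 2^254, so the bit strings for x and x + p both recompose to x mod p) and the proposed fix (restrict to 253 bits, banning elements in [2^253, p - 1]) can be checked outside a circuit. The following is an added example, not ZoKrates code and not from any participant in this thread; it assumes P is the BN254/alt_bn128 scalar field modulus that ZoKrates uses, and it models the circuit's recomposition constraint as "sum(b_i * 2^i) == x (mod P)", which is what makes the extra representative satisfy the constraint. The names (`encodings_mod_p`, `pack_fields`, `sha256_of_fields`) are illustrative, and the SHA256 is Python's hashlib over the 512-bit block layout from the spec, used here only to show that the layout is well defined once the input is canonical.

```python
import hashlib

# BN254 (alt_bn128) scalar field modulus; assumed to be the field ZoKrates targets.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def to_bits(v, n_bits):
    """Big-endian n_bits-wide decomposition of an integer that fits in n_bits."""
    if not 0 <= v < 2 ** n_bits:
        raise ValueError("value does not fit in %d bits" % n_bits)
    return [(v >> (n_bits - 1 - i)) & 1 for i in range(n_bits)]


def from_bits(bits):
    """Recompose bits the way a circuit does: sum(b_i * 2^i) reduced mod P."""
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v % P


def encodings_mod_p(x, n_bits):
    """All n_bits-wide bit strings whose integer value is congruent to x mod P.

    A circuit that only constrains recomposition mod P accepts every
    representative x + k*P that still fits in n_bits, so this list has
    more than one entry whenever x + P < 2^n_bits (possible for 254 bits,
    impossible for 253 bits because 2^253 < P).
    """
    out = []
    v = x % P
    while v < 2 ** n_bits:
        out.append(to_bits(v, n_bits))
        v += P
    return out


def is_canonical(x):
    """The proposed spec only accepts field elements below 2^253."""
    return 0 <= x < 2 ** 253


def checked_to_bits253(x):
    """toBits253 from the spec, with the range check made explicit."""
    if not is_canonical(x):
        raise ValueError("field element >= 2^253 is banned by the spec")
    return to_bits(x, 253)


def banned_element_count():
    """How many field elements the 253-bit restriction excludes."""
    return P - 2 ** 253


def pack_fields(a, b):
    """Build the 512-bit block from the spec: 0,0,0,bits253(a),0,0,0,bits253(b)."""
    bits = [0, 0, 0] + checked_to_bits253(a) + [0, 0, 0] + checked_to_bits253(b)
    assert len(bits) == 512
    v = 0
    for bit in bits:
        v = (v << 1) | bit
    return v.to_bytes(64, "big")


def sha256_of_fields(a, b):
    """SHA256 over the packed block; hex digest (hashlib stands in for the circuit)."""
    return hashlib.sha256(pack_fields(a, b)).hexdigest()


if __name__ == "__main__":
    # Constructed demonstration: 0 has two 254-bit encodings but one 253-bit encoding.
    print("254-bit encodings of 0:", len(encodings_mod_p(0, 254)))
    print("253-bit encodings of 0:", len(encodings_mod_p(0, 253)))
    print("elements banned by the 253-bit rule:", banned_element_count())
    print("sha256(0, 0) =", sha256_of_fields(0, 0))
```

The second 254-bit encoding of 0 is the bit string of p itself; `from_bits` maps it back to 0, which is exactly why a prover could choose either representation if the circuit did not pin one down. With the 253-bit rule every accepted element has a single encoding, at the cost of the `banned_element_count()` elements the spec gives up.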
I am not an expert on this area. But I think that the limitation should work. But @HarryR or @jbaylina would be better to check with on this.
this issue will be addressed here: https://github.com/Zokrates/ZoKrates/issues/256