Open
Labels
P3 (Med/low - Nice to have), enhancement (New feature or request)
Description
Right now, curve points for the ECMH are found via a hash-then-increment construction. However, while there is no practical attack we have found on that construction, it's a sticking point that there's no security proof for that construction, whereas there does exist one for a similar increment-then-hash construction. This is a case in which a mistake from my misreading the literature has stuck because of a combination of computational efficiency and downstream tooling that has been constructed with the existing approach.
See audit for more details.
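A side-by-side sketch of the two point-finding constructions named in the issue, added here as an illustration and not taken from the project's code. The curve (secp256k1), SHA-256, the 4-byte counter encoding and all function names are assumptions, since the issue specifies none of them.

```python
import hashlib

# Assumptions (the issue names none of these): secp256k1, y^2 = x^3 + 7 over F_P,
# SHA-256 as the hash, and a 4-byte big-endian counter.
P = 2**256 - 2**32 - 977
B = 7

def lift_x(x):
    """Return the point (x, y) with even y, or None if x is not on the curve."""
    rhs = (pow(x, 3, P) + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square-root candidate; works because P % 4 == 3
    if y * y % P != rhs:
        return None
    return (x, y if y % 2 == 0 else P - y)

def h(data):
    """SHA-256 digest of data as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def walk_from(x):
    """Step x, x+1, x+2, ... until a valid x-coordinate is hit."""
    steps = 0
    while (pt := lift_x(x)) is None:
        x = (x + 1) % P
        steps += 1
    return pt, steps

def hash_then_increment(msg):
    """One hash call; later candidates are algebraically related (x0 + i)."""
    return walk_from(h(msg) % P)

def increment_then_hash(msg):
    """A fresh hash call per attempt; candidates are H(msg || ctr)."""
    ctr = 0
    while True:
        x = h(msg + ctr.to_bytes(4, "big"))
        if x < P and (pt := lift_x(x)) is not None:
            return pt, ctr
        ctr += 1

if __name__ == "__main__":
    # Constructed sample inputs: attempts needed by each construction.
    for m in (b"a", b"b", b"c"):
        print(m, hash_then_increment(m)[1], increment_then_hash(m)[1])
```

In the first function every x inside a run of invalid values lands on the same point, while in the second each attempt is a separate hash output.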