Hash-to-curve should probably be `unconstrained`?

[iAmMichaelConnor]

The hash-to-curve impl is a potential footgun:

• In unconstrained-land, it iterates until it finds a point on the curve.
• In constrainted-land, it is given a hint of data from the successful iteration, and that hint is then constrained to derive the result.

But it is not constraining that the hint is the first: i.e. it's not constraining that the result of hash-to-curve is actually the first successful iteration. This means that hash-to-curve is not constrained to be deterministic; it can give different results for the same input, depending on what the hint is.

This is why people gravitate towards constant-time hash-to-curve algorithms in constrained-land.

cc @kashbrti am I correct?

noir_bigcurve/src/utils/hash_to_curve.nr

Line 64 in c36268d

pub fn hash_to_curve<Fq, let SeedBytes: u32>(seed: [u8; SeedBytes], a: Fq, b: Fq) -> (Fq, Fq)