fr_from_hash converts a 256-bit SHA-256 digest into a Decaf377 scalar using from_le_bytes_mod_order.
The Decaf377 scalar-field order is approximately 251.5 bits and does not divide 2^256. Consequently, reducing a uniformly distributed 256-bit value modulo the field order does not produce a uniform scalar distribution. Some field elements are generated more frequently than others.
This conversion is used for security-sensitive FROST values, including challenge scalars and binding factors. The resulting modular bias therefore affects values involved directly in signature generation and verification.
FROST’s hash-to-field requirements call for sufficient oversampling specifically to make this reduction bias negligible. A single 256-bit digest does not provide that margin for the Decaf377 scalar field.
The behavior is also inconsistent with the Decaf377 PRE implementation, which explicitly accounts for the field’s approximately 251-bit size during scalar derivation.
fr_from_hashconverts a 256-bit SHA-256 digest into a Decaf377 scalar usingfrom_le_bytes_mod_order.The Decaf377 scalar-field order is approximately 251.5 bits and does not divide
2^256. Consequently, reducing a uniformly distributed 256-bit value modulo the field order does not produce a uniform scalar distribution. Some field elements are generated more frequently than others.This conversion is used for security-sensitive FROST values, including challenge scalars and binding factors. The resulting modular bias therefore affects values involved directly in signature generation and verification.
FROST’s hash-to-field requirements call for sufficient oversampling specifically to make this reduction bias negligible. A single 256-bit digest does not provide that margin for the Decaf377 scalar field.
The behavior is also inconsistent with the Decaf377 PRE implementation, which explicitly accounts for the field’s approximately 251-bit size during scalar derivation.