
Hash-to-curve function in MiniPSI

Open bitwiseshiftleft opened this issue 4 months ago • 0 comments

Hi, and thanks for your talk at the NIST STPPA workshop.

I'm curious about the curve and hash-to-curve functions used in MiniPSI. If I understand the code correctly, MiniPSI's hash-to-curve is implemented as H(x) = EccPoint::randomize(hash(x)), which in turn computes g^hash(x). This is not a random oracle, and doesn't work for at least DDH-based PSI, and I would suspect most other PSI as well: from g^a, you can easily compute H(x)^a and vice-versa, which enables a dictionary attack on the PSI protocol.

But maybe I'm misreading the code here?

bitwiseshiftleft, Sep 18 '25 15:09
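The relation the issue describes, as an added example (not code from MiniPSI or from the issue author). It assumes a multiplicative group modulo a safe prime as a stand-in for the elliptic curve, and all function names are hypothetical. A map of the form g^hash(x) is compared with a hash-then-square map whose discrete logarithm nobody knows.

```python
import hashlib
import secrets

# Safe prime p = 2q + 1 (768-bit MODP prime, RFC 2409 Oakley Group 1); illustration only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the order-Q subgroup


def h_int(x: bytes, nbytes: int = 32) -> int:
    """Hash to an integer (stand-in for hash(x) in the issue)."""
    return int.from_bytes(hashlib.shake_256(x).digest(nbytes), "big")


def map_known_dlog(x: bytes) -> int:
    """The construction questioned in the issue: H(x) = g^hash(x)."""
    return pow(G, h_int(x) % Q, P)


def map_hash_then_square(x: bytes) -> int:
    """Hash into Z_p^*, then square into the order-Q subgroup; log_g is unknown."""
    u = 1 + h_int(b"h2g|" + x, 128) % (P - 1)  # 1024 bits reduced into [1, P-1]
    return pow(u, 2, P)


def masked_without_key(pub_a: int, x: bytes) -> int:
    """Compute (g^a)^hash(x) using only the public value g^a."""
    return pow(pub_a, h_int(x) % Q, P)


def compare(x: bytes):
    """Return (matches g^hash(x) map, matches hash-then-square map)."""
    a = secrets.randbelow(Q - 1) + 1   # a party's secret exponent
    pub_a = pow(G, a, P)               # g^a, visible to the other party
    guess = masked_without_key(pub_a, x)
    return (guess == pow(map_known_dlog(x), a, P),
            guess == pow(map_hash_then_square(x), a, P))


if __name__ == "__main__":
    # Constructed sample input, not taken from the issue.
    print(compare(b"alice@example.com"))
```

With the first map, H(x)^a is computable without the secret a, so a masked value confirms or rules out any candidate x; with the second, the same computation gives no match.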