Replace hash-to-curve in multiset hash by quantum safe primitives #276

@eigmax

Description

In our multiset hash, we rely on hash-to-curve to calculate the hash of the values of the memory addresses, and consider each hash as the x of a point, then commit to the accumulation of all the points in the EC subgroup (actually equivalently commit to the scalars). If DLOG hardness is preserved, the prover cannot forge another set of scalars for all the points respectively, and hence cannot forge the proof of the offline memory checking.

The basic problem can be described as below:

For a set of messages, we need to map each message to some group/subgroup element, but keep the private keys of all the group elements secret.

To achieve quantum safety, we need to remove the DLOG hardness assumption.
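The construction the issue describes, as an added, stand-alone example that is not the project's own code: each memory tuple is hashed to a curve point, the points are summed, and an offline memory checker accepts when the read-set and write-set sums agree. It uses the secp256k1 parameters (cofactor 1, so every curve point lies in the prime-order subgroup) with a try-and-increment hash-to-curve so it runs on the standard library alone; the function names, the `(addr, value, timestamp)` encoding, the trace simulator and the sample trace are assumptions chosen for illustration. It shows the property the issue wants to keep (order-independent accumulation, a forged read changes the sum) and the property it wants to drop (soundness rests on nobody knowing a discrete log between the hashed points); it does not propose a quantum-safe replacement, which the issue leaves open.

```python
"""Toy elliptic-curve multiset hash (ECMH) for offline memory checking.

Added example, not the project's code. Curve: y^2 = x^3 + 7 over F_p with the
secp256k1 prime (p % 4 == 3, cofactor 1). Names, tuple encoding and the
sample trace are assumptions for illustration.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

P = 2**256 - 2**32 - 977            # secp256k1 field prime
B = 7                               # curve constant in y^2 = x^3 + B
Point = Optional[Tuple[int, int]]   # None is the point at infinity (identity)


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine group law. Commutativity is what makes the sum order-independent."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                      # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def hash_to_curve(msg: bytes) -> Tuple[int, int]:
    """Try-and-increment: hash msg||ctr to a candidate x and keep the first x
    for which x^3 + B is a square. The prover learns no discrete-log relation
    between the resulting points, which is what the DLOG assumption protects."""
    ctr = 0
    while True:
        h = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + B) % P
        y = pow(rhs, (P + 1) // 4, P)           # a root iff rhs is a QR (P % 4 == 3)
        if y * y % P == rhs:
            return (x, y if y % 2 == 0 else P - y)   # canonical (even) y
        ctr += 1


def encode_entry(addr: int, value: int, ts: int) -> bytes:
    """Fixed-width encoding of one (address, value, timestamp) tuple (assumed layout)."""
    return addr.to_bytes(8, "big") + value.to_bytes(8, "big") + ts.to_bytes(8, "big")


def multiset_hash(entries: Iterable[Tuple[int, int, int]]) -> Point:
    """Sum over the multiset of hash_to_curve(entry); infinity is the empty multiset."""
    acc: Point = None
    for addr, value, ts in entries:
        acc = ec_add(acc, hash_to_curve(encode_entry(addr, value, ts)))
    return acc


def trace_sets(init, ops) -> Tuple[List[tuple], List[tuple]]:
    """Simulate a memory trace and return the (read set, write set) an offline
    memory checker compares. init: {addr: value}; ops: ("r", addr) or ("w", addr, value).
    Every access reads the current (value, ts) and writes back with a fresh ts;
    a final audit pass reads every address once, so RS and WS are equal multisets."""
    mem = {a: (v, 0) for a, v in init.items()}
    rs: List[tuple] = []
    ws: List[tuple] = [(a, v, 0) for a, v in init.items()]
    for t, op in enumerate(ops, start=1):
        addr = op[1]
        old_v, old_t = mem[addr]
        rs.append((addr, old_v, old_t))
        new_v = op[2] if op[0] == "w" else old_v
        ws.append((addr, new_v, t))
        mem[addr] = (new_v, t)
    rs.extend((a, v, t) for a, (v, t) in mem.items())
    return rs, ws


def check_trace(init, ops, tamper=None) -> bool:
    """True iff hash(RS) == hash(WS). `tamper=(index, entry)` overwrites one read
    set entry, modelling a prover that claims to have read a value it did not."""
    rs, ws = trace_sets(init, ops)
    if tamper is not None:
        rs[tamper[0]] = tamper[1]
    return multiset_hash(rs) == multiset_hash(ws)


# Constructed sample trace: two addresses, four accesses.
SAMPLE_INIT = {0x10: 5, 0x20: 9}
SAMPLE_OPS = [("r", 0x10), ("w", 0x20, 11), ("r", 0x20), ("w", 0x10, 6)]

if __name__ == "__main__":
    print("honest trace accepted:", check_trace(SAMPLE_INIT, SAMPLE_OPS))
    print("forged read rejected: ", not check_trace(SAMPLE_INIT, SAMPLE_OPS,
                                                     tamper=(0, (0x10, 999, 0))))
```

Because the accumulator is a plain group sum, the checker never needs the trace in order, which is the whole point of the multiset hash; the soundness argument, however, is exactly the one the issue wants to retire: a prover who could find scalars relating the hashed points could rebalance a forged read set against the honest write set.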
