Potential problems for the paranoid.

**Truncated
hashes**

For points on an elliptic curve over the base field,
`element_from_hash()`

will truncate
the input hash until it can represent an x-coordinate in that
field. (PBC then computes a corresponding y-coordinate.)
Ideally the hash length should be smaller than size of the base
field and also the size of the elliptic curve group.

Hashing to elements in field extensions does not take advantage of the fact that the extension has more elements than the base field. I intend to rewrite the code so that for a degree n extension code, PBC splits the hash into n parts and determine each polynomial coefficient from one ofthe pieces. At the moment every coefficient is the same and depends on the whole hash.

This is harmless for the base field, because all the pairing types implemented so far use an integer mod ring as the base field, rather than an extension of some low characteristic field.

**Zeroed
memory**

Unlike OpenSSL, there are no functions to zero memory
locations used in sensitive computations. To some extent, one
can use `element_random()`

to
overwrite data.

**PRNG
determinism**

On platforms without `/dev/urandom`

PBC falls back on a deterministic
pseudo-random number generator, except on Windows where it
attempts to use the Microsoft Crypto API.

Also, `/dev/urandom`

differs from
`/dev/random`

. A quote from its
manpage:

A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.