@@ -205,8 +205,17 @@ impl Fp {
205205 Some ( Fp :: from_array ( self . env ( ) , & bytes) )
206206 }
207207
208- /// Maps to a `G1Affine` point via [simplified SWU
209- /// mapping](https://www.rfc-editor.org/rfc/rfc9380.html#name-simplified-swu-for-ab-0)
208+ /// Maps this `Fp` element to a `G1Affine` point using the [simplified SWU
209+ /// mapping](https://www.rfc-editor.org/rfc/rfc9380.html#name-simplified-swu-for-ab-0).
210+ ///
211+ /// **Important:** The resulting point is on the curve but may not be in the
212+ /// prime-order subgroup (operations like pairing may fail). To ensure the
213+ /// point is in the prime-order subgroup, cofactor clearing must be
214+ /// performed on the output.
215+ ///
216+ /// For applications requiring a point directly in the prime-order subgroup,
217+ /// consider using `hash_to_g1`, which handles subgroup checks and cofactor
218+ /// clearing internally.
210219pub fn map_to_g1 ( & self ) -> G1Affine {
211220 self . env ( ) . crypto ( ) . bls12_381 ( ) . map_fp_to_g1 ( self )
212221 }
@@ -332,6 +341,17 @@ impl Fp2 {
332341 Some ( Fp2 :: from_array ( self . env ( ) , & inner) )
333342 }
334343
344+ /// Maps this `Fp2` element to a `G2Affine` point using the [simplified SWU
345+ /// mapping](https://www.rfc-editor.org/rfc/rfc9380.html#name-simplified-swu-for-ab-0).
346+ ///
347+ /// **Important:** The resulting point is on the curve but may not be in the
348+ /// prime-order subgroup (operations like pairing may fail). To ensure the
349+ /// point is in the prime-order subgroup, cofactor clearing must be
350+ /// performed on the output.
351+ ///
352+ /// For applications requiring a point directly in the prime-order subgroup,
353+ /// consider using `hash_to_g2`, which handles subgroup checks and cofactor
354+ /// clearing internally.
335355pub fn map_to_g2 ( & self ) -> G2Affine {
336356 self . env ( ) . crypto ( ) . bls12_381 ( ) . map_fp2_to_g2 ( self )
337357 }
0 commit comments