Description
When creating protocols/algorithms that are generic over hashes, it could be useful to constrain hashes depending on their collision resistance.
The primary motivation, which also serves as an example, is properly constraining `ExpandMsg` implementations according to the spec. Both `expand_message_xmd` and `expand_message_xof` require the hash's collision resistance to be at least the curve's security level.
For `expand_message_xmd` this was simpler, because it requires a hash with a fixed output, so the requirement is set that the output size of the hash has to be at least twice the security level of the curve. I implemented this constraint in #1813. I don't know if this is a general property of cryptographically secure hash algorithms, but I suspect it just aligns with SHA-2/SHA-3.
For `expand_message_xof`, there is currently no way to extract any information from an existing trait about this. However, e.g. for SHAKE the specification is quite clear about the collision resistance.
I propose adding an associated type to `HashMarker`, like this:

```rust
trait HashMarker {
    type CollisionResistance: ArraySize;
}
```
I'm happy to do the implementation upon approval!
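As an added illustration of the constraint this proposal is meant to encode (not code from the issue or from the RustCrypto crates), the following stand-alone Rust models the two rules from the text: for `expand_message_xof` the hash's collision resistance must be at least the curve's security level, and for `expand_message_xmd` the fixed output size must be at least twice that level. It uses associated consts instead of a type-level `ArraySize` so it compiles without extra crates; the `HashMarker`, `FixedOutputSize` and `Curve` traits and the hash/curve marker structs are constructed for the example. The collision-resistance figures are the generic birthday bound (half the digest size, capped at 128 for SHAKE128 and 256 for SHAKE256 per FIPS 202); the curve security levels are the usual 128 bits for P-256 and 192 bits for P-384.

```rust
/// Stand-in for the proposed `HashMarker::CollisionResistance` associated type.
/// Expressed in bits, as an associated const, so no type-level integers are needed.
trait HashMarker {
    const COLLISION_RESISTANCE_BITS: usize;
}

/// Stand-in for a fixed-output-size hash (what `expand_message_xmd` needs).
trait FixedOutputSize {
    const OUTPUT_BITS: usize;
}

/// Constructed curve marker carrying the curve's security level in bits.
trait Curve {
    const SECURITY_LEVEL_BITS: usize;
}

// Constructed hash markers. Collision resistance is the birthday bound on the
// digest length (SHA-2), and the FIPS 202 cap for the SHAKE XOFs.
struct Sha256;
impl HashMarker for Sha256 { const COLLISION_RESISTANCE_BITS: usize = 128; }
impl FixedOutputSize for Sha256 { const OUTPUT_BITS: usize = 256; }

struct Sha512;
impl HashMarker for Sha512 { const COLLISION_RESISTANCE_BITS: usize = 256; }
impl FixedOutputSize for Sha512 { const OUTPUT_BITS: usize = 512; }

struct Shake128;
impl HashMarker for Shake128 { const COLLISION_RESISTANCE_BITS: usize = 128; }

struct Shake256;
impl HashMarker for Shake256 { const COLLISION_RESISTANCE_BITS: usize = 256; }

// Constructed curve markers.
struct P256;
impl Curve for P256 { const SECURITY_LEVEL_BITS: usize = 128; }

struct P384;
impl Curve for P384 { const SECURITY_LEVEL_BITS: usize = 192; }

/// Rule for `expand_message_xof`: the XOF's collision resistance must reach the
/// curve's security level. Returns a reason on failure so callers can report it.
fn check_xof<H: HashMarker, C: Curve>() -> Result<(), String> {
    if H::COLLISION_RESISTANCE_BITS >= C::SECURITY_LEVEL_BITS {
        Ok(())
    } else {
        Err(format!(
            "xof collision resistance {} bits < curve security level {} bits",
            H::COLLISION_RESISTANCE_BITS,
            C::SECURITY_LEVEL_BITS
        ))
    }
}

/// Rule for `expand_message_xmd`: the fixed output size must be at least twice
/// the curve's security level (the constraint the issue says #1813 implemented).
fn check_xmd<H: FixedOutputSize, C: Curve>() -> Result<(), String> {
    if H::OUTPUT_BITS >= 2 * C::SECURITY_LEVEL_BITS {
        Ok(())
    } else {
        Err(format!(
            "xmd output {} bits < 2 * curve security level {} bits",
            H::OUTPUT_BITS,
            C::SECURITY_LEVEL_BITS
        ))
    }
}

fn main() {
    // Constructed pairings; the mismatched ones are rejected.
    println!("SHAKE256/P-384: {:?}", check_xof::<Shake256, P384>());
    println!("SHAKE128/P-384: {:?}", check_xof::<Shake128, P384>());
    println!("SHA-256/P-256:  {:?}", check_xmd::<Sha256, P256>());
    println!("SHA-256/P-384:  {:?}", check_xmd::<Sha256, P384>());
    println!("SHA-512/P-384:  {:?}", check_xmd::<Sha512, P384>());
}
```

The two checks agree with each other where both apply (SHA-256 has 128-bit collision resistance and a 256-bit output, so it passes both rules for P-256 and fails both for P-384). In the actual proposal the comparison would be carried by a trait bound on the type-level `CollisionResistance`, turning these runtime `Err` values into compile errors.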