
Uncompressed Point Deserialization #1994

@daxpedda

The main motivation here is to allow primeorder dependents, e.g. p256, to construct AffinePoints from FieldElements. Currently this is a problem with hash2curve, where we have to go through AffinePoint::decompress().

However, this also overlaps with dalek-cryptography/curve25519-dalek#817. So the proposal should be quite straightforward:

```rust
pub trait DecodePoint<C: Curve>: Sized {
    fn decode(x: &FieldBytes<C>, y: &FieldBytes<C>) -> CtOption<Self>;
}
```

Then expose a const method on AffinePoints themselves.

However, specifically for hash2curve, we will need an unchecked method to avoid the additional overhead. So I propose adding another trait:

```rust
pub trait UncheckedDecodePoint<C: Curve>: Sized {
    fn decode(x: C::FieldElement, y: C::FieldElement) -> Self;
}
```

I believe this would not be publicly accessible anyway, because users don't have access to FieldElement directly.

Happy to make a PR upon approval.
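Added example, not code from the issue or from the primeorder/p256 crates: a sketch of the checked/unchecked split proposed above, showing what the checked path has to reject (non-canonical coordinates and off-curve points) and why the unchecked path stays private. The toy curve, the one-byte field encoding, and the names `FieldElement`, `AffinePoint`, `is_on_curve` and `decode_unchecked` are assumptions made for illustration; it returns `Option` rather than `CtOption` and is not constant-time.

```rust
// Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; far too small for real use.
const P: u64 = 17;
const A: u64 = 2;
const B: u64 = 2;

/// Hypothetical stand-in for a curve's field element: a value already reduced mod P.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct FieldElement(u64);

impl FieldElement {
    /// Parses a one-byte encoding, rejecting non-canonical values (>= P).
    fn from_bytes(bytes: &[u8; 1]) -> Option<Self> {
        let v = u64::from(bytes[0]);
        if v < P { Some(Self(v)) } else { None }
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct AffinePoint { x: FieldElement, y: FieldElement }

/// Curve equation check: y^2 == x^3 + A*x + B (mod P).
fn is_on_curve(x: FieldElement, y: FieldElement) -> bool {
    let lhs = y.0 * y.0 % P;
    let rhs = (x.0 * x.0 % P * x.0 + A * x.0 + B) % P;
    lhs == rhs
}

impl AffinePoint {
    /// Checked path for untrusted coordinates: both must be canonical and on the curve.
    pub fn decode(x: &[u8; 1], y: &[u8; 1]) -> Option<Self> {
        let (x, y) = (FieldElement::from_bytes(x)?, FieldElement::from_bytes(y)?);
        if is_on_curve(x, y) { Some(Self { x, y }) } else { None }
    }

    /// Unchecked path: the caller guarantees the point is on the curve, as a
    /// hash-to-curve mapping does. Not `pub`, so outside callers get only `decode`.
    fn decode_unchecked(x: FieldElement, y: FieldElement) -> Self {
        debug_assert!(is_on_curve(x, y)); // catches misuse in debug builds only
        Self { x, y }
    }
}

fn main() {
    assert!(AffinePoint::decode(&[5], &[1]).is_some()); // on the curve
    assert!(AffinePoint::decode(&[5], &[2]).is_none()); // canonical but off the curve
    assert!(AffinePoint::decode(&[22], &[1]).is_none()); // 22 = 5 mod 17, non-canonical
    let p = AffinePoint::decode_unchecked(FieldElement(5), FieldElement(1));
    assert_eq!(Some(p), AffinePoint::decode(&[5], &[1]));
}
```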
