Indifferentiable hashing to ordinary elliptic \({\mathbb {F}}_{\!q}\)-curves of \(j=0\) with the cost of one exponentiation in \({\mathbb {F}}_{\!q}\)

Abstract

Let \({\mathbb {F}}_{\!q}\) be a finite field and \(E_b\!: y^2 = x^3 + b\) be an ordinary (i.e., non-supersingular) elliptic curve (of j-invariant 0) such that \(\sqrt{b} \in {\mathbb {F}}_{\!q}\) and \(q \not \equiv 1 \, (\mathrm {mod} \ 27)\). For example, these conditions are fulfilled for the curve BLS12-381 (\(b=4\)). It is a de facto standard in the real-world pairing-based cryptography at the moment. This article provides a new constant-time hash function \(H\!: \{0,1\}^* \rightarrow E_b({\mathbb {F}}_{\!q})\) indifferentiable from a random oracle. Its main advantage is the fact that H computes only one exponentiation in \({\mathbb {F}}_{\!q}\). In comparison, the previous fastest constant-time indifferentiable hash functions to \(E_b({\mathbb {F}}_{\!q})\) compute two exponentiations in \({\mathbb {F}}_{\!q}\). In particular, applying H to the widely used BLS multi-signature with m different messages, the verifier should perform only m exponentiations rather than 2m ones during the hashing phase.

Appendix (the case \(\root 6 \of {b} \in {\mathbb {F}}_{\!q}^*\))

In this case, without lost of generality, we can clearly suppose that \(b = 1\). By abuse of notation, let us continue to denote by b an element such that \(\sqrt{b} \in {\mathbb {F}}_{\!q}\), but \(\root 3 \of {b} \not \in {\mathbb {F}}_{\!q}\). Obviously, it always exists. Therefore the cubic \({\mathbb {F}}_{\!q}\)-twists of the curve \(E_1\) (including the trivial one) are determined by the equations \(E_1^{(i)}\!: y^2_i = b^ix_i^3 + 1 \simeq _{{\mathbb {F}}_{\!q}} E_{b^{2i}}\) and hence the Calabi–Yau threefold T (now denoted by \(T^\prime \)) has the affine model

$$\begin{aligned} \begin{aligned} T^\prime \!: {\left\{ \begin{array}{ll} y_1^2 - 1 = b (y_0^2 - 1) t_1^3, \\ y_2^2 - 1 = b^2 (y_0^2 - 1) t_2^3 \end{array}\right. } \quad \subset \quad {\mathbb {A}}^{\!5}_{(y_0,y_1,y_2,t_1,t_2)}, \end{aligned} \end{aligned}$$

where \(t_j := x_j/x_0\).

Looking at T from Lemma 1 and at \(T^\prime \) as the corresponding elliptic \({\mathbb {F}}_{\!q}(t_1, t_2)\)-curves, we obtain the isomorphism

Consequently, \(\varphi := \chi (\varphi )\) is an \({\mathbb {F}}_{\!q}(t_1, t_2)\)-point on \(T^\prime \) (for the old \(\varphi \) from Theorem 1) and the map \(h\!: {\mathbb {F}}_{\!q}^2 \rightarrow E_1({\mathbb {F}}_{\!q})\) is defined in the same way as in Sect. 3. It is worth emphasizing that all results of the paper remain true modulo minor modifications. For example, the case \(y = \beta = -3\) occurs in proving the analogue of Theorem 5, that is the estimate of \(\#h^{-\!1}(\omega ^i 2, -3)\) should be slightly different from that of \(\#h^{-\!1}(P)\) for a general point \(P \in E_1({\mathbb {F}}_{\!q})\). Nevertheless, the admissibility property of h is still fulfilled.

The content of this appendix is relevant for the curve BLS12-377 [21] popular in some blockchains. It is defined over the field \({\mathbb {F}}_{\!q}\) such that

$$\begin{aligned} \lceil \log _2(q) \rceil = 377, \qquad q \equiv 7 \ (\mathrm {mod} \ 9), \qquad q-1 = 2^{46} n, \end{aligned}$$

where \(2 \not \mid n \in {\mathbb {N}}\). Although Elligator 2 and the Wahby–Boneh encoding are formally applicable to this curve, (in contrast to the new map h) they are not implemented by means of one exponentiation in \({\mathbb {F}}_{\!q}\), because \(q \equiv 1 \ (\mathrm {mod} \ 8)\). Instead, one can utilize the constant-time version [9, Appendix I.4] of the Tonelli–Shanks algorithm (cf. [16]) for extracting a square root in \({\mathbb {F}}_{\!q}\), but it is more costly than an exponentiation.