
Some remarks on how to hash faster onto elliptic curves

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

This article proposes four optimizations of indifferentiable hashing onto (prime-order subgroups of) ordinary elliptic curves over finite fields \(\mathbb {F}_{q}\). One of them is dedicated to elliptic curves E without non-trivial automorphisms, provided that \(q \equiv 2 \, (\textrm{mod} \, 3)\). The second deals with \(q \equiv 2, 4 \, (\textrm{mod} \, 7)\) and an elliptic curve \(E_7\) of j-invariant \(-3^3 5^3\). The corresponding section plays a rather theoretical role, because (the quadratic twist of) \(E_7\) is not used in real-world cryptography. The other two optimizations concern the subgroups \(\mathbb {G}_1\), \(\mathbb {G}_2\) of pairing-friendly curves. The performance gain comes from the smaller number of exponentiations in \(\mathbb {F}_{q}\) required for hashing to \(E(\mathbb {F}_{q})\), \(E_7(\mathbb {F}_{q})\), and \(\mathbb {G}_2\), as well as from the absence of any need to hash directly onto \(\mathbb {G}_1\) in certain settings. In particular, the last insight makes it possible to drastically speed up verification of the aggregate BLS signature incorporated in many blockchain technologies. The new results affect, for example, the pairing-friendly curve BLS12-381 (the most popular in practice at the moment) and a few plain curves from the American standard NIST SP 800-186. Among other things, a taxonomy of state-of-the-art hash functions to elliptic curves is presented. Finally, the article discusses how to hash over highly 2-adic fields \(\mathbb {F}_{q}\).
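The abstract counts the cost of hashing in exponentiations in \(\mathbb {F}_{q}\) and singles out the case \(q \equiv 2 \, (\textrm{mod} \, 3)\). The following added example (not the paper's own code or construction) shows why that congruence matters using the classical Icart encoding and the Brier et al. hash f(h1(m)) + f(h2(m)): cubing is a bijection on such a field, so a cube root is one exponentiation with no square root or Legendre-symbol check. The toy prime Q = 1019, the curve coefficients A, B and the SHA-256-based h1/h2 are constructed assumptions.

```python
# Added example (not the paper's code): Icart's encoding to y^2 = x^3 + A*x + B
# over F_q with q = 2 (mod 3), and the Brier et al. indifferentiable hash
# f(h1(m)) + f(h2(m)).  For q = 2 (mod 3) cubing is a bijection on F_q, so a
# cube root costs ONE exponentiation and needs no square root or Legendre check.
import hashlib

Q = 1019      # constructed toy prime with Q % 3 == 2 (assumption)
A, B = 5, 7   # constructed toy curve coefficients (assumption)
INF = None    # point at infinity

def inv(x):
    return pow(x % Q, Q - 2, Q)

def cbrt(x):
    """Unique cube root in F_q for q = 2 (mod 3): x^((2q-1)/3)."""
    return pow(x % Q, (2 * Q - 1) // 3, Q)

def on_curve(p):
    if p is INF:
        return True
    x, y = p
    return (y * y - (x ** 3 + A * x + B)) % Q == 0

def icart(u):
    """Icart's map F_q* -> E(F_q): v=(3A-u^4)/(6u), x=cbrt(v^2-B-u^6/27)+u^2/3, y=ux+v."""
    u %= Q
    if u == 0:
        raise ValueError("u = 0 is outside the domain of Icart's map")
    v = (3 * A - pow(u, 4, Q)) * inv(6 * u) % Q
    t = (v * v - B - pow(u, 6, Q) * inv(27)) % Q
    x = (cbrt(t) + u * u * inv(3)) % Q
    return (x, (u * x + v) % Q)

def add(p1, p2):
    """Affine short-Weierstrass addition (toy, not constant time)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % Q
    else:
        lam = (y2 - y1) * inv(x2 - x1) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def field_hash(msg, tag):
    """Toy hash to F_q* (SHA-256 reduced into 1..Q-1), standing in for h1/h2."""
    return 1 + int.from_bytes(hashlib.sha256(tag + msg).digest(), "big") % (Q - 1)

def hash_to_curve(msg):
    """H(m) = f(h1(m)) + f(h2(m)): two cube roots, i.e. two exponentiations."""
    return add(icart(field_hash(msg, b"h1")), icart(field_hash(msg, b"h2")))
```

Every output of icart lands on the curve because y = ux + v turns the curve equation into (x - u^2/3)^3 = v^2 - B - u^6/27, which the single cube root solves.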



Acknowledgements

The author expresses his gratitude to Antonio Sanso, Daira Hopwood, Evgeny Alekseev, Gottfried Herold, Jeffrey Burdges, Justin Drake, Oleg Taraskin, Sergey Vasilyev, and Yu Dai for useful comments on the present paper and on the role of hashing to elliptic curves in real-world cryptography. In addition, it is impossible not to note the financial support provided by the Web3 Foundation (W3F) grant “Implementation of the new hash function to BLS12 curves”.


Correspondence to Dmitrii Koshelev.

Ethics declarations

Conflict of interest.

The author states no conflict of interest.


Dmitrii Koshelev was supported by Ethereum Foundation.


Cite this article

Koshelev, D. Some remarks on how to hash faster onto elliptic curves. J Comput Virol Hack Tech (2024). https://doi.org/10.1007/s11416-024-00514-4
