Abstract
This article proposes four optimizations of indifferentiable hashing onto (prime-order subgroups of) ordinary elliptic curves over finite fields \(\mathbb {F}_{q}\). The first applies to elliptic curves E without non-trivial automorphisms, provided that \(q \equiv 2 \, (\textrm{mod} \, 3)\). The second deals with \(q \equiv 2, 4 \, (\textrm{mod} \, 7)\) and an elliptic curve \(E_7\) of j-invariant \(-3^3 5^3\); the corresponding section plays a rather theoretical role, because (the quadratic twist of) \(E_7\) is not used in real-world cryptography. The other two optimizations concern the subgroups \(\mathbb {G}_1\), \(\mathbb {G}_2\) of pairing-friendly curves. The performance gain comes from the smaller number of exponentiations in \(\mathbb {F}_{q}\) required for hashing to \(E(\mathbb {F}_{q})\), \(E_7(\mathbb {F}_{q})\), and \(\mathbb {G}_2\), as well as from the fact that, in certain settings, there is no need to hash directly onto \(\mathbb {G}_1\) at all. In particular, the last observation drastically speeds up verification of the aggregate BLS signature incorporated in many blockchain technologies. The new results affect, for example, the pairing-friendly curve BLS12-381 (the most popular in practice at the moment) and a few plain curves from the American standard NIST SP 800-186. Among other things, a taxonomy of state-of-the-art hash functions to elliptic curves is presented. Finally, the article discusses how to hash over highly 2-adic fields \(\mathbb {F}_{q}\).
Acknowledgements
The author expresses his gratitude to Antonio Sanso, Daira Hopwood, Evgeny Alekseev, Gottfried Herold, Jeffrey Burdges, Justin Drake, Oleg Taraskin, Sergey Vasilyev, and Yu Dai for useful comments on the present paper and on the role of hashing to elliptic curves in real-world cryptography. In addition, it is impossible not to note the financial support provided by the Web3 Foundation (W3F) grant “Implementation of the new hash function to BLS12 curves”.
Ethics declarations
Conflict of interest.
The author states no conflict of interest.
Additional information
Dmitrii Koshelev was supported by Ethereum Foundation.
Cite this article
Koshelev, D. Some remarks on how to hash faster onto elliptic curves. J Comput Virol Hack Tech (2024). https://doi.org/10.1007/s11416-024-00514-4