Indifferentiable Hashing to Barreto–Naehrig Curves

  • Pierre-Alain Fouque
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7533)


A number of recent works have considered the problem of constructing constant-time hash functions to various families of elliptic curves over finite fields. In the relevant literature, it has been occasionally asserted that constant-time hashing to certain special elliptic curves, in particular so-called BN elliptic curves, was an open problem. It turns out, however, that a suitably general encoding function was constructed by Shallue and van de Woestijne back in 2006.

In this paper, we show that, by specializing the construction of Shallue and van de Woestijne to BN curves, one obtains an encoding function that can be implemented rather efficiently and securely, that reaches about 9/16ths of all points on the curve, and that is well-distributed in the sense of Farashahi et al., so that one can easily build from it a hash function that is indifferentiable from a random oracle.
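The construction the abstract refers to, as an added example rather than code from the paper: a toy Python implementation of the Shallue–van de Woestijne encoding specialised to curves of the form y^2 = x^3 + b (the shape every BN curve has), followed by the two-point hash H(m) = f(h1(m)) + f(h2(m)) that turns a well-distributed encoding into a hash indifferentiable from a random oracle. The formulas for x1, x2, x3 are reconstructed from the authors' published algorithm, not quoted from this page; the prime P = 1039, the constant B = 3, the SHA-256-based h1/h2 and all function names are constructed for illustration and are not BN parameters.

```python
import hashlib

# Constructed toy parameters, not a standard curve: P is prime, P = 1 (mod 3)
# so that sqrt(-3) exists (true of every BN prime), and P = 3 (mod 4) so that a
# square root is one exponentiation and chi(-t) = -chi(t). A real BN prime is
# ~256 bits; this one is small enough to enumerate the whole image of f.
P = 1039
B = 3  # E: y^2 = x^3 + 3 over F_P

def chi(a):
    """Quadratic character of a mod P: 0, +1 (non-zero square) or -1."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1

def sqrt_mod(a):
    """Square root of a square a mod P; valid because P = 3 (mod 4)."""
    r = pow(a % P, (P + 1) // 4, P)
    assert r * r % P == a % P, "not a square"
    return r

def inv(a):
    return pow(a % P, P - 2, P)

def g(x):
    return (x * x * x + B) % P

SQRT_M3 = sqrt_mod(-3)

def sw_encode(t):
    """Shallue-van de Woestijne map f: F_P -> E(F_P) for y^2 = x^3 + B.

    Formulas as specialised to BN curves by the authors (reconstructed here,
    without the blinding factors the constant-time version adds). The two
    exceptional inputs t = 0 and 1 + B + t^2 = 0 are sent to infinity (None)."""
    t %= P
    c = (1 + B + t * t) % P
    if t == 0 or c == 0:
        return None
    w = SQRT_M3 * t * inv(c) % P
    x1 = ((SQRT_M3 - 1) * inv(2) - t * w) % P
    x2 = (-1 - x1) % P
    x3 = (1 + inv(w * w)) % P
    # SW identity: g(x1) * g(x2) * g(x3) is a square, so the number of
    # non-squares among the three is even and one candidate has a root.
    for x in (x1, x2, x3):
        if chi(g(x)) >= 0:
            y = sqrt_mod(g(x))
            # The sign of y follows the character of t, so t and -t (which
            # share the same x-candidates) land on distinct points.
            return (x, (-y) % P if chi(t) == -1 else y)
    raise AssertionError("SW identity violated")  # unreachable

def on_curve(pt):
    return pt is None or pt[1] * pt[1] % P == g(pt[0])

def ec_add(p1, p2):
    """Affine group law on E (coefficient a = 0); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * inv(2 * y1) % P  # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def hash_to_field(msg, domain):
    """Toy h_i: domain-separated SHA-256 reduced mod P. For a ~256-bit BN
    prime, hash to at least |p| + 128 bits before reducing."""
    return int.from_bytes(hashlib.sha256(domain + msg).digest(), "big") % P

def hash_to_curve(msg):
    """H(m) = f(h1(m)) + f(h2(m)): the two-point construction that is
    indifferentiable from a random oracle into E once f is well-distributed,
    which is what the paper establishes for this f on BN curves."""
    return ec_add(sw_encode(hash_to_field(msg, b"h1|")),
                  sw_encode(hash_to_field(msg, b"h2|")))

def image_fraction():
    """|f(F_P)| / #E(F_P), to compare with the paper's asymptotic 9/16."""
    image = {sw_encode(t) for t in range(P)} - {None}
    n_points = 1 + sum(1 + chi(g(x)) for x in range(P))  # infinity + affine
    return len(image) / n_points

if __name__ == "__main__":
    print("f covers %.3f of E(F_P); 9/16 = %.3f" % (image_fraction(), 9 / 16))
    print("H(b'constructed message') =", hash_to_curve(b"constructed message"))
```

Running the script enumerates f over the whole field and prints the covered fraction next to 9/16; on a field this small the character-sum error terms are still visible, so expect the figure to be near, not equal to, the asymptotic value. The `chi(t)` sign rule is why the prime was chosen with P = 3 (mod 4): for P = 1 (mod 4) the map would identify t with -t and could cover at most half the curve.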


Keywords: Elliptic curve cryptography, BN curves, hashing, random oracle




References

  1. Baek, J., Zheng, Y.: Identity-based threshold decryption. In: Bao et al. [2], pp. 262–276
  2. Bao, F., Deng, R., Zhou, J. (eds.): PKC 2004. LNCS, vol. 2947. Springer, Heidelberg (2004)
  3. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing Elliptic Curves with Prescribed Embedding Degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)
  4. Barreto, P.S.L.M., Naehrig, M.: Pairing-Friendly Elliptic Curves of Prime Order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
  5. Barthe, G., Grégoire, B., Heraud, S., Olmedo, F., Zanella Béguelin, S.: Verified Indifferentiable Hashing into Elliptic Curves. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 209–228. Springer, Heidelberg (2012)
  6. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In: Desmedt [17], pp. 31–46
  7. Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
  8. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
  9. Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
  10. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)
  11. Boyen, X.: Multipurpose Identity-Based Signcryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003)
  12. Boyko, V., MacKenzie, P.D., Patel, S.: Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
  13. Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient Indifferentiable Hashing into Ordinary Elliptic Curves. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 237–254. Springer, Heidelberg (2010)
  14. Cha, J.C., Cheon, J.H.: An identity-based signature from Gap Diffie-Hellman groups. In: Desmedt [17], pp. 18–30
  15. Chevallier-Mames, B.: An Efficient CDH-Based Signature Scheme with a Tight Security Reduction. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 511–526. Springer, Heidelberg (2005)
  16. Couveignes, J.-M., Kammerer, J.-G.: The geometry of flex tangents to a cubic curve and its parameterizations. Journal of Symbolic Computation 47(3), 266–281 (2012)
  17. Desmedt, Y.G. (ed.): PKC 2003. LNCS, vol. 2567. Springer, Heidelberg (2002)
  18. Farashahi, R.R.: Hashing into Hessian Curves. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 278–289. Springer, Heidelberg (2011)
  19. Farashahi, R.R., Fouque, P.-A., Shparlinski, I.E., Tibouchi, M., Voloch, J.F.: Indifferentiable deterministic hashing to elliptic and hyperelliptic curves. Math. Comput. (to appear, 2012)
  20. Farashahi, R.R., Shparlinski, I.E., Voloch, J.F.: On hashing into elliptic curves. J. Math. Cryptology 3, 353–360 (2010)
  21. Fouque, P.-A., Tibouchi, M.: Deterministic encoding and hashing to odd hyperelliptic curves. In: Joye et al. [28], pp. 265–277
  22. Fouque, P.-A., Tibouchi, M.: Estimating the Size of the Image of Deterministic Hash Functions to Elliptic Curves. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 81–91. Springer, Heidelberg (2010)
  23. Fried, M.D., Jarden, M.: Field arithmetic, 2nd edn. Ergebnisse der Mathematik und ihrer Grenzgebiete, vol. 11. Springer, Berlin (2005)
  24. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng [43], pp. 548–566
  25. Horwitz, J., Lynn, B.: Toward Hierarchical Identity-Based Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002)
  26. Icart, T.: How to Hash into Elliptic Curves. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 303–316. Springer, Heidelberg (2009)
  27. Jablon, D.P.: Strong password-only authenticated key exchange. SIGCOMM Comput. Commun. Rev. 26, 5–26 (1996)
  28. Groth, J.: Pairing-Based Non-interactive Zero-Knowledge Proofs. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 206–206. Springer, Heidelberg (2010)
  29. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng Pairing-Friendly Elliptic Curves Using Elements in the Cyclotomic Field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)
  30. Kammerer, J.-G., Lercier, R., Renault, G.: Encoding points on hyperelliptic curves over finite fields in deterministic polynomial time. In: Joye et al. [28], pp. 278–297
  31. Kappe, L.-C., Warren, B.: An elementary test for the Galois group of a quartic polynomial. Amer. Math. Monthly 96(2), 133–137 (1989)
  32. Libert, B., Quisquater, J.-J.: Efficient signcryption with key privacy from Gap Diffie-Hellman groups. In: Bao et al. [2], pp. 187–200
  33. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  34. Pereira, G.C.C.F., Simplício Jr., M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. The Journal of Systems and Software 84(8), 1319–1326 (2011)
  35. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)
  36. Sato, H., Hakuta, K.: An efficient method of generating rational points on elliptic curves. J. Math-for-Industry 1(A), 33–44 (2009)
  37. Schinzel, A., Skałba, M.: On equations y^2 = x^n + k in a finite field. Bull. Pol. Acad. Sci. Math. 52(3), 223–226 (2004)
  38. Shallue, A., van de Woestijne, C.E.: Construction of Rational Points on Elliptic Curves over Finite Fields. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 510–524. Springer, Heidelberg (2006)
  39. Skałba, M.: Points on elliptic curves over finite fields. Acta Arith. 117, 293–301 (2005)
  40. Tibouchi, M.: Hachage vers les courbes elliptiques et cryptanalyse de schémas RSA. PhD thesis, Univ. Paris 7 and Univ. Luxembourg, Introduction in French, main matter in English (2011)
  41. Tibouchi, M.: A note on hashing to BN curves. In: Miyaji, A. (ed.) SCIS. IEICE (2012)
  42. Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng [43], pp. 533–547
  43. Zheng, Y. (ed.): ASIACRYPT 2002. LNCS, vol. 2501. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Pierre-Alain Fouque (1)
  • Mehdi Tibouchi (2)
  1. École Normale Supérieure and INRIA Rennes, France
  2. NTT Secure Platform Laboratories, Japan
