Efficient hash maps to G2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_2$$\end{document} on BLS curves

When a pairing e:G1×G2→GT\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_{T}$$\end{document}, on an elliptic curve E defined over a finite field Fq\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {F}}_q$$\end{document}, is exploited for an identity-based protocol, there is often the need to hash binary strings into G1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_1$$\end{document} and G2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_2$$\end{document}. Traditionally, if E admits a twist E~\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\tilde{E}}$$\end{document} of order d, then G1=E(Fq)∩E[r]\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_1=E({\mathbb {F}}_q) \cap E[r]$$\end{document}, where r is a prime integer, and G2=E~(Fqk/d)∩E~[r]\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_2={\tilde{E}}({\mathbb {F}}_{q^{k/d}}) \cap {\tilde{E}}[r]$$\end{document}, where k is the embedding degree of E w.r.t. r. The standard approach for hashing into G2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {G}}_2$$\end{document} is to map to a general point P∈E~(Fqk/d)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P \in {\tilde{E}}({\mathbb {F}}_{q^{k/d}})$$\end{document} and then multiply it by the cofactor c=#E~(Fqk/d)/r\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c=\#{\tilde{E}}({\mathbb {F}}_{q^{k/d}})/r$$\end{document}. Usually, the multiplication by c is computationally expensive. In order to speed up such a computation, two different methods—by Scott et al. (International conference on pairing-based cryptography. Springer, Berlin, pp 102–113, 2009) and by Fuentes-Castaneda et al. (International workshop on selected areas in cryptography)—have been proposed. In this paper we consider these two methods for BLS pairing-friendly curves having k∈{12,24,30,42,48}\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$k \in \{12,24,30,42,48\}$$\end{document}, providing efficiency comparisons. When k=42,48\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$k=42,48$$\end{document}, the application of Fuentes et al. method requires expensive computations which were infeasible for the computational power at our disposal. For these cases, we propose hashing maps that we obtained following Fuentes et al. idea.


Pairings in cryptography
Pairings on elliptic curves have been first used in cryptography to transport elliptic curve discrete logarithms into finite field discrete logarithms [15,28], for which there are index-calculus algorithms running in subexponential time. In recent years, several protocols have been proposed with pairings on elliptic curves as building blocks. Among them, it is possible to enumerate Joux's three party key agreement protocol [21], a non-interactive key-exchange [32], an identity-based encryption [8], and a short signatures scheme [9].
Traditionally, pairings that have been considered for applications are the Tate and Weil pairings on elliptic curves over finite fields, and other related pairings, for example the Eta pairing [5], the Ate pairing [20], and their generalisations [19]. For a given finite field q and an elliptic curve E defined over it, all these pairings take as inputs points on E( q ) or on E( q k ) -where q k is an extension field of the base field q -and return as outputs elements of ( q k ) * .
In this paper we will only consider asymmetric pairings e. In particular, given a prime r such that r||#E( q ) (i.e. r|#E( q ) but r 2 ∤ #E( q ) ), then e will be of the form: where 1 and 2 are elliptic curve subgroups of order r defined as: while T is a subgroup of order r of ( q k ) * . With k is denoted the embedding degree of E with respect to r, i.e. the smallest positive integer such that r | q k − 1.
For pairing-based cryptosystems to be secure, the discrete logarithm problems on both E( q ) and ( q k ) * must be computationally infeasible. Those elliptic curves providing a fixed level of security along with efficiency of computations are called pairing-friendly elliptic curves.

Families of pairing-friendly elliptic curves
The first formal definition of pairing-friendly elliptic curves has been formulated by Freeman et al. in their comprehensive paper [14]. The works of Balasubramanian and Koblitz [2] and Luca et al. [26] show that pairing-friendly elliptic curves are rare, and hence they require dedicated constructions. In recent years a number of methods for constructing such curves have been proposed [6,7,10,13,22,29]. The general pattern is the same for all of them: given an embedding degree k, three integers n, r, q for which there exists an elliptic curve E defined over q and such that • #E( q ) = n, e ∶ 1 × 2 → T 1 3 Efficient hash maps to on BLS curves • r||n, • k is the embedding degree of E w.r.t. r are computed. Then the complex multiplication (CM) method [31] is used to determine the equation of the above elliptic curve E.
However, instead of producing single pairing-friendly elliptic curves by means of specific integers k, n, r, q, all the cited methods produce families of pairing-friendly elliptic curves. In particular, the integers n, r, q are replaced by suitable polynomials n(x), r(x), q(x) ∈ ℚ[x] . For some appropriate x 0 ∈ ℤ , n(x 0 ), r(x 0 ), q(x 0 ) are integers such that there exists an elliptic curve E defined over q(x 0 ) , having n(x 0 ) rational points, with r(x 0 )||n(x 0 ) , and k as embedding degree w.r.t. r(x 0 ) . The triple {n(x), r(x), q(x)} defines a family of pairing-friendly elliptic curves, each of them parametrised by the integers n(x 0 ), r(x 0 ), q(x 0 ) for some x 0 ∈ ℤ . If for every x 0 ∈ ℤ there exists an elliptic curve with n(x 0 ), r(x 0 ), q(x 0 ) as parameters, the family defined by {n(x), r(x), q(x)} is said complete, otherwise it is called sparse.

Hashing to 2
When pairings on elliptic curves are exploited for identity-based protocols, there is often the need to map binary strings into 1 or 2 in a seemingly random fashion. These problems are known as hashing to 1 and hashing to 2 respectively.
Hashing to 1 is relatively easy. In fact, since 1 is the unique subgroup of order r in E( q ) (thanks to the assumption r||#E( q ) ), the standard approach is to hash to a general point P ∈ E( q ) and then multiply it by the cofactor c = #E( q )∕r . On the other hand, if E admits a twist of degree d that divides k, then 2 is isomorphic to Ẽ ( q k∕d ) ∩Ẽ[r] for a unique degree d twist Ẽ of E [20]. Consequently the same approach can be used for hashing into 2 . Nevertheless, the latter requires a multiplication by a large cofactor and hence expensive computations.
We note that the intermediate step of hashing into a general rational point should be handled carefully for efficiency and security reasons. In particular, some cryptosystems are proved to be secure when such an intermediate hash function is modelled as a random oracle into the curve. In order to guarantee its secure replacement with the random oracle, the concept of indifferentiable hash function has been introduced [11].

Related work
In 2009, Scott et al. [33] exploited an efficiently-computable endomorphism ∶Ẽ →Ẽ to reduce the computational cost of the cofactor multiplication required for hashing to 2 . An improvement of this method was then proposed by Fuentes et al. [16]. Since pairing-friendly families vary significantly, in order to highlight the benefits of the two methods, families of curves were considered case-by-case in [33] and in [16]. In particular, both papers focus on BN curves with k = 12 , Freeman curves with k = 10 and KSS curves with k = 8, 18 . However, new advances on the Number Field Sieve ( [4,23,24]) for computing discrete logarithms in multiplicative groups of finite fields, and hence in T , have decreased the security of some asymmetric parings, including those built on BN curves [3,27]. In the light of these results, BLS curves are attracting more interest for efficiency reasons, since their security has been only slightly reduced by recent NFS advances [3,27].
A developer using pairings on BLS curves for cryptosystems needing to hash to 2 during their execution, has to tackle the expensive cofactor multiplications in 2 . Scott et al. and Fuentes et al. methods are the only two proposed so far, that improve on standard point multiplication on elliptic curves. In the light of this, the developer has to choose one of these two methods in order to optimise their implementation. However, to the best of our knowledge, there are not published sources explicitly applying both Scott et al. and Fuentes et al. methods to BLS curves with k ∈ {12, 24, 30, 42, 48} , and providing efficiency comparison of the outcomes.

Contributions and outline
In this paper that gap is filled for BLS curves having k = 12, 24, 30 , and efficiency comparisons of the results obtained with the two methods are presented. Such a comparison contrasts with a recently-published book [12], where it is stated that, for BLS curves with k = 12, 24 , the most efficient method for mapping into 2 is the one proposed by Scott et al.
Scott et al. and Fuentes et al. methods both require a pre-computation to obtain parameterised hashing formulas valid for all the curves that belong to a specific family of pairing-friendly curves. In particular, Scott et al. method needs polynomial modular arithmetic, while Fuentes et al. method goes through the application of a generalisation of the LLL algorithm to a polynomial matrix, in order to obtain a lattice's polynomial h(z) having small coefficients. We executed the former computation not just for BLS curves with k ∈ {12, 24, 30} , but also for BLS curves having k = 42, 48 . On the other hand, the latter computation is prohibitive as the embedding degree k grows. Consequently, we were able to explicitly apply Scott et al. method also to BLS curves with k = 42, 48 , but we were not able to accomplish the same for Fuentes et al. method. Nevertheless, for the cases k = 42 and k = 48 here we propose suitable polynomials (z) having bounded coefficients, which allow to speed up the execution of cofactor multiplications with respect to Scott

3
Efficient hash maps to on BLS curves

Known methods for efficiently mapping into 2
The problem of generating random points in 2 , known as hashing to 2 , is usually solved selecting a random point P ∈Ẽ( q k∕d ) and then computing [c]P, where c is the cofactor defined as c = #Ẽ( q k∕d )∕r . Due to the size of c, this scalar multiplication is generally expensive and consequently a bottleneck in hashing to 2 .
In [18], Gallant, Lambert and Vanstone give a method to speed up scalar mul- . This method is based on the knowledge of a nontrivial multiple of the point P, that is obtained from an efficiently computable endomorphism ∶ E → E such that (P) is a multiple of P. Building on this idea, Galbraith and Scott [17] reduced the computational cost of multiplying by the cofactor c introducing a suitable group endomorphism ∶Ẽ →Ẽ . Such an endomorphism is defined as = −1 • • , where is the q-power Frobenius on E and is an isomorphism from the twist curve Ẽ to E. The endomorphism satisfies for all P ∈Ẽ( q k∕d ) . In the above relation t is the trace of Frobenius q + 1 − #E( q ) . Galbraith and Scott proposed to first express the cofactor c to the base q as and then use (1) to simplify the multiplication cP as where | g i |< q for every i.

Scott et al. method
The above approach was further developed by Scott et al. in [33], where it is applied to several families of pairing-friendly curves. In particular, the curves taken into account in [33] are: the MNT curves for the case k = 6 , the BN curves with k = 12 , the Freeman curves with k = 10 and the KSS curves for the cases k = 8 and k = 18 . It is important to highlight that all these families are composed by curves defined over a prime field p , with p, the order r and the trace t expressed as polynomials having rational coefficients. Consequently, also the cofactor c can be described as a polynomial in ℚ[x] . Thanks to such a parameterisation, Scott et al. speed up the cofactor multiplication [c]P reducing it to the evaluation of a polynomial of the powers i (P) , with coefficients that are polynomials in x. Such coefficients are obtained by means of polynomial modular arithmetic. In particular, due to Euclidean Division, all these coefficients have degrees smaller than deg(p(x)) (for the same reason, numerical coefficients g i are bounded by q).

Fuentes et al. method
Fuentes et al. [16] improved Scott et al. method observing that, in order to obtain a non-zero multiple of P ∈Ẽ( k∕d q ) having order r, it is sufficient to multiply P by c ′ , a multiple of c such that c � ≢ 0 (mod r) . In particular they proved the following result (see [16], page 11): , then there exists a polynomial such that: We note that here stands for the Euler's totient function, while is the efficiently computable endomorphism satisfying (1).
The first condition about h(z) gives a tool for computing a multiple of [c]P as the sum of some scalar multiplications. These multiplications are computationally light since their scalar factors are bounded thanks to the second condition satisfied by h(z).
The proof of Thereom 1 is by construction and, exploiting the LLL algorithm of Lenstra, Lenstra and Lovasz [25], it leads to a procedure to explicitly compute h(z). For the sake of easy reference we briefly sketch the proof's steps.
With ñ we denote the cardinality #Ẽ( q k∕d ) = q k∕d + 1 −t , with f the integer such that t 2 − 4q k∕d = Df 2 (where D is square-free) and, analougously, with f the integer for which t 2 − 4q = Df 2 holds.
First of all it is observed that, for every point P ∈Ẽ( q k∕d ) , it holds (P) = [a]P with: and therefore h( )P = [h(a)]P . Then, the relation is obtained. Hence k (a) ≡ 0 (modñ) , where k is the k-th cyclotomic polynomial (which has degree equal to (k) ). This allows to restrict the search of h(z) into the set of all polynomials of ℤ[z] having degree less than (k) . Denoting with a the column vector with i-entry −a i , if we consider the vectors of the integer lattice generated by the matrix such that h(a) ≡ 0 (mod c) . Finally, it is observed that the considered lattice and the convex set generated by all vectors of the form have non-empty intersection. A lattice element lying in this intersection could be obtained using the LLL algorithm [25]; such an element determines the coefficients of a polynomial h(z) ∈ ℤ[z] with the desired properties.
In [16], such a polynomial is obtained for the BN curves with k = 12 , the Freeman curves with k = 10 , the KSS curves for the cases k = 8 and k = 18 . As already observed, these families are composed by curves defined over a prime field p , with p, the order r and the trace t expressed as polynomials having rational coefficients. Consequently, also the cofactor c and the scalar a can be described as a polynomials in ℚ[x].
The matrix M obtained considering the parameterised forms of c and a is where a(x) is the column vector with i-entry −a i (x) (mod c(x)) , and it generates a lattice in ℚ[x] (k) . Exploiting the algorithm in [30], the matrix M could be transformed into a new matrix M ′ having as rows the elements of a reduced basis for the lattice. Considering the polynomials composing a row of M ′ as coefficients of 1, z, z 2 , … , z (k)−1 respectively, Fuentes et al. were able to obtain a polynomial [z] satisfying the following two conditions: where is the Euler's totient function.
The first condition assures that [a(x 0 )]P is a non-zero multiple of [c(x 0 )]P for every value x 0 ∈ ℤ of the parameter x, and that such a multiple can be computed as the sum of some scalar multiplications. These multiplications are computationally light thanks to the second condition in which scalar factors are bounded.
Consequently, for each of the curves in the above pairing-friendly families, Fuentes et al. compute a formula for hashing into 2 that is valid for every curve in the family itself. In particular, the cofactor multiplication [c(x)]P is reduced to the evaluation of a polynomial of the powers i (P) , with coefficients that are polynomials in x. Comparing their computational results with those of Scott et al. method for the same families, Fuentes et al. provided evidence that their method is faster for all the considered curves.

BLS curves
Families of pairing-friendly curves vary significantly, hence it is not possible to a priori determine if one of the two above hashing methods is more efficient than the other for a given family. BLS curves are recently gaining increasing interest [3,27]. Thus it is of great concern to determine also for these curves which is, among Scott  were infeasible for the computational power at our disposal. Nevertheless, in Sect. 5 we propose two polynomials (z) , for the cases k = 42 and k = 48 , that fully satisfies and almost fully satisfies conditions (CI), (CII), respectively. In particular, in both cases (a(x)) is congruent to a multiple of c(x) modulo ñ(x) , i.e. ( )P is a multiple of [c(x)]P for all P ∈Ẽ( q k∕d ) . Furthermore, for k = 48 the proposed polynomial satisfies the relation deg( i (x)) ≤ deg(c(x))∕ (k) for every i, while for k = 42 this condition holds for every i (x) except 0 (x) , that has degree equal to ⌊deg(c(x))∕ (k)⌋ + 1.
We conclude this section briefly recalling BLS curves' parameters. Barreto, Lynn and Scott [6], and Brezing and Weng [10] proposed a polynomial parameterisation for complete families of pairing-friendly curves having prime fields p as basefields, fixed embedding degrees, and short Weierstrass equations of the form In the following, we consider only those BLS curves with embedding degree k ≡ 0 (mod 6) , and such that 18 ∤ k . This choice is due to efficiency reasons, since each of such curves admits a twist having the highest possible degree d = 6 [20], allowing to consider 2 as a subgroup of Ẽ ( p k∕6 ) . In this case BLS curves are parameterised by the following polynomials [14]: where k is the cyclotomic polynomial of order k.

3
Efficient hash maps to on BLS curves

Scott et al. method on BLS curves
In this section Scott et al. hashing method is applied to BLS curves having embedding degree k equal to 12, 24, 30, 42 and 48 respectively. Such an application requires first to determine the cardinality ñ( in what follows, is always equal to 6 -and then to execute polynomial modular arithmetic as briefly described in the previous section (for further details the reader could refer to Algorithm 2 in [33]).

BLS-12
For BLS curves with k = 12 , the prime p and the group order r are parameterised by the polynomials: Since k∕d = 2 , the group 2 is expressed as a subgroup of Ẽ ( p(x) 2 ) and the cofactor c(x) is:  (7) can be computed at the cost of 6 point additions, 2 point doublings, 3 scalar multiplications by the parameter x and 3 applications of .

BLS-24
With the name BLS-24 we denote the BLS family of elliptic curves having embedding degree k equal to 24. Such curves are parameterised by the polynomials: As before, we consider [3c(x)]P instead of [c(x)]P in order to ignore the common denominator of 3 that occurs writing c(x) to the base p(x). In this case 2 ⊂Ẽ( p(x) 4 ) and the cofactor is a polynomial c(x) of degree 32. Applying Scott et al. method, the scalar multiplication [3c(x)]P -where P ∈Ẽ( p(x) 4 ) -is reduced to where 0 , 1 , 2 , 3 , 4 , 5 , 6 are polynomials of ℤ[x] of degrees less than or equal to 8. For the sake of readability, these polynomials are fully reported in "Appendix". According to [12, sec. 8.5], the multiplication [3c(x)]P can be computed at the cost of 21 point additions, 4 point doublings, 8 scalar multiplications by the parameter x and 6 applications of .

BLS-30
BLS curves having embedding degree k = 30 are parameterised by: In this case the cofactor is a polynomial c(x) of degree 52 while 2 is a subgroup of order r(x) of Ẽ ( p(x) 5 ) . Given some rational point P ∈Ẽ( p(x) 5

BLS-42
In the case of BLS curves having k = 42 , 2 is the subgroup The cofactor is parameterised by a polynomial c(x) of degree 100. Writing it to the base p(x), the scalar multiplication [3c(x)]P, with P ∈Ẽ( p(x) 7 ) , is reduced to where { j | j = 0, … , 12} are polynomials in x with integral coefficients and degrees less than or equal to 15 (see "Appendix" for their complete form). Then [3c(x)]P can Efficient hash maps to on BLS curves be computed at the cost of 151 point additions, 54 point doublings, 15 scalar multiplications by the parameter x and 125 applications of .

BLS-48
For BLS curves having k = 48 , the prime p and the group order r are parameterised by the polynomials: The cofactor c(x) is a polynomial of degree 128 and 2 is a subgroup of Ẽ ( p(x) 8 ) . Given some rational point P ∈Ẽ( p(x) 8

Fuentes et al. method on BLS curves with k = 12, 24, 30
In this section we apply Fuentes et al. hashing method to BLS curves having embedding degree k equal to 12, 24 or 30. We have already noticed that this method requires an expensive one-off pre-computation in order to obtain the polynomial h(z). Such a computation was infeasible, for the computational power at our disposal, when k ∈ {42, 48} . This two cases will be considered in the next section.

BLS-12
For BLS curves with k = 12 , the parameter a, deduced from (5), is parameterised by the following polynomial in x: Reducing the matrix

BLS-24
Proceeding as in the previous case also for the BLS curves having k = 24 , we obtain a polynomial a(x) of degree 39, and h(z) defined as: with h(a(x)) congruent to (3x 4 − 3)c(x) modulo ñ(x) . Since gcd (3x 4 − 3, r(x)) = 1 , the following map sends a point P ∈Ẽ( p(x) 4 ) to a point of 2 : To compute the image of P, such a map requires 9 point additions, 1 point doubling, 4 scalar multiplications by x and 10 applications of the endomorphism .
Efficient hash maps to on BLS curves

BLS-30
In the case of BLS curves having embedding degree k = 30 , Fuentes et al. method leads to a polynomial a(x) having degree equal to 59 and to a polynomial h(z) defined as follows: with h(a(x)) congruent to (3x 5 − 3)c(x) modulo ñ(x) . Hence the following map returns a point of 2 =Ẽ( p(x) 5 ) ∩Ẽ[r(x)] when applied to P ∈Ẽ( p(x) 5 ) , since gcd(3x 5 − 3, r(x)) = 1 . The image (17) can be computed at the cost of 25 point additions, 2 point doubling, 5 scalar multiplications by the parameter x and 27 applications of .

Fuentes et al. method for BLS curves with k = 42, 48
From previous section, we can observe that the degree of the polynomial a(x) grows when k grows. The results provided in Sect. 3 show that the same holds also for c(x). This affects the sizes of the polynomials composing the matrix M, and then the computational cost necessary to reduce it. The computational power at our disposal did not allow us to complete the application of Fuentes et al. method to BLS curves with k = 42 or k = 48 . Nevertheless, the aim of this section is to provide two polynomials (z) that resemble the polynomial h(z) of Theorem 1. We begin considering the case k = 48.

BLS-48
We note that two of the polynomials h(z) obtained in the previous section, precisely (12) and (14), share some common features: • they both have degree k/6; • their leading coefficients are equal to 2; • given z i , its coefficient is When k = 48 , the polynomial (z) has the above features and, surprisingly, satisfies the two conditions (CI), (CII), as proved in the following. Proposition 2 Given a BLS curve E, defined over p(x) and having k = 48, the polynomial satisfies the two conditions:

BLS-42
The same approach does not work for the case of BLS curves with embedding degree k equal to 42. Indeed, for k = 42 , the polynomial Efficient hash maps to on BLS curves satisfies the above features but it is not a multiple of c(x). However, we observed that the following relation holds: , we were able to obtain a multiple of c(x) that almost satisfies the two conditions (CI), (CII). This is specified in the following proposition. p(x) and having k = 42, the polynomial is such that:
Denoting with 0 (x), … , 7 (x) the coefficients of (z) , it could be observed that deg( i (x)) ≤ deg(c(x))∕ (k) for all i ∈ {1, … , 7} , since c(x) has degree 100 and (42) is equal to 12. The degree of 0 (x) is equal to ⌊deg(c(x))∕ (k)⌋ + 1 . ◻ The image (20) can be computed at the cost of 33 point additions, 1 point doubling, 9 scalar multiplications by the parameter x and 42 applications of . We observe that (z) does not fully satisfies the condition (CII), since the degree instead of being of degree less than or equal to 8. A coefficient 0 with the latter degree would have save one point multiplication by the parameter x and a point addition. This gives an idea of the reason why the degrees of coefficients i are relevant in terms of efficiency.

Comparisons and conclusions
Here we present an efficiency comparison between the hash maps into 2 found in the previous three sections. In Table 1 We underline that, in each hashing map, the most significant component is the multiplication by x, since it computationally dominates the other operations. In fact, the algorithms to compute large scalar multiplications require many point additions and doublings. Furthermore, the endomorphism can be efficiently computed.
In all the cases we have examined, the hash map found following Fuentes et al. method turned out to be more efficient than the one found with Scott et al. method. The hash maps of Sect. 4 were obtained applying rigorously Fuentes et al. method. For k = 12 we see a 3/2-fold improvement, for k = 24 the hash map is twice as fast as that of Scott et al., while for k = 30 the hash map determines a 11/5-fold improvement.
Concerning BLS curves with k ∈ {42, 48} , we propose two suitable polynomials (z) : one satisfies the two conditions (CI), (CII) deduced from Theorem 1 ( k = 48) ; the other is extremely tight to a polynomial fully satisfying such conditions ( k = 42 ). The hash function deduced for the case k = 42 leads to a 15/9-fold improvement with respect to the method of Scott et al. For k = 48 , the introduced hash map is twice as fast as that of Scott et al.
Using the Apache Milagro Crypto Library [1] we implemented the hash maps (7) and (13)

3
Efficient hash maps to on BLS curves