Faster Hashing to ${\mathbb G}_2$

An asymmetric pairing $e\colon{\mathbb{G}}_2\times{\mathbb{G}}_1\to{\mathbb{G}}_T$ is considered such that ${\mathbb{G}}_1=E({\mathbb F}_p)[r]$ and ${\mathbb{G}}_2=\tilde E({\mathbb F}_{p^{k/d}})[r]$ , where k is the embedding degree of the elliptic curve $E/{\mathbb F}_p$ , r is a large prime divisor of $\# E({\mathbb F}_p)$ , and $\tilde E$ is the degree-d twist of E over ${\mathbb F}_{p^{k/d}}$ with $r \mid \tilde E ({\mathbb F}_{p^{k/d}} )$ . Hashing to ${\mathbb{G}}_1$ is considered easy, while hashing to ${\mathbb{G}}_2$ is done by selecting a random point Q in $\tilde E({\mathbb F}_{p^{k/d}})$ and computing the hash value cQ, where c·r is the order of $\tilde E({\mathbb F}_{p^{k/d}})$ . We show that for a large class of curves, one can hash to ${\mathbb{G}}_2$ in $\textup{O}(1/\varphi (k)\log c)$ time, as compared with the previously fastest-known $\textup{O}(\log p)$ . In the case of BN curves, we are able to double the speed of hashing to ${\mathbb{G}}_2$ . For higher-embedding-degree curves, the results can be more dramatic. We also show how to reduce the cost of the final-exponentiation step in a pairing calculation by a fixed number of field multiplications.