A Note on Hashing to BN Curves

A number of recent works have considered the problem of constructing constant-time hash functions to various families of elliptic curves over finite fields. In the relevant literature, it has been occasionally asserted (including by the author of this note) that constant-time hashing to certain special elliptic curves, namely those of j-invariant 0, was an open problem. That is actually incorrect, as the problem was previously solved in full generality by Shallue and van de Woestijne, back in 2006. The purpose of this note is to introduce the problem of hashing to elliptic curves, to make Shallue and van de Woestijne's solution explicit, and to suggest possible optimizations in the most important of the aforementioned special cases, that of Barreto-Naehrig pairing-friendly elliptic curves.
