Cryptology ePrint Archive: Report 2019/1294

Hashing to elliptic curves of $j$-invariant $1728$

Dmitrii Koshelev

Abstract: This article generalizes the simplified Shallue--van de Woestijne--Ulas (SWU) method of a deterministic finite field mapping $h\!: \mathbb{F}_{\!q} \to E_a(\mathbb{F}_{\!q})$ to the case of any elliptic $\mathbb{F}_{\!q}$-curve $E_a\!: y^2 = x^3 - ax$ of $j$-invariant $1728$. In comparison with the (classical) SWU method the simplified SWU method allows to avoid one quadratic residuosity test in the field $\mathbb{F}_{\!q}$, which is a quite painful operation in cryptography with regard to timing attacks. More precisely, in order to derive $h$ we obtain a rational $\mathbb{F}_{\!q}$-curve $C$ (and its explicit quite simple proper $\mathbb{F}_{\!q}$-parametrization) on the Kummer surface $K^\prime$ associated with the direct product $E_a \!\times\! E_a^\prime$, where $E_a^\prime$ is the quadratic $\mathbb{F}_{\!q}$-twist of $E_a$. Our approach of finding $C$ is based on the fact that every curve $E_a$ has a vertical $\mathbb{F}_{\!q^2}$-isogeny of degree $2$.

Category / Keywords: implementation / finite fields, pairing-based cryptography, elliptic curves of $j$-invariant $1728$, Kummer surfaces, rational curves, Weil restriction, isogenies

Date: received 7 Nov 2019, last revised 21 Jun 2021

Contact author: dishport at ya ru

Available format(s): PDF | BibTeX Citation

Version: 20210621:181854 (All versions of this report)

Short URL: ia.cr/2019/1294


[ Cryptology ePrint archive ]