Paper 2020/969

Hashing to elliptic curves of $j=0$ and quadratic imaginary orders of class number $2$

Dmitrii Koshelev

Abstract

Let $\mathbb{F}_{\!q}$ be a finite field of characteristic $p > 5$ and $E_b\!: y_0^2 = x_0^3 + b$ be an elliptic $\mathbb{F}_{\!q}$-curve of $j$-invariant $0$. In this article we produce the simplified SWU encoding to ordinary curves $E_b$ having an $\mathbb{F}_{\!q^2}$-isogeny of degree $5$. For example, this condition is fulfilled for some Barreto--Naehrig curves, including BN512 from the standard ISO/IEC 15946-5. Moreover, we show how to implement the simplified SWU encoding in constant time of one exponentiation in $\mathbb{F}_{\!q}$ (for any $j$-invariant), namely without quadratic residuosity tests and inversions in $\mathbb{F}_{\!q}$. Thus in addition to the protection against timing attacks, the new encoding $h\!: \mathbb{F}_{\!q} \to E_b(\mathbb{F}_{\!q})$ turns out to be much more efficient than the (universal) SWU encoding, which generally requires to perform two quadratic residuosity tests.