**Indifferentiable hashing to ordinary elliptic $\mathbb{F}_{\!q}$-curves of $j=0$ with the cost of one exponentiation in $\mathbb{F}_{\!q}$**

*Dmitrii Koshelev*

**Abstract: **Let $\mathbb{F}_{\!q}$ be a finite field and $E_b\!: y^2 = x^3 + b$ be an ordinary (i.e., non-supersingular) elliptic curve (of $j$-invariant $0$) such that $\sqrt{b} \in \mathbb{F}_{\!q}$ and $q \not\equiv 1 \: (\mathrm{mod} \ 27)$. For example, these conditions are fulfilled for the group $\mathbb{G}_1$ of the curves BLS12-381 ($b=4$) and BLS12-377 ($b=1$) and for the group $\mathbb{G}_2$ of the curve BW6-761 ($b=4$). The curves mentioned are a de facto standard in the real world pairing-based cryptography at the moment. This article provides a new constant-time hash function $H\!: \{0,1\}^* \to E_b(\mathbb{F}_{\!q})$ indifferentiable from a random oracle. Its main advantage is the fact that $H$ computes only one exponentiation in $\mathbb{F}_{\!q}$. In comparison, the previous fastest constant-time indifferentiable hash functions to $E_b(\mathbb{F}_{\!q})$ compute two exponentiations in $\mathbb{F}_{\!q}$. In particular, applying $H$ to the widely used BLS multi-signature with $m$ different messages, the verifier should perform only $m$ exponentiations rather than $2m$ ones during the hashing phase.

**Category / Keywords: **implementation / cubic residue symbol and cubic roots, hashing to ordinary elliptic curves of $j$-invariant $0$, indifferentiability from a random oracle, pairing-based cryptography

**Date: **received 7 Mar 2021, last revised 3 Apr 2021

**Contact author: **dishport at ya ru

**Available format(s): **PDF | BibTeX Citation

**Version: **20210403:200641 (All versions of this report)

**Short URL: **ia.cr/2021/301

[ Cryptology ePrint archive ]