## Cryptology ePrint Archive: Report 2021/301

Indifferentiable hashing to ordinary elliptic $\mathbb{F}_{\!q}$-curves of $j=0$ with the cost of one exponentiation in $\mathbb{F}_{\!q}$

Dmitrii Koshelev

Abstract: Let $\mathbb{F}_{\!q}$ be a finite field and $E_b\!: y^2 = x^3 + b$ be an ordinary (i.e., non-supersingular) elliptic curve (of $j$-invariant $0$) such that $\sqrt{b} \in \mathbb{F}_{\!q}$ and $q \not\equiv 1 \: (\mathrm{mod} \ 27)$. For example, these conditions are fulfilled for the curve BLS12-381 ($b=4$). It is a de facto standard in the real world pairing-based cryptography at the moment. This article provides a new constant-time hash function $H\!: \{0,1\}^* \to E_b(\mathbb{F}_{\!q})$ indifferentiable from a random oracle. Its main advantage is the fact that $H$ computes only one exponentiation in $\mathbb{F}_{\!q}$. In comparison, the previous fastest constant-time indifferentiable hash functions to $E_b(\mathbb{F}_{\!q})$ compute two exponentiations in $\mathbb{F}_{\!q}$. In particular, applying $H$ to the widely used BLS multi-signature with $m$ different messages, the verifier should perform only $m$ exponentiations rather than $2m$ ones during the hashing phase.

Category / Keywords: implementation / cubic residue symbol and cubic roots, hashing to ordinary elliptic curves of $j$-invariant $0$, indifferentiability from a random oracle, pairing-based cryptography

Date: received 7 Mar 2021, last revised 29 Sep 2021

Contact author: dimitri koshelev at gmail com

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2021/301

[ Cryptology ePrint archive ]