SwiftEC: Shallue–van de Woestijne Indifferentiable Function To Elliptic Curves

Jorge Chávez-Saab; Francisco Rodrı́guez-Henrı́quez; Mehdi Tibouchi

Paper 2022/759

SwiftEC: Shallue–van de Woestijne Indifferentiable Function To Elliptic Curves

Jorge Chávez-Saab, CINVESTAV-IPN, Technology Innovation Institute

Francisco Rodrı́guez-Henrı́quez, CINVESTAV-IPN, Technology Innovation Institute

Mehdi Tibouchi

, NTT Corporation

Abstract

Hashing arbitrary values to points on an elliptic curve is a required step in many cryptographic constructions, and a number of techniques have been proposed to do so over the years. One of the first ones was due to Shallue and van de Woestijne (ANTS-VII), and it had the interesting property of applying to essentially all elliptic curves over finite fields. It did not, however, have the desirable property of being indifferentiable from a random oracle when composed with a random oracle to the base field. Various approaches have since been considered to overcome this limitation, starting with the foundational work of Brier et al. (CRYPTO 2011). For example, if is the Shallue--van de Woestijne (SW) map and are two independent random oracles to , we now know that is indifferentiable from a random oracle. Unfortunately, this approach has the drawback of being twice as expensive to compute than the straightforward, but not indifferentiable, . Most other solutions so far have had the same issue: they are at least as costly as two base field exponentiations, whereas plain encoding maps like cost only one exponentiation. Recently, Koshelev (DCC 2022) provided the first construction of indifferentiable hashing at the cost of one exponentiation, but only for a very specific class of curves (some of those with -invariant ), and using techniques that are unlikely to apply more broadly. In this work, we revisit this long-standing open problem, and observe that the SW map actually fits in a one-parameter family of encodings, such that for independent random oracles to , is indifferentiable. Moreover, on a very large class of curves (essentially those that are either of odd order or of order divisible by 4), the one-parameter family admits a rational parametrization, which let us compute at almost the same cost as small , and finally achieve indifferentiable hashing to most curves with a single exponentiation. Our new approach also yields an improved variant of the Elligator Squared technique of Tibouchi (FC 2014) that represents points of arbitrary elliptic curves as close-to-uniform random strings.

Note: Extended version: - Added subsection 4.3 (counting compatible curves) - Extended section 4.3 (reaching more curves with 2 isogenies) - Added explicit algorithm for SwiftEC decoding (now Algorithm 1) - Added Appendix B (list of compatible curves)

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Published by the IACR in JOC 2024
DOI: 10.1007/s00145-024-09529-y
Keywords: Elliptic curve cryptography Hashing to curves Indifferentiability Elligator Algebraic geometry
Contact author(s): jorgechavezsaab @ gmail com
Francisco Rodriguez @ tii ae
mehdi tibouchi @ normalesup org
History: 2024-11-14: last of 2 revisions; 2022-06-14: received; See all versions
Short URL: https://ia.cr/2022/759
License: CC BY

BibTeX

@misc{cryptoeprint:2022/759,
      author = {Jorge Chávez-Saab and Francisco Rodrı́guez-Henrı́quez and Mehdi Tibouchi},
      title = {{SwiftEC}: Shallue–van de Woestijne Indifferentiable Function To Elliptic Curves},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/759},
      year = {2022},
      doi = {10.1007/s00145-024-09529-y},
      url = {https://eprint.iacr.org/2022/759}
}