Paper 2026/590

On the Security of Constraint-Friendly Map-to-Curve Relations

Youssef El Housni, Consensys, Linea
Benedikt Bünz, New York University
Abstract

Standard hash-to-curve constructions first hash the message to a field element through a cryptographic hash-to-field step, then map this field element to an elliptic-curve point. Inside constraint systems, this inner cryptographic hash is often the dominant cost. Groth, Malvai, Miller and Zhang (Asiacrypt 2025) introduced constraint-friendly map-to-elliptic-curve-group relations that bypass the inner cryptographic hash when hashing to elliptic curve groups inside constraint systems, achieving substantial reductions in circuit size. Their security proof works in the Elliptic Curve Generic Group Model (EC-GGM). We identify three gaps. First, the security bound is not explicitly analyzed, and the bounds stated for the concrete instantiations are loose. Second, the EC-GGM does not capture the algebraic structure of most deployed curves; we exhibit a concrete signature forgery using the parameters claimed secure. Third, the construction requires a congruence condition on the field that is not satisfied by all deployed curves; we extend it to any field. As a countermeasure we propose a y-increment variant that neutralises the algebraic attack, removes the field restriction, and preserves a comparable constraint count. We implement and benchmark both constructions in the open-source gnark (Go) library; the attack is additionally demonstrated via a self-contained SageMath simulation and confirmed at the circuit level against the authors’ own Noir (Rust) implementation.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Elliptic curveHash-to-curveSNARKLattice attackimplementation
Contact author(s)
youssef elhousni @ consensys net
bb @ nyu edu
History
2026-05-20: revised
2026-03-24: received
See all versions
Short URL
https://ia.cr/2026/590
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/590,
      author = {Youssef El Housni and Benedikt Bünz},
      title = {On the Security of Constraint-Friendly Map-to-Curve Relations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/590},
      year = {2026},
      url = {https://eprint.iacr.org/2026/590}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.