Paper 2026/590
On the Security of Constraint-Friendly Map-to-Curve Relations
Abstract
Standard hash-to-curve constructions first hash the message to a field element through a cryptographic hash-to-field step, then map this field element to an elliptic-curve point. Inside constraint systems, this inner cryptographic hash is often the dominant cost. Groth, Malvai, Miller and Zhang (Asiacrypt 2025) introduced constraint-friendly map-to-elliptic-curve-group relations that bypass the inner cryptographic hash when hashing to elliptic curve groups inside constraint systems, achieving substantial reductions in circuit size. Their security proof works in the Elliptic Curve Generic Group Model (EC-GGM). We identify three gaps. First, the security bound is not explicitly analyzed, and the bounds stated for the concrete instantiations are loose. Second, the EC-GGM does not capture the algebraic structure of most deployed curves; we exhibit a concrete signature forgery using the parameters claimed secure. Third, the construction requires a congruence condition on the field that is not satisfied by all deployed curves; we extend it to any field. As a countermeasure we propose a y-increment variant that neutralises the algebraic attack, removes the field restriction, and preserves a comparable constraint count. We implement and benchmark both constructions in the open-source gnark (Go) library; the attack is additionally demonstrated via a self-contained SageMath simulation and confirmed at the circuit level against the authors’ own Noir (Rust) implementation.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- Elliptic curveHash-to-curveSNARKLattice attackimplementation
- Contact author(s)
-
youssef elhousni @ consensys net
bb @ nyu edu - History
- 2026-05-20: revised
- 2026-03-24: received
- See all versions
- Short URL
- https://ia.cr/2026/590
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2026/590,
author = {Youssef El Housni and Benedikt Bünz},
title = {On the Security of Constraint-Friendly Map-to-Curve Relations},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/590},
year = {2026},
url = {https://eprint.iacr.org/2026/590}
}