Hashing to Elliptic Curves Through Cipolla–Lehmer–Müller’s Square Root Algorithm

IF 2.3 3区计算机科学 Q2 COMPUTER SCIENCE, THEORY & METHODS

Journal of Cryptology Pub Date : 2024-02-27 DOI:10.1007/s00145-024-09490-w

{"title":"Hashing to Elliptic Curves Through Cipolla–Lehmer–Müller’s Square Root Algorithm","authors":"","doi":"10.1007/s00145-024-09490-w","DOIUrl":null,"url":null,"abstract":"<h3>Abstract</h3> The present article provides a novel hash function \\({\\mathcal {H}}\\) to any elliptic curve of j-invariant \\(\\ne 0, 1728\\) over a finite field \\({\\mathbb {F}}_{\\!q}\\) of large characteristic. The unique bottleneck of \\({\\mathcal {H}}\\) consists of extracting a square root in \\({\\mathbb {F}}_{\\!q}\\) as well as for most hash functions. However, \\({\\mathcal {H}}\\) is designed in such a way that the root can be found by (Cipolla–Lehmer–)Müller’s algorithm in constant time. Violation of this security condition is known to be the only obstacle to applying the given algorithm in the cryptographic context. When the field \\({\\mathbb {F}}_{\\!q}\\) is highly 2-adic and \\(q \\equiv 1 \\ (\\textrm{mod} \\ 3)\\) , the new batching technique is the state-of-the-art hashing solution except for some sporadic curves. Indeed, Müller’s algorithm costs \\(\\approx 2\\log _2(q)\\) multiplications in \\({\\mathbb {F}}_{\\!q}\\) . In turn, original Tonelli–Shanks’s square root algorithm and all of its subsequent modifications have the algebraic complexity \\(\\varTheta (\\log (q) + g(\\nu ))\\) , where \\(\\nu \\) is the 2-adicity of \\({\\mathbb {F}}_{\\!q}\\) and a function \\(g(\\nu ) \\ne O(\\nu )\\) . As an example, it is shown that Müller’s algorithm actually needs several times fewer multiplications in the field \\({\\mathbb {F}}_{\\!q}\\) (whose \\(\\nu = 96\\) ) of the standardized curve NIST P-224.","PeriodicalId":54849,"journal":{"name":"Journal of Cryptology","volume":"234 1","pages":""},"PeriodicalIF":2.3000,"publicationDate":"2024-02-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cryptology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s00145-024-09490-w","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

The present article provides a novel hash function \({\mathcal {H}}\) to any elliptic curve of j-invariant \(\ne 0, 1728\) over a finite field \({\mathbb {F}}_{\!q}\) of large characteristic. The unique bottleneck of \({\mathcal {H}}\) consists of extracting a square root in \({\mathbb {F}}_{\!q}\) as well as for most hash functions. However, \({\mathcal {H}}\) is designed in such a way that the root can be found by (Cipolla–Lehmer–)Müller’s algorithm in constant time. Violation of this security condition is known to be the only obstacle to applying the given algorithm in the cryptographic context. When the field \({\mathbb {F}}_{\!q}\) is highly 2-adic and \(q \equiv 1 \ (\textrm{mod} \ 3)\) , the new batching technique is the state-of-the-art hashing solution except for some sporadic curves. Indeed, Müller’s algorithm costs \(\approx 2\log _2(q)\) multiplications in \({\mathbb {F}}_{\!q}\) . In turn, original Tonelli–Shanks’s square root algorithm and all of its subsequent modifications have the algebraic complexity \(\varTheta (\log (q) + g(\nu ))\) , where \(\nu \) is the 2-adicity of \({\mathbb {F}}_{\!q}\) and a function \(g(\nu ) \ne O(\nu )\) . As an example, it is shown that Müller’s algorithm actually needs several times fewer multiplications in the field \({\mathbb {F}}_{\!q}\) (whose \(\nu = 96\) ) of the standardized curve NIST P-224.

查看原文本刊更多论文

通过 Cipolla-Lehmer-Müller 的平方根算法哈希到椭圆曲线

摘要本文提供了一种新颖的哈希函数（{\mathcal {H}}），它可以在大特征的有限域\({\mathbb {F}}_{\!q}\) 上对任意 j-invariant \(\ne 0, 1728\) 的椭圆曲线进行哈希。对于大多数哈希函数来说，\({\mathcal {H}}\)的唯一瓶颈在于提取\({\mathbb {F}_{\!q}\) 中的平方根。然而，\({\mathcal {H}}\) 的设计方式使得根可以通过（Cipolla-Lehmer-）Müller 算法在恒定时间内找到。众所周知，违反这一安全条件是将给定算法应用于密码学的唯一障碍。当域 \({\mathbb {F}}_{\!q}\) 是高度 2-adic 且 \(q \equiv 1 \ (\textrm{mod} \ 3)\)因此，除了一些零星曲线外，新的批处理技术是最先进的散列解决方案。事实上，Müller 算法在 \({\mathbb {F}}_{\!q}\) 中花费了 \(\approx 2\log _2(q)\)乘法。反过来，最初的托内利-香克斯平方根算法及其随后的所有修改都具有代数复杂度（（varTheta (\log (q) + g(\nu ))\) 。其中 \(\nu \) 是 \({\mathbb {F}}_{\!q}\) 和函数 \(g(\nu ) \ne O(\nu )\) 的 2-adicity 。举例说明，在标准化曲线 NIST P-224 的域\({/mathbb {F}}_{\!q}\) （其 \(\nu = 96\) ）中，缪勒算法实际需要的乘法次数要少几倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Cryptology 工程技术-工程：电子与电气

CiteScore

7.10

自引率

3.30%

发文量

审稿时长

18 months

期刊介绍： The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.