{"title":"Hashing to G2 on BLS pairing-friendly curves","authors":"Alessandro Budroni, Federico Pintore","doi":"10.1145/3313880.3313884","DOIUrl":null,"url":null,"abstract":"When a pairing <i>e</i> : G<sub>1</sub> x G<sub>2</sub> → G<sub>T</sub>, on an elliptic curve <i>E</i> defined over F<sub>q</sub>, is exploited in a cryptographic protocol, there is often the need to hash binary strings into G<sub>1</sub> and G<sub>2</sub>. Traditionally, if <i>E</i> admits a twist Ẽ of order <i>d,</i> then G<sub>1</sub> = <i>E</i>(F<sub><i>q</i></sub>)⋂<i>E</i>[<i>r</i>], where <i>r</i> is a prime integer, and G<sub>2</sub> = Ẽ(F<i><sub>q</sub><sup>k/d</sup></i>)⋂<i>Ẽ</i>[<i>r</i>], where <i>k</i> is the embedding degree of <i>E</i> w.r.t. r. The standard approach for hashing a binary string into G<sub>1</sub> and G<sub>2</sub> is to map it to general points <i>P∈E</i>(<i>F<sub>q</sub></i>) and <i>P′ ∈ Ẽ</i>(F<i><sub>q</sub><sup>k/d</sup></i>), and then multiply them by the cofactors <i>c</i> = <i>#E</i>(F<i><sub>q</sub></i>)/<i>r</i> and <i>c</i>′ = <i>#Ẽ</i>(F<i><sub>q</sub><sup>k/d</sup></i>)/<i>r</i> respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott <i>et al.</i> and by Fuentes <i>et al.</i>) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having <i>k</i> ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When <i>k</i> = 42,48, the Fuentes <i>et al.</i> method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes <i>et al.</i> idea.","PeriodicalId":7093,"journal":{"name":"ACM Commun. Comput. Algebra","volume":"22 1","pages":"63-66"},"PeriodicalIF":0.0000,"publicationDate":"2019-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Commun. Comput. Algebra","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3313880.3313884","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
When a pairing e : G1 x G2 → GT, on an elliptic curve E defined over Fq, is exploited in a cryptographic protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist Ẽ of order d, then G1 = E(Fq)⋂E[r], where r is a prime integer, and G2 = Ẽ(Fqk/d)⋂Ẽ[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G1 and G2 is to map it to general points P∈E(Fq) and P′ ∈ Ẽ(Fqk/d), and then multiply them by the cofactors c = #E(Fq)/r and c′ = #Ẽ(Fqk/d)/r respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
