Re: [Cfrg] Hashing to EC group elements

Michael Hamburg <> Wed, 08 January 2014 22:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 219151ACC88 for <>; Wed, 8 Jan 2014 14:52:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.557
X-Spam-Level: *
X-Spam-Status: No, score=1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NtRdRlygcjsT for <>; Wed, 8 Jan 2014 14:51:58 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 344261ACC86 for <>; Wed, 8 Jan 2014 14:51:58 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 22135F2003 for <>; Wed, 8 Jan 2014 14:50:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1389221431; bh=ZnhHr8H63X9FZUDQTifFWzY8ICXHqcX4fpt5GgJ4g0o=; h=From:Subject:Date:To:From; b=at6edv/uVaBmBNAr5k0Yo4D9KESaso0SB/jOVgDFR82sNbCYZAB9MRHy2+zOA/p5/ dIqVIZX/wwxuCbfwvN8JdiT6ieWYOJi4vzLQ+7/8vWgrRDyKsgcTWBXz0UT635ue49 qC8KSMxW4PDep9xi0U0h4zFh13nGXR0Mfui2Zzuw=
From: Michael Hamburg <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_52957CD7-8990-4E7C-835B-FC347C5BCC7E"
Message-Id: <>
Date: Wed, 08 Jan 2014 14:51:41 -0800
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
X-Mailer: Apple Mail (2.1827)
Subject: Re: [Cfrg] Hashing to EC group elements
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2014 22:54:09 -0000

Hello CFRG,

It might be time to unlurk here.  Trevor Perrin asked my opinion of this topic, and since I was a co-author on Elligator, I’ve studied the matter.

Kevin Igoe wrote:
> Robert:
>   Thanks for the pointer to the paper, I'm enjoying working through it
> in more detail.
>    One of my coworkers reminded me of the Cardano's algorithm for solving
> cubic equations (published in 1545). I'd long ago consigned this to my
> ever growing list of interesting but basically useless mathematics.  
> It is a deterministic algorithm for solving cubic equations, only
> requiring the ability to solve quadratic equations and take cube roots.
> At first look this seems to be constant time, might have to stray into
> GF(q^6) arithmetic.  We're looking to see if the following idea would work:
> 	1) Pick an arbitrary y0 on GF(q).
> 	2) Use Cardano to find a root x0 \in GF(q^3) of x^3 + a*x + b = y0^2.
>       3) Apply your I + \phi + \phi(\phi) map to drive (x0,y0) back
>          to a point on (x1,y1) \in E/GF(q).
> Doesn't give indistinguishability, but it would avoid DragonFly's hunt & peck.
> At first glance it looks like it works, but I've learned the hard way to never 
> trust anything like this until I've actually programmed it up.
Unfortunately, this doesn’t work.  I recalled analyzing it before during the Elligator work, but anyway I just tested it in Sage to be sure.  If x0 isn’t in GF(q), you’ll end up on a cubic twist of E.  When you frob from that twist back to the base field, you’ll just get the identity.

I believe that the Elligator version of this, proposed by Robert, does work at least if the input to Elligator is chosen uniformly from the extension field.  However, it would be pretty horrible to implement.  Fortunately, there’s a better solution, outlined in a series of papers, most notably BCIMRT ’09:

This paper outlines how to hash deterministically to an elliptic curve, while maintaining the ability to model the hash as a random oracle.  This property is called “indifferentiability”.

I believe that full indifferentiability isn’t needed for Dragonfly, though I’m not sure of it.  In this case, a good candidate would be the SWU maps, of which some simple variants are in the BCIMRT paper.  These maps map a field element to any curve over that field, deterministically but not indifferentiably, uniformly or injectively.  However, they are at most 8-to-1 or something like that, and that might be good enough for Dragonfly.

If this isn’t good enough, then setting (r1,r2) = hash(password) and running either

Encode(password) := SWU(r1) + SWU(r2)
Encode(password) := SWU(r1) + r2 * G

is indifferentiable from a random oracle, and is therefore suitable for use anywhere that you’d use one.  The SWU maps are comparable to Elligator, but not 1:1.  In fact, Elligator 2 at least can be seen as a simplified SWU variant that only works on curves of even order.  So these techniques shouldn’t be that horrible to implement.

— Mike Hamburg