[CFRG] Indifferentiable hashing to ordinary elliptic curves of j-invariant 0 with the cost of one exponentiation

Dimitri Koshelev <dimitri.koshelev@gmail.com> Fri, 08 July 2022 09:54 UTC

From: Dimitri Koshelev <dimitri.koshelev@gmail.com>
Date: Fri, 08 Jul 2022 11:53:45 +0200
Message-ID: <CAAi1Lr2SH0UPDAXKdeNFu7MWCWOU8Qp4XptSxUKrk-hw_7duow@mail.gmail.com>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P4B8uR3ntm_b_s2J3PId1XC2WFI>

Dear CFRG participants,

As this is the broadest forum for discussing the CFRG hash-to-curve draft
<https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/>, I wanted
to mention my optimization. You'll find the paper on the IACR eprint server
<https://eprint.iacr.org/2021/301> or published at DCC
<https://link.springer.com/article/10.1007/s10623-022-01012-8>. This paper
provides a new hash function H (indifferentiable from a random oracle) to
many ordinary elliptic curves y^2 = x^3 + b (of j-invariant 0), including
most pairing-friendly curves of the family BLS12 (Barreto-Lynn-Scott) of
embedding degree 12. Hash functions to such curves are actively used in
numerous protocols such as the BLS (Boneh-Lynn-Shacham) aggregate signature.

My hash function H is much faster than previous state-of-the-art ones,
including the Wahby-Boneh indirect map to (the prime-order subgroup G1 of)
the curve BLS12-381 over a prime field Fp. As is known, this curve is a de
facto standard in today's real-world pairing-based cryptography. The
indifferentiable Wahby-Boneh hash function requires extracting two square
roots (i.e., computing two exponentiations) in the field Fp. In
comparison, H extracts only one cubic root, which can also be expressed via
one exponentiation in Fp. And according to Section 1.1 of my other article
<https://eprint.iacr.org/2021/1082> the exponentiations for square and
cubic roots in Fp have short addition chains of about the same length.

I prepared a proof-of-concept implementation
<https://github.com/dishport/Indifferentiable-hashing-to-ordinary-elliptic-curves-of-j-0-with-the-cost-of-one-exponentiation>
in Sage. You can also see a low-level implementation
<https://github.com/zhenfeizhang/indifferentiable-hashing> in Rust of my
colleague. The new hash is actually more efficient than the universal SW
(Shallue-van de Woestijne) hash. The colleague is not able to compare with
the Wahby-Boneh hash, because the latter is not yet implemented in arkworks
<https://github.com/arkworks-rs/curves>. He used this library as a base. At
the same time, H appears to be unimprovable, because it is highly unlikely
that there is a hash function to an elliptic curve without exponentiations
at all (even if it is supersingular).

Is there much interest in including the new hash function in the CFRG
hash-to-curve draft?

Best regards,
Dimitri.
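The cost claim in the mail (one cubic root in Fp costs about one exponentiation, even for BLS12-381, where 9 divides p - 1 so the exponent cannot be a single simple formula) can be checked with the following added example. It is not code from the paper or from the linked Sage and Rust implementations: the Tonelli-Shanks-style fix-up it uses for the 3-Sylow subgroup is the standard textbook method, assumed here in place of the paper's own formulas, and the `COUNTER`/`big_pow` bookkeeping is only there to count full-size exponentiations.

```python
# Added example (not the paper's code nor the linked Sage/Rust implementations):
# a cube root in F_p costing one p-sized exponentiation plus a short fix-up loop,
# the cost model the mail sets against the two square roots of Wahby-Boneh.
# Assumes p is prime and writes p - 1 = 3^s * t with 3 not dividing t.
# Base-field modulus of BLS12-381, the curve named in the mail (public constant).
P_BLS12_381 = int("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f624"
                  "1eabfffeb153ffffb9feffffffffaaab", 16)
COUNTER = {"big_exps": 0}   # number of exponentiations with a p-sized exponent

def big_pow(base, exp, p):
    COUNTER["big_exps"] += 1
    return pow(base, exp, p)

def cube_root_params(p):
    """Per-field precomputation (done once per curve): s, t and g of order 3^s."""
    s, t = 0, p - 1
    while t % 3 == 0:
        s, t = s + 1, t // 3
    if s == 0:                            # p = 2 mod 3: cubing is a bijection on F_p
        return s, t, None
    c = 2
    while pow(c, (p - 1) // 3, p) == 1:   # first cubic non-residue
        c += 1
    return s, t, pow(c, t, p)             # g generates the 3-Sylow subgroup

def cube_root(a, p, params):
    """Return r with r^3 = a (mod p), or None if a is not a cube."""
    s, t, g = params
    a %= p
    if a == 0:
        return 0
    if s == 0:
        return big_pow(a, (2 * p - 1) // 3, p)
    # The single exponentiation w yields x and b with x^3 = a*b, b in the 3-Sylow subgroup.
    if t % 3 == 2:
        w = big_pow(a, (t - 2) // 3, p)
        x, b = w * a % p, pow(w, 3, p) * a * a % p            # a^((t+1)/3), a^t
    else:
        w = big_pow(a, (t - 1) // 3, p)
        x, b = w * w * a % p, pow(pow(w, 3, p) * a, 2, p)     # a^((2t+1)/3), a^(2t)
    if pow(b, 3 ** (s - 1), p) != 1:      # equals a^(m(p-1)/3): a is not a cubic residue
        return None
    zeta = pow(g, 3 ** (s - 1), p)        # primitive cube root of unity
    while b != 1:                         # at most s-1 rounds, all exponents below 3^s
        i, bi = 1, pow(b, 3, p)
        while bi != 1:                    # 3^i is the order of b
            i, bi = i + 1, pow(bi, 3, p)
        z = pow(g, 3 ** (s - i - 1), p)   # (z^3)^(3^(i-1)) = zeta
        e = 2 if pow(b, 3 ** (i - 1), p) == zeta else 1
        x, b = x * pow(z, e, p) % p, b * pow(z, 3 * e, p) % p   # keeps x^3 = a*b
    return x
```

For BLS12-381 the precomputation finds s = 2 (p = 10 mod 27), so the fix-up loop runs at most once and every per-hash cube root performs exactly one full-size exponentiation.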