The most efficient indifferentiable hashing to elliptic curves of j-invariant 1728

1 Introduction

Let F q be a finite field of char ( F q ) > 3 and E a : y 2 = x 3 + a x be an elliptic F q -curve whose j-invariant equals 1728. The curves E a are studied with interest in elliptic cryptography at least at the research level. The point is that (apart from elliptic curves of j = 0 ) they have a non-trivial automorphism group, which leads to more efficient scalar multiplication and pairing computation on them (see details in [1, Sections 6.2.2 and 3.3.2] respectively). This article focuses on ordinary curves because supersingular ones pose special challenges for the security of discrete logarithm cryptography by virtue of [1, Remark 2.22]. According to [2, Example V.4.5], the ordinariness of E a results in the restriction q ≡ 1 ( mod 4 ) , i.e., i ≔ − 1 ∈ F q .

Examples of pairing-friendly curves of j = 1728 are represented, e.g., in [1, Section 4.5.2]. Curiously, unlike curves of j-invariant 0, some curves E a (e.g., do255e from [3, Section 5.2]) can be so-called double-odd elliptic curves [3,4], that is, their order equals two times an odd (prime) number. Double-odd curves are a trade-off between prime order curves and twisted Edwards curves [1, Section 6.4.1] whose cofactor is always a multiple of four. Thus, double-odd curves enjoy simpler subgroup membership testing than twisted Edwards ones and, at the same time, faster complete addition formulas than prime order ones. These notions are discussed in the remarkable article [5] and in references therein.

Many cryptographic protocols (e.g., the popular aggregate Boneh–Lynn–Shacham signature [6]) use a hash function of the form H : { 0 , 1 } ∗ → E a ( F q ) . If it is necessary, the value of H can be subsequently moved into a prime order subgroup of E a ( F q ) by clearing the cofactor [7, Section 7]. There is the regularly updated draft [7] on the topic of hashing to elliptic curves. Due to [7, Section 10], it is highly desirable and often inevitable that H is indifferentiable from a random oracle in the sense of Maurer et al. [8, Section 4.2]. By the way, [3, Section 3.7] raises the question of efficient indifferentiable hashing to curves E a , but that article does not answer this question in an acceptable way.

Almost all previously proposed indifferentiable hash functions are obtained as the composition H ≔ e ⊗ 2 ∘ h of a hash function h : { 0 , 1 } ∗ → F q 2 and the tensor square

for some map e : F q → E a ( F q ) . Such a map is often called an encoding. For the given H its indifferentiability follows from [9, Theorem 1] if h is indifferentiable and e ⊗ 2 is admissible in the sense of [9, Definition 4]. It is worth noting that the admissibility property in particular requires an encoding e to be constant-time, that is, informally speaking, the computation time of its value is independent of an input argument.

The previous state-of-the-art encoding, valid for any curve E a , is proposed by the author in [10] after a refinement of the work [11]. This encoding e (resp. e ⊗ 2 ) can be implemented by extracting one (resp. two) square root(s) in F q . As is customary (see, e.g., [1, Section 5.1.7]), a square root is expressed via one exponentiation in F q at least when q ≢ 1 ( mod 8 ) . Taking into account the condition q ≡ 1 ( mod 4 ) , we obtain q ≡ 5 ( mod 8 ) .

This work (again, for any a ∈ F q ∗ ) directly provides an admissible map h : F q 2 → E a ( F q ) , which requires to extract one quartic root in F q . We will show that for q ≡ 5 ( mod 8 ) , this operation is also nothing but one exponentiation in F q . In other words, the tensor square is in fact superfluous for curves E a , and, hence, we get rid of one exponentiation in F q in comparison with e ⊗ 2 . Moreover, it is worth emphasizing that h is given by quite simple formulas with small coefficients. Therefore, the new result seems interesting both from theoretical and practical points of view.

By definition, pairings act from two groups traditionally denoted by G 1 and G 2 . As said in [1, Section 3.2.5], in practice, G 1 ⊂ E a ( F q ) for a prime q and G 2 ⊂ E a ′ ( F q n ) for some n ∈ N and a ′ ∈ F q n ∗ . Moreover, the extension degree n is often even. In this case, due to [1, Algorithm 5.18], a square root in F q n can be expressed via two square roots in F q n / 2 . To our knowledge, there is no analogous expression for a quartic root in F q n . So, unlike e , the new map h is not relevant for hashing to G 2 whenever 2 ∣ n . Fortunately, as explained in [12, Section 1.2], in combination with clearing the (large) cofactor # E a ′ ( F q n ) / # G 2 it is sufficient to apply e : F q n → E a ′ ( F q n ) only once. Thus, the best solution is to utilize the map h (resp. e ) in the case of G 1 (resp. G 2 ). By looking at [12, Tables 1 and 2], the reader can realize the significance of e and h in the general classification of maps to elliptic curves.

An approach to produce h is based on an explicit F q -parametrization φ : A 2 ⇢ T of a (uni-)rational F q -surface [13, Section 4.9] on some algebraic threefold T , that is, dim ( T ) = 3 . Then, h is just the composition of φ (restricted to F q -points) and an auxiliary map h ′ : T ( F q ) → E a ( F q ) . More concretely, there is an elementary rational F q -map ℰ ⇢ T from a threefold enjoying some elliptic fibration ℰ → A 2 (see, e.g., [14, Section 2]). The desired φ is immediately obtained from an infinite order F q -section ψ : A 2 ⇢ ℰ of this fibration.

Ideologically, the described approach is almost the same as in [15], but, of course, with different technique details. In particular, in that article, the suggested threefold is itself elliptic, i.e., T = ℰ in our notation. There, provided that b ∈ F q , the author constructs one more admissible map from F q 2 to the F q -point group of an ordinary elliptic curve E b : y 2 = x 3 + b (of j-invariant 0). Moreover, this map equally performs only one exponentiation in F q , namely a cubic root extraction.

There is the long-standing open question of whether every elliptic F q -curve E has a random oracle { 0 , 1 } ∗ → E ( F q ) with the cost of one exponentiation (cf. [12, Conjecture 1]). Recently, the independent work [16] arose on this topic. It contains an indifferentiable hash function (under the name SwiftEC) being a modification of the classical Shallue–van de Woestijne (SW) encoding [17]. However, SwiftEC is not relevant for most curves E a , unlike all ordinary curves E b and many others of the remaining j-invariants.

The SW encoding is based on yet another threefold, although a rational F q -curve (of geometric genus 0) is taken on it instead of a unirational F q -surface. Fortunately, in [18, Lemma 3], Skałba provides such a surface and hence a (probably admissible) map F q 2 → E ( F q ) whenever j ( E ) ≠ 0 . Unfortunately, the Skałba map is given by too cumbersome formulas unsuitable as a practical matter. In turn, SwiftEC is produced by means of another surface admitting a simpler rational F q -parametrization. This is achieved at the price of generality loss.

Interestingly, all the threefolds, appeared in the scientific domain under consideration, turn out to be Calabi–Yau varieties, which are applied over the field C in theoretical physics (see, e.g., [19]). However, since we will work over non-closed fields, it is also reasonable to cite a source (such as [20]) on the arithmetic of Calabi–Yau varieties. It is worth noting that one-dimensional Calabi–Yau varieties are exactly elliptic curves. So, it is not surprising that their high-dimensional analog occurs in the context of elliptic cryptography.

2 Geometric results

As discussed in Section 1, throughout the article, we assume that i ≔ − 1 ∈ F q . Consequently, the curve E a : y 2 = x 3 + a x possesses the F q -automorphism [ i ] ( x , y ) ≔ ( − x , i y ) of order 4. Obviously, E a [ 2 ] = { O , P 0 , P ± } , where

Besides, any two F q -curves of j = 1728 are isomorphic (at most over F q 4 ) by means of the map

where α ≔ a ′ / a 4 . As a result, up to an F q -isomorphism, there are exactly four twists for E a , namely E a c j for j ∈ Z / 4 and c ∈ F q ∗ ⧹ ( F q ∗ ) 2 .

It is suggested to consider the F q -threefold

It seems that T is birationally F q -isomorphic to the quotient of A ≔ E a × E a c × E a c 3 by the order 4 diagonal automorphism δ ≔ [ − 1 ] × [ i ] × [ i ] . This quotient is similar to the one from [15, Lemma 1]. Since the given fact is not necessary for our purposes, we do not prove it. However, this is a useful observation, because age ( δ ) = 1 (as well as for the automorphism [ ω ] × 3 from [15, Section 1]), where the age is defined in [21]. So by virtue, [21, Theorem 13], the quotient A / δ enjoys at least a rational curve over the algebraic closure F q ¯ . Thus, there is a justified hope of obtaining a rational F q -surface on T .

Curiously, our T (like the one from [15, Lemma 1]) can also be interpreted as a Schoen threefold [22], that is, the fiber product [23, Section 4.5] of two rational elliptic surfaces with a section [13, Chapter 7]. Indeed, S j ⊂ A ( x j , y j , t ) 3 are nothing but singular del Pezzo surfaces of degree 2 (see, e.g., [24, Section 8.7]) having the projection to t as an elliptic fibration with the section O . Moreover, they are clearly isomorphic over F q 2 , hence T fits the definition of a banana threefold [25]. To sum up, we see a confirmation that T (or, formally speaking, some of its smooth projective models) is a Calabi–Yau threefold.

The threefold T is embedded in a weighted projective space as follows:

where the variables y 0 and y 1 are of the weight 2. Furthermore, on the affine chart t ≠ 0 , the threefold T ¯ possesses the following form:

Thus, we have the birational isomorphisms

We can look at V as a curve in A ( v 0 , v 1 , v 2 ) 3 given by the intersection of two quadratic surfaces over the rational function field F q ( u 0 , u 1 ) . The existence of an F q ( u 0 , u 1 ) -point on V is not clear, hence we apply the base change χ : u j ≔ c t j 2 , which leads to

For the sake of compactness, put F ≔ F q ( t 0 , t 1 ) . At infinity, i.e., in P 3 ⧹ A ( v 0 , v 1 , v 2 ) 3 , there are F -points on ℰ of the form

It is proposed to take P + as the neutral element in the Mordell–Weil group ℰ ( F ) .

We will rely on some Magma calculations [26] that can be verified in the free calculator on the official site of this computer algebra system. The next lemmas are proved by means of the reduction to a Weierstrass form of ℰ .

The last lemma can be alternatively proved by using the geometric interpretation of the group law for ℰ ( F ) , described, e.g., in [2, Exercise 3.10]. Similarly, the reader is invited to check that for φ ± ≔ ( ± b , b , b ) , the point φ from [15, Theorem 1] coincides with 2 φ − with respect to φ + as the zero point. Among other things, the author verified that a base change for the elliptic threefold T from [15, Lemma 1] (in contrast to ours χ ) does not yield a visible F q -section of infinite order if b ∉ F q . Therefore, the restriction b ∈ F q in that article seems essential.

For v , x ∈ F q and j ∈ Z / 2 , we will need the following F q -curves on A ( t 0 , t 1 ) 2 :

Incidentally, the F q 2 -involution ( t 0 , t 1 ) ↦ ( t 1 / c , t 0 c ) gives the isomorphisms C j → C j + 1 and D j , x → D j + 1 , x . Note that always

and in accordance with [27, Section 2.3.3], the arithmetic genera are equal to

In the degenerate cases, we obtain

where β ≔ ( i a ) − 1 and

The curves F ± are nothing but Fermat quartics, hence they are non-singular of genus 3. By the way, all the lines L j , k intersect at the origin ( 0 , 0 ) .

3 New hash function

This section clarifies how the rational F q -map φ ≔ τ ∘ χ ∘ ψ : A ( t 0 , t 1 ) 2 ⇢ T (from the previous one) results in a constant-time map h : ( F q ∗ ) 2 → E a ( F q ) . First, given an element γ ∈ F q ∗ , we denote by γ q 4 ≔ γ ( q − 1 ) / 4 the quartic residue symbol [29, Section 4.B]. It is is evidently a group homomorphism F q ∗ → { i j } j = 0 3 . Note that γ q 4 = ± 1 if and only if γ ∈ F q . Moreover, γ q 4 = 1 if and only if γ 4 ∈ F q .

To be definite, we assign i ≔ c q 4 for a fixed quadratic non-residue c ∈ F q ∗ . Also, for the sake of compactness, let f ≔ t 3 + a t and hence T = { y j 2 = x j 3 + a c 2 j + 1 f x j } j = 0 1 . Note that the isomorphism σ a c 2 j + 1 f , a is defined over F q whenever f q 4 = ( − 1 ) j + 1 i . One of the crucial components of h is the auxiliary map given as follows:

Unfortunately, in this form, the value of h ′ is computed no faster than using two exponentiations in F q : the first for f q 4 and the second for f , c f 4 , or c 3 f 4 respectively. Instead, we provide an equivalent definition of h ′ (up to the automorphisms [ i ] j , where j ∈ Z / 4 ) below.

We will restrict ourselves to the case q ≡ 5 ( mod 8 ) justified in Section 1. The next lemma is useful itself.

By the way, the substitution γ = i in this lemma gives i q 4 = i r . At the same time, for γ = f (i.e., θ = f n ) and j ∈ Z / 4 , we obtain the following criteria:

Therefore,

Furthermore, when j ∈ { 1 , 3 } , the isomorphism σ a c j f , a is defined over F q if and only if