在BLS配对友好曲线上哈希到G2

ACM Commun. Comput. Algebra Pub Date : 2019-02-16 DOI:10.1145/3313880.3313884

Alessandro Budroni, Federico Pintore

{"title":"在BLS配对友好曲线上哈希到G2","authors":"Alessandro Budroni, Federico Pintore","doi":"10.1145/3313880.3313884","DOIUrl":null,"url":null,"abstract":"When a pairing e : G1 x G2 → GT, on an elliptic curve E defined over Fq, is exploited in a cryptographic protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist Ẽ of order d, then G1 = E(Fq)⋂E[r], where r is a prime integer, and G2 = Ẽ(Fqk/d)⋂Ẽ[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G1 and G2 is to map it to general points P∈E(Fq) and P′ ∈ Ẽ(Fqk/d), and then multiply them by the cofactors c = #E(Fq)/r and c′ = #Ẽ(Fqk/d)/r respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.","PeriodicalId":7093,"journal":{"name":"ACM Commun. Comput. Algebra","volume":"22 1","pages":"63-66"},"PeriodicalIF":0.0000,"publicationDate":"2019-02-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Hashing to G2 on BLS pairing-friendly curves\",\"authors\":\"Alessandro Budroni, Federico Pintore\",\"doi\":\"10.1145/3313880.3313884\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"When a pairing e : G1 x G2 → GT, on an elliptic curve E defined over Fq, is exploited in a cryptographic protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist Ẽ of order d, then G1 = E(Fq)⋂E[r], where r is a prime integer, and G2 = Ẽ(Fqk/d)⋂Ẽ[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G1 and G2 is to map it to general points P∈E(Fq) and P′ ∈ Ẽ(Fqk/d), and then multiply them by the cofactors c = #E(Fq)/r and c′ = #Ẽ(Fqk/d)/r respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.\",\"PeriodicalId\":7093,\"journal\":{\"name\":\"ACM Commun. Comput. Algebra\",\"volume\":\"22 1\",\"pages\":\"63-66\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-02-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Commun. Comput. Algebra\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3313880.3313884\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Commun. Comput. Algebra","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3313880.3313884","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

当在Fq上定义的椭圆曲线e上的配对e: G1 x G2→GT在加密协议中被利用时，通常需要将二进制字符串散列为G1和G2。传统上，如果E允许d阶的扭转Ẽ，则G1 = E(Fq) E[r]，其中r为素数整数，G2 = Ẽ(Fqk/d) Ẽ[r]，其中k为E w.r.t. r的嵌入度。将二进制字符串哈希到G1和G2的标准方法是将其映射到一般点P∈E(Fq)和P '∈Ẽ(Fqk/d)，然后分别乘以它们的协因式c = #E(Fq)/r和c ' = #Ẽ(Fqk/d)/r。通常，乘以c '在计算上是很昂贵的。为了加快计算速度，提出了两种不同的方法(由Scott等人和Fuentes等人提出)。在这张海报中，我们考虑这两种方法对于k∈{12,24,30,42,48}的BLS配对友好曲线，提供效率比较。当k = 42,48时，Fuentes等人的方法需要昂贵的一次性预计算，这对于我们所拥有的计算能力是不可行的。在这些情况下，我们理论上得到了遵循Fuentes等人想法的哈希映射。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Hashing to G2 on BLS pairing-friendly curves

When a pairing e : G₁ x G₂ → G_T, on an elliptic curve E defined over F_q, is exploited in a cryptographic protocol, there is often the need to hash binary strings into G₁ and G₂. Traditionally, if E admits a twist Ẽ of order d, then G₁ = E(F_q)⋂E[r], where r is a prime integer, and G₂ = Ẽ(F_q^k/d)⋂Ẽ[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G₁ and G₂ is to map it to general points P∈E(F_q) and P′ ∈ Ẽ(F_q^k/d), and then multiply them by the cofactors c = #E(F_q)/r and c′ = #Ẽ(F_q^k/d)/r respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助