Fast Hashing to G 2 on Pairing-Friendly Curves

Abstract: Abstract. When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order r involved in the pairing. Of these G1 is a group of points on the base field E(F p ) and G 2 is instantiated as a group of points with coordinates on some extension field, over a twisted curve E (F p d ), where d divides the embedding degree k. While hashing to G 1 is relatively … Show more

“…In Table 3, we compare our results to the work of Scott et al [27,28]. In the proceedings version [27] of their work, the authors assume that the identity Φ k (ψ)P = ∞ holds for all points P inẼ(F q ).…”

“…In order to hash to G 2 , it suffices to hash to a random point Q ∈Ẽ(F q ) followed by a multiplication by the cofactor c = #Ẽ(F q )/r, to obtain the element cQ ∈Ẽ(F q )[r]. Let φ :Ẽ → E be an efficiently-computable isomorphism defined over F q d and let π be the pth power Frobenius on E. Scott et al [27] observed that the endomorphism ψ = φ −1 • π • φ can be used to speed up the computation of Q → cQ. The endomorphism ψ satisfies…”

“…In the proceedings version [27] of their work, the authors assume that the identity Φ k (ψ)P = ∞ holds for all points P inẼ(F q ). However, there exist concrete examples showing that this identity does not hold for some curves.…”

“…Galbraith and Scott [10] reduce the computational cost of this task by means of an endomorphism ofẼ. This idea was further exploited by Scott et al [27], where explicit formulae for hashing to G 2 were given for several pairing-friendly curves.…”

Faster Hashing to ${\mathbb G}_2$

“…In Table 3, we compare our results to the work of Scott et al [27,28]. In the proceedings version [27] of their work, the authors assume that the identity Φ k (ψ)P = ∞ holds for all points P inẼ(F q ).…”

“…In order to hash to G 2 , it suffices to hash to a random point Q ∈Ẽ(F q ) followed by a multiplication by the cofactor c = #Ẽ(F q )/r, to obtain the element cQ ∈Ẽ(F q )[r]. Let φ :Ẽ → E be an efficiently-computable isomorphism defined over F q d and let π be the pth power Frobenius on E. Scott et al [27] observed that the endomorphism ψ = φ −1 • π • φ can be used to speed up the computation of Q → cQ. The endomorphism ψ satisfies…”

“…In the proceedings version [27] of their work, the authors assume that the identity Φ k (ψ)P = ∞ holds for all points P inẼ(F q ). However, there exist concrete examples showing that this identity does not hold for some curves.…”

“…Galbraith and Scott [10] reduce the computational cost of this task by means of an endomorphism ofẼ. This idea was further exploited by Scott et al [27], where explicit formulae for hashing to G 2 were given for several pairing-friendly curves.…”

Faster Hashing to ${\mathbb G}_2$

“…The third and more recent wave of research has focussed on reducing the loop length of Miller's algorithm [35,26,3,32] to be as short as possible [42,25]. Along the way, there have been several other clever optimizations that give faster pairings in certain scenarios, including compressed pairings [36], single coordinate pairings [21], efficient methods of hashing to pairing-friendly groups [38], and techniques that achieve a faster final exponentiation [24,39].…”

Faster Pairing Computations on Curves with High-Degree Twists

Compact Multi-signatures for Smaller Blockchains