Efficient hash maps to $${\mathbb {G}}_2$$ on BLS curves

Abstract

AbstractWhen a pairing $$e: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_{T}$$ e : G 1 × G 2 → G T , on an elliptic curve E defined over a finite field $${\mathbb {F}}_q$$ F q , is exploited for an identity-based protocol, there is often the need to hash binary strings into $${\mathbb {G}}_1$$ G 1 and $${\mathbb {G}}_2$$ G 2 . Traditionally, if E admits a twist $${\tilde{E}}$$ E ~ of order d, then $${\mathbb {G}}_1=E({\mathbb {F}}_q) \cap E[r]$$ G 1 = E ( F q ) ∩ E [ r ] , where r is a prime integer, and $${\mathbb {G}}_2={\tilde{E}}({\mathbb {F}}_{q^{k/d}}) \cap {\tilde{E}}[r]$$ G 2 = E ~ ( F q k / d ) ∩ E ~ [ r ] , where k is the embedding degree of E w.r.t. r. The standard approach for hashing into $${\mathbb {G}}_2$$ G 2 is to map to a general point $$P \in {\tilde{E}}({\mathbb {F}}_{q^{k/d}})$$ P ∈ E ~ ( F q k / d ) and then multiply it by the cofactor $$c=\#{\tilde{E}}({\mathbb {F}}_{q^{k/d}})/r$$ c = # E ~ ( F q k / d ) / r . Usually, the multiplication by c is computationally expensive. In order to speed up such a computation, two different methods—by Scott et al. (International conference on pairing-based cryptography. Springer, Berlin, pp 102–113, 2009) and by Fuentes-Castaneda et al. (International workshop on selected areas in cryptography)—have been proposed. In this paper we consider these two methods for BLS pairing-friendly curves having $$k \in \{12,24,30,42,48\}$$ k ∈ { 12 , 24 , 30 , 42 , 48 } , providing efficiency comparisons. When $$k=42,48$$ k = 42 , 48 , the application of Fuentes et al. method requires expensive computations which were infeasible for the computational power at our disposal. For these cases, we propose hashing maps that we obtained following Fuentes et al. idea.