The most efficient indifferentiable hashing to elliptic curves ofj-invariant 1728

Abstract

AbstractThis article makes an important contribution to solving the long-standing problem of whether all elliptic curves can be equipped with a hash function (indifferentiable from a random oracle) whose running time amounts to one exponentiation in the basic finite fieldFq{{\mathbb{F}}}_{q}. More precisely, we construct a new indifferentiable hash function to any ordinary ellipticFq{{\mathbb{F}}}_{q}-curveEa{E}_{a}ofj-invariant 1728 with the cost of extracting one quartic root inFq{{\mathbb{F}}}_{q}. As is known, the latter operation is equivalent to one exponentiation in finite fields with which we deal in practice. In comparison, the previous fastest random oracles toEa{E}_{a}require to perform two exponentiations inFq{{\mathbb{F}}}_{q}. Since it is highly unlikely that there is a hash function to an elliptic curve without any exponentiations at all (even if it is supersingular), the new result seems to be unimprovable.