Hashing to G2 on BLS pairing-friendly curves

Abstract

When a pairing e : G 1 x G 2 → G T , on an elliptic curve E defined over F q , is exploited in a cryptographic protocol, there is often the need to hash binary strings into G 1 and G 2 . Traditionally, if E admits a twist Ẽ of order d, then G 1 = E (F q )⋂ E [ r ], where r is a prime integer, and G 2 = Ẽ(F q k/d )⋂ Ẽ [ r ], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G 1 and G 2 is to map it to general points P∈E ( F q ) and P′ ∈ Ẽ (F q k/d ), and then multiply them by the cofactors c = #E (F q )/ r and c ′ = #Ẽ (F q k/d )/ r respectively. Usually, the multiplication by c′ is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al. ) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.