Network Working Group S. Scott
Internet-Draft Cornell Tech
Intended status: Informational N. Sullivan
Expires: January 3, 2019 Cloudflare
C. Wood
Apple Inc.
July 02, 2018
Hashing to Elliptic Curves
draft-irtf-cfrg-hash-to-curve-01
Abstract
This document specifies a number of algorithms that may be used to
hash arbitrary strings to Elliptic Curves.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Scott, et al. Expires January 3, 2019 [Page 1]
Internet-Draft hash-to-curve July 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. Encoding . . . . . . . . . . . . . . . . . . . . . . 5
2.1.2. Serialization . . . . . . . . . . . . . . . . . . . . 5
2.1.3. Random Oracle . . . . . . . . . . . . . . . . . . . . 5
3. Algorithm Recommendations . . . . . . . . . . . . . . . . . . 6
4. Utility Functions . . . . . . . . . . . . . . . . . . . . . . 7
5. Deterministic Encodings . . . . . . . . . . . . . . . . . . . 7
5.1. Interface . . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Encoding Variants . . . . . . . . . . . . . . . . . . . . 7
5.2.1. Icart Method . . . . . . . . . . . . . . . . . . . . 7
5.2.2. Shallue-Woestijne-Ulas Method . . . . . . . . . . . . 9
5.2.3. Simplified SWU Method . . . . . . . . . . . . . . . . 10
5.2.4. Elligator2 Method . . . . . . . . . . . . . . . . . . 12
5.3. Cost Comparison . . . . . . . . . . . . . . . . . . . . . 13
6. Random Oracles . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Interface . . . . . . . . . . . . . . . . . . . . . . . . 14
6.2. General Construction (FFSTV13) . . . . . . . . . . . . . 14
7. Curve Transformations . . . . . . . . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 15
12. Normative References . . . . . . . . . . . . . . . . . . . . 15
Appendix A. Related Work . . . . . . . . . . . . . . . . . . . . 17
A.1. Probabilistic Encoding . . . . . . . . . . . . . . . . . 17
A.2. Naive Encoding . . . . . . . . . . . . . . . . . . . . . 17
A.3. Deterministic Encoding . . . . . . . . . . . . . . . . . 18
A.4. Supersingular Curves . . . . . . . . . . . . . . . . . . 18
A.5. Twisted Variants . . . . . . . . . . . . . . . . . . . . 18
Appendix B. Try-and-Increment Method . . . . . . . . . . . . . . 19
Appendix C. Sample Code . . . . . . . . . . . . . . . . . . . . 19
C.1. Icart Method . . . . . . . . . . . . . . . . . . . . . . 19
C.2. Shallue-Woestijne-Ulas Method . . . . . . . . . . . . . . 21
C.3. Simplified SWU Method . . . . . . . . . . . . . . . . . . 23
C.4. Elligator2 Method . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction
Many cryptographic protocols require a procedure which maps arbitrary
input, e.g., passwords, to points on an elliptic curve (EC).
Prominent examples include Simple Password Exponential Key Exchange
Scott, et al. Expires January 3, 2019 [Page 2]
Internet-Draft hash-to-curve July 2018
[Jablon96], Password Authenticated Key Exchange [BMP00], Identity-
Based Encryption [BF01] and Boneh-Lynn-Shacham signatures [BLS01].
Unfortunately for implementors, the precise mapping which is suitable
for a given scheme is not necessarily included in the description of
the protocol. Compounding this problem is the need to pick a
suitable curve for the specific protocol.
This document aims to address this lapse by providing a thorough set
of recommendations across a range of implementations, and curve
types. We provide implementation and performance details for each
mechanism, along with references to the security rationale behind
each recommendation and guidance for applications not yet covered.
Each algorithm conforms to a common interface, i.e., it maps an
element from a bitstring {0, 1}^* to a curve E. For each variant, we
describe the requirements for E to make it work. Sample code for
each variant is presented in the appendix. Unless otherwise stated,
all elliptic curve points are assumed to be represented as affine
coordinates, i.e., (x, y) points on a curve.
1.1. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Background
Here we give a brief definition of elliptic curves, with an emphasis
on defining important parameters and their relation to encoding.
Let F be the finite field GF(p^k). We say that F is a field of
characteristic p. For most applications, F is a prime field, in
which case k=1 and we will simply write GF(p).
Elliptic curves come in many variants, including, but not limited to:
Weierstrass, Montgomery, and Edwards. Each of these variants
correspond to a different category of curve equation. For example,
the short Weierstrauss equation is of the form "y^2 = x^3 + Ax + B".
Certain encoding functions may have requirements on the curve form
and the parameters, such as A and B in the previous example.
An elliptic curve E is specified by the equation, and a finite field
F. The curve E forms a group, whose elements correspond to those who
satisfy the curve equation, with values taken from the field F. As a
group, E has order n, which is the number of points on the curve.
When n is not prime, we write n = qh + r, where q is prime, and h is
Scott, et al. Expires January 3, 2019 [Page 3]
Internet-Draft hash-to-curve July 2018
said to be the cofactor. It is frequently a requirement that all
cryptographic operations take place in a prime order group. In this
case, we may wish an encoding to return elements of order q. For a
mapping outputting elements on E, we can multiply by the cofactor h
to obtain an element in the subgroup.
In practice, the input of a given cryptographic algorithm will be a
bitstring of arbitrary length, denoted {0, 1}^*. Hence, a concern for
virtually all protocols involving elliptic curves is how to convert
this input into a curve point.
Note that the number of points on an elliptic curve E is within
2*sqrt(p) of p by Hasse's Theorem. As a rule of thumb, for every x
in GF(p), there is approximately a 1/2 chance that there exist a
corresponding y value such that (x, y) is on the curve E. Since the
point (x, -y) is also on the curve, then this sums to approximately p
points.
Ultimately, an encoding function takes a bitstring {0, 1}^* to an
element of E, of order n (or q), and represented by variables in
GF(p).
Summary of quantities:
+--------+-------------------+--------------------------------------+
| Symbol | Meaning | Relevance |
+--------+-------------------+--------------------------------------+
| p | Order of finite | Curve points need to be represented |
| | field, F = GF(p) | in terms of p. For prime powers, we |
| | | write F = GF(p^k). |
| | | |
| n | Number of curve | For map to E, needs to produce n |
| | points, #E(F) = n | elements. |
| | | |
| q | Order of prime | If n is not prime, may need mapping |
| | subgroup of E, n | to q. |
| | = qh + r | |
| | | |
| h | Cofactor of prime | For mapping to subgroup, need to |
| | subgroup | multiply by cofactor. |
+--------+-------------------+--------------------------------------+
2.1. Terminology
In the following, we categorize the terminology for mapping between
bitstrings and elliptic curves.
Scott, et al. Expires January 3, 2019 [Page 4]
Internet-Draft hash-to-curve July 2018
2.1.1. Encoding
The general term "encoding" is used to refer to the process of
producing an elliptic curve point given as input a bitstring. In
some protocols, the original message may also be recovered through a
decoding procedure. An encoding may be deterministic or
probabilistic, although the latter is problematic in potentially
leaking plaintext information as a side-channel.
In most cases, the curve E is over a finite field GF(p^k), with p >
2. Suppose as the input to the encoding function we wish to use a
fixed-length bitstring of length L. Comparing sizes of the sets, 2^L
and n, an encoding function cannot be both deterministic and
bijective.
We can instead use an injective encoding from {0, 1}^L to E, with "L
< log2(n)- 1", which is a bijection over a subset of points in E.
This ensures that encoded plaintext messages can be recovered.
2.1.2. Serialization
A related issue is the conversion of an elliptic curve point to a
bitstring. We refer to this process as "serialization", since it is
typically used for compactly storing and transporting points, or for
producing canonicalized outputs. Since a deserialization algorithm
can often be used as a type of encoding algorithm, we also briefly
document properties of these functions.
A naive serialization algorithm maps a point (x, y) on E to a
bitstring of length 2*log(p), given that x, y are both elements in
GF(p). However, since there are only n points in E (with n
approximately equal to p), it is possible to serialize to a bitstring
of length log(n). For example, one common method is to store the
x-coordinate and a single bit to determine whether the point is (x,
y) or (x, -y), thus requiring log(p)+1 bits. Thus exchanging
computation (recovering the y coordinate) for storage.
2.1.3. Random Oracle
It is often the case that the output of the encoding function
Section 2.1.1 should be distributed uniformly at random on the
elliptic curve. That is, there is no discernible relation existing
between outputs that can be computed based on the inputs. In
practice, this requirement stems from needing a random oracle which
outputs elliptic curve points: one way to construct this is by first
taking a regular random oracle, operating entirely on bitstrings, and
applying a suitable encoding function to the output.
Scott, et al. Expires January 3, 2019 [Page 5]
Internet-Draft hash-to-curve July 2018
This motivates the term "hashing to the curve", since cryptographic
hash functions are typically modeled as random oracles. However,
this still leaves open the question of what constitutes a suitable
encoding method, which is a primary concern of this document.
A random oracle onto an elliptic curve can also be instantiated using
direct constructions, however these tend to rely on many group
operations and are less efficient than hash and encode methods.
3. Algorithm Recommendations
The following table lists algorithms recommended by use-case:
+----------------+-----------------+--------------------------------+
| Application | Requirement | Additional Details |
+----------------+-----------------+--------------------------------+
| SPEKE | Naive | H(x)*G |
| [Jablon96] | | |
| | | |
| PAKE [BMP00] | Random Oracle | - |
| | | |
| BLS [BLS01] | Random Oracle | - |
| | | |
| IBE [BF01] | Random Oracle | Supersingular, pairing- |
| | | friendly curve |
| | | |
| PRF | Injective | F(k, m) = k*H(m) |
| | encoding | |
+----------------+-----------------+--------------------------------+
To find the suitable algorithm, lookup the requirement from above,
with the chosen curve in the below:
+------------+--------------------------+---------------+
| Curve | Inj. Encoding | Random Oracle |
+------------+--------------------------+---------------+
| P-256 | Simple SWU Section 5.2.3 | FFSTV(SWU) |
| | | |
| P-384 | Icart Section 5.2.1 | FFSTV(Icart) |
| | | |
| Curve25519 | Elligator2 Section 5.2.4 | ... |
| | | |
| Curve448 | Elligator2 Section 5.2.4 | ... |
+------------+--------------------------+---------------+
Scott, et al. Expires January 3, 2019 [Page 6]
Internet-Draft hash-to-curve July 2018
4. Utility Functions
Algorithms in this document make use of utility functions described
below.
o HashToBase(x): H(x)[0:log2(p) + 1], i.e., hash-truncate-reduce,
where H is a cryptographic hash function, such as SHA256, and p is
the prime order of base field Fp.
o CMOV(a, b, c): If c = 1, return a, else return b.
Note: We assume that HashToBase maps its input to the base field
uniformly. In practice, there may be inherent biases in p, e.g., p =
2^k - 1 will have non-negligible bias in higher bits.
5. Deterministic Encodings
5.1. Interface
The generic interface for deterministic encoding functions to
elliptic curves is as follows:
map2curve(alpha)
where alpha is a message to encode on a curve.
5.2. Encoding Variants
5.2.1. Icart Method
The following map2curve_icart(alpha) implements the Icart method from
[Icart09]. This algorithm works for any curve over F_{p^n}, where
p^n = 2 mod 3 (or p = 2 mod 3 and for odd n), including:
o P384
o Curve1174
o Curve448
Unsupported curves include: P224, P256, P521, and Curve25519 since,
for each, p = 1 mod 3.
Mathematically, given input alpha, and A and B from E, the Icart
method works as follows:
Scott, et al. Expires January 3, 2019 [Page 7]
Internet-Draft hash-to-curve July 2018
u = HashToBase(alpha)
x = (v^2 - b - (u^6 / 27))^(1/3) + (u^2 / 3)
y = ux + v
where v = ((3A - u^4) / 6u).
The following procedure implements this algorithm in a straight-line
fashion. It requires knowledge of A and B, the constants from the
curve Weierstrass form. It outputs a point with affine coordinates.
map2curve_icart(alpha)
Input:
alpha - value to be hashed, an octet string
Output:
(x, y) - a point in E
Steps:
1. u = HashToBase(alpha) // {0,1}^* -> Fp
2. u2 = u^2 (mod p) // u^2
3. t2 = u2^2 (mod p) // u^4
4. v1 = 3 * A (mod p) // 3A
5. v1 = v1 - t2 (mod p) // 3A - u^4
6. t1 = 6 * u (mod p) // 6u
7. t3 = t1 ^ (-1) (mod p) // modular inverse
8. v = v1 * t3 (mod p) // (3A - u^4)/(6u)
9. x = v^2 (mod p) // v^2
10. x = x - B (mod p) // v^2 - b
11. t1 = 27 ^ (-1) (mod p) // 1/27
12. t1 = t1 * u2 (mod p) // u^4 / 27
13. t1 = t1 * t2 (mod p) // u^6 / 27
14. x = x - t1 (mod p) // v^2 - b - u^6/27
15. t1 = (2 * p) - 1 (mod p) // 2p - 1
16. t1 = t1 / 3 (mod p) // (2p - 1)/3
17. x = x^t1 (mod p) // (v^2 - b - u^6/27) ^ (1/3)
18. t2 = u2 / 3 (mod p) // u^2 / 3
19. x = x + t2 (mod p) // (v^2 - b - u^6/27) ^ (1/3) + (u^2 / 3)
20. y = u * x (mod p) // ux
21. y = y + v (mod p) // ux + v
22. Output (x, y)
Scott, et al. Expires January 3, 2019 [Page 8]
Internet-Draft hash-to-curve July 2018
5.2.2. Shallue-Woestijne-Ulas Method
The Shallue-Woestijne-Ulas (SWU) method, originated in part by
Shallue and Woestijne [SW06] and later simplified and extended by
Ulas [SWU07], deterministically encodes an artbirary string to a
point on a curve. This algorithm works for any curve over F_{p^n}.
Given curve equation g(x) = x^3 + Ax + B, two separate HashToBase
implementations, H0 and H1, this algorithm works as follows:
1. t = H0(alpha)
2. u = H1(alpha)
3. X1 = u
4. X2 = (-B / A)(1 + 1 / (t^4 * g(u)^2 + t^2 * g(u)))
5. X3 = t^3 * g(u)^2 * g(X2)
6. If g(X1) is square, output (X1, sqrt(g(X1)))
7. If g(X2) is square, output (X2, sqrt(g(X2)))
8. Output (X3(t, u), sqrt(g(X3)))
The algorithm relies on the following equality:
t^3 * g(u)^2 * g(X2(t, u)) = g(X1(t, u)) * g(X2(t, u)) * g(X3(t, u))
The algorithm computes three candidate points, constructed such that
at least one of them lies on the curve.
The following procedure implements this algorithm. It outputs a
point with affine coordinates. It requires knowledge of A and B, the
constants from the curve Weierstrass form.
map2curve_squ(alpha)
Input:
alpha - value to be hashed, an octet string
H0 - HashToBase implementation
H1 - HashToBase implementation
Output:
(x, y) - a point in E
Steps:
1. t = H0(alpha) // {0,1}^* -> Fp
2. u = H1(alpha) // {0,1}^* -> Fp
3. t2 = t^2
4. t4 = t2^2
5. gu = u^3
Scott, et al. Expires January 3, 2019 [Page 9]
Internet-Draft hash-to-curve July 2018
6. gu = gu + (A * u)
7. gu = gu + B // gu = g(u)
8. x1 = u // x1 = X1(t, u) = u
9. x2 = B * -1
10. x2 = x2 / A
11. gx1 = x1^3
12. gx1 = gx1 + (A * x1)
13. gx1 = gx1 + B // gx1 = g(X1(t, u))
14. d1 = gu^2
15. d1 = d1 * t4
16. d2 = t2 * gu
17. d3 = d1 + d2
18. d3 = d3^(-1)
19. n1 = 1 + d3
20. x2 = x2 * n1 // x2 = X2(t, u)
21. gx2 = x2^3
22. gx2 = gx2 + (A * x2)
23. gx2 = gx2 + B // gx2 = g(X2(t, u))
24. x3 = t2 * gu
25. x3 = x3 * x2 // x3 = X3(t, u)
26. gx3 = x3^3
27. gx3 = gx3 + (A * x3)
28. gx3 = gx3 + B // gx3 = g(X3(t, u))
29. l1 = gx1^((p - 1) / 2)
30. l2 = gx2^((p - 1) / 2)
31. s1 = gx1^(1/2)
32. s2 = gx2^(1/2)
33. s3 = gx3^(1/2)
34. if l1 == 1:
35. Output (x1, s1)
36. if l2 == 1:
37. Output (x2, s2)
38. Output (x3, s3)
5.2.3. Simplified SWU Method
The following map2curve_simple_swu(alpha) implements the simplfied
Shallue-Woestijne-Ulas algorithm from [SimpleSWU]. This algorithm
works for any curve over F_{p^n}, where p = 3 mod 4, including:
o P256
o ...
Given curve equation g(x) = x^3 + Ax + B, this algorithm works as
follows:
Scott, et al. Expires January 3, 2019 [Page 10]
Internet-Draft hash-to-curve July 2018
1. t = HashToBase(alpha)
2. alpha = (-b / a) * (1 + (1 / (t^4 + t^2)))
3. beta = -t^2 * alpha
4. If g(alpha) is square, output (alpha, sqrt(g(alpha)))
5. Output (beta, sqrt(g(beta)))
The following procedure implements this algorithm. It outputs a
point with affine coordinates. It requires knowledge of A and B, the
constants from the curve Weierstrass form.
map2curve_simple_swu(alpha)
Input:
alpha - value to be encoded, an octet string
Output:
(x, y) - a point in E
Steps:
1. t = HashToBase(alpha)
2. alpha = t^2 (mod p)
3. alpha = alpha * -1 (mod p)
4. right = alpha^2 + alpha (mod p)
5. right = right^(-1) (mod p)
6. right = right + 1 (mod p)
7. left = B * -1 (mod p)
8. left = left / A (mod p)
9. x2 = left * right (mod p)
10. x3 = alpha * x2 (mod p)
11. h2 = x2 ^ 3 (mod p)
12. i2 = x2 * A (mod p)
13. i2 = i2 + B (mod p)
14. h2 = h2 + i2 (mod p)
15. h3 = x3 ^ 3 (mod p)
16. i3 = x3 * A (mod p)
17. i3 = i3 + B (mod p)
18. h3 = h3 + i3 (mod p)
19. y1 = h2 ^ ((p + 1) // 4) (mod p)
20. y2 = h3 ^ ((p + 1) // 4) (mod p)
21. e = (y1 ^ 2 == h2)
22. x = CMOV(x2, x3, e) // If e = 1, choose x2, else choose x3
23. y = CMOV(y1, y2, e) // If e = 1, choose y1, else choose y2
24. Output (x, y)
Scott, et al. Expires January 3, 2019 [Page 11]
Internet-Draft hash-to-curve July 2018
5.2.4. Elligator2 Method
The following map2curve_elligator2(alpha) implements the Elligator2
method from [Elligator2]. This algorithm works for any curve with a
point of order 2 and j-invariant != 1728. Given curve equation f(x)
= y^2 = x(x^2 + Ax + B), i.e., a Montgomery form with the point of
order 2 at (0,0), this algorithm works as shown below. (Note that
any curve with a point of order 2 is isomorphic to this
representation.)
1. r = HashToBase(alpha)
2. If f(-A/(1+ur^2)) is square, then output f(-A/(1+ur^2))^(1/2)
3. Else, output f(-Aur^2/(1+ur^2))^(1/2)
Another way to express this algorithm is as follows:
1. r = HashToBase(alpha)
2. d = -A / (1 + ur^2)
3. e = f(d)^((p-1)/2)
4. u = ed - (1 - e)A/u
Here, e is the Legendre symbol of y = (d^3 + Ad^2 + d), which will be
1 if y is a quadratic residue (square) mod p, and -1 otherwise.
(Note that raising y to ((p -1) / 2) is a common way to compute the
Legendre symbol.)
The following procedure implements this algorithm.
Scott, et al. Expires January 3, 2019 [Page 12]
Internet-Draft hash-to-curve July 2018
map2curve_elligator2(alpha)
Input:
alpha - value to be encoded, an octet string
u - fixed non-square value in Fp.
f() - Curve function
Output:
(x, y) - a point in E
Steps:
1. r = HashToBase(alpha)
2. r = r^2 (mod p)
3. nu = r * u (mod p)
4. r = nu
5. r = r + 1 (mod p)
6. r = r^(-1) (mod p)
7. v = A * r (mod p)
8. v = v * -1 (mod p) // -A / (1 + ur^2)
9. v2 = v^2 (mod p)
10. v3 = v * v2 (mod p)
11. e = v3 * v (mod p)
12. v2 = v2 * A (mod p)
13. e = v2 * e (mod p)
14. e = e^((p - 1) / 2) // Legendre symbol
15. nv = v * -1 (mod p)
16. v = CMOV(v, nv, e) // If e = 1, choose v, else choose nv
17. v2 = CMOV(0, A, e) // If e = 1, choose 0, else choose A
18. u = v - v2 (mod p)
19. Output (u, f(u))
Elligator2 can be simplified with projective coordinates.
((TODO: write this variant))
5.3. Cost Comparison
The following table summarizes the cost of each map2curve variant.
We express this cost in terms of additions (A), multiplications (M),
squares (SQ), and square roots (SR).
((TODO: finish this section))
Scott, et al. Expires January 3, 2019 [Page 13]
Internet-Draft hash-to-curve July 2018
+----------------------+-------------------+
| Algorithm | Cost (Operations) |
+----------------------+-------------------+
| map2curve_icart | TODO |
| | |
| map2curve_swu | TODO |
| | |
| map2curve_simple_swu | TODO |
| | |
| map2curve_elligator2 | TODO |
+----------------------+-------------------+
6. Random Oracles
6.1. Interface
The generic interface for deterministic encoding functions to
elliptic curves is as follows:
hash2curve(alpha)
where alpha is a message to encode on a curve.
6.2. General Construction (FFSTV13)
When applications need a Random Oracle (RO), they can be constructed
from deterministic encoding functions. In particular, let F :
{0,1}^* -> E be a deterministic encoding function onto curve E, and
let H0 and H1 be two hash functions modeled as random oracles that
map input messages to the base field of E, i.e., Z_q. Farashahi et
al. [FFSTV13] showed that the following mapping is indistinguishable
from a RO:
hash2curve(alpha) = F(H0(alpha)) + F(H1(alpha))
This construction works for the Icart, SWU, and Simplfied SWU
encodings.
Here, H0 and H1 could be constructed as follows:
H0(alpha) = HashToBase(0 || alpha)
H1(alpha) = HashToBase(1 || alpha)
7. Curve Transformations
((TODO: write this section))
Scott, et al. Expires January 3, 2019 [Page 14]
Internet-Draft hash-to-curve July 2018
8. IANA Considerations
This document has no IANA actions.
9. Security Considerations
Each encoding function variant accepts arbitrary input and maps it to
a pseudorandom point on the curve. Points are close to
indistinguishable from randomly chosen elements on the curve. Not
all encoding functions are full-domain hashes. Elligator2, for
example, only maps strings to "about half of all curve points,"
whereas Icart's method only covers about 5/8 of the points.
10. Acknowledgements
The authors would like to thank Adam Langley for this detailed
writeup up Elligator2 with Curve25519 [ElligatorAGL]. We also thank
Sean Devlin and Thomas Icart for feedback on earlier versions of this
document.
11. Contributors
o Sharon Goldberg
Boston University
goldbe@cs.bu.edu
12. Normative References
[BF01] "Identity-based encryption from the Weil pairing", n.d..
[BLS01] "Short signatures from the Weil pairing", n.d.,
<https://iacr.org/archive/asiacrypt2001/22480516.pdf>.
[BMP00] "Provably secure password-authenticated key exchange using
diffie-hellman", n.d..
[ECOPRF] "EC-OPRF - Oblivious Pseudorandom Functions using Elliptic
Curves", n.d..
[Elligator2]
"Elligator -- Elliptic-curve points indistinguishable from
uniform random strings", n.d., <https://dl.acm.org/
ft_gateway.cfm?id=2516734&type=pdf>.
[ElligatorAGL]
"Implementing Elligator for Curve25519", n.d.,
<https://www.imperialviolet.org/2013/12/25/
elligator.html>.
Scott, et al. Expires January 3, 2019 [Page 15]
Internet-Draft hash-to-curve July 2018
[FFSTV13] "Indifferentiable deterministic hashing to elliptic and
hyperelliptic curves", n.d..
[hacspec] "hacspec", n.d., <https://github.com/HACS-workshop/
hacspec>.
[Icart09] "How to Hash into Elliptic Curves", n.d.,
<https://eprint.iacr.org/2009/226.pdf>.
[Jablon96]
"Strong password-only authenticated key exchange", n.d..
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017, <https://www.rfc-
editor.org/info/rfc8032>.
[SECG1] "SEC 1 -- Elliptic Curve Cryptography", n.d.,
<http://www.secg.org/sec1-v2.pdf>.
[SimpleSWU]
"Efficient Indifferentiable Hashing into Ordinary Elliptic
Curves", n.d..
[SW06] "Construction of rational points on elliptic curves over
finite fields", n.d..
[SWU07] "Rational points on certain hyperelliptic curves over
finite fields", n.d., <https://arxiv.org/pdf/0706.1448>.
Scott, et al. Expires January 3, 2019 [Page 16]
Internet-Draft hash-to-curve July 2018
Appendix A. Related Work
In this chapter, we give a background to some common methods to
encode or hash to the curve, motivated by the similar exposition in
[Icart09]. Understanding of this material is not required in order
to choose a suitable encoding function - we defer this to Section 3 -
the background covered here can work as a template for analyzing
encoding functions not found in this document, and as a guide for
further research into the topics covered.
A.1. Probabilistic Encoding
As mentioned in Section 2, as a rule of thumb, for every x in GF(p),
there is approximately a 1/2 chance that there exist a corresponding
y value such that (x, y) is on the curve E.
This motivates the construction of the MapToGroup method described by
Boneh et al. [BLS01]. For an input message m, a counter i, and a
standard hash function H : {0, 1}^* -> GF(p) x {0, 1}, one computes
(x, b) = H(i || m), where i || m denotes concatenation of the two
values. Next, test to see whether there exists a corresponding y
value such that (x, y) is on the curve, returning (x, y) if
successful, where b determines whether to take +/- y. If there does
not exist such a y, then increment i and repeat. A maximum counter
value is set to I, and since each iteration succeeds with probability
approximately 1/2, this process fails with probability 2^-I. (See
Appendix B for a more detailed description of this algorithm.)
Although MapToGroup describes a method to hash to the curve, it can
also be adapted to a simple encoding mechanism. For a bitstring of
length strictly less than log2(p), one can make use of the spare bits
in order to encode the counter value. Allocating more space for the
counter increases the expansion, but reduces the failure probability.
Since the running time of the MapToGroup algorithm depends on m, this
algorithm is NOT safe for cases sensitive to timing side channel
attacks. Deterministic algorithms are needed in such cases where
failures are undesirable.
A.2. Naive Encoding
A naive solution includes computing H(m)*G as map2curve(m), where H
is a standard hash function H : {0, 1}^* -> GF(p), and G is a
generator of the curve. Although efficient, this solution is
unsuitable for constructing a random oracle onto E, since the
discrete logarithm with respect to G is known. For example, given y1
= map2curve(m1) and y2 = map2curve(m2) for any m1 and m2, it must be
true that y2 = H(m2) / H(m1) * map2curve(m1). This relationship
Scott, et al. Expires January 3, 2019 [Page 17]
Internet-Draft hash-to-curve July 2018
would not hold (with overwhelming probability) for truly random
values y1 and y2. This causes catastrophic failure in many cases.
However, one exception is found in SPEKE [Jablon96], which constructs
a base for a Diffie-Hellman key exchange by hashing the password to a
curve point. Notably the use of a hash function is purely for
encoding an arbitrary length string to a curve point, and does not
need to be a random oracle.
A.3. Deterministic Encoding
Shallue, Woestijne, and Ulas [SW06] first introduced a deterministic
algorithm that maps elements in F_{q} to a curve in time O(log^4 q),
where q = p^n for some prime p, and time O(log^3 q) when q = 3 mod 4.
Icart introduced yet another deterministic algorithm which maps F_{q}
to any EC where q = 2 mod 3 in time O(log^3 q) [Icart09]. Elligator
(2) [Elligator2] is yet another deterministic algorithm for any odd-
characteristic EC that has a point of order 2. Elligator2 can be
applied to Curve25519 and Curve448, which are both CFRG-recommended
curves [RFC7748].
However, an important caveat to all of the above deterministic
encoding functions, is that none of them map injectively to the
entire curve, but rather some fraction of the points. This makes
them unable to use to directly construct a random oracle on the
curve.
Brier et al. [SimpleSWU] proposed a couple of solutions to this
problem, The first applies solely to Icart's method described above,
by computing F(H1(m)) + F(H2(m)) for two distinct hash functions H1,
H2. The second uses a generator G, and computes F(H1(m)) + H2(m)*G.
Later, Farashahi et al. [FFSTV13] showed the generality of the
F(H1(m)) + F(H2(m)) method, as well as the applicability to
hyperelliptic curves (not covered here).
A.4. Supersingular Curves
For supersingular curves, for every y in GF(p) (with p>3), there
exists a value x such that (x, y) is on the curve E. Hence we can
construct a bijection F : GF(p) -> E (ignoring the point at
infinity). This is the case for [BF01], but is not common.
A.5. Twisted Variants
We can also consider curves which have twisted variants, E^d. For
such curves, for any x in GF(p), there exists y in GF(p) such that
(x, y) is either a point on E or E^d. Hence one can construct a
bijection F : GF(p) x {0,1} -> E ∪ E^d, where the extra bit is
needed to choose the sign of the point. This can be particularly
Scott, et al. Expires January 3, 2019 [Page 18]
Internet-Draft hash-to-curve July 2018
useful for constructions which only need the x-coordinate of the
point. For example, x-only scalar multiplication can be computed on
Montgomery curves. In this case, there is no need for an encoding
function, since the output of F in GF(p) is sufficient to define a
point on one of E or E^d.
Appendix B. Try-and-Increment Method
In cases where constant time execution is not required, the so-called
try-and-increment method may be appropriate. As discussion in
Section Section 1, this variant works by hashing input m using a
standard hash function ("Hash"), e.g., SHA256, and then checking to
see if the resulting point E(m, f(m)), for curve function f, belongs
on E. This is detailed below.
1. ctr = 0
3. h = "INVALID"
4. While h is "INVALID" or h is EC point at infinity:
A. CTR = I2OSP(ctr, 4)
B. ctr = ctr + 1
C. attempted_hash = Hash(m || CTR)
D. h = RS2ECP(attempted_hash)
E. If h is not "INVALID" and cofactor > 1, set h = h^cofactor
5. Output h
I2OSP is a function that converts a nonnegative integer to octet
string as defined in Section 4.1 of [RFC8017], and RS2ECP is a
function that converts of a random 2n-octet string to an EC point as
specified in Section 5.1.3 of [RFC8032].
Appendix C. Sample Code
This section contains reference implementations for each map2curve
variant built using [hacspec].
C.1. Icart Method
The following hacspec program implements map2curve_icart(alpha) for
P-384.
from hacspec.speclib import *
prime = 2**384 - 2**128 - 2**96 + 2**32 - 1
felem_t = refine(nat, lambda x: x < prime)
affine_t = tuple2(felem_t, felem_t)
@typechecked
Scott, et al. Expires January 3, 2019 [Page 19]
Internet-Draft hash-to-curve July 2018
def to_felem(x: nat_t) -> felem_t:
return felem_t(nat(x % prime))
@typechecked
def fadd(x: felem_t, y: felem_t) -> felem_t:
return to_felem(x + y)
@typechecked
def fsub(x: felem_t, y: felem_t) -> felem_t:
return to_felem(x - y)
@typechecked
def fmul(x: felem_t, y: felem_t) -> felem_t:
return to_felem(x * y)
@typechecked
def fsqr(x: felem_t) -> felem_t:
return to_felem(x * x)
@typechecked
def fexp(x: felem_t, n: nat_t) -> felem_t:
return to_felem(pow(x, n, prime))
@typechecked
def finv(x: felem_t) -> felem_t:
return to_felem(pow(x, prime-2, prime))
a384 = to_felem(prime - 3)
b384 = to_felem(27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575)
@typechecked
def map2p384(u:felem_t) -> affine_t:
v = fmul(fsub(fmul(to_felem(3), a384), fexp(u, 4)), finv(fmul(to_felem(6), u)))
u2 = fmul(fexp(u, 6), finv(to_felem(27)))
x = fsub(fsqr(v), b384)
x = fsub(x, u2)
x = fexp(x, (2 * prime - 1) // 3)
x = fadd(x, fmul(fsqr(u), finv(to_felem(3))))
y = fadd(fmul(u, x), v)
return (x, y)
Scott, et al. Expires January 3, 2019 [Page 20]
Internet-Draft hash-to-curve July 2018
C.2. Shallue-Woestijne-Ulas Method
The following hacspec program implements map2curve_swu(alpha) for
P-256.
Scott, et al. Expires January 3, 2019 [Page 21]
Internet-Draft hash-to-curve July 2018
from p256 import *
from hacspec.speclib import *
a256 = to_felem(prime - 3)
b256 = to_felem(41058363725152142129326129780047268409114441015993725554835256314039467401291)
@typechecked
def f_p256(x:felem_t) -> felem_t:
return fadd(fexp(x, 3), fadd(fmul(to_felem(a256), x), to_felem(b256)))
@typechecked
def x1(t:felem_t, u:felem_t) -> felem_t:
return u
@typechecked
def x2(t:felem_t, u:felem_t) -> felem_t:
coefficient = fmul(to_felem(-b256), finv(to_felem(a256)))
t2 = fsqr(t)
t4 = fsqr(t2)
gu = f_p256(u)
gu2 = fsqr(gu)
denom = fadd(fmul(t4, gu2), fmul(t2, gu))
return fmul(coefficient, fadd(to_felem(1), finv(denom)))
@typechecked
def x3(t:felem_t, u:felem_t) -> felem_t:
return fmul(fsqr(t), fmul(f_p256(u), x2(t, u)))
@typechecked
def map2p256(t:felem_t) -> felem_t:
u = fadd(t, to_felem(1))
x1v = x1(t, u)
x2v = x2(t, u)
x3v = x3(t, u)
exp = to_felem((prime - 1) // 2)
e1 = fexp(f_p256(x1v), exp)
e2 = fexp(f_p256(x2v), exp)
if e1 == 1:
return x1v
elif e2 == 1:
return x2v
else:
return x3v
Scott, et al. Expires January 3, 2019 [Page 22]
Internet-Draft hash-to-curve July 2018
C.3. Simplified SWU Method
The following hacspec program implements map2curve_simple_swu(alpha)
for P-256.
from p256 import *
from hacspec.speclib import *
a256 = to_felem(prime - 3)
b256 = to_felem(41058363725152142129326129780047268409114441015993725554835256314039467401291)
def f_p256(x:felem_t) -> felem_t:
return fadd(fexp(x, 3), fadd(fmul(to_felem(a256), x), to_felem(b256)))
def map2p256(t:felem_t) -> affine_t:
alpha = to_felem(-(fsqr(t)))
frac = finv((fadd(fsqr(alpha), alpha)))
coefficient = fmul(to_felem(-b256), finv(to_felem(a256)))
x2 = fmul(coefficient, fadd(to_felem(1), frac))
x3 = fmul(alpha, x2)
h2 = fadd(fexp(x2, 3), fadd(fmul(a256, x2), b256))
h3 = fadd(fexp(x3, 3), fadd(fmul(a256, x3), b256))
exp = fmul(fadd(to_felem(prime), to_felem(-1)), finv(to_felem(2)))
e = fexp(h2, exp)
exp = to_felem((prime + 1) // 4)
if e == 1:
return (x2, fexp(f_p256(x2), exp))
else:
return (x3, fexp(f_p256(x3), exp))
C.4. Elligator2 Method
The following hacspec program implements map2curve_elligator2(alpha)
for Curve25519.
Scott, et al. Expires January 3, 2019 [Page 23]
Internet-Draft hash-to-curve July 2018
from curve25519 import *
from hacspec.speclib import *
a25519 = to_felem(486662)
b25519 = to_felem(1)
u25519 = to_felem(2)
@typechecked
def f_25519(x:felem_t) -> felem_t:
return fadd(fmul(x, fsqr(x)), fadd(fmul(a25519, fsqr(x)), x))
@typechecked
def map2curve25519(r:felem_t) -> felem_t:
d = fsub(to_felem(p25519), fmul(a25519, finv(fadd(to_felem(1), fmul(u25519, fsqr(r))))))
power = nat((p25519 - 1) // 2)
e = fexp(f_25519(d), power)
x = 0
if e != 1:
x = fsub(to_felem(-d), to_felem(a25519))
else:
x = d
return x
Authors' Addresses
Sam Scott
Cornell Tech
2 West Loop Rd
New York, New York 10044
United States of America
Email: sam.scott@cornell.edu
Nick Sullivan
Cloudflare
101 Townsend St
San Francisco
United States of America
Email: nick@cloudflare.com
Scott, et al. Expires January 3, 2019 [Page 24]
Internet-Draft hash-to-curve July 2018
Christopher A. Wood
Apple Inc.
One Apple Park Way
Cupertino, California 95014
United States of America
Email: cawood@apple.com
Scott, et al. Expires January 3, 2019 [Page 25]