Network Working Group S. Scott Internet-Draft Cornell Tech Intended status: Informational N. Sullivan Expires: January 3, 2019 Cloudflare C. Wood Apple Inc. July 02, 2018 Hashing to Elliptic Curves draft-irtf-cfrg-hash-to-curve-01 Abstract This document specifies a number of algorithms that may be used to hash arbitrary strings to Elliptic Curves. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 3, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Scott, et al. Expires January 3, 2019 [Page 1]

Internet-Draft hash-to-curve July 2018 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1. Encoding . . . . . . . . . . . . . . . . . . . . . . 5 2.1.2. Serialization . . . . . . . . . . . . . . . . . . . . 5 2.1.3. Random Oracle . . . . . . . . . . . . . . . . . . . . 5 3. Algorithm Recommendations . . . . . . . . . . . . . . . . . . 6 4. Utility Functions . . . . . . . . . . . . . . . . . . . . . . 7 5. Deterministic Encodings . . . . . . . . . . . . . . . . . . . 7 5.1. Interface . . . . . . . . . . . . . . . . . . . . . . . . 7 5.2. Encoding Variants . . . . . . . . . . . . . . . . . . . . 7 5.2.1. Icart Method . . . . . . . . . . . . . . . . . . . . 7 5.2.2. Shallue-Woestijne-Ulas Method . . . . . . . . . . . . 9 5.2.3. Simplified SWU Method . . . . . . . . . . . . . . . . 10 5.2.4. Elligator2 Method . . . . . . . . . . . . . . . . . . 12 5.3. Cost Comparison . . . . . . . . . . . . . . . . . . . . . 13 6. Random Oracles . . . . . . . . . . . . . . . . . . . . . . . 14 6.1. Interface . . . . . . . . . . . . . . . . . . . . . . . . 14 6.2. General Construction (FFSTV13) . . . . . . . . . . . . . 14 7. Curve Transformations . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 15 12. Normative References . . . . . . . . . . . . . . . . . . . . 15 Appendix A. Related Work . . . . . . . . . . . . . . . . . . . . 17 A.1. Probabilistic Encoding . . . . . . . . . . . . . . . . . 17 A.2. Naive Encoding . . . . . . . . . . . . . . . . . . . . . 17 A.3. Deterministic Encoding . . . . . . . . . . . . . . . . . 18 A.4. Supersingular Curves . . . . . . . . . . . . . . . . . . 18 A.5. Twisted Variants . . . . . . . . . . . . . . . . . . . . 18 Appendix B. Try-and-Increment Method . . . . . . . . . . . . . . 19 Appendix C. Sample Code . . . . . . . . . . . . . . . . . . . . 19 C.1. Icart Method . . . . . . . . . . . . . . . . . . . . . . 19 C.2. Shallue-Woestijne-Ulas Method . . . . . . . . . . . . . . 21 C.3. Simplified SWU Method . . . . . . . . . . . . . . . . . . 23 C.4. Elligator2 Method . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 1. Introduction Many cryptographic protocols require a procedure which maps arbitrary input, e.g., passwords, to points on an elliptic curve (EC). Prominent examples include Simple Password Exponential Key Exchange Scott, et al. Expires January 3, 2019 [Page 2]

Internet-Draft hash-to-curve July 2018 [Jablon96], Password Authenticated Key Exchange [BMP00], Identity- Based Encryption [BF01] and Boneh-Lynn-Shacham signatures [BLS01]. Unfortunately for implementors, the precise mapping which is suitable for a given scheme is not necessarily included in the description of the protocol. Compounding this problem is the need to pick a suitable curve for the specific protocol. This document aims to address this lapse by providing a thorough set of recommendations across a range of implementations, and curve types. We provide implementation and performance details for each mechanism, along with references to the security rationale behind each recommendation and guidance for applications not yet covered. Each algorithm conforms to a common interface, i.e., it maps an element from a bitstring {0, 1}^* to a curve E. For each variant, we describe the requirements for E to make it work. Sample code for each variant is presented in the appendix. Unless otherwise stated, all elliptic curve points are assumed to be represented as affine coordinates, i.e., (x, y) points on a curve. 1.1. Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Background Here we give a brief definition of elliptic curves, with an emphasis on defining important parameters and their relation to encoding. Let F be the finite field GF(p^k). We say that F is a field of characteristic p. For most applications, F is a prime field, in which case k=1 and we will simply write GF(p). Elliptic curves come in many variants, including, but not limited to: Weierstrass, Montgomery, and Edwards. Each of these variants correspond to a different category of curve equation. For example, the short Weierstrauss equation is of the form "y^2 = x^3 + Ax + B". Certain encoding functions may have requirements on the curve form and the parameters, such as A and B in the previous example. An elliptic curve E is specified by the equation, and a finite field F. The curve E forms a group, whose elements correspond to those who satisfy the curve equation, with values taken from the field F. As a group, E has order n, which is the number of points on the curve. When n is not prime, we write n = qh + r, where q is prime, and h is Scott, et al. Expires January 3, 2019 [Page 3]

Internet-Draft hash-to-curve July 2018 said to be the cofactor. It is frequently a requirement that all cryptographic operations take place in a prime order group. In this case, we may wish an encoding to return elements of order q. For a mapping outputting elements on E, we can multiply by the cofactor h to obtain an element in the subgroup. In practice, the input of a given cryptographic algorithm will be a bitstring of arbitrary length, denoted {0, 1}^*. Hence, a concern for virtually all protocols involving elliptic curves is how to convert this input into a curve point. Note that the number of points on an elliptic curve E is within 2*sqrt(p) of p by Hasse's Theorem. As a rule of thumb, for every x in GF(p), there is approximately a 1/2 chance that there exist a corresponding y value such that (x, y) is on the curve E. Since the point (x, -y) is also on the curve, then this sums to approximately p points. Ultimately, an encoding function takes a bitstring {0, 1}^* to an element of E, of order n (or q), and represented by variables in GF(p). Summary of quantities: +--------+-------------------+--------------------------------------+ | Symbol | Meaning | Relevance | +--------+-------------------+--------------------------------------+ | p | Order of finite | Curve points need to be represented | | | field, F = GF(p) | in terms of p. For prime powers, we | | | | write F = GF(p^k). | | | | | | n | Number of curve | For map to E, needs to produce n | | | points, #E(F) = n | elements. | | | | | | q | Order of prime | If n is not prime, may need mapping | | | subgroup of E, n | to q. | | | = qh + r | | | | | | | h | Cofactor of prime | For mapping to subgroup, need to | | | subgroup | multiply by cofactor. | +--------+-------------------+--------------------------------------+ 2.1. Terminology In the following, we categorize the terminology for mapping between bitstrings and elliptic curves. Scott, et al. Expires January 3, 2019 [Page 4]

Internet-Draft hash-to-curve July 2018 2.1.1. Encoding The general term "encoding" is used to refer to the process of producing an elliptic curve point given as input a bitstring. In some protocols, the original message may also be recovered through a decoding procedure. An encoding may be deterministic or probabilistic, although the latter is problematic in potentially leaking plaintext information as a side-channel. In most cases, the curve E is over a finite field GF(p^k), with p > 2. Suppose as the input to the encoding function we wish to use a fixed-length bitstring of length L. Comparing sizes of the sets, 2^L and n, an encoding function cannot be both deterministic and bijective. We can instead use an injective encoding from {0, 1}^L to E, with "L < log2(n)- 1", which is a bijection over a subset of points in E. This ensures that encoded plaintext messages can be recovered. 2.1.2. Serialization A related issue is the conversion of an elliptic curve point to a bitstring. We refer to this process as "serialization", since it is typically used for compactly storing and transporting points, or for producing canonicalized outputs. Since a deserialization algorithm can often be used as a type of encoding algorithm, we also briefly document properties of these functions. A naive serialization algorithm maps a point (x, y) on E to a bitstring of length 2*log(p), given that x, y are both elements in GF(p). However, since there are only n points in E (with n approximately equal to p), it is possible to serialize to a bitstring of length log(n). For example, one common method is to store the x-coordinate and a single bit to determine whether the point is (x, y) or (x, -y), thus requiring log(p)+1 bits. Thus exchanging computation (recovering the y coordinate) for storage. 2.1.3. Random Oracle It is often the case that the output of the encoding function Section 2.1.1 should be distributed uniformly at random on the elliptic curve. That is, there is no discernible relation existing between outputs that can be computed based on the inputs. In practice, this requirement stems from needing a random oracle which outputs elliptic curve points: one way to construct this is by first taking a regular random oracle, operating entirely on bitstrings, and applying a suitable encoding function to the output. Scott, et al. Expires January 3, 2019 [Page 5]

Internet-Draft hash-to-curve July 2018 This motivates the term "hashing to the curve", since cryptographic hash functions are typically modeled as random oracles. However, this still leaves open the question of what constitutes a suitable encoding method, which is a primary concern of this document. A random oracle onto an elliptic curve can also be instantiated using direct constructions, however these tend to rely on many group operations and are less efficient than hash and encode methods. 3. Algorithm Recommendations The following table lists algorithms recommended by use-case: +----------------+-----------------+--------------------------------+ | Application | Requirement | Additional Details | +----------------+-----------------+--------------------------------+ | SPEKE | Naive | H(x)*G | | [Jablon96] | | | | | | | | PAKE [BMP00] | Random Oracle | - | | | | | | BLS [BLS01] | Random Oracle | - | | | | | | IBE [BF01] | Random Oracle | Supersingular, pairing- | | | | friendly curve | | | | | | PRF | Injective | F(k, m) = k*H(m) | | | encoding | | +----------------+-----------------+--------------------------------+ To find the suitable algorithm, lookup the requirement from above, with the chosen curve in the below: +------------+--------------------------+---------------+ | Curve | Inj. Encoding | Random Oracle | +------------+--------------------------+---------------+ | P-256 | Simple SWU Section 5.2.3 | FFSTV(SWU) | | | | | | P-384 | Icart Section 5.2.1 | FFSTV(Icart) | | | | | | Curve25519 | Elligator2 Section 5.2.4 | ... | | | | | | Curve448 | Elligator2 Section 5.2.4 | ... | +------------+--------------------------+---------------+ Scott, et al. Expires January 3, 2019 [Page 6]

Internet-Draft hash-to-curve July 2018 4. Utility Functions Algorithms in this document make use of utility functions described below. o HashToBase(x): H(x)[0:log2(p) + 1], i.e., hash-truncate-reduce, where H is a cryptographic hash function, such as SHA256, and p is the prime order of base field Fp. o CMOV(a, b, c): If c = 1, return a, else return b. Note: We assume that HashToBase maps its input to the base field uniformly. In practice, there may be inherent biases in p, e.g., p = 2^k - 1 will have non-negligible bias in higher bits. 5. Deterministic Encodings 5.1. Interface The generic interface for deterministic encoding functions to elliptic curves is as follows: map2curve(alpha) where alpha is a message to encode on a curve. 5.2. Encoding Variants 5.2.1. Icart Method The following map2curve_icart(alpha) implements the Icart method from [Icart09]. This algorithm works for any curve over F_{p^n}, where p^n = 2 mod 3 (or p = 2 mod 3 and for odd n), including: o P384 o Curve1174 o Curve448 Unsupported curves include: P224, P256, P521, and Curve25519 since, for each, p = 1 mod 3. Mathematically, given input alpha, and A and B from E, the Icart method works as follows: Scott, et al. Expires January 3, 2019 [Page 7]

Internet-Draft hash-to-curve July 2018 u = HashToBase(alpha) x = (v^2 - b - (u^6 / 27))^(1/3) + (u^2 / 3) y = ux + v where v = ((3A - u^4) / 6u). The following procedure implements this algorithm in a straight-line fashion. It requires knowledge of A and B, the constants from the curve Weierstrass form. It outputs a point with affine coordinates. map2curve_icart(alpha) Input: alpha - value to be hashed, an octet string Output: (x, y) - a point in E Steps: 1. u = HashToBase(alpha) // {0,1}^* -> Fp 2. u2 = u^2 (mod p) // u^2 3. t2 = u2^2 (mod p) // u^4 4. v1 = 3 * A (mod p) // 3A 5. v1 = v1 - t2 (mod p) // 3A - u^4 6. t1 = 6 * u (mod p) // 6u 7. t3 = t1 ^ (-1) (mod p) // modular inverse 8. v = v1 * t3 (mod p) // (3A - u^4)/(6u) 9. x = v^2 (mod p) // v^2 10. x = x - B (mod p) // v^2 - b 11. t1 = 27 ^ (-1) (mod p) // 1/27 12. t1 = t1 * u2 (mod p) // u^4 / 27 13. t1 = t1 * t2 (mod p) // u^6 / 27 14. x = x - t1 (mod p) // v^2 - b - u^6/27 15. t1 = (2 * p) - 1 (mod p) // 2p - 1 16. t1 = t1 / 3 (mod p) // (2p - 1)/3 17. x = x^t1 (mod p) // (v^2 - b - u^6/27) ^ (1/3) 18. t2 = u2 / 3 (mod p) // u^2 / 3 19. x = x + t2 (mod p) // (v^2 - b - u^6/27) ^ (1/3) + (u^2 / 3) 20. y = u * x (mod p) // ux 21. y = y + v (mod p) // ux + v 22. Output (x, y) Scott, et al. Expires January 3, 2019 [Page 8]

Internet-Draft hash-to-curve July 2018 5.2.2. Shallue-Woestijne-Ulas Method The Shallue-Woestijne-Ulas (SWU) method, originated in part by Shallue and Woestijne [SW06] and later simplified and extended by Ulas [SWU07], deterministically encodes an artbirary string to a point on a curve. This algorithm works for any curve over F_{p^n}. Given curve equation g(x) = x^3 + Ax + B, two separate HashToBase implementations, H0 and H1, this algorithm works as follows: 1. t = H0(alpha) 2. u = H1(alpha) 3. X1 = u 4. X2 = (-B / A)(1 + 1 / (t^4 * g(u)^2 + t^2 * g(u))) 5. X3 = t^3 * g(u)^2 * g(X2) 6. If g(X1) is square, output (X1, sqrt(g(X1))) 7. If g(X2) is square, output (X2, sqrt(g(X2))) 8. Output (X3(t, u), sqrt(g(X3))) The algorithm relies on the following equality: t^3 * g(u)^2 * g(X2(t, u)) = g(X1(t, u)) * g(X2(t, u)) * g(X3(t, u)) The algorithm computes three candidate points, constructed such that at least one of them lies on the curve. The following procedure implements this algorithm. It outputs a point with affine coordinates. It requires knowledge of A and B, the constants from the curve Weierstrass form. map2curve_squ(alpha) Input: alpha - value to be hashed, an octet string H0 - HashToBase implementation H1 - HashToBase implementation Output: (x, y) - a point in E Steps: 1. t = H0(alpha) // {0,1}^* -> Fp 2. u = H1(alpha) // {0,1}^* -> Fp 3. t2 = t^2 4. t4 = t2^2 5. gu = u^3 Scott, et al. Expires January 3, 2019 [Page 9]

Internet-Draft hash-to-curve July 2018 6. gu = gu + (A * u) 7. gu = gu + B // gu = g(u) 8. x1 = u // x1 = X1(t, u) = u 9. x2 = B * -1 10. x2 = x2 / A 11. gx1 = x1^3 12. gx1 = gx1 + (A * x1) 13. gx1 = gx1 + B // gx1 = g(X1(t, u)) 14. d1 = gu^2 15. d1 = d1 * t4 16. d2 = t2 * gu 17. d3 = d1 + d2 18. d3 = d3^(-1) 19. n1 = 1 + d3 20. x2 = x2 * n1 // x2 = X2(t, u) 21. gx2 = x2^3 22. gx2 = gx2 + (A * x2) 23. gx2 = gx2 + B // gx2 = g(X2(t, u)) 24. x3 = t2 * gu 25. x3 = x3 * x2 // x3 = X3(t, u) 26. gx3 = x3^3 27. gx3 = gx3 + (A * x3) 28. gx3 = gx3 + B // gx3 = g(X3(t, u)) 29. l1 = gx1^((p - 1) / 2) 30. l2 = gx2^((p - 1) / 2) 31. s1 = gx1^(1/2) 32. s2 = gx2^(1/2) 33. s3 = gx3^(1/2) 34. if l1 == 1: 35. Output (x1, s1) 36. if l2 == 1: 37. Output (x2, s2) 38. Output (x3, s3) 5.2.3. Simplified SWU Method The following map2curve_simple_swu(alpha) implements the simplfied Shallue-Woestijne-Ulas algorithm from [SimpleSWU]. This algorithm works for any curve over F_{p^n}, where p = 3 mod 4, including: o P256 o ... Given curve equation g(x) = x^3 + Ax + B, this algorithm works as follows: Scott, et al. Expires January 3, 2019 [Page 10]

Internet-Draft hash-to-curve July 2018 1. t = HashToBase(alpha) 2. alpha = (-b / a) * (1 + (1 / (t^4 + t^2))) 3. beta = -t^2 * alpha 4. If g(alpha) is square, output (alpha, sqrt(g(alpha))) 5. Output (beta, sqrt(g(beta))) The following procedure implements this algorithm. It outputs a point with affine coordinates. It requires knowledge of A and B, the constants from the curve Weierstrass form. map2curve_simple_swu(alpha) Input: alpha - value to be encoded, an octet string Output: (x, y) - a point in E Steps: 1. t = HashToBase(alpha) 2. alpha = t^2 (mod p) 3. alpha = alpha * -1 (mod p) 4. right = alpha^2 + alpha (mod p) 5. right = right^(-1) (mod p) 6. right = right + 1 (mod p) 7. left = B * -1 (mod p) 8. left = left / A (mod p) 9. x2 = left * right (mod p) 10. x3 = alpha * x2 (mod p) 11. h2 = x2 ^ 3 (mod p) 12. i2 = x2 * A (mod p) 13. i2 = i2 + B (mod p) 14. h2 = h2 + i2 (mod p) 15. h3 = x3 ^ 3 (mod p) 16. i3 = x3 * A (mod p) 17. i3 = i3 + B (mod p) 18. h3 = h3 + i3 (mod p) 19. y1 = h2 ^ ((p + 1) // 4) (mod p) 20. y2 = h3 ^ ((p + 1) // 4) (mod p) 21. e = (y1 ^ 2 == h2) 22. x = CMOV(x2, x3, e) // If e = 1, choose x2, else choose x3 23. y = CMOV(y1, y2, e) // If e = 1, choose y1, else choose y2 24. Output (x, y) Scott, et al. Expires January 3, 2019 [Page 11]

Internet-Draft hash-to-curve July 2018 5.2.4. Elligator2 Method The following map2curve_elligator2(alpha) implements the Elligator2 method from [Elligator2]. This algorithm works for any curve with a point of order 2 and j-invariant != 1728. Given curve equation f(x) = y^2 = x(x^2 + Ax + B), i.e., a Montgomery form with the point of order 2 at (0,0), this algorithm works as shown below. (Note that any curve with a point of order 2 is isomorphic to this representation.) 1. r = HashToBase(alpha) 2. If f(-A/(1+ur^2)) is square, then output f(-A/(1+ur^2))^(1/2) 3. Else, output f(-Aur^2/(1+ur^2))^(1/2) Another way to express this algorithm is as follows: 1. r = HashToBase(alpha) 2. d = -A / (1 + ur^2) 3. e = f(d)^((p-1)/2) 4. u = ed - (1 - e)A/u Here, e is the Legendre symbol of y = (d^3 + Ad^2 + d), which will be 1 if y is a quadratic residue (square) mod p, and -1 otherwise. (Note that raising y to ((p -1) / 2) is a common way to compute the Legendre symbol.) The following procedure implements this algorithm. Scott, et al. Expires January 3, 2019 [Page 12]

Internet-Draft hash-to-curve July 2018 map2curve_elligator2(alpha) Input: alpha - value to be encoded, an octet string u - fixed non-square value in Fp. f() - Curve function Output: (x, y) - a point in E Steps: 1. r = HashToBase(alpha) 2. r = r^2 (mod p) 3. nu = r * u (mod p) 4. r = nu 5. r = r + 1 (mod p) 6. r = r^(-1) (mod p) 7. v = A * r (mod p) 8. v = v * -1 (mod p) // -A / (1 + ur^2) 9. v2 = v^2 (mod p) 10. v3 = v * v2 (mod p) 11. e = v3 * v (mod p) 12. v2 = v2 * A (mod p) 13. e = v2 * e (mod p) 14. e = e^((p - 1) / 2) // Legendre symbol 15. nv = v * -1 (mod p) 16. v = CMOV(v, nv, e) // If e = 1, choose v, else choose nv 17. v2 = CMOV(0, A, e) // If e = 1, choose 0, else choose A 18. u = v - v2 (mod p) 19. Output (u, f(u)) Elligator2 can be simplified with projective coordinates. ((TODO: write this variant)) 5.3. Cost Comparison The following table summarizes the cost of each map2curve variant. We express this cost in terms of additions (A), multiplications (M), squares (SQ), and square roots (SR). ((TODO: finish this section)) Scott, et al. Expires January 3, 2019 [Page 13]

Internet-Draft hash-to-curve July 2018 +----------------------+-------------------+ | Algorithm | Cost (Operations) | +----------------------+-------------------+ | map2curve_icart | TODO | | | | | map2curve_swu | TODO | | | | | map2curve_simple_swu | TODO | | | | | map2curve_elligator2 | TODO | +----------------------+-------------------+ 6. Random Oracles 6.1. Interface The generic interface for deterministic encoding functions to elliptic curves is as follows: hash2curve(alpha) where alpha is a message to encode on a curve. 6.2. General Construction (FFSTV13) When applications need a Random Oracle (RO), they can be constructed from deterministic encoding functions. In particular, let F : {0,1}^* -> E be a deterministic encoding function onto curve E, and let H0 and H1 be two hash functions modeled as random oracles that map input messages to the base field of E, i.e., Z_q. Farashahi et al. [FFSTV13] showed that the following mapping is indistinguishable from a RO: hash2curve(alpha) = F(H0(alpha)) + F(H1(alpha)) This construction works for the Icart, SWU, and Simplfied SWU encodings. Here, H0 and H1 could be constructed as follows: H0(alpha) = HashToBase(0 || alpha) H1(alpha) = HashToBase(1 || alpha) 7. Curve Transformations ((TODO: write this section)) Scott, et al. Expires January 3, 2019 [Page 14]

Internet-Draft hash-to-curve July 2018 8. IANA Considerations This document has no IANA actions. 9. Security Considerations Each encoding function variant accepts arbitrary input and maps it to a pseudorandom point on the curve. Points are close to indistinguishable from randomly chosen elements on the curve. Not all encoding functions are full-domain hashes. Elligator2, for example, only maps strings to "about half of all curve points," whereas Icart's method only covers about 5/8 of the points. 10. Acknowledgements The authors would like to thank Adam Langley for this detailed writeup up Elligator2 with Curve25519 [ElligatorAGL]. We also thank Sean Devlin and Thomas Icart for feedback on earlier versions of this document. 11. Contributors o Sharon Goldberg Boston University goldbe@cs.bu.edu 12. Normative References [BF01] "Identity-based encryption from the Weil pairing", n.d.. [BLS01] "Short signatures from the Weil pairing", n.d., <https://iacr.org/archive/asiacrypt2001/22480516.pdf>. [BMP00] "Provably secure password-authenticated key exchange using diffie-hellman", n.d.. [ECOPRF] "EC-OPRF - Oblivious Pseudorandom Functions using Elliptic Curves", n.d.. [Elligator2] "Elligator -- Elliptic-curve points indistinguishable from uniform random strings", n.d., <https://dl.acm.org/ ft_gateway.cfm?id=2516734&type=pdf>. [ElligatorAGL] "Implementing Elligator for Curve25519", n.d., <https://www.imperialviolet.org/2013/12/25/ elligator.html>. Scott, et al. Expires January 3, 2019 [Page 15]

Internet-Draft hash-to-curve July 2018 [FFSTV13] "Indifferentiable deterministic hashing to elliptic and hyperelliptic curves", n.d.. [hacspec] "hacspec", n.d., <https://github.com/HACS-workshop/ hacspec>. [Icart09] "How to Hash into Elliptic Curves", n.d., <https://eprint.iacr.org/2009/226.pdf>. [Jablon96] "Strong password-only authenticated key exchange", n.d.. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc- editor.org/info/rfc2119>. [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>. [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, <https://www.rfc-editor.org/info/rfc8017>. [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc- editor.org/info/rfc8032>. [SECG1] "SEC 1 -- Elliptic Curve Cryptography", n.d., <http://www.secg.org/sec1-v2.pdf>. [SimpleSWU] "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", n.d.. [SW06] "Construction of rational points on elliptic curves over finite fields", n.d.. [SWU07] "Rational points on certain hyperelliptic curves over finite fields", n.d., <https://arxiv.org/pdf/0706.1448>. Scott, et al. Expires January 3, 2019 [Page 16]

Internet-Draft hash-to-curve July 2018 Appendix A. Related Work In this chapter, we give a background to some common methods to encode or hash to the curve, motivated by the similar exposition in [Icart09]. Understanding of this material is not required in order to choose a suitable encoding function - we defer this to Section 3 - the background covered here can work as a template for analyzing encoding functions not found in this document, and as a guide for further research into the topics covered. A.1. Probabilistic Encoding As mentioned in Section 2, as a rule of thumb, for every x in GF(p), there is approximately a 1/2 chance that there exist a corresponding y value such that (x, y) is on the curve E. This motivates the construction of the MapToGroup method described by Boneh et al. [BLS01]. For an input message m, a counter i, and a standard hash function H : {0, 1}^* -> GF(p) x {0, 1}, one computes (x, b) = H(i || m), where i || m denotes concatenation of the two values. Next, test to see whether there exists a corresponding y value such that (x, y) is on the curve, returning (x, y) if successful, where b determines whether to take +/- y. If there does not exist such a y, then increment i and repeat. A maximum counter value is set to I, and since each iteration succeeds with probability approximately 1/2, this process fails with probability 2^-I. (See Appendix B for a more detailed description of this algorithm.) Although MapToGroup describes a method to hash to the curve, it can also be adapted to a simple encoding mechanism. For a bitstring of length strictly less than log2(p), one can make use of the spare bits in order to encode the counter value. Allocating more space for the counter increases the expansion, but reduces the failure probability. Since the running time of the MapToGroup algorithm depends on m, this algorithm is NOT safe for cases sensitive to timing side channel attacks. Deterministic algorithms are needed in such cases where failures are undesirable. A.2. Naive Encoding A naive solution includes computing H(m)*G as map2curve(m), where H is a standard hash function H : {0, 1}^* -> GF(p), and G is a generator of the curve. Although efficient, this solution is unsuitable for constructing a random oracle onto E, since the discrete logarithm with respect to G is known. For example, given y1 = map2curve(m1) and y2 = map2curve(m2) for any m1 and m2, it must be true that y2 = H(m2) / H(m1) * map2curve(m1). This relationship Scott, et al. Expires January 3, 2019 [Page 17]

Internet-Draft hash-to-curve July 2018 would not hold (with overwhelming probability) for truly random values y1 and y2. This causes catastrophic failure in many cases. However, one exception is found in SPEKE [Jablon96], which constructs a base for a Diffie-Hellman key exchange by hashing the password to a curve point. Notably the use of a hash function is purely for encoding an arbitrary length string to a curve point, and does not need to be a random oracle. A.3. Deterministic Encoding Shallue, Woestijne, and Ulas [SW06] first introduced a deterministic algorithm that maps elements in F_{q} to a curve in time O(log^4 q), where q = p^n for some prime p, and time O(log^3 q) when q = 3 mod 4. Icart introduced yet another deterministic algorithm which maps F_{q} to any EC where q = 2 mod 3 in time O(log^3 q) [Icart09]. Elligator (2) [Elligator2] is yet another deterministic algorithm for any odd- characteristic EC that has a point of order 2. Elligator2 can be applied to Curve25519 and Curve448, which are both CFRG-recommended curves [RFC7748]. However, an important caveat to all of the above deterministic encoding functions, is that none of them map injectively to the entire curve, but rather some fraction of the points. This makes them unable to use to directly construct a random oracle on the curve. Brier et al. [SimpleSWU] proposed a couple of solutions to this problem, The first applies solely to Icart's method described above, by computing F(H1(m)) + F(H2(m)) for two distinct hash functions H1, H2. The second uses a generator G, and computes F(H1(m)) + H2(m)*G. Later, Farashahi et al. [FFSTV13] showed the generality of the F(H1(m)) + F(H2(m)) method, as well as the applicability to hyperelliptic curves (not covered here). A.4. Supersingular Curves For supersingular curves, for every y in GF(p) (with p>3), there exists a value x such that (x, y) is on the curve E. Hence we can construct a bijection F : GF(p) -> E (ignoring the point at infinity). This is the case for [BF01], but is not common. A.5. Twisted Variants We can also consider curves which have twisted variants, E^d. For such curves, for any x in GF(p), there exists y in GF(p) such that (x, y) is either a point on E or E^d. Hence one can construct a bijection F : GF(p) x {0,1} -> E ∪ E^d, where the extra bit is needed to choose the sign of the point. This can be particularly Scott, et al. Expires January 3, 2019 [Page 18]

Internet-Draft hash-to-curve July 2018 useful for constructions which only need the x-coordinate of the point. For example, x-only scalar multiplication can be computed on Montgomery curves. In this case, there is no need for an encoding function, since the output of F in GF(p) is sufficient to define a point on one of E or E^d. Appendix B. Try-and-Increment Method In cases where constant time execution is not required, the so-called try-and-increment method may be appropriate. As discussion in Section Section 1, this variant works by hashing input m using a standard hash function ("Hash"), e.g., SHA256, and then checking to see if the resulting point E(m, f(m)), for curve function f, belongs on E. This is detailed below. 1. ctr = 0 3. h = "INVALID" 4. While h is "INVALID" or h is EC point at infinity: A. CTR = I2OSP(ctr, 4) B. ctr = ctr + 1 C. attempted_hash = Hash(m || CTR) D. h = RS2ECP(attempted_hash) E. If h is not "INVALID" and cofactor > 1, set h = h^cofactor 5. Output h I2OSP is a function that converts a nonnegative integer to octet string as defined in SectionÂ 4.1 of [RFC8017], and RS2ECP is a function that converts of a random 2n-octet string to an EC point as specified in SectionÂ 5.1.3 of [RFC8032]. Appendix C. Sample Code This section contains reference implementations for each map2curve variant built using [hacspec]. C.1. Icart Method The following hacspec program implements map2curve_icart(alpha) for P-384. from hacspec.speclib import * prime = 2**384 - 2**128 - 2**96 + 2**32 - 1 felem_t = refine(nat, lambda x: x < prime) affine_t = tuple2(felem_t, felem_t) @typechecked Scott, et al. Expires January 3, 2019 [Page 19]

Internet-Draft hash-to-curve July 2018 def to_felem(x: nat_t) -> felem_t: return felem_t(nat(x % prime)) @typechecked def fadd(x: felem_t, y: felem_t) -> felem_t: return to_felem(x + y) @typechecked def fsub(x: felem_t, y: felem_t) -> felem_t: return to_felem(x - y) @typechecked def fmul(x: felem_t, y: felem_t) -> felem_t: return to_felem(x * y) @typechecked def fsqr(x: felem_t) -> felem_t: return to_felem(x * x) @typechecked def fexp(x: felem_t, n: nat_t) -> felem_t: return to_felem(pow(x, n, prime)) @typechecked def finv(x: felem_t) -> felem_t: return to_felem(pow(x, prime-2, prime)) a384 = to_felem(prime - 3) b384 = to_felem(27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575) @typechecked def map2p384(u:felem_t) -> affine_t: v = fmul(fsub(fmul(to_felem(3), a384), fexp(u, 4)), finv(fmul(to_felem(6), u))) u2 = fmul(fexp(u, 6), finv(to_felem(27))) x = fsub(fsqr(v), b384) x = fsub(x, u2) x = fexp(x, (2 * prime - 1) // 3) x = fadd(x, fmul(fsqr(u), finv(to_felem(3)))) y = fadd(fmul(u, x), v) return (x, y) Scott, et al. Expires January 3, 2019 [Page 20]

Internet-Draft hash-to-curve July 2018 C.2. Shallue-Woestijne-Ulas Method The following hacspec program implements map2curve_swu(alpha) for P-256. Scott, et al. Expires January 3, 2019 [Page 21]

Internet-Draft hash-to-curve July 2018 from p256 import * from hacspec.speclib import * a256 = to_felem(prime - 3) b256 = to_felem(41058363725152142129326129780047268409114441015993725554835256314039467401291) @typechecked def f_p256(x:felem_t) -> felem_t: return fadd(fexp(x, 3), fadd(fmul(to_felem(a256), x), to_felem(b256))) @typechecked def x1(t:felem_t, u:felem_t) -> felem_t: return u @typechecked def x2(t:felem_t, u:felem_t) -> felem_t: coefficient = fmul(to_felem(-b256), finv(to_felem(a256))) t2 = fsqr(t) t4 = fsqr(t2) gu = f_p256(u) gu2 = fsqr(gu) denom = fadd(fmul(t4, gu2), fmul(t2, gu)) return fmul(coefficient, fadd(to_felem(1), finv(denom))) @typechecked def x3(t:felem_t, u:felem_t) -> felem_t: return fmul(fsqr(t), fmul(f_p256(u), x2(t, u))) @typechecked def map2p256(t:felem_t) -> felem_t: u = fadd(t, to_felem(1)) x1v = x1(t, u) x2v = x2(t, u) x3v = x3(t, u) exp = to_felem((prime - 1) // 2) e1 = fexp(f_p256(x1v), exp) e2 = fexp(f_p256(x2v), exp) if e1 == 1: return x1v elif e2 == 1: return x2v else: return x3v Scott, et al. Expires January 3, 2019 [Page 22]

Internet-Draft hash-to-curve July 2018 C.3. Simplified SWU Method The following hacspec program implements map2curve_simple_swu(alpha) for P-256. from p256 import * from hacspec.speclib import * a256 = to_felem(prime - 3) b256 = to_felem(41058363725152142129326129780047268409114441015993725554835256314039467401291) def f_p256(x:felem_t) -> felem_t: return fadd(fexp(x, 3), fadd(fmul(to_felem(a256), x), to_felem(b256))) def map2p256(t:felem_t) -> affine_t: alpha = to_felem(-(fsqr(t))) frac = finv((fadd(fsqr(alpha), alpha))) coefficient = fmul(to_felem(-b256), finv(to_felem(a256))) x2 = fmul(coefficient, fadd(to_felem(1), frac)) x3 = fmul(alpha, x2) h2 = fadd(fexp(x2, 3), fadd(fmul(a256, x2), b256)) h3 = fadd(fexp(x3, 3), fadd(fmul(a256, x3), b256)) exp = fmul(fadd(to_felem(prime), to_felem(-1)), finv(to_felem(2))) e = fexp(h2, exp) exp = to_felem((prime + 1) // 4) if e == 1: return (x2, fexp(f_p256(x2), exp)) else: return (x3, fexp(f_p256(x3), exp)) C.4. Elligator2 Method The following hacspec program implements map2curve_elligator2(alpha) for Curve25519. Scott, et al. Expires January 3, 2019 [Page 23]

Internet-Draft hash-to-curve July 2018 from curve25519 import * from hacspec.speclib import * a25519 = to_felem(486662) b25519 = to_felem(1) u25519 = to_felem(2) @typechecked def f_25519(x:felem_t) -> felem_t: return fadd(fmul(x, fsqr(x)), fadd(fmul(a25519, fsqr(x)), x)) @typechecked def map2curve25519(r:felem_t) -> felem_t: d = fsub(to_felem(p25519), fmul(a25519, finv(fadd(to_felem(1), fmul(u25519, fsqr(r)))))) power = nat((p25519 - 1) // 2) e = fexp(f_25519(d), power) x = 0 if e != 1: x = fsub(to_felem(-d), to_felem(a25519)) else: x = d return x Authors' Addresses Sam Scott Cornell Tech 2 West Loop Rd New York, New York 10044 United States of America Email: sam.scott@cornell.edu Nick Sullivan Cloudflare 101 Townsend St San Francisco United States of America Email: nick@cloudflare.com Scott, et al. Expires January 3, 2019 [Page 24]

Internet-Draft hash-to-curve July 2018 Christopher A. Wood Apple Inc. One Apple Park Way Cupertino, California 95014 United States of America Email: cawood@apple.com Scott, et al. Expires January 3, 2019 [Page 25]