Hashing to Elliptic Curves Through Cipolla–Lehmer–Müller’s Square Root Algorithm

  • Research Article
  • Journal of Cryptology

Abstract

The present article provides a novel hash function \({\mathcal {H}}\) to any elliptic curve of j-invariant \(\ne 0, 1728\) over a finite field \({\mathbb {F}}_{\!q}\) of large characteristic. As for most hash functions of this kind, the only bottleneck of \({\mathcal {H}}\) is extracting a square root in \({\mathbb {F}}_{\!q}\). However, \({\mathcal {H}}\) is designed in such a way that the root can be found by (Cipolla–Lehmer–)Müller’s algorithm in constant time. Failure to meet this constant-time requirement is known to be the only obstacle to applying the given algorithm in the cryptographic context. When the field \({\mathbb {F}}_{\!q}\) is highly 2-adic and \(q \equiv 1 \ (\textrm{mod} \ 3)\), the new batching technique is the state-of-the-art hashing solution except for some sporadic curves. Indeed, Müller’s algorithm costs \(\approx 2\log _2(q)\) multiplications in \({\mathbb {F}}_{\!q}\). In turn, the original Tonelli–Shanks square root algorithm and all of its subsequent modifications have the algebraic complexity \(\varTheta (\log (q) + g(\nu ))\), where \(\nu \) is the 2-adicity of \({\mathbb {F}}_{\!q}\) and \(g(\nu )\) is a function that is not \(O(\nu )\). As an example, it is shown that Müller’s algorithm actually needs several times fewer multiplications in the field \({\mathbb {F}}_{\!q}\) (whose \(\nu = 96\)) of the standardized curve NIST P-224.
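The cost comparison in the abstract can be made concrete by counting \({\mathbb {F}}_{\!p}\) multiplications. The Python below is an added example written for this page, not the author's code: it implements plain Cipolla's algorithm in \({\mathbb {F}}_{\!p}[w]/(w^2-d)\) (Müller's Lucas-sequence refinement, which brings the constant down to the \(\approx 2\log _2(q)\) quoted above, is not implemented here) next to textbook Tonelli–Shanks, runs both over the P-224 prime \(p = 2^{224} - 2^{96} + 1\) (whose 2-adicity \(\nu = 96\), as the abstract states), and reports the multiplication counts. The operation counting, the sample inputs, and the choice of \(z = 11\) as a quadratic non-residue (checked in the code by Euler's criterion) are constructed for this example. The search for a suitable \(a\) in `find_cipolla_a` is the variable-time trial step that the paper's construction removes; it is counted separately from the root extraction itself.

```python
"""Square roots in F_p: plain Cipolla vs. Tonelli-Shanks, with F_p multiplication counts.
Added example, not the paper's own code. The prime is that of NIST P-224 (nu = 96, as in
the abstract); operation counting, sample inputs and the non-residue z = 11 are constructed here."""

P224 = 2**224 - 2**96 + 1          # p - 1 = 2^96 * (2^128 - 1), so the 2-adicity nu is 96


def mulmod(a, b, p, stats):
    """One F_p multiplication; every call is counted in stats['mul']."""
    stats["mul"] += 1
    return a * b % p


def powmod(a, e, p, stats):
    """Left-to-right square-and-multiply for e >= 1, counted through mulmod."""
    r = a % p
    for bit in bin(e)[3:]:            # skip '0b' and the leading 1: r already equals a
        r = mulmod(r, r, p, stats)
        if bit == "1":
            r = mulmod(r, a, p, stats)
    return r


def is_nonresidue(x, p, stats):
    """Euler's criterion: x^((p-1)/2) == -1 iff x is a quadratic non-residue (0 reports False)."""
    return powmod(x % p, (p - 1) // 2, p, stats) == p - 1


def find_cipolla_a(n, p, stats):
    """Variable-time trial search for a with a^2 - n a non-residue. This is the step that
    Cipolla/Mueller cannot do in constant time; the hash in the paper is built so that a
    suitable value is known in advance. Counted separately from the root extraction."""
    a = 1
    while not is_nonresidue(a * a - n, p, stats):
        a += 1
    return a


def cipolla_sqrt(n, a, p, stats):
    """Cipolla's algorithm: (a + w)^((p+1)/2) in F_p[w]/(w^2 - d) with d = a^2 - n.
    For a valid a the result lies in F_p and squares to n. The number of F_p multiplications
    depends only on the bits of (p+1)/2, never on n and never on the 2-adicity nu."""
    d = (a * a - n) % p

    def sqr2(u):                      # (x + y w)^2 = x^2 + d y^2 + 2xy w        (4 mults)
        x, y = u
        xx, yy, xy = mulmod(x, x, p, stats), mulmod(y, y, p, stats), mulmod(x, y, p, stats)
        return ((xx + mulmod(d, yy, p, stats)) % p, 2 * xy % p)

    def mul_base(u):                  # (x + y w)(a + w) = xa + dy + (x + ya) w  (3 mults)
        x, y = u
        return ((mulmod(x, a, p, stats) + mulmod(d, y, p, stats)) % p,
                (x + mulmod(y, a, p, stats)) % p)

    r = (a % p, 1)
    for bit in bin((p + 1) // 2)[3:]:
        r = sqr2(r)
        if bit == "1":
            r = mul_base(r)
    return r[0]                       # r[1] is 0 whenever a^2 - n is a non-residue


def tonelli_shanks_sqrt(n, z, p, stats):
    """Textbook Tonelli-Shanks with a fixed non-residue z, for n a quadratic residue.
    The inner loop squares until it reaches 1, so its cost grows with nu, the 2-adicity of p - 1."""
    if n % p == 0:
        return 0
    q, s = p - 1, 0
    while q % 2 == 0:                 # p - 1 = 2^s * q with q odd
        q //= 2
        s += 1
    m = s
    c = powmod(z, q, p, stats)
    t = powmod(n, q, p, stats)
    r = powmod(n, (q + 1) // 2, p, stats)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                # least i with t^(2^i) = 1: up to m - 1 squarings
            t2 = mulmod(t2, t2, p, stats)
            i += 1
        b = powmod(c, 2 ** (m - i - 1), p, stats)
        m = i
        c = mulmod(b, b, p, stats)
        t = mulmod(t, c, p, stats)
        r = mulmod(r, b, p, stats)
    return r


def compare(x, p=P224, z=11):
    """Square the constructed input x, recover a root both ways and return
    (both_roots_correct, cipolla_mults, tonelli_shanks_mults)."""
    n = x * x % p
    a = find_cipolla_a(n, p, {"mul": 0})      # variable-time trial step, not counted below
    st_c, st_t = {"mul": 0}, {"mul": 0}
    rc = cipolla_sqrt(n, a, p, st_c)
    rt = tonelli_shanks_sqrt(n, z, p, st_t)
    ok = rc * rc % p == n and rt * rt % p == n
    return ok, st_c["mul"], st_t["mul"]


if __name__ == "__main__":
    for x in (123456789, 2**100 + 7):   # constructed sample inputs
        ok, mc, mt = compare(x)
        print(f"x={x}: roots ok={ok}, Cipolla mults={mc}, Tonelli-Shanks mults={mt}")
```

With this schoolbook arithmetic Cipolla performs the same 1272 multiplications for every input (222 squarings at 4 multiplications each plus 128 base multiplications at 3 each, since \((p+1)/2 = 2^{223} - 2^{95} + 1\)), i.e. a constant multiple of \(\log _2 p\); Tonelli–Shanks varies from input to input and is several times more expensive here because its inner loop pays for the 96-bit 2-adicity. The two loops in `find_cipolla_a` and `tonelli_shanks_sqrt` are where input-dependent timing enters, which is exactly what the abstract's constant-time requirement rules out.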


Acknowledgements

The author expresses his gratitude to Damien Stehlé for hiring him as a postdoc at École Normale Supérieure de Lyon.

Author information

Correspondence to Dmitrii Koshelev.

Additional information

Communicated by Paulo L. Barreto.

https://www.researchgate.net/profile/dimitri-koshelev.

The author was supported by Ethereum Foundation.

This paper was reviewed by Diego Aranha and by two anonymous reviewers.

Cite this article

Koshelev, D. Hashing to Elliptic Curves Through Cipolla–Lehmer–Müller’s Square Root Algorithm. J Cryptol 37, 11 (2024). https://doi.org/10.1007/s00145-024-09490-w
