Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mapping to G1/G2 #10

Closed
arybczak opened this issue Apr 27, 2017 · 3 comments
Closed

Mapping to G1/G2 #10

arybczak opened this issue Apr 27, 2017 · 3 comments

Comments

@arybczak
Copy link
Contributor

I've looked at the "Indifferentiable hashing to Barreto Naehrig curves" paper and for Fp254BNb the assumption that g(1) = 1 + b is a nonzero quare in Fp does not hold, which I assume is the reason why mapping fails for sqrt(-3) and -sqrt(-3). I didn't study these proofs closely to see whether the broken assumption leads to other values that will not be mappable. Do you know of any? Also, what about G2?

As a side note, page 3 of the paper has an interesting remark:

like Icart’s encoding and many others, this encoding f will not yield a gener-
ically secure hash function construction if we simply compose it with a ran-
dom oracle to the base field (e.g. it is easy to distinguish such a hash function
from a random oracle to the curve since its image has a simple algebraic de-
scription and only contains a constant fraction of all points). However, we
show (in Section 5) that it is well-distributed in the sense of Farashahi et al.
[17]. This implies
 that if h1 , h2 are random oracles to the base field, then
m -> f(h1(m)) + f(h2(m)) is a good, generically secure hash function to the
BN curve (it is indifferentiable from a random oracle);

However, it seems this is what BN256_G1_hashAndMapTo (and G2 variant) do, i.e. they just hash a message to a value in Fp and then map this value to get a point on the curve.
@arybczak
Copy link
Contributor Author

arybczak commented Apr 27, 2017
edited
Loading

Presumably the latter issue can be solved by hashing a message with SHA512, then mapping upper half to one point, lower half to another (although it seems like truncation of SHA-2 hashes is fine if you take leftmost bits, I didn't find anything about rightmost bits, so it might not be a good approach) mapping both to a curve point and adding them.

@herumi
Copy link
Owner

herumi commented Apr 28, 2017
edited
Loading

whether the broken assumption leads to other values that will not be mappable.

Algorithm 1 Step 2 in page 15 of the paper, the denominator 1 + b + t^2 is equal to 0 if t = sqrt(-3) or -sqrt(-3).

@herumi
Copy link
Owner

herumi commented Apr 28, 2017

I don't know detail of security of map function.
I'll read Indifferentiable Deterministic Hashing to Elliptic and Hyperelliptic Curves. But if f(h1(m)) + f(h2(m)) is necessary for some application, it is easy to make it with MapToT<Fp> in the software.

@herumi herumi closed this as completed May 29, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@herumi @arybczak