Abstract

Pairing-friendly elliptic curves in the Barreto-Lynn-Scott family are seeing a resurgence in popularity because of the recent result of Kim and Barbulescu that improves attacks against other pairing-friendly curve families. One particular Barreto-Lynn-Scott curve, called BLS12-381, is the locus of significant development and deployment effort, especially in blockchain applications. This effort has sparked interest in using the BLS12-381 curve for BLS signatures, which requires hashing to one of the groups of the bilinear pairing defined by BLS12-381.

While there is a substantial body of literature on the problem of hashing to elliptic curves, much of this work does not apply to Barreto-Lynn-Scott curves. Moreover, the work that does apply has the unfortunate property that fast implementations are complex, while simple implementations are slow.

In this work, we address these issues. First, we show a straightforward way of adapting the “simplified SWU” map of Brier et al. to BLS12-381. Second, we describe optimizations to this map that both simplify its implementation and improve its performance; these optimizations may be of interest in other contexts. Third, we implement and evaluate. We find that our work yields constant-time hash functions that are simple to implement, yet perform within 9% of the fastest, non–constant-time alternatives, which require much more complex implementations.

Highlights

  • The Barreto-Lynn-Scott family of pairing-friendly elliptic curves [BLS03], and in particular the elliptic curve BLS12-381 [Bow17] (§2.1), has recently seen widespread adoption (e.g., in pairing-based SNARKs [GGPR13, PHGR13, BCTV14, Gro16]), largely because of the recent result of Kim and Barbulescu [KB16] that speeds up attacks on the discrete log problem in finite field extensions (for more information, see [MSS16]). The availability of high-quality BLS12-381 implementations combined with the desire for aggregatable signatures [BGLS03] has sparked interest [Chi, Eth, BGWZ19, YKS19] in using BLS12-381 for BLS signatures [BLS01] (§2.2).

  • We proposed an “indirect” SWU map for Barreto-Lynn-Scott curves


Summary

Introduction

The Barreto-Lynn-Scott family of pairing-friendly elliptic curves [BLS03], and in particular the elliptic curve BLS12-381 [Bow17] (§2.1), has recently seen widespread adoption (e.g., in pairing-based SNARKs [GGPR13, PHGR13, BCTV14, Gro16]), largely because of the recent result of Kim and Barbulescu [KB16] that speeds up attacks on the discrete log problem in finite field extensions (for more information, see [MSS16]). The availability of high-quality BLS12-381 implementations combined with the desire for aggregatable signatures [BGLS03] has sparked interest [Chi, Eth, BGWZ19, YKS19] in using BLS12-381 for BLS signatures [BLS01] (§2.2). The BLS signature scheme requires a hash function to points in a prime-order subgroup of a pairing-friendly curve. For this purpose, the authors suggest a method based on folklore that they call MapToGroup [BLS01, §3.3] (we call this method “hash-and-check”), which works roughly as follows: pick a random element in the elliptic curve’s base field and check whether it is the x-coordinate of a rational point on the curve. If it is, return that point; otherwise, try again.
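The hash-and-check loop described above, as an added example (not code from the paper): it maps a message to a point on the BLS12-381 curve y² = x³ + 4 over F_p and reports how many candidates were tried, which shows that the running time depends on the message. The SHA-256 counter construction in `candidate_x`, the function names and the sample messages are assumptions made for illustration; the curve constants are the standard BLS12-381 parameters, and clearing the cofactor to land in the prime-order subgroup is omitted.

```python
import hashlib

# BLS12-381 base-field prime and the E1 constant in y^2 = x^3 + 4
# (standard curve parameters; they are not listed on this page).
P = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
B = 4


def candidate_x(msg: bytes, ctr: int) -> int:
    """Derive the ctr-th candidate x-coordinate (assumed construction)."""
    # Two SHA-256 outputs give 512 bits, so reducing mod the 381-bit P
    # leaves only negligible bias.
    h = b"".join(
        hashlib.sha256(bytes([i]) + ctr.to_bytes(4, "big") + msg).digest()
        for i in range(2)
    )
    return int.from_bytes(h, "big") % P


def hash_and_check(msg: bytes, max_tries: int = 256):
    """Return ((x, y), tries) for the first candidate x that lies on E1."""
    for ctr in range(max_tries):
        x = candidate_x(msg, ctr)
        rhs = (pow(x, 3, P) + B) % P
        # P = 3 (mod 4), so if rhs is a square its root is rhs^((P+1)/4).
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y), ctr + 1
        # Not a square: no point has this x-coordinate, so try again.
    raise ValueError("no curve point found within max_tries")


def tries_histogram(n: int = 200) -> dict:
    """Count the attempts needed for n constructed sample messages."""
    hist = {}
    for i in range(n):
        _, tries = hash_and_check(b"constructed message %d" % i)
        hist[tries] = hist.get(tries, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    # About half of all x values are valid, so attempts vary per message.
    print(tries_histogram())
```

The spread in the histogram is the input-dependent iteration count that a constant-time map avoids.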
