Abstract
This paper continues previous ones about compression of points on elliptic curves \(E_b\!: y^2 = x^3 + b\) (with j-invariant 0) over a finite field \(\mathbb {F}_{\!q}\) of characteristic \(p > 3\). It is shown in detail how any two (resp., three) points from \(E_b(\mathbb {F}_{\!q})\) can be quickly compressed to two (resp., three) elements of \(\mathbb {F}_{\!q}\) (apart from a few auxiliary bits) in such a way that the corresponding decompression stage requires extracting only one cubic (resp., sextic) root in \(\mathbb {F}_{\!q}\). As a result, for many fields \(\mathbb {F}_{\!q}\) occurring in practice, the new compression-decompression methods are more efficient than the classical one based on the two (resp., three) x or y coordinates of the points, which extracts two (resp., three) roots in \(\mathbb {F}_{\!q}\). As a by-product, it is also explained how to sample uniformly at random two (resp., three) “independent” \(\mathbb {F}_{\!q}\)-points on \(E_b\) essentially at the cost of only one cubic (resp., sextic) root in \(\mathbb {F}_{\!q}\). Finally, the cases of four and more points from \(E_b(\mathbb {F}_{\!q})\) are commented on as well.
References
Aranha, D.F., Pagnin, E., Rodríguez-Henríquez, F.: LOVE a pairing. In: Longa, P., Ràfols, C. (eds.) Progress in Cryptology - LATINCRYPT 2021. Lecture Notes in Computer Science, vol. 12912, pp. 320–340. Springer, Cham (2021)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) Advances in Cryptology - CRYPTO 2014. Lecture Notes in Computer Science, vol. 8617, pp. 276–294. Springer, Berlin, Heidelberg (2014)
Bernstein, D.J., Yang, B.Y.: Fast constant-time GCD computation and modular inversion. IACR Trans. Cryptogr. Hardware Embedd. Syst. 2019(3), 340–398 (2019)
Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)
Boneh, D., Goh, E.J., Nissim, K.: Evaluating \(2\)-DNF formulas on ciphertexts. In: Kilian, J. (ed.) Theory of Cryptography. TCC 2005. Lecture Notes in Computer Science, vol. 3378, pp. 325–341. Springer, Berlin, Heidelberg (2005)
Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) Advances in Cryptology - EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004, pp. 573–592. Springer, Berlin, Heidelberg (2006)
Botrel, G., El Housni, Y.: Faster Montgomery multiplication and multi-scalar-multiplication for SNARKs. IACR Trans. Cryptogr. Hardware Embedd. Syst. 2023(3), 504–521 (2023)
Catanese, F., Oguiso, K., Verra, A.: On the unirationality of higher dimensional Ueno-type manifolds. Rev. Roumaine Math. Pures Appl. 60(3), 337–353 (2015)
Chatterjee, S., Hankerson, D., Menezes, A.: On the efficiency and security of pairing-based protocols in the type \(1\) and type \(4\) settings. In: Hasan, M.A., Helleseth, T. (eds.) Arithmetic of Finite Fields. WAIFI 2010. Lecture Notes in Computer Science, vol. 6087, pp. 114–134. Springer, Berlin, Heidelberg (2010)
El Housni, Y., Guillevic, A.: Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science, vol. 12579, pp. 259–279. Springer, Cham (2020)
El Mrabet, N., Joye, M. (eds.): Guide to Pairing-Based Cryptography. Cryptography and Network Security Series, Chapman and Hall/CRC, New York (2017)
Ethereum Foundation: ethereum/kzg-ceremony (2022), https://github.com/ethereum/kzg-ceremony
Fan, X., Otemissov, A., Sica, F., Sidorenko, A.: Multiple point compression on elliptic curves. Des. Codes Crypt. 83(3), 565–588 (2017)
Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) Advances in Cryptology - EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 44–61. Springer, Berlin, Heidelberg (2010)
Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, New York (2012)
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) Advances in Cryptology - EUROCRYPT 2016. Lecture Notes in Computer Science, vol. 9665, pp. 305–326. Springer, Berlin, Heidelberg (2016)
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) Advances in Cryptology - EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 415–432. Springer, Berlin, Heidelberg (2008)
Guillevic, A.: Comparing the pairing efficiency over composite-order and prime-order elliptic curves. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science, vol. 7954, pp. 357–372. Springer, Berlin, Heidelberg (2013)
Hartshorne, R.: Algebraic Geometry, Graduate Texts in Mathematics, vol. 52, 8th edn. Springer, New York (1997)
Hopwood, D.: Pluto/Eris supporting evidence (2021), https://github.com/daira/pluto-eris
Hopwood, D.: The pasta curves for Halo \(2\) and beyond (2020), https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond
Joye, M., Lapiha, O., Nguyen, K., Naccache, D.: The eleventh power residue symbol. J. Math. Cryptol. 15(1), 111–122 (2021)
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) Advances in Cryptology - ASIACRYPT 2010. Lecture Notes in Computer Science, vol. 6477, pp. 177–194. Springer, Berlin, Heidelberg (2010)
Khabbazian, M., Gulliver, T.A., Bhargava, V.K.: Double point compression with applications to speeding up random point multiplication. IEEE Trans. Comput. 56(3), 305–313 (2007)
Koshelev, D.: Generation of “independent” points on elliptic curves by means of Mordell–Weil lattices (2022), https://eprint.iacr.org/2022/794
Koshelev, D.: Generation of two “independent” points on an elliptic curve of \(j\)-invariant \(\ne 0, 1728\) (2023), https://eprint.iacr.org/2023/785
Koshelev, D.: Magma code (2022), https://github.com/dishport/Batch-point-compression-in-the-context-of-advanced-pairing-based-protocols
Koshelev, D.: Some remarks on how to hash faster onto elliptic curves (2021), https://eprint.iacr.org/2021/1082
Koshelev, D.: Faster point compression for elliptic curves of \(j\)-invariant \(0\). Math. Aspects Cryptogr. 12(4), 115–123 (2021)
Koshelev, D.: New point compression method for elliptic \(\mathbb{F} _{\!q^2}\)-curves of \(j\)-invariant \(0\). Finite Fields Appl. 69, 101774 (2021)
Koshelev, D.: Indifferentiable hashing to ordinary elliptic \(\mathbb{F} _{\!q}\)-curves of \(j = 0\) with the cost of one exponentiation in \(\mathbb{F} _{\!q}\). Des. Codes Crypt. 90(3), 801–812 (2022)
Lang, S.: Algebra, Graduate Texts in Mathematics, vol. 211, 3rd edn. Springer, New York (2002)
Müller, S.: On the computation of square roots in finite fields. Des. Codes Crypt. 31(3), 301–312 (2004)
Oguiso, K., Truong, T.T.: Explicit examples of rational and Calabi-Yau threefolds with primitive automorphisms of positive entropy. J. Math. Sci. Univ. Tokyo 22, 361–385 (2015)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. Lecture Notes in Computer Science, vol. 576, pp. 129–140. Springer, Berlin, Heidelberg (1992)
Pornin, T.: Optimized binary GCD for modular inversion (2020), https://eprint.iacr.org/2020/972
Rubin, K., Silverberg, A.: Compression in finite fields and torus-based cryptography. SIAM J. Comput. 37(5), 1401–1428 (2008)
Sakemi, Y., Kobayashi, T., Saito, T., Wahby, R.S.: Pairing-friendly curves (2022), https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves
Ueno, K.: Classification of algebraic varieties. I. Compos. Math. 27(3), 277–342 (1973)
Wahby, R.S., Boneh, D.: Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR Trans. Cryptogr. Hardware Embedd. Syst. 2019(4), 154–179 (2019)
ZPRIZE competition (2022), https://www.zprize.io
Appendices
Appendix A. Compressing \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\)
Throughout this supplementary section, we assume that \(q \equiv 1 \ (\textrm{mod} \ 3)\) or, equivalently, \(\omega \in \mathbb {F}_{\!q}\). Unlike in the main part of the paper, here the opposite situation would be drastically different, as becomes clear below. Given \(\gamma \in \mathbb {F}_{\!q}^* {\setminus } (\mathbb {F}_{\!q}^*)^2\), let \(b = b_0 + b_1\sqrt{\gamma }\) and \(b_0, b_1, b_2 \in \mathbb {F}_{\!q}\) be such that \(bb_2 \ne 0\). Our goal is to simultaneously compress points \((x, y) = (x_0 + x_1\sqrt{\gamma }, y_0 + y_1\sqrt{\gamma })\) and \((x_2, y_2)\) from the sets \(E_{b}(\mathbb {F}_{\!q^2})\) and \(E_{b_2}(\mathbb {F}_{\!q})\), respectively (here \(x_j, y_j \in \mathbb {F}_{\!q}\)). This problem is relevant for pairing delegation [1] and type 4 pairings [9, Section 3] whenever the embedding degree of the curve \(E_{b_2}\) is equal to 12. In this popular case, \(E_b\) is a sextic twist of \(E_{b_2}\) over the field \(\mathbb {F}_{\!q^2}\). See [11, Section 3.2.5] for the significance of twists in pairing-based cryptography.
For compressing \(E_{b}(\mathbb {F}_{\!q^2})\), we suggest applying the method from [30], whose decompression stage extracts one cubic root in \(\mathbb {F}_{\!q}\). Therefore, the concatenation of its result \(z_0\), \(z_1\) with \(x_2\) gives rise to a compression method for \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\) whose decompression costs one sextic root in \(\mathbb {F}_{\!q}\), by analogy with compressing three \(\mathbb {F}_{\!q}\)-points in Sect. 4.
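As an added illustration (not code from the paper or from [27]), the following Python snippet shows the mechanism behind the "one sextic root" cost for \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\): a single sixth root of \(a^2c^3\) yields both a cube root of \(a\) (the root a [30]-style decompression of \(z_0, z_1\) needs) and a square root of \(c = x_2^3 + b_2\) (the root that recovers \(y_2\)), with the ambiguity of both roots removed by the auxiliary bits. Since the formulas of [30] for \(z_0, z_1\) are not reproduced on this page, the radicand \(a\) and its cube root are taken as inputs; the prime \(p = 223\), the constant \(b_2 = 1\) and the sample point are constructed for the demo.

```python
import math

# Toy field F_P (constructed): P ≡ 1 (mod 6) and gcd(6, (P-1)/6) = 1, so that a
# sixth root of a sixth power is one exponentiation, matching the paper's
# "cost of one sextic root" accounting. B2 = 1 gives the j = 0 curve y^2 = x^3 + 1.
P = 223
B2 = 1
M = (P - 1) // 6
assert math.gcd(6, M) == 1
SIXTH_EXP = pow(6, -1, M)                       # 6 * SIXTH_EXP ≡ 1 (mod M)
# A primitive cube root of unity omega (it exists since P ≡ 1 mod 3).
OMEGA = next(w for w in (pow(g, (P - 1) // 3, P) for g in range(2, P)) if w != 1)

def sixth_root(v):
    """Return some r with r^6 = v, or raise if v is not a sixth power in F_P."""
    r = pow(v, SIXTH_EXP, P)
    if pow(r, 6, P) != v % P:
        raise ValueError("not a sixth power")
    return r

def canonical_roots(a, c):
    """Sorted list of the three cube roots of a and the smaller square root of c,
    from ONE sixth root and ONE inversion (a, c != 0: degenerate cases rejected)."""
    if a % P == 0 or c % P == 0:
        raise ValueError("degenerate case a = 0 or c = 0")
    s = sixth_root(a * a * pow(c, 3, P))        # s = a^(1/3) c^(1/2) * (6th root of 1)
    inv_ac = pow(a * c, -1, P)                  # the only field inversion
    sq = pow(s, 3, P) * inv_ac % P              # s^3 / (a c)   = +/- sqrt(c)
    cb = sq * s * a * inv_ac % P                # s^4 / (a c^2) = some cube root of a
    cubes = sorted([cb, cb * OMEGA % P, cb * OMEGA * OMEGA % P])
    return cubes, min(sq, P - sq)

def compress(a, cbrt_a, x2, y2):
    """Compressor: it already knows cbrt_a and (x2, y2), so it extracts no root.
    Output: two field elements (a, x2) plus a 2-bit cube-root index and a sign bit."""
    if (y2 * y2 - pow(x2, 3, P) - B2) % P:
        raise ValueError("(x2, y2) is not on y^2 = x^3 + B2")
    cubes = sorted([cbrt_a, cbrt_a * OMEGA % P, cbrt_a * OMEGA * OMEGA % P])
    return (a, x2), (cubes.index(cbrt_a), int(y2 > P - y2))

def decompress(data, bits):
    """Decompressor: one sixth root recovers cbrt_a and y2 together."""
    a, x2 = data
    idx, sign = bits
    cubes, sq = canonical_roots(a, (pow(x2, 3, P) + B2) % P)
    return cubes[idx], (x2, P - sq if sign else sq)
```

The compressor sorts the three cube roots \(a^{1/3}\{1, \omega, \omega^2\}\) and the two square roots in a canonical order, so the bits it transmits mean the same thing to the decompressor whichever sixth root the exponentiation happens to return.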
Table 4 exhibits a complexity comparison (all the operations are carried out in \(\mathbb {F}_{\!q}\)) of the compression-decompression methods for points in projective or Jacobian coordinates. As is customary, the addition, subtraction, and multiplication operations in \(\mathbb {F}_{\!q}\) are omitted, because they are much cheaper. We use the fact (e.g., from [11, Section 5.2.1]) that an inverse element (resp., square root) in \(\mathbb {F}_{\!q^2}\) can be expressed via an inverse element (resp., two square roots) in \(\mathbb {F}_{\!q}\). However, to the author’s knowledge, there is no known way to compute a cubic root in \(\mathbb {F}_{\!q^2}\) through a few radicals in \(\mathbb {F}_{\!q}\). As a result, in comparison with Table 2, the new table does not contain the very slow methods based on the coordinates \(y_0\), \(y_1\), \(x_2\) or \(y_0\), \(y_1\), \(y_2\).
The method of [30] is similar to that of Sects. 2 and 3. It is based on the \(\mathbb {F}_{\!q}\)-rationality of the surface
where \(\alpha (t):= 3t^2 + \gamma \) and \(\beta (t):= t(t^2 + 3\gamma )\). The latter is nothing but the generalized Kummer surface \(R_b/[\omega ]_2\) (up to a birational \(\mathbb {F}_{\!q}\)-isomorphism). Here,
is the Weil restriction (see, e.g., [37, Section 4]) of \(E_b\), equipped with the \(\mathbb {F}_{\!q}\)-automorphism
of order 3. Notice that
Although [30] does not deal with the case \(q \equiv 1 \ (\textrm{mod} \ 4)\) (including the BLS12-377 curve), it is not difficult to generalize its results to that case if desired. We do not do so here, because our purpose is the opposite one, namely to specify the \(\mathbb {F}_{\!q}\)-parametrization of \(GK_b\) as explicitly as possible, using the BLS12-381 curve (\(b_0 = b_1 = 4\) and \(\gamma = -1\)) as the example. This is worthwhile, since the description in [30, Section 3.1] is not sufficiently explicit.
First, \(\sqrt{6} = \sqrt{-1} \!\cdot \! \sqrt{2} \!\cdot \! \sqrt{-3} \in \mathbb {F}_{\!q}\), because \(\sqrt{-3} = 2\omega + 1 \in \mathbb {F}_{\!q}\), whereas \(\sqrt{-1} \not \in \mathbb {F}_{\!q}\) (as \(\gamma = -1\) is a non-square) and \(\sqrt{2} \not \in \mathbb {F}_{\!q}\). Indeed, \(4^2 \!\cdot \! 2\) is the norm of \(b = 4(1 + \sqrt{-1})\) with respect to the extension \(\mathbb {F}_{\!q^2}/\mathbb {F}_{\!q}\), and \(\sqrt{b} \not \in \mathbb {F}_{\!q^2}\) by virtue of [30, Remark 2]. Second, there is the birational \(\mathbb {F}_{\!q}\)-isomorphism
where
and
It turns out that
where
and
All the formulas written above are verified in Magma, see [27]. As usual, to be able to compress every point of \(E_{b}(\mathbb {F}_{\!q^2})\), it remains to handle the degenerate cases in which the denominators vanish. So as not to complicate the text, this is left as an elementary exercise.
Appendix B. Compressing \(E_b(\mathbb {F}_{\!q^2})\) sub-optimally in such a way that decompression is free
We keep the notation of the previous section. This appendix contains formulas obtained in the same way as those of [24, Section 3.1] for compressing \(E_b^2(\mathbb {F}_{\!q})\) to \(\approx 3\lceil \log _2(q)\rceil \) bits. The new formulas are very simple and important, but the author has not found them anywhere else, so this appendix is a good place to write them out. The analogous 3-dimensional approach from [24, Section 3.2] can probably also be adapted for compressing \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\) to \(\approx 4\lceil \log _2(q)\rceil \) bits.
Given a non-zero point \(P = (x,y) \in E_b(\mathbb {F}_{\!q^2})\), consider the \(\mathbb {F}_{\!q}\)-elements
Obviously, \(\gamma \ne 1\). By looking at the defining equations of \(R_b\), it is readily checked (see also [27]) that \(y_1 = Y_1\) whenever \(Y \ne 0\). Therefore, we obtain the compression map
The corresponding decompression map has the form
Table 5 exhibits a complexity comparison (all the operations are carried out in \(\mathbb {F}_{\!q}\)) of the compression-decompression methods for \(\mathbb {F}_{\!q^2}\)-points on \(E_{b}\). It is worth noting that all the remarks given for Table 4 still hold for the new one.
Cite this article
Koshelev, D. Batch point compression in the context of advanced pairing-based protocols. AAECC (2023). https://doi.org/10.1007/s00200-023-00625-3