### Efficient Indifferentiable Hashing into Ordinary Elliptic Curves [chapter]

Eric Brier, Jean-Sébastien Coron, Thomas Icart, David Madore, Hugues Randriam, Mehdi Tibouchi
2010 Lecture Notes in Computer Science
We provide the first construction of a hash function into ordinary elliptic curves that is indifferentiable from a random oracle, based on Icart's deterministic encoding from Crypto 2009. While almost as efficient as Icart's encoding, this hash function can be plugged into any cryptosystem that requires hashing into elliptic curves, while not compromising proofs of security in the random oracle model. We also describe a more general (but less efficient) construction that works for a large class
more » ... of encodings into elliptic curves, for example the Shallue-Woestijne-Ulas (SWU) algorithm. Finally we describe the first deterministic encoding algorithm into elliptic curves in characteristic 3. Hashing into elliptic curves is also required for some passwords based authentication protocols, for instance the SPEKE (Simple Password Exponential Key Exchange)  and the PAK (Password Authenticated Key exchange)  , and also for discrete-log based signature schemes such as  when instantiated over an elliptic curve. In all those previous cryptosystems, security is proven when the hash function is seen as a random oracle into the curve. However, it remains to determine which hashing algorithm should be used, and whether it is reasonable to see it as a random oracle. In , Boneh and Franklin use a particular supersingular elliptic curve E for which, in addition to the pairing operation, there exists a one-to-one mapping f from the base field F p to E(F p ). This enables to hash using H 1 (m) = f (h(m)) where h is a classical hash function from {0, 1} * to F p . The authors show that their IBE scheme remains secure when h is seen as a random oracle into F p (instead of H 1 being seen as a random oracle into E(F p )). However, when no pairing operation is required (as in [11, 14, 24] ), it is more efficient to use ordinary elliptic curves, since supersingular curves require much larger security parameters due to the MOV attack  . For hashing into an ordinary elliptic curve, the classical approach is inherently probabilistic: one can first compute an integer hash value x = h(m) and then determine whether x is the abscissa of a ⋆ An extended abstract of this paper will appear at crypto 2010. This is the full version. ⋆⋆ Research carried out while working at Sagem Sécurité. ⋆ ⋆ ⋆ Research carried out while on a visit to the Okamoto Research Laboratory at the NTT Information Sharing Platform. Pr D C h ,h = 1 − Pr D H,S H = 1 < ε C h is said to be indifferentiable from H if ε is a negligible function of the security parameter k, for polynomially bounded q D , t D and t S .