TY - JOUR
AU - Wahby, Riad S.
AU - Boneh, Dan
PY - 2019/08/09
Y2 - 2024/03/29
TI - Fast and simple constant-time hashing to the BLS12-381 elliptic curve
JF - IACR Transactions on Cryptographic Hardware and Embedded Systems
JA - TCHES
VL - 2019
IS - 4
SE - Articles
DO - 10.13154/tches.v2019.i4.154-179
UR - https://tches.iacr.org/index.php/TCHES/article/view/8348
SP - 154-179
AB - Pairing-friendly elliptic curves in the Barreto-Lynn-Scott family are seeing a resurgence in popularity because of the recent result of Kim and Barbulescu that improves attacks against other pairing-friendly curve families. One particular Barreto-Lynn-Scott curve, called BLS12-381, is the locus of significant development and deployment effort, especially in blockchain applications. This effort has sparked interest in using the BLS12-381 curve for BLS signatures, which requires hashing to one of the groups of the bilinear pairing defined by BLS12-381. While there is a substantial body of literature on the problem of hashing to elliptic curves, much of this work does not apply to Barreto-Lynn-Scott curves. Moreover, the work that does apply has the unfortunate property that fast implementations are complex, while simple implementations are slow. In this work, we address these issues. First, we show a straightforward way of adapting the “simplified SWU” map of Brier et al. to BLS12-381. Second, we describe optimizations to this map that both simplify its implementation and improve its performance; these optimizations may be of interest in other contexts. Third, we implement and evaluate. We find that our work yields constant-time hash functions that are simple to implement, yet perform within 9% of the fastest, non–constant-time alternatives, which require much more complex implementations.
ER -