65 research outputs found

    The geometry of some parameterizations and encodings

    We explore parameterizations by radicals of low genera algebraic curves. We prove that for $q$ a prime power that is large enough and prime to $6$, a fixed positive proportion of all genus 2 curves over the field with $q$ elements can be parameterized by $3$-radicals. This results in the existence of a deterministic encoding into these curves when $q$ is congruent to $2$ modulo $3$. We extend this construction to parameterizations by $\ell$-radicals for small odd integers $\ell$, and make it explicit for $\ell=5$.

    Constructing Permutation Rational Functions From Isogenies

    A permutation rational function $f\in \mathbb{F}_q(x)$ is a rational function that induces a bijection on $\mathbb{F}_q$, that is, for all $y\in\mathbb{F}_q$ there exists exactly one $x\in\mathbb{F}_q$ such that $f(x)=y$. Permutation rational functions are intimately related to exceptional rational functions, and more generally exceptional covers of the projective line, of which they form the first important example. In this paper, we show how to efficiently generate many permutation rational functions over large finite fields using isogenies of elliptic curves, and discuss some cryptographic applications. Our algorithm is based on Fried's modular interpretation of certain dihedral exceptional covers of the projective line (Cont. Math., 1994).

    EMBEDDING FINITE FIELDS INTO ELLIPTIC CURVES

    Many elliptic curve cryptosystems require an encoding function from a finite field Fq into Fq-rational points of an elliptic curve. We propose a uniform encoding to general elliptic curves over Fq. We also discuss an injective case of SWU encoding for hyperelliptic curves of genus 2. Moreover, we discuss an injective encoding for elliptic curves with a point of order two over a finite field and present a description of these elliptic curves.

    A Computational Introduction to Elliptic and Hyperelliptic Curve Cryptography

    At its core, cryptography relies on problems that are simple to construct but difficult to solve unless certain information (the “key”) is known. Many of these problems come from number theory and group theory. One method of obtaining groups from which to build cryptosystems is to define algebraic curves over finite fields and then derive a group structure from the set of points on those curves. This thesis serves as an exposition of Elliptic Curve Cryptography (ECC), preceded by a discussion of some basic cryptographic concepts and followed by a glance into one generalization of ECC: cryptosystems based on hyperelliptic curves

    Deterministic Encoding and Hashing to Odd Hyperelliptic Curves

    The original publication is available at www.springerlink.com. International audience. In this paper we propose a very simple and efficient encoding function from $\mathbb{F}_q$ to points of a hyperelliptic curve over $\mathbb{F}_q$ of the form $H : y^2 = f(x)$ where $f$ is an odd polynomial. Hyperelliptic curves of this type have been frequently considered in the literature to obtain Jacobians of good order and pairing-friendly curves. Our new encoding is nearly a bijection to the set of $\mathbb{F}_q$-rational points on $H$. This makes it easy to construct well-behaved hash functions to the Jacobian $J$ of $H$, as well as injective maps to $J(\mathbb{F}_q)$ which can be used to encode scalars for such applications as ElGamal encryption. The new encoding is already interesting in the genus 1 case, where it provides a well-behaved encoding to Joux's supersingular elliptic curves.

    Efficient Encodings to Hyperelliptic Curves over Finite Fields

    Many cryptosystems are based on the difficulty of the discrete logarithm problem in finite groups. In this case elliptic and hyperelliptic cryptosystems are more noticed because they provide good security with smaller size keys. Since these systems were used for cryptography, it has been an important issue to transform a random value in finite field into a random point on an elliptic or hyperelliptic curve in a deterministic and efficient method. In this paper we propose a deterministic encoding to hyperelliptic curves over finite field. For cryptographic desires it is important to have an injective encoding. In finite fields with characteristic three we obtain an injective encoding for genus two hyperelliptic curves.

    Improved Complexity Bounds for Counting Points on Hyperelliptic Curves

    We present a probabilistic Las Vegas algorithm for computing the local zeta function of a hyperelliptic curve of genus $g$ defined over $\mathbb{F}_q$. It is based on the approaches by Schoof and Pila combined with a modeling of the $\ell$-torsion by structured polynomial systems. Our main result improves on previously known complexity bounds by showing that there exists a constant $c>0$ such that, for any fixed $g$, this algorithm has expected time and space complexity $O((\log q)^{cg})$ as $q$ grows and the characteristic is large enough. Comment: To appear in Foundations of Computational Mathematics.

    SwiftEC: Shallue–van de Woestijne Indifferentiable Function To Elliptic Curves

    Hashing arbitrary values to points on an elliptic curve is a required step in many cryptographic constructions, and a number of techniques have been proposed to do so over the years. One of the first ones was due to Shallue and van de Woestijne (ANTS-VII), and it had the interesting property of applying to essentially all elliptic curves over finite fields. It did not, however, have the desirable property of being indifferentiable from a random oracle when composed with a random oracle to the base field. Various approaches have since been considered to overcome this limitation, starting with the foundational work of Brier et al. (CRYPTO 2011). For example, if $f\colon \mathbb{F}_q\to E(\mathbb{F}_q)$ is the Shallue–van de Woestijne (SW) map and $\mathfrak{h}_1,\mathfrak{h}_2$ are two independent random oracles to $\mathbb{F}_q$, we now know that $m\mapsto f\big(\mathfrak{h}_1(m)\big)+f\big(\mathfrak{h}_2(m)\big)$ is indifferentiable from a random oracle. Unfortunately, this approach has the drawback of being twice as expensive to compute as the straightforward, but not indifferentiable, $m\mapsto f\big(\mathfrak{h}_1(m)\big)$. Most other solutions so far have had the same issue: they are at least as costly as two base field exponentiations, whereas plain encoding maps like $f$ cost only one exponentiation. Recently, Koshelev (DCC 2022) provided the first construction of indifferentiable hashing at the cost of one exponentiation, but only for a very specific class of curves (some of those with $j$-invariant $0$), and using techniques that are unlikely to apply more broadly.
    In this work, we revisit this long-standing open problem, and observe that the SW map actually fits in a one-parameter family $(f_u)_{u\in\mathbb{F}_q}$ of encodings, such that for independent random oracles $\mathfrak{h}_1, \mathfrak{h}_2$ to $\mathbb{F}_q$, $F\colon m\mapsto f_{\mathfrak{h}_2(m)}\big(\mathfrak{h}_1(m)\big)$ is indifferentiable. Moreover, on a very large class of curves (essentially those that are either of odd order or of order divisible by 4), the one-parameter family admits a rational parametrization, which lets us compute $F$ at almost the same cost as small $f$, and finally achieve indifferentiable hashing to most curves with a single exponentiation. Our new approach also yields an improved variant of the Elligator Squared technique of Tibouchi (FC 2014) that represents points of arbitrary elliptic curves as close-to-uniform random strings.