[curves] encoding points -> bitstrings: indistinguishability, PAKE?
rstruik.ext at gmail.com
Tue Jun 22 11:16:57 PDT 2021
I do think Tibouchi et al's 2017 paper  does provide easy randomized
representations (for curves over prime fields). See also Appendices
K.5-6 of the IETF draft , which refers to this paper and exemplifies
this for NIST curves, Brainpool curves, secp256k1, and CFRG curves.
Best regards, Rene
M. Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves
of Prime Order as Uniform Random Strings", Financial Cryptography 2014,
Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag,
 T. Kim, M. Tibouchi, "Improved Elliptic Curve Hashing and Point
Representation", DCC 2017, Des. Codes Cryptogr., Vol. 82, pp. 161-177,
New York: Springer-Verlag, 2017.
On 2021-06-22 2:04 p.m., Trevor Perrin wrote:
> Does anyone know the state-of-the-art for encoding/decoding an
> elliptic curve point into a random-looking bit string, such that the
> mapping covers all points and bit strings? Is it Elligator-squared?
> I'm interested in this partly as a way of making handshake protocols
> (e.g. Noise) indistinguishable from random (e.g. censorship
> Also if such a protocol was encoding its ephemeral DH public keys in
> this form, I believe (?) this would enable a PAKE almost for free:
> simply XOR the encoded DH ephemeral public values (or even just one of
> them) with the password or hash(password), per Bellovin and Merrit's
> 1992 EKE paper:
> Curves mailing list
> Curves at moderncrypto.org
email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
More information about the Curves