[curves] encoding points -> bitstrings: indistinguishability, PAKE?

[Rene Struik]

Hi Trevor:

I do think Tibouchi et al's 2017 paper [2] does provide easy randomized 
representations (for curves over prime fields). See also Appendices 
K.5-6 of the IETF draft [2], which refers to this paper and exemplifies 
this for NIST curves, Brainpool curves, secp256k1, and CFRG curves.

Best regards, Rene

Ref:
[1]M. Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves 
of Prime Order as Uniform Random Strings", Financial Cryptography 2014, 
Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag, 
2014.
[2] T. Kim, M. Tibouchi, "Improved Elliptic Curve Hashing and Point 
Representation", DCC 2017, Des. Codes Cryptogr., Vol. 82, pp. 161-177, 
New York: Springer-Verlag, 2017.
[3] 
https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-21#appendix-K.5

On 2021-06-22 2:04 p.m., Trevor Perrin wrote:
> Hi,
>
> Does anyone know the state-of-the-art for encoding/decoding an
> elliptic curve point into a random-looking bit string, such that the
> mapping covers all points and bit strings?  Is it Elligator-squared?
>
> https://eprint.iacr.org/2014/043.pdf
>
> I'm interested in this partly as a way of making handshake protocols
> (e.g. Noise) indistinguishable from random (e.g. censorship
> resistance).
>
> Also if such a protocol was encoding its ephemeral DH public keys in
> this form, I believe (?) this would enable a PAKE almost for free:
> simply XOR the encoded DH ephemeral public values (or even just one of
> them) with the password or hash(password), per Bellovin and Merrit's
> 1992 EKE paper:
>
> https://www.cs.columbia.edu/~smb/papers/neke.pdf
>
> ?
>
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves


-- 
email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867