[curves] encoding points -> bitstrings: indistinguishability, PAKE?

Rene Struik rstruik.ext at gmail.com
Tue Jun 22 11:16:57 PDT 2021

Hi Trevor:

I do think Tibouchi et al's 2017 paper [2] does provide easy randomized 
representations (for curves over prime fields). See also Appendices 
K.5-6 of the IETF draft [2], which refers to this paper and exemplifies 
this for NIST curves, Brainpool curves, secp256k1, and CFRG curves.

Best regards, Rene

[1]M. Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves 
of Prime Order as Uniform Random Strings", Financial Cryptography 2014, 
Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag, 
[2] T. Kim, M. Tibouchi, "Improved Elliptic Curve Hashing and Point 
Representation", DCC 2017, Des. Codes Cryptogr., Vol. 82, pp. 161-177, 
New York: Springer-Verlag, 2017.

On 2021-06-22 2:04 p.m., Trevor Perrin wrote:
> Hi,
> Does anyone know the state-of-the-art for encoding/decoding an
> elliptic curve point into a random-looking bit string, such that the
> mapping covers all points and bit strings?  Is it Elligator-squared?
> https://eprint.iacr.org/2014/043.pdf
> I'm interested in this partly as a way of making handshake protocols
> (e.g. Noise) indistinguishable from random (e.g. censorship
> resistance).
> Also if such a protocol was encoding its ephemeral DH public keys in
> this form, I believe (?) this would enable a PAKE almost for free:
> simply XOR the encoded DH ephemeral public values (or even just one of
> them) with the password or hash(password), per Bellovin and Merrit's
> 1992 EKE paper:
> https://www.cs.columbia.edu/~smb/papers/neke.pdf
> ?
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

More information about the Curves mailing list