Keywords

2010 Mathematics Subject Classification: 11G05 , 11T06 , 14H52.

1 Introduction

The problem of finding encoding functions from a finite field \(\mathbb {F}_q\) into the \(\mathbb {F}_q\)-rational points of the given curve was stated by Schoof in 1985 [16]. Such an encoding function is a crucial requirement in the curve-based cryptosystems. For instance, the public key for identity \(id \in \lbrace 0,1 \rbrace ^*\) in the IBE scheme, is a \(\mathbb {F}_q\)-rational point \(Q_{id}=\mathfrak {H}(id)\), where \(\mathfrak {H}\) is the desired encoding function. This function is also a requirement for PAKE (Password Authenticated Key Exchange) [5] such as SPEKE (Simple Password Exponential Key Exchange) [13], and PSI (Private Set Intersection) protocols [15].

Bernstein et al. in [3] explained that the traditional methods for encoding to elliptic curves do not disguise the points properly so the encoded points are distinguishable from uniform random bit strings, and consequently, censors can recognize patterns in the transmitted data. To avoid this important drawback, they suggested using a bijection between bit strings and about half of all \(\mathbb {F}_q\)-rational points of an elliptic curve \(E\) (of \(j\)-invariant not equal to 1728) over \(\mathbb {F}_q\) with odd \(q\), where \(E\) has a \(\mathbb {F}_q\)-rational point of order 2. In the other word, they suggested using injective encoding function, which allows to correspond the set of bit strings \(\{0,1\}^n\) to a subset of \(E(\mathbb {F}_q)\). When we use injective encoding function \(f: \{0,1\}^{n}\rightarrow E(\mathbb {F}_q)\), instead of transferring a point \(P\in f(\{0,1\}^{n})\subset E(\mathbb {F}_q)\) we easily transfer the corresponding bit string of \(P\). So far, injective encoding functions are presented for ordinary elliptic curves with non-trivial 3 torsion point by Farashahi [8], non-trivial 4 torsion point by Fouque et al. [9] and non-trivial 2 torsion point by Bernstein et al. [3]. However, for binary ordinary elliptic curves, up to now the only injective encoding function is proposed for binary Hessian elliptic curves [8]. After that, Aranha et al. in [2] using \(\lambda \)-affine coordinate and some computational tricks improved the algorithm in [4] [Appendix E]. But, they did not propose any injective encoding function to binary elliptic curves. To the best of our knowledge, no injective encoding function to ordinary binary elliptic curves has been presented, and this is the main contribution of this paper.

The motivation of this paper is constructing injective encoding function for all ordinary binary elliptic curves, because the previous injective encoding is restricted to binary elliptic curves with a point of order 3 [8]. Two approaches will be proposed in this paper, the first one is applicable to ordinary binary elliptic curves \(y^2 +xy= x^3 + a x^2 + b\) where \(\mathrm {Tr}(a)=1\). And, the second is for ordinary binary elliptic curves \(y^2+xy=x^3+ax^2+b\) where \(\mathrm {Tr}(a+1)=0\). In fact, ordinary elliptic curves \(y^2+xy=x^3+ax^2+b\) over prime extensions of \(\mathbb {F}_2\) with \(\mathrm {Tr}(a)=1\), which are of paramount importance in binary elliptic curve cryptography, belong to both classes at the same time. For instant, all of the five recommended binary elliptic curves by NIST have cofactor 2 i.e. the recommended curves are of the form \(y^2+xy =x^3 +ax^2+b\) with \(\mathrm {Tr}(a)=1\). The proposed algorithms can be applied in protocols which require admissible encoding function to binary elliptic curves. Moreover, since the encoding is injective it behaves as the same as Elligator 2 in [3].

This paper is organized as follows: In Sect. 2, we talk about some different encoding methods from \(\mathbb {F}_{2^n}\) to binary elliptic curves and explain what kind of encoding functions are appropriate for cryptography. Besides, we explain an injective function from bit strings to binary finite fields. In Sect. 3, we briefly review the injective encoding function to the binary Hessian curves, and then we will explain our approaches for finding injective encodings to binary elliptic curves.

Throughout the paper, the cardinality of a finite set \({\mathcal S}\) is shown by \(\#{\mathcal S}\) and \(||\) denote the concatenation. Also, \(\mathcal {H}\) shows a standard hash function.

2 Background

2.1 Elliptic Curves

An elliptic curve is a smooth projective genus 1 curve over a field \(\mathbb {F}\), with a given \(\mathbb {F}\)-rational point. Traditionally, an elliptic curve \(E\) over a field \(\mathbb {F}\) is presented by the Weierstrass equation

$$\begin{aligned} E :\quad y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \end{aligned}$$
(1)

where the coefficients \(a_1, a_2, a_3, a_4, a_6\in \mathbb {F}\). Using suitable change of variables, Eq. (1) can be written in the following forms

$$\begin{aligned}&E: y^2 = x^3 + a x^2 + b x + c,&\mathrm {char}(\mathbb {F})\ne 2,~~&\nonumber \\&E: y^2 +xy= x^3 + a x^2 + b,&\mathrm {char}(\mathbb {F})=2,~&j(E)\ne 0,~ \varDelta (E) = b,\end{aligned}$$
(2)
$$\begin{aligned}&E: y^2 +cy= x^3 + a x + b,&\mathrm {char}(\mathbb {F})=2,~&j(E)=0,~ \varDelta (E) = a^3, \end{aligned}$$
(3)

where \(\varDelta (E)\) and \(j(E)\) are the discriminant and the \(j\)-invariant of the elliptic curve. Elliptic curves in Eqs. (2) and (3) are called ordinary and supersingular binary elliptic curves, respectively. Elliptic curves can be represented by several other models such as Edwards, Hessian, Montgomery, Jacobi intersection, and Jacobi quartic ([1, Chap. 13], [19, Chap. 2], [17]).

The trace function \(\mathrm {Tr}: \mathbb {F}_{2^n}\rightarrow \mathbb {F}_2\) is a linear transformation that is defined as follows:

$$\mathrm {Tr}(a)=\sum _{k=0}^{n-1} a^{2^{k}}.$$

In addition, for \(n\) odd, the half trace is the function \(\mathrm {HTr}: \mathbb {F}_{2^n}\rightarrow \mathbb {F}_{2^n}\), where

$$\begin{aligned}&\mathrm {HTr}(c)=\sum _{k=0}^{\frac{n-1}{2}} c^{2^{2k}}. \end{aligned}$$

An ordinary binary elliptic curve such as \(E\) can be transformed into the equation \(z^2+z= g(x)\), where \(z=\frac{y}{x}\) and \(g(x)=\frac{x^3+ax^2+b}{x^2}\). Consequently, points on \(E\) can be found using the solutions of equation \(z^2+z= g(x)\). Also, It is well-known that the equation \(z^2+z=c\) over \(\mathbb {F}_{2^n}\) has solution if and only if \(\mathrm {Tr}(c)=0\). And, if \(z_0\) is a solution of this equation then \(z_0+1\) is one other. More precisely, let \(y \in \mathbb {F}_{2^n}\) be an element of trace 1. If \(\mathrm {Tr}(c)=0\) then the solution of equation \(z^2+z=c\) is as follows:

$$\begin{aligned} \mathrm {Z}(c) = \left\{ \begin{array}{l l} {\mathop {\sum }\nolimits _{k=0}^{\frac{n-3}{2}} c^{2^{2k+1}}} ~~~ &{}\text{ if } n \text{ is } \text{ odd, } \\ {\mathop {\sum }\nolimits _{k=0}^{n-1}(\sum _{j=0}^{k} c^{2^{j}}} ) y^{2^{k}} ~~~ &{}\text{ if } n \text{ is } \text{ even, } \end{array}\right. \end{aligned}$$
(4)

Hence, having an element \(y \in \mathbb {F}_{2^n}\), where \(\mathrm {Tr}(y)=1\), we can deterministically compute the roots of quadratic equation \(z^2+z=c\) where \(\mathrm {Tr}(c)=0\).

It is well-known that two ordinary elliptic curves

$$\begin{aligned}&E_1: y^2 +xy= x^3 + a x^2 + b, \quad \varDelta (E_1)=b,\\&E_2: y^2 +xy= x^3 + \overline{a} x^2 + \overline{b}, \quad \varDelta (E_2)=\overline{b}, \end{aligned}$$

over \(\mathbb {F}_{2^n}\) are isomorphic over \(\mathbb {F}_{2^n}\) if and only if \(b=\overline{b}\) and \(\mathrm {Tr}(a)=\mathrm {Tr}(\overline{a})\) [11]. As a result, we conclude that the number of isomorphism classes of ordinary elliptic curves over \(\mathbb {F}_{2^n}\) is \(2^{n+1} -2\). More precisely, fix two elements \(\mu , \gamma \in \mathbb {F}_{2^n}\) with \(\mathrm {Tr}(\mu )=0\) and \(\mathrm {Tr}(\gamma )=1\). The set of representative of the isomorphism classes is

$$\mathcal {I}=\mathcal {I}_\mu \cup \mathcal {I}_\gamma ,$$

where \(\mathcal {I}_a=\{y^2 +xy= x^3 + a x^2 + b~|~ b\in \mathbb {F}^*_{2^n} \}\) for \(a \in \mathbb {F}_{2^n}\).

Also, any given elliptic curve \(E\in \mathcal {I}\) has a non-trivial 2 torsion group, and \(\#E(\mathbb {F}_{2^n})\) is divisible by 4 if and only if \(E\in \mathcal {I}_\mu .\)

Now, we partition \(\mathcal {I}\) in terms of \(n\) as follows, because we want to investigate different cases separately, according to the requirement of Algorithms 4 and 6.

  1. 1.

    \(n\) is odd. Since, \(\mathrm {Tr}(1)=1\) we have

    $$\mathcal {I}=\mathcal {I}_1\cup \mathcal {I}_0,$$
  2. 2.

    \(n\) is even. Since, \(\mathrm {Tr}(1)=0\) we have

    $$\mathcal {I}=\mathcal {I}_\gamma \cup \mathcal {I}_1,$$

    where \(\mathrm {Tr}(\gamma )=1.\)

In Sect. 3, we provide injective encoding algorithms for all ordinary binary elliptic curves \( y^2+x y= x^3 + a x^2 + b \) over \(\mathbb {F}_{2^n}\) with \(\mathrm {Tr}(a)=1\) as well as those with \(\mathrm {Tr}(a+1)=0\).

2.2 Encoding into Elliptic Curves

Encoding into Elliptic Curves: Boneh, et al. in [7] proposed the try-and-increment method. This method is probabilistic, hence it does not run in a constant time so is vulnerable to timing attacks. A variant form of the try-and-increment for elliptic curves over \(\mathbb {F}_{2^n}\) with \(n\) odd is as follows:

figure a

The probability of success for any arbitrary \(M\in \left\{ 0,1 \right\} ^*\) is close to \(\frac{1}{2}\). Hence, the probability of failure after up to \(k\) rounds is about \(2^{-k},\) and by taking \(k\approx 128\) we are sure that the algorithm will be successful unless in a very rare situations.

Boneh and Franklin in [6] suggested a deterministic method of encoding into elliptic curves, but their method was restricted to the supersingular elliptic curves of the form \(E: y^2=x^3+b\) over \(\mathbb {F}_q\), where \(q \equiv 2 ~\pmod {3}\). Although their method was efficient, the MOV attack [14] can be used for transforming the elliptic curve discrete logarithm problem to the finite field version, which has subexponential complexity. They also introduced the following notion of admissible encoding.

Definition 1

([6]) A function \(f:~S\rightarrow ~R\), where \(S\) and \(R\) are two finite sets, is an admissible encoding if it satisfies the following conditions:

1: Computable: \(f\) is computable in deterministic polynomial time.

2: l to 1: for any \(r \in R\), \(\#{f^{-1}(r)}=l\).

3: Samplable: there exists a probabilistic polynomial time algorithm that for any \(r \in R\), it returns a random element \(s \in f^{-1}(r)\).

Let \(\mathfrak {f}:\mathbb {F}_{2^n} \rightarrow \mathfrak {f}(\mathbb {F}_{2^n}) \subset E(\mathbb {F}_{2^n})\) be an admissible encoding and \(\mathfrak {h}: \{0, 1\}^* \rightarrow \mathbb {F}_{2^n}\) be a random oracle. Brier et al. in [4] proved that \(\mathbf {h}: \{0, 1\}^* \rightarrow E(\mathbb {F}_{2^n})\), where \(\mathbf {h}(m)=\mathfrak {f}(\mathfrak {h}(m))\), is indifferentiable from a random oracle to \(\mathfrak {f}(\mathbb {F}_{2^n}) \subseteq E(\mathbb {F}_{2^n})\). So, having an admissible encoding function \(\mathfrak {f}:\mathbb {F}_{2^n} \rightarrow \mathfrak {f}(\mathbb {F}_{2^n}) \subset E(\mathbb {F}_{2^n})\) is required for having a random oracle into \(E(\mathbb {F}_{2^n})\). Also, the inverse function of injective encoding functions can be used in representing points of binary elliptic curves in a way that the preimage is indistinguishable from a uniform bit-string. Now, we review important encoding methods and state their drawbacks.

Icart’s Method: As it was stated above, the Boneh et al.’s encoding function can just be applied to supersingular elliptic curves \( y^2=x^3+b\). Icart in [12] extended their method and proposed an explicit encoding to elliptic curves \(y^2=x^3+ax+b\) over \(\mathbb {F}_q\) where \(q \equiv 2~ \pmod {3}\), and ordinary elliptic curves \(E: y^2+x y= x^3 + a x^2 + b\) over \(\mathbb {F}_{2^n}\) where \(n\) is odd. His binary encoding function is as follows:

$$\begin{aligned} f_{a,b}:&~\mathbb {F}_{2^n} \rightarrow E(\mathbb {F}_{2^n})\\&u \rightarrow (x,ux+v^2), \end{aligned}$$

where \(v=a+u+u^2\) and \(x=(v^4+v^3+b)^\frac{1}{3}+v\). In addition, \(\#{f_{a,b}}^{-1}(P)\le 4\) so it is not \(l:1\), for some small positive integer, and as a result it is not an admissible encoding.

SW Method: Another completely different method that was given before Icart’s method is the Shallue-Woestijne’s method. Their method covers all isomorphism classes of elliptic curves over all finite fields [18], but it was at most 8:1 and as a result it is not an admissible encoding. Here, we recall the binary case of the SW method for ordinary elliptic curves.

Let \(E\) be an ordinary binary elliptic curve \(y^2 +xy=x^3 +ax^2+b\), \(g(x) = {(x^3+ax^2+b)}/{x^{2}}\) and

$$\begin{aligned} \begin{array}{c} X_{1}(t,w)=\frac{t (a+w+w^2)}{1+t+t^2}, \qquad X_{2}(t,w)=t.X_{1}(t,w) +(a+w+w^2),\\ X_{3}(t,w)= \frac{X_{1}(t,w).X_{2}(t,w)}{X_{1}(t,w)+X_{2}(t,w)} \cdot \end{array} \end{aligned}$$
(5)

Then

$$g(X_{1}(t,w))+g(X_{2}(t,w))+g(X_{3}(t,w)) \in h(\mathbb {F}_{2^n}),$$

where \(h: \mathbb {F}_{2^n} \rightarrow \mathbb {F}_{2^n}\) and \(h(z)=z^2+z\). Since the trace function is a linear transformation on \(\mathbb {F}_{2^n}\), then either one or all of \(g(X_{i})\in h(\mathbb {F}_{2^n})\). In the other words, we have \(\mathrm {Tr}(g(X_{i}))=0\) for either one of \(i\in \{1,2,3\}\) or all of them. Given such \(X_i\), the solutions of equation \(z^2+z= g(X_i)\) is computable, so the Algorithm 2 always returns 2 or 6 solutions.

Remark 1

We use \(\mathrm {Z}(c)\) for computing the root of the equation \(z^2+z=c\) in all of the following algorithm. However, for \(n\) odd \(\mathrm {Z}(c)\) is exactly the same as the \(\mathrm {HTr}(c)\).

Algorithm 2 is the Shallue-Woestijne algorithm for binary elliptic curves over \(\mathbb {F}_{2^n}\), where \(n\) is odd and \(w\) is fixed.

figure b

The equation of elliptic curve \(y^2 + xy = x^3 + ax^2 + b\) in the \(\lambda -\)affine coordinate is of the form \((\lambda ^2 + \lambda + a)x^2 = x^4 + b\), where \(\lambda =x+\frac{y}{x}\). Aranha et al. in [2] improved Algorithm 2 using the \(\lambda -\)affine coordinate of elliptic curves. More precisely, they fixed \(t\) and considered \(w\) as the variable parameter and showed that the number of inversions in the Eq. 5 can be decreased to one inversion by using the pre-computed values \(\frac{t}{t^2+t+1}\), \(\frac{t+1}{t^2+t+1}\), \(\frac{t^2+t}{t^2+t+1}\). They also used the \(\lambda -\)affine coordinates as a computational trick to eliminate computing inversion to have more efficient binary elliptic curve arithmetic.

2.3 Injective Functions from Bit Strings to \(\mathbb {F}_{2^n}\)

To construct an injective encoding function to binary elliptic curves we require an injective encoding from \(\{0,1\}^{n-1}\) to a determined subset S of \(\mathbb {F}_{2^n}\). Here, we explain function \(\kappa ^l\) for \(l\in \{0,1\}\) and we use it in Sect. 3.

Let \(\Lambda =\{\lambda _1, \ldots , \lambda _{n}\}\) be an arbitrary basis for \(\mathbb {F}_{2^n}\). Then every element \(b \in \mathbb {F}_{2^n}\) is uniquely represented by a bit string \(b_1, b_2, \cdots , b_n\) with \(b= \sum _{j=1}^n b_j\lambda _j\). In particular, \(1=\sum _{j=1}^n c_j \lambda _j\), with \(c_i\ne 0\) for a fixed \(i\). Let \(\mathcal {B}^l\), for \(l \in \{0,1\}\), be the subset of \(\mathbb {F}_{2^n}\) given by

$$\mathcal {B}^l=\{b : \; b \in \mathbb {F}_{2^n} ~|~ b_i=l\}.$$

Now, we can define the function \(\kappa ^l: \{0,1\}^{n-1}\rightarrow \mathcal {B}^l\subset \mathbb {F}_{2^n}\), where

$$\kappa ^l (b_1,\cdots ,b_{i-1},b_{i+1},\cdots ,b_n)= \sum _{j=1}^n b_j\lambda _j$$

and \(b_i=l\). Clearly, function \(\kappa ^l\) is a bijective function and none of the elements of \(b=(b_1,\cdots ,b_{i-1},b_{i+1},\cdots ,b_n)\in \{0,1\}^{n-1}\) is sent to \(\sum _{j=1}^n (b_j+c_j) \lambda _j=1+\sum _{j=1}^n b_j \lambda _j\). As a result, for any \(w \in \mathbb {F}_{2^n}\) one and only one of \(w\) or \(w+1\) belongs to \(\mathcal {B}^l\).

For example, if \(\Lambda =\{1, \alpha , \alpha ^2, \cdots , \alpha ^{n-1}\}\) is the polynomial basis of \(\mathbb {F}_{2^n}\), then \(\mathcal {B}^l\) is the set of elements in \(\mathbb {F}_{2^n}\) with the least significant bit \(l\), where \(l\in \{0,1\}\). Now, we can define the bijective functions \(\kappa ^l : \{0,1\}^{n-1} \rightarrow \mathcal {B}^l \subset \mathbb {F}_{2^n}\) for \(l\in \{0,1\}\), where

$$\begin{aligned}&\kappa ^l (b_2, b_3, \cdots , b_n)= l + \sum _{j=2}^{n} b_{j}\alpha ^{j-1}. \end{aligned}$$

Hereafter, we let \(\kappa =\kappa ^0\).

3 Injective Encoding to Binary Elliptic Curves

In this section, we first recall the injective encoding function to binary elliptic curves with a point of order 3 [8]. Then, we present two Algorithms which bring about injective encoding for all ordinary binary elliptic curves \(E : y^2 +xy=x^3 +ax^2+b\) with \(\mathrm {Tr}(a)=1\) or \(\mathrm {Tr}(a+1)=0\), respectively.

3.1 Encoding into Hessian Curves

Up to now, the only injective encoding to binary elliptic curves has been given for the Hessian form of elliptic curves over \(\mathbb {F}_{2^n}\) with \(n\) odd [8]. A binary Hessian elliptic curve has a point of order 3, therefore that injective encoding is applicable only to the family of binary elliptic curves with a point of order 3. More precisely, let

$$\begin{aligned} \mathrm {H}_{d}~:~x^3+y^3+1=dxy, \end{aligned}$$

where \(d \in \mathbb {F}_{2^n}\) and \(d^3\ne 1\), be an Hessian curve over a finite field \(\mathbb {F}_{2^n}\) with \(n\) odd [10]. It is shown in [8] that there is an injective function \(\texttt {elt}: \{0,1\}^{n-1}\rightarrow \mathbb {F}_{2^n}\) in which \(\mathrm {Tr}(d^3({\texttt {elt}(b)}^2+\texttt {elt}(b)))=0\), for all \(b\in \{0,1\}^{n-1}\). Therefore, the following map is well defined and injective.

$$\begin{aligned} \texttt {i}_d : \left\{ 0,1\right\} ^{n-1} \longrightarrow \mathrm {H}_{d}(\mathbb {F}_{2^n}) \end{aligned}$$

where \(\texttt {i}_{d}(b)=(x,y)\) if \(\texttt {elt}(b) \ne 0\), and \(x=duv, ~ y=d(u+v)\) with

$$\begin{aligned}&u=\frac{1}{d}\left( \frac{w}{\texttt {elt}(b)} \right) ^{1/3}, \quad v=\frac{1}{d}\left( \frac{w+1}{\texttt {elt}(b)} \right) ^{1/3}, \\&w^2+w=d^3({\texttt {elt}(b)}^2+\texttt {elt}(b)), \end{aligned}$$

and \(\texttt {i}_{d}(b)=(1,0)\) if \(\texttt {elt}(b)=0\).

3.2 Injective Encoding to Binary Elliptic Curves with \(\mathrm {Tr}(a)=1.\)

Let \(E\) be the following ordinary binary elliptic curve

$$\begin{aligned} E: y^2+xy =x^3 +ax^2+b, ~~\qquad ~\mathrm {Tr}(a)=1. \end{aligned}$$
(6)

Here, we explain our first approach for finding injective encoding function from \(\{0,1\}^{n-1}\) to elliptic curves with Eq. (6).

As we recall, Eq. (5) is a two variables function in \(w\) and \(t\). The main idea for finding a new injective encoding from \(\{0,1\}^{n-1}\) to the ordinary binary elliptic curves, is fixing \(t\) and going through all \(w\in \mathbb {F}_{2^n}\). However, to achieve such injective encoding we require to have \(\mathrm {Tr}(a)=1\), and binary elliptic curves which are used in elliptic curve cryptography are exactly ordinary binary elliptic curves with \(\mathrm {Tr}(a)=1\). SW algorithm for binary elliptic curves \(y^2+xy =x^3 +ax^2+b,\) when we fix \(t\in \mathbb {F}_{2^n}\) and consider \(w \in \mathbb {F}_{2^n}\) as a variable, is the following algorithm and we use the notation \(\mathfrak {f}\) for Algorithm 3 to call it in Algorithm 4.

figure c

Remark 2

Clearly, \(\mathfrak {f}(w)=P\) if and only if \(\mathfrak {f}(w+1)=P\), so for a given point \(P\in \mathfrak {f}(\mathbb {F}_{2^n})\), \(\mathcal {V}_P=\{w_1,w_1+1,w_2,w_2+1,w_3,w_3+1\}\subset \mathbb {F}_{2^n}\) is the largest possible preimage set of \(P\) and by considering the set \(\mathcal {W}_P=\{w_1,w_2,w_3\}\subset \mathcal {V}_P\) as the preimage set of \(P\), we do not lose information about the preimages of \(P\).

The following proposition shows that there is an interesting feature in Algorithm 3 which can be used for providing a 2:1 encoding from \(\mathbb {F}_{2^n}\) to binary elliptic curves of Eq. (6).

Proposition 3

If \(\mathrm {Tr}(a)=1\), then Algorithm 3 is at most \(4:1\).

Proof

Since \(\mathrm {Tr}(a)=1\) we conclude that at most two elements of \(\mathbb {F}_{2^n}\) are sent to \(\mathcal {O}\). Now, suppose that we are given a point \(P=(x_0,y_0)\in \mathfrak {f}(\mathbb {F}_{2^n})\subset E(\mathbb {F}_{2^n})\). We consider two possibilities.

  1. 1.

    If \(X_1=\frac{t}{t^2+t+1} (a+w+w^2)\ne x_0\) for all \(w\in \mathbb {F}_{2^n}\). Clearly, \(\#\mathfrak {f}^{-1}(P)\le 4\) because \(\deg (X_2)=\deg (X_3)=2\), and we are done.

  2. 2.

    If \(X_1(w_1)=X_1(w_1+1)=\frac{t}{t^2+t+1} (a+w_1+w_1^2)= x_0\). In this case, it is impossible that we have \(X_2(w_2)=\frac{t+1}{t^2+t+1}(w_2^2+w_2+a)=x_0\) and \(X_3(w_3)=\frac{t(t+1)}{t^2+t+1}(w_3^2+w_3+a)=x_0\) simultaneously. Because, if this happens then \(\mathfrak {f}^{-1}(P)=\{w_1,w_1+1,w_2,w_2+1,w_3,w_3+1\}\subset \mathbb {F}_{2^n}\) and we have

    $$\begin{aligned}&x_0=\frac{t}{t^2+t+1}(w_1^2+w_1+a)=\frac{t+1}{t^2+t+1}(w_2^2+w_2+a),\end{aligned}$$
    (7)
    $$\begin{aligned}&x_0=\frac{t}{t^2+t+1}(w_1^2+w_1+a)=\frac{t(t+1)}{t^2+t+1}(w_3^2+w_3+a), \end{aligned}$$
    (8)

    or equivalently

    $$\begin{aligned}&w_2^2+w_2+(\frac{t(w_1^2+w_1)+ a}{t+1})=0, \end{aligned}$$
    (9)
    $$\begin{aligned}&w_3^2+w_3+(\frac{w_1^2+w_1+t a}{t+1})=0. \end{aligned}$$
    (10)

    Now, if we let \(A=\frac{t(w_1^2+w_1)+a}{t+1}\) and \(B=\frac{w_1^2+w_1+ t a}{t+1}\), we see that \(A+B=w_1^2+w_1+a\) and \(\mathrm {Tr}(A+B)=\mathrm {Tr}(w_1^2+w_1+a)=\mathrm {Tr}(a)=1\). Therefore, we conclude that one and only one of the Eqs. (9) or (10) has solution. Hence, one of the Eqs. (7) or (8) is held and \(\#\mathfrak {f}^{-1}(P)= 4\). \(\square \)

Now, let we are given a point \(P\in \mathfrak {f}(\mathbb {F}_{2^n})\). Since \(P\) has at most four preimages, we have to first modify Algorithm 3 to have a 2:1 encoding function then using the bijective function in Sect. 2.3 we can construct our desired injective encoding from \(\{0,1\}^{n-1}\) to \(E(\mathbb {F}_{2^n})\).

Theorem 4

Let \(E\) be the elliptic curve of Eq. (6). There is a function \(\mathfrak {g}: \mathbb {F}_{2^n}\rightarrow E(\mathbb {F}_{2^n})\) which is 2:1. In addition, \(\mathfrak {g}^{-1}\) is computable.

Proof

Since \(\mathrm {Tr}(a)=1\), by Proposition 3 we conclude that Algorithm 3 is at most \(4:1\). So, we have two main possibilities for the preimage set of any point \(P=(x_0,y_0) \in \mathfrak {f}(\mathbb {F}_{2^n})\).

  1. 1.

    \(\#\mathfrak {f}^{-1}(P)=4\). Let \(\mathcal {W}_P=\{w,\lambda \}\) be the preimage set of \(\mathfrak {f}^{-1}(P)\), then \(\mathcal {W}_P=\{w_i,w_j\}\), where \(i, j \in \{1,2,3\}\) and \(i\ne j\). Also, the index \(i\) of \(w_i\) refers to the index of \(X_i\) which produces point \(P\). So, we have the following three cases.

    1. (a)

      \(\{w,\lambda \}=\{w_1, w_2\}.\) Let \(R_1\) and \(R_{31}\) be the sets of roots of equations

      $$\begin{aligned}&x^2+x+(\frac{t(w^2+w)+a}{t+1})=0,\\&x^2+x+\frac{(t+1)(w^2+w)+a}{t}=0. \end{aligned}$$

      These two equations are related to each other, in the sense that if we simplify the first equation regarding to \(w\) and swap \(x\) with \(w\), we get the other equation and vice versa. Now, there are two cases

      1. i.

        If \(w=w_1\) and \(\lambda =w_2\) then \(R_1\subseteq \{\lambda ,\lambda +1\}\) and \(R_{31}\subseteq \{\zeta , \zeta +1\}.\)

      2. ii.

        If \(w=w_2\) and \(\lambda =w_1\) then \(R_1\subseteq \{\zeta , \zeta +1\}\) and \(R_{31}\subseteq \{w,w+1\},\)

      where \(\{\zeta , \zeta +1\}\cap \mathfrak {f}^{-1}(P) =\emptyset \). In each case, we can use the function \(\mathfrak {f}\) of Algorithm 3 to investigate which set is the suitable set. For the first case, we define \(\mathfrak {g}(w)=\mathfrak {f}(w)\), and for the second case we define \(\mathfrak {g}(w)=-\mathfrak {f}(w).\)

    2. (b)

      \(\{w,\lambda \}=\{w_1, w_3\}.\) Let \(R_2\) and \(R_{32}\) be the sets of roots of equations

      $$\begin{aligned}&x^2+x+\frac{w^2+w+ t a}{t+1}=0,\\&x^2+x+(t+1)(w^2+w)+t a=0. \end{aligned}$$
      1. i.

        If \(w=w_1\) and \(\lambda =w_3\) then \(R_2\subseteq \{\lambda ,\lambda +1\}\) and \(R_{32}\subseteq \{\zeta , \zeta +1\}.\)

      2. ii.

        If \(w=w_3\) and \(\lambda =w_1\) then \(R_2\subseteq \{\zeta , \zeta +1\}\) and \(R_{32}\subseteq \{w,w+1\},\)

      where again \(\{\zeta , \zeta +1\}\cap \mathfrak {f}^{-1}(P) =\emptyset \). Similar to the first case, we use the function \(\mathfrak {f}\) to investigate which set is the suitable set. For the first case, we define \(\mathfrak {g}(w)=\mathfrak {f}(w)\), and for the second case we define \(\mathfrak {g}(w)=-\mathfrak {f}(w).\)

    3. (c)

      \(\{w,\lambda \}=\{w_2, w_3\}.\) Let \(R_4\) and \(R_5\) be the sets of roots of equations

      $$\begin{aligned}&x^2+x+\frac{w^2+w+(t+1) a}{t}=0,\\&x^2+x+t(w^2+w)+(t+1)a=0. \end{aligned}$$
      1. i.

        If \(w=w_2\) and \(\lambda =w_3\) then \(R_4\subseteq \{\lambda ,\lambda +1\}\) and \(R_5\subseteq \{\zeta , \zeta +1\}.\)

      2. ii.

        If \(w=w_3\) and \(\lambda =w_2\) then \(R_4\subseteq \{\zeta , \zeta +1\}\) and \(R_5\subseteq \{w,w+1\}.\)

      Like the previous cases, for the first case we define \(\mathfrak {g}(w)=\mathfrak {f}(w)\), and for the second case we define \(\mathfrak {g}(w)=-\mathfrak {f}(w).\)

  2. 2.

    \(\#\mathfrak {f}^{-1}(P)=2\). Let \(\mathcal {W}_P=\{w\}.\) In this case, none of the sets of \(R_1,R_2,R_{31},R_{32},R_4\) and \(R_5\) are allowed to output. So, we just define \(\mathfrak {g}(w)=\mathfrak {f}(w)\).

For computing \(\mathfrak {g}^{-1}(P)\), where \(P=(x,y) \in \mathfrak {g}(\mathbb {F}_{2^n})\), we consider the list

$$L=[a+x(t+1+s_1), a+x(t+s_2),a+x(1+s_1 s_2)],$$

where \(s_1=\frac{1}{t}, s_2=\frac{1}{t+1}\) and since \(t\) is fixed we only use the precomputed value of \(s_1\) and \(s_2\). The preimage of \(P\) is the element \(l\in L\) which satisfies the necessary property \(\mathrm {Tr}(l)=0\). For such \(l\in L\), we accept the solution \(w_0=\mathrm {Z}(l)\) of the equation \(w^2+w+l=0\) as the desired preimage if \(\mathfrak {g}(w_0)=P\). \(\square \)

figure d

Algorithm 5 explains details of computing the preimage of a point \(P \in \mathfrak {g}(\mathbb {F}_{2^n})\). It should be mentioned that we don’t require the exact preimage of a point \(P\). In fact, since \(\mathfrak {g}^{-1}(P)=\{w,w+1\}\) we are able to find another preimage of \(P\) using output of Algorithm 5 and that is sufficient for constructing our injective encoding function.

The following proposition describes how we can extract an injective encoding function by composing the functions \(\mathfrak {g}\) and \(\kappa : \{0,1\}^{n-1}\rightarrow \mathbb {F}_{2^n}\).

Proposition 5

Function \(\mathfrak {g}\circ \kappa : \{0,1\}^{n-1}\rightarrow E(\mathbb {F}_{2^n})\) is an injective encoding function.

Proof

Function \(\mathfrak {g}\) is 2:1 with this property that, for all \(w\in \mathbb {F}_{2^n}\), \(\mathfrak {g}(w)=\mathfrak {g}(w+1)\). On the other hand, the injective function \(\kappa : \{0,1\}^{n-1}\rightarrow \mathbb {F}_{2^n}\) covers one and only one of the elements \(w\) or \(w+1\). Therefore, function \(\mathfrak {g}\circ \kappa : \{0,1\}^{n-1}\rightarrow E(\mathbb {F}_{2^n})\) will be the desired injective encoding function.\(\square \)

figure e

3.3 Injective Encoding to Binary Elliptic Curves with \(\mathrm {Tr}(a+1)=0\)

Here, we describe our second simple approach for finding an injective encoding to the family of binary elliptic curves

$$\begin{aligned} E: y^2+xy= x^3+ax^2+b, \qquad ~~\mathrm {Tr}(a+1)=0. \end{aligned}$$
(11)

We remark that, this method can be seen as simplified SW algorithm.

Proposition 6

Let \(E\) be an elliptic curve over \(\mathbb {F}_{2^n}\) given by the Eq. (11). Then, for every \(t\in \mathbb {F}_{2^n}\) there exits a point \(P\) on \(E\) with \(x(P)\) equals \(t\), \(t+1\) or \(t^2+t\).

Proof

For \(t\) where \(t^2+t=0\) we have the point \(P=(0,\sqrt{b})\). Now, let \(g(x)=x+a+\frac{b}{x^2}\). Then, for all \(t\in \mathbb {F}_{2^n}^*\), we have \(g(t)+g(t+1)+g(t^2+t)=t^2+t+a+1\). Using the linearity of Trace function, we have

$$\mathrm {Tr}(g(t))+\mathrm {Tr}(g(t+1))+\mathrm {Tr}(g(t^2+t))=\mathrm {Tr}(t^2+t+a+1)=0.$$

So, there exist a point \(P\) on \(E\) where \(x(P) \in \{t, t+1, t^2+t\}\) and \(y(P)=x(P)Z(g(x(P)))\) (see Eq. 4). \(\square \)

The trivial solution to correspond an element \(t \in \mathbb {F}_{2^n}\) to a point on binary elliptic curve \(E\), is to check whether there is a point with \(x\)-coordinate equals \(t\) or \(t+1\). But, what about the case if it fails? For the family of elliptic curves \(E\) of the form (11), Proposition  6 shows there is a point on \(E\) with \(x\)-coordinate equals \(t^2+t\) if there is no points with \(x\)-coordinate equal to \(t\) and \(t+1\). To make this encoding uniform 2:1, the first step is to find a point on \(E\) for the value \(t^2+t\) and if it fails the second step is for the values \(t\) and \(t+1\). Here the output of encoding is the same for input values \(t\) and \(t+1\). Also, the main technical point is using the negation map on \(E\) to make a distinction between these two steps.

Now, we present Algorithm 6 which is 2:1 from \(\mathbb {F}_{2^n}\) to \(E(\mathbb {F}_{2^n})\), where \(E\) is the elliptic curve with Eq. (11). Using Algorithm 6 we can construct our desired injective encoding from \(\{0,1\}^{n-1}\) to \(E(\mathbb {F}_{2^n})\).

figure f

Theorem 7

Function \(\mathfrak {e} : \mathbb {F}_{2^n}\rightarrow E(\mathbb {F}_{2^n})\) given by Algorithm 6 is 2:1. Furthermore, \({\mathfrak {e}}^{-1}(P)\) is computable.

Proof

Let \(P=(u,v)\) be an affine point of \(E(\mathbb {F}_{2^n})\). Clearly \(P=(u,v)\in \mathfrak {e} (\mathbb {F}_{2^n})\) only if there exists some \(t \in \mathbb {F}_{2^n}\) such that \(u\) equals \(t, t+1\) or \(t^2+t\). In other words \(\mathfrak {e}^{-1}(P) \subset \{u, u+1, w, w+1\}\), where \(w \in \mathbb {F}_{2^n}\) and \(w^2+w=u\). Obviously, to compute \(\mathfrak {e}^{-1}(P)\), we find elements \(t \in \{u, u+1, w, w+1\}\) that is mapped to \(P\) by \(\mathfrak {e}\).

If \(u=0\) then \(P=(0,\sqrt{b})\). Clearly, \(\mathfrak {e}^{-1}(P)= \{0,1\}\). From now on, we assume \(u\ne 0\). For \(x \in \mathbb {F}_{2^n}^*\), let \(g(x)=x+a+b/x^2\) and \(T(x)=\mathrm {Tr}(g(x))\). Clearly there exists a point \(P=(u,v)\) on \(E\) if and only if \(T(u)=0\). Then we have, \(v=u\mathrm {Z}(g(u))\) or \(v=u(\mathrm {Z}(g(u))+1)\) (see Sect. 2.1). For the point \(P=(u,v)\) on \(E\) with \(u \ne 0\), let \(c(P)=v/u+\mathrm {Z}(g(u))\). Then, \(P=(u, u(\mathrm {Z}(g(u))+c(P)))\). Clearly the compression of point \(P\) or \(-P\) is given by \(x(P)=x(-P)=u\) and the bit \(c(P)\) or \(1+c(P)\) respectively.

We consider the following cases for \(u\).

  1. 1.

    Let \(u\) be such that \(\mathrm {Tr}(u)=0\), then let fix \(w \in \mathbb {F}_{2^n}\) such that \(w^2+w=u\). Then

    $$\mathfrak {e}^{-1}(P) \subset \{u, u+1, w, w+1\}.$$

    For the point \(P\) with \(u=1\), we have \(\mathfrak {e}^{-1}(P)=\{w,w+1\}\) if \(c(P)=1\) and \(\mathfrak {e}^{-1}(P)=\emptyset \) otherwise. Now, we assume \(u \ne 1\). From Proposition 6, we have

    $$T(u)+T(u+1)+T(u^2+u)=0, \qquad T(w)+T(w+1)+T(u)=0.$$

    Since \(T(u)=0\), there are 4 possibilities for the values \(T(w), T(w+1), T(u+1)\) and \(T(u^2+u)\). From Algorithm 6, we check the output of \(\mathfrak {e}\) for following cases of the input \(t\).

    • For all \(t \in \{u, u+1\}\), if \(T(u^2+u)=0\) we have \(x(\mathfrak {e}(t))=u^2+u \ne u\), since \(u \ne 0\), so \(\mathfrak {e}(t) \ne \pm P\). Also, if \(T(u^2+u)=1\), we have \(\mathfrak {e}(t)=P\) if \(c(P)=0\) and \(\mathfrak {e}(t)=-P\) if \(c(P)=1\).

    • For all \(t \in \{w, w+1\}\), we have \(x(\mathfrak {e}(t))=w^2+w=u\). Then \(y(\mathfrak {e}(t))=u(\mathrm {Z}(g(u))+1) \ne y(P)\) if \(c(P)=0\), and \(y(\mathfrak {e}(t))=u(\mathrm {Z}(g(u))+1) = y(P)\) if \(c(P)=1\). In other words, for all \(t \in \{w, w+1\}\), we have \(\mathfrak {e}(t)=-P\) if \(c(P)=0\) and \(\mathfrak {e}(t)=P\) if \(c(P)=1\).

    Then, we compute \(\mathfrak {e}^{-1}(P)\) for all possible cases of \(c(P)\) and \(T(u^2+u)\).

    • If \(c(P)=0\) and \(T(u^2+u)=0\), then we have \(\mathfrak {e}^{-1}(P)=\emptyset \).

    • If \(c(P)=0\) and \(T(u^2+u)=1\), then we see that \(\mathfrak {e}^{-1}(P)=\{u,u+1\}\).

    • If \(c(P)=1\) then \(\mathfrak {e}^{-1}(P)=\{w, w+1\}\).

  2. 2.

    If \(\mathrm {Tr}(u)=1\), then there is no element \(w \in \mathbb {F}_{2^n}\) such that \(w^2+w=u\). So,

    $$\mathfrak {e}^{-1}(P) \subset \{u, u+1\}.$$

    Similar to the previous case, we have \(T(u)+T(u+1)+T(u^2+u)=0\). Also, \(\mathfrak {e}^{-1}(P)=\{u,u+1\}\) if \(T(u^2+u)=1\) and \(c(P)=0\) and \(\mathfrak {e}^{-1}(P)=\emptyset \) otherwise.

Briefly, for all \(P=(u,v)\in \mathfrak {e} (\mathbb {F}_{2^n})\), we have

$$ \mathfrak {e}^{-1}(P)= \left\{ \begin{array}{ll} \displaystyle \{u,u+1\} &{} \text { if } u=0, \\ \displaystyle \{u,u+1\} &{} \text { if } c(P)=0 \text { and } \mathrm {Tr}(a+\frac{b}{u^4+u^2})=1,\; u \ne 0,1, \\ \displaystyle \{w, w+1\} &{} \text { if } c(P)=1 \text { and } \mathrm {Tr}(u)=0, \\ \displaystyle ~~~~~~\emptyset &{} \text { otherwise} . \end{array} \right. $$

Hence, the function \(\mathfrak {e}\) is 2:1. \(\square \)

Algorithm 7 describes computing preimage of a point \(P\in \mathfrak {e}(\mathbb {F}_{2^n})\).

Proposition 8

Function \(\mathfrak {e}\circ \kappa : \{0,1\}^{n-1}\rightarrow E(\mathbb {F}_{2^n})\), \(l\in \{0,1\}\), is an injective encoding function.

Proof

The proof line is the same as Proposition 5.\(\square \)

Note that Algorithm 7 for a given point \(P\in E(\mathbb {F}_{2^n})\) outputs an element \(t\) in \(\mathbb {F}_{2^n}\) or gives nothing. Notice, \(t\) is represented by a bit string of length \(n\). For computing the preimage of \(P\) by \(\mathfrak {e}\circ \kappa \), the required output is a bit sting of length \(n-1\), where simply is obtained by removing a single bit of \(t\) in the suitable fixed position. More precisely, for the basis \(\Lambda =\{\lambda _1, \ldots , \lambda _{n}\}\) of \(\mathbb {F}_{2^n}\), let fix \(i\) such that \(1=\sum _{j=1}^n c_j \lambda _j\), with \(c_i\ne 0\). From Sect. 2.3, we recall the injective functions \(\kappa ^l: \{0,1\}^{n-1}\rightarrow \mathbb {F}_{2^n}\), for \(l=0,1\). The preimage of \(t=\sum _{j=1}^n t_j\lambda _j\) by one of these functions is the required output bit string \((t_1,\cdots ,t_{i-1},t_{i+1},\cdots ,t_n)\) in \(\{0,1\}^{n-1}\).

figure g

4 Concluding Remarks

It is well-known that the encoding functions from \(\mathbb {F}_{2^n}\) to the binary elliptic curves are non-uniform. In fact, the SW-method and the Icart’s method, are at most 6:1 and 4:1, respectively. But, we require to have uniform encoding function, because the transmitted data have to be indistinguishable from the uniform bit strings. In this regard, we can use the injective encoding function to the binary elliptic curves as an admissible encoding. So far, the only injective encoding function to binary elliptic curves is given for those with a point of order 3. In this paper, we studied the general case of binary elliptic curves, and we proposed encoding algorithms which provide us injective encoding functions into binary elliptic curves. Algorithms 4 and 6 covers elliptic curves with equation \(y^2+xy=x^3+ax^2+b\) with \(\mathrm {Tr}(a)=1\) and \(\mathrm {Tr}(a+1)=0\), respectively. These algorithms are both 2:1 and the preimage of a point \(P\) in the image of functions is \(\{w, w+1\}\), for some \(w \in \mathbb {F}_{2^n}\). So using a suitable injective function \(\kappa : \{0,1\}^{n-1}\rightarrow \mathbb {F}_{2^n}\), which covers one and only one of the elements of the set \(\{w, w+1\}\), we construct injective encoding function from \(\left\{ 0,1\right\} ^{n-1}\) to the given elliptic curves.