
Elligator Squared: Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings

Conference paper. Financial Cryptography and Data Security (FC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8437)

Abstract

When represented as a bit string in a standard way, even using point compression, an elliptic curve point is easily distinguished from a random bit string. This property potentially allows an adversary to tell apart network traffic that makes use of elliptic curve cryptography from random traffic, and then intercept, block or otherwise tamper with such traffic.

Recently, Bernstein, Hamburg, Krasnova and Lange proposed a partial solution to this problem in the form of Elligator: an algorithm for representing around half of the points on a large class of elliptic curves as close to uniform random strings. Their proposal has the advantage of being very efficient, but suffers from several limitations:

  • Since only a subset of all elliptic curve points can be encoded as a string, their approach only applies to cryptographic protocols transmitting points that are rerandomizable in some sense.

  • Supported curves all have non-trivial \(2\)-torsion, so that Elligator cannot be used with prime-order curves, ruling out standard ECC parameters and many other cryptographically interesting curves such as BN curves.

  • For indistinguishability to hold, transmitted points have to be uniform in the whole set of representable points; in particular, they cannot be taken from a prime order subgroup, which, in conjunction with the non-trivial \(2\)-torsion, rules out protocols that require groups of prime order.

In this paper, we propose an approach to overcome all of these limitations. The general idea is as follows: whereas Bernstein et al. represent an elliptic curve point \(P\) as the bit string \(\iota ^{-1}(P)\), where \(\iota \) is an injective encoding to the curve (which is only known to exist for some curve families, and reaches only half of all possible points), we propose to use a randomly sampled preimage of \(P\) under an admissible encoding of the form \(f^{\otimes 2}:(u,v)\mapsto f(u)+f(v)\), where \(f\) is essentially any algebraic encoding. Such encodings \(f\) exist for all elliptic curves, and the corresponding admissible encodings \(f^{\otimes 2}\) are essentially surjective, inducing a close to uniform distribution on the curve.

As a result, our bit string representation is somewhat less compact (about twice as long as Elligator), but it has none of the limitations above, and can be computed quite efficiently when the function \(f\) is suitably chosen.
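The sampling idea of the abstract, as an added example that is not code from the paper. It builds a toy prime-order Weierstrass curve over F_101 by brute-force point counting, uses Icart's encoding (reference 16, which needs p = 2 mod 3) as the algebraic map f, and finds preimages of f by a lookup table over all 101 field elements rather than by solving Icart's quartic. The rejection step (draw u, set Q = P - f(u), accept with probability #f^{-1}(Q)/B where B bounds the number of preimages of f, then return (u, v) for a v in f^{-1}(Q)) is the standard way to sample a uniform preimage of f^{⊗2} and is this example's assumption about the procedure, not a transcription of the paper's algorithm; the paper's choice of f, its cost analysis and its bit-string step (Sect. 3.4) are not reproduced. All names (icart, encode, decode, coverage, BOUND, P_MOD) are the example's own.

```python
# Added example, not from the paper: toy "Elligator Squared" on a prime-order curve
# y^2 = x^3 + A x + B over F_p, f = Icart's encoding, preimages of f by table lookup.
import random

P_MOD = 101                          # toy prime with p = 2 (mod 3): cube roots are unique

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def find_prime_order_curve(p, a=1):
    """First non-singular b such that y^2 = x^3 + a x + b has prime order (brute force)."""
    for b in range(1, p):
        n = 1                                          # the point at infinity
        for x in range(p):
            rhs = (x ** 3 + a * x + b) % p             # one point if rhs == 0, two if a square
            n += 1 if rhs == 0 else (2 if pow(rhs, (p - 1) // 2, p) == 1 else 0)
        if (4 * a ** 3 + 27 * b ** 2) % p and is_prime(n):
            return a, b, n
    raise ValueError("no prime-order curve found for this p and a")

A, CURVE_B, ORDER = find_prime_order_curve(P_MOD)
O = None                                               # point at infinity

def ec_neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P_MOD)

def ec_add(p1, p2):
    """Affine addition on E: y^2 = x^3 + A x + CURVE_B over F_p."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                       # p1 == -p2
    if x1 == x2:                                       # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_sub(p1, p2):
    return ec_add(p1, ec_neg(p2))

def scalar_mul(k, pt):
    r = O
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

CBRT_EXP = pow(3, -1, P_MOD - 1)                       # z ** CBRT_EXP is the cube root of z
INV3, INV27 = pow(3, -1, P_MOD), pow(27, -1, P_MOD)

def icart(u):
    """Icart's encoding f: F_p -> E(F_p), f(0) = O; each point has at most 4 preimages."""
    u %= P_MOD
    if u == 0:
        return O
    v = (3 * A - pow(u, 4, P_MOD)) * pow(6 * u, -1, P_MOD) % P_MOD
    z = (v * v - CURVE_B - pow(u, 6, P_MOD) * INV27) % P_MOD
    x = (pow(z, CBRT_EXP, P_MOD) + u * u * INV3) % P_MOD
    return (x, (u * x + v) % P_MOD)

F_TAB = [icart(u) for u in range(P_MOD)]               # f(u) for every field element u
PREIMAGES = {}                                         # point -> [u with f(u) == point]
for u, pt in enumerate(F_TAB):
    PREIMAGES.setdefault(pt, []).append(u)
BOUND = max(len(us) for us in PREIMAGES.values())      # B: upper bound on #f^-1(Q)

def encode(P, rng, max_tries=100000):
    """Uniformly random (u, v) with f(u) + f(v) == P, by rejection sampling."""
    for _ in range(max_tries):
        u = rng.randrange(P_MOD)
        vs = PREIMAGES.get(ec_sub(P, F_TAB[u]), [])    # all v with f(v) == P - f(u)
        j = rng.randrange(BOUND)                       # accept with probability len(vs) / B,
        if j < len(vs):                                # so every pair (u, v) has weight 1 / (p * B)
            return (u, vs[j])
    raise RuntimeError("P has no preimage under (u, v) -> f(u) + f(v)")

def decode(pair):
    u, v = pair
    return ec_add(F_TAB[u % P_MOD], F_TAB[v % P_MOD])

def all_preimages(P):
    """Exact preimage set of P under (u, v) -> f(u) + f(v), by exhaustion over u."""
    return {(u, v) for u in range(P_MOD) for v in PREIMAGES.get(ec_sub(P, F_TAB[u]), [])}

def sampled_preimages(P, samples, seed=0):
    rng = random.Random(seed)
    return {encode(P, rng) for _ in range(samples)}

def coverage():
    """Fraction of E(F_p) hit by f(u) + f(v): the 'essentially surjective' claim."""
    G = F_TAB[1]                                       # any affine point generates E (prime order)
    return sum(1 for k in range(ORDER) if all_preimages(scalar_mul(k, G))) / ORDER
```

Every pair (u, v) the encoder returns has probability 1/(pB) per trial, so the output is uniform over the preimages of P, and decoding is just f(u) + f(v) with no secret involved; sampled_preimages over a few thousand draws reproduces all_preimages exactly on this toy curve. For a real curve the table is replaced by root finding for f, the two field elements must still be mapped to fixed-length bit strings with their own rejection step (the paper's Sect. 3.4), and the loop has to be made constant-time with respect to P, none of which this toy attempts.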


Notes

  1. An alternate definition frequently found in the literature differs from this one by a constant factor \(1/2\). That constant factor is irrelevant for our purposes.

  2. For this to be well-defined, we of course need a family of random variables on increasingly large sets \(S\). Usual abuses of language apply.

  3. With the caveat that an actual implementation transmits bit strings rather than field elements, but this is addressed in Sect. 3.4.

References

  1. ANSSI: Publication d'un paramétrage de courbe elliptique visant des applications de passeport électronique et de l'administration électronique française [Publication of an elliptic-curve parameterization aimed at electronic passport and French e-government applications] (2011). http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/publication-d-un-parametrage-de-courbe-elliptique-visant-des-applications-de.html

  2. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

  3. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)

  4. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Gligor, V., Yung, M. (eds.) ACM CCS (2013)

  5. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)

  6. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)

  7. Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient indifferentiable hashing into ordinary elliptic curves. Cryptology ePrint Archive, Report 2009/340 (2009). http://eprint.iacr.org/. Full version of [8]

  8. Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient indifferentiable hashing into ordinary elliptic curves. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 237–254. Springer, Heidelberg (2010)

  9. Certicom Research: SEC 2: Recommended elliptic curve domain parameters, Version 2.0, January 2010

  10. Farashahi, R.R.: Hashing into Hessian curves. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 278–289. Springer, Heidelberg (2011)

  11. Farashahi, R.R., Fouque, P.-A., Shparlinski, I., Tibouchi, M., Voloch, J.F.: Indifferentiable deterministic hashing to elliptic and hyperelliptic curves. Math. Comp. 82(281), 491–512 (2013)

  12. FIPS PUB 186-3: Digital Signature Standard (DSS). NIST, USA (2009)

  13. Fouque, P.-A., Joux, A., Tibouchi, M.: Injective encodings to elliptic curves. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 203–218. Springer, Heidelberg (2013)

  14. Fouque, P.-A., Tibouchi, M.: Estimating the size of the image of deterministic hash functions to elliptic curves. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 81–91. Springer, Heidelberg (2010)

  15. Fouque, P.-A., Tibouchi, M.: Indifferentiable hashing to Barreto–Naehrig curves. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 1–17. Springer, Heidelberg (2012)

  16. Icart, T.: How to hash into elliptic curves. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 303–316. Springer, Heidelberg (2009)

  17. Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS. LNCS, pp. 385–394. Springer, Heidelberg (2000)

  18. Koblitz, N.: Elliptic curve cryptosystems. Math. Comp. 48, 203–209 (1987)

  19. Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) Brainpool standard curves and curve generation. RFC 5639 (Informational), March 2010

  20. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, pp. 417–426. Springer, Heidelberg (1985)

  21. Möller, B.: A public-key encryption scheme with pseudo-random ciphertexts. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 335–351. Springer, Heidelberg (2004)

  22. Shallue, A., van de Woestijne, C.E.: Construction of rational points on elliptic curves over finite fields. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 510–524. Springer, Heidelberg (2006)

  23. Ulas, M.: Rational points on certain hyperelliptic curves over finite fields. Bull. Pol. Acad. Sci. Math. 55(2), 97–104 (2007)

  24. Weinberg, Z., Wang, J., Yegneswaran, V., Briesemeister, L., Cheung, S., Wang, F., Boneh, D.: StegoTorus: a camouflage proxy for the Tor anonymity system. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, pp. 109–120. ACM (2012)

  25. Wustrow, E., Wolchok, S., Goldberg, I., Halderman, J.A.: Telex: anticensorship in the network infrastructure. In: USENIX Security Symposium. USENIX Association (2011)

  26. Young, A.L., Yung, M.: Space-efficient kleptography without random oracles. In: Furon, T., Cayre, F., Doërr, G., Bas, P. (eds.) IH 2007. LNCS, vol. 4567, pp. 112–129. Springer, Heidelberg (2008)

  27. Young, A., Yung, M.: Kleptography from standard assumptions and applications. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 271–290. Springer, Heidelberg (2010)


Author information

Corresponding author: Mehdi Tibouchi.


Copyright information

© 2014 International Financial Cryptography Association

About this paper

Cite this paper

Tibouchi, M. (2014). Elligator Squared: Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings. In: Christin, N., Safavi-Naini, R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol. 8437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45472-5_10

  • DOI: https://doi.org/10.1007/978-3-662-45472-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-45471-8

  • Online ISBN: 978-3-662-45472-5
