Impossibility of surjective icart-like encodings


Abstract

Many cryptographic protocols based on elliptic curves rely on the possibility of representing integer values or bit strings as elliptic curve points, or vice versa, in an invertible way. The most practical approach proposed to achieve this for an elliptic curve $E/\mathbb{F}_q$ has been the use of (piecewise) algebraic maps $f : \mathbb{F}_q \to E(\mathbb{F}_q)$ called (deterministic, constant-time) “encoding functions”, for which numerous constructions have been proposed in recent years, starting with the very simple encoding of Boneh and Franklin (CRYPTO 2001), which maps a value $u \in \mathbb{F}_q$ to $((u^2 - b)^{1/3}, u)$ on the elliptic curve $E: y^2 = x^3 + b$ over $\mathbb{F}_q$, $q \equiv 2 \pmod 3$. That encoding is almost a bijection between $\mathbb{F}_q$ and $E(\mathbb{F}_q)$, which makes it very convenient for security proofs, as well as for applications like covertness, but it is only defined for a very limited class of elliptic curves, all of them supersingular, and hence quite inefficient. Since then, many other encoding functions have been proposed, and constructions are known for all elliptic curves. They fit into two broad families: Icart-like encodings, which are generalizations of the original Boneh–Franklin encoding starting with a construction due to Icart (CRYPTO 2009), and SWU-like encodings, related to the Shallue–van de Woestijne construction (ANTS 2006). So far, however, almost none of these numerous encodings has replicated the very useful bijectivity property of the Boneh–Franklin encoding. In this paper, we focus on Icart-like encodings, and investigate the possibility of constructing such encodings $f : \mathbb{F}_q \to E(\mathbb{F}_q)$ that are almost bijective like Boneh and Franklin’s, or achieve a weaker property like “almost surjectivity” (in the sense that $\#f(\mathbb{F}_q) = q + o(q)$). And we show that the lack of such constructions is no wonder: almost surjective Icart-like encodings to non-supersingular elliptic curves cannot exist.
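The Boneh–Franklin encoding named in the abstract can be checked exhaustively over a small field. The following Python sketch is an added illustration, not code from the paper; the parameters q = 11 and b = 1 and all function names are constructed for the example, and q is assumed prime.

```python
# Added illustration; q = 11 and b = 1 are constructed toy parameters.

def cube_root(a, q):
    """Unique cube root of a in F_q (q prime, q ≡ 2 mod 3).

    Cubing is a bijection here because gcd(3, q - 1) = 1; its inverse is
    exponentiation by (2q - 1)/3, since 3 * (2q - 1)/3 = 2(q - 1) + 1.
    """
    if q % 3 != 2:
        raise ValueError("cube roots are only unique when q ≡ 2 (mod 3)")
    return pow(a % q, (2 * q - 1) // 3, q)

def bf_encode(u, b, q):
    """Boneh-Franklin encoding u -> ((u^2 - b)^(1/3), u) on y^2 = x^3 + b."""
    return (cube_root(u * u - b, q), u % q)

def on_curve(point, b, q):
    x, y = point
    return (y * y - x ** 3 - b) % q == 0

def affine_points(b, q):
    """Brute-force E(F_q) minus the point at infinity (toy sizes only)."""
    return {(x, y) for x in range(q) for y in range(q)
            if on_curve((x, y), b, q)}

def image_report(b, q):
    """Compare the image of the encoding with the affine points of E."""
    image = [bf_encode(u, b, q) for u in range(q)]
    return {
        "all_on_curve": all(on_curve(p, b, q) for p in image),
        "injective": len(set(image)) == q,
        "hits_every_affine_point": set(image) == affine_points(b, q),
        "image_size": len(set(image)),
    }

if __name__ == "__main__":
    print(image_report(b=1, q=11))
```

The image has exactly q elements while E(F_q) has q + 1 points, so the only point missed is the point at infinity, which is the "almost a bijection" property the abstract refers to.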


Tibouchi, M. (2014). Impossibility of surjective icart-like encodings. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8782, 29–39. https://doi.org/10.1007/978-3-319-12475-9_3
