Hashing to G2 on BLS pairing-friendly curves

When a pairing e : G 1 × G 2 → G T , on an elliptic curve E defined over F q , is exploited in a cryptographic protocol, there is often the need to hash binary strings into G 1 and G 2 . Traditionally, if E admits a twist E ~ of order d, then G 1 = E(F q )E[r], where r is a prime integer, and G 2 = E ~ (F qk/d )E ~ [r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing a binary string into G 1 and G 2 is to map it to general points P 2 E(F q ) and P 0 2 E ~ (F qk/d ), and then multiply them by the cofactors c = #E(F q )/r and c 0 = #E ~ (F qk/d )/r respectively. Usually, the multiplication by c 0 is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this poster we consider these two methods for BLS pairing-friendly curves having k 2 {12,24,30,42,48}, providing efficiency comparisons. When k = 42,48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.