3

Through " Why do we need to convert hashes to points on an elliptic curve? ", I found out why Hashing to Point is necessary.

However, using the algorithm below can sign and verify without Hasing to Point?

  • $a$ is secret key
  • $H$ is scalar hash function

Sign:

  • $k = random (mod\ r)$
  • $r = kG_2$
  • $s = a (H(m||r) + k)$ : If don't know k, won't know a. Also hashing both m and r to prevent tamper.

Verify:

  • $e(G_1, sG_2) == e(aG_1, r + H(m||r)G_2)$
  • So $e(G_1, G_2)^{a(H(m||r) + k)} == e(G_1, G_2)^{a(k + H(m||r))}$

If these methods weren't used before, why would they?

Would that be more inefficient than finding a Point with a Hash?

Or maybe it's not safe?

swineone
  • 880
  • 6
  • 17
user212942
  • 301
  • 1
  • 8

1 Answers1

1

This scheme feels similar to the Sakai-Kashara identity-based scheme and I can't immediately see a security issue.

The reason that BLS signatures and their hash-to-curve approach are preferred is due to the signature size. A BLS signature can be represented using a single point of $G_1$ whereas your scheme requires both a point on $G_2$ and a scalar multiple (its a simple matter to make this a point on $G_1$ and a scalar, but this would still be several hundred bits larger than a BLS signature). There are also other useful features for BLS such as aggregated verification

If one is not too worried about signature size and other bells and whistles, then it ECDSA and EdDSA signatures are generally considered a more efficient signature scheme than pairing-based schemes in terms of both signing and verification. They too do not use hash-to-point.

Daniel S
  • 29,316
  • 1
  • 33
  • 73