Consider an elliptic curve $E$ defined over a finite field $\mathbb{F}_{\!q}$ with a fixed non-zero $\mathbb{F}_{\!q}$-point $P$. For simplicity, let the order of the $\mathbb{F}_{\!q}$-point group $E(\mathbb{F}_{\!q})$ be prime and hence the group is generated by $P$. For the sake of security, in numerous protocols of elliptic cryptography (e.g., in a safe version of Dual_EC_DRBG) we need to generate yet another "independent" $\mathbb{F}_{\!q}$-point $Q$ on $E$.

Please answer the question. Do you know protocols, where it is necessary to obtain more "independent" $\mathbb{F}_{\!q}$-points on the same curve? In other words, a party deals with "independent" $\mathbb{F}_{\!q}$-points $Q_1$, $Q_2$, $\ldots$, $Q_n$ in addition to $P$. By "independent" I mean such points that no one knows the discrete logarithms relative to each other.

I ask you, because for some $E$ and $n$ I know how to produce simultaneously several $Q_i$ faster than separate generation of them. I would like to understand whether my approach is worthy of publication in a good scientific journal. Or maybe it even has something to do with real world cryptography.

3 Answers

Do you know protocols where it is necessary to obtain several "independent" points on the same elliptic curve?

One obvious place where this occurs is if you are implementing a Pedersen commitment of a vector of values; you commit to a vector $(x_1, x_2, \ldots, x_n)$ by publishing the value $rH + x_1G_1 + x_2G_2 + \ldots + x_nG_n$; for this to work, you obviously need $n+1$ independent points $H, G_1, G_2, \ldots, G_n$.

While this is a tad obscure, this does come up; a quick Google finds this paper, and so there is some applicability; certainly more than some papers I have seen...

poncho

There is a "hash-to-point" function used in several schemes, where it is necessary to generate an EC point where the discrete log w.r.t. any other EC point is unknown. In particular:

  1. A linkable ring signature. A 'key image' needs to be generated, where the correctness of the 'key image' declared with a signature is verifiable, and where if the same signer (using the same private key) were to create a ring signature again (even with different other ring member public key participants), it would be clear that they have used the same private key to sign again. See here for details.

  2. An oblivious pseudo-random function uses hash-to-point to encode the PRF input values as EC points. See here.

  3. Oblivious transfer uses hash-to-point, and EC El Gamal can use hash-to-point if you only need the encoding of messages into points to go in one direction. See an example of both here.

  4. This non-membership proof uses hash-to-point for a variation on Pedersen commitments where the commitment needs to be blinded, but does not need to be additively homomorphic.

knaccc

Your question is essentially: Is it useful to be able to sample a tuple $(Q_1, Q_2, \dots, Q_n) \in E(F)^n$ such that no relation is known among the points, but the tuple is not sampled from the uniform distribution.

From a practical point of view, there are two issues:

  • Often, these points are sampled during the generation of system parameters, which does not happen very often and is not time critical.
  • Many schemes seem secure even if the points have not been sampled from the uniform distribution.

That is, practically it is often not very useful, but also often not insecure, seemingly at least.

The main objection would be that the security proofs of these schemes sometimes rely on being able to sample the tuple $(Q_1, \dots, Q_n)$ with some trapdoor embedded, and this is often hard to do if you need a non-uniform distribution on the tuple. This would then ruin the security proof. (Example: Suppose I want to be able to equivocate openings of Pedersen multi-commitments.)

Some people may not care about that, but I think most cryptographers would be very reluctant to accept this without any clear benefit to be had.

In other words, I would expect the algorithm you have to be mostly not useful and sometimes unusable.

That said, the algorithm you have come up with may be interesting to some people for some reason, regardless of these obstacles. Or it may have other interesting properties. So it may be worthwhile publishing anyway.

K.G.