Deterministic Encoding into Twisted Edwards Curves.

This paper describes a deterministic encoding f from a finite field $$\\mathbb {F}_{q}$$ to a twisted Edwards curve E when $$q\\equiv 2\\pmod 3$$. This encoding f satisfies all 3 properties of deterministic encoding in Boneh-Franklin's identity-based scheme. We show that the construction fhm is a hash function if hm is a classical hash function. We present that for any nontrivial character $$\\chi $$ of $$E\\mathbb {F}_q$$, the character sum $$S_f\\chi $$ satisfies $$ S_f\\chi \\leqslant 20\\sqrt{q}+2 $$. It follows that $$fh_1m+fh_2m$$ is indifferentiable from a random oracle in the random oracle model for $$h_1$$ and $$h_2$$ by Farashahi, Fouque, Shparlinski, Tibouchi, and Voloch's framework. This encoding saves 3 field inversions and 3 field multiplications compared with birational equivalence composed with Icart's encoding; saves 2 field inversions and 2 field multiplications compared with Yu and Wang's encoding at the cost of 2 field squarings; and saves 2 field inversions, 3 field multiplications and 3 field squarings compared with Alasha's encoding. Practical implementations show that f is 46.1﾿%,35.7﾿%, and 38.9﾿% faster than the above encodings respectively.