Efficient hash maps to 픾2 on BLS curves

When a pairing e : G1 × G2 → GT , on an elliptic curve E defined over Fq, is exploited for an identity-based protocol, there is often the need to hash binary strings into G1 and G2. Traditionally, if E admits a twist Ẽ of order d, then G1 = E(Fq)∩E[r], where r is a prime integer, and G2 = Ẽ(Fqk/d)∩ Ẽ[r], where k is the embedding degree of E w.r.t. r. The standard approach for hashing into G2 is to map to a general point P ∈ Ẽ(Fqk/d) and then multiply it by the cofactor c = #Ẽ(Fqk/d)/r. Usually, the multiplication by c is computationally expensive. In order to speed up such a computation, two different methods (by Scott et al. and by Fuentes et al.) have been proposed. In this paper we consider these two methods for BLS pairing-friendly curves having k ∈ {12, 24, 30, 42, 48}, providing efficiency comparisons. When k = 42, 48, the Fuentes et al. method requires an expensive one-off pre-computation which was infeasible for the computational power at our disposal. In these cases, we theoretically obtain hashing maps that follow Fuentes et al. idea.