
I am facing a problem in programming with the charm-crypto library. The hash functions for pairing group elements in charm-crypto can only map from a string to a specific field: $\mathbb Z_r$, $G_1$ or $G_2$.

Examples: $$\begin{align} H_1: \{0, 1\}^*\to\ &G_1\\ H_2: \{0, 1\}^*\to\ &\mathbb Z_r\\ H_3: \{0, 1\}^*\to\ &G_2 \end{align}$$

I am implementing a certificateless public key encryption scheme with keyword search from this research paper. In the global setup part of this algorithm, I want a hash function $H_4: G_2\to \{0, 1\}^n$ for some length $n$, i.e., mapping from a group element to a binary string of length $n$. In this case the group $G_2$ consists of points on an elliptic curve.

Can someone please guide me on how to implement the hash mapping $H_4$ in charm-crypto? I would be grateful for any help in this regard.

ashizz


I want a hash function $H_4: G_2\to \{0, 1\}^n$ for some length $n$, i.e., mapping from a group element to a binary string of length $n$. In this case the group $G_2$ consists of points on an elliptic curve.

If $r\in G_2$, we can define $H_4(r)$ as $\operatorname{SHAKE256}(R,n)$ where $R$ is a unique representation of $r$ as bitstring, and $\operatorname{SHAKE256}$ as defined in FIPS 202.

One way to obtain $R$: if the point $r$ has Cartesian coordinates $(x,y)$ in the field $\mathbb F_p$ with $p$ prime, $2^{8(\ell-1)}<p<2^{8\ell}$, $0\le x<p$, $0\le y<p$, then we can use $R=\operatorname{I2OSP}(x,\ell)\mathbin\|\operatorname{I2OSP}(y,\ell)$ where $\operatorname{I2OSP}$ is the standard big-endian conversion to an octet string (as used in e.g. PKCS#1). This can be adapted to other fields.

If $\operatorname{SHAKE256}$ is used to construct the other hashes $H_1$, $H_2$, $H_3$, it's prudent to prefix the input of $\operatorname{SHAKE256}$ with distinct constants.

fgrieu
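The construction above (fixed-width I2OSP encoding of the affine coordinates, SHAKE256 with a domain-separation prefix, output truncated to $n$ bits), as an added example in plain Python rather than code from charm-crypto or the answer. The field prime, the coordinates and the byte tags are constructed for the example; the point is not checked against any curve equation, since the encoding only depends on the coordinates being reduced modulo $p$.

```python
import hashlib

# Domain-separation prefixes so that H4 and the other hashes built on SHAKE256
# never see the same input. The tag values are assumptions for this example.
TAG_H4 = b"H4"


def i2osp(x: int, length: int) -> bytes:
    """Big-endian integer-to-octet-string conversion (I2OSP as in PKCS#1)."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer does not fit in the requested length")
    return x.to_bytes(length, "big")


def encode_point(x: int, y: int, p: int) -> bytes:
    """R = I2OSP(x, l) || I2OSP(y, l), with l the byte length of the prime p.

    Both coordinates must be fully reduced, so each element has exactly one
    encoding and H4 is a function of the point, not of its representation.
    """
    if not (0 <= x < p and 0 <= y < p):
        raise ValueError("coordinates must be reduced modulo p")
    ell = (p.bit_length() + 7) // 8  # 2^(8(l-1)) < p < 2^(8l)
    return i2osp(x, ell) + i2osp(y, ell)


def h4(x: int, y: int, p: int, n: int, tag: bytes = TAG_H4) -> bytes:
    """H4(r) = SHAKE256(tag || R, n): an n-bit string packed into ceil(n/8) bytes.

    When n is not a multiple of 8, the unused high bits of the first byte are
    cleared so the result is exactly an n-bit value.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    nbytes = (n + 7) // 8
    out = bytearray(hashlib.shake_256(tag + encode_point(x, y, p)).digest(nbytes))
    extra_bits = nbytes * 8 - n
    if extra_bits:
        out[0] &= 0xFF >> extra_bits
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a 127-bit prime field and arbitrary reduced coordinates.
    P = 2**127 - 1
    X, Y = 0x1234_5678_9ABC_DEF0, 0x0FED_CBA9_8765_4321
    print(encode_point(X, Y, P).hex())   # 32-byte R
    print(h4(X, Y, P, 256).hex())        # 256-bit H4 output
```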