<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Parag Mali - tag: elliptic-curves</title><description>Posts tagged elliptic-curves.</description><link>https://paragmali.com/</link><language>en-US</language><lastBuildDate>Sun, 19 Jul 2026 05:08:47 GMT</lastBuildDate><atom:link href="https://paragmali.com/tags/elliptic-curves/rss.xml" rel="self" type="application/rss+xml"/><item><title>The Log Was Never the Weak Part: How Discrete-Log Cryptography Actually Breaks</title><link>https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</link><guid isPermaLink="true">https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</guid><description>For a well-chosen group the discrete log is optimally hard. Every faster break exploits the group&apos;s structure, not the log -- only Shor survives a clean one.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
For a well-chosen group the discrete logarithm is essentially as hard as it can be: the best generic attack is Pollard&apos;s rho at about $0.886\sqrt{\ell}$ steps, and Shoup proved no *generic* algorithm does better. So every faster classical break -- anomalous curves, MOV and Frey-Ruck pairing transfers, weak twists, invalid-curve shadow groups, Weil descent, the Number Field Sieve, Logjam&apos;s shared-prime precomputation, and small-characteristic quasi-polynomial descent -- is never a cleverer logarithm; it is a receipt for a structural property of the *group that was chosen*. Strip every such property away and only one known break remains, and it changes the machine: Shor&apos;s quantum algorithm -- &quot;as far as is known,&quot; since the elliptic-curve discrete-log problem is still unproven to be hard.
&lt;h2&gt;1. The 256-Bit Paradox&lt;/h2&gt;
&lt;p&gt;Four cryptographic groups walk onto the internet. NIST P-256 and Curve25519 -- both 256 bits wide -- each advertise roughly $2^{128}$ security, and after two decades of public scrutiny neither has been broken [@safecurves]. A &lt;em&gt;third&lt;/em&gt; 256-bit curve, differing from the first two only in a hidden arithmetic property, can be broken on a laptop in polynomial time [@smart-1999]. And a 1024-bit finite-field group -- four times the bit length of the curves -- is a realistic target for a well-funded adversary [@logjam-adrian-2015]. The operation an attacker has to invert is the &lt;em&gt;same discrete logarithm&lt;/em&gt; in all four groups.&lt;/p&gt;
&lt;p&gt;The variable that decided their fates was never the logarithm. It was the group.&lt;/p&gt;
&lt;p&gt;That sentence runs against the way most of us first meet the subject. We are taught that a one-way function is hard, that a bigger key makes it harder, and that &quot;solving the discrete log&quot; is a single monolithic feat an attacker either can or cannot perform. This article argues the opposite, and it argues it as a claim you should not yet believe: &lt;strong&gt;the discrete logarithm is essentially never the weak part. The weak part is always the group&lt;/strong&gt; -- some extra structure it carries, or the wrong group quietly substituted for the right one.&lt;/p&gt;
&lt;p&gt;Two settings recur throughout. The first is the multiplicative group of a prime field, written $\mathbb{F}_p^*$, the home of classic finite-field Diffie-Hellman, DSA, and ElGamal. The second is the group of points on an elliptic curve over a finite field, the home of ECDH, ECDSA, and EdDSA. The plan is a guided tour of every known way the discrete log &quot;breaks.&quot; Each stop will turn out to exploit a structural property of a &lt;em&gt;chosen&lt;/em&gt; group rather than compute a faster logarithm, and the tour ends at the one break that survives even a flawless group: Shor&apos;s quantum algorithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a structural cryptanalysis -- an argument about the mathematics of the group itself. Side-channel leaks, fault and power attacks, implementation bugs, weak random-number generators, and protocol misuse are out of scope, named only to mark the boundary. Those failures are real and often more common in practice, but they belong to the empirical sibling of this piece, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces.&quot; When a break here has an implementation trigger, this article hands that trigger to the sibling and keeps only the group mathematics.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;By the end you will be able to look at any of the ten attacks in the literature and name, in one phrase, the structural property of the group it needs -- and see that a well-chosen group simply does not have it. To understand why the group is the variable, we have to go back to the moment the discrete log became something worth attacking at all.&lt;/p&gt;
&lt;h2&gt;2. What the Discrete Log Actually Is, and Where It Lives&lt;/h2&gt;
&lt;p&gt;In November 1976, Whitfield Diffie and Martin Hellman published &quot;New Directions in Cryptography&quot; and handed two strangers a way to agree on a shared secret over a wiretapped line without ever having met [@diffie-hellman-1976]. Their construction is simple enough to state in a sentence, and in stating it they turned an obscure number-theoretic puzzle into the thing standing between an eavesdropper and your traffic.&lt;/p&gt;

Fix a cyclic group with a public generator $g$. Alice picks a secret $a$ and publishes $g^a$; Bob picks a secret $b$ and publishes $g^b$. Each raises the other&apos;s value to their own secret, so both compute $g^{ab}$ -- the shared key. An eavesdropper sees $g$, $g^a$, and $g^b$, and must find $g^{ab}$. The obvious route is to recover $a$ from $g^a$, which is exactly the discrete logarithm.

Given a cyclic group generated by $g$ and an element $h = g^x$, find the exponent $x$. In the integers this is easy -- it is just division on a logarithmic scale. Inside a finite group the exponent &quot;wraps around&quot; unpredictably, and no efficient general method to recover $x$ is known. The security of Diffie-Hellman, DSA, ElGamal, ECDH, ECDSA, and EdDSA all rest on this one problem being hard in the group they use.
&lt;p&gt;The instant the DLP became a security assumption, a very old question acquired stakes: how hard is it, actually? And the first answer was unsettling, because it showed that the difficulty had nothing to do with the size of the numbers involved.&lt;/p&gt;
&lt;p&gt;Priority is disputed. At GCHQ, James Ellis, Clifford Cocks, and Malcolm Williamson developed classified &quot;non-secret encryption&quot; and a key-exchange analogue between 1969 and 1974, work declassified only in 1997 [@ellis-1997]. The public invention, and the framing of the discrete log as a security assumption, are Diffie and Hellman&apos;s.&lt;/p&gt;

timeline
    title Fifty years of attacking the discrete logarithm
    section The problem and its floor
      1976 : Diffie-Hellman make the discrete log a security assumption
      1978 : Pohlig-Hellman shatters smooth-order groups : Pollard rho sets the sqrt-time floor
    section The escape to curves
      1985 : Miller and Koblitz move the log onto elliptic curves
      1993 : MOV pairing transfer : Gordon adapts the Number Field Sieve to prime fields
      1994 : Shor reduces the discrete log to quantum period-finding
    section Structure strikes back
      1998 : Anomalous trace-one curves fall in polynomial time
      2002 : Weil descent breaks special binary curves
    section Records and frontiers
      2015 : Logjam weaponizes shared-prime precomputation
      2019 : A 795-bit prime-field record : quasi-polynomial small-characteristic descent proven
&lt;h3&gt;The first structural lesson: Pohlig-Hellman&lt;/h3&gt;
&lt;p&gt;In January 1978, Stephen Pohlig and Martin Hellman proved something that should have set the tone for the entire field [@pohlig-hellman-1978]. Suppose the order of the group -- the number of elements -- factors into small primes, $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. Then the discrete log does not have to be solved in the big group at all. It can be solved separately in each prime-power piece, where the numbers are tiny, and the answers glued back together with the Chinese Remainder Theorem.&lt;/p&gt;
&lt;p&gt;The total work is on the order of $\sum_i e_i(\log n + \sqrt{p_i})$ -- dominated by the &lt;em&gt;largest&lt;/em&gt; prime factor, not by the size of $n$.&lt;/p&gt;
&lt;p&gt;Read that again with the thesis in mind. A group can be astronomically large and still offer no security, if its order happens to be a product of small primes. A 4096-bit group whose order is smooth falls instantly.&lt;/p&gt;
&lt;p&gt;Security was never a property of &quot;the log&quot; or of the key length. It was a property of the &lt;em&gt;group&apos;s order&lt;/em&gt; -- specifically, whether that order contains a large prime factor. The first thing anyone proved about the discrete log moved the weakness off the logarithm and onto a structural feature of the chosen group. Everything that follows is a variation on that move.&lt;/p&gt;
&lt;h3&gt;The escape that defines the rest of the article&lt;/h3&gt;
&lt;p&gt;By the mid-1980s, the multiplicative group $\mathbb{F}_p^*$ had a second problem beyond smooth orders: it admitted &lt;em&gt;index calculus&lt;/em&gt;, a family of sub-exponential attacks we will meet in Section 6. The response, arriving independently from two directions, was not a better logarithm algorithm. It was a change of group.&lt;/p&gt;
&lt;p&gt;In 1985, Victor Miller [@miller-1986] and, independently, Neal Koblitz [@koblitz-1987] proposed replacing $\mathbb{F}_p^*$ with the group of points on an elliptic curve over a finite field. Their motivation was explicit and structural: the multiplicative group hands index calculus something to grip, and a general elliptic curve does not, so the same security should be reachable with far smaller keys.&lt;/p&gt;
&lt;p&gt;This is the thesis in its constructive form -- &lt;em&gt;when a group is weak, do not sharpen the attack, choose a group with less structure&lt;/em&gt; -- and it introduces the lens we will look through for the rest of the article: the distinction between a &lt;strong&gt;generic&lt;/strong&gt; group, whose elements are opaque handles you can only combine with the group operation, and a &lt;strong&gt;structured&lt;/strong&gt; group, whose elements leak extra arithmetic an attacker can exploit.&lt;/p&gt;
&lt;p&gt;Miller and Koblitz had escaped one kind of structure. The question their move raised -- and the one the next section answers -- is what an attacker can do against a group that has &lt;em&gt;nothing&lt;/em&gt; wrong with it. If Pohlig-Hellman is defeated by a large prime order, how hard is the log then?&lt;/p&gt;
&lt;h2&gt;3. The Generic Floor: Why Square-Root Time Is the Best You Can Do&lt;/h2&gt;
&lt;p&gt;Here is a number that has barely moved in fifty years. Against a well-chosen group, the best known generic attack on the discrete log runs in about $0.886\sqrt{\ell}$ steps, where $\ell$ is the largest prime factor of the group&apos;s order. Not only is that the best anyone has found -- there is a &lt;em&gt;proof&lt;/em&gt; you cannot do fundamentally better generically. To see why that floor exists, and why it is a floor and not a ceiling waiting to be lowered, start with the simplest attack that hits it.&lt;/p&gt;
&lt;h3&gt;Baby-step giant-step: sorting your way to the log&lt;/h3&gt;
&lt;p&gt;In 1971 Daniel Shanks described a deterministic method that trades memory for time [@shanks-1971]. To solve $h = g^x$ with $x$ below some bound $N$, precompute and store the &quot;baby steps&quot; $g^0, g^1, \ldots, g^{m-1}$ for $m \approx \sqrt{N}$, then take &quot;giant steps&quot; $h \cdot g^{-jm}$ for $j = 0, 1, 2, \ldots$ until one lands in the stored table. A match pins down $x = i + jm$. The running time is $O(\sqrt{N})$ and so is the memory -- and remarkably, this square-root cost is essentially the same one that still bounds the state of the art.&lt;/p&gt;
&lt;p&gt;The clean &quot;given $g$ and $h$, find $x$&quot; statement of the DLP that every textbook now opens with is partly a later reconstruction; Shanks&apos;s 1971 paper framed the computation in the language of class numbers and genera, and the crisp cryptographic phrasing was settled in references like the Handbook of Applied Cryptography [@hac-1996].&lt;/p&gt;
&lt;p&gt;The memory is the problem. Storing $\sqrt{\ell}$ group elements is fine for a 40-bit group and impossible for a 256-bit one. The breakthrough was getting the same square-root &lt;em&gt;time&lt;/em&gt; with almost no memory at all.&lt;/p&gt;

A *generic* algorithm treats group elements as opaque tokens: it can multiply them, invert them, and test equality, but it cannot read anything from their representation -- no bits, no size, no factorization. A group is effectively *generic* for an attacker when no such extra structure is exposed. The whole thesis of this article lives in this word: the square-root floor is proven only for *generic* algorithms, and every faster attack works precisely by treating the group as *non*-generic.
&lt;h3&gt;Pollard&apos;s rho: a random walk that traps itself&lt;/h3&gt;

Walk pseudo-randomly through the group with a function $f$ that also tracks how each point is built from the generator $g$ and the target $Q$, as $g^a Q^b$. Because the group is finite, the walk must eventually revisit a point, and the birthday bound makes that first self-collision appear after only about $\sqrt{\ell}$ steps. When it does, two different expressions $g^{a_1}Q^{b_1}$ and $g^{a_2}Q^{b_2}$ name the same element, which rearranges into $(a_1 - a_2) \equiv x\,(b_2 - b_1) \pmod{\ell}$ -- and the log $x$ drops out.
&lt;p&gt;John Pollard published this in 1978 [@pollard-rho-1978]. Its beauty is the memory: using Floyd&apos;s or Brent&apos;s cycle-finding, you need to remember only a couple of points, so the cost is about $0.886\sqrt{\ell} = \sqrt{\pi/4},\sqrt{\ell}$ group operations at $O(1)$ space. The name comes from the shape the walk traces -- a tail that runs into a loop, like the Greek letter rho.&lt;/p&gt;

Two effects stack. A pseudo-random walk through a set of $\ell$ elements is expected to run into its own past after on the order of $\sqrt{\ell}$ steps, and working that expected value through the birthday integral gives $\sqrt{\pi/2}\,\sqrt{\ell} \approx 1.2533\sqrt{\ell}$ -- the pure birthday constant. On an elliptic curve a second, curve-specific discount then applies: because $P$ and $-P$ share an $x$-coordinate, the walk can run on equivalence classes under point negation, a $\sqrt{2}$ speedup that pulls the constant down to $\sqrt{\pi/4}\,\sqrt{\ell} \approx 0.886\sqrt{\ell}$ -- the figure SafeCurves quotes for the elliptic-curve discrete log [@safecurves]. Half a century of refinement -- distinguished points, that negation map, better step functions -- has improved the constant but never the exponent. The square root is the wall.

flowchart TD
    A[Start at a known element, tracking exponents a and b] --&amp;gt; B[Apply the pseudo-random step f]
    B --&amp;gt; C[Land on the next element of the walk]
    C --&amp;gt; D{&quot;Element seen before?&quot;}
    D --&amp;gt;|No, keep walking| B
    D --&amp;gt;|Yes, collision| E[Two products in g and Q name the same element]
    E --&amp;gt; F[The collision becomes a linear equation in the unknown x]
    F --&amp;gt; G[Read off the discrete log x]
&lt;p&gt;You can watch the birthday collision happen on a toy group. The subgroup below has prime order $\ell = 509$, so $\sqrt{\ell} \approx 23$; the walk finds its self-collision in a few dozen steps and reads off the secret exponent.&lt;/p&gt;
&lt;p&gt;{`&lt;/p&gt;
Group: the order-509 subgroup of the integers mod 1019. Q = g^x; recover x.
&lt;p&gt;p, l, g = 1019, 509, 4      # p = 2*l + 1 (safe prime); g has prime order l
x_secret = 137              # the exponent the attacker does not know
Q = pow(g, x_secret, p)&lt;/p&gt;
&lt;p&gt;def step(X, a, b):
    # A three-way pseudo-random walk that also tracks X = g^a * Q^b (mod p).
    r = X % 3
    if r == 0:   return (X * Q) % p, a, (b + 1) % l
    elif r == 1: return (X * X) % p, (2 * a) % l, (2 * b) % l
    else:        return (X * g) % p, (a + 1) % l, b&lt;/p&gt;
&lt;p&gt;seen = {}                   # a table only to make the collision visible
X, a, b = g, 1, 0           # start at X = g^1 * Q^0
for i in range(1, l + 5):
    if X in seen:
        a2, b2 = seen[X]
        den = (b - b2) % l
        x = ((a2 - a) * pow(den, -1, l)) % l   # solve the collision for x
        print(&quot;collision at step&quot;, i, &quot; (sqrt(l) is about&quot;, round(l ** 0.5), &quot;)&quot;)
        print(&quot;recovered x =&quot;, x, &quot; true x =&quot;, x_secret, &quot; match:&quot;, x == x_secret)
        break
    seen[X] = (a, b)
    X, a, b = step(X, a, b)
`}&lt;/p&gt;
&lt;p&gt;A production attacker drops the table and uses constant memory, restarting on the rare degenerate collision where the bookkeeping cancels. What matters is the exponent: the cost scales as the &lt;em&gt;square root&lt;/em&gt; of the subgroup order, and nothing about the group&apos;s size changes that scaling.&lt;/p&gt;
&lt;p&gt;A close cousin, Pollard&apos;s kangaroo (or lambda) method, solves the DLP when $x$ is known to lie in a short interval, at cost proportional to the square root of the interval width rather than of $\ell$.&lt;/p&gt;
&lt;h3&gt;Parallelism does not change the exponent&lt;/h3&gt;
&lt;p&gt;In 1999, Paul van Oorschot and Michael Wiener turned rho into a production weapon [@vanoorschot-wiener-1999]. Many machines walk independently and report only &lt;em&gt;distinguished points&lt;/em&gt; -- points with a rare, easy-to-test property such as a run of leading zero bits. A collision between any two chains is caught by a central server, and the speedup is near-linear: $m$ machines finish in about $\sqrt{\ell}/m$ wall-clock time. Parallelism buys you a smaller constant and a division by your budget. It does not touch the square root.&lt;/p&gt;
&lt;h3&gt;The floor is a theorem, not a lack of imagination&lt;/h3&gt;
&lt;p&gt;Why be sure no cleverer generic walk exists? Because in 1997 Victor Shoup proved a matching lower bound: any algorithm that uses only the group operation must make $\Omega(\sqrt{\ell})$ queries to solve the discrete log, where $\ell$ is the largest prime factor of the order [@shoup-1997]. Pollard&apos;s upper bound and Shoup&apos;s lower bound close on the same exponent.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; On a group with no exploitable structure, the best attack anyone knows -- Pollard rho at about $0.886\sqrt{\ell}$ steps -- is provably the best attack anyone generically &lt;em&gt;can&lt;/em&gt; know, because Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound meets it. The two bounds coincide at $\Theta(\sqrt{\ell})$. The hardness is not a property of &quot;the logarithm.&quot; It is fixed entirely by one number: the largest prime factor of the group&apos;s order. The variable has moved from the operation to the group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That is why &quot;security level&quot; is &lt;em&gt;defined&lt;/em&gt; as the rho cost. A 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one, because rho gets a square-root discount that no key-size increase can revoke.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Curve (256-bit unless noted)&lt;/th&gt;
&lt;th&gt;Pollard rho cost&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Curve25519&lt;/td&gt;
&lt;td&gt;$2^{125.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256, secp256k1&lt;/td&gt;
&lt;td&gt;$2^{127.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;brainpoolP256&lt;/td&gt;
&lt;td&gt;$2^{127.5}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-384 (384-bit)&lt;/td&gt;
&lt;td&gt;$2^{191.8}$&lt;/td&gt;
&lt;td&gt;about 192-bit security [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SafeCurves &quot;anomalous&quot; curve (about 204-bit)&lt;/td&gt;
&lt;td&gt;$2^{101.6}$ by size alone&lt;/td&gt;
&lt;td&gt;a red herring -- its real break is polynomial-time SSSA (Section 4), off the rho scale entirely [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

State-of-the-art attacks on the elliptic-curve discrete log are still within a factor of two of Shanks&apos;s 1971 method. Half a century of cryptanalysis against a clean curve has bought a factor of two.
&lt;p&gt;The records bear this out. The largest discrete log ever solved on a generic, randomly chosen prime-field elliptic curve is a 112-bit curve, secp112r1, cracked in 2009 by a parallel rho computation [@bos-112bit-2009]. The only solves that have reached higher leaned on exploitable curve structure rather than a stronger generic attack, which is the thesis in miniature. Set that against the finite-field records we are about to meet, where the numbers run past 795 bits, and the gap tells the whole story: against a clean curve there is no better attack than the square-root walk, so records crawl.&lt;/p&gt;
&lt;p&gt;This is the wall every attacker hits -- unless the group hands them a crack. So where are the cracks? They start with the curve you choose.&lt;/p&gt;
&lt;h2&gt;4. The Curve as the Weak Part, I: Special Curves That Transfer the Log Away&lt;/h2&gt;
&lt;p&gt;The move to elliptic curves was supposed to strip out structure. But the first generation of curve choices smuggled it back in, and the way each weakness works is the quiet engine of this whole article. None of them computes a faster logarithm. Each one &lt;strong&gt;moves the logarithm out of the curve&lt;/strong&gt; and into a different group where the log was never hard to begin with.&lt;/p&gt;

flowchart TD
    A[ECDLP on the chosen curve E] --&amp;gt; B{&quot;What structure did the curve leak?&quot;}
    B --&amp;gt;|Trace equals 1, so the point count equals p| C[Additive transfer, the SSSA map]
    B --&amp;gt;|Small embedding degree k| D[Pairing transfer, MOV and Frey-Ruck]
    C --&amp;gt; E[Log now lives in the additive group of F_p, which has no hardness]
    D --&amp;gt; F[Log now lives in a finite field where index calculus finishes it]
    E --&amp;gt; G[Recovered in polynomial time]
    F --&amp;gt; H[Recovered in sub-exponential time]
&lt;h3&gt;Anomalous curves: a trapdoor hiding in the point count&lt;/h3&gt;
&lt;p&gt;Every elliptic curve over a prime field $\mathbb{F}_p$ has a point count governed by a single integer. Hasse&apos;s theorem says $#E(\mathbb{F}_p) = p + 1 - t$, where $t$ is the &lt;em&gt;trace of Frobenius&lt;/em&gt; and $|t| \le 2\sqrt{p}$. That one number, $t$, decides whether the curve is world-class or worthless.&lt;/p&gt;

The trace of Frobenius $t$ measures how the number of points on $E$ over $\mathbb{F}_p$ deviates from $p + 1$, via $\#E(\mathbb{F}_p) = p + 1 - t$. A curve is *anomalous* when $t = 1$, so that $\#E(\mathbb{F}_p) = p$ exactly -- the group of points has the same order as the additive group of the field it sits over. That coincidence is fatal.
&lt;p&gt;When the group order equals $p$, a map exists -- built from the $p$-adic (formal) logarithm and expressible through Fermat quotients -- that sends the elliptic-curve discrete log straight into $(\mathbb{F}_p, +)$, the additive group of the field. And addition has no discrete-log hardness at all: recovering $x$ from $x \cdot a$ in $(\mathbb{F}_p, +)$ is one modular division. The transfer runs in &lt;strong&gt;polynomial time&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;This was worked out in 1998 and 1999 by Nigel Smart [@smart-1999], and independently by Igor Semaev [@semaev-1998] and by Takakazu Satoh and Kiyomichi Araki [@satoh-araki-1998]; the attack is often abbreviated SSSA after the four names.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Size buys nothing here. A 256-bit anomalous curve -- indistinguishable at a glance from a strong one, same field size, same key length -- falls in polynomial time, essentially instantly, while its 256-bit clean neighbor stands at about $2^{125.8}$ operations [@safecurves]. The only thing that changed is the trace. The defense is one check: confirm that $#E(\mathbb{F}_p) \neq p$.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a subtlety worth flagging so you can spot a common mis-citation: this 1998-99 break is the &lt;em&gt;additive&lt;/em&gt;, formal-logarithm transfer. It is not Semaev&apos;s later 2004 work on summation polynomials [@semaev-2004], which is a different line of attack we will meet in Section 10. Trace one is a coincidence in the point count; summation polynomials are an index-calculus program. Conflating them is the classic error in retellings of this attack.&lt;/p&gt;
&lt;h3&gt;Low embedding degree: a bridge into a weaker field&lt;/h3&gt;
&lt;p&gt;The second transfer needs a different structural flaw. Every prime-order subgroup of a curve has an &lt;em&gt;embedding degree&lt;/em&gt;, and if it is small, a bridge opens into a finite field where the log is soft.&lt;/p&gt;

For a subgroup of prime order $\ell$ on a curve over $\mathbb{F}_q$, the embedding degree $k$ is the least positive integer such that $\ell \mid q^k - 1$. Equivalently, $k$ is the smallest extension field $\mathbb{F}_{q^k}$ whose multiplicative group contains a copy of the subgroup. When $k$ is small, that copy is reachable, and the finite-field discrete log there is sub-exponential rather than square-root.
&lt;p&gt;The bridge itself is a bilinear pairing.&lt;/p&gt;

A pairing is a map $e$ that takes two curve points to an element of $\mathbb{F}_{q^k}^*$ and is *bilinear*: $e(aP, bQ) = e(P, Q)^{ab}$. Bilinearity is what turns a curve log into a field log, but there is a subtlety most retellings get wrong. The *Weil* pairing that MOV uses is *alternating*: $e(P, P) = 1$ for every $P$, so a naive $e(P, P)^x$ is just $1$ and carries no information. MOV instead pairs $Q = xP$ with a *second, linearly independent* order-$\ell$ point $R \notin \langle P \rangle$, giving $e(Q, R) = e(P, R)^x$ in $\mathbb{F}_{q^k}^*$ -- an ordinary finite-field discrete log in the nontrivial root of unity $e(P, R)$. On the classic supersingular victims that independent $R$ arrives for free from a *distortion map* $\psi$, an endomorphism that moves $P$ off its own subgroup so that $R = \psi(P)$ works [@verheul-2004] [@galbraith-2012]. Frey and Ruck use the *Tate* pairing, which is not alternating and does admit a nontrivial self-pairing, so there the bare $e(P, P)^x$ form is the legitimate one.
&lt;p&gt;Menezes, Okamoto, and Vanstone published the Weil-pairing reduction in 1993 [@mov-1993]; Frey and Ruck gave the companion Tate-pairing version in 1994 [@frey-ruck-1994]. The classic victims are supersingular curves, which have embedding degree $k \le 6$. Once transferred into $\mathbb{F}_{q^k}^*$ with small $k$, the log falls to the sub-exponential Number Field Sieve of Section 6.&lt;/p&gt;
&lt;p&gt;The escape to a curve is undone by a curve that quietly kept a low-degree door into a field. The defense, again, is a property of the curve you &lt;em&gt;choose&lt;/em&gt;: demand a large embedding degree, which the pairing textbook literature treats as a standard selection criterion [@hankerson-mv-2004].&lt;/p&gt;

There is a twist worth savoring. The very property MOV and Frey-Ruck exploit -- a workable pairing into a small field -- became the foundation of an entire branch of cryptography. Identity-based encryption, BLS signatures, and much of what makes modern threshold and aggregate signatures possible are *built on* pairing-friendly curves with deliberately small embedding degree. The supersingular curves that MOV destroyed for plain ECDLP found a second career as the substrate of constructive pairing-based cryptography. The same distortion maps that hand MOV its independent second point are what make Antoine Joux&apos;s one-round tripartite Diffie-Hellman work -- a three-party key agreement in a single round, and the first purpose-built pairing protocol [@joux-tripartite-2000]. A structural feature is only a weakness relative to what you are trying to do with it.
&lt;p&gt;Step back and notice what both attacks have in common with each other and with Pohlig-Hellman before them.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Neither the anomalous break nor the pairing break computes a faster logarithm. Each one &lt;em&gt;transfers&lt;/em&gt; the log: the anomalous curve&apos;s log is mapped into $(\mathbb{F}&lt;em&gt;p, +)$, where addition is trivial; the low-embedding-degree curve&apos;s log is mapped into $\mathbb{F}&lt;/em&gt;{q^k}^*$, where index calculus finishes it. The attacker never out-computes the logarithm on the curve. They relocate it to a group that was never hard. Structure, not speed, is the entire game.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Trace one and small embedding degree are properties an attacker can only &lt;em&gt;hope&lt;/em&gt; the designer chose badly. The next family of breaks is nastier, because they can be triggered by the attacker&apos;s own inputs, or by a field chosen one level up from the curve.&lt;/p&gt;
&lt;h2&gt;5. The Curve as the Weak Part, II: Twists, Shadow Groups, and Descent&lt;/h2&gt;
&lt;p&gt;The cleanest structural weakness of all does not live in the curve you publish. It lives in the curve&apos;s twin.&lt;/p&gt;
&lt;h3&gt;Twist attacks: falling off the curve onto its shadow&lt;/h3&gt;
&lt;p&gt;Fast elliptic-curve implementations often work with $x$-coordinates only -- the Montgomery ladder, used by X25519, never computes a $y$-coordinate at all. That is a real speed and safety win, but it introduces a subtlety: an $x$ value the attacker sends might not correspond to any point on $E$.&lt;/p&gt;

Over $\mathbb{F}_p$, a curve $E$ has a *quadratic twist* $E&apos;$ -- a sibling curve that becomes isomorphic to $E$ only over the larger field $\mathbb{F}_{p^2}$. The key fact for $x$-only arithmetic is that every $x$ in $\mathbb{F}_p$ is the $x$-coordinate of a point on *either* $E$ *or* $E&apos;$. So an attacker-supplied $x$ that is not on $E$ is silently processed as a point on the twist. A curve is *twist-secure* when both $E$ and $E&apos;$ have near-prime order.
&lt;p&gt;Here is the attack. If the twist $E&apos;$ has a &lt;em&gt;smooth&lt;/em&gt; order -- a product of small primes -- then a scalar multiplication the victim performs on that twist leaks the secret modulo each small prime, exactly the Pohlig-Hellman shattering from Section 2, now triggered by an attacker&apos;s chosen input rather than by the designer&apos;s bad luck. Collect enough small residues and the Chinese Remainder Theorem reassembles the key.&lt;/p&gt;
&lt;p&gt;The weakness is real, and again it is a property of the group the designer &lt;em&gt;chose&lt;/em&gt;: it is defeated by requiring the twist&apos;s order, not just the curve&apos;s, to be near-prime. Curve25519 was designed to be twist-secure from the start [@bernstein-curve25519-2006], and SafeCurves treats twist security as a first-class criterion [@safecurves].&lt;/p&gt;
&lt;h3&gt;Invalid-curve shadow groups: arithmetic that forgets its own curve&lt;/h3&gt;
&lt;p&gt;The next mechanism is sharper still, and it exposes something almost philosophical about how curve arithmetic works.&lt;/p&gt;

For a short-Weierstrass curve $y^2 = x^3 + ax + b$, the standard point-addition formulas use $a$ but never use $b$. So if you feed the arithmetic a point that satisfies $y^2 = x^3 + ax + c$ for the *wrong* constant $c$, every formula still returns a well-defined answer -- computed as if on a different, weaker &quot;shadow&quot; curve. If that shadow curve has smooth order, the secret is confined to small subgroups, just as in a twist attack.
&lt;p&gt;Biehl, Meyer, and Muller analyzed this in 2000 [@biehl-meyer-muller-2000], and SafeCurves states the load-bearing fact plainly: the standard formulas do not involve the constant coefficient $b$ [@safecurves]. What makes this a &quot;shadow group&quot; rather than a single weak curve is that the attacker gets to choose $c$, and so gets a whole &lt;em&gt;family&lt;/em&gt; of weaker curves to hunt through for one with a smooth order.&lt;/p&gt;
&lt;p&gt;Do not confuse invalid-curve attacks with small-subgroup confinement in the Lim-Lee sense. The former uses many &lt;em&gt;different&lt;/em&gt; off-curve shadow curves reached by varying $c$; the latter feeds a single low-order element inside &lt;em&gt;one&lt;/em&gt; group. Both end in Pohlig-Hellman, but the structural handle is different.&lt;/p&gt;
&lt;p&gt;Now, the honest boundary. The &lt;em&gt;mechanism&lt;/em&gt; above is pure group arithmetic -- a genuine structural property of the short-Weierstrass addition law -- and that is what belongs here. What makes it fire in a real system is a missing check: the software accepted a point without verifying it was on the intended curve. That trigger is an implementation gap, not curve mathematics, and this article deliberately stops at the mathematics.&lt;/p&gt;

This piece keeps a strict contract: it analyzes only the mathematics of the group. The moment a break depends on a missing input validation, a leaked nonce, a fault injected into a signature, a downgrade negotiated on the wire, or a manipulated parameter, it crosses into implementation and protocol territory. Those are the domain of the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces,&quot; which covers the PlayStation 3 repeated-nonce disaster, the CurveBall certificate-validation flaw, the Logjam downgrade handshake, and the biased-nonce lattice attacks. When you finish here knowing *which group properties* are dangerous, that article shows *how deployments trip over them*. The invalid-curve trigger -- &quot;the code forgot to validate the point&quot; -- is handed there in full.
&lt;h3&gt;Weil descent: a weakness chosen one level up, in the field&lt;/h3&gt;
&lt;p&gt;The last structural break in this pair does not need a bad curve so much as a badly chosen &lt;em&gt;field&lt;/em&gt;. Some curves live over binary extension fields $\mathbb{F}_{2^n}$. When the extension degree $n$ is composite, a technique called Weil restriction can re-express the curve&apos;s group as points on a higher-genus curve over a smaller subfield -- and on that higher-genus object, &lt;em&gt;index calculus&lt;/em&gt; applies and beats the generic square-root floor.&lt;/p&gt;
&lt;p&gt;Gaudry, Hess, and Smart formalized this in 2002 [@ghs-2002], and the title of their paper is itself a summary of this whole section: &quot;Constructive and destructive facets of Weil descent on elliptic curves.&quot; The precondition is structural and specific: a composite-degree binary extension field. The defense is equally specific: use prime fields, or at worst prime-degree extensions, so there is no subfield to descend into.&lt;/p&gt;
&lt;p&gt;Every curve break in these two sections has needed a &lt;em&gt;particular&lt;/em&gt; structural precondition -- trace one, small embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field. Not one has been a faster logarithm. Now cross the aisle to the group the whole field was fleeing in 1985. There, the structure is not an accident of a bad curve. It is built into the group itself.&lt;/p&gt;
&lt;h2&gt;6. The Finite-Field Side: When the Group Itself Has Structure&lt;/h2&gt;
&lt;p&gt;An anomalous curve is a &lt;em&gt;bad choice&lt;/em&gt; -- pick a different curve and the weakness is gone. The multiplicative group $\mathbb{F}_p^*$ is different. It is not a bad choice; it is &lt;em&gt;inherently&lt;/em&gt; structured. Its elements are ordinary integers, and integers can be multiplied and factored. That single property -- the one thing an elliptic-curve group pointedly does not have -- is exactly what the fastest classical attack needs.&lt;/p&gt;
&lt;h3&gt;Index calculus: turning multiplication into linear algebra&lt;/h3&gt;

Fix a *factor base* of small primes. An element is *smooth* if it factors completely over that base. Index calculus hunts for powers $g^k$ that are smooth; each one factors as a product of factor-base primes, and taking logs turns that product into a *linear equation* relating the unknown logs of the base primes. Collect more smooth relations than there are base primes, solve the linear system once, and you know the log of every prime in the base. To finish a specific target $h$, nudge it by random powers of $g$ until $h \cdot g^k$ is smooth, and read the answer off the precomputed base logs.
&lt;p&gt;Notice what index calculus consumes: the ability to &lt;em&gt;factor&lt;/em&gt; group elements into small pieces. In $\mathbb{F}_p^*$ that ability is free, because the elements are integers. On an elliptic curve there is no such thing as a &quot;small&quot; point, no factor base, no notion of a smooth point at all. The attack has nothing to grip. That absence is not a minor detail -- it is the entire reason elliptic-curve cryptography exists.&lt;/p&gt;
&lt;h3&gt;The Number Field Sieve, pointed at the logarithm&lt;/h3&gt;
&lt;p&gt;The mature form of this idea is the Number Field Sieve. Built for factoring by Lenstra, Lenstra, Manasse, and Pollard in 1990 [@nfs-llmp-1990], it was adapted to the discrete log in a prime field by Daniel Gordon in 1993 [@gordon-1993].&lt;/p&gt;
&lt;p&gt;Its pipeline has four stages: choose number fields tuned to $p$ (polynomial selection), sieve for smooth relations (relation collection), solve the resulting sparse linear system modulo the group order (linear algebra), and then peel off each individual target log (descent). The first three stages depend only on the prime $p$ -- a fact that looks academic here and becomes a weapon in the next section.&lt;/p&gt;

Cryptographers measure these costs with $L_p[\alpha, c] = \exp\!\big((c + o(1))(\ln p)^{\alpha}(\ln\ln p)^{1-\alpha}\big)$. The exponent $\alpha$ interpolates between two worlds: $\alpha = 1$ is fully exponential (Pollard rho on a $b$-bit group costs about $2^{b/2}$, an $L_p[1, 1/2]$ cost), and $\alpha = 0$ is polynomial. The Number Field Sieve sits at $\alpha = 1/3$, deep in *sub-exponential* territory -- vastly faster than the generic square root, and the same complexity class as integer factoring.
&lt;p&gt;Gordon&apos;s 1993 algorithm put the finite-field discrete log in the sub-exponential $L_p[1/3]$ class, with heuristic constant $3^{2/3} \approx 2.08$ [@gordon-1993]; later refinements sharpened that constant to the modern $(64/9)^{1/3} \approx 1.923$. To feel what the difference between $\alpha = 1/2$ and $\alpha = 1/3$ does to real key sizes, run the estimator: the finite-field cost grows like a &lt;em&gt;cube root&lt;/em&gt; of the bit length in the exponent, while the elliptic-curve cost grows &lt;em&gt;linearly&lt;/em&gt;. That is why the two settings need such different key sizes for the same security.&lt;/p&gt;
&lt;p&gt;{`
import math&lt;/p&gt;
&lt;p&gt;def nfs_bits(bits):
    # Leading-term model of the NFS-DL cost L_p[1/3, (64/9)^(1/3)] for a &apos;bits&apos;-bit prime.
    lnp = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)                  # about 1.923
    return c * lnp ** (1/3) * math.log(lnp) ** (2/3) / math.log(2)&lt;/p&gt;
&lt;p&gt;def rho_bits(order_bits):
    return order_bits / 2                    # Pollard rho: half the bit length&lt;/p&gt;
&lt;p&gt;print(&quot;Finite-field DH (cost grows like a cube root in the exponent):&quot;)
for b in [512, 1024, 2048, 3072]:
    print(f&quot;  {b:&amp;gt;4}-bit prime  ~  2^{nfs_bits(b):5.1f}&quot;)
print(&quot;Elliptic curve (cost grows linearly):&quot;)
for m in [160, 224, 256]:
    print(f&quot;  {m:&amp;gt;4}-bit curve   ~  2^{rho_bits(m):5.1f}&quot;)&lt;/p&gt;
The leading term runs a little high; calibrated against real records, standard
practice reads 1024-bit as roughly 80-bit and 3072-bit as roughly 128-bit security.
&lt;p&gt;`}&lt;/p&gt;
&lt;p&gt;The scaling is the point. A clean 256-bit curve and a 3072-bit prime deliver comparable security -- the curve does it with an eighth of the key length -- precisely because the curve denies the sieve its factor base. This is the thesis at its sharpest: the &lt;em&gt;same&lt;/em&gt; discrete logarithm, but a group whose structure leaks drops the attack from square-root time all the way to $L_p[1/3]$.&lt;/p&gt;

Same discrete log. On a generic curve, the largest ever solved is 112 bits and the records crawl. In a prime field, the record is 795 bits and climbing. The logarithm did not change -- the group did.
&lt;p&gt;The records make the gap concrete. The current prime-field discrete-log record is 795 bits (240 decimal digits), set in 2019 by Boudot, Gaudry, Guillevic, Heninger, Thome, and Zimmermann, with the discrete-log computation costing roughly 3,100 core-years [@boudot-795bit-2020]; the previous record was 768 bits [@kleinjung-768bit-2017]. Against the 112-bit generic-curve ceiling of Section 3, the sieve&apos;s structural advantage is not subtle. The multiplicative group hands the attacker a factor base; the curve hands them nothing. The results corroborate the standard textbook accounting of index calculus and its consequences for finite-field sizing [@hac-1996].&lt;/p&gt;
&lt;p&gt;A sub-exponential attack still sounds expensive -- years of computation for a single prime. So why is a 1024-bit Diffie-Hellman group a &lt;em&gt;practical&lt;/em&gt; target rather than a merely theoretical one? Because the expensive part only has to be done once.&lt;/p&gt;
&lt;h2&gt;7. Logjam: Precomputation as a Structural Property&lt;/h2&gt;
&lt;p&gt;The most misunderstood word in &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;forward secrecy&lt;/a&gt; is &quot;fresh.&quot; A new ephemeral key on every connection &lt;em&gt;feels&lt;/em&gt; like it should defeat any precomputed attack -- surely a one-time secret cannot be broken by work done in advance. Against a &lt;em&gt;shared&lt;/em&gt; prime, that intuition is simply wrong, and seeing why is the sharpest lesson the finite-field side has to teach.&lt;/p&gt;
&lt;p&gt;Recall the four stages of the Number Field Sieve. Three of them -- polynomial selection, relation collection, and the enormous linear-algebra solve -- depend only on the prime $p$. They produce the discrete logs of the entire factor base, and that output is reusable for &lt;em&gt;every&lt;/em&gt; discrete log computed in that same prime field. Only the final descent step depends on the particular target. The Logjam researchers put it in one line on the project page: the first step of the number field sieve is dependent only on this prime [@logjam-adrian-2015].&lt;/p&gt;

flowchart TD
    subgraph PC[&quot;Precomputation, depends only on the prime p&quot;]
      A[Polynomial selection] --&amp;gt; B[Relation collection by sieving]
      B --&amp;gt; C[Linear algebra, logs of the whole factor base]
    end
    C --&amp;gt; D[Per-target descent, one quick step per connection]
    D --&amp;gt; E[Discrete log of this specific ephemeral key]
    F[Every connection that shares p reuses the same precomputation] -.-&amp;gt; D
&lt;p&gt;So a fresh ephemeral does not help if the prime behind it is shared and undersized. The attacker pays the sieve cost once, for the prime, and then every &quot;fresh&quot; handshake using that prime falls in the cheap descent step. Freshness protects the &lt;em&gt;key&lt;/em&gt;; it does nothing for a &lt;em&gt;shared group&lt;/em&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Precomputation is not a shortcut around the math -- it &lt;em&gt;is&lt;/em&gt; the structure being exploited. The weakness Logjam turns into a live threat is the amortized cost of a shared, undersized prime, spread across millions of connections. It is not a faster logarithm and not a smaller key in isolation. It is the fact that everyone reused the same group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The blast radius came from exactly that reuse. A handful of 1024-bit primes were hard-coded into standards and shipped in software everywhere. Adrian and colleagues measured the exposure [@logjam-adrian-2015]. The immediate Logjam downgrade, forcing connections to 512-bit export-grade Diffie-Hellman, initially left 8.4% of the Top 1 Million HTTPS domains vulnerable.&lt;/p&gt;
&lt;p&gt;Looking forward, a single precomputation against one common 1024-bit prime would let a passive eavesdropper read roughly 18% of the Top 1 Million HTTPS domains; precomputing a second common 1024-bit prime would reach about 66% of VPNs and 26% of SSH servers. A nation-state budget for one very large computation buys passive decryption of a striking fraction of the internet, all because the primes were shared.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The lesson people take away from Logjam is usually &quot;use bigger primes,&quot; and that is half right. The deeper point is that a 1024-bit prime is dangerous mainly because it is &lt;em&gt;shared and precomputed&lt;/em&gt;, not merely because it is 1024 bits. A &lt;em&gt;unique&lt;/em&gt;, per-organization 2048-bit or larger prime denies the attacker the amortization that makes the sieve economical at internet scale. Shared-and-precomputed versus unique is the real axis; size is secondary [@logjam-adrian-2015].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a further twist this article names only to hand off: a prime can be &lt;em&gt;maliciously&lt;/em&gt; constructed so that a hidden special-number-field-sieve structure makes it far weaker than it looks, a trapdoor invisible to anyone who did not build it. That, along with the wire-level mechanics of how a downgrade is actually negotiated, is deployment and protocol territory -- the empirical sibling&apos;s ground, not this article&apos;s.&lt;/p&gt;
&lt;p&gt;Logjam attacks a field whose prime was too small and, above all, shared. But there is a family of fields where the sieve does not merely amortize -- it changes complexity class entirely, from sub-exponential to almost polynomial. The only question is which fields, and the answer is, once again, a structural property someone chose.&lt;/p&gt;
&lt;h2&gt;8. Small Characteristic: The Quasi-Polynomial Frontier&lt;/h2&gt;
&lt;p&gt;For one specific family of fields, the discrete log came close to &lt;em&gt;collapsing&lt;/em&gt; -- and the story teaches the same lesson one more time, in its most dramatic form: the characteristic you choose is a structural gift to the attacker.&lt;/p&gt;
&lt;p&gt;Finite fields come in two flavors that matter here. Prime fields $\mathbb{F}&lt;em&gt;p$ have large characteristic $p$. Extension fields like $\mathbb{F}&lt;/em&gt;{2^n}$ and $\mathbb{F}_{3^n}$ have &lt;em&gt;small&lt;/em&gt;, fixed characteristic (2 or 3) and a large extension degree $n$. For decades both were treated as roughly comparable homes for the discrete log. Then, in the span of a few years, the small-characteristic case fell apart.&lt;/p&gt;
&lt;p&gt;In 2013, Antoine Joux broke the long-standing $L[1/3]$ barrier for small-characteristic fields with a new index-calculus algorithm of complexity $L[1/4 + o(1)]$, published at Selected Areas in Cryptography [@joux-2013-l14]. That was the crack in the dam. In 2014, Barbulescu, Gaudry, Joux, and Thome went much further, giving a &lt;em&gt;heuristic quasi-polynomial&lt;/em&gt; algorithm -- cost $n^{O(\log n)}$ -- for the discrete log in finite fields of small characteristic [@bgjt-2014]. Quasi-polynomial is not merely faster than sub-exponential; it is a different universe of growth, far below $L[1/3]$.&lt;/p&gt;
&lt;p&gt;Then in 2019, Kleinjung and Wesolowski removed the heuristics, proving that the discrete log in a fixed-characteristic field can be solved in expected time $(pn)^{2\log_2(n) + O(1)}$ -- a genuine theorem, not a conjecture backed by experiments [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;p&gt;Why does small characteristic collapse when a prime field does not? The whole descent turns on one structural gift. In a field like $\mathbb{F}_{2^n}$ every element is a low-degree polynomial over a tiny base field, and the Frobenius map $x \mapsto x^p$ acts &lt;em&gt;linearly&lt;/em&gt; on that representation, because $(a + b)^p = a^p + b^p$ in characteristic $p$. Those two facts hand the attacker a cheap, self-replenishing supply of low-degree relations: the algorithm presents the field through a low-degree identity linking an element to its Frobenius image, so a single relation spawns a whole orbit of them essentially for free.&lt;/p&gt;
&lt;p&gt;The attack then &lt;em&gt;descends on degree&lt;/em&gt;. It rewrites the logarithm of a degree-$d$ target as a combination of logarithms of strictly lower-degree elements, recurses ($d \to d/2 \to \cdots$), and bottoms out at degree-one elements whose logs are read off directly. Because each step roughly halves the degree while spawning only quasi-polynomially many sub-problems, the descent tree has depth about $\log d$ and terminates in $n^{O(\log n)}$ time -- that logarithmic recursion depth is exactly why the exponent is &quot;quasi-,&quot; not fully, polynomial.&lt;/p&gt;
&lt;p&gt;A prime field $\mathbb{F}_p^*$ offers none of this. Its elements are integers modulo $p$, with no subfield tower, no element degree to shrink, and no small-characteristic Frobenius to make relations cheap. The descent has nothing to grip, which is precisely why the Number Field Sieve at $L_p[1/3]$ stays the best attack there.&lt;/p&gt;
&lt;p&gt;The practical consequence was immediate: this line of work retired small-characteristic pairing choices, including the supersingular binary curves once proposed for pairing-based cryptography, whose security rested on a small-characteristic field discrete log. The field that was supposed to be the hard part evaporated.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The quasi-polynomial result applies to &lt;em&gt;small, fixed characteristic&lt;/em&gt; only: $\mathbb{F}&lt;em&gt;{2^n}$, $\mathbb{F}&lt;/em&gt;{3^n}$, and their relatives. It does &lt;strong&gt;not&lt;/strong&gt; extend to prime fields $\mathbb{F}_p$, where the Number Field Sieve at $L_p[1/3]$ remains the best known attack. Dropping the words &quot;small characteristic&quot; would produce a dangerous falsehood -- that prime-field Diffie-Hellman is quasi-polynomially broken. It is not. Finite-field DH over a properly sized, unique prime is still standing; only the small-characteristic cousins collapsed [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The calibration is almost comical in scale. The record discrete log in a fixed-characteristic field now stands at $\mathrm{GF}(2^{30750})$, computed in 2019 [@disclog-records-wiki]. That field is roughly thirty-nine times larger in bit length than the 795-bit &lt;em&gt;prime-field&lt;/em&gt; record from the same era. Same &quot;discrete logarithm&quot;; the characteristic of the chosen field decides whether the records sit near 800 bits or sail past 30,000.&lt;/p&gt;
&lt;p&gt;This reinforced a standards trend already under way. NIST SP 800-186 &lt;em&gt;deprecates&lt;/em&gt; the binary and Koblitz curves defined over small-characteristic fields, and FIPS 186-5 &lt;em&gt;removes&lt;/em&gt; them from the approved list entirely [@nist-sp800-186]. The precision matters: deprecation and removal are two distinct regulatory steps, and the small-characteristic results are part of why both happened.&lt;/p&gt;
&lt;p&gt;Eight sections, eight breaks, and one relentless pattern: every classical break so far -- Pohlig-Hellman, the anomalous transfer, MOV and Frey-Ruck, twists, invalid-curve shadows, Weil descent, the Number Field Sieve, and now small-characteristic descent -- needs a &lt;em&gt;specific&lt;/em&gt; structural property of the chosen group. But a pattern is only convincing if you can see all of it at once. Lay every attack on a single table, and the thesis stops being a claim you have to trust and becomes something you can read straight off a column.&lt;/p&gt;
&lt;h2&gt;9. A Map of Where the Weakness Lives&lt;/h2&gt;
&lt;p&gt;One table, read down one column, is the whole argument. Here is every attack in this article, each with the structural property it requires, the easy group it reduces the log to, its cost, and the one question that matters -- does a well-chosen group have that property?&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Group property it needs&lt;/th&gt;
&lt;th&gt;Reduces the log to&lt;/th&gt;
&lt;th&gt;Complexity&lt;/th&gt;
&lt;th&gt;Clean group has it?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Pollard rho [@pollard-rho-1978]&lt;/td&gt;
&lt;td&gt;none (generic)&lt;/td&gt;
&lt;td&gt;nothing; it &lt;em&gt;is&lt;/em&gt; the floor&lt;/td&gt;
&lt;td&gt;$\approx 0.886\sqrt{\ell}$&lt;/td&gt;
&lt;td&gt;the baseline&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;td&gt;smooth group order&lt;/td&gt;
&lt;td&gt;small subgroups plus CRT&lt;/td&gt;
&lt;td&gt;$\sum_i e_i(\log n + \sqrt{p_i})$&lt;/td&gt;
&lt;td&gt;No: large prime order&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Anomalous / SSSA [@smart-1999]&lt;/td&gt;
&lt;td&gt;trace $t = 1$, so $#E = p$&lt;/td&gt;
&lt;td&gt;addition in $(\mathbb{F}_p, +)$&lt;/td&gt;
&lt;td&gt;polynomial&lt;/td&gt;
&lt;td&gt;No: require $#E \neq p$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;td&gt;small embedding degree $k$&lt;/td&gt;
&lt;td&gt;DLP in $\mathbb{F}_{q^k}^*$&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: large $k$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist confinement [@safecurves]&lt;/td&gt;
&lt;td&gt;smooth twist plus x-only ladder&lt;/td&gt;
&lt;td&gt;small subgroups on the twist&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Invalid-curve shadow [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;td&gt;$b$-independent arithmetic plus weak shadow&lt;/td&gt;
&lt;td&gt;small subgroups on a shadow curve&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure and validated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002]&lt;/td&gt;
&lt;td&gt;composite-degree binary field&lt;/td&gt;
&lt;td&gt;index calculus on a higher-genus curve&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NFS-DL [@gordon-1993]&lt;/td&gt;
&lt;td&gt;a factor base (multiplicative smoothness)&lt;/td&gt;
&lt;td&gt;linear algebra on smooth relations&lt;/td&gt;
&lt;td&gt;$L_p[1/3,, 1.923]$&lt;/td&gt;
&lt;td&gt;No: a curve has no factor base&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;td&gt;small, fixed characteristic&lt;/td&gt;
&lt;td&gt;function-field descent&lt;/td&gt;
&lt;td&gt;quasi-polynomial&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Shor [@shor-1997]&lt;/td&gt;
&lt;td&gt;none (changes the machine)&lt;/td&gt;
&lt;td&gt;quantum period-finding&lt;/td&gt;
&lt;td&gt;polynomial in $\log \ell$&lt;/td&gt;
&lt;td&gt;Yes, but needs a quantum computer&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Read the &quot;group property it needs&quot; column from top to bottom. Every classical attack that beats square-root time names a &lt;em&gt;specific&lt;/em&gt; structural precondition -- a smooth order, trace one, low embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field, a factor base, small characteristic. The only two rows needing &lt;em&gt;no&lt;/em&gt; structure are Pollard rho, which &lt;em&gt;is&lt;/em&gt; the square-root floor, and Shor, which leaves the classical world entirely. Not one classical row is a faster generic logarithm. That is the thesis, rendered as a table.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The same pattern shows up in what a working engineer actually chooses between. Line up the deployed groups and the story is not &quot;big keys versus small keys&quot; -- it is &quot;which structural weakness is present.&quot;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Group&lt;/th&gt;
&lt;th&gt;Advertised security&lt;/th&gt;
&lt;th&gt;Public-key size&lt;/th&gt;
&lt;th&gt;Best known classical attack&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;FFDH-1024 (shared prime)&lt;/td&gt;
&lt;td&gt;about 80-bit, broken in practice&lt;/td&gt;
&lt;td&gt;1024-bit&lt;/td&gt;
&lt;td&gt;NFS-DL plus shared-prime precomputation [@logjam-adrian-2015]&lt;/td&gt;
&lt;td&gt;Deprecated, nation-state target&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FFDH-2048 / 3072 (shared or unique)&lt;/td&gt;
&lt;td&gt;about 112 / 128-bit&lt;/td&gt;
&lt;td&gt;2048 / 3072-bit&lt;/td&gt;
&lt;td&gt;NFS-DL, but precomputation is infeasible at this size&lt;/td&gt;
&lt;td&gt;Acceptable if unavoidable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{127.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, FIPS&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Curve25519 / X25519&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{125.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, twist-secure and rigid&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The two 256-bit curves and the 3072-bit prime all deliver about 128-bit security -- the curves with an eighth of the key length -- because a clean curve denies the sieve its factor base. And the two finite-field rows differ not by size alone but by &lt;em&gt;sharing&lt;/em&gt;: the 1024-bit row is a target because its prime is common and precomputed, not merely because it is 1024 bits.&lt;/p&gt;
&lt;p&gt;The table has one uncomfortable empty space. Every row is a break that needs structure, and a clean group has none of those structures. But is there a &lt;em&gt;proof&lt;/em&gt; that a structure-free group is actually safe -- or have we simply never found the crack? To answer honestly, we have to admit what the entire edifice rests on.&lt;/p&gt;
&lt;h2&gt;10. Theoretical Limits: Is the Log Itself Ever the Weak Part?&lt;/h2&gt;
&lt;p&gt;Here is the admission the whole subject rests on, and it is more unsettling than most textbooks let on: &lt;strong&gt;nobody has proved the discrete log is hard.&lt;/strong&gt; Not for $\mathbb{F}_p^*$, not for a clean elliptic curve, not for any group that carries real traffic. The security of a large fraction of the internet rests on a problem no one can prove is difficult.&lt;/p&gt;
&lt;p&gt;The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound from Section 3 [@shoup-1997] -- and its scope is precisely the catch. It holds &lt;em&gt;in the generic-group model&lt;/em&gt;, where the algorithm may not read anything from the encoding of group elements. It is a statement about structure-blind algorithms, not about the discrete log as such.&lt;/p&gt;
&lt;p&gt;This is exactly why index calculus is not a paradox. The Number Field Sieve beats Shoup&apos;s $\sqrt{\ell}$ floor for $\mathbb{F}_p^&lt;em&gt;$ not because the proof is wrong but because $\mathbb{F}_p^&lt;/em&gt;$ is &lt;em&gt;not a generic group&lt;/em&gt;: its elements are integers, the algorithm reads their factorizations, and the generic model&apos;s central assumption simply does not apply. Every faster attack in this article is another group that leaves the generic model through some door of its own. The matching bound of Section 3 is real, and it is real only inside a model that structured groups escape.&lt;/p&gt;

The gap has two values, and keeping them straight is the difference between understanding this subject and sloganeering about it. *In the generic-group model* the question is CLOSED: Pollard rho&apos;s $O(\sqrt{\ell})$ upper bound meets Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound at $\Theta(\sqrt{\ell})$, a rare matching pair. *Unconditionally* it is WIDE OPEN: there is no proof the discrete log is hard at all. The space between the generic wall and reality is exactly what index calculus and the curve transfers exploit. And there is a structural reason a hardness proof is out of reach: the DLP lies in $\mathrm{NP} \cap \mathrm{coNP}$ -- given the factorization of the group order, both a claimed logarithm and its absence are efficiently checkable -- so it is *not expected* to be NP-complete, since an NP-complete problem in $\mathrm{NP} \cap \mathrm{coNP}$ would collapse $\mathrm{NP} = \mathrm{coNP}$ [@galbraith-2012] [@hac-1996]. Proving the discrete log hard would be a complexity-theory landmark far beyond anything currently in reach. That is why &quot;only Shor breaks a clean group&quot; must always be read &quot;as far as is known.&quot;
&lt;p&gt;The sharpest open question sits one level down, and it is the one that keeps elliptic-curve cryptographers honest: does a sub-exponential, index-calculus-style algorithm exist for the ECDLP over a &lt;em&gt;prime&lt;/em&gt; field? If it did, it would do to elliptic curves what the Number Field Sieve did to finite-field Diffie-Hellman -- collapse the square-root advantage that justifies 256-bit keys.&lt;/p&gt;
&lt;p&gt;This is the correct home for Semaev&apos;s &lt;em&gt;summation polynomials&lt;/em&gt; and the related Gröbner-basis point-decomposition program, from 2004 onward [@semaev-2004] -- a genuine attempt to build an ECDLP index calculus. It must not be confused with the 1998-99 anomalous-curve transfer of Section 4, which is a different mechanism entirely. Over prime fields the summation-polynomial approach remains &lt;em&gt;exponential&lt;/em&gt;: it is the live frontier, not a solved attack.&lt;/p&gt;
&lt;p&gt;So, classically and as far as anyone knows, a clean group leaves the square-root floor standing. There is no known sub-exponential attack on a well-chosen prime-field curve, and the conjecture that none exists is exactly that -- a conjecture, the working hypothesis behind every ECC key-size recommendation.&lt;/p&gt;
&lt;p&gt;Even the improvements that do exist stay on their side of the line. The extended Tower Number Field Sieve of Kim and Barbulescu sharpens the &lt;em&gt;constants&lt;/em&gt; for medium- and non-prime-characteristic fields, but it does not move the $1/3$ exponent for prime fields [@kim-barbulescu-2016]. Prime-field discrete logs have been stuck at $L_p[1/3]$ since Gordon in 1993.&lt;/p&gt;
&lt;p&gt;If the log&apos;s classical hardness is unproven yet unbroken on a clean group, then the only &lt;em&gt;known&lt;/em&gt; way to break such a group is not a cleverer algorithm in the same world. It is to change worlds -- to a machine that computes on a fundamentally different substrate.&lt;/p&gt;
&lt;h2&gt;11. The Third Road: Shor, and Why a Clean Group Leaves Only Quantum&lt;/h2&gt;
&lt;p&gt;Strip a group of every exploitable structure and the classical attacker is back at Pollard&apos;s 1978 random walk, hitting the square-root wall with no crack to exploit. The one thing left that beats that wall does not compute a cleverer logarithm. It runs on a different machine.&lt;/p&gt;
&lt;p&gt;In 1994, Peter Shor showed that a quantum computer could solve both integer factoring and the discrete log in polynomial time [@shor-1997]. The discrete-log algorithm does not attack the group&apos;s structure the way index calculus does. It rewrites the problem into a shape a quantum computer is uniquely good at.Framed abstractly, Shor&apos;s discrete-log routine solves a &lt;em&gt;hidden subgroup problem&lt;/em&gt;: the secret $x$ hides a subgroup of $\mathbb{Z}&lt;em&gt;\ell \times \mathbb{Z}&lt;/em&gt;\ell$ generated by $(x, 1)$, and the quantum Fourier transform is the tool that exposes it [@childs-vandam-2010]. The abelian hidden-subgroup problem is the common engine behind Shor&apos;s factoring and discrete-log algorithms alike.&lt;/p&gt;

Shor&apos;s move is to recast the discrete log as *period-finding*. From the target one builds a function whose period encodes the secret exponent $x$. A classical machine cannot see that period without effectively searching for it, but a quantum machine can evaluate the function over a superposition of inputs and apply the quantum Fourier transform, which concentrates measurement probability on the period. Each measurement then returns a pair $(\alpha, \beta)$ obeying a linear relation $\alpha x + \beta \equiv 0 \pmod{\ell}$, and a few such relations pin down $x$ by classical linear algebra mod $\ell$ -- not the continued-fractions step that finishes Shor&apos;s *factoring* routine.

flowchart TD
    A[Target: Q equals x times P on a clean curve] --&amp;gt; B[Build a function periodic in the unknown x]
    B --&amp;gt; C[Evaluate it over a superposition on the quantum register]
    C --&amp;gt; D[Quantum Fourier transform makes the period observable]
    D --&amp;gt; E[Measure: each shot yields a linear relation in x, mod l]
    E --&amp;gt; F[Solve the linear congruences for the discrete log x, polynomial in log of the order]
&lt;p&gt;The consequence is the one classical cryptanalysis can never deliver: the cost is &lt;em&gt;polynomial in $\log \ell$&lt;/em&gt;, so &lt;strong&gt;key size is no defense.&lt;/strong&gt; Doubling the curve size barely moves Shor&apos;s cost. And it needs none of the structural preconditions from the table in Section 9 -- no trace one, no small embedding degree, no smooth twist, no factor base. It breaks a &lt;em&gt;correct key on a flawless group&lt;/em&gt;. Shor is the empty cell filled in: the only known attack that does not require the group to be badly chosen.&lt;/p&gt;
&lt;p&gt;Crucially, the progress since 1994 has been &lt;em&gt;algorithmic&lt;/em&gt;, not hardware. The first ECDLP-specific quantum circuit came from Proos and Zalka in 2003, who made a structural observation that still holds: elliptic curves are an &lt;em&gt;easier&lt;/em&gt; quantum target than equal-security &lt;a href=&quot;https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; [@proos-zalka-2003].&lt;/p&gt;
&lt;p&gt;The modern resource estimate, from Roetteler, Naehrig, Svore, and Lauter in 2017, is concrete: a 256-bit ECDLP needs about 2,330 logical qubits -- following their count of $9n + 2\lceil\log_2 n\rceil + 10$, which for $n = 256$ gives $2304 + 16 + 10 = 2330$ -- and on the order of $1.3 \times 10^{11}$ Toffoli gates, versus roughly 6,146 logical qubits for RSA-3072 [@roetteler-2017]. The curve&apos;s small keys, its great classical advantage, make it the &lt;em&gt;cheaper&lt;/em&gt; thing to break once a quantum computer exists.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Shor is structural mathematics against an asymmetric primitive: it breaks the discrete-log problem itself, in polynomial time, on a flawless group -- squarely the subject of this article. Grover&apos;s algorithm is a different animal: a generic square-root speedup for unstructured search that halves the effective key length of &lt;em&gt;symmetric&lt;/em&gt; ciphers and hashes. It is not a structural break of the discrete log, and simply doubling a symmetric key neutralizes it. Grover is named here only to be set aside.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two honest boundaries close this section. First, no cryptographically-relevant quantum computer exists today, and this article asserts &lt;em&gt;no timeline&lt;/em&gt; for when, or whether, one will. The resource estimates set a migration clock, not a countdown. Second, the genuine successor to discrete-log cryptography is &lt;em&gt;post-quantum cryptography&lt;/em&gt; -- schemes built on entirely &lt;em&gt;different&lt;/em&gt; hard problems such as lattices, error-correcting codes, and hash functions. That is a separate research program, out of scope here, and its independence is the point: it is not a faster discrete log but a different foundation.&lt;/p&gt;
&lt;p&gt;That post-quantum cryptography is a genuinely different problem, not a continuation of the discrete-log genealogy, is underscored by how young and unsettled it still is: several proposed post-quantum schemes have themselves been broken during standardization -- the SIDH/SIKE isogeny key-exchange scheme fell to an efficient classical key-recovery attack [@castryck-decru-2022], and the Rainbow signature finalist was broken on a laptop in a single weekend [@beullens-2022] -- which would be impossible if they were merely the discrete log in disguise. Different problems fail in different ways.&lt;/p&gt;
&lt;p&gt;So the mathematics is settled enough to act on. Choose a group with no weak part, and the classical attacker is stranded at the square-root floor; the only remaining break is one you cannot out-size, and the response to it is migration, not a bigger key. That leaves one practical question: how do you actually choose a group with no weak part? Every criterion is a scar from an attack in this article.&lt;/p&gt;
&lt;h2&gt;12. Choosing a Group With No Weak Part&lt;/h2&gt;
&lt;p&gt;Every line on a curve-selection checklist is a scar from a specific attack in this article. Read the checklist not as arbitrary hygiene but as a map of defeated enemies -- each criterion exists because someone, somewhere, lost a key to the attack it blocks.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Criterion&lt;/th&gt;
&lt;th&gt;Attack it defeats&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Large prime subgroup order&lt;/td&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small cofactor&lt;/td&gt;
&lt;td&gt;small-subgroup leakage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Trace not one, so $#E \neq p$&lt;/td&gt;
&lt;td&gt;anomalous / SSSA transfer [@smart-1999]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Large embedding degree&lt;/td&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist-security (curve and twist near-prime order)&lt;/td&gt;
&lt;td&gt;twist confinement; in a single-coordinate ladder it also confines an off-curve input to the secure twist. The full-coordinate invalid-curve shadow needs input-point validation instead, an implementation check handed to the sibling [@safecurves] [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Prime field, no small characteristic, no composite extension&lt;/td&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002], small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rigidity (fully explained, manipulation-resistant parameters)&lt;/td&gt;
&lt;td&gt;hidden-structure and backdoor suspicion [@bernstein-curve25519-2006]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Two of these checks are easy enough to run on a toy example, which makes the abstract concrete: a curve is anomalous exactly when its point count equals the field prime, and it has a dangerous embedding degree exactly when the subgroup order divides $p^k - 1$ for some small $k$.&lt;/p&gt;
&lt;p&gt;{`
def embedding_degree(l, p, bound=200):
    # least k with l dividing p^k - 1; small k means a MOV / Frey-Ruck door
    r = p % l
    for k in range(1, bound + 1):
        if r == 1:
            return k
        r = (r * p) % l
    return None  # beyond the search bound: safely large&lt;/p&gt;
&lt;p&gt;def score(p, n, l):
    flags = []
    if n == p:
        flags.append(&quot;ANOMALOUS: #E equals p, trace one -&amp;gt; polynomial-time SSSA transfer&quot;)
    if n % l == 0:
        k = embedding_degree(l, p)
        if k is not None and k &amp;lt;= 6:
            flags.append(&quot;LOW EMBEDDING DEGREE k=&quot; + str(k) + &quot; -&amp;gt; MOV / Frey-Ruck transfer&quot;)
        if n // l &amp;gt; 8:
            flags.append(&quot;LARGE COFACTOR &quot; + str(n // l) + &quot; -&amp;gt; small-subgroup leakage&quot;)
    else:
        flags.append(&quot;subgroup order does not divide the point count (bad parameters)&quot;)
    return flags or [&quot;no structural red flag on these two checks&quot;]&lt;/p&gt;
&lt;p&gt;print(&quot;anomalous toy (p = n = 23):&quot;, score(23, 23, 23))
print(&quot;low-k toy (p=23, points=24, order=3):&quot;, score(23, 24, 3))
print(&quot;clean toy (p=101, points=order=83):&quot;, score(101, 83, 83))
`}&lt;/p&gt;
&lt;h3&gt;The decision, in one flow&lt;/h3&gt;

flowchart TD
    A{&quot;What are you building?&quot;} --&amp;gt;|New system, free choice| B[X25519 for key exchange, Ed25519 for signatures]
    A --&amp;gt;|FIPS-constrained| C[NIST P-256]
    A --&amp;gt;|Finite-field DH is forced| D[A standard RFC 7919 group of at least 2048 bits, never a shared 1024-bit prime]
    B --&amp;gt; E[Verify large prime order, small cofactor, trace not one, large embedding degree, twist-secure, rigid]
    C --&amp;gt; E
    D --&amp;gt; F[Plan a post-quantum or hybrid migration for the Shor horizon]
    E --&amp;gt; F
&lt;p&gt;For a new system with a free hand, use X25519 for key exchange and Ed25519 for signatures [@rfc7748] [@rfc8032]: they are twist-secure and rigid by construction, and they close every classical door in the table above. Where a standard mandates the NIST curves, &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;P-256&lt;/a&gt; is a sound choice with the same generic-floor security [@nist-sp800-186]. If finite-field Diffie-Hellman is genuinely unavoidable, use a standard RFC 7919 group of at least 2048 bits -- its shared named groups are safe at this size because the sieve precomputation is infeasible -- or a dedicated unique prime; never a shared or legacy 1024-bit prime, whose danger was the entire lesson of Logjam [@rfc7919].&lt;/p&gt;
&lt;p&gt;And across the board, avoid the families this article condemned: anomalous curves, low-embedding-degree curves, small-characteristic fields, and the binary and Koblitz curves that NIST now deprecates and FIPS 186-5 removes [@nist-sp800-186].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For roughly 128-bit security you can carry a 256-bit elliptic-curve key or a 3072-bit finite-field prime -- an eighth of the size for the same strength, with the gap widening at higher security levels. That is not a small optimization; it is why elliptic curves dominate new deployments. Unless a specific standard forces finite-field Diffie-Hellman, prefer X25519 and Ed25519 for smaller keys and faster, twist-secure operations [@safecurves] [@rfc7748].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One caveat belongs to the sibling article, not this one: choosing a strong group is necessary but not sufficient. A flawless curve still fails if the software forgets to validate an input point, reuses a nonce, or leaks timing -- the implementation failures catalogued in &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; This article guarantees only that the &lt;em&gt;mathematics&lt;/em&gt; of a well-chosen group offers no purchase. The code still has to hold up its end.&lt;/p&gt;
&lt;p&gt;That covers what to do. The questions careful engineers keep asking -- and the misconceptions that trip up even good ones -- deserve direct answers.&lt;/p&gt;
&lt;h2&gt;13. Frequently Asked Questions&lt;/h2&gt;

No -- it gives about 128-bit security. Because Pollard rho solves the discrete log in roughly the square root of the group order, a 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one. SafeCurves lists NIST P-256 at about $2^{127.8}$ and Curve25519 at about $2^{125.8}$ operations [@safecurves]. The bit length of the key is double the security level, not equal to it.

Only for two of the problems. A bigger key raises the generic square-root floor, and a larger, unique prime defeats undersized or shared finite-field Diffie-Hellman. But a *structural* break ignores key size entirely: an anomalous curve falls in polynomial time regardless of its bit length [@smart-1999], a shared precomputed prime falls no matter how fresh the ephemeral [@logjam-adrian-2015], and Shor is polynomial in the log of the order, so doubling the curve barely moves its cost [@shor-1997]. Against structure, size is no defense.

No. On a well-chosen group it is, as far as anyone knows, as hard as it can be -- the best generic attack is Pollard rho, and Shoup proved no generic algorithm does better [@shoup-1997]. Every real break in the literature exploited a structural property of a *chosen* group, not the logarithm itself. The honest caveat is that elliptic-curve discrete-log hardness is *unproven*: no one can prove it is hard, only observe that no one has broken a clean curve.

Because $\mathbb{F}_p^*$ has a factor base and a clean curve does not. The multiplicative group&apos;s elements are integers you can factor, which is exactly what the sub-exponential Number Field Sieve needs [@gordon-1993]. A well-chosen elliptic curve has no notion of a &quot;smooth&quot; point, so the sieve has nothing to grip, and the best attack stays at the square-root floor. The Logjam exposure came from that structural difference meeting a shared, undersized prime [@logjam-adrian-2015].

No. The expensive first stage of the Number Field Sieve depends only on the *prime*, not on any individual key, so it amortizes across every connection that shares that prime [@logjam-adrian-2015]. Freshness protects the ephemeral key; it does nothing about a shared group. A unique prime, not a fresh ephemeral, is what denies the attacker the precomputation.

Shor. It reduces the discrete log to quantum period-finding and solves it in polynomial time on a flawless group, which is a structural break and squarely in scope [@shor-1997]. Grover&apos;s algorithm is only a generic square-root speedup for unstructured search; it shortens *symmetric* keys and is neutralized by doubling them. Grover is not a structural break of the discrete log at all, and it is named here only to be set aside.

No. The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound, and it holds only in the *generic-group* model -- index calculus beats it for $\mathbb{F}_p^*$ precisely because that group is not generic [@shoup-1997]. There is no unconditional hardness proof, and one is not expected soon: the discrete log sits in $\mathrm{NP} \cap \mathrm{coNP}$, so it is believed not to be NP-complete, which puts a hardness proof far beyond current complexity theory [@galbraith-2012]. &quot;Only Shor breaks a clean group&quot; always carries the silent rider &quot;as far as is known.&quot;
&lt;h2&gt;The Log Was Never the Weak Part&lt;/h2&gt;
&lt;p&gt;Return to the four groups from the opening. NIST P-256 and Curve25519 stand at about $2^{128}$ because they have large prime order, trace not one, large embedding degree, twist-security, and rigid parameters -- every structural door bolted shut, leaving only the square-root floor.&lt;/p&gt;
&lt;p&gt;The third 256-bit curve dies in polynomial time for one reason: its trace is one, so its log transfers into simple addition. And the 1024-bit finite-field group is a nation-state target because its group is inherently factorable and its prime was shared and precomputed. Four groups, the same discrete logarithm, three different fates -- and in every case the deciding variable was the group.&lt;/p&gt;

Same discrete log, radically different fates. The variable was never the logarithm. It was the group.
&lt;p&gt;That is the pattern under all ten attacks. Pohlig-Hellman needs a smooth order. The anomalous transfer needs trace one. MOV and Frey-Ruck need a small embedding degree. Twist attacks need a smooth twist. Invalid-curve shadows need $b$-independent arithmetic. Weil descent needs a composite extension field. The Number Field Sieve needs a factor base. Logjam needs a shared prime. Small-characteristic descent needs a small characteristic. Every classical break is a receipt for a structural property of a &lt;em&gt;chosen&lt;/em&gt; group, and never once a faster generic logarithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Strip a group of every exploitable structure -- give it a large prime order, a small cofactor, trace not one, a large embedding degree, twist-security, rigidity, a prime field, no small characteristic, and a unique well-sized prime -- and the classical attacker is thrown all the way back to Pollard&apos;s 1978 random walk. The only thing left that beats it does not compute a cleverer logarithm; it changes the machine. The logarithm was never the weak part. The group always was.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Which is why the rational response has two halves. Choose a clean group -- the checklist in Section 12 is really a list of defeated attacks -- and begin preparing for the one break you cannot out-size, by planning the migration to &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;post-quantum primitives&lt;/a&gt; before a quantum computer forces the issue.&lt;/p&gt;
&lt;p&gt;For the failures that live in code rather than mathematics -- unvalidated points, repeated nonces, timing leaks, negotiated downgrades -- turn to the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; The mathematics here gives you a group with no weak part. The engineering there decides whether your system keeps it that way.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-discrete-log-would-break&quot; keyTerms={[
  { term: &quot;Discrete logarithm problem (DLP)&quot;, definition: &quot;Given g and h = g to the x in a cyclic group, recover the exponent x. The hardness assumption behind Diffie-Hellman, DSA, ECDH, ECDSA, and EdDSA.&quot; },
  { term: &quot;Generic group&quot;, definition: &quot;A group whose elements are opaque tokens with no readable structure; the setting in which the square-root floor is proven.&quot; },
  { term: &quot;Pollard rho&quot;, definition: &quot;A low-memory pseudo-random walk that solves the DLP in about 0.886 times the square root of the group order via a birthday collision.&quot; },
  { term: &quot;Pohlig-Hellman&quot;, definition: &quot;Reduction that shatters a smooth-order group into small prime-power subgroups, so security requires a large prime factor of the order.&quot; },
  { term: &quot;Trace of Frobenius&quot;, definition: &quot;The integer t with number of points equal to p plus 1 minus t; a curve is anomalous when t equals 1.&quot; },
  { term: &quot;Anomalous curve&quot;, definition: &quot;A curve with point count equal to p, whose discrete log transfers into the additive group of the field and falls in polynomial time (SSSA).&quot; },
  { term: &quot;Embedding degree&quot;, definition: &quot;The least k with the subgroup order dividing q to the k minus 1; a small k opens the MOV and Frey-Ruck pairing transfers.&quot; },
  { term: &quot;Quadratic twist and twist-security&quot;, definition: &quot;The sibling curve reached by off-curve x-coordinates; twist-security requires both curve and twist to have near-prime order.&quot; },
  { term: &quot;Index calculus&quot;, definition: &quot;A DLP attack using a factor base of small primes and smooth relations; it needs factorable elements, which a clean curve lacks.&quot; },
  { term: &quot;L-notation&quot;, definition: &quot;Sub-exponential cost measure L[alpha, c]; alpha equal to 1 is exponential, 0 is polynomial, and 1/3 is the Number Field Sieve regime.&quot; },
  { term: &quot;Number Field Sieve for discrete logs&quot;, definition: &quot;The sub-exponential attack on finite-field DLP at L[1/3]; its precomputation depends only on the prime, which Logjam exploits.&quot; },
  { term: &quot;Period-finding&quot;, definition: &quot;The quantum subroutine at the heart of Shor&apos;s algorithm; it recovers the discrete log in polynomial time on any clean group.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>cryptography</category><category>discrete-logarithm</category><category>elliptic-curves</category><category>diffie-hellman</category><category>cryptanalysis</category><category>quantum-computing</category><category>number-field-sieve</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>The Doorway Into the Group: A Field Guide to Hashing a String Onto an Elliptic Curve (RFC 9380)</title><link>https://paragmali.com/blog/the-doorway-into-the-group-a-field-guide-to-hashing-a-string/</link><guid isPermaLink="true">https://paragmali.com/blog/the-doorway-into-the-group-a-field-guide-to-hashing-a-string/</guid><description>Turning a string into an elliptic-curve point is a two-decade problem behind a one-line API. Why H(m)*G and hunt-and-peck both fail, and how RFC 9380 fixes it.</description><pubDate>Sun, 12 Jul 2026 15:35:47 GMT</pubDate><content:encoded>
**Turning a string into an elliptic-curve point is a two-decade research problem hiding behind a one-line API.** A safe map must produce a point whose discrete log is unknown, in time that does not depend on the input, with a distribution a proof can treat as a random oracle. The two obvious shortcuts each fail one of those tests: $H(m)\cdot G$ publishes the discrete log (forge BLS, break OPRFs), and try-and-increment leaks the input through timing (the Dragonblood attack read WPA3 passwords) [@rfc9380] [@vr20]. RFC 9380 (2023) finally delivers all three at once by hashing to two field elements, mapping each with a per-curve function, and adding the points [@rfc9380]. The standard is now quietly load-bearing under BLS on Ethereum, every elliptic-curve OPRF, OPAQUE, Privacy Pass, and WPA3&apos;s constant-time fix. This guide shows you why the naive maps fail, how the standard works, and exactly which suite to use for your curve and protocol.
&lt;h2&gt;1. They Timed the Handshake and Read the Wi-Fi Password&lt;/h2&gt;
&lt;p&gt;In April 2019, two researchers announced they could recover your Wi-Fi password without guessing it, phishing it, or breaking any cipher. They simply &lt;em&gt;timed&lt;/em&gt; how long WPA3 took to turn the password into a point on an elliptic curve, and the clock spelled out the secret [@vr20] [@dragonblood-site]. The flaw was not in the encryption or the key exchange. It lived in a single, overlooked step that nearly every discrete-log protocol quietly leans on: the map that carries an arbitrary string into the group.&lt;/p&gt;
&lt;p&gt;Get that one step wrong in the &lt;em&gt;other&lt;/em&gt; obvious way, computing the point as $H(m)\cdot G$, and you leak a different secret entirely. Now &lt;em&gt;anyone&lt;/em&gt; can forge the signatures that map was supposed to protect [@rfc9380] [@bls01]. Two shortcuts, two spilled secrets, one primitive. This is the field guide to getting it right.&lt;/p&gt;

A function that maps an arbitrary byte string to a point on an elliptic curve, such that the point&apos;s discrete logarithm (its relationship to the group generator) is unknown even to the party computing it. RFC 9380 standardizes the interface as `hash_to_curve` and `encode_to_curve` [@rfc9380].
&lt;p&gt;The primitive looks trivial. Hash the input, get a point, move on. But &quot;get a point&quot; hides a genuine algorithm, because on an elliptic curve only about half of the field elements are valid $x$-coordinates. The two things every engineer tries first are the two things you must never ship, and each betrays a different secret. So before you write a single line, ask three questions.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; When you turn a string into a curve point, ask: (1) do you know the point&apos;s discrete log; (2) does your running time depend on the input; and (3) is the output distribution one your protocol&apos;s proof can treat as a random oracle? Every safe construction answers &lt;strong&gt;no, no, yes&lt;/strong&gt;. Every named failure in this article is a wrong answer to exactly one of these.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;WPA3-Personal answered the second question wrong. Its handshake, Simultaneous Authentication of Equals (SAE), derives a &quot;password element&quot; by hunt-and-peck: hash the password with a counter, test whether the result is a valid coordinate, and increment until it is [@rfc7664]. The number of iterations depends on the password, so the time the handshake takes is a function of the secret. Mathy Vanhoef and Eyal Ronen showed that an attacker within range can measure that timing and mount an offline dictionary attack, recovering the password without ever seeing a valid login [@vr20] [@dragonblood-site].&lt;/p&gt;

sequenceDiagram
    participant STA as Client (victim)
    participant AP as Access point
    participant Atk as Attacker (passive)
    Note over STA,AP: WPA3-SAE, password shared by both sides
    STA-&amp;gt;&amp;gt;STA: Derive password element by hunt-and-peck
    Note over STA: Iteration count depends on the password
    STA-&amp;gt;&amp;gt;AP: Send SAE Commit after the loop finishes
    Atk--&amp;gt;&amp;gt;STA: Measure time from trigger to Commit
    Note over Atk: Timing reveals the iteration count
    Atk-&amp;gt;&amp;gt;Atk: Offline dictionary attack narrows candidates
&lt;p&gt;RFC 9380, the standard that finally settled this primitive, is blunt about why try-and-increment is unsafe.&lt;/p&gt;

&quot;The running time of this method, which is generally referred to as a probabilistic try-and-increment algorithm, depends on the input string. As such, it is not safe to use in protocols sensitive to timing side channels, as was exemplified by the Dragonblood attack.&quot; -- RFC 9380, Appendix A [@rfc9380]
&lt;p&gt;The story got worse before it got better. The Wi-Fi Alliance&apos;s first attempt at a fix switched SAE to Brainpool curves, which &lt;em&gt;reintroduced&lt;/em&gt; a leak: the encoder now had to loop to find a hash smaller than the prime, and the number of iterations depended on the password &lt;em&gt;and&lt;/em&gt; the client&apos;s MAC address [@dragonblood-site].This second act is the whole lesson in miniature: constant time cannot be patched in curve by curve. The disclosure site concludes that &quot;implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard&quot; [@dragonblood-site]. Two rounds of the same class of bug, in the handshake now standard across WPA3 Wi-Fi.&lt;/p&gt;
&lt;p&gt;Now hold that failure next to its mirror image. Suppose BLS signatures had mapped a message the naive way, $H(m) = H_n(m)\cdot G$ for a public hash $H_n$. A BLS signature is $\sigma = [sk]\cdot H(m)$, so it would equal $[sk]\cdot H_n(m)\cdot G = H_n(m)\cdot([sk]\cdot G) = H_n(m)\cdot PK$, where $PK$ is the public key [@rfc9380] [@bls01]. Every term on the right is public. Anyone forges any signature with no secret key at all. One shortcut leaked a low-entropy password through the clock; the other would hand out the signing key&apos;s power to the entire world. The primitive that sits between them is where the security of BLS, every elliptic-curve OPRF, and every password PAKE is actually won or lost.&lt;/p&gt;
&lt;p&gt;This is the sibling of a claim Part 15 made about the curve itself: &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;the elliptic-curve discrete-log problem&lt;/a&gt; was hard; the danger was the soft gap around it. Here the gap has a name and a shape. It is the doorway, the map that carries untrusted strings into the group. Get the doorway wrong and you publish the discrete log, leak the password through the clock, or hand your proof a distribution it never agreed to. To see why &quot;hash to a point&quot; is an algorithm and not a one-liner, we have to go back to the moment it stopped being free.&lt;/p&gt;
&lt;h2&gt;2. When Hashing to a Group Stopped Being Free&lt;/h2&gt;
&lt;p&gt;For a generation of cryptographers, &quot;hash into the group&quot; was not a problem worth naming. In a prime field $\mathbb{F}_p^&lt;em&gt;$, the discrete-log setting Diffie and Hellman worked in, you hash your input to an integer and reduce it modulo $p$, and you are already inside the group. Every nonzero residue is a group element, so the map is a single modular reduction with nothing to prove.This is the free lunch elliptic curves took away. In $\mathbb{F}_p^&lt;/em&gt;$ the group &lt;em&gt;is&lt;/em&gt; the set of nonzero field elements, so any nonzero hash output is already a valid element. On a curve, the group is a sparse subset of the plane, and most field elements are not on it.&lt;/p&gt;
&lt;p&gt;Elliptic curves broke the deal. When Victor Miller and Neal Koblitz independently proposed elliptic-curve cryptography in 1985 and 1987, they replaced $\mathbb{F}_p^*$ with the points of a curve $y^2 = x^3 + ax + b$ [@miller85] [@koblitz87]. That change bought smaller keys and harder discrete logs, but it quietly created a new problem: for a random field element $x$, the quantity $x^3 + ax + b$ is a perfect square only about half the time, and only then is $x$ the coordinate of an actual point. &quot;Hash to a group element&quot; stopped being a reduction and became a search.&lt;/p&gt;
&lt;p&gt;Nobody worried, because for a decade nobody needed to hash &lt;em&gt;to a point&lt;/em&gt;. Ordinary ECDSA and ECDH hash to a &lt;em&gt;scalar&lt;/em&gt; and multiply a fixed generator, which never leaves the safe world of exponents.Hashing to a scalar is trivial and always safe: any integer modulo the group order is a valid exponent. Hashing to a &lt;em&gt;point&lt;/em&gt; is the hard problem, because most field elements are not on the curve.&lt;/p&gt;
&lt;p&gt;Then, around the turn of the millennium, the demand arrived from two directions at once, and both directions needed a point.&lt;/p&gt;

A signature scheme by Boneh, Lynn, and Shacham built on a bilinear pairing. The signature on a message $m$ is $\sigma = [sk]\cdot H(m)$, where $H(m)$ is the message hashed *to a curve point* and $sk$ is the secret key. Verification checks a pairing equation. Security requires that $H(m)$ have unknown discrete log, or signatures become forgeable [@bls01].
&lt;p&gt;The first direction was pairing-based cryptography. In 2001 Boneh, Lynn, and Shacham introduced BLS short signatures, whose entire construction rests on hashing the message to a curve point of unknown discrete log, because the signature &lt;em&gt;is&lt;/em&gt; that point scaled by the secret key [@bls01]. The same year, Boneh and Franklin built identity-based encryption on the identical primitive, hashing an identity string to a point [@bf01]. BLS shipped with the first answer anyone reaches for: &lt;code&gt;MapToGroup&lt;/code&gt;, a try-and-increment loop [@bls01]. Boneh and Franklin instead gave a &lt;em&gt;deterministic&lt;/em&gt; map, but only for certain supersingular curves over fields of characteristic $p \equiv 2 \pmod 3$, too narrow a class to serve as general infrastructure [@bf01].&lt;/p&gt;
&lt;p&gt;The second direction was password-authenticated key exchange. In 2008 Dan Harkins proposed Simultaneous Authentication of Equals, a balanced PAKE that maps a &lt;em&gt;password&lt;/em&gt; to a group element and then runs a zero-knowledge proof of it [@sae08]. To do the mapping it introduced hunt-and-peck, the same try-and-increment idea aimed at a secret input. SAE was standardized as RFC 7664 in 2015, including its &quot;Hunting and Pecking with ECC Groups&quot; derivation, and then shipped to consumers in 2018 as the core of WPA3-Personal [@rfc7664] [@vr20].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Pairing signatures and password PAKEs look unrelated, but both need the same thing: a hash whose output is a curve point of unknown discrete log. Pairing crypto needs it so a signature can &lt;em&gt;be&lt;/em&gt; that point; a PAKE needs it so the password element hides the password. The primitive was born load-bearing under two families of protocols in the same decade [@bls01] [@sae08].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;A scoping note worth keeping honest: not every PAKE maps a password to a curve point. SPAKE2 uses fixed, independently generated group elements $M$ and $N$ rather than hashing the password onto the curve, and SRP works in an integer group, not on an elliptic curve at all. The &quot;everything depends on hash-to-curve&quot; claim is precise, not universal, and it applies to the named constructions in this article: SAE, CPace, OPAQUE&apos;s OPRF, the RFC 9497 OPRFs, and BLS.The lesson for a field guide: SPAKE2 and SRP are the counterexamples that keep &quot;all PAKEs need hash-to-curve&quot; from being true, and they stop you hunting for the primitive where it is not.&lt;/p&gt;
&lt;p&gt;So by 2008 the problem was named and both naive answers were on the table, shipped in real systems: $H(m)\cdot G$ carried the finite-field intuition onto curves, and try-and-increment searched for a valid coordinate. Each was correct in the sense that it produced a usable point. Each was also a disaster, and for opposite reasons. To see exactly what each one leaks, we have to look at the two shortcuts side by side.&lt;/p&gt;
&lt;h2&gt;3. Two Shortcuts, Two Spilled Secrets&lt;/h2&gt;
&lt;p&gt;Both obvious maps are correct in the ordinary sense: they produce a point on the curve, quickly, with a few lines of code. That is exactly what makes them dangerous. Each satisfies most of the three properties and fails precisely one, and the property each fails is different, which is why they leak different secrets.&lt;/p&gt;
&lt;h3&gt;Shortcut A: compute the point as a known multiple of the generator&lt;/h3&gt;
&lt;p&gt;Hash the message to an integer $H_n(m)$ and scalar-multiply the generator: $P = H_n(m)\cdot G$. The output is uniform on the group, costs one scalar multiplication, and is trivially constant-time. It assumes nothing about the curve. It is the finite-field intuition carried straight onto the curve, and it violates Property 1: whoever computed $P$ knows its discrete log, because they chose it.&lt;/p&gt;
&lt;p&gt;RFC 9380 does not hedge about the consequence.&lt;/p&gt;

&quot;The resulting point has a known discrete log relationship to $P$. Thus, except in cases where this method is specified by the protocol, it must not be used; doing so risks catastrophic security failures.&quot; -- RFC 9380, Appendix A [@rfc9380]
&lt;p&gt;&quot;Catastrophic&quot; is exact, not rhetorical. Take BLS. The public key is $PK = [sk]\cdot G$, and a signature is $\sigma = [sk]\cdot H(m)$. If the map were $H(m) = [H_n(m)]\cdot G$ for a public hash $H_n$, then&lt;/p&gt;
&lt;p&gt;$$\sigma = [sk]\cdot H(m) = [sk]\cdot[H_n(m)]\cdot G = [H_n(m)]\cdot([sk]\cdot G) = [H_n(m)]\cdot PK.$$&lt;/p&gt;
&lt;p&gt;Every quantity on the right -- $H_n(m)$ from the public message, $PK$ from the wire -- is public. Anyone computes the valid signature on any message directly, with no access to $sk$ [@rfc9380] [@bls01]. This is not an edge case or a timing quirk. It is total, structural forgeability on every input. The same knife cuts elsewhere: for an OPRF, knowing the discrete log of the mapped input breaks obliviousness; for a PAKE, a password element with known discrete log no longer hides the password.&lt;/p&gt;
&lt;p&gt;{`
// ILLUSTRATION, NOT AN IMPLEMENTATION.
// We model the group as integers mod a small prime order n, with
// &quot;scalar mult&quot; [k]*P written as (k * P) mod n. Discrete log is trivial
// here on purpose -- the point is the STRUCTURE of the forgery, not hardness.
function scalarMul(k, P, n) { return ((k % n) * (P % n)) % n; }&lt;/p&gt;
&lt;p&gt;const n = 97;          // toy prime group order
const G = 1;           // generator
const sk = 42;         // signer&apos;s SECRET key
const PK = scalarMul(sk, G, n);   // public key = [sk]*G&lt;/p&gt;
&lt;p&gt;// The UNSAFE map: H(m) = [Hn(m)]*G, so its discrete log Hn(m) is public.
const Hn_m = 7;                    // public hash of the message
const Hm = scalarMul(Hn_m, G, n);  // the mapped point (known DL!)&lt;/p&gt;
&lt;p&gt;// Honest signer computes sigma = [sk]*H(m)
const legitSig = scalarMul(sk, Hm, n);&lt;/p&gt;
&lt;p&gt;// Attacker never sees sk. Uses only Hn(m) and PK:
const forgedSig = scalarMul(Hn_m, PK, n);   // [Hn(m)]*PK&lt;/p&gt;
&lt;p&gt;console.log(&quot;legit signature :&quot;, legitSig);
console.log(&quot;forged signature:&quot;, forgedSig, &quot;(computed with NO secret key)&quot;);
console.log(&quot;forgery succeeds:&quot;, legitSig === forgedSig);
`}&lt;/p&gt;
&lt;h3&gt;Shortcut B: search for a valid coordinate&lt;/h3&gt;
&lt;p&gt;The other reflex fixes Property 1 and breaks Property 2. Hash the input together with a counter, test whether the candidate is a valid $x$-coordinate, and loop until it is.&lt;/p&gt;

A map that hashes the input with a counter to a candidate $x$, tests whether $x^3 + ax + b$ is a quadratic residue (a valid coordinate), and increments the counter until it is. A random $x$ works about half the time, so the expected number of tries is two [@rfc9380]. The output has *unknown* discrete log, but the number of iterations depends on the input.
&lt;p&gt;Because nobody chose the output as a multiple of $G$, its discrete log is genuinely unknown, so Property 1 holds. That is exactly why BLS and SAE could ship with it and be functionally correct. The flaw is Property 2: the loop count is a function of the input, so the running time is too. When the input is a secret -- a password, a pre-shared key -- the clock becomes an oracle. That is Dragonblood [@vr20] [@rfc9380].&lt;/p&gt;
&lt;p&gt;{`
// ILLUSTRATION, NOT AN IMPLEMENTATION.
// Count hunt-and-peck iterations for several secret inputs over a toy field.
// A constant-time map would take the SAME work for every input; this does not.
const p = 103;                 // toy prime, p = 3 mod 4
const a = 2, b = 3;            // toy curve y^2 = x^3 + a x + b&lt;/p&gt;
&lt;p&gt;function modpow(base, exp, mod) {
  let r = 1; base = base % mod;
  while (exp &amp;gt; 0) {
    if (exp &amp;amp; 1) r = (r * base) % mod;
    base = (base * base) % mod;
    exp = exp &amp;gt;&amp;gt; 1;
  }
  return r;
}
// Euler&apos;s criterion: x is a nonzero square mod p iff x^((p-1)/2) == 1
function isSquare(x, p) { return x === 0 ? true : modpow(x, (p - 1) / 2, p) === 1; }&lt;/p&gt;
&lt;p&gt;// A stand-in for H(input || ctr): deterministic, input-dependent pseudo-x.
function candidateX(seed, ctr, p) { return ((seed * 131 + ctr * 419 + 17) % p + p) % p; }&lt;/p&gt;
&lt;p&gt;function iterations(seed) {
  for (let ctr = 1; ctr &amp;lt; 200; ctr++) {
    const x = candidateX(seed, ctr, p);
    const g = (((x * x % p) * x % p) + a * x + b) % p;
    if (isSquare(g, p)) return ctr;
  }
  return -1;
}&lt;/p&gt;
&lt;p&gt;for (const pw of [11, 23, 37, 58, 71, 90]) {
  console.log(&quot;secret input &quot; + pw + &quot; -&amp;gt; &quot; + iterations(pw) + &quot; iterations&quot;);
}
console.log(&quot;Different inputs, different work: that difference is the leak.&quot;);
`}&lt;/p&gt;
&lt;p&gt;Here is the table that makes the whole article click. Two maps, three properties, and each map fails a different one.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Map&lt;/th&gt;
&lt;th align=&quot;center&quot;&gt;Unknown discrete log (Prop 1)&lt;/th&gt;
&lt;th align=&quot;center&quot;&gt;Constant time (Prop 2)&lt;/th&gt;
&lt;th align=&quot;center&quot;&gt;Right distribution (Prop 3)&lt;/th&gt;
&lt;th&gt;The secret it spills&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;$H(m)\cdot G$&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;&lt;strong&gt;Violated&lt;/strong&gt; (DL is $H_n(m)$)&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;Satisfied&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;Satisfied (uniform)&lt;/td&gt;
&lt;td&gt;The signing key&apos;s power -- universal forgery [@rfc9380] [@bls01]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Try-and-increment&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;Satisfied&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;&lt;strong&gt;Violated&lt;/strong&gt; (loop depends on input)&lt;/td&gt;
&lt;td align=&quot;center&quot;&gt;Roughly satisfied&lt;/td&gt;
&lt;td&gt;The secret input -- via handshake timing [@rfc9380] [@vr20]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

Try-and-increment is only a *vulnerability* when the mapped input is secret. A BLS signature over a *public* message runs the same variable-time loop, but the message is public, so the timing reveals nothing an attacker did not already have. The Dragonblood break works because a Wi-Fi password is a low-entropy secret. This is why the accuracy-critical phrasing is &quot;variable time is dangerous when the input is secret,&quot; never &quot;variable time is always dangerous&quot; [@rfc9380] [@vr20].
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; If the input to your map is a password, a PSK, or any low-entropy secret, a data-dependent loop over it is a timing oracle. Use a constant-time map. RFC 9380 declines to even specify try-and-increment &quot;because the goal is to specify algorithms that can plausibly be computed in constant time&quot; [@rfc9380].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So the requirement is now sharp, and it looks almost contradictory. You need a map whose output has unknown discrete log, like try-and-increment, but whose running time is fixed, unlike try-and-increment. You need the safety of the search without the search. For a few years it was not obvious such a thing existed. The story of how the field built it, one property at a time, is the evolution of the primitive itself.&lt;/p&gt;
&lt;h2&gt;4. Moving Each Property Into the Curve&lt;/h2&gt;
&lt;p&gt;The next thirteen years read like a chain of defenses in which the defenders keep advancing. Each generation takes one property that used to depend on the implementer&apos;s care and locks it into the construction, where it holds by mathematics rather than by discipline. Three of those steps are true property wins. The rest are the engineering that made the winning map cheap enough and general enough to run on every curve real protocols use. Being honest about which is which is the difference between a clean story and a true one.&lt;/p&gt;

flowchart TD
    Naive[&quot;Naive maps: known DL or variable time&quot;] --&amp;gt;|&quot;one leaks the DL, one leaks timing&quot;| G1[&quot;SvdW 2006: constant time, unknown DL&quot;]
    G1 --&amp;gt;|&quot;cheaper per-curve maps&quot;| G2[&quot;Icart and Simplified SWU, 2007 to 2010&quot;]
    G1 --&amp;gt;|&quot;a single map is not a random oracle&quot;| G3[&quot;BCIMRT 2010: sum of two maps&quot;]
    G2 --&amp;gt;|&quot;still a single map&quot;| G3
    G3 --&amp;gt;|&quot;map per curve family&quot;| G4[&quot;Elligator 2, 2013: Montgomery and Edwards&quot;]
    G3 --&amp;gt;|&quot;pairing curves with A zero&quot;| G5[&quot;Isogeny SSWU, 2019: BLS12-381&quot;]
    G4 --&amp;gt; RFC[&quot;RFC 9380, 2023: one interface&quot;]
    G5 --&amp;gt; RFC
&lt;h3&gt;The first constant-time map: Shallue-van de Woestijne (2006)&lt;/h3&gt;
&lt;p&gt;The contradiction from the last section -- unknown discrete log without a search -- was resolved in 2006 by Andrew Shallue and Christiaan van de Woestijne. Their map is the &quot;SW&quot; in &quot;SSWU.&quot; Given a field element $u$, algebraic identities guarantee that among a small fixed set of candidate $x$-values derived from $u$, at least one is a valid coordinate [@sw06]. So you compute the candidates, test them in a fixed order with a constant number of operations, and select a valid one. There is no rejection loop, which means no data-dependent branch, which means constant time by construction [@sw06] [@rfc9380]. The discrete log stays unknown. For the first time, a single map was simultaneously unknown-DL and constant-time on almost any curve with characteristic other than 2 or 3.&lt;/p&gt;
&lt;p&gt;The idea had roots. Schinzel and Skalba had constructed curve points deterministically for a restricted class of curves in 2004, and Skalba generalized it in 2005; Shallue and van de Woestijne further generalized and simplified that line [@ss04] [@s05] [@rfc9380]. Boneh and Franklin&apos;s 2001 supersingular map was a deterministic co-origin, but too narrow to be general infrastructure [@bf01]. SvdW survives today in RFC 9380 as the universal fallback for any curve the specialized maps do not cover [@rfc9380].&lt;/p&gt;
&lt;p&gt;But SvdW carried a flaw that every deterministic map after it would share, and it is the one no amount of cleverness in a single map can dodge.&lt;/p&gt;
&lt;h3&gt;The wall every single map hits&lt;/h3&gt;
&lt;p&gt;RFC 9380 states the obstacle plainly: the deterministic maps &quot;map to some fraction of the points&quot; on the curve, &quot;not the entire curve,&quot; which &quot;means that they cannot be used directly to construct a random oracle that outputs points on the curve&quot; [@rfc9380]. A single SvdW map hits only a constant fraction of the points and is statistically distinguishable from uniform. Any proof that models the map as a random oracle -- BLS&apos;s unforgeability, an OPRF&apos;s pseudorandomness, a password mapping -- does not go through. This is Property 3, and it is missing.&lt;/p&gt;

A formal criterion, defined by Maurer, Renner, and Holenstein in 2004, for when a constructed function can safely stand in for an ideal object such as a random oracle inside a security proof. A hash-to-curve construction is &quot;indifferentiable from a random oracle&quot; when no efficient distinguisher can separate it from a true random oracle, even given access to the underlying building blocks [@mrh04].
&lt;p&gt;Before that wall was scaled, the field spent a few years making the map cheaper.&lt;/p&gt;
&lt;h3&gt;Cheaper maps: Ulas, Icart, Simplified SWU (2007-2010)&lt;/h3&gt;
&lt;p&gt;Ulas simplified SvdW in 2007 (the &quot;U&quot; in SWU) [@u07]. Icart gave an independent closed-form map in 2009 for fields with $p \equiv 2 \pmod 3$, built on a single cube root [@icart09]. Brier and coauthors published the &quot;Simplified SWU&quot; map in 2010 for fields with $p \equiv 3 \pmod 4$ [@bcimrt10]. Each is a fixed rational formula costing roughly one field exponentiation plus a few multiplications and one inversion -- cheaper and easier to implement in constant time than SvdW&apos;s heavier parameterization.&lt;/p&gt;

A closed-form rational map from a field element to a short-Weierstrass curve point $y^2 = x^3 + Ax + B$, descended from the Shallue-van de Woestijne map via Ulas and Brier et al. In its base form it applies when $p \equiv 3 \pmod 4$ and $A\cdot B \neq 0$, and costs about one square root plus constant-time conditional selects [@u07] [@bcimrt10] [@rfc9380].
&lt;p&gt;This was progress, but not on Property 3. Cheaper did not mean uniform: each remained a single map hitting a fraction of the curve, still unusable as a random oracle [@rfc9380]. And the modular conditions left gaps. Icart needs $p \equiv 2 \pmod 3$; Simplified SWU needs $p \equiv 3 \pmod 4$; neither covers curves with $A = 0$ such as secp256k1 and BLS12-381. The deeper question was sharper and universal: could you build something provably indifferentiable out of these non-uniform pieces? The answer arrived, remarkably, in the very same 2010 paper that gave Simplified SWU.&lt;/p&gt;
&lt;h3&gt;The breakthrough: add two maps (2010)&lt;/h3&gt;
&lt;p&gt;Here is the shift the whole standard turns on. A single deterministic map cannot be a random oracle. But the &lt;em&gt;sum of two independent maps&lt;/em&gt; can be. Hash the message to two field elements, map each to a point, and add the points:&lt;/p&gt;
&lt;p&gt;$$H(m) = f\big(H_0(m)\big) + f\big(H_1(m)\big).$$&lt;/p&gt;
&lt;p&gt;Brier, Coron, Icart, Madore, Randriam, and Tibouchi proved this construction indifferentiable from a random oracle, and it recovers Property 3 while keeping Properties 1 and 2 [@bcimrt10] [@mrh04]. All three properties, at last, guaranteed at once.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A single deterministic map can &lt;em&gt;never&lt;/em&gt; be a random oracle: it reaches only a fraction of the curve and is distinguishable from uniform. The fix is structural, not a cleverer single map. Hash to two field elements, map each, and add the two points. The sum is indifferentiable from a random oracle. This is exactly why &lt;code&gt;hash_to_curve&lt;/code&gt; (the &lt;code&gt;_RO_&lt;/code&gt; suites) costs twice what &lt;code&gt;encode_to_curve&lt;/code&gt; (the &lt;code&gt;_NU_&lt;/code&gt; suites) costs: the second map is not waste, it is what buys the distribution [@bcimrt10] [@ffstv13] [@rfc9380].&lt;/p&gt;
&lt;/blockquote&gt;

flowchart TD
    M[&quot;msg and DST&quot;] --&amp;gt; HF[&quot;hash_to_field to two elements&quot;]
    HF --&amp;gt; Q0[&quot;map_to_curve of u0 gives Q0&quot;]
    HF --&amp;gt; Q1[&quot;map_to_curve of u1 gives Q1&quot;]
    Q0 --&amp;gt; ADD[&quot;add points: Q0 plus Q1&quot;]
    Q1 --&amp;gt; ADD
    ADD --&amp;gt; RO[&quot;sum is indifferentiable from a random oracle&quot;]
    RO --&amp;gt; CC[&quot;clear_cofactor&quot;]
    CC --&amp;gt; P[&quot;point in the prime-order subgroup&quot;]
&lt;p&gt;Precision matters here, because it is easy to over-credit. Brier et al. proved the sum-of-two construction indifferentiable &lt;em&gt;specifically for Icart&apos;s map&lt;/em&gt;. The general result -- that summing two copies of essentially &lt;em&gt;any&lt;/em&gt; deterministic map yields a random oracle -- is due to Farashahi, Fouque, Shparlinski, Tibouchi, and Voloch in 2013.Attribute the general theorem to FFSTV13, not to BCIMRT. RFC 9380&apos;s Appendix A is careful about this: BCIMRT proved it for Icart&apos;s method; FFSTV13 &quot;improve the analysis, showing that it applies to essentially all deterministic mappings&quot; [@rfc9380] [@ffstv13]. After 2010, nothing about Property 3 was left to invent. What remained was coverage: the sum-of-two construction needs a concrete constant-time inner map for &lt;em&gt;your&lt;/em&gt; curve family, and two families were still uncovered.&lt;/p&gt;
&lt;h3&gt;Covering the remaining curves: Elligator 2 (2013) and isogeny SSWU (2019)&lt;/h3&gt;
&lt;p&gt;The Montgomery and twisted-Edwards curves -- Curve25519, Curve448, and the Edwards forms behind modern signature and OPRF suites -- needed their own map, because SSWU targets short-Weierstrass curves. Elligator 2 supplied it.&lt;/p&gt;

An efficient, invertible map from a field element to a point on any curve that has a point of order 2 (Montgomery or twisted-Edwards form), introduced by Bernstein, Hamburg, Krasnova, and Lange in 2013. RFC 9380 uses it for the Curve25519/448 and edwards25519/448 families and the ristretto255/decaf448 groups [@bhkl13] [@rfc9380].
&lt;p&gt;Elligator&apos;s origin is a small marvel. It was built for censorship resistance, a way to make a public key look like uniform random bytes so a network censor cannot even tell a key exchange is happening.The elligator.org site records the pivot in its own words: a number of protocols &quot;need a way to map an arbitrary input to an elliptic curve point whose factorisation is unknown (&apos;hashing to an elliptic curve&apos;), such as verifiable random functions (VRFs) and oblivious pseudorandom functions (OPRFs).&quot; A steganography tool became hash-to-curve infrastructure [@elligator-site]. The tool built to &lt;em&gt;hide&lt;/em&gt; a key exchange became the constant-time inner map for an entire curve family&apos;s hashing.&lt;/p&gt;
&lt;p&gt;The last gap was the pairing-friendly curve BLS needs. BLS12-381 has $A = 0$, exactly where Simplified SWU does not apply. In 2019 Riad Wahby and Dan Boneh closed it: map with SSWU onto an &lt;em&gt;isogenous&lt;/em&gt; curve where the parameters are admissible, then push the point back to the target curve through a fixed isogeny of small degree [@wb19] [@rfc9380]. The result is constant-time and works in any characteristic, and it is what made constant-time hashing to BLS12-381 practical at blockchain scale. Their headline measurement is the number that ends an old excuse: the constant-time functions run &quot;within 9% of the fastest, non-constant-time alternatives&quot; [@wb19].&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Generation&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Key idea&lt;/th&gt;
&lt;th&gt;Time&lt;/th&gt;
&lt;th&gt;What it secured&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;$H(m)\cdot G$&lt;/td&gt;
&lt;td&gt;~2001&lt;/td&gt;
&lt;td&gt;scalar-mult the generator&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;nothing (DL is known)&lt;/td&gt;
&lt;td&gt;never safe as a map [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Try-and-increment&lt;/td&gt;
&lt;td&gt;2001-2008&lt;/td&gt;
&lt;td&gt;search for a valid coordinate&lt;/td&gt;
&lt;td&gt;variable&lt;/td&gt;
&lt;td&gt;unknown discrete log&lt;/td&gt;
&lt;td&gt;deprecated for secret inputs [@bls01] [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SvdW&lt;/td&gt;
&lt;td&gt;2006&lt;/td&gt;
&lt;td&gt;rational parameterization, no loop&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;constant time by construction&lt;/td&gt;
&lt;td&gt;general fallback [@sw06]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ulas / Icart / Simplified SWU&lt;/td&gt;
&lt;td&gt;2007-2010&lt;/td&gt;
&lt;td&gt;cheaper closed-form maps&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;efficiency, per-curve forms&lt;/td&gt;
&lt;td&gt;inner maps [@u07] [@icart09] [@bcimrt10]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;BCIMRT sum-of-two&lt;/td&gt;
&lt;td&gt;2010&lt;/td&gt;
&lt;td&gt;add two mapped points&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;random-oracle distribution&lt;/td&gt;
&lt;td&gt;the &lt;code&gt;_RO_&lt;/code&gt; core [@bcimrt10] [@ffstv13]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Elligator 2&lt;/td&gt;
&lt;td&gt;2013&lt;/td&gt;
&lt;td&gt;invertible map for order-2 curves&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;Montgomery/Edwards coverage&lt;/td&gt;
&lt;td&gt;active [@bhkl13]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Isogeny SSWU&lt;/td&gt;
&lt;td&gt;2019&lt;/td&gt;
&lt;td&gt;map via an isogenous curve&lt;/td&gt;
&lt;td&gt;constant&lt;/td&gt;
&lt;td&gt;$A=0$ pairing-curve coverage&lt;/td&gt;
&lt;td&gt;active [@wb19]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Every curve family that deployed protocols use now has a constant-time, unknown-DL inner map, and the sum-of-two construction wraps any of them into a random oracle. All three properties are achievable everywhere. But an implementer still has to assemble the hashing, the map, the cofactor clearing, the domain separation, and the choice of variant, by hand, and any one of those is a place to slip. What packages the whole lineage so you cannot get it wrong?&lt;/p&gt;
&lt;h2&gt;5. RFC 9380: All Three Properties at Once&lt;/h2&gt;
&lt;p&gt;In August 2023 the CFRG published RFC 9380, &quot;Hashing to Elliptic Curves,&quot; by Armando Faz-Hernandez, Sam Scott, Nick Sullivan, Riad Wahby, and Christopher Wood [@rfc9380]. It invents no new map. It does something more useful: it folds two decades of maps into a single interface an ordinary engineer cannot easily misuse, and it makes every security-relevant choice legible in the name.&lt;/p&gt;
&lt;p&gt;The pipeline has three stages [@rfc9380]:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;&lt;code&gt;hash_to_field&lt;/code&gt;&lt;/strong&gt; turns the input and a domain tag into one or more field elements, using &lt;code&gt;expand_message_xmd&lt;/code&gt; for fixed-output hashes like SHA-256 and &lt;code&gt;expand_message_xof&lt;/code&gt; for extendable-output functions like SHAKE.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;code&gt;map_to_curve&lt;/code&gt;&lt;/strong&gt; sends each field element to a curve point using the map that fits the curve: Simplified SWU for short-Weierstrass curves, isogeny-SSWU for the $A = 0$ pairing curves, Elligator 2 for Montgomery and Edwards curves, and SvdW as the general fallback.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;code&gt;clear_cofactor&lt;/code&gt;&lt;/strong&gt; forces the result into the prime-order subgroup.&lt;/li&gt;
&lt;/ol&gt;

flowchart TD
    IN[&quot;input msg and DST&quot;] --&amp;gt; HF[&quot;hash_to_field&quot;]
    HF --&amp;gt; BR{&quot;which variant&quot;}
    BR --&amp;gt;|&quot;_RO_ hash_to_curve&quot;| TWO[&quot;two field elements, two maps, add&quot;]
    BR --&amp;gt;|&quot;_NU_ encode_to_curve&quot;| ONE[&quot;one field element, one map&quot;]
    TWO --&amp;gt; CC[&quot;clear_cofactor&quot;]
    ONE --&amp;gt; CC
    CC --&amp;gt; OUT[&quot;point in the prime-order subgroup&quot;]
&lt;h3&gt;The two-element margin is a proven bound&lt;/h3&gt;
&lt;p&gt;The first stage hides a subtlety worth pausing on. Reducing a uniformly random integer modulo $p$ is not exactly uniform, because the top of the range wraps around. RFC 9380 fixes this by oversampling.&lt;/p&gt;

The first pipeline stage: expand the input and the domain tag into field elements. It draws $L = \lceil(\lceil\log_2 p\rceil + k)/8\rceil$ bytes per element and reduces modulo $p$, so each element is within statistical distance $2^{-k}$ of uniform. The standard suites set $k = 128$, giving a $2^{-128}$ margin [@rfc9380].
&lt;p&gt;That $2^{-128}$ is a proven statistical bound, not a hopeful heuristic, and it is exactly why the byte-length formula is what it is [@rfc9380].&lt;/p&gt;
&lt;h3&gt;The variant is in the name&lt;/h3&gt;
&lt;p&gt;The choice between a uniform, proof-usable point and a cheaper nonuniform one is encoded directly in the suite name. &lt;code&gt;hash_to_curve&lt;/code&gt;, the &lt;code&gt;_RO_&lt;/code&gt; family, runs the two-element sum-of-two construction and is indifferentiable from a random oracle. &lt;code&gt;encode_to_curve&lt;/code&gt;, the &lt;code&gt;_NU_&lt;/code&gt; family, runs a single map at about half the cost and produces a nonuniform distribution [@rfc9380]. The trailing tag is not decoration; it tells you whether the output is safe to feed a proof that assumes a random oracle.&lt;/p&gt;
&lt;p&gt;RFC 9380 suite identifiers follow the pattern &lt;code&gt;CURVE_XMD:HASH_MAP_VARIANT_&lt;/code&gt;. Once you can read one, you can read them all.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;In &lt;code&gt;BLS12381G2_XMD:SHA-256_SSWU_RO_&lt;/code&gt;&lt;/th&gt;
&lt;th&gt;What it fixes&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Curve / group&lt;/td&gt;
&lt;td&gt;&lt;code&gt;BLS12381G2&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;the target group: BLS12-381, subgroup G2&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Expander&lt;/td&gt;
&lt;td&gt;&lt;code&gt;XMD&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;expand_message_xmd&lt;/code&gt; (a fixed-output hash)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hash&lt;/td&gt;
&lt;td&gt;&lt;code&gt;SHA-256&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;the underlying hash function&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Inner map&lt;/td&gt;
&lt;td&gt;&lt;code&gt;SSWU&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Simplified SWU (isogeny variant here, since $A=0$)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Variant&lt;/td&gt;
&lt;td&gt;&lt;code&gt;RO&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;_RO_&lt;/code&gt;: uniform, indifferentiable from a random oracle&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read &lt;code&gt;edwards25519_XMD:SHA-512_ELL2_RO_&lt;/code&gt; the same way and it decodes itself: the edwards25519 group, XMD expansion over SHA-512, the Elligator 2 map, uniform variant [@rfc9380]. The name is the spec.&lt;/p&gt;
&lt;p&gt;{`
// Decompose an RFC 9380 suite ID: CURVE_EXPANDER:HASH_MAP_VARIANT_
function parseSuite(id) {
  const [left, right] = id.split(&quot;:&quot;);
  const leftParts = left.split(&quot;&lt;em&gt;&quot;);
  const expander = leftParts.pop();          // XMD or XOF
  const curve = leftParts.join(&quot;&lt;/em&gt;&quot;);         // e.g. BLS12381G2, edwards25519
  const rp = right.split(&quot;&lt;em&gt;&quot;).filter(function (s) { return s.length &amp;gt; 0; });
  const hash = rp[0];                         // SHA-256, SHA-512, SHAKE256
  const variant = rp[rp.length - 1];          // RO or NU
  const map = rp.slice(1, rp.length - 1).join(&quot;&lt;/em&gt;&quot;); // SSWU, ELL2, SVDW
  return { curve: curve, expander: expander, hash: hash, map: map,
           variant: variant,
           uniform: variant === &quot;RO&quot; ? &quot;uniform (random oracle)&quot; : &quot;nonuniform&quot; };
}&lt;/p&gt;
&lt;p&gt;[&quot;BLS12381G2_XMD:SHA-256_SSWU_RO_&quot;,
 &quot;edwards25519_XMD:SHA-512_ELL2_RO_&quot;,
 &quot;P256_XMD:SHA-256_SSWU_NU_&quot;].forEach(function (id) {
  console.log(id);
  console.log(&quot;   &quot;, JSON.stringify(parseSuite(id)));
});
`}&lt;/p&gt;
&lt;h3&gt;The two steps you must not skip&lt;/h3&gt;
&lt;p&gt;Two pipeline stages are easy to forget and dangerous to omit. The first is the domain tag.&lt;/p&gt;

A byte string, unique to a protocol and its version, mixed into `hash_to_field` so the same input maps to different points in different protocols. RFC 9380 makes it mandatory; DSTs longer than 255 bytes are themselves hashed before use. Without a unique DST, two protocols that share a curve can be driven to collide [@rfc9380].
&lt;p&gt;The second is cofactor clearing, the final stage that lands the point where the group arithmetic is safe.&lt;/p&gt;

The final pipeline stage: multiply the mapped point (or apply a faster endomorphism-based equivalent) by the curve&apos;s cofactor to force it into the prime-order subgroup, closing off small-subgroup attacks. edwards25519 has cofactor 8; BLS12-381&apos;s G1 and G2 have large cofactors with fast clearing methods [@rfc9380].
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The everyday act is now tiny: name a suite. The suite ID fixes the curve, the expander, the hash, the inner map, and the distribution variant, and a vetted library does the rest. You are not choosing a construction. You are declaring your curve and your distribution need, and RFC 9380 has already made the safe choice for each [@rfc9380].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Step back and the three properties resolve into one sentence. The mapped point had to be a &lt;em&gt;stranger&lt;/em&gt; -- its discrete log unknown, or forgery follows. It had to &lt;em&gt;arrive on time&lt;/em&gt; -- in work independent of the input, or the clock leaks the secret. And it had to &lt;em&gt;look the part&lt;/em&gt; -- drawn from a distribution the proof can treat as a random oracle, or the proof does not hold.&lt;/p&gt;

The point had to be a stranger, arrive on time, and look the part. RFC 9380 is the standard that guarantees all three, and encodes which ones you asked for in a single suite name.
&lt;p&gt;That framing also closes the loop this article opened. WPA3&apos;s answer to Dragonblood is Hash-to-Element, or H2E.&lt;/p&gt;

After Dragonblood, WPA3-Personal replaced hunt-and-peck with H2E, a constant-time, SSWU-based derivation of the SAE password element, and the Wi-Fi standard was updated to compute the password element &quot;in constant time&quot; [@dragonblood-site]. RFC 9380 supplies the governing principle: a constant-time map is required when the input is secret [@rfc9380]. The hostap and w1.fi advisories track the corresponding constant-time SAE patches shipped to real deployments [@w1fi-security]. The precise IEEE 802.11 clause is not reproduced here; the point is that the fix is exactly the constant-time approach this standard consolidates.
&lt;p&gt;The doorway is finally built to spec. The natural next question is who is actually walking through it, because the answer is: far more of your daily software than you would guess.&lt;/p&gt;
&lt;h2&gt;6. Who Quietly Depends on This Today&lt;/h2&gt;
&lt;p&gt;You have almost certainly relied on hash-to-curve this week without noticing. It sits under signatures that finalize blockchains, under the private authentication that hides your browsing from a token issuer, under the password login protocol that never sees your password, and under WPA3. None of these advertise the primitive. All of them break if it is wrong.&lt;/p&gt;

flowchart TD
    BLS[&quot;BLS signatures on Ethereum&quot;] --&amp;gt; H2C[&quot;RFC 9380 hash-to-curve&quot;]
    OPRF[&quot;OPRF and VOPRF (RFC 9497)&quot;] --&amp;gt;|&quot;one HashToGroup call&quot;| H2C
    OPAQUE[&quot;OPAQUE aPAKE (RFC 9807)&quot;] --&amp;gt;|&quot;indirect&quot;| OPRF
    PP[&quot;Privacy Pass (RFC 9578)&quot;] --&amp;gt; OPRF
    CPace[&quot;CPace PAKE (draft)&quot;] --&amp;gt; H2C
    SAE[&quot;WPA3-Personal SAE&quot;] --&amp;gt;|&quot;H2E&quot;| H2C
&lt;h3&gt;BLS signatures and Ethereum consensus&lt;/h3&gt;
&lt;p&gt;The highest-volume deployment, by signature-verification throughput, is BLS. Every BLS signature hashes its message to a point in G2 and scales it by the secret key, so &lt;code&gt;hash_to_point&lt;/code&gt; is not an accessory but the heart of the scheme [@draft-bls-signature-07]. Ethereum&apos;s consensus specification fixes this for validator signatures: it adopts the suite &lt;code&gt;BLS12381G2_XMD:SHA-256_SSWU_RO_&lt;/code&gt; -- the isogeny-SSWU map wrapped in the &lt;code&gt;_RO_&lt;/code&gt; construction -- so every consensus client hashes exactly this way [@eth-consensus-specs] [@draft-bls-signature-07] [@rfc9380]. The &lt;code&gt;_RO_&lt;/code&gt; variant is not optional here: the unforgeability proof models the map as a random oracle, so a nonuniform &lt;code&gt;_NU_&lt;/code&gt; map would void the guarantee. Notably, the scheme the entire Ethereum validator set relies on is still specified only by an Internet-Draft, which the consensus spec references directly [@eth-consensus-specs] [@draft-bls-signature-07].Unlike ECDSA, BLS is deterministic and uses no per-signature nonce, so it sidesteps the &lt;a href=&quot;https://paragmali.com/blog/one-number-used-twice-how-a-repeated-nonce-hands-over-your-p/&quot; rel=&quot;noopener&quot;&gt;nonce-reuse failures that have repeatedly broken ECDSA deployments&lt;/a&gt; (Part 8). Its one hash-to-curve call becomes the security-critical primitive in place of the nonce [@draft-bls-signature-07].&lt;/p&gt;
&lt;h3&gt;OPRFs, and everything built on them&lt;/h3&gt;
&lt;p&gt;The second large consumer is the oblivious pseudorandom function and its verifiable and partially-oblivious variants, standardized in RFC 9497 [@rfc9497].&lt;/p&gt;

A two-party protocol in which a client learns $F(k, x)$ for its input $x$ and the server&apos;s key $k$, while the server learns neither $x$ nor the result. The client&apos;s first step hashes $x$ to a curve point and blinds it; that single `HashToGroup` call is the protocol&apos;s entire hash-to-curve surface [@rfc9497].
&lt;p&gt;The dependency is remarkably concentrated. The client&apos;s &lt;code&gt;Blind(input)&lt;/code&gt; computes &lt;code&gt;HashToGroup(input)&lt;/code&gt; and then blinds the point; every other message is scalar arithmetic and proofs. So the whole hash-to-curve exposure of an OPRF is one call, instantiated with Elligator 2 for ristretto255 and SSWU for the P-256, P-384, and P-521 suites [@rfc9497].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For an OPRF, the entire hash-to-curve attack surface is the single &lt;code&gt;HashToGroup&lt;/code&gt; call in the client&apos;s &lt;code&gt;Blind&lt;/code&gt; step. Get that one call right -- correct suite, correct DST, identity element rejected on the wire -- and the primitive is handled. Get it wrong and obliviousness or correctness collapses [@rfc9497].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Because OPRFs are a building block, their hash-to-curve dependency propagates. OPAQUE, the augmented PAKE standardized as RFC 9807 in July 2025, lets a server authenticate a user by password without ever learning the password, and it does so by running an OPRF; its hash-to-curve dependency is indirect but real, flowing through RFC 9497 [@rfc9807] [@rfc9497]. &lt;a href=&quot;https://paragmali.com/blog/the-age-gate-that-doesnt-know-your-age-how-anonymous-credent/&quot; rel=&quot;noopener&quot;&gt;Privacy Pass&lt;/a&gt;, standardized across RFC 9576, RFC 9577, and RFC 9578 in June 2024, issues anonymous authentication tokens; its privately verifiable issuance is &quot;based on the Oblivious Pseudorandom Function,&quot; with token type 0x0001 being a VOPRF over P-384, which is the SSWU path [@rfc9578] [@rfc9576] [@rfc9577].&lt;/p&gt;
&lt;h3&gt;PAKEs and Wi-Fi&lt;/h3&gt;
&lt;p&gt;Two more consumers map a secret rather than a public message. CPace, a balanced PAKE still in CFRG draft with datatracker status &quot;Waiting for IRTF Chair,&quot; maps the password to a session generator using SSWU or Elligator 2 depending on the group [@draft-cpace]. And WPA3-Personal&apos;s SAE now derives its password element with the constant-time H2E map, the fix that closed Dragonblood [@dragonblood-site].&lt;/p&gt;
&lt;p&gt;The whole deployed picture fits in one adoption map.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Consumer&lt;/th&gt;
&lt;th&gt;Where hash-to-curve is called&lt;/th&gt;
&lt;th&gt;Suite / map&lt;/th&gt;
&lt;th&gt;Standard status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;BLS / Ethereum consensus&lt;/td&gt;
&lt;td&gt;&lt;code&gt;hash_to_point(msg)&lt;/code&gt; into G2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;BLS12381G2_XMD:SHA-256_SSWU_RO_&lt;/code&gt; [@draft-bls-signature-07]&lt;/td&gt;
&lt;td&gt;Internet-Draft [@draft-bls-signature-07]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OPRF / VOPRF / POPRF&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Blind&lt;/code&gt; calls &lt;code&gt;HashToGroup&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;ristretto255 to Elligator 2; P-curves to SSWU [@rfc9497]&lt;/td&gt;
&lt;td&gt;RFC 9497 (2023) [@rfc9497]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OPAQUE (aPAKE)&lt;/td&gt;
&lt;td&gt;indirect, via its OPRF&lt;/td&gt;
&lt;td&gt;inherits the OPRF suite [@rfc9807]&lt;/td&gt;
&lt;td&gt;RFC 9807 (2025) [@rfc9807]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Privacy Pass&lt;/td&gt;
&lt;td&gt;VOPRF token issuance&lt;/td&gt;
&lt;td&gt;P-384 VOPRF to SSWU [@rfc9578]&lt;/td&gt;
&lt;td&gt;RFC 9576/9577/9578 (2024) [@rfc9578]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CPace (balanced PAKE)&lt;/td&gt;
&lt;td&gt;password to session generator&lt;/td&gt;
&lt;td&gt;SSWU or Elligator 2 by group [@draft-cpace]&lt;/td&gt;
&lt;td&gt;draft, &quot;Waiting for IRTF Chair&quot; [@draft-cpace]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;WPA3-Personal (SAE)&lt;/td&gt;
&lt;td&gt;password element (PWE)&lt;/td&gt;
&lt;td&gt;H2E, constant-time SSWU [@dragonblood-site]&lt;/td&gt;
&lt;td&gt;IEEE 802.11&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h3&gt;What actually ships&lt;/h3&gt;
&lt;p&gt;Under all of this sit a few load-bearing libraries. The blst library implements BLS12-381 hash-to-curve in C and assembly, is compliant with RFC 9380, was audited by NCC Group in January 2021, and is the subject of an ongoing Galois formal-verification effort [@blst] [@blst-verification]. Cloudflare&apos;s CIRCL provides RFC 9380 hash-to-curve and RFC 9497 OPRFs in Go, though it labels itself experimental and cautions against production use of parts of it [@circl]. In Rust, curve25519-dalek exposes an Elligator-based one-way map through &lt;code&gt;RistrettoPoint::from_uniform_bytes&lt;/code&gt; [@curve25519-dalek].&lt;/p&gt;
&lt;p&gt;The headline is quiet by design: the primitive is standardized and load-bearing under a stack of shipping protocols, and almost nobody who depends on it has to think about it. That is what a well-built doorway looks like. Which raises a fair question: if every consumer just names a suite, is there ever a real choice to make, or has the standard decided everything for you?&lt;/p&gt;
&lt;h2&gt;7. The Decision Matrix&lt;/h2&gt;
&lt;p&gt;There is no &quot;best&quot; hash-to-curve, and that is a feature. Almost every knob is set for you by something structural: the curve you already committed to, or the distribution your proof already assumes. The value of a field guide is naming which axis governs which choice, and where a wrong turn is a vulnerability rather than a mere preference.&lt;/p&gt;
&lt;h3&gt;Distribution need decides the variant&lt;/h3&gt;
&lt;p&gt;The &lt;code&gt;_RO_&lt;/code&gt; versus &lt;code&gt;_NU_&lt;/code&gt; choice is governed by one question: does your proof need a random oracle? For BLS, OPRFs, and password mapping, it does, so &lt;code&gt;_RO_&lt;/code&gt; is the default. The &lt;code&gt;_NU_&lt;/code&gt; variant is an optimization you reach for only with a specific proof that non-uniformity is acceptable, because its output is measurably not uniform.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;&lt;code&gt;hash_to_curve&lt;/code&gt; (&lt;code&gt;_RO_&lt;/code&gt;)&lt;/th&gt;
&lt;th&gt;&lt;code&gt;encode_to_curve&lt;/code&gt; (&lt;code&gt;_NU_&lt;/code&gt;)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Field elements and maps&lt;/td&gt;
&lt;td&gt;2 elements, 2 maps, 1 addition&lt;/td&gt;
&lt;td&gt;1 element, 1 map&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Relative cost&lt;/td&gt;
&lt;td&gt;about twice &lt;code&gt;_NU_&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;baseline, about half of &lt;code&gt;_RO_&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Output distribution&lt;/td&gt;
&lt;td&gt;indifferentiable from a random oracle [@rfc9380]&lt;/td&gt;
&lt;td&gt;nonuniform: at least one eighth of G, weights vary by up to a factor of four [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Proof compatibility&lt;/td&gt;
&lt;td&gt;usable where a proof assumes a random oracle&lt;/td&gt;
&lt;td&gt;only where non-uniformity is provably sufficient&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Decision rule&lt;/td&gt;
&lt;td&gt;default for BLS, OPRF, PAKE mapping&lt;/td&gt;
&lt;td&gt;optimization only, with a proof&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Getting this backward is a shippable misuse: a &lt;code&gt;_NU_&lt;/code&gt; map where the proof assumed &lt;code&gt;_RO_&lt;/code&gt; produces a point from a distribution the proof never agreed to, which is the third of our three failures made concrete [@rfc9380].&lt;/p&gt;
&lt;h3&gt;Curve family decides the map&lt;/h3&gt;
&lt;p&gt;The choice among the inner maps is not a matter of taste at all. It is fixed by the shape of your curve.&lt;/p&gt;

flowchart TD
    Q{&quot;what curve do you have&quot;}
    Q --&amp;gt;|&quot;short Weierstrass, p is 3 mod 4&quot;| SSWU[&quot;Simplified SWU&quot;]
    Q --&amp;gt;|&quot;A is zero: secp256k1, BLS12-381&quot;| ISO[&quot;Isogeny SSWU&quot;]
    Q --&amp;gt;|&quot;Montgomery or Edwards&quot;| ELL[&quot;Elligator 2&quot;]
    Q --&amp;gt;|&quot;none of the above&quot;| SVDW[&quot;SvdW fallback&quot;]
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Map&lt;/th&gt;
&lt;th&gt;Curve condition&lt;/th&gt;
&lt;th&gt;Curves in RFC 9380&lt;/th&gt;
&lt;th&gt;Dominant cost&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Simplified SWU&lt;/td&gt;
&lt;td&gt;short-Weierstrass, $p \equiv 3 \pmod 4$, $AB \neq 0$&lt;/td&gt;
&lt;td&gt;P-256, P-384, P-521&lt;/td&gt;
&lt;td&gt;about one square root plus selects&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Isogeny SSWU&lt;/td&gt;
&lt;td&gt;$A = 0$ Weierstrass&lt;/td&gt;
&lt;td&gt;secp256k1, BLS12-381 G1/G2&lt;/td&gt;
&lt;td&gt;SSWU on $E&apos;$ plus one isogeny evaluation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Elligator 2&lt;/td&gt;
&lt;td&gt;curve with a point of order 2&lt;/td&gt;
&lt;td&gt;curve25519/448, edwards25519/448, ristretto255/decaf448&lt;/td&gt;
&lt;td&gt;about one exponentiation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SvdW&lt;/td&gt;
&lt;td&gt;any curve, characteristic other than 2 or 3&lt;/td&gt;
&lt;td&gt;fallback when none of the above fit&lt;/td&gt;
&lt;td&gt;a few exponentiations and inversions&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; If you find yourself deliberating between SSWU and Elligator 2, stop: your curve has already decided. SSWU serves short-Weierstrass curves, isogeny-SSWU serves the $A=0$ pairing curves, and Elligator 2 serves Montgomery and Edwards curves. The only choice genuinely left to you is the variant, &lt;code&gt;_RO_&lt;/code&gt; or &lt;code&gt;_NU_&lt;/code&gt;, and the default is &lt;code&gt;_RO_&lt;/code&gt; [@rfc9380].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The two knobs that are real, but small&lt;/h3&gt;
&lt;p&gt;Two remaining choices are genuine but low-stakes. The expander, &lt;code&gt;expand_message_xmd&lt;/code&gt; versus &lt;code&gt;expand_message_xof&lt;/code&gt;, follows your hash family: XMD for SHA-2, XOF for SHAKE, and neither dominates on security, so you pick the hash you already have [@rfc9380]. And within BLS, you can hash to either pairing group.&lt;/p&gt;

BLS can hash to either pairing group. Hashing to G2 is more expensive, because G2 lives over the larger field $\mathbb{F}_{p^2}$ and has a larger cofactor, but the minimal-pubkey-size setting Ethereum uses signs in G2. Minimal-signature-size deployments hash to the cheaper G1 instead. This is a real cost-versus-size trade-off, not a security decision, and it is why fast G2 hashing has its own literature [@rfc9380] [@sbcdk09].
&lt;h3&gt;The number that ends an old argument&lt;/h3&gt;
&lt;p&gt;For years, the excuse for variable-time hunt-and-peck was that constant-time maps were too slow. Wahby and Boneh&apos;s nine-percent measurement retired it: constant time is essentially free here, and simpler to implement correctly, which is why RFC 9380 can require it without asking anyone to pay for the safety [@wb19].&lt;/p&gt;
&lt;p&gt;It is worth remembering how strange this matrix would look to a cryptographer of 1995. In a finite field, hashing into the group is a single modular reduction with no decision matrix at all [@miller85]. Elliptic curves bought hard discrete logs and small keys, and the bill came due as this exact table: a real algorithm, with real parameters, that you must get right. Two maps, an oversampling margin, a distribution that is deliberately &quot;almost uniform&quot;: none of it is arbitrary. The next section proves they are the right choices, not just good ones.&lt;/p&gt;
&lt;h2&gt;8. Why Two Maps, and How Uniform Is &quot;Uniform&quot;&lt;/h2&gt;
&lt;p&gt;The two-map construction can feel like a clever hack. It is not. It is the provable optimum, and the theory that says so also explains the oversampling margin and the one caveat you must respect.&lt;/p&gt;
&lt;h3&gt;The lower bound that forces two maps&lt;/h3&gt;
&lt;p&gt;Start with what a single map cannot do. No efficient deterministic map to a general elliptic curve is both surjective and uniform. Its image is only a constant fraction of the curve, with some points weighted more heavily than others. RFC 9380 quantifies the residual for the single-map case exactly: the output distribution &quot;includes at least one eighth of the points in G,&quot; and the probability of points &quot;varies by at most a factor of four&quot; [@rfc9380]. Those bounds descend from the analyses of the individual maps [@sw06] [@bhkl13] [@ft12]. A distribution that misses seven-eighths of the group in the worst case and re-weights the rest simply cannot be indifferentiable from a uniform random oracle. One map is not enough, and this is why.&lt;/p&gt;
&lt;h3&gt;The matching upper bound&lt;/h3&gt;
&lt;p&gt;Now the other side. Hashing to two field elements, mapping each, and adding the points &lt;em&gt;is&lt;/em&gt; indifferentiable from a random oracle, proven for Icart&apos;s map by Brier et al. and generalized to essentially all maps by Farashahi et al. [@bcimrt10] [@ffstv13] [@mrh04]. The lower bound says one map cannot suffice; the upper bound says two do. The gap is closed. The &lt;code&gt;_RO_&lt;/code&gt; construction is the tight, achievable answer to &quot;produce a uniform, proof-usable point,&quot; and RFC 9380 standardizes precisely that optimum, no more and no less [@rfc9380].&lt;/p&gt;
&lt;h3&gt;Why the oversampling margin is what it is&lt;/h3&gt;
&lt;p&gt;The same &quot;prove it, do not hope it&quot; discipline governs &lt;code&gt;hash_to_field&lt;/code&gt;. Reducing a uniform $L$-byte integer modulo $p$ leaves a small bias from the wrap-around at the top of the range. Oversampling by $k$ bits, with&lt;/p&gt;
&lt;p&gt;$$L = \left\lceil \frac{\lceil \log_2 p \rceil + k}{8} \right\rceil,$$&lt;/p&gt;
&lt;p&gt;drives the statistical distance from uniform below $2^{-k}$. RFC 9380 fixes $k = 128$, so every field element is within $2^{-128}$ of uniform [@rfc9380]. That is a proven bound, which is why truncating the byte length is not a harmless optimization but a real weakening of the margin.&lt;/p&gt;
&lt;h3&gt;The one caveat that survives all of this&lt;/h3&gt;
&lt;p&gt;Here the humility arrives. &quot;Indifferentiable from a random oracle&quot; does not mean &quot;safe to drop into any random-oracle proof.&quot;&lt;/p&gt;

RFC 9380 cites Ristenpart, Shacham, and Shrimpton for the sharpest limit on the whole approach: &quot;not all security proofs that rely on random oracles continue to hold when those oracles are replaced by indifferentiable functionalities&quot; [@rfc9380]. So `_RO_` is the right default, but a protocol&apos;s proof still has to be the composable kind that survives the substitution. Indifferentiability is a strong guarantee, not an unconditional one.
&lt;p&gt;There is a smaller but instructive caveat in the same spirit. Either encoding can, with probability roughly $1/r$ for a random input, output the identity element.That probability is negligible and it is infeasible to find such an input deliberately, so RFC 9380 says protocols &quot;SHOULD NOT add a special case to detect and &apos;fix&apos; the identity element.&quot; The special case is itself a bug surface, more likely to introduce a flaw than to prevent one [@rfc9380]. The right move is to do nothing special, which is counterintuitive enough that people get it wrong by trying too hard.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For classical elliptic curves the core problem is solved in the strongest sense available: a single map provably cannot be a uniform random oracle, the two-map sum provably is, and RFC 9380 standardizes exactly that optimum. What is left is not the classical mathematics. It is implementation assurance and the post-quantum question [@rfc9380] [@ffstv13].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One boundary is worth stating precisely, because it sets up everything still open. The &quot;unknown discrete log&quot; property adds no new hardness assumption: it inherits the elliptic-curve discrete-log hardness of the target group, the same assumption Part 15 examined [@rfc9380]. And so, like all elliptic-curve cryptography, it falls to Shor&apos;s algorithm on a fault-tolerant quantum computer. Post-quantum &lt;em&gt;signatures&lt;/em&gt; sidestep the primitive entirely, because they use no curve. But the &lt;em&gt;consumers that specifically need a point of unknown discrete log&lt;/em&gt; -- OPRFs and VRFs -- have no such escape. That is where the frontier actually is.&lt;/p&gt;
&lt;h2&gt;9. Where It Is Still Moving&lt;/h2&gt;
&lt;p&gt;A solved primitive with live frontiers sounds like a contradiction, but hash-to-curve is exactly that. The classical mathematics is settled; the engineering, the assurance, and the post-quantum future are not.&lt;/p&gt;
&lt;h3&gt;Constant time, all the way down&lt;/h3&gt;
&lt;p&gt;RFC 9380 guarantees constant time at the interface: no data-dependent loop. The guarantee has to hold much further down, though, through the field primitives the map calls -- the square root, the sign function &lt;code&gt;sgn0&lt;/code&gt;, the zero-guarded inversion &lt;code&gt;inv0&lt;/code&gt;, general inversion, and the conditional selects -- each of which can leak through timing, cache, or micro-architecture if written naively [@rfc9380]. And the map runs on secrets: passwords in SAE and CPace, blinded inputs in OPRFs. A leak in one field routine re-opens the exact class of attack Dragonblood exploited.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Constant time must be structural in the map and then verified down to the field primitives, not patched in after the fact. Dragonblood&apos;s second act (Section 1) is the standing proof: fixing timing curve by curve is how you get burned twice [@rfc9380] [@dragonblood-site].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The expensive curves&lt;/h3&gt;
&lt;p&gt;Hashing to G2 of BLS12-381, over the field $\mathbb{F}_{p^2}$ and with a large cofactor, is markedly costlier than hashing to G1. Faster maps and faster cofactor clearing are open engineering targets, and they matter because Ethereum verifies huge volumes of signatures, so every millisecond of G2 hashing multiplies across the network. Wahby and Boneh brought constant-time hashing within nine percent of variable-time, and the fast-G2 cofactor-clearing line descends from work like Scott and coauthors&apos; &quot;Fast Hashing to G2,&quot; but G2 remains the expensive path, and each new pairing-friendly curve keeps the problem alive [@wb19] [@sbcdk09].&lt;/p&gt;
&lt;h3&gt;Machine-checked implementations&lt;/h3&gt;
&lt;p&gt;Because constant time is hard to get right, the field increasingly wants implementations proven correct by machine, not just audited by eye. The leading edge is visible in blst, the highest-volume hash-to-G2 implementation: it was audited by NCC Group in January 2021, and its formal verification by Galois is, in the project&apos;s own words, ongoing [@blst] [@blst-verification]. That is the honest status: verification of a deployed hash-to-curve path is in progress, not finished. Full end-to-end machine-checked hash-to-curve -- map, cofactor clearing, and constant time, across curve families -- remains open.&lt;/p&gt;
&lt;h3&gt;The genuinely open frontier: post-quantum&lt;/h3&gt;
&lt;p&gt;The deepest gap is post-quantum. Signatures have a post-quantum future without curves, so they abandon hash-to-curve. The unknown-DL consumers do not have that luxury. OPRFs and VRFs -- and therefore OPAQUE, Privacy Pass, and anonymous-credential systems built on them -- rest on the hardness of the elliptic-curve discrete log, and a quantum adversary breaks that foundation.Lattice- and isogeny-based OPRF and VRF constructions exist in the research literature, but none is competitive with the elliptic-curve versions in bandwidth or round complexity, and none is standardized. This guide states the frontier without pinning a specific paper, holding to the same citation standard as the rest of the series. There is no drop-in &quot;post-quantum hash-to-curve,&quot; because the whole unknown-DL abstraction has to be rebuilt on different assumptions, and the competitive replacement does not yet exist.&lt;/p&gt;
&lt;h3&gt;Steady-state engineering&lt;/h3&gt;
&lt;p&gt;Finally, the everyday work: as deployments adopt new pairing-friendly curves (BLS12-377 and BW6 are recent examples) and new prime-order abstractions, each needs its admissible map and cofactor-clearing constants worked out and folded into the suite registry [@rfc9380]. This keeps the &quot;which map for which curve&quot; table a living document rather than a finished one. Given all of it, the practical question remains: what should you actually do on Monday?&lt;/p&gt;
&lt;h2&gt;10. The Decision Rules, Made Operational&lt;/h2&gt;
&lt;p&gt;Here is the spine turned into something you can apply to a code review this afternoon. The rules are short because the standard did the hard part; your job is to name the right suite and not undo its work.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Use a vetted suite, never a hand-rolled map.&lt;/strong&gt; Always call a RFC 9380 suite from a constant-time library for your curve. Never compute $H(m)\cdot G$, and never write your own map. The two most catastrophic errors in this whole area are the two shortcuts from Section 3 [@rfc9380].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Default to &lt;code&gt;_RO_&lt;/code&gt;.&lt;/strong&gt; Use &lt;code&gt;hash_to_curve&lt;/code&gt; (&lt;code&gt;_RO_&lt;/code&gt;) unless you hold a specific proof that non-uniformity is acceptable, in which case &lt;code&gt;encode_to_curve&lt;/code&gt; (&lt;code&gt;_NU_&lt;/code&gt;) halves the cost [@rfc9380].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Always set a unique DST.&lt;/strong&gt; Make the domain-separation tag specific to your protocol and version, hash it if it exceeds 255 bytes, and never share one across protocols. This is &lt;a href=&quot;https://paragmali.com/blog/one-secret-is-not-one-key-the-discipline-of-key-derivation-w/&quot; rel=&quot;noopener&quot;&gt;domain separation&lt;/a&gt;, the same discipline Part 13 develops for keys [@rfc9380].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Map by curve, not by taste.&lt;/strong&gt; Short-Weierstrass with $p \equiv 3 \pmod 4$ uses SSWU; $A = 0$ uses isogeny-SSWU; Montgomery and Edwards use Elligator 2; anything else uses SvdW [@rfc9380].&lt;/p&gt;
&lt;p&gt;Then the per-protocol specifics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;BLS:&lt;/strong&gt; use &lt;code&gt;BLS12381G2_XMD:SHA-256_SSWU_RO_&lt;/code&gt; for minimal-pubkey-size, or the G1 suite for minimal-signature-size; &lt;code&gt;_RO_&lt;/code&gt; is required for the unforgeability proof; clear the cofactor [@draft-bls-signature-07].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OPRF, VOPRF, OPAQUE:&lt;/strong&gt; call RFC 9497&apos;s &lt;code&gt;HashToGroup&lt;/code&gt; and &lt;code&gt;HashToScalar&lt;/code&gt; at the ciphersuite&apos;s suite; do not substitute your own map; reject the identity element on the wire [@rfc9497].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;PAKE mapping a password (SAE, CPace):&lt;/strong&gt; use a constant-time map only, never hunt-and-peck a secret, and pre-hash the password with &lt;a href=&quot;https://paragmali.com/blog/the-one-job-of-a-password-hash-why-fast-is-the-enemy-and-mem/&quot; rel=&quot;noopener&quot;&gt;a slow KDF such as PBKDF2, scrypt, or Argon2&lt;/a&gt; before mapping, so an adversary who sees an intermediate value still faces a slow dictionary attack [@rfc9380]. Part 12&apos;s password-entropy argument is exactly why this matters.&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Pick the suite for your curve, default to &lt;code&gt;_RO_&lt;/code&gt;, set a unique DST, and clear the cofactor. Four decisions, each with a safe default, and RFC 9380 has already made three of them for you the moment you name the suite [@rfc9380].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The mirror image of the rules is the list of things that never belong in a diff. Each is a real, shippable bug that maps to exactly one of the three properties, or to the two guardrails around them.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Misuse&lt;/th&gt;
&lt;th&gt;What it violates&lt;/th&gt;
&lt;th&gt;The fix&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;$P = H(m)\cdot G$ instead of a map&lt;/td&gt;
&lt;td&gt;Unknown discrete log&lt;/td&gt;
&lt;td&gt;use a real RFC 9380 map [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hunt-and-peck over a secret&lt;/td&gt;
&lt;td&gt;Constant time&lt;/td&gt;
&lt;td&gt;constant-time suite; H2E for SAE [@rfc9380] [@dragonblood-site]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;_NU_&lt;/code&gt; where the proof needs &lt;code&gt;_RO_&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Random-oracle distribution&lt;/td&gt;
&lt;td&gt;default to &lt;code&gt;_RO_&lt;/code&gt; [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Missing or shared DST&lt;/td&gt;
&lt;td&gt;Domain separation&lt;/td&gt;
&lt;td&gt;unique per-protocol, per-version DST [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Skipped cofactor clearing&lt;/td&gt;
&lt;td&gt;Subgroup safety&lt;/td&gt;
&lt;td&gt;clear the cofactor; check the subgroup [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Truncated &lt;code&gt;hash_to_field&lt;/code&gt; output&lt;/td&gt;
&lt;td&gt;Uniformity margin&lt;/td&gt;
&lt;td&gt;use the full $L$ bytes [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Raw password without a slow KDF&lt;/td&gt;
&lt;td&gt;Offline-guessing resistance&lt;/td&gt;
&lt;td&gt;PBKDF2, scrypt, or Argon2 first [@rfc9380]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Vetted RFC 9380 suite for the curve. &lt;code&gt;_RO_&lt;/code&gt; unless a proof licenses &lt;code&gt;_NU_&lt;/code&gt;. Unique, versioned DST, hashed if over 255 bytes. Cofactor cleared and subgroup confirmed. Full &lt;code&gt;L&lt;/code&gt;-byte &lt;code&gt;hash_to_field&lt;/code&gt;. For secrets, a constant-time map and a slow KDF first. For OPRFs, identity rejected on the wire. Anything else is a finding [@rfc9380] [@rfc9497].&lt;/p&gt;
&lt;/blockquote&gt;

RFC 9380 ships official test vectors for every suite. Before you trust an implementation, feed it the standard&apos;s sample inputs and DSTs and confirm the output points match byte for byte. A library that reproduces the vectors implements the pipeline correctly; one that does not should never touch a secret [@rfc9380].
&lt;p&gt;A checklist answers &quot;what to do.&quot; The last thing to handle is the set of &quot;but why can&apos;t I just...&quot; questions that every reviewer and implementer keeps asking, because the answers are where the understanding finally sets.&lt;/p&gt;
&lt;h2&gt;11. FAQ and Common Misuse&lt;/h2&gt;


Because its discrete log is $H_n(m)$, which is public, so the point is not a stranger to anyone. In BLS this is fatal: a signature $[sk]\cdot H(m)$ becomes $[H_n(m)]\cdot PK$, which anyone computes from the public message and public key with no secret key. The same known-discrete-log flaw breaks OPRF obliviousness and a PAKE&apos;s password element [@rfc9380] [@bls01].


Only when the input is public and you need neither constant time nor a random-oracle distribution. Over a secret input the loop count is a function of the secret, so the running time leaks it. That is precisely the Dragonblood attack that recovered WPA3 passwords, and it is why RFC 9380 declines to specify the method [@rfc9380] [@vr20].


Yes. The `_NU_` output is provably not a random oracle: it covers at least one eighth of the group with weights varying by up to a factor of four [@rfc9380]. If your proof assumes a random oracle -- as the BLS, OPRF, and PAKE proofs do -- you need `_RO_`. Use `_NU_` only with a specific proof that non-uniformity is acceptable [@rfc9380].


Always. The DST is domain separation, not decoration: without a unique, protocol-and-version-specific tag, two protocols sharing a curve can be driven to collide. RFC 9380 makes it mandatory and hashes tags longer than 255 bytes [@rfc9380].


You don&apos;t; the curve decides. Curve25519 and edwards25519 use Elligator 2, because they have a point of order 2. BLS12-381 uses isogeny-SSWU, because $A = 0$. The map is a structural consequence of the curve, not a preference [@rfc9380].


No. It is bound to elliptic-curve cryptography and falls to Shor&apos;s algorithm. Post-quantum signatures avoid the primitive entirely because they use no curve, but the consumers that need a point of unknown discrete log -- OPRFs and VRFs, and the systems built on them -- have no settled, efficient post-quantum replacement yet [@rfc9380].


No. `encode_to_curve` (`_NU_`) runs one map and produces a nonuniform point at about half the cost. `hash_to_curve` (`_RO_`) hashes to two field elements, maps each, and adds the points, which is indifferentiable from a random oracle. The extra map is what buys the distribution [@rfc9380].

&lt;h2&gt;The Point Had to Be a Stranger, Arrive on Time, and Look the Part&lt;/h2&gt;
&lt;p&gt;Look back at the failures with the whole picture in hand, and they line up with eerie precision. Each was a wrong answer to exactly one of the three questions. Computing $H(m)\cdot G$ published the discrete log: the point was not a &lt;em&gt;stranger&lt;/em&gt;, and universal forgery followed [@rfc9380] [@bls01]. Hunt-and-peck leaked the password through the clock: the point did not &lt;em&gt;arrive on time&lt;/em&gt;, and Dragonblood read it off the handshake [@vr20]. Reaching for &lt;code&gt;_NU_&lt;/code&gt; where a proof needs &lt;code&gt;_RO_&lt;/code&gt; handed the proof a distribution it never agreed to: the point did not &lt;em&gt;look the part&lt;/em&gt; [@rfc9380]. Three questions, three ways to fail, three real systems that failed them.&lt;/p&gt;
&lt;p&gt;That is the sibling claim to the one Part 15 made about the curve itself. The elliptic-curve arithmetic was sound; the danger was the soft gap around it. Here the gap has a name and a shape. It is the doorway, the single step that carries an untrusted string into the group, and getting it right means answering all three questions at once: unknown discrete log, constant time, and a proof-usable distribution. RFC 9380 is the standard that guarantees all three and encodes which ones you asked for in a suite name you can read at a glance.&lt;/p&gt;
&lt;p&gt;For classical curves, the doorway is finally built to spec. The two-map construction is the provable optimum, the oversampling margin is a proven bound, and a handful of audited libraries carry the whole load quietly under BLS, OPRFs, OPAQUE, Privacy Pass, and WPA3. The open frontier has moved elsewhere: to machine-checked implementations of what already ships, to the stubbornly expensive pairing curves, and above all to a post-quantum world where the unknown-DL consumers have no settled replacement.&lt;/p&gt;
&lt;p&gt;So the next time you call a one-line hash-to-curve API, you will know to ask the three questions it answers for you. Do you know the point&apos;s discrete log? Does your running time depend on the input? Can your proof model the output as a random oracle? For any construction worth shipping, the answers are the same three words this whole field spent two decades earning: no, no, yes.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;hashing-to-elliptic-curves-rfc-9380&quot; keyTerms={[
  { term: &quot;Hash-to-curve&quot;, definition: &quot;A map from an arbitrary byte string to a curve point of unknown discrete log; standardized by RFC 9380.&quot; },
  { term: &quot;BLS signature&quot;, definition: &quot;A pairing-based signature where the signature is the hashed message point scaled by the secret key.&quot; },
  { term: &quot;Try-and-increment&quot;, definition: &quot;Hash with a counter until the result is a valid coordinate; unknown DL but variable time.&quot; },
  { term: &quot;Indifferentiability&quot;, definition: &quot;A formal criterion for when a construction can safely replace an ideal object such as a random oracle.&quot; },
  { term: &quot;Simplified SWU&quot;, definition: &quot;A closed-form map to short-Weierstrass curves with p equal to 3 mod 4 and nonzero A and B.&quot; },
  { term: &quot;Elligator 2&quot;, definition: &quot;An invertible map for curves with a point of order 2, used for Montgomery and Edwards curves.&quot; },
  { term: &quot;hash_to_field&quot;, definition: &quot;The first pipeline stage: expand input and DST into field elements within 2^-128 of uniform.&quot; },
  { term: &quot;Domain Separation Tag&quot;, definition: &quot;A mandatory, protocol-and-version-specific tag mixed into hashing to prevent cross-protocol collisions.&quot; },
  { term: &quot;Cofactor clearing&quot;, definition: &quot;The final stage that forces the mapped point into the prime-order subgroup.&quot; },
  { term: &quot;Oblivious PRF&quot;, definition: &quot;A protocol where the client learns a keyed function of its input while the server learns neither input nor output.&quot; }
]} flashcards={[
  { front: &quot;Why is P = H(m) times G unsafe?&quot;, back: &quot;Its discrete log is public, so anyone forges BLS signatures as Hn(m) times PK with no secret key.&quot; },
  { front: &quot;Why does try-and-increment leak?&quot;, back: &quot;Its iteration count depends on the input, so timing reveals a secret input. This is Dragonblood.&quot; },
  { front: &quot;Why does hash_to_curve run two maps?&quot;, back: &quot;A single map cannot be a random oracle; the sum of two mapped points is indifferentiable from one.&quot; },
  { front: &quot;Which map for BLS12-381?&quot;, back: &quot;Isogeny-SSWU, because A is zero. The curve chooses the map, not you.&quot; },
  { front: &quot;Is hash-to-curve quantum-safe?&quot;, back: &quot;No. It falls to Shor. PQ signatures avoid it; PQ OPRFs and VRFs are unsolved.&quot; }
]} questions={[
  { q: &quot;State the three properties a safe hash-to-curve map must satisfy.&quot;, a: &quot;Unknown discrete log, constant running time, and a distribution indifferentiable from a random oracle.&quot; },
  { q: &quot;Which property does each naive map violate, and what does each leak?&quot;, a: &quot;H(m) times G violates unknown discrete log and leaks universal forgery; try-and-increment violates constant time and leaks a secret input by timing.&quot; },
  { q: &quot;Why is the RO variant the provable optimum?&quot;, a: &quot;A single map cannot be uniform and surjective; the sum of two maps is indifferentiable; RFC 9380 standardizes exactly that.&quot; },
  { q: &quot;What is a DST for, and when must it be hashed?&quot;, a: &quot;Domain separation between protocols; it must be hashed when longer than 255 bytes and unique per protocol and version.&quot; },
  { q: &quot;Where is the open frontier?&quot;, a: &quot;Post-quantum OPRFs and VRFs, formal verification of deployed implementations, and efficient hashing to G2.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>hash-to-curve</category><category>elliptic-curves</category><category>rfc-9380</category><category>bls-signatures</category><category>oprf</category><category>pake</category><category>applied-cryptography</category><category>side-channels</category><author>noreply@paragmali.com (Parag Mali)</author></item></channel></rss>