I would like to perform a variant of Elliptic Curve ElGamal in java using the BouncyCastle libraries.

I currently face the difficulty of mapping a message $m$ onto the elliptic curve $E_p$. I have so far multiplied the generator $g$ of $E_p$ by the message $m$. However, this is hardly reversible. Hence I cannot retrieve the original message without storing a lookup table for my whole message space.

The post ElGamal with EC quotes that some reversible mapping exists, described in Elliptic Curve Cryptosystem, Koblitz.

After doing some research, I found Mapping an Arbitrary Message to an Elliptic Curve when Defined over $GF(2^n)$, King et al. However, it looks quite cryptic to me, and I believe there must exist some library doing this already.

Is there any widely used mapping available? Also, is there any library implementing this?

franckysnow

1 Answer

When using ElGamal on elliptic curves you have two possibilities:

Encoding free Version of El Gamal

Use a version of ElGamal such as "hashed ElGamal" that avoids the task of mapping messages to points on the curve. In standard ElGamal on elliptic curves you would compute the ciphertext as $(C_1,C_2)=(kP,M+kY)$ where $k$ is a random integer, $M$ the message $m$ mapped to a point on the curve, $Y$ the public key and $P$ the generator point.

In hashed ElGamal, the ciphertext is $(C_1,C_2)=(kP,m\oplus H(kY))$ where $H:G\rightarrow \{0,1\}^n$ is a hash function that maps points on the curve to $n$ bit strings. Consequently, you can encrypt $n$ bit messages, for instance 256 bit if you use SHA-256 for $H$. For the input to $H$ you need to encode the points of the curve in a suitable way.

What you describe in your question, i.e., encode $m$ as $mP$, is also known as exponential ElGamal and typically used to make it additively homomorphic. But in this case, you have to compute discrete logarithms after decrypting. Note that decryption will yield $mP$ and you have to compute $m=\log_P mP$ which means you have to solve the elliptic curve discrete logarithm problem. This is only practical for small messages.

Map Messages to the Curve

A standard probabilistic encoding that can be used for curves over $\mathbb{F}_p$ (for a large prime $p$) is that you fix some value $\ell$, for instance half the bitlength of $p$, and then simply choose a random integer from $\mathbb{Z}_p$ and set the least significant bits of this value to represent your message, i.e., you have a value $r\|m$. Then, treat this value $r\|m$ as the $x$ coordinate of a (potential) point on the curve (in affine coordinates). If it is on the curve, take one of the two possible $y$ values and you have your encoding of the message to a point. Otherwise, start over again with a new $x$ value.

This is one probabilistic encoding and if you want to have injective maps that are also efficiently invertible take a look here as pointed out in my comment.

Third possibility: Avoid ElGamal

As @poncho pointed out, you could simply replace ElGamal with another elliptic curve encryption scheme such as ECIES. It is a hybrid encryption scheme and avoids the task of mapping messages to points on the curve. In practice this seems to be the best solution if you want to use your scheme simply for encryption (and do not need it as a building block in protocols which require proofs of knowledge or the like).

DrLecter
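The probabilistic $r\|m$ encoding from the answer above, written out as an added Python example (it is not BouncyCastle code and not from the original post). It assumes secp256k1 as the curve, $\ell = 128$ message bits, and relies on $p \equiv 3 \pmod 4$ so that a square root modulo $p$ is a single exponentiation.

```python
import secrets

# secp256k1 parameters (assumed here as the example curve; any prime-field
# curve with p ≡ 3 mod 4 works the same way)
P = 2**256 - 2**32 - 977
A = 0
B = 7
L = 128  # message bits: half the bit length of p, as suggested in the answer


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + A x + B over F_p."""
    return (y * y - (x**3 + A * x + B)) % P == 0


def sqrt_mod_p(n):
    """Square root of n modulo P, or None if n is not a quadratic residue.
    Valid because P ≡ 3 (mod 4): r = n^((P+1)/4)."""
    r = pow(n, (P + 1) // 4, P)
    return r if (r * r) % P == n % P else None


def encode(m, max_tries=256):
    """Map an L-bit integer m to a curve point by trying x = r || m with a
    fresh random r until x^3 + A x + B is a square (about 1/2 of the tries)."""
    if not 0 <= m < 2**L:
        raise ValueError("message does not fit in L bits")
    for _ in range(max_tries):
        r = secrets.randbits(P.bit_length() - L)
        x = (r << L) | m
        if x >= P:
            continue  # not a valid field element, draw again
        y = sqrt_mod_p((x**3 + A * x + B) % P)
        if y is not None:
            return (x, y)  # either root works; the other is P - y
    raise RuntimeError("no curve point found within max_tries")


def decode(point):
    """Recover m: it is simply the low L bits of the x coordinate."""
    x, _ = point
    return x & ((1 << L) - 1)
```

Decryption of the ElGamal ciphertext returns the point $M$, and `decode` reads $m$ back from it without any lookup table, which is exactly the invertibility the question asks for.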