Abstract:
In cryptography, hashing typically means mapping a variable-length input to a fixed-length bit string, such as a SHA-256 hash. However, many modern protocols require a different output: a valid point (x, y) on an elliptic curve (e.g. y^2=x^3+ax+b). Until recently, there was no unified, secure standard for this "hash-to-curve" operation. In this talk, I will share our experience in designing RFC 9380, a comprehensive specification for hash-to-curve functions created within the IETF’s Crypto Forum Research Group (CFRG).
Many Elliptic Curve Cryptography (ECC) protocols rely on the "Random Oracle Model"—a security assumption that the hash function behaves like a perfectly random source. Historically, implementations often used "rejection sampling," a trial-and-error method that can introduce timing side-channel vulnerabilities or fail to meet the rigorous uniformity requirements of security proofs. Insecure hashing has, in fact, led to the compromise of several real-world protocols.
As modern applications increasingly depend on these specialized functions, the need for a standardized, secure approach has become critical. I will discuss the challenges of distilling complex academic research into a unified, constant-time framework designed for real-world deployment. We will examine how RFC 9380 provides "off-the-shelf" security and interoperability for modern cryptographic protocols—including identity-based encryption, threshold signatures, and zero-knowledge proofs—ensuring a more robust and consistent cryptographic ecosystem.
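To make the contrast in the abstract concrete, here is an added toy example (not code from the talk, the RFC, or its authors): a textbook curve y^2 = x^3 + x + 1 over F_23, with rejection sampling ("try-and-increment") beside a map in the shape of the Simplified SWU map that RFC 9380 uses. The loop count of the first leaks information about the message; the second performs the same field operations for every input, with the RFC's two conditional moves written as arithmetic selects. The curve, the prime, the SSWU constant Z, and the messages are all constructed for this illustration; the hash_to_field stand-in reduces SHA-256 mod p, which the RFC avoids (it expands to extra bytes for uniformity), and Python big-integer arithmetic is of course not itself constant-time.

```python
# Toy comparison of rejection sampling versus a Simplified-SWU-style map.
# Constructed example: curve y^2 = x^3 + x + 1 over F_23. Not for real use.
import hashlib

P = 23          # field prime; P = 3 (mod 4), so sqrt(a) = a^((P+1)/4)
A, B = 1, 1     # curve coefficients (SSWU requires both non-zero)
Z = P - 2       # SSWU constant; for this curve it meets RFC 9380's criteria:
                # non-square, != -1, g(x)-Z irreducible, g(B/(Z*A)) a square

def g(x):
    """Right-hand side of the curve equation, reduced mod P."""
    return (x**3 + A*x + B) % P

def is_on_curve(pt):
    x, y = pt
    return (y*y - g(x)) % P == 0

def is_square(v):
    """Euler's criterion; 0 is treated as a square, as in RFC 9380."""
    return v % P == 0 or pow(v, (P-1)//2, P) == 1

def sqrt_mod(v):
    """Square root for P = 3 (mod 4); meaningful only when v is a square."""
    return pow(v, (P+1)//4, P)

def inv0(v):
    """Field inverse with inv0(0) = 0, the convention RFC 9380 uses."""
    return 0 if v % P == 0 else pow(v, P-2, P)

def hash_to_field(msg, ctr):
    """Stand-in for hash_to_field: SHA-256 of (msg, ctr) reduced mod P.
    Biased for a real field; fine for a 23-element toy."""
    h = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % P

def try_and_increment(msg):
    """Rejection sampling: hash (msg, ctr) to x, accept once g(x) is a square.
    Returns (point, tries). 'tries' depends on msg: a timing side channel."""
    ctr = 0
    while True:
        x = hash_to_field(msg, ctr)
        if is_square(g(x)):
            return (x, sqrt_mod(g(x))), ctr + 1
        ctr += 1

def try_counts(n):
    """Set of loop counts observed over n constructed messages."""
    return {try_and_increment(b"msg-%d" % i)[1] for i in range(n)}

def sswu_map(u):
    """Simplified SWU map u -> (x, y) on the curve. Every input runs the same
    field operations; the RFC's conditionals are written as selects."""
    u %= P
    t = (Z * u * u) % P                         # Z * u^2
    tv1 = inv0((t * t + t) % P)                 # 1 / (Z^2 u^4 + Z u^2), or 0
    x1 = (-B * inv0(A) * (1 + tv1)) % P
    x1_exc = (B * inv0(Z * A)) % P              # exceptional case: tv1 == 0
    e1 = int(tv1 == 0)
    x1 = (x1 + e1 * (x1_exc - x1)) % P          # CMOV(x1, x1_exc, e1)
    gx1 = g(x1)
    x2 = (t * x1) % P
    gx2 = g(x2)                                 # equals Z^3 u^6 gx1
    e2 = int(is_square(gx1))                    # gx1 square, else gx2 is
    y1, y2 = sqrt_mod(gx1), sqrt_mod(gx2)
    x = (x2 + e2 * (x1 - x2)) % P               # CMOV(x2, x1, e2)
    y = (y2 + e2 * (y1 - y2)) % P               # CMOV(y2, y1, e2)
    e3 = int((u % 2) != (y % 2))                # sgn0(u) != sgn0(y)
    y = (y + e3 * ((-y) % P - y)) % P           # CMOV(y, -y, e3)
    return (x, y)

def encode_to_curve(msg):
    """Shape of RFC 9380's encode_to_curve: one field element, one map.
    Cofactor clearing is omitted because this toy curve has none to clear."""
    return sswu_map(hash_to_field(msg, 0))

def sswu_constant_is_valid():
    """Runtime check of the Z criteria the toy example relies on."""
    return (not is_square(Z)) and Z != P - 1 and is_square(g(B * inv0(Z * A) % P))

def sswu_hits_curve_for_all_inputs():
    """Exhaustive check: every u in F_23 lands on the curve."""
    return all(is_on_curve(sswu_map(u)) for u in range(P))

if __name__ == "__main__":
    print("Z valid:", sswu_constant_is_valid())
    print("SSWU on-curve for all u:", sswu_hits_curve_for_all_inputs())
    print("try-and-increment loop counts seen:", sorted(try_counts(200)))
```

Running the block shows the practical point: the loop counts of try_and_increment spread over several values even on this tiny field, while sswu_map is verified to land on the curve for every one of the 23 field elements with no loop at all. The key identity behind the map is g(x2) = Z^3 u^6 g(x1), so when g(x1) is a non-square and Z is a non-square, g(x2) is a square; that is why a non-square Z is the first criterion for choosing it.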
Based on joint work by Armando Faz Hernandez, Sam Scott, Nick Sullivan, Riad S. Wahby, and Christopher A. Wood.
Crypto Reading Club talk on 2026-Feb-18
Security and Privacy: cryptography