Ask Your Question
0

"points must be on same curve" ( ate_pairing, BLS12-381)

asked 2023-11-20 20:44:37 +0100

anonymous user

Anonymous

updated 2023-11-21 08:00:07 +0100

FrédéricC gravatar image

Hi

I'd like to perform the ate pairing on points p1 in G1 and p2 in G2 of the BLS12-381curve. The library function returns error: "ValueError: Points must both be on the same curve". Indeed, the points I am supplying are _not_ in the same curve: per the definition of BLS12-381 groups G1 and G2 are from different curves.

What must be done to the following code to obtain intended results ?

# parameters for BLS12-381 
z = -0xd201000000010000
p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
q = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
h1 = 0x396c8c005555e1568c00aaab0000aaab
h2 = 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5

# Curve for G1 
F = GF(p)
EFp = EllipticCurve(F, [0,4])

# Curve for G2 
Fp2.<X> = GF(p^2, modulus=[1, 0, 1])
EFp2 = EllipticCurve(Fp2, [0, 4 * (1 + X)])


# Generators of G1 and G2 (from hzzps://aandds.com/blog/bls.html)  

x1 = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb
y1 = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1

g1 = EFp((x1,y1))

x2 = 0x024AA2B2F08F0A91260805272DC51051C6E47AD4FA403B02B4510B647AE3D1770BAC0326A805BBEFD48056C8C121BDB8 + 0x13E02B6052719F607DACD3A088274F65596BD0D09920B61AB5DA61BBDC7F5049334CF11213945D57E5AC7D055D042B7E * X
y2 = 0x0CE5D527727D6E118CC9CDC6DA2E351AADFD9BAA8CBDD3A76D429A695160D12C923AC9CC3BACA289E193548608B82801 + 0x0606C4A02EA734CC32ACD2B02BC28B99CB3E287E85A763AF267492AB572E99AB3F370D275CEC1DA1AAA9075FF05F79BE * X

g2 = EFp2((x2,y2))

# Some assertions to demonstrate values are consistent

assert(p == z + (( z^4 - z^2 + 1)*(z-1)^2)/3 )
assert(h1 ==  (z-1)**2 // 3)
assert( h1 * q == EFp.order() ) 
assert(q == (z**4 - z**2 + 1))
assert(EFp2.order() / q == h2)


#Make arbitraty points using the generators    
p1 = g1 * 3
p2 = g2 * 7


k = 12
t = p + 1 - EFp.order()


ate = p1.ate_pairing(p2, q, k, t, p)



print("----")
print("ate: " + str(ate))
print("----")
edit retag flag offensive close merge delete

Comments

Posting as anonymous has some drawbacks... it may be a good idea to get please a user name... The question starts by introducing a lot of notations, then mentioning which error appears. Instead, making some order in the objects, introducing them one by one, giving them the mathematical sense, and getting a minimal situation where something does not work would be a better idea. All this is written only to make you understand that sharing the effort is please a better way for the community.

dan_fulea gravatar imagedan_fulea ( 2023-11-21 00:08:11 +0100 )edit

1 Answer

Sort by » oldest newest most voted
1

answered 2023-11-21 01:21:12 +0100

dan_fulea gravatar image

The following works for me:

# parameters for BLS12-381 
z = -0xd201000000010000    # this is z = -15132376222941642752
q = (z^4 - z^2 + 1)
p = ZZ( z + q*(z - 1)^2/3 )

h1 = ZZ( (z - 1)^2 / 3 )
h2 = ZZ( (z^8 - 4*z^7 + 5*z^6 - 4*z^4 + 6*z^3 - 4*z^2-4*z + 13) / 9 )

# we work over one and only one common field, L, with p^12 elements.
F = GF(p)
L.<a> = GF(p^12)
RF.<T> = PolynomialRing(F12)
j = (T^2 + 1).roots(ring=F12, multiplicities=0)[0]

# L contains F canonically.
# L also contains F[j] by construction

E0 = EllipticCurve(F  , [0, 4])
E1 = EllipticCurve(F12, [0, 4])
E2 = EllipticCurve(F12, [0, 4 + 4*j])

# Generators of G1 and G2 (from https://aandds.com/blog/bls.html)
x1 = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb
y1 = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1
g1 = E1( (x1, y1) )

x2 = ( 0x024AA2B2F08F0A91260805272DC51051C6E47AD4FA403B02B4510B647AE3D1770BAC0326A805BBEFD48056C8C121BDB8
       + 0x13E02B6052719F607DACD3A088274F65596BD0D09920B61AB5DA61BBDC7F5049334CF11213945D57E5AC7D055D042B7E * j )
y2 = ( 0x0CE5D527727D6E118CC9CDC6DA2E351AADFD9BAA8CBDD3A76D429A695160D12C923AC9CC3BACA289E193548608B82801
       + 0x0606C4A02EA734CC32ACD2B02BC28B99CB3E287E85A763AF267492AB572E99AB3F370D275CEC1DA1AAA9075FF05F79BE * j )
g2 = E2( (x2, y2) )

phi = E2.isomorphism_to(E1)

p1 = 3 * g1
p2 = 7 * g2

k = 12
t = p + 1 - E0.order()

ate = p1.ate_pairing(phi(p2), q, k, t, p)

The code works over a field, where there is an isomorphism from one group to the other one, in fact from some curve to an other one. The crypto-papers are but so cryptic, that one is not able to isolate structure from the usual humanly chosen path and story that puts together data for the curves, CPU performances, possible attacks and recommended bits, and in between some (iso)morphism (that may be a hash table in part).

As a reference, i would link

https://crypto.stackexchange.com/questions/95836/isomorphic-mapping-of-bls12-381-g2-points-to-g1

for the part, where we need a bridge from $\Bbb G_2$ to $\Bbb G_1$.

In our case, $\Bbb G_1$ is $E_0(F)=E_0(\Bbb F_p)$, and $E_1$ is a curve that becomes isomorphic to $E_0$, when making a base change to $\Bbb F_{p^{12}}$. Our $k$ is this $12$. $\Bbb G_2$ is a subgroup (of same order as $\Bbb G_1$, when i correctly understood what happens) of $E_1(\Bbb F_{p^2})$.

The code above implements thus the pairing: $$ \Bbb G_1\times \Bbb G_2= E_0(\Bbb F_p)\times E_1(\Bbb F_{p^2}) \to E_0(\Bbb F_{p^k})\times E_1(\Bbb F_{p^k}) \overset{1\times\varphi}\longrightarrow E_0(\Bbb F_{p^k})\times E_0(\Bbb F_{p^k}) \overset{\langle\ ,\ \rangle}\longrightarrow \Bbb F_{p^k}\ . $$ At the last step, we insert the $8$-pairing... So for short, $$ (P_1,P_2)\to\langle\ P_1\ ,\ \varphi(P_2)\ \rangle\ . $$

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-11-20 20:33:58 +0100

Seen: 548 times

Last updated: Nov 21 '23