Closed Loryerba closed 6 months ago
elliptic-shiho
commented
6 months ago @Loryerba How did you used a parameter?
Currently, the distortion map has been implemented that for $\mathbb{F} _ {p^2}$ only:
So If you want to use it on a prime field, you should compute distortion map by hand. In this situation, you can use tate_pairing function instead of symmetric_tate_pairing.
elliptic-shiho
commented
6 months ago If you want more details, I recommend to read following texts:
However, certainly, I think this behaviour is not kindly for users, so I may be fixed this problem (in the future).
Loryerba
commented
6 months ago Sorry dude, i made a mistake by me. I didn't read the doc about distortion map. I'm trying to implement the Catalano & Fiore Vector Commitment based on CDH and I need:
I do that in this way:
F, E, G, n = EllipticCurveRepository('secp256k1') newpoint = tate_pairing(E,G,newg,n)
I think that is right, I work on prime order groups on finite field (not extended). Thank you so much.
elliptic-shiho
commented
6 months ago The Tate/Weil pairing function can compute for any elliptic curve and points principally; however, the distortion map cannot. Therefore, we cannot compute symmetric pairing (i.e. $e(P, \varphi(Q))$ instead of $e(P, Q)$ where $\varphi$ is a distortion map) for general situation as the map is a special isogeny. More precisely, we know the following fact (Lemma IX.14 and Theorem IX.15. of "Advances in Elliptic Curve Cryptography"):
Lemma IX.14. Let $P\in E(\mathbb{F} q)$ have prime order $r$ and suppose $k\gt 1$. Suppose that $E(\mathbb{F} {q^k})$ has no points of order $r^2$. Let $\phi$ be an endomorphism of $E$. If $\phi(P)\notin E(\mathbb{F} _ q)$, then $e(P, \phi(P)) \ne 1$.
Theorem IX.15. Let $E$ be an elliptic curve over $\mathbb{F} _ q$ which has a distortion map. Then $E$ is supersingular.
The secp256k1 is not supersingular. so it does not have a distortion map. Furthermore, if you want to use a distortion map on an elliptic curve on a prime field for symmetric pairing computation, you need to search for an elliptic curve and a generator point that satisfy an embedding degree equals one (excepted on above discussion).
You can choose between two routes:
Regardless, I believe you need to delve deeper into the topic.
If you choose (1.), you can use Zhi Hu, Lin Wang, Maozhi Xu, and Guoliang Zhang. 2013. Generation and Tate Pairing Computation of Ordinary Elliptic Curves with Embedding Degree One. There may be easier methods, but I am not aware of them. The related discussion is found in Section IX.7.2, 'Self-Pairings,' in "Advances in Elliptic Curve Cryptography."
On the other hand, If you choose (2.), you can use ecpy and other easier methods. For example, ecpy can generate supersingular EC that has a computable distortion map using the gen_supersingular_ec(bits) function. However, ecpy currently lacks order computation, so you must use other software (e.g. SageMath or Pari/GP) for the generated curve's order / generator computation.
Loryerba
commented
6 months ago Ok thank you so much. But how can i do that: gvalue where g is the point generator of the curve? I tried gvalue but g is a FiniteFieldEllipticCurvePoint.
elliptic-shiho
commented
6 months ago Do you mean https://eprint.iacr.org/2011/495.pdf as the "Catalano & Fiore Vector Commitment"?
Firstly, we know that the Weil pairing on the elliptic curve $E$ is defined by $e_n\colon E\lbrack n\rbrack\times E\lbrack n\rbrack\to \mathbf{\mu}_n$. On the other hand, the Tate pairing on $E(\mathbb{F}_q)$ is defined by $t_n\colon E(\mathbb{F}_q)\lbrack n\rbrack\times E(\mathbb{F}_q)\lbrack n\rbrack / nE(\mathbb{F}_q)\to \mathbb{F}_q^\ast / (\mathbb{F}_q^\ast)^n$.
These "pairing functions" have very similar definitions, so we can consider a more general definition as follows: Let $\mathbb{G}_1$, $\mathbb{G}_2$ be two cyclic groups of prime order $q$, and $\mathbb{G}_T$ be another cyclic group of prime order $p$. A pairing is a map $e\colon\mathbb{G}_1 \times \mathbb{G}_2\to \mathbb{G}_T$ which satisfies certain properties (i.e., bilinearity, non-degeneracy, and computability).
This notation is a standard convention in pairing-related papers because it eliminates the need to consider the differences in actual pairing functions.
When using this notation, we should translate elliptic curve arithmetic to cyclic group arithmetic. If $\mathbb{G}_1$ and $\mathbb{G}_2$ are additive groups, we can use the same symbols and operators. However, if these cyclic groups use the multiplicative operation, we need to translate accordingly.
The document 2011/495 seems to use the multiplicative operation, so you need to translate it. In other words, you should interpret $g^\mathrm{value}$ as $\mathrm{value}\cdot G$ where $g\in\mathbb{G}$ and $G\in E$.
Loryerba
commented
6 months ago Yeah i mean that paper. So when he use g^value he means g * value accordingly to modular aritmethic and not to group on elliptic curve?
elliptic-shiho
commented
6 months ago ah, no, $\mathbb{G}$ is an elliptic curve subgroup $E\lbrack n\rbrack$, but the paper use "multiplicative notation" like $G^x$ as "additive notation" $xG$. so we need to reinterpret that.
Loryerba
commented
6 months ago Ok so how can i implement g**x as described in the paper?
elliptic-shiho
commented
6 months ago Consider trying to solve it yourself; it's a good way to learn, and you already have all the materials you need for that
Loryerba
commented
6 months ago Yeah i try but i don't understand the root of the problem. In the paper they use multiplicative notation but the library support only additive notation?
elliptic-shiho
commented
6 months ago Yes, ecpy is only supported additive notation.
Because this software is aimed to provide a concrete implementation of the pairings and elliptic curve arithmetic. these notation is just theoretical difference, and It is programmer's duty that translate from theoretical notation (by cyclic group) to concrete (by elliptic curve arithmetic) implementation.
elliptic-shiho
commented
6 months ago However "A helper class for using that as multiplicative notation" is a good idea for me so It may be implemented in the future(?)
Loryerba
commented
6 months ago Ok so id understand everything, ecoy impelements only additive notation such as x * g (equals to g+g+g x times) but in the paper it seems to use g*x (equals to gggg*). The only thing where im stucked is, how can i multiply different times a point which have coordinates x:y?
elliptic-shiho
commented
6 months ago simple scalar multiplication? you can use P = E(x, y) and a * P. like:
Loryerba
commented
6 months ago Yeah sorry i mean, if i need to evaluate g**x, i can multiply x times g for g, but g is a point and i can't multiply a point for a point
elliptic-shiho
commented
6 months ago addition translated to multiply and vice versa. so $P+Q$ translated to $PQ$ and vice versa.
your problem can represent as following proposition. we can proof this easily, so you can try it.
Let $E$ be an elliptic curve over $\mathbb{F} _ q$, $\mathbb{G} := E\lbrack n\rbrack$, and $\cdot\colon \mathbb{G}\times\mathbb{G} \ni (P, Q)\mapsto P+Q\in \mathbb{G}$. then:
- $(\mathbb{G}, \cdot)$ is a cyclic group.
- $\varphi\colon E\lbrack n\rbrack\ni P \mapsto P\in\mathbb{G}$ is a group isomorphism.
Loryerba
commented
6 months ago So the answer to my question "how can i implement multiplicative notion such as g*x (like g g * g x times) is equals of g + g + g x times?
elliptic-shiho
commented
6 months ago Yes.
Loryerba
commented
6 months ago Thank you so much. I tried all night some tests. I just do that to get g^k. Tell me if I make mistakes:
`field ,ec,generator,order = EllipticCurveRepository('secp256k1')
while(k>0): generator = generator.add(generator) k-=1
print(generator)`
Loryerba
commented
6 months ago field ,ec,generator,order = EllipticCurveRepository('secp256k1')
while(k>0):
generator = generator.__add__(generator)
k-=1
print(generator)
Loryerba
commented
6 months ago The only thing that i didn't understand is: Ok in paper multiplicative notation (G^x) is equals to (G*x) on EC. But in the library when I need to compute G^x, i have to perform G.add(g) for x-times or G.mul(x)? @elliptic-shiho
Loryerba
commented
6 months ago Hi @elliptic-shiho , i just solved everything in my code (you can see my public repo about Vector Commitments) but still have problem with tate_pairing, i'm getting different value but the proof and commitment are evaluted correctly ;(
Loryerba
commented
6 months ago Do you have any suggestion?
elliptic-shiho
commented
6 months ago I have main job responsibilities, so I may not be able to respond immediately. If you are affiliated with a laboratory or similar institution, it might be quicker to seek assistance from your professor.
Additionally, I would like to close this thread as it is no longer related to ecpy issues.
I am happy to assist with your research, but please note that I am not your professor, so my availability for this thread may be limited. I apologize for any inconvenience.
If you have more questions, you can reply to my Twitter account (@elliptic_shiho).
Im trying do run this code print (symmetric_tate_pairing(E,G,newg,n) == symmetric_tate_pairing(E,G,newg,n)) but i get this error " 'FiniteField' object has no attribute 't' "