search

herumi / mcl

a portable and fast pairing-based cryptography library
BSD 3-Clause "New" or "Revised" License
450 stars 151 forks source link

I have an issue on pairing equality, i want to compute a non-witness of an accumulator. #207

Closed jesili closed 2 weeks ago

jesili commented 2 weeks ago

I have the following code, to compute $e(g_1^{a-b/(c+d)}, g_2^{c+d})=e(g_1^ag^{-b}, g_2)$ but the equality is not hold

Mcl.SystemInit(Mcl.BN254);
        Fr a = new Fr(10);
        Fr b = new Fr(2);
        Fr c = new Fr(3);
        Fr d = new Fr(1);
        Fr c_d = new Fr();
        G1 g1 = new G1();
        Mcl.hashAndMapToG1(g1, "hello".getBytes());
        G2 g2 = new G2();
        Mcl.hashAndMapToG2(g2, "world".getBytes());
        GT e1 = new GT();
        GT e2 = new GT();

        G1 Wy = new G1();
        G1 ACC = new G1();
        Mcl.mul(ACC, g1, a);
        G2 g2cd = new G2();
        Mcl.add(c_d, c, d);

        Fr uy = new Fr();
        Mcl.neg(uy, b);

        Mcl.mul(g2cd, g2, c_d);

        G1 g1uy = new G1();
        Mcl.mul(g1uy, g1, b);

        G1 ACCUy = new G1();
        Mcl.add(ACCUy, ACC, g1uy);
        Fr a_b = new Fr();
        Fr abcd = new Fr();
        Mcl.sub(a_b, a, b);
        Mcl.div(abcd, a_b, c_d);
        Mcl.mul(Wy, g1, abcd);
        Mcl.pairing(e1, Wy, g2cd);
        Mcl.pairing(e2, ACCUy, g2);
        System.out.println(e1.equals(e2));
jesili commented 2 weeks ago

And i found that $g_1^{0}$ is equal to 0, since it's the add group?

herumi commented 2 weeks ago

to compute e(g1^a-b/(c+d), g2^(c+d)) = e(g1^a g1^-b, g2) but the equality is not hold

The equation does not hold.

$e(g_1^{(a-b)/(c+d)}, g_2^{c+d})=e(g_1^a g_1^{-b}, g2)$ is correct.

My library treas G1 and G2 as additive groups and GT as a multiplicative group.

jesili commented 2 weeks ago

to compute e(g1^a-b/(c+d), g2^(c+d)) = e(g1^a g1^-b, g2) but the equality is not hold

The equation does not hold.

e(g1(a−b)/(c+d),g2c+d)=e(g1ag1−b,g2) is correct.

My library treas G1 and G2 as additive groups and GT as a multiplicative group.

Sorry, i type wrong. But the code is computed as the right equation

herumi commented 2 weeks ago 
Mcl.mul(g1uy, g1, b);

It is not correct.

Mcl.mul(g1yu, g1, uy); // g1^(-b)

Then, it shows true.

jesili commented 2 weeks ago

Thank you very much, I've found that most of my errors are due to carelessness. I have addressed this problem, excited!