How to flexibly utilize bilinear mappings?

[121TheShuDynasty]

I have already constructed the p256 prime field, and I encountered the following issue when using bilinear pairing: 1.I used the function pc_param_set_any() to set the curve, and the returned curve is BN-256. Is there a function that allows me to set any curve I want to use, such as SM2-P256? 2.I can obtain the generator of group g1 through g1_get_gen(), but I also want to obtain other generators in group g1. What should I do？

[dfaranha]

1. Curve SM2_P256 is not pairing-friendly, thus no bilinear pairing support. I added some minimal code below for computing a pairing over SM9 if that is what you mean.
2. Any multiple of the G1 generator is also a generator (prime-order group).

include "relic.h"

int main() {
        g1_t p;
        g2_t q;
        gt_t e;

        core_init();

        ep_param_set(SM9_P256);
        ep_param_print();
        g1_rand(p);
        g1_print(p);

        ep2_curve_set_twist(RLC_EP_DTYPE);
        g2_rand(q);
        g2_print(q);

        pc_map(e, p, q);
        gt_print(e);

        core_clean();
        return 0;
}

[121TheShuDynasty]

How can I quickly determine if a curve is pairing-friendly?

[dfaranha]

If you need want to learn more about pairings, read parts of Pairings for Beginners by Costello to learn what pairing-friendly curves are, learn some SageMath, and check the parameters inside Sage.

If you just need to get the job done, pick a pairing-friendly curve from the start and stick to it. You already have two examples (BN-256 and SM9_P256).

[121TheShuDynasty]

Sorry, I'm a beginner in using bilinear mapping. I've already set the curve with ep_param_set(SM9_P256);. Why do I still need to use ep2_curve_set_twist(RLC_EP_DTYPE);?

[dfaranha]

To set up groups G2 and GT properly as well.

[121TheShuDynasty]

1.Thank you, I understand a lot. Since I am dealing with curves configured over a prime field, the groups G1, G2, and GT are all of prime order. Therefore, any multiple of the G1 generator is also a generator. Is this understanding correct? 2.The multiple of the G1 generator is obtained through the function g1_mul_gen(), right? The value of the multiple should be between 1 and g1_mul_gen(), correct?

3.In addition, does relic support multi-scalar multiplication to achieve the goal of s_1 P_1 + ... s_n P_n?

Thank you very much for your answer.

[dfaranha]

1. Yes
2. Yes, but it's a cyclic group, so there's no sense of "between".
3. Look at the g1_mul_sim functions, or g2_mul_sim for G2.

[121TheShuDynasty]

Sorry, I made a mistake. Here's the corrected question, thank you:

2. The multiple of the G1 generator is obtained through the function g1_mul_gen(), right? The value of the multiple should be between 1 and pc_get_ord(), correct?

[dfaranha]

2. Yes, but you will get a point instead of an integer multiple.

[121TheShuDynasty]

I now understand that you have set up groups G1, G2, and GT, achieving G1 X G2 → GT. If I want to achieve G1 X G1 → GT, how should I modify the above code? Do I still need to use ep2_curve_set_twist(RLC_EP_DTYPE)?

[dfaranha]

Then you need a symmetric pairing and a completely different choice of curve.

[121TheShuDynasty]

Sorry, I don't quite understand. Could you provide a simple demo?Does the relic library support it?

[dfaranha]

RELIC supports one inefficient example, as symmetric pairings are out-of-fashion for many years now: https://github.com/relic-toolkit/relic/blob/main/preset/gmp-pbc-ss1536.sh

[121TheShuDynasty]

Thank you for your answer. Another question is: does the relic library currently support ECDSA and AES algorithms?

[dfaranha]

Yes, as a very quick search would reveal.

[121TheShuDynasty]

If I use the function pc_param_set_any(), does that mean I no longer need to use ep2_curve_set_twist(RLC_EP_DTYPE) to configure the G2 group with the default curve BN256?

[dfaranha]

Yes.

[121TheShuDynasty]

Hello, I have read the relic library files, g1_t q, if we want to calculate q^k, can we only use the g1_mul() function in a loop?

[dfaranha]

Computing [k]Q (in additive notation) is just one call to g1_mul()

[121TheShuDynasty]

Yes, you are correct, but if I want to calculate Q^ k instead of k · Q, it seems that this function is not present

[dfaranha]

Q^k is [k]Q in multiplicative notation.

[121TheShuDynasty]

1.So g1_mul_gen (Q, k) is Q=G ^ k instead of Q=kG?This is a bit strange.; 2.If that's the case, how can I compute kQ? 3.I only found gt_mul(C, A, B) which means C = A * B, but I couldn't find g1_mul(C, A, B) or g2_mul(C, A, B).

[dfaranha]

Like most of the scientific literature, RELIC uses additive notation for G1 and G2, and multiplicative notation for GT. If you think this is strange, I welcome you to find another library out there with a more suitable interface.

1/2. As I told you, G^k and [k]G are the same operation, represented under different notations.

3. Because G1 and G2 are represented additively, you can use g1_add and g2_add to call the group operation (called point addition).

[121TheShuDynasty]

Thank you, I understand. Please confirm the following:

1. G1 and G2 use addition symbol, so adding k Qs results in Q + Q + .... + Q = Q^k = kQ. I can achieve Q = A + B = AB using g1_add.
2. GT uses multiplication symbol, so multiplying k Qs results in Q Q .... * Q = Q^k = kQ.
3. Does g1_is_valid already include the functionality of g1_on_curve?

[dfaranha]

Confirmed 1 and 2.

3. Yes, as a quick exam of the g1_is_valid function shows.

[121TheShuDynasty]

Thank you for your answer, greatly appreciated.

[121TheShuDynasty]

Sorry, I'd like to confirm again in the group represented by multiplication, Q * Q = Q ^2, it should not be equal to 2Q, right? Maybe my understanding is wrong. Because I think 2Q is scalar multiplication rather than dot multiplication.

[dfaranha]

We're talking about groups, they only have one operation. Q^2 is the same as 2Q, only the notation is different.

[121TheShuDynasty]

Sure, I understand a lot now, thank you very much.