diff --git a/abstract-algebra-charles-pinter-notes.pdf b/abstract-algebra-charles-pinter-notes.pdf index a4f2f4c..f1f3462 100644 Binary files a/abstract-algebra-charles-pinter-notes.pdf and b/abstract-algebra-charles-pinter-notes.pdf differ diff --git a/abstract-algebra-charles-pinter-notes.tex b/abstract-algebra-charles-pinter-notes.tex index 6c2c2f1..ddd2e25 100644 --- a/abstract-algebra-charles-pinter-notes.tex +++ b/abstract-algebra-charles-pinter-notes.tex @@ -179,7 +179,7 @@ Every subgroup of a cyclic group is cyclic. \end{theorem} \begin{theorem}[Lagrange's theorem] - Let $G$ be a finite group, and $H$ any subgroup of $G$. The order of $G$ is a multiple of the order of $H$. + Let $G$ be a finite group, and $H$ any subgroup of $G$. The order of $G$ is a multiple of the order of $H$. $|H|$ divides $|G|$. \end{theorem} Lagrange's theorem can be easily seen by the facts that: \begin{enumerate}[i.] @@ -187,7 +187,6 @@ Every subgroup of a cyclic group is cyclic. \item $|Ha| = |H|$ (each coset has the same order as H). \end{enumerate} - By consequence, \begin{theorem} If $G$ is a group with a prime number $p$ of elements, then $G$ is a cyclic group. Furthermore, any element $a \neq e$ in $G$ is a generator of $G$. 
@@ -371,6 +370,18 @@ From the last two theorems: every integer $m$ can be factored into primes, and t $$a^{p-1} \equiv 1 \pmod p, \forall a \not\equiv 0 \pmod p$$ \\ So, by taking $a^{p-2} \cdot a \equiv 1 \pmod p$, where $a^{p-2} \equiv a^{-1} \pmod p$ (the inverse modulo p), we see that $a^p \equiv a \pmod p, \forall a \in \mathbb{Z}$, so $a^p - a$ is a multiple of $p$. + + ~\\\emph{Relation to Lagrange's theorem:}\\ + Let $G = \mathbb{Z}_p$, and let $H$ be the multiplicative subgroup of $G$ generated by $a$ (ie. $H = \{ 1, a, a^2, \ldots \}$). The order of $H$ ($h = |H|$), is also the order of $a$ (ie. smallest $n>1$ s.t. $a^n=1~mod~p$). + + By Lagrange's theorem, $h~|~|G| = p - 1$, so $p-1 = h \cdot m$, thus + $$ + a^{p-1} = (a^h)^m \equiv 1^m \equiv 1~mod~p + $$ + + ~\\\emph{Another perspective:}\\ + We have $a^p \equiv a \pmod{p}$, by dividing by $a$ on both sides, we obtain $a^{p-1} \equiv 1 \pmod{p}$. + \end{theorem} \begin{theorem}[Euler's $\phi$ function] diff --git a/blind-sign-over-ec.sage b/blind-sign-over-ec.sage index 6b7d82e..6ef25fc 100644 --- a/blind-sign-over-ec.sage +++ b/blind-sign-over-ec.sage @@ -52,19 +52,19 @@ def verify(G, Q, sig, m): # ethereum elliptic curve -p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F +p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F # base field a = 0 b = 7 -F = GF(p) +F = GF(p) # base field E = EllipticCurve(F, [a,b]) GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 g = E(GX,GY) n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 -q = g.order() +q = g.order() # order of Fp assert is_prime(p) assert is_prime(q) -Fq = GF(q) +Fq = GF(q) # scalar field diff --git a/fft.sage b/fft.sage index c01d17e..c5494fd 100644 --- a/fft.sage +++ b/fft.sage 
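Review bot: The added "Relation to Lagrange's theorem" paragraph applies Lagrange to the wrong group: `$G = \mathbb{Z}_p$` is the additive group of order $p$, whereas the argument needs the multiplicative group `$G = \mathbb{Z}_p^*$` (order $p-1$, which is what makes `$h~|~|G| = p - 1$` true) with $H = \langle a \rangle$ inside it. In the same paragraph the order of $a$ should be the smallest `$n \geq 1$` with $a^n \equiv 1 \pmod p$; with $n>1$ the element $a=1$ has no order. The "Another perspective" step divides by $a$, which is only legitimate when $a \not\equiv 0 \pmod p$ — that is exactly the theorem's hypothesis and is worth stating on that line, e.g. `(valid since $a \not\equiv 0 \pmod p$, so $a$ is invertible)`. The enclosing theorem environment begins before this hunk.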
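Review bot: The comment added on `q = g.order() # order of Fp` is wrong: `g.order()` is the order of the point `g`, i.e. the size of the cyclic group it generates (the secp256k1 group order that the hard-coded `n` two lines above holds), whereas the order of `F_p` is `p`. This matters because `q` becomes the modulus of `Fq`, the scalar field that blinding factors and signature scalars are reduced in, so a reader relying on the comment would confuse the two fields. I would write `q = g.order() # order of the group generated by g (= n, the scalar field modulus)` and add `assert q == n` next to the existing primality asserts, so that the hard-coded `n` is checked against the computed value instead of being left unused in this hunk.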
@@ -105,21 +105,25 @@ print("nth roots of unity:", w) print("Vandermonde matrix:") print(ft) -a = vector([3,4,5,9]) -print("a:", a) +fa_eval = vector([3,4,5,9]) +print("fa_eval:", fa_eval) # interpolate f_a(x) -fa_coef = ft_inv * a +fa_coef = ft_inv * fa_eval print("fa_coef:", fa_coef) P. = PolynomialRing(F) fa = P(list(fa_coef)) print("f_a(x):", fa) -# check that evaluating fa(x) at the roots of unity returns the expected values of a -for i in range(len(a)): - assert fa(w[i]) == a[i] +# check that evaluating fa(x) at the roots of unity returns the expected values of fa_eval +for i in range(len(fa_eval)): + assert fa(w[i]) == fa_eval[i] +# go from coefficient form to evaluation form +fa_eval2 = ft * fa_coef +print("fa_eval'", fa_eval) +assert fa_eval2 == fa_eval # Fast polynomial multiplicaton using FFT diff --git a/ipa.sage b/ipa.sage index 55dbada..f5e2158 100644 --- a/ipa.sage +++ b/ipa.sage @@ -181,7 +181,7 @@ class IPA_halo: # a, b, G have length=1 # l, r are random blinding factors # L, R are the "cross-terms" of the inner product - return a[0], b[0], G[0], l, r, L, R + return a[0], l, r, L, R def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R): print("methid verify()") @@ -358,7 +358,7 @@ class TestUtils(unittest.TestCase): class TestIPA_bulletproofs(unittest.TestCase): - def test_inner_product(self): + def test_inner_product_argument(self): d = 8 ipa = IPA_bulletproofs(Fq, E, g, d) @@ -374,9 +374,6 @@ class TestIPA_bulletproofs(unittest.TestCase): v = ipa.evaluate(a, b) print("v", v) - # verifier - # r = int(ipa.F.random_element()) - # verifier generate random challenges {uแตข} โˆˆ ๐•€ and U โˆˆ ๐”พ U = ipa.E.random_element() k = int(math.log(d, 2)) @@ -418,7 +415,7 @@ class TestIPA_halo(unittest.TestCase): vc_c = vc_a + vc_b assert vc_c == expected_vc_c - def test_inner_product(self): + def test_inner_product_argument(self): d = 8 ipa = IPA_halo(Fq, E, g, d) 
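Review bot: The new coefficient-to-evaluation round trip prints the wrong variable: `print("fa_eval'", fa_eval)` shows the original evaluations rather than the recomputed `fa_eval2`, so the printed line can never expose a mismatch; it should read `print("fa_eval':", fa_eval2)`. The `assert fa_eval2 == fa_eval` that follows is the actual check and is correct as written. The renamed evaluation loop could also iterate `zip(w, fa_eval)` instead of indexing with `range(len(...))`, but that is cosmetic.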
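Review bot: The comment block directly above the changed `return a[0], l, r, L, R` still says `# a, b, G have length=1`, but `b[0]` and `G[0]` are no longer returned, so it now describes values the caller never receives. Not handing the folded `b` and `G` to the verifier is the right direction — the verifier should recompute them from the challenges itself rather than trust the prover's copy — and the comment should say so, e.g. `# a has length=1 (final folded scalar); the folded b and G are deliberately not returned, the verifier recomputes them from the challenges`. Whether `verify()` below actually recomputes them is not visible in this hunk and is worth confirming. The `ipa` method's body starts before this hunk.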
@@ -428,7 +425,7 @@ class TestIPA_halo(unittest.TestCase): x = ipa.F(3) x_powers = powers_of(x, ipa.d) # = b - # verifier + # blinding factor r = int(ipa.F.random_element()) # prover @@ -438,6 +435,8 @@ class TestIPA_halo(unittest.TestCase): print("v", v) # verifier generate random challenges {uแตข} โˆˆ ๐•€ and U โˆˆ ๐”พ + # This might be obtained from the hash of the transcript + # (Fiat-Shamir heuristic for non-interactive version) U = ipa.E.random_element() k = int(math.log(ipa.d, 2)) u = [None] * k @@ -449,7 +448,7 @@ class TestIPA_halo(unittest.TestCase): P = P + int(v) * U # prover - a_ipa, b_ipa, G_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U) + a_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U) # verifier print("P", P) diff --git a/notes_bls-sig.pdf b/notes_bls-sig.pdf index 537b48f..524afbb 100644 Binary files a/notes_bls-sig.pdf and b/notes_bls-sig.pdf differ diff --git a/notes_bls-sig.tex b/notes_bls-sig.tex index 9b3b925..257c558 100644 --- a/notes_bls-sig.tex +++ b/notes_bls-sig.tex @@ -73,7 +73,7 @@ Unfold: $$\fbox{e(pk_{aggr}, H(m))}= e(pk_1 + pk_2 + \ldots + pk_n, H(m)) =$$ $$=e([sk_1] \cdot g_1 + [sk_2] \cdot g_1 + \ldots + [sk_n] \cdot g_1, H(m))=$$ $$=e([sk_1 + sk_2 + \ldots + sk_n] \cdot g_1, H(m))=$$ -$$=e(g_1, H(m))^{(sk_1 + sk_2 + \ldots + sk_n)}=$$ +$$=[sk_1 + sk_2 + \ldots + sk_n]~\cdot~e(g_1, H(m))=$$ $$=e(g_1, [sk_1 + sk_2 + \ldots + sk_n] \cdot H(m))=$$ $$=e(g_1, [sk_1] \cdot H(m) + [sk_2] \cdot H(m) + \ldots + [sk_n] \cdot H(m))=$$ $$=e(g_1, \sigma_1 + \sigma_2 + \ldots + \sigma_n)= \fbox{e(g_1, \sigma_{aggr})}$$ diff --git a/pairings.pdf b/pairings.pdf new file mode 100644 index 0000000..a01ba7f Binary files /dev/null and b/pairings.pdf differ diff --git a/pairings.tex b/pairings.tex new file mode 100644 index 0000000..4195bc4 --- /dev/null +++ b/pairings.tex 
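Review bot: The Fiat-Shamir comment added above `U = ipa.E.random_element()` should state what must be hashed, because the surrounding test picks `U` and the whole `u` vector before the prover has committed to anything. In a non-interactive instantiation `U` has to be derived from a transcript that already contains the commitment `P` and the claimed `v`, and each `u_j` from the transcript extended with that round's `L_j, R_j`; a prover who can predict the challenges can otherwise forge. Suggested wording: `# In the non-interactive version U and every u_j are Fiat-Shamir challenges: U = H(transcript || P || v), u_j = H(transcript || L_j || R_j); they cannot be sampled up-front as this test does`. Sage's `random_element()` is also not a cryptographic RNG, which is acceptable for a test but should not be copied into a real prover/verifier. The test method begins before this hunk.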
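Review bot: The changed line `=[sk_1 + sk_2 + \ldots + sk_n]~\cdot~e(g_1, H(m))=` mixes notations: the pairing target group $G_T$ is a multiplicative subgroup of a field extension, so a scalar acts by exponentiation and the removed form `e(g_1, H(m))^{(sk_1 + \ldots + sk_n)}` was the conventional one; if the note deliberately writes $G_T$ additively, that convention should be stated once where the pairing is introduced. Separately, the aggregation this derivation justifies — `pk_{aggr} = pk_1 + \ldots + pk_n` verified on a single message $m$ — is the plain-sum variant that is subject to rogue public-key attacks (a participant choosing a key that cancels the honest ones can produce a valid aggregate without their secret keys), so a sentence noting that proofs of possession or per-key exponents are required in practice would be a useful caveat. The `Unfold:` derivation starts before this hunk.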
@@ -0,0 +1,123 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\hypersetup{
+ colorlinks,
+ citecolor=black,
+ filecolor=black,
+ linkcolor=black,
+ urlcolor=blue
+}
+% \usepackage{xcolor}
+
+% prevent warnings of underfull \hbox:
+% \usepackage{etoolbox}
+% \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+\newtheorem{innersolution}{}
+\newenvironment{solution}[1]
+{\renewcommand\theinnersolution{#1}\innersolution}
+{\endinnersolution}
+
+
+\title{Bilinear Pairings - study}
+\author{arnaucube}
+\date{August 2022}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ Notes taken from \href{https://sites.google.com/site/matanprasma/artifact}{Matan Prsma} math seminars and also while reading about Bilinear Pairings. Usually while reading papers and books I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+ The notes are not complete, don't include all the steps neither all the proofs. I use these notes to revisit the concepts after some time of reading the topic.
+\end{abstract}
+
+\tableofcontents
+
+\section{Weil reciprocity}
+
+\section{Generic Weil Pairing}
+
+\begin{definition}{Divisor}
+ $$D= \sum_{P \in E(\mathbb{K})} n_p \cdot [P]$$
+\end{definition}
+
+\begin{definition}{Degree \& Sum}
+ $$deg(D)= \sum_{P \in E(\mathbb{K})} n_p$$
+ $$sum(D)= \sum_{P \in E(\mathbb{K})} n_p \cdot P$$
+\end{definition}
+
+\begin{definition}{Principal divisor}
+ iff $deg(D)=0$ and $sum(D)=0$
+\end{definition}
+$D \sim D'$ iff $D - D'$ is principal.
+
+
+\begin{definition}{Evaluation of a rational function}
+ $$r(D)= \prod r(P)^{n_p}$$
+\end{definition}
+
+\subsection{Generic Weil Pairing}
+Let $E(\mathbb{K})$, with $\mathbb{K}$ of char $p$, $n$ s.t. $p \nmid n$.
+
+$\mathbb{K}$ large enough: $E(\mathbb{K})[n] = E(\mathbb{\overline{K}}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$ (with $n^2$ elements).
+
+$P, Q \in E[n]$:
+$$D_P \sim [P] - [0]$$
+$$D_Q \sim [Q] - [0]$$
+We need them to have disjoint support:
+$$D_P \sim [P] - [0]$$
+$$D_Q \sim [Q+T] - [T]$$
+
+$$\Delta D = D_Q - D_Q' = [Q] - [0] - [Q+T] + [T]$$
+
+
+\section{Exercises}
+\emph{An Introduction to Mathematical Cryptography, 2nd Edition} - Section 6.8. Bilinear pairings on elliptic curves
+
+\begin{solution}{6.29}
+ $div(R(x) \cdot S(x)) = div( R(x)) + div( S(x))$, where $R(x), S(x)$ are rational functions.
+ \\proof:\\
+ \emph{Norm} of $f$: $N_f = f \cdot \overline{f}$, and we know that $N_{fg} = N_f \cdot N_g~\forall~\mathbb{K}[E]$,\\
+ then $$deg(f) = deg_x(N_f)$$\\
+ and $$deg(f \cdot g) = deg(f) + deg(g)$$
+
+ Proof:
+ $$deg(f \cdot g) = deg_x(N_{fg}) = deg_x(N_f \cdot N_g)$$
+ $$= deg_x(N_f) + deg_x(N_g) = deg(f) + deg(g)$$
+
+ So, $\forall P \in E(\mathbb{K}),~ ord_P(rs) = ord_P(r) + ord_P(s)$.\\
+ As $div(r) = \sum_{P\in E(\mathbb{K})} ord_P(r)[P]$, $div(s) = \sum ord_P(s)[P]$.
+
+ So,
+ $$div(rs) = \sum ord_P(rs)[P]$$
+ $$= \sum ord_P(r)[P] + \sum ord_P(s)[P] = div(r) + div(s)$$
+\end{solution}
+
+\vspace{0.5cm}
+
+\begin{solution}{6.31}
+ $$e_m(P, Q) = e_m(Q, P)^{-1} \forall P, Q \in E[m]$$
+ Proof:
+ We know that $e_m(P, P) = 1$, so:
+ $$1 = e_m(P+Q, P+Q) = e_m(P, P) \cdot e_m(P, Q) \cdot e_m(Q, P) \cdot e_m(Q, Q)$$
+
+ and we know that $e_m(P, P) = 1$, then we have:
+ $$1 = e_m(P, Q) \cdot e_m(Q, P)$$
+ $$\Longrightarrow e_m(P, Q) = e_m(Q, P)^{-1}$$
+\end{solution}
+
+
+
+
+\end{document}
diff --git a/sigma-or-notes.pdf b/sigma-or-notes.pdf
index e3a8705..6481642 100644
Binary files a/sigma-or-notes.pdf and b/sigma-or-notes.pdf differ
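Review bot: `Principal divisor` is defined as `iff $deg(D)=0$ and $sum(D)=0$`, but on an elliptic curve that is the characterisation theorem, not the definition; the definition is that $D = div(f)$ for some rational function $f$, and the deg/sum condition is the criterion that makes it checkable, so the two should be separated. In the Generic Weil Pairing subsection the line `$E(\mathbb{K})[n] = E(\mathbb{\overline{K}}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$` lost the torsion index on its middle term and asserts equality where an isomorphism is meant; it should read `$E(\mathbb{K})[n] = E(\overline{\mathbb{K}})[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$`. Just below, `$\Delta D = D_Q - D_Q'$` uses $D_Q'$ without ever introducing it, while the disjoint-support divisor is written as a second `$D_Q \sim [Q+T] - [T]$`; naming that one `$D_Q'$` where it is defined fixes the reference. The author link also spells the name `Matan Prsma` while the URL reads `matanprasma`.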