Add pairings initial notes

abstract-algebra-charles-pinter-notes.tex

@@ -179,7 +179,7 @@ Every subgroup of a cyclic group is cyclic.
 \end{theorem}
 
 \begin{theorem}[Lagrange's theorem]
-    Let $G$ be a finite group, and $H$ any subgroup of $G$. The order of $G$ is a multiple of the order of $H$.
+    Let $G$ be a finite group, and $H$ any subgroup of $G$. The order of $G$ is a multiple of the order of $H$. $|H|$ divides $|G|$.
 \end{theorem}
     Lagrange's theorem can be easily seen by the facts that:
     \begin{enumerate}[i.]
@@ -187,7 +187,6 @@ Every subgroup of a cyclic group is cyclic.
 	\item $|Ha| = |H|$ (each coset has the same order as H). 
     \end{enumerate}
 
-
 By consequence,
 \begin{theorem}
     If $G$ is a group with a prime number $p$ of elements, then $G$ is a cyclic group. Furthermore, any element $a \neq e$ in $G$ is a generator of $G$.
@@ -371,6 +370,18 @@ From the last two theorems: every integer $m$ can be factored into primes, and t
     $$a^{p-1} \equiv 1 \pmod p, \forall a \not\equiv 0 \pmod p$$
     \\
     So, by taking $a^{p-2} \cdot a \equiv 1 \pmod p$, where $a^{p-2} \equiv a^{-1} \pmod p$ (the inverse modulo p), we see that $a^p \equiv a \pmod p, \forall a \in \mathbb{Z}$, so $a^p - a$ is a multiple of $p$.
+
+    ~\\\emph{Relation to Lagrange's theorem:}\\
+    Let $G = \mathbb{Z}_p$, and let $H$ be the multiplicative subgroup of $G$ generated by $a$ (ie. $H = \{ 1, a, a^2, \ldots \}$). The order of $H$ ($h = |H|$), is also the order of $a$ (ie. smallest $n>1$ s.t. $a^n=1~mod~p$).
+
+    By Lagrange's theorem, $h~|~|G| = p - 1$, so $p-1 = h \cdot m$, thus
+    $$
+    a^{p-1} = (a^h)^m \equiv 1^m \equiv 1~mod~p
+    $$
+
+    ~\\\emph{Another perspective:}\\
+    We have $a^p \equiv a \pmod{p}$, by dividing by $a$ on both sides, we obtain $a^{p-1} \equiv 1 \pmod{p}$.
+
 \end{theorem}
 
 \begin{theorem}[Euler's $\phi$ function]

blind-sign-over-ec.sage

@@ -52,19 +52,19 @@ def verify(G, Q, sig, m):
 
 
 # ethereum elliptic curve
-p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
+p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F # base field
 a = 0
 b = 7
-F = GF(p)
+F = GF(p) # base field
 E = EllipticCurve(F, [a,b])
 GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
 GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
 g = E(GX,GY)
 n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
-q = g.order()
+q = g.order() # order of Fp
 assert is_prime(p)
 assert is_prime(q)
-Fq = GF(q)
+Fq = GF(q) # scalar field
 
 
 

fft.sage

@@ -105,21 +105,25 @@ print("nth roots of unity:", w)
 print("Vandermonde matrix:")
 print(ft)
 
-a = vector([3,4,5,9])
-print("a:", a)
+fa_eval = vector([3,4,5,9])
+print("fa_eval:", fa_eval)
 
 # interpolate f_a(x)
-fa_coef = ft_inv * a
+fa_coef = ft_inv * fa_eval
 print("fa_coef:", fa_coef)
 
 P.<x> = PolynomialRing(F)
 fa = P(list(fa_coef))
 print("f_a(x):", fa)
 
-# check that evaluating fa(x) at the roots of unity returns the expected values of a
-for i in range(len(a)):
-    assert fa(w[i]) == a[i]
+# check that evaluating fa(x) at the roots of unity returns the expected values of fa_eval
+for i in range(len(fa_eval)):
+    assert fa(w[i]) == fa_eval[i]
 
+# go from coefficient form to evaluation form
+fa_eval2 = ft * fa_coef
+print("fa_eval'", fa_eval)
+assert fa_eval2 == fa_eval
 
 
 # Fast polynomial multiplicaton using FFT

ipa.sage

@@ -181,7 +181,7 @@ class IPA_halo:
         # a, b, G have length=1
         # l, r are random blinding factors
         # L, R are the "cross-terms" of the inner product
-        return a[0], b[0], G[0], l, r, L, R
+        return a[0], l, r, L, R
 
     def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R):
         print("methid verify()")
@@ -358,7 +358,7 @@ class TestUtils(unittest.TestCase):
 
 
 class TestIPA_bulletproofs(unittest.TestCase):
-        def test_inner_product(self):
+        def test_inner_product_argument(self):
             d = 8
             ipa = IPA_bulletproofs(Fq, E, g, d)
 
@@ -374,9 +374,6 @@ class TestIPA_bulletproofs(unittest.TestCase):
             v = ipa.evaluate(a, b)
             print("v", v)
 
-            # verifier
-            #  r = int(ipa.F.random_element())
-
             # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾
             U = ipa.E.random_element()
             k = int(math.log(d, 2))
@@ -418,7 +415,7 @@ class TestIPA_halo(unittest.TestCase):
             vc_c = vc_a + vc_b
             assert vc_c == expected_vc_c
 
-        def test_inner_product(self):
+        def test_inner_product_argument(self):
             d = 8
             ipa = IPA_halo(Fq, E, g, d)
 
@@ -428,7 +425,7 @@ class TestIPA_halo(unittest.TestCase):
             x = ipa.F(3)
             x_powers = powers_of(x, ipa.d) # = b
             
-            # verifier
+            # blinding factor
             r = int(ipa.F.random_element())
 
             # prover
@@ -438,6 +435,8 @@ class TestIPA_halo(unittest.TestCase):
             print("v", v)
 
             # verifier generate random challenges {uᵢ} ∈ 𝕀 and U ∈ 𝔾
+            # This might be obtained from the hash of the transcript
+            # (Fiat-Shamir heuristic for non-interactive version)
             U = ipa.E.random_element()
             k = int(math.log(ipa.d, 2))
             u = [None] * k
@@ -449,7 +448,7 @@ class TestIPA_halo(unittest.TestCase):
             P = P + int(v) * U
 
             # prover
-            a_ipa, b_ipa, G_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U)
+            a_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U)
 
             # verifier
             print("P", P)

notes_bls-sig.tex

@@ -73,7 +73,7 @@ Unfold:
 $$\fbox{e(pk_{aggr}, H(m))}= e(pk_1 + pk_2 + \ldots + pk_n, H(m)) =$$
 $$=e([sk_1] \cdot g_1 + [sk_2] \cdot g_1 + \ldots + [sk_n] \cdot g_1, H(m))=$$
 $$=e([sk_1 + sk_2 + \ldots + sk_n] \cdot g_1, H(m))=$$
-$$=e(g_1, H(m))^{(sk_1 + sk_2 + \ldots + sk_n)}=$$
+$$=[sk_1 + sk_2 + \ldots + sk_n]~\cdot~e(g_1, H(m))=$$
 $$=e(g_1, [sk_1 + sk_2 + \ldots + sk_n] \cdot H(m))=$$
 $$=e(g_1, [sk_1] \cdot H(m) + [sk_2] \cdot H(m) + \ldots + [sk_n] \cdot H(m))=$$
 $$=e(g_1, \sigma_1 + \sigma_2 + \ldots + \sigma_n)= \fbox{e(g_1, \sigma_{aggr})}$$

pairings.tex

@@ -0,0 +1,123 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\hypersetup{
+    colorlinks,
+    citecolor=black,
+    filecolor=black,
+    linkcolor=black,
+    urlcolor=blue
+}
+% \usepackage{xcolor}
+
+% prevent warnings of underfull \hbox:
+% \usepackage{etoolbox}
+% \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+\newtheorem{innersolution}{}
+\newenvironment{solution}[1]
+{\renewcommand\theinnersolution{#1}\innersolution}
+{\endinnersolution}
+
+
+\title{Bilinear Pairings - study}
+\author{arnaucube}
+\date{August 2022}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+  Notes taken from \href{https://sites.google.com/site/matanprasma/artifact}{Matan Prsma} math seminars and also while reading about Bilinear Pairings. Usually while reading papers and books I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+	The notes are not complete, don't include all the steps neither all the proofs. I use these notes to revisit the concepts after some time of reading the topic.
+\end{abstract}
+
+\tableofcontents
+
+\section{Weil reciprocity}
+
+\section{Generic Weil Pairing}
+
+\begin{definition}{Divisor}
+  $$D= \sum_{P \in E(\mathbb{K})} n_p \cdot [P]$$
+\end{definition}
+
+\begin{definition}{Degree \& Sum}
+  $$deg(D)= \sum_{P \in E(\mathbb{K})} n_p$$
+  $$sum(D)= \sum_{P \in E(\mathbb{K})} n_p \cdot P$$
+\end{definition}
+
+\begin{definition}{Principal divisor}
+  iff $deg(D)=0$ and $sum(D)=0$
+\end{definition}
+$D \sim D'$ iff $D - D'$ is principal.
+
+
+\begin{definition}{Evaluation of a rational function}
+  $$r(D)= \prod r(P)^{n_p}$$
+\end{definition}
+
+\subsection{Generic Weil Pairing}
+Let $E(\mathbb{K})$, with $\mathbb{K}$ of char $p$, $n$ s.t. $p \nmid n$.
+
+$\mathbb{K}$ large enough: $E(\mathbb{K})[n] = E(\mathbb{\overline{K}}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$ (with $n^2$ elements).
+
+$P, Q \in E[n]$:
+$$D_P \sim [P] - [0]$$
+$$D_Q \sim [Q] - [0]$$
+We need them to have disjoint support:
+$$D_P \sim [P] - [0]$$
+$$D_Q \sim [Q+T] - [T]$$
+
+$$\Delta D = D_Q - D_Q' = [Q] - [0] - [Q+T] + [T]$$
+
+
+\section{Exercises}
+\emph{An Introduction to Mathematical Cryptography, 2nd Edition} - Section 6.8. Bilinear pairings on elliptic curves
+
+\begin{solution}{6.29}
+  $div(R(x) \cdot S(x)) = div( R(x)) + div( S(x))$, where $R(x), S(x)$ are rational functions.
+  \\proof:\\
+  \emph{Norm} of $f$: $N_f = f \cdot \overline{f}$, and we know that $N_{fg} = N_f \cdot N_g~\forall~\mathbb{K}[E]$,\\
+  then $$deg(f) = deg_x(N_f)$$\\
+  and $$deg(f \cdot g) = deg(f) + deg(g)$$
+
+  Proof:
+  $$deg(f \cdot g) = deg_x(N_{fg}) = deg_x(N_f \cdot N_g)$$
+  $$= deg_x(N_f) + deg_x(N_g) = deg(f) + deg(g)$$
+
+  So, $\forall P \in E(\mathbb{K}),~ ord_P(rs) = ord_P(r) + ord_P(s)$.\\
+  As $div(r) = \sum_{P\in E(\mathbb{K})} ord_P(r)[P]$, $div(s) = \sum ord_P(s)[P]$.
+
+  So,
+  $$div(rs) = \sum ord_P(rs)[P]$$
+  $$= \sum ord_P(r)[P] + \sum ord_P(s)[P] = div(r) + div(s)$$
+\end{solution}
+
+\vspace{0.5cm}
+
+\begin{solution}{6.31}
+  $$e_m(P, Q) = e_m(Q, P)^{-1} \forall P, Q \in E[m]$$
+  Proof:
+  We know that $e_m(P, P) = 1$, so:
+  $$1 = e_m(P+Q, P+Q) = e_m(P, P) \cdot e_m(P, Q) \cdot e_m(Q, P) \cdot e_m(Q, Q)$$
+
+  and we know that $e_m(P, P) = 1$, then we have:
+  $$1 = e_m(P, Q) \cdot e_m(Q, P)$$
+  $$\Longrightarrow e_m(P, Q) = e_m(Q, P)^{-1}$$
+\end{solution}
+
+
+
+
+\end{document}