Re: What's the code for doing the reverse of this code over the altbn128

Laël Cellier on Fri, 18 Jul 2025 19:40:39 +0200

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: What's the code for doing the reverse of this code over the altbn128 curve

To: pari-users <pari-users@pari.math.u-bordeaux.fr>, aurel.page@normalesup.org
Subject: Re: What's the code for doing the reverse of this code over the altbn128 curve
From: Laël Cellier <lael.cellier@gmail.com>
Date: Fri, 18 Jul 2025 19:40:24 +0200
Delivery-date: Fri, 18 Jul 2025 19:40:39 +0200
Disposition-notification-to: Laël Cellier <lael.cellier@gmail.com>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752860436; x=1753465236; darn=pari.math.u-bordeaux.fr; h=content-transfer-encoding:in-reply-to:disposition-notification-to :content-language:references:reply-to:to:from:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=uzgq18hG2CxRRELOcmiO2VSvqdjqy8rDJsq84E1PtGk=; b=j+dipg6nMJoFy1bPivERv1pKNxTQDXn+WDCZu9g3RYXkCrhk0hFFY3o5P6RzU1KVeo sNbqwAjxHhDT6Bt8dcVMEHHXp4PhfrdWTN7t8ie8xuQbX297C81AKPtMwXxWUaaF626n 8G82lHAejgo1/nRlDFKHUhqo5oPYjD7jIAFxawd+SkgSzxqyQQlSiiLy8pKGSbL+ciYx YTm8Gyx23FvHuXovu1ie1EDHp8If3JlYFu/fledUALbjQfLvMyfQYDnDorHxB8jyx6vJ ej8efQtO59pIKG3grujufqWxK3vNzIiclYSw2KKgXqjruQA2N1KoezXRo5glghX8KIhr cEJQ==
In-reply-to: <05ee1716-d860-4a71-9cd1-2c5ea1f6289a@gmail.com>
References: <c76f361b-daea-4cd1-8b5e-ce4896987783@gmail.com> <05ee1716-d860-4a71-9cd1-2c5ea1f6289a@gmail.com>
Reply-to: lael.cellier@laposte.net
User-agent: Thunderbird Daily

Thank you. I suppose there’s no way to preserve the discrete logarithmif the point contains elements not in F_p(w) ?

This is because I need to use the algorithm 4.1 inhttps://eprint.iacr.org/2019/385.pdf page 8. And in needs a specificinput point which mean either I can select the right F_p² that will bemapped to the expected F_p¹² or I select the right F_p¹² direct but inway that it can be mapped back to F_p²


Anyway, here’s the algorithm in Pari/ɢᴘ to try if a point is valid :

miller_function_eval(E, Q, m, P)={
local(bb, T, f, i, lambda, x2T, y2T, xTQ, yTQ, x, y);
    bb = binary(m);
    [x, y] = P;
    T = Q;
    f = 1;
    for(i = 2, #bb,
        lambda = (3*T[1]^2 + E.a4) / (2*T[2]);
        x2T = lambda^2 - 2*T[1];
        y2T = -T[2] - lambda * (x2T - T[1]);
        f = f^2 * (y - T[2] - lambda * (x - T[1])) / (x + 2*T[1] - lambda^2);
        T = [x2T, y2T];
        if (bb[i] == 1,
            lambda = (T[2] - Q[2]) / (T[1] - Q[1]);
            xTQ = lambda^2 - T[1] - Q[1];
            yTQ = -T[2] - lambda * (xTQ - T[1]);
            f = f * (y - T[2] - lambda * (x - T[1])) / (x + (Q[1] + T[1]) - lambda^2);
            T = [xTQ, yTQ];
        );
    );
    f = f * (x - T[1]);
    return(f);
}
pairing_invert(E,q,k,ell,d,x,v,A)={
local(r,s,u,x1,x2,y2,L,i);
    r = q^k;
    if (k % 2 != 0, print("embedding degree must be even!"); return; );
    s = q^(k/2);
    if (ellcard(E) % ell != 0, print("ell must divide #E(Fq)."); return; );
    if (d % ell != 0 || (s+1) % d != 0, print("Require ell|d and d|(q^k/2+1)."); return; );
    u = (v^((s+1)/d))^((s+1)/2);
    if (u^s != u, print("u not in F_{q^k/2}, there is no inversion."); return; );
    x1 = A[1] + u; x2 = A[1] - u;
    L = List();
    y2 = x1^3 + E.a4*x1 + E.a6;
    if (y2^((s-1)/2) == 1, listput(L,[x1,sqrt(y2)]); listput(L,[x1,-sqrt(y2)]); );
    y2 = x2^3 + E.a4*x2 + E.a6;
    if (y2^((s-1)/2) == 1, listput(L,[x2,sqrt(y2)]); listput(L,[x2,-sqrt(y2)]); );
    for(i = 1, #L,
        Q = L[i];
        if (ellorder(E,Q) == ell && miller_function_eval(E, A, d, Q) == v, return (Q); );
    );
    print("there is no inversion.");
    return;
}

Even if the implementation is incorrect miller inversion can work withthe result of Weil pairing on this curve.

> This has nothing to do with the order of points, it simply identifieselements of F_p(w) that are in fact in F_p(i), and applies this to thecoordinates of the points.

>
> Aurel

References:
- What's the code for doing the reverse of this code over the altbn128 curve
  - From: Laël Cellier <lael.cellier@gmail.com>
- Re: What's the code for doing the reverse of this code over the altbn128 curve
  - From: Laël Cellier <lael.cellier@gmail.com>

Prev by Date: Re: What's the code for doing the reverse of this code over the altbn128 curve
Next by Date: Re: What's the code for doing the reverse of this code over the altbn128 curve
Previous by thread: Re: What's the code for doing the reverse of this code over the altbn128 curve
Next by thread: Re: What's the code for doing the reverse of this code over the altbn128 curve
Index(es):
- Date
- Thread