Pair-based cryptography with MIRACL \(e(U1+U2,V)=e(U1,V) \times e(U2,V)\)

[Back] With pair-based cryptography we have two cyclic groups (\(G_1\) and \(G_2\)), and which are of an order of a prime number (\(n\)). A pairing on \((G_1,G_2,G_T)\) defines the function \(e:G_1 \times G_2 \rightarrow G_T\), and where \(g_1\) is a generator for \(G_1\) and \(g_2\) is a generator for \(G_2\). If we have the points of \(U_1\) and \(U_2\) on \(G_1\) and \(V_1\) and \(V_2\) on \(G_2\), we get the bilinear mapping of:

\(e(U_1+U_2,V_1) =e(U_1,V_1) \times e(U_2,V_1)\)

\(e(U_1,V_1+V_2) =e(U_1,V_1) \times e(U_1,V_2)\)

If \(U\) is a point on \(G_1\), and \(V\) is a point on \(G_2\), we get:

\(e(aU,bV) = e(U,V)^{ab}\)

In this example, we will prove these mappings for a pairing for \(e(U1+U2,V)=e(U1,V) \times e(U2,V)\).

U1=(0948d920900000006e8d1360000000021848400000000004e9c0000000000009,17361ed1680000011460b070000000053cb4a0000000000c4860000000000003) U2=(2523648240000001ba344d80000000086121000000000013a700000000000012,0000000000000000000000000000000000000000000000000000000000000001) V=([061a10bb519eb62feb8d8c7e8c61edb6a4648bbb4898bf0d91ee4224c803fb2b,0516aaf9ba737833310aa78c5982aa5b1f4d746bae3784b70d8c34c1e7d54cf3],[021897a06baf93439a90e096698c822329bd0ae6bdbe09bd19f0e07891cd2b9a,0ebb2b0e7c8b15268f6d4456f5f38d37b09006ffd739c9578a2d1aec6b3ace9b]) Pairing: e(U1+U2,V)=e(U1,V)*e(U2,V) Pairing: [[[1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc32f11d8d02d26ddc8af9b0c06,0bc61719e86ad825f16d9d1f34aeb236fafcdd3ff466841424597ace9aa67872],[105d0c40559d5116162718c78586ffb7ca442170bd869176cb24cfbbd5225534,1d8e6c0d1f8404ba675711786a51599498981c0ff11d3462a1f0e191b37b150b]],[[139e5c34b4e2a31f3a1ac5bce7cb6782959a297d52682fb053aa115c1934941f,1f551b6ff6358b15a0cff575834549100c29de2911c78f008f633d34b9546c36],[24b3bd14fb0f222fe26755eea0de06935c6efef27ebb9153a27a74a1dab1d68b,033f1a5f2b484c0619eb14138cdc0b6d84ad24ba846cca766afe61857661c843]],[[01b5d285f3595e47bf663d15a1a6cd5601b9b104543228390742090c6fbe3e5f,088c77265783aabd1e2f4196826444f52463ff642e51813131e8a23551770d51],[022e2e6d26fc832deafa732e9a78af49e1fc0be44c1a86cab5e7b90ddaedf800,239243673bfb2cbde4da1cd9f957e3b7f2a3f21995eb69a382c085be4a18a6c2]]] P1 e(U1+U2,V) Hex (first 20 bytes): 0x1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc3 P2 e(U1,V)*e(U2,V) Hex (first 20 bytes): 0x1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc3 Pairing 1 [e(U1+U2,V)] is equal to Pairing 2 [e(U1,V)*e(U2,V)]

Background

With key pairing we have two cyclic groups (\(G_1\) and \(G_2\)), and which are of an order of a prime number (\(n\)). A pairing on \((G_1,G_2,G_T)\) defines the function \(e:G_1 \times G_2 \rightarrow G_T\), and where \(g_1\) is the generator for \(G_1\) and \(g_2\) is the generator for \(G_2\). If we have the points of \(U_1\) and \(U_2\) on \(G_1\) and \(V_1\) and \(V_2\) on \(G_2\), we get the bilinear mapping of:

\(e(U_1+U_2,V_1) =e(U_1,V_1) \times e(U_2,V_1)\)

\(e(U_1,V_1+V_2) =e(U_1,V_1) \times e(U_1,V_2)\)

If \(U\) is a point on \(G_1\), and \(V\) is a point on \(G_2\), we get:

\(e(aU,bV) =e(U,V)^{ab}\)

If \(G_1\) and \(G_2\) are the same group, we get a symmetric grouping (\(G_1 = G_2 = G\)), and the following commutative property will apply:

\(e(U^a,V^b) = e(U^b,V^a) = e(U,V)^{ab} = e(V,U)^{ab}\)

The computation of \(e\) should be efficient in computation time.

Coding

The outline coding using the library from the MIRACL library [here] is

package main

import (

	"fmt"
	"github.com/miracl/core/go/core/BN254"

)
func FP12toByte(F *BN254.FP12) []byte {

	const MFS int = int(BN254.MODBYTES)
	var t [12 * MFS]byte

	F.ToBytes(t[:])
	return(t[:])
}

func main() {

 
	U1 := BN254.ECP_generator()
	U2 := BN254.ECP_generator()


	V := BN254.ECP2_generator()

	p2 := BN254.Ate(V,U1)	
	p2 = BN254.Fexp(p2)

	p3 := BN254.Ate(V,U2)	
	p3 = BN254.Fexp(p3)

	p3.Mul(p2)


	U1.Add(U2)
	p1 := BN254.Ate(V,U1)	
	p1 = BN254.Fexp(p1)


	fmt.Printf("U1=%s\nU2=%s\n",U1.ToString(),U2.ToString())
	fmt.Printf("V=%s\n\n",V.ToString())
	fmt.Printf("Pairing: e(U1+U2,V)=e(U1,V)*e(U2,V)\n")

	fmt.Printf("\nPairing: %s\n",p1.ToString())
        fmt.Printf("P1 e(U1+U2,V) Hex (first 20 bytes):\t0x%x\n",FP12toByte(p1)[:20])
        fmt.Printf("P3 e(U1,V)*e(U2,V) Hex (first 20 bytes):\t0x%x\n",FP12toByte(p3)[:20])


	if p1.Equals(p3) { fmt.Printf("\nPairing 1 [e(U1+U2,V)] is equal to Pairing 2 [e(U1,V)*e(U2,V)]")}	

}

A sample run:

U1=(0948d920900000006e8d1360000000021848400000000004e9c0000000000009,17361ed1680000011460b070000000053cb4a0000000000c4860000000000003)
U2=(2523648240000001ba344d80000000086121000000000013a700000000000012,0000000000000000000000000000000000000000000000000000000000000001)
V=([061a10bb519eb62feb8d8c7e8c61edb6a4648bbb4898bf0d91ee4224c803fb2b,0516aaf9ba737833310aa78c5982aa5b1f4d746bae3784b70d8c34c1e7d54cf3],[021897a06baf93439a90e096698c822329bd0ae6bdbe09bd19f0e07891cd2b9a,0ebb2b0e7c8b15268f6d4456f5f38d37b09006ffd739c9578a2d1aec6b3ace9b])

Pairing: e(U1+U2,V)=e(U1,V)*e(U2,V)

Pairing: [[[1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc32f11d8d02d26ddc8af9b0c06,0bc61719e86ad825f16d9d1f34aeb236fafcdd3ff466841424597ace9aa67872],[105d0c40559d5116162718c78586ffb7ca442170bd869176cb24cfbbd5225534,1d8e6c0d1f8404ba675711786a51599498981c0ff11d3462a1f0e191b37b150b]],[[139e5c34b4e2a31f3a1ac5bce7cb6782959a297d52682fb053aa115c1934941f,1f551b6ff6358b15a0cff575834549100c29de2911c78f008f633d34b9546c36],[24b3bd14fb0f222fe26755eea0de06935c6efef27ebb9153a27a74a1dab1d68b,033f1a5f2b484c0619eb14138cdc0b6d84ad24ba846cca766afe61857661c843]],[[01b5d285f3595e47bf663d15a1a6cd5601b9b104543228390742090c6fbe3e5f,088c77265783aabd1e2f4196826444f52463ff642e51813131e8a23551770d51],[022e2e6d26fc832deafa732e9a78af49e1fc0be44c1a86cab5e7b90ddaedf800,239243673bfb2cbde4da1cd9f957e3b7f2a3f21995eb69a382c085be4a18a6c2]]]
P1 e(U1+U2,V) Hex (first 20 bytes):	0x1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc3
P3 e(U1,V)*e(U2,V) Hex (first 20 bytes):	0x1958eeeb60db1c8c2a63ad94e5f646dc8e94fdc3

Pairing 1 [e(U1+U2,V)] is equal to Pairing 2 [e(U1,V)*e(U2,V)]