Saturday, November 29, 2025

Elliptic curve pairings in cryptography


Pairings can mean quite a lot of different things in group theory, but for our purposes a pairing is a bilinear mapping from two groups to a third group.

e: G1 × G2 → GT

Usually the group operation on G1 and G2 is written additively and the group operation on GT is written multiplicatively. In fact, GT will always be the multiplicative group of a finite field, i.e. GT consists of the non-zero elements of a finite field under multiplication. (The “T” stands for “target.”)

Here bilinear [1] means that if P is an element of G1 and Q is an element of G2, and a and b are nonnegative integers,

e(aP, bQ) = e(P, Q)^(ab).

There are a few provisos …

First, the pairing must be non-degenerate, i.e. e(P, Q) ≠ 1 for some P and Q.

Second, the pairing must be efficiently computable.

Third, the embedding degree must not be “too high.” This means that if GT is the multiplicative group of a field with p^k elements, k must not be too large. We will look at two examples in which k = 12.

The second and third provisos are important even though they’re not stated rigorously.

Cryptography often speaks of pairing elliptic curves, but in fact it uses pairings of prime-order subgroups of the additive groups of elliptic curves. Because the subgroups have prime order, they’re cyclic, and so the pairing is determined by its value on a generator from each subgroup.

Example: BN254

The previous post briefly mentioned a pairing between two elliptic curves, BN254 and alt_bn128, that is used in Ethereum and was used in Zcash in the original Sprout shielded protocol.

The elliptic curve BN254 is defined over the field Fp, the integers mod p, where

p = 21888242871839275222246405745257275088696311157297823662689037894645226208583.

and the elliptic curve alt_bn128 is defined over the field Fp[i], i.e. the field Fp with an imaginary element i adjoined.

Both elliptic curves have a subgroup of order

r = 21888242871839275222246405745257275088548364400416034343698204186575808495617,

which is prime. So in the pairing the groups G1 and G2 are isomorphic to the integers mod r. The target group GT has order p^12 − 1, so the embedding degree k equals 12, and so the embedding degree is “not too high.”
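The embedding degree above can be checked directly from the two constants: k is the smallest exponent with r dividing p^k − 1, i.e. the multiplicative order of p mod r. The script below is an added example (not code from the original post) that does that check for the BN254 values quoted here, along with two related sanity checks a practitioner would want: that p and r are prime, and that p ≡ 3 (mod 4), which is what makes Fp[i] with i² = −1 a field rather than just a ring. The Miller–Rabin routine and the function names are my own.

```python
from typing import Optional

# Constants copied from the post above (BN254 base-field prime and subgroup order).
BN254_P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with fixed small bases; error probability is negligible for our purposes."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for a in range(2, 2 + rounds):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def embedding_degree(p: int, r: int, limit: int = 64) -> Optional[int]:
    """Smallest k >= 1 with r | p^k - 1 (the order of p in (Z/rZ)^*), or None if > limit."""
    if r <= 1 or p % r == 0:
        return None
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def fp_i_is_field(p: int) -> bool:
    """Fp[i], i^2 = -1, is a field iff -1 is a non-square mod p, i.e. p ≡ 3 (mod 4) for odd p."""
    return p % 4 == 3


if __name__ == "__main__":
    print("p prime:", is_probable_prime(BN254_P))
    print("r prime:", is_probable_prime(BN254_R))
    print("embedding degree k:", embedding_degree(BN254_P, BN254_R))
    print("Fp[i] is a field:", fp_i_is_field(BN254_P))
```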

Example: BLS12-381

Another example also comes from Ethereum and Zcash. Ethereum uses BN254 in smart contracts, but it uses BLS12-381 in its consensus layer. Zcash switched from BN254 to BLS12-381 in the Sapling release.

BLS12-381 is defined over a prime-order field with on the order of 2^381 elements and has embedding degree 12, hence 12-381. The BLS stands for Paulo Barreto, Ben Lynn, and Michael Scott. Elliptic curve names often look mysterious, but they’re actually quite descriptive. I discuss BLS12-381 in more detail here. As in the example above, BLS12-381 is defined over a field Fp and is paired with a curve over Fp[i], i.e. the same field with an imaginary element adjoined. The equation for BLS12-381 is

y² = x³ + 4

and the equation for the curve it is paired with is

y² = x³ + 4(1 + i)

As before, the target group is the multiplicative group of a finite field of order p^12.

[1] You’ll also see bilinearity defined by

e(P + Q, R) = e(P, R) e(Q, R)

and

e(P, R + S) = e(P, R) e(P, S).

These definitions are equivalent. To see that the definition here implies the definition at the top, write out aP as P + P + … + P and so forth.

Since we’re working in subgroups of prime order, there is a generator for each subgroup. Write out each element as a multiple of a generator; then the definition at the top implies the definition here.
