
I'm trying to figure out how to do a mapping between elliptic curve points and Zq without breaking homomorphic properties.

Sorry, I'll write the problem in multiplicative notation because it's easier.

I've got $a = g^bh^r \in \mathbb{G}_1$, where $g$ is a generator of $\mathbb{G}_1$, $h = g^s$ and $r, s, b$ are some values from $Z_q$. I need to have a Pedersen commitment to $g^b$, but since $g^b\in \mathbb{G}_1$ I should map it to $Z_q$ with function $F$ first i.e. $c = G^{F(g^b)}H^R$, where $G,H \in \mathbb{G}_1$ is a commitment key and $R$ is randomly selected from $Z_q$.

The point is, I need to relate $a$ and $c$, so I need to find a mapping function F such that $G^{F(a)} = G^{F(g^b) \cdot F(h^r)}$.

Do you have any idea how to choose $F$ if $\mathbb{G}_1$ is an elliptic curve? Or if it's even possible? In finite fields, $\bmod q$ would have worked ($q$ is prime). But with points, I'm not sure what to do. Maybe homomorphic hash functions would work, not sure.

pintor
  • @kelalaka, homomorphic. Thanks, fixed! – pintor Feb 21 '21 at 10:25
  • When you say $x = y \cdot h^r$, what is $h$, what is $r$, what is $y$? EC has coordinates $(x,y)$; is it $x$ or $y$? – kelalaka Feb 21 '21 at 10:31
  • @kelalaka. Maybe I didn't use the best notation; $y$ and $x$ are not related to EC coordinates. They're just some points in G1. I'll update the notation – pintor Feb 21 '21 at 10:36
  • If you consider scalar multiplication on ECC, write it as $[k]P$, and if you extract the $x$ coordinate, then $x(P)$. – kelalaka Feb 21 '21 at 10:41
  • @kelalaka, changed it. Hope the notation is better now – pintor Feb 21 '21 at 10:49
  • also, unless $q$ is prime, mod $q$ won't work – kodlu Feb 21 '21 at 23:20
  • @kodlu, yes, q should be prime – pintor Feb 22 '21 at 08:22
  • Is the destination $(Z_q,+)$, or $(Z_q,*)$? From the expression it seems the latter, but it's impossible to map group of order $q$ to a group of order $q-1$. – Fractalice Feb 25 '21 at 08:26
  • Could you also explain your idea about how this would work in finite fields? – Fractalice Feb 25 '21 at 08:27
  • @Fractalice, in finite fields we can just use mod q (q is prime) to map elements from G1 to Zq, i.e. F(x) = x mod q. Yes, there will be collisions, because G1 is bigger, but it's fine. What matters is $G^{F(xy)} = G^{xy \bmod q} = (G^{x \bmod q})^{y \bmod q} = (G^{F(x)})^{F(y)}$. But on elliptic curves (EC) mod q doesn't work. – pintor Feb 25 '21 at 09:58
  • @pintor What do you mean by mod q? Usual finite field representation - polynomials modulo an irreducible polynomial - is already mod q. – Fractalice Feb 25 '21 at 14:02
  • @Fractalice, suppose G1 is a subgroup of Zp* and is a cyclic group of prime order q with a generator g and p = 2q+1. Then g^s is an element of G1, where s is from Zq. All operations with elements in G1 are done mod p, but exponents are taken from Zq ( where for all arithmetic we use mod q). – pintor Feb 25 '21 at 14:18
  • @pintor so what would your map look like? Take the discrete logarithm and compute the result modulo $q$? Why aren't you able to do the same on the elliptic curve? – Fractalice Feb 25 '21 at 18:20
  • @Fractalice, the map F:G1->Zq will be just applying mod q to the element from G1. No logarithms. So if I want to use an element A from G1 as an exponent, I will use F(A) = A mod q instead. In EC it does not work as a homomorphic map, because in EC A is not an integer, it's a point, i.e. A is defined by (x,y). – pintor Feb 26 '21 at 08:58
  • @pintor say $q=5,p=2q+1=11$. Then $F(7)=7 \bmod q = 2$, $F(7 \cdot 7)=F(49 \bmod 11)=F(5) \bmod q =0 \ne F(7)F(7) \bmod q = 2 \cdot 2 \bmod 5=4$. It's not homomorphic – Fractalice Feb 26 '21 at 14:29
  • @Fractalice, don't do mod p after multiplication (yes, it will technically make ab, not from G1). Anyway, the idea of the map is simple - use properties of mod operator. Btw, 7 is not from the cyclic group of order 5. – pintor Feb 26 '21 at 17:53
  • @pintor if it's not a map from G1 to Z_q then what it is? I am not "doing mod p" by myself, it's the group structure of G1. I don't see how mod p mod q is anything useful, and surely it's not homomorphic. – Fractalice Feb 27 '21 at 09:49
  • @Fractalice, it's a workaround. I need to use $a$ as an exponent and I need it to be constructed as a product of 2 $Z_q$ elements i.e. $a = x\cdot y$ and $g^{x\cdot y} = (g^x)^y$. The problem is $x$ and $y$ are from $G_1$, not $Z_q$. Yes, $a$ should also be from $G_1$ if computed properly, but it's just a multiplication of two numbers. If I don't do mod p after multiplying $x$ and $y$, I'll just get a number that I can apply mod q to and use as an exponent. Point is, if elements in $G_1$ are just numbers, I can work around it. When it's not, it's the question. – pintor Mar 01 '21 at 09:17
  • @Fractalice, this workaround can be turned into a proper map from $G_1$ to $Z_q$, if $b$ and $r$ are chosen so that when we compute $g^b$ and $h^r$ separately, we see that their product will be less than p anyway and mod p will not make any difference. Anyway, the question is not about mod q, it's about elliptic curves. For those, I don't have any workaround. – pintor Mar 01 '21 at 09:23
  • @pintor the problem is that the question is quite unclear and your remark makes it even more so. It seems that you are fine with a map that is homomorphic only for some inputs and only once. The latter is reminiscent of bilinear maps. Also, finding such non-trivial $b,r$ that $g^b$ and $h^r$ are small ($<\sqrt{p}$) is a hard problem. – Fractalice Mar 01 '21 at 16:46
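An exhaustive check of the order argument raised in the comments (added example; not code from the question or its commenters). It uses the toy parameters $q=5$, $p=2q+1=11$ from the comments, shows that $F(x) = x \bmod q$ is not multiplicative on the order-$q$ subgroup, and then enumerates every map from that subgroup into $Z_q$ to confirm that only the two constant maps (everything to 0 or everything to 1) are multiplicative homomorphisms, which is what $\gcd(q, q-1) = 1$ predicts.

```python
# Added example (not from the question or its commenters): exhaustive check that
# no useful multiplicative homomorphism exists from a cyclic group of prime
# order q into (Z_q, *). Toy parameters are the ones used in the comments:
# q = 5, p = 2q + 1 = 11, and G1 is the order-q subgroup of Z_p^*.
from itertools import product

P, Q = 11, 5

def subgroup_of_order_q(p=P, q=Q):
    """Elements of the unique subgroup of order q in Z_p^* (here p = 2q + 1)."""
    return sorted({pow(x, (p - 1) // q, p) for x in range(1, p)})

def is_homomorphic(F, elems, p=P, q=Q):
    """True iff F(x*y mod p) == F(x)*F(y) mod q holds for every pair in G1."""
    return all(F[(x * y) % p] == (F[x] * F[y]) % q for x in elems for y in elems)

def mod_q_map_is_homomorphic(p=P, q=Q):
    """The candidate from the comments, F(x) = x mod q, applied to G1 elements."""
    elems = subgroup_of_order_q(p, q)
    F = {x: x % q for x in elems}
    return is_homomorphic(F, elems, p, q)

def homomorphisms_into_zq(p=P, q=Q):
    """Enumerate every map G1 -> Z_q and keep the multiplicative homomorphisms.

    Lagrange's theorem predicts only constant maps survive: the image of G1 in
    (Z_q^*, *) has order dividing both q and q - 1, hence is trivial, and the
    only other option is the all-zero map (F(1) = F(1)^2 forces F(1) in {0, 1}).
    """
    elems = subgroup_of_order_q(p, q)
    hits = []
    for images in product(range(q), repeat=len(elems)):
        F = dict(zip(elems, images))
        if is_homomorphic(F, elems, p, q):
            hits.append(F)
    return hits

if __name__ == "__main__":
    print("G1 =", subgroup_of_order_q())
    print("x mod q homomorphic on G1?", mod_q_map_is_homomorphic())
    for F in homomorphisms_into_zq():
        print("homomorphism found:", F)
```

Neither surviving map is usable as an exponent: $G^0$ and $G^1$ are constants that say nothing about $b$.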

1 Answer


I think that you can use a bilinear pairing map for the function $F$. This map is defined from $G_1 \times G_2$ to $\mu_n$. This means that $F(x)=e(x,T)$, where $T \in G_2$.

The key property of this map is:

$e(g^a,T^b)=e(g,T)^{ab}$

$e(g^bh^r,T)=e(g^b,T) \cdot e(h^r,T)=F(g^b) \cdot F(h^r)$

The elements of $\mu_n$ lie in $F_{q^k}^*$. There is a map from $F_{q^k}$ to $F_q$ that is called the trace map. You can find more information about this map in the "Pairings for Beginners" book or at http://www.m-hikari.com/ija/ija-2011/ija-21-24-2011/yadavIJA21-24-2011.pdf

Mahdi Mahdavi
  • but isn't $\mu_n$ a cyclic group too? – pintor Feb 25 '21 at 14:03
  • $\mu_n$ is a cyclic group. – Mahdi Mahdavi Feb 25 '21 at 19:33
  • Thanks, but I need a mapping to $Z_q$. So one more step in F is missing - map $\mu_n$ to $Z_q$. Do we know anything about $\mu_n$? Can it be any cyclic group of order q, for example, a subgroup of $Z^*_p$? Btw, it's type-3 pairing, right? – pintor Feb 26 '21 at 13:51
  • Or is $\mu_n$ the group of $n$-th roots of unity in $F^∗_{p^n}$? – pintor Feb 26 '21 at 14:14
  • Sorry, I cannot accept the answer as it is, because it's incomplete. Can you please edit it before bounty expires? Thanks! – pintor Mar 01 '21 at 09:25
  • $\mu$ is in $F_{q^k}$. There is a map from $F_{q^k}$ to $F_{q}$ that is called the trace map. // You can find more information about this map at http://www.m-hikari.com/ija/ija-2011/ija-21-24-2011/yadavIJA21-24-2011.pdf – Mahdi Mahdavi Mar 02 '21 at 14:45
  • The "pairing for beginners" book is very useful for this case. – Mahdi Mahdavi Mar 02 '21 at 15:45
  • wait, say we have a trace map $M$ and a pairing map $e$, so the mapping $F$ that maps $G_1$ to $Z_q$ will be $F(x) = M(e(x, T))$. I need to make sure that $g^{F(ab)} = (g^{F(a)})^{F(b)}$, but $F(ab) = M(e(ab,T)) = M(e(a,T) * e(b,T)) \neq M(e(a,T)) * M(e(b,T))$. I didn't find any mention that the trace map supports $M(AB) = M(A)*M(B)$. In fact, I think it is defined in a way that it won't support it. – pintor Mar 10 '21 at 16:19
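A concrete check of the last comment's objection, in a toy extension field (added example; not code from the answer or the linked references). It builds $F_{p^2}$ for $p=11$ (chosen here as a constructed parameter; note the answer writes the field characteristic as $q$), computes $\mu_3 \subset F_{p^2}^*$, and verifies that the trace map $\mathrm{Tr}(x) = x + x^p$ is additive on all of $F_{p^2}$ yet fails $\mathrm{Tr}(AB) = \mathrm{Tr}(A)\mathrm{Tr}(B)$ for every pair in $\mu_3$, so composing it with a pairing cannot give a multiplicative $F$.

```python
# Added example (not from the answer): the trace map Tr: F_{p^2} -> F_p is
# additive but not multiplicative. Toy field constructed here: p = 11, and
# since p = 3 mod 4 we can take F_{p^2} = F_p[i]/(i^2 + 1); (a, b) means a + b*i.
P = 11

def fp2_add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)

def fp2_mul(x, y):
    a, b = x
    c, d = y
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def fp2_pow(x, n):
    """Square-and-multiply exponentiation in F_{p^2}."""
    result, base = (1, 0), x
    while n:
        if n & 1:
            result = fp2_mul(result, base)
        base = fp2_mul(base, base)
        n >>= 1
    return result

def trace(x):
    """Tr(x) = x + x^p, the sum over the Frobenius conjugates; it lies in F_p."""
    t = fp2_add(x, fp2_pow(x, P))
    assert t[1] == 0  # the i-component of a trace is always zero
    return t[0]

def roots_of_unity(n):
    """mu_n: every x in F_{p^2}^* with x^n = 1 (non-trivial when n | p^2 - 1)."""
    return [(a, b) for a in range(P) for b in range(P)
            if (a, b) != (0, 0) and fp2_pow((a, b), n) == (1, 0)]

def trace_is_additive():
    """Checks Tr(x + y) == Tr(x) + Tr(y) over all of F_{p^2}."""
    elems = [(a, b) for a in range(P) for b in range(P)]
    return all(trace(fp2_add(x, y)) == (trace(x) + trace(y)) % P
               for x in elems for y in elems)

def multiplicative_failures(n):
    """Pairs (A, B) in mu_n with Tr(A * B) != Tr(A) * Tr(B) mod p."""
    mu = roots_of_unity(n)
    return [(x, y) for x in mu for y in mu
            if trace(fp2_mul(x, y)) != (trace(x) * trace(y)) % P]

if __name__ == "__main__":
    print("mu_3 =", roots_of_unity(3))  # outside F_p, since 3 does not divide p - 1
    print("trace additive:", trace_is_additive())
    print("non-multiplicative pairs in mu_3:", len(multiplicative_failures(3)))
```

Even the identity fails, since $\mathrm{Tr}(1) = 2 \neq 1$: the trace of $1$ is the extension degree $k$, so $\mathrm{Tr}$ is never a multiplicative homomorphism for $k > 1$.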