exc 94
erhant committed Mar 12, 2024
1 parent f5019e1 commit 22dc6d0
Showing 4 changed files with 165 additions and 22 deletions.
1 change: 1 addition & 0 deletions ERRATA.md
@@ -32,6 +32,7 @@ Some possible errors in version 1.1.1.
- Page 103, Example 92, "doing this for 815730721 _elements_ is a bit too slow..."
- Page 108, top of the page says "add this to references"
- Page 110, Algorithm 9, should be $y^2 \gets x^3 + a\cdot x + b$
- Page 119, $y^2 = x^3 + 4^2 + 4 cdot 4^3$, that $4^2$ seems wrong?

## Chapter 6

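Review bot: the new Page 119 entry has `4 cdot 4^3` with the backslash missing, so the erratum itself renders with a stray `cdot` inside math; it should read `$y^2 = x^3 + 4^2 + 4 \cdot 4^3$`. "that $4^2$ seems wrong?" leaves the entry open-ended; if the expected term is known, stating it makes the erratum actionable.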
2 changes: 1 addition & 1 deletion README.md
@@ -54,4 +54,4 @@ The README file are copied under the [`.book`](./.book/) directory and a build i
Contributions
</h3>

Please feel free to open an issue or create a pull-request if something is not clear, could have been better, or is missing references.
Please feel free to open an issue or create a pull-request if something is not clear, could have been better, or is missing references. For the chapters with notebooks, please write the changes in the notebook and then generate the README files with `make markdown`.
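Review bot: the added sentence tells contributors to edit the notebook and run `make markdown`, but not why; saying that `README.md` for those chapters is a generated file (so direct edits would presumably be lost on the next `make markdown`) makes the instruction stick. Minor: "pull-request" in the same sentence should be "pull request".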
105 changes: 94 additions & 11 deletions elliptic-curves/README.ipynb
@@ -14,7 +14,7 @@
"\n",
"Some commonly used curves in this section:\n",
"\n",
"- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage)\n",
"- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage) (also known as [BN254](https://hackmd.io/@jpw/bn254))\n",
"- [secp256k1](https://neuromancer.sk/std/secg/secp256k1)\n",
"- [bls12-381](https://neuromancer.sk/std/bls/BLS12-381)\n",
"\n",
@@ -1310,9 +1310,9 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with @bufferhe4d and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.\n",
"We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with [@bufferhe4d](https://github.com/bufferhe4d) and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.\n",
"\n",
"Let's compute the pairing groups now:\n"
"Let's compute the pairing groups now:"
]
},
{
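Review bot: since this line is being edited anyway, "we have come to conclusion" should read "we have come to the conclusion". Dropping the trailing `\n` on "Let's compute the pairing groups now:" is right for the last element of a cell's `source` array.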
@@ -1597,14 +1597,14 @@
},
{
"cell_type": "code",
"execution_count": 55,
"execution_count": 4,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"147946756881789318990833708069417712967\n",
"Trace of Frobenius: 147946756881789318990833708069417712967\n",
"curve contains less elements than Fp\n"
]
}
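Review bot: `execution_count` changing from 55 to 4 here, with 3 and 1 on the cells added further down in this file, shows the notebook was not re-run top to bottom before committing; a "Restart & Run All" before `make markdown` keeps outputs and counts consistent with the code in every cell.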
@@ -1623,7 +1623,7 @@
"\n",
"# trace of Frobenius\n",
"t = p + 1 - q\n",
"print(t)\n",
"print(\"Trace of Frobenius:\", t)\n",
"\n",
"if q < p:\n",
" print(\"curve contains less elements than Fp\")\n",
@@ -1637,11 +1637,54 @@
"source": [
"We see that the curve `alt_bn128` contains less elements than its base field.\n",
"\n",
"## Exercise 88 🔴\n",
"## Exercise 88\n",
"\n",
"> Consider `alt_bn128` curve. Write a Sage program that computes the $j$-invariant for `alt_bn128`.\n",
"\n",
"TODO\n",
"The $j$-invariant is computed as follows (as shown in section 5.6.2):\n",
"\n",
"$$\n",
"j(E(\\mathbb{F}_q)) = 1728 \\cdot \\frac{4 \\cdot a^3}{4 \\cdot a^3 + 27 \\cdot b^2} \\bmod{q}\n",
"$$\n",
"\n",
"Here, $a, b$ are the curve parameters and $q$ is the order of the base field $\\mathbb{F}_q$. Let's write that in Sage:"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"J invariant: 0\n"
]
}
],
"source": [
"from sage.all import GF, EllipticCurve\n",
"\n",
"# curve parameters\n",
"p = 21888242871839275222246405745257275088696311157297823662689037894645226208583\n",
"a, b = 0, 3\n",
"\n",
"def j_invariant(a, b, q):\n",
" return (1728 * (4 * (a ** 3)) / (4 * (a ** 3) + 27 * (b ** 2))) % q\n",
"\n",
"# note that we use p to denote order of base field, instead of q here\n",
"j_inv = j_invariant(a, b, p)\n",
"print(\"J invariant:\", int(j_inv))\n",
"\n",
"# also check with Sage\n",
"assert j_inv == EllipticCurve(GF(p), [a, b]).j_invariant()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"\n",
"## Exercise 89 🔴\n",
"\n",
@@ -1671,9 +1714,41 @@
"\n",
"> Consider the point $P = (9, 2)$. Show that $P$ is a point on the `BLS6_6` curve and compute the scalar product $[3]P$\n",
"\n",
"TODO\n",
"BLS6\\_6 has the curve equation $y^2 = x^3 + 6$ for values defined over $\\mathbb{F}_{43}$. We can check if the equation holds for the given point:\n",
"\n",
"$$\n",
"\\begin{align*}\n",
"2^2 &= 9^3 + 6 \\\\\n",
"4 &= 41 + 6 \\\\\n",
"4 &= 4\n",
"\\end{align*}\n",
"$$\n",
"\n",
"Indeed the point is on curve. Now, remember that the order of scalar field for BLS6\\_6 is 39, which factorizes as $13 \\cdot 3$. We are given the addition table of the subgroup of order 13 (page 128), and the point $(9, 2)$ does not appear there. This means that our point belongs to the subgroup of order $3$. Therefore, $[3](9, 2)$ results in the point at infinity.\n",
"\n",
"TODO: find out why\n",
"\n",
"We can verify this with Sage:"
]
},
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"from sage.all import GF, EllipticCurve\n",
"\n",
"BLS6_6 = EllipticCurve(GF(43), [0, 6])\n",
"assert BLS6_6(9, 2) * 3 == BLS6_6(13, 15)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"\n",
"## Exercise 94 🔴\n",
"## Exercise 94\n",
"\n",
"> Compute the following expressions:\n",
">\n",
@@ -1682,7 +1757,15 @@
"> - $(35, 15) \\oplus \\mathcal{O}$\n",
"> - $(27, 9) \\oplus (33, 9)$\n",
"\n",
"TODO\n",
"We can use the addition table of BLS6\\_6 (page 128) to solve this quite easily. We can also keep in mind that BLS6\\_6 is defined over the base field $\\mathbb{F}_{43}$.\n",
"\n",
"- $-(26, 34)$ corresponds to the number that when added to $(26, 34)$ results in $\\mathcal{O}$. We see that $(26, 9)$ is the point we are looking for. We could also remember that $-(x, y) = (x, -y)$ in Short Weierstrass curves, so $-(26, 34) = (26, -34) = (29, 9)$ works too.\n",
"\n",
"- $(26, 9) \\oplus (13, 28)$ results in $(27, 9)$, as seen in the table.\n",
"\n",
"- $(35, 15) \\oplus \\mathcal{O}$ results in $(35, 15)$ since the point-at-infinity is neutral. We can confirm this by looking at the first row or the first column in the table.\n",
"\n",
"- $(27, 9) \\oplus (33, 9)$ results in $(26, 34)$, as seen in the table.\n",
"\n",
"## Exercise 95 🔴\n",
"\n",
79 changes: 69 additions & 10 deletions elliptic-curves/README.md
@@ -8,7 +8,7 @@ Also see this <https://curves.xargs.org/> for great animations, especially about

Some commonly used curves in this section:

- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage)
- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage) (also known as [BN254](https://hackmd.io/@jpw/bn254))
- [secp256k1](https://neuromancer.sk/std/secg/secp256k1)
- [bls12-381](https://neuromancer.sk/std/bls/BLS12-381)

@@ -999,12 +999,11 @@ print(TJJ_1_tor)
{(4 : 0 : 1), (0 : 1 : 0)}


We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with @bufferhe4d and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.
We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with [@bufferhe4d](https://github.com/bufferhe4d) and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.

Let's compute the pairing groups now:



```python
INF = TJJ(0) # point at infinity

@@ -1233,25 +1232,54 @@ q = E.order()

# trace of Frobenius
t = p + 1 - q
print(t)
print("Trace of Frobenius:", t)

if q < p:
print("curve contains less elements than Fp")
else:
print("curve contains more elements than Fp")
```

147946756881789318990833708069417712967
Trace of Frobenius: 147946756881789318990833708069417712967
curve contains less elements than Fp


We see that the curve `alt_bn128` contains less elements than its base field.

## Exercise 88 🔴
## Exercise 88

> Consider `alt_bn128` curve. Write a Sage program that computes the $j$-invariant for `alt_bn128`.
TODO
The $j$-invariant is computed as follows (as shown in section 5.6.2):

$$
j(E(\mathbb{F}_q)) = 1728 \cdot \frac{4 \cdot a^3}{4 \cdot a^3 + 27 \cdot b^2} \bmod{q}
$$

Here, $a, b$ are the curve parameters and $q$ is the order of the base field $\mathbb{F}_q$. Let's write that in Sage:


```python
from sage.all import GF, EllipticCurve

# curve parameters
p = 21888242871839275222246405745257275088696311157297823662689037894645226208583
a, b = 0, 3

def j_invariant(a, b, q):
return (1728 * (4 * (a ** 3)) / (4 * (a ** 3) + 27 * (b ** 2))) % q

# note that we use p to denote order of base field, instead of q here
j_inv = j_invariant(a, b, p)
print("J invariant:", int(j_inv))

# also check with Sage
assert j_inv == EllipticCurve(GF(p), [a, b]).j_invariant()
```

J invariant: 0



## Exercise 89 🔴

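Review bot: this is the generated copy of the notebook cell and carries the same defect: `/` on Python integers in `j_invariant` is floating-point division, correct only because `a = 0`. Fix the notebook (modular inverse via `pow(..., -1, q)` or `GF(q)` arithmetic) and regenerate with `make markdown` rather than patching this file.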
@@ -1281,9 +1309,32 @@ TODO

> Consider the point $P = (9, 2)$. Show that $P$ is a point on the `BLS6_6` curve and compute the scalar product $[3]P$
TODO
BLS6\_6 has the curve equation $y^2 = x^3 + 6$ for values defined over $\mathbb{F}_{43}$. We can check if the equation holds for the given point:

$$
\begin{align*}
2^2 &= 9^3 + 6 \\
4 &= 41 + 6 \\
4 &= 4
\end{align*}
$$

## Exercise 94 🔴
Indeed the point is on curve. Now, remember that the order of scalar field for BLS6\_6 is 39, which factorizes as $13 \cdot 3$. We are given the addition table of the subgroup of order 13 (page 128), and the point $(9, 2)$ does not appear there. This means that our point belongs to the subgroup of order $3$. Therefore, $[3](9, 2)$ results in the point at infinity.

TODO: find out why

We can verify this with Sage:


```python
from sage.all import GF, EllipticCurve

BLS6_6 = EllipticCurve(GF(43), [0, 6])
assert BLS6_6(9, 2) * 3 == BLS6_6(13, 15)
```


## Exercise 94

> Compute the following expressions:
>
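Review bot: same contradiction as in the notebook source: the text says $[3](9, 2)$ is the point at infinity while the assertion expects $(13, 15)$, and "TODO: find out why" remains. The point has order 39, not 3, so $[3]P$ has order 13; regenerate this file from the corrected notebook.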
@@ -1292,7 +1343,15 @@ TODO
> - $(35, 15) \oplus \mathcal{O}$
> - $(27, 9) \oplus (33, 9)$
TODO
We can use the addition table of BLS6\_6 (page 128) to solve this quite easily. We can also keep in mind that BLS6\_6 is defined over the base field $\mathbb{F}_{43}$.

- $-(26, 34)$ corresponds to the number that when added to $(26, 34)$ results in $\mathcal{O}$. We see that $(26, 9)$ is the point we are looking for. We could also remember that $-(x, y) = (x, -y)$ in Short Weierstrass curves, so $-(26, 34) = (26, -34) = (29, 9)$ works too.

- $(26, 9) \oplus (13, 28)$ results in $(27, 9)$, as seen in the table.

- $(35, 15) \oplus \mathcal{O}$ results in $(35, 15)$ since the point-at-infinity is neutral. We can confirm this by looking at the first row or the first column in the table.

- $(27, 9) \oplus (33, 9)$ results in $(26, 34)$, as seen in the table.

## Exercise 95 🔴

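Review bot: the `(29, 9)` typo for `(26, 9)` in the first bullet is reproduced here from the notebook; regenerate after fixing it there.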

0 comments on commit 22dc6d0
