From 22dc6d01b469d61c7d22e69c1773b6d033d6939b Mon Sep 17 00:00:00 2001 From: erhant Date: Wed, 13 Mar 2024 00:13:07 +0300 Subject: [PATCH] exc 94 --- ERRATA.md | 1 + README.md | 2 +- elliptic-curves/README.ipynb | 105 +++++++++++++++++++++++++++++++---- elliptic-curves/README.md | 79 ++++++++++++++++++++++---- 4 files changed, 165 insertions(+), 22 deletions(-) diff --git a/ERRATA.md b/ERRATA.md index 1cea12b..579fff6 100644 --- a/ERRATA.md +++ b/ERRATA.md @@ -32,6 +32,7 @@ Some possible errors in version 1.1.1. - Page 103, Example 92, "doing this for 815730721 _elements_ is a bit too slow..." - Page 108, top of the page says "add this to references" - Page 110, Algorithm 9, should be $y^2 \gets x^3 + a\cdot x + b$ +- Page 119, $y^2 = x^3 + 4^2 + 4 cdot 4^3$, that $4^2$ seems wrong? ## Chapter 6 diff --git a/README.md b/README.md index 3d7d1d7..fc7ad88 100644 --- a/README.md +++ b/README.md @@ -54,4 +54,4 @@ The README file are copied under the [`.book`](./.book/) directory and a build i Contributions -Please feel free to open an issue or create a pull-request if something is not clear, could have been better, or is missing references. +Please feel free to open an issue or create a pull-request if something is not clear, could have been better, or is missing references. For the chapters with notebooks, please write the changes in the notebook and then generate the README files with `make markdown`. diff --git a/elliptic-curves/README.ipynb b/elliptic-curves/README.ipynb index 9700a47..70e55a0 100644 --- a/elliptic-curves/README.ipynb +++ b/elliptic-curves/README.ipynb 
@@ -14,7 +14,7 @@ "\n", "Some commonly used curves in this section:\n", "\n", - "- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage)\n", + "- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage) (also known as [BN254](https://hackmd.io/@jpw/bn254))\n", "- [secp256k1](https://neuromancer.sk/std/secg/secp256k1)\n", "- [bls12-381](https://neuromancer.sk/std/bls/BLS12-381)\n", "\n", @@ -1310,9 +1310,9 @@ "cell_type": "markdown", "metadata": {}, "source": [ - "We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with @bufferhe4d and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.\n", + "We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with [@bufferhe4d](https://github.com/bufferhe4d) and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements.\n", "\n", - "Let's compute the pairing groups now:\n" + "Let's compute the pairing groups now:" ] }, { @@ -1597,14 +1597,14 @@ }, { "cell_type": "code", - "execution_count": 55, + "execution_count": 4, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ - "147946756881789318990833708069417712967\n", + "Trace of Frobenius: 147946756881789318990833708069417712967\n", "curve contains less elements than Fp\n" ] } @@ -1623,7 +1623,7 @@ "\n", "# trace of Frobenius\n", "t = p + 1 - q\n", - "print(t)\n", + "print(\"Trace of Frobenius:\", t)\n", "\n", "if q < p:\n", " print(\"curve contains less elements than Fp\")\n", 
@@ -1637,11 +1637,54 @@ "source": [ "We see that the curve `alt_bn128` contains less elements than its base field.\n", "\n", - "## Exercise 88 🔴\n", + "## Exercise 88\n", "\n", "> Consider `alt_bn128` curve. Write a Sage program that computes the $j$-invariant for `alt_bn128`.\n", "\n", - "TODO\n", + "The $j$-invariant is computed as follows (as shown in section 5.6.2):\n", + "\n", + "$$\n", + "j(E(\\mathbb{F}_q)) = 1728 \\cdot \\frac{4 \\cdot a^3}{4 \\cdot a^3 + 27 \\cdot b^2} \\bmod{q}\n", + "$$\n", + "\n", + "Here, $a, b$ are the curve parameters and $q$ is the order of the base field $\\mathbb{F}_q$. Let's write that in Sage:" + ] + }, + { + "cell_type": "code", + "execution_count": 3, + "metadata": {}, + "outputs": [ + { + "name": "stdout", + "output_type": "stream", + "text": [ + "J invariant: 0\n" + ] + } + ], + "source": [ + "from sage.all import GF, EllipticCurve\n", + "\n", + "# curve parameters\n", + "p = 21888242871839275222246405745257275088696311157297823662689037894645226208583\n", + "a, b = 0, 3\n", + "\n", + "def j_invariant(a, b, q):\n", + " return (1728 * (4 * (a ** 3)) / (4 * (a ** 3) + 27 * (b ** 2))) % q\n", + "\n", + "# note that we use p to denote order of base field, instead of q here\n", + "j_inv = j_invariant(a, b, p)\n", + "print(\"J invariant:\", int(j_inv))\n", + "\n", + "# also check with Sage\n", + "assert j_inv == EllipticCurve(GF(p), [a, b]).j_invariant()" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ "\n", "## Exercise 89 🔴\n", "\n", 
@@ -1671,9 +1714,41 @@ "\n", "> Consider the point $P = (9, 2)$. Show that $P$ is a point on the `BLS6_6` curve and compute the scalar product $[3]P$\n", "\n", - "TODO\n", + "BLS6\\_6 has the curve equation $y^2 = x^3 + 6$ for values defined over $\\mathbb{F}_{43}$. We can check if the equation holds for the given point:\n", + "\n", + "$$\n", + "\\begin{align*}\n", + "2^2 &= 9^3 + 6 \\\\\n", + "4 &= 41 + 6 \\\\\n", + "4 &= 4\n", + "\\end{align*}\n", + "$$\n", + "\n", + "Indeed the point is on curve. Now, remember that the order of scalar field for BLS6\\_6 is 39, which factorizes as $13 \\cdot 3$. We are given the addition table of the subgroup of order 13 (page 128), and the point $(9, 2)$ does not appear there. This means that our point belongs to the subgroup of order $3$. Therefore, $[3](9, 2)$ results in the point at infinity.\n", + "\n", + "TODO: find out why\n", + "\n", + "We can verify this with Sage:" + ] + }, + { + "cell_type": "code", + "execution_count": 1, + "metadata": {}, + "outputs": [], + "source": [ + "from sage.all import GF, EllipticCurve\n", + "\n", + "BLS6_6 = EllipticCurve(GF(43), [0, 6])\n", + "assert BLS6_6(9, 2) * 3 == BLS6_6(13, 15)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ "\n", - "## Exercise 94 🔴\n", + "## Exercise 94\n", "\n", "> Compute the following expressions:\n", ">\n", 
@@ -1682,7 +1757,15 @@ "> - $(35, 15) \\oplus \\mathcal{O}$\n", "> - $(27, 9) \\oplus (33, 9)$\n", "\n", - "TODO\n", + "We can use the addition table of BLS6\\_6 (page 128) to solve this quite easily. We can also keep in mind that BLS6\\_6 is defined over the base field $\\mathbb{F}_{43}$.\n", + "\n", + "- $-(26, 34)$ corresponds to the number that when added to $(26, 34)$ results in $\\mathcal{O}$. We see that $(26, 9)$ is the point we are looking for. We could also remember that $-(x, y) = (x, -y)$ in Short Weierstrass curves, so $-(26, 34) = (26, -34) = (29, 9)$ works too.\n", + "\n", + "- $(26, 9) \\oplus (13, 28)$ results in $(27, 9)$, as seen in the table.\n", + "\n", + "- $(35, 15) \\oplus \\mathcal{O}$ results in $(35, 15)$ since the point-at-infinity is neutral. We can confirm this by looking at the first row or the first column in the table.\n", + "\n", + "- $(27, 9) \\oplus (33, 9)$ results in $(26, 34)$, as seen in the table.\n", "\n", "## Exercise 95 🔴\n", "\n", diff --git a/elliptic-curves/README.md b/elliptic-curves/README.md index e34aa2a..ed6452c 100644 --- a/elliptic-curves/README.md +++ b/elliptic-curves/README.md @@ -8,7 +8,7 @@ Also see this for great animations, especially about Some commonly used curves in this section: -- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage) +- [alt_bn128](https://github.com/scipr-lab/libff/blob/master/libff/algebra/curves/alt_bn128/alt_bn128.sage) (also known as [BN254](https://hackmd.io/@jpw/bn254)) - [secp256k1](https://neuromancer.sk/std/secg/secp256k1) - [bls12-381](https://neuromancer.sk/std/bls/BLS12-381) 
@@ -999,12 +999,11 @@ print(TJJ_1_tor) {(4 : 0 : 1), (0 : 1 : 0)} -We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with @bufferhe4d and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements. +We would expect $r^2$ elements (i.e. 4) in the full-torsion group, which is NOT the case here! After lengthy discussions with [@bufferhe4d](https://github.com/bufferhe4d) and his further discussions with more people, we have come to conclusion that the $r^2$ requirement is not strict when $k=1$. In some cases, we can have $r$ elements. Let's compute the pairing groups now: - ```python INF = TJJ(0) # point at infinity @@ -1233,7 +1232,7 @@ q = E.order() # trace of Frobenius t = p + 1 - q -print(t) +print("Trace of Frobenius:", t) if q < p: print("curve contains less elements than Fp") 
@@ -1241,17 +1240,46 @@ else: print("curve contains more elements than Fp") ``` - 147946756881789318990833708069417712967 + Trace of Frobenius: 147946756881789318990833708069417712967 curve contains less elements than Fp We see that the curve `alt_bn128` contains less elements than its base field. -## Exercise 88 🔴 +## Exercise 88 > Consider `alt_bn128` curve. Write a Sage program that computes the $j$-invariant for `alt_bn128`. -TODO +The $j$-invariant is computed as follows (as shown in section 5.6.2): + +$$ +j(E(\mathbb{F}_q)) = 1728 \cdot \frac{4 \cdot a^3}{4 \cdot a^3 + 27 \cdot b^2} \bmod{q} +$$ + +Here, $a, b$ are the curve parameters and $q$ is the order of the base field $\mathbb{F}_q$. Let's write that in Sage: + + +```python +from sage.all import GF, EllipticCurve + +# curve parameters +p = 21888242871839275222246405745257275088696311157297823662689037894645226208583 +a, b = 0, 3 + +def j_invariant(a, b, q): + return (1728 * (4 * (a ** 3)) / (4 * (a ** 3) + 27 * (b ** 2))) % q + +# note that we use p to denote order of base field, instead of q here +j_inv = j_invariant(a, b, p) +print("J invariant:", int(j_inv)) + +# also check with Sage +assert j_inv == EllipticCurve(GF(p), [a, b]).j_invariant() +``` + + J invariant: 0 + + ## Exercise 89 🔴 
@@ -1281,9 +1309,32 @@ TODO > Consider the point $P = (9, 2)$. Show that $P$ is a point on the `BLS6_6` curve and compute the scalar product $[3]P$ -TODO +BLS6\_6 has the curve equation $y^2 = x^3 + 6$ for values defined over $\mathbb{F}_{43}$. We can check if the equation holds for the given point: + +$$ +\begin{align*} +2^2 &= 9^3 + 6 \\ +4 &= 41 + 6 \\ +4 &= 4 +\end{align*} +$$ -## Exercise 94 🔴 +Indeed the point is on curve. Now, remember that the order of scalar field for BLS6\_6 is 39, which factorizes as $13 \cdot 3$. We are given the addition table of the subgroup of order 13 (page 128), and the point $(9, 2)$ does not appear there. This means that our point belongs to the subgroup of order $3$. Therefore, $[3](9, 2)$ results in the point at infinity. + +TODO: find out why + +We can verify this with Sage: + + +```python +from sage.all import GF, EllipticCurve + +BLS6_6 = EllipticCurve(GF(43), [0, 6]) +assert BLS6_6(9, 2) * 3 == BLS6_6(13, 15) +``` + + +## Exercise 94 > Compute the following expressions: > @@ -1292,7 +1343,15 @@ TODO > - $(35, 15) \oplus \mathcal{O}$ > - $(27, 9) \oplus (33, 9)$ -TODO +We can use the addition table of BLS6\_6 (page 128) to solve this quite easily. We can also keep in mind that BLS6\_6 is defined over the base field $\mathbb{F}_{43}$. + +- $-(26, 34)$ corresponds to the number that when added to $(26, 34)$ results in $\mathcal{O}$. We see that $(26, 9)$ is the point we are looking for. We could also remember that $-(x, y) = (x, -y)$ in Short Weierstrass curves, so $-(26, 34) = (26, -34) = (29, 9)$ works too. + +- $(26, 9) \oplus (13, 28)$ results in $(27, 9)$, as seen in the table. + +- $(35, 15) \oplus \mathcal{O}$ results in $(35, 15)$ since the point-at-infinity is neutral. We can confirm this by looking at the first row or the first column in the table. + +- $(27, 9) \oplus (33, 9)$ results in $(26, 34)$, as seen in the table. ## Exercise 95 🔴
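Review bot: the new `ERRATA.md` line `- Page 119, $y^2 = x^3 + 4^2 + 4 cdot 4^3$, that $4^2$ seems wrong?` has a LaTeX typo of its own: `cdot` is missing its backslash and will render as the literal letters `cdot` rather than a multiplication dot. Suggest `4 \cdot 4^3` so the erratum does not itself introduce a rendering error.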
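Review bot: in the Exercise 88 hunk (same cell in `README.ipynb` and `README.md`), `j_invariant` divides plain integers with `/` and then applies `% q`, which is a rational (or float) division rather than division in $\mathbb{F}_q$; the result only agrees with `EllipticCurve(GF(p), [a, b]).j_invariant()` because `a = 0` forces the numerator, and hence `j`, to 0, so the assertion is checking a trivial case. For any nonzero `a` the function returns a non-integer and the check fails. Suggest doing the arithmetic in the field so the inverse is modular, e.g.
`F = GF(p)`
`a, b = F(0), F(3)`
`return 1728 * (4 * a**3) / (4 * a**3 + 27 * b**2)`
and dropping the trailing `% q`, which is then redundant.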
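Review bot: in the Exercise 93 hunk the prose and the code disagree: the text concludes that $[3](9, 2)$ "results in the point at infinity", while the Sage cell asserts `BLS6_6(9, 2) * 3 == BLS6_6(13, 15)`, a finite point. The inference is the gap: with group order $39 = 13 \cdot 3$, a point absent from the order-13 subgroup table has order 3 or 39, not necessarily 3; the assertion shows $[3]P \neq \mathcal{O}$, so $P$ has order 39 and $[3]P = (13, 15)$ is a point of order 13. Suggest rewriting the conclusion to match the code and removing the leftover `TODO: find out why`. Minor: the alignment `4 &= 41 + 6 \\` followed by `4 &= 4` silently reduces $47 \equiv 4 \pmod{43}$; a `\pmod{43}` on those lines would make the check explicit.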
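Review bot: in the Exercise 94 hunk the first bullet has a coordinate typo: `$-(26, 34) = (26, -34) = (29, 9)$` should read $(26, 9)$, since negation keeps the $x$-coordinate and $-34 \equiv 9 \pmod{43}$; the same bullet already identifies $(26, 9)$ as the inverse one sentence earlier. Also "corresponds to the number that when added to" should say "the point that when added to". The same fix applies to the notebook cell in `README.ipynb`, which carries the identical text.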