Introduction

This book is an ongoing effort to gather some notes about cryptography with a focus on schemes which are relevant to the decentralized web such as multiparty signatures, zero-knowledge proofs, etc.

For now it consists of the following parts:

• Mathematics:
• Cryptography:
• Proof Systems:
• ZK Hack Puzzles Walk-through:

We assume that the reader has some basic knowledge of arithmetic and algebra and of common concepts from cryptography (hash functions, signatures, ...).

Here are a number of freely available textbooks to learn more (we will point to specific sections of them when needed):

• A Computational Introduction to Number Theory and Algebra by Victor Shoup
• the Boneh-Shoup cryptography textbook
• lecture notes for an advanced graduate cryptography course by Jonathan Katz
• The Joy of Cryptography by Mike Rosulek
• Mathematics of Public Key Cryptography by Steven Galbraith
• Least Authority's MoonMath manual
• Proofs, Arguments, and Zero-Knowledge by Justin Thaler

Mathematical Notation

• Given a set $S,$ we let $S^n$ denote the set of strings of length $n$ over $S,$ and $S^{\ast }$ the set of all strings, i.e., $S^{\ast }={\cup }_{n\ge 0}{S}^n,$ where $S^0$ denotes the singleton consisting of the empty string; the length of a string $x$ is denoted $|x|.$
• Given a non-empty finite set $S,$ the sampling of a variable $s$ according to the uniform distribution is denoted $s{\leftarrow }_{\$}S.$
• Unless specified otherwise, groups are denoted additively.
• Main algebraic structures:

Note that all proofs throughout the book are collapsible:

Proof

You can choose to display it or leave it hidden forever.

Acknowledgments

This book is built with mdBook using the following preprocessors:

• mdBook-KaTeX
• mdbook-toc
• mdbook-footnote
• mdbook-mermaid
• mdbook-admonish
• mdbook-numthm
• mdbook-numeq
• mdbook-mathpunc

If you spot anything off, I'd be happy to get your feedback and acknowledge it here.

Chapter status:   🚧   draft   🚧

Basic Arithmetic

In this chapter, we cover a number of fundamental notions and results about arithmetic over integers, such as divisibility, greatest common divisors, and unique factorization. Most of them will be generalized in the chapter about rings. We will return to the axiomatic definition of integers in a later chapter (to wit, the set of integers is, up to isomorphism, the unique non-trivial, ordered, unitary commutative ring whose positive elements are well-ordered).

Contents

• Basic Definitions
• Divisibility
• Euclidean Division
• Greatest Common Divisor
• Computing GCDs and Bézout Relations
• GCDs and Ideals
• Prime Numbers

Basic Definitions

In all the following, we adopt the following notation and conventions:

• we let $\mathbb{N}$ denote the set of non-negative integers (also called natural numbers): $$\mathbb{N}:=\{0,1,2\dots \};$$
• we let ${\mathbb{N}}^{\ast }$ denote the set of positive integers: $${\mathbb{N}}^{\ast }:=\mathbb{N}\setminus \{0\}=\{1,2\dots \};$$
• we let $\mathbb{Z}$ denote the set of integers: $$\mathbb{Z}:=\{\dots ,-2,-1,0,1,2,\dots \}.$$

We will not explicitly formulate here all standard properties of addition, multiplication, and of the order relation and defer a more formal treatment to the chapter about rings.

We only state two salient properties of the integers: the cancellation law (a consequence of $\mathbb{Z}$ being a so-called integral domain) and the well-ordering principle (or well-ordering axiom), which is one of the axioms governing integers.

The absolute value of an integer $a\in \mathbb{Z},$ denoted $|a|,$ is defined as $$|a|:=\{\begin{array}{ll}a& \text{if }a>0\\ 0& \text{if }a=0\\ -a& \text{if }a<0.\end{array}$$

Proposition 3.1 (cancellation law for integers). Let $a,b,c\in \mathbb{Z}$ be integers such that $a\ne 0.$ Then $ab=ac$ implies $b=c.$

Proposition 3.2 (well-ordering axiom). Let $S\subseteq \mathbb{N}$ be a non-empty subset of $\mathbb{N}.$ Then $S$ contains a smallest element, i.e., there exists $m\in S$ such that for any $s\in S,$ $m\le s.$

It is immediate that the smallest element is necessarily unique.

Proposition 3.3. Let $S\subseteq \mathbb{N}$ be a non-empty subset of $\mathbb{N}.$ Then it has a unique smallest element.

Proof

Assume that $S$ has two smallest elements $m$ and $m^{\prime }.$ Then $m\le m^{\prime }$ (since $m$ is a smallest element) and $m^{\prime }\le m$ (since $m^{\prime }$ is a smallest element). Hence, $m=m^{\prime }.$

It is also the case that a finite non-empty subset of $\mathbb{N}$ (or $\mathbb{Z})$ has a largest element.

Proposition 3.4. Let $S\subseteq \mathbb{Z}$ be a finite non-empty subset of $\mathbb{Z}.$ Then $S$ contains a unique largest element, i.e., there exists a unique $M\in S$ such that for any $s\in S,$ $s\le M.$

Divisibility

Let $a,b\in \mathbb{Z}.$ We say that $a$ divides $b,$ or that $a$ is a divisor of $b,$ or that $b$ is a multiple of $a,$ denoted $a\mid b,$ if there exists $q\in \mathbb{Z}$ such that $b=qa.$

Let us list a number of basic properties of divisibility.

Proposition 3.5. For every $a,b\in \mathbb{Z},$ $$a\mid b⟺-a\mid b⟺a\mid -b⟺-a\mid -b.$$

Proof

Assume that $a\mid b.$ Then $b=qa$ for some $q\in \mathbb{Z}.$ This implies that $b=(-q)(-a),$ hence $-a\mid b.$ All other implications can be proven in a similar way.

Proposition 3.6. The only integers dividing $1$ are $1$ and $-1.$

Proof

Let $a\in {\mathbb{N}}^{\ast }$ be a positive divisor of $1.$ By [??], $a\ge 1.$ On the other hand, since $a\mid 1,$ there exists $q$ such that $aq=1.$ Clearly, $q$ must be positive and cannot be $0.$ Hence, by [??], $q\ge 1.$ Multiplying both sides by $a,$ we obtain $aq=1\ge a.$ Hence, we have both $a\le 1$ and $a\ge 1,$ which implies that $a=1.$

Proposition 3.7. For every $a,b,c\in \mathbb{Z}$ with $c\ne 0,$ $$a\mid b⟺ca\mid cb.$$

Proof

If $a\mid b$ then $b=qa$ for some $q\in \mathbb{Z}.$ This implies that $cb=q(ca)$ and hence $ca\mid cb.$

Conversely, assume that $ca\mid cb.$ Then $cb=q(ca)$ for some $q\in \mathbb{Z}.$ Since $c\ne 0,$ by the cancellation law for integers, $b=qa$ and hence $a\mid b.$

Proposition 3.8. For every $a,b\in \mathbb{Z},$ $$a\mid b\text{ and }b\mid a⟺a=\pm b.$$

Proof

If $a=\pm b$ then clearly $a\mid b$ and $b\mid a.$

Conversely, assume that $a\mid b$ and $b\mid a.$ Then $b=qa$ and $a=q^{\prime }b$ for some integers $q,q^{\prime }\in \mathbb{Z}.$ If $a=b=0$ then $a=\pm b$ and the conclusion holds. Assume now that either $a$ or $b$ is not zero. Let us consider the case $a\ne 0$ (the case $b\ne 0$ is similar). Multiplying $b=qa$ by $q^{\prime },$ we get $q^{\prime }b=q{q}^{\prime }a,$ hence $a=q{q}^{\prime }a.$ Since $a\ne 0,$ by the cancellation law for integers, this implies that $q{q}^{\prime }=1,$ i.e., $q^{\prime }$ divides $1.$ By Proposition 3.6, this implies $q^{\prime }=\pm 1,$ hence $a=\pm b.$

Proposition 3.9. For every $a,b,c\in \mathbb{Z},$ $$a\mid b\text{ and }b\mid c⟹a\mid c.$$

Proof

If $a\mid b$ then $b=qa$ for some $q\in \mathbb{Z}.$ Similarly, if $b\mid$c then $c=q^{\prime }b$ for some $q^{\prime }\in \mathbb{Z}.$ This implies that $c=q{q}^{\prime }a,$ i.e., $a\mid c.$

Divisibility defines an order relation over ${\mathbb{N}}^{\ast }:$

• it is reflexive since $a\mid a;$
• it is anti-symmetric since by Proposition 3.8, if $a\mid b$ and $b\mid a,$ then $a=\pm b,$ but for $a,b\in {\mathbb{N}}^{\ast }$ this implies $a=b;$
• it is transitive by Proposition 3.9.

Unlike $\le$ which is total, this order relation is only partial since there are integers $a$ and $b$ such that neither $a\mid b$ nor $b\mid a$ hold. These two order relations are "consistent" if the sense of the following proposition.

Proposition 3.10. For every $a,b\in {\mathbb{N}}^{\ast },$ $a\mid b⟹a\le b.$

Proof

Let $a,b\in {\mathbb{N}}^{\ast }$ such that $a\mid b.$ Then $b=qa$ for some $q\in \mathbb{Z}.$ We cannot have $q=0$ as this would imply $a=0.$ Moreover, $q\ge 0$ as $q<0$ would imply $b<0.$ Hence, $q\ge 1,$ which implies $b=qa\ge a.$

Euclidean Division

Proposition 3.11 (Euclid's division lemma). Let $a,n\in \mathbb{Z}$ be integers with $n>0.$ Then there exists unique integers $q$ and $r$ such that $$a=qn+r$$ and $0\le r<n.$ Moreover, $n\mid a$ if and only if $r=0.$

Proof

Let us show existence first. Consider the set $S$ defined as $$S=\{a-kn:k\in \mathbb{Z}\}\cap \mathbb{N}.$$ This set is non-empty: if $a\ge 0$ then $a=a-0n\in S$ whereas if $a<0$ then $a-an=a(1-n)\in S.$ By the well-ordering axiom, $S$ has a minimal element $r.$ Since $r\in S,$ there exists $q\in \mathbb{Z}$ such that $r=a-qn.$ Moreover, $r\ge 0$ by definition of $S.$ Assume that $r\ge n.$ Then $r-n\in S,$ contradicting the minimality of $r.$ Hence, $a=qn+r$ with $0\le r<n$ as claimed.

Let us now show uniqueness. Assume that $a=qn+r=q^{\prime }n+r$ with $0\le r<n$ and $0\le r^{\prime }<n.$ Then $$r-r^{\prime }=n(q^{\prime }-q)$$ meaning $r-r^{\prime }$ is a multiple of $n.$ But note that $$-n<r-r^{\prime }<n.$$ This implies that $r=r^{\prime }$ since the only multiple of $n$ in $\{-(n-1),\dots ,0,\dots ,n-1\}$ is $0.$ Hence, $n(q^{\prime }-q)=0,$ which by the cancellation law for integers implies that $q=q^{\prime }.$

Finally, let us show that $n\mid a$ if and only if $r=0.$ If $r=0,$ then $a=qn$ and hence $n\mid a.$ Conversely, if $n\mid a,$ then $a=q^{\prime }n$ for some $q^{\prime }\in \mathbb{Z}.$ But then uniqueness of $q$ and $r$ implies that $q=q^{\prime }$ and $r=0.$

The four integers $a,$ $n,$ $q,$ and $r$ each have a name:

• $a$ is called the dividend,
• $n$ is called the divisor,
• $q$ is called the quotient,
• $r$ is called the remainder.

Greatest Common Divisor

Let $a,b\in \mathbb{Z}$ be integers such that $a$ and $b$ are not both zero. A common divisor of $a$ and $b$ is an integer $d\in \mathbb{Z}$ such that $d$ divides both $a$ and $b.$ A greatest common divisor (GCD) of $a$ and $b$ is a common divisor $d$ of $a$ and $b$ such that $d\ge 0$ and any other common divisor of $a$ and $b$ divides $d.$

Note that this is different from the definition one usually encounters in high school, which is as follows. Consider the set $S$ of all common divisors of $a$ and $b.$ This set is non-empty since $1\in S.$ It is also finite since any common divisor $d$ of $a$ and $b$ satisfies $-a\le d\le a$ if $a\ne 0$ and $-b\le d\le b$ if $b\ne 0$ and $a$ and $b$ are not both zero. Then the GCD of $a$ and $b$ is defined as the largest element of $S,$ which by Proposition 3.4 exists and is unique.

The reason we prefer to former definition is that it is closer to the definition of a GCD in a commutative ring (the only difference is that condition $d\ge 0$ is dropped since in general, there might be no order relation over an arbitrary ring). Working with this definition, it is not immediately clear though that a greatest common divisor always exists and is unique (in fact, there exists commutative rings where two elements might not have a GCD), nor that it is equal to the GCD according to the later definition. The following proposition proves this, and more.

$${\Lambda }_{a,b}:=\{ua+bv:u,v\in \mathbb{Z}\}.$$ This set has the following interesting property: if $c\in {\Lambda }_{a,b},$ then every multiple $kc$ of $c$ also belongs to ${\Lambda }_{a,b}.$

Consider for example $a=6=2\cdot 3$ and $b=10=2\cdot 5.$ We can quickly establish (using any of the two definitions above) that the greatest common divisor of $6$ and $10$ is $2.$

Proposition 3.12 (Bézout's lemma). Let $a,b\in \mathbb{Z}$ be integers such that $a$ and $b$ are not both zero. Then there exists a unique greatest common divisor $d$ of $a$ and $b.$ Moreover, $d$ is the smallest non-negative integer which can be written as a linear combination of $a$ and $b.$ In particular, there exists integers $u,v\in \mathbb{Z}$ such that $$d=ua+vb.$$

Proof

Let us show uniqueness first. Assume that $a$ and $b$ have two GCDs $d$ and $d^{\prime }.$ Then $d\mid d^{\prime }$ and $d^{\prime }\mid d$ and hence by Proposition 3.8, one has $d=\pm d^{\prime }.$ Since a GCD must be positive, it follows that $d=d^{\prime }.$

Let us show existence by proving that the smallest non-negative integer which can be written as a linear combination of $a$ and $b$ in indeed their GCD. consider the set of all non-negative linear combinations of $a$ and $b,$ namely $$S:=\{ua+vb:u,v\in \mathbb{Z}\}\cap {\mathbb{N}}^{\ast }.$$ This set is non-empty. Indeed, assume that $a\ne 0$ (the case $b\ne 0$ is similar). Then either $a$ or $-a$ is in $S.$ By the well-ordering axiom, $S$ has a minimal element $d.$ We claim that $d$ is the GCD of $a$ and $b.$

First, we clearly have $d\ge 0.$ Second, let us show that $d$ is a common divisor of $a$ and $b.$ For this, we will show the following stronger statement: every element in $S$ is divisible by $d.$ Since $a\in S$ and $b\in S,$ this will imply in particular that $d$ divides both of them. Let $c=ua+vb$ be any element in $S.$ Since $d\in S,$ let us also write $d=u_{0}a+v_{0}b.$ By Euclid's division lemma, there exists $q$ and $r$ with $0\le r<d$ such that $$c=qd+r.$$ Then $$\begin{array}{rl}r& =c-qd\\ & =ua+bv-q(u_{0}a+b_{0}v)\\ & =(u-q{u}_0)a+(v-q{v}_0)b.\end{array}$$ Hence, $r\in S.$ But since $0\le r<d$ and $d$ is the minimal element of $S,$ one must have $r=0.$ Hence, $c=qd,$ i.e., $d$ divides $c.$

It remains to show that every common divisor $d^{\prime }$ of $a$ and $b$ divides $d.$

The greatest common divisor of $a$ and $b$ is denoted $\gcd (a,b)$ (or sometimes $(a,b)$ but this notation is confusing and will not be used here). By convention, although the set of common divisors of $a=0$ and $b=0$ is $\mathbb{Z},$ $\gcd (0,0)$ is defined as $0$ (we will see why this makes sense when relating GCDs and ideals).

Expressing the GCD as a linear combination of $a$ and $b,$ i.e., writing $$\gcd (a,b)=ua+vb$$ with explicit values $u,v\in \mathbb{Z}$ is often called a Bézout relation.

Two integers $a,b\in \mathbb{Z}$ are said coprime or relatively prime if $\gcd (a,b)=1,$ which is equivalent to $a$ and $b$ having only $1$ and $-1$ as common divisors.

Proposition 3.13. Let $a,b\in \mathbb{Z}.$ Then $a$ and $b$ are coprime if and only if there exists $u,v\in \mathbb{Z}$ such that $$ua+vb=1.$$

Proof

If $a$ and $b$ are coprime, then existence of $u,v\in \mathbb{Z}$ such that $ua+bv=1$ is established by Proposition 3.12. Conversely, assume that there exists $u,v\in \mathbb{Z}$ such that $ua+bv=1.$

Computing GCDs and Bézout Relations

The GCD can be computed using Euclid's algorithm. It relies on the following lemma.

Proposition 3.14. Let $a,b\in \mathbb{Z}$ such that $a$ and $b$ are not both zero. Then, for any $k\in \mathbb{Z},$ $$\gcd (a+kb,b)=\gcd (a,b).$$

Proof

GCDs and Ideals

In this section, we give another interpretation of GCDs in terms of ideals of $\mathbb{Z}.$ As pretty much any notion we encounter in this chapter, ideals can be defined for any ring.

A subset $\mathbb{I}\subseteq \mathbb{Z}$ of the integers is called an ideal of $\mathbb{Z}$ if it satisfies the following properties:

Proposition 3.15. Let $a,b\in \mathbb{Z}.$ Then $$a\mathbb{Z}+b\mathbb{Z}=\gcd (a,b)\mathbb{Z}.$$

Prime Numbers

Chapter status:   ✅   in good shape   ✅

TODO: some proofs missing

Groups

We cover the elementary theory of groups, one of the most fundamental algebraic structure consisting of a set with a binary operation satisfying associativity, the existence of an identity element, and the existence of an inverse for every element of the set. We focus in particular on abelian (commutative) groups and cyclic groups, which are of particular relevance for cryptography.

Contents

• Basic Definitions
• Additive/Multiplicative Notation
• Repeated Group Operation
• Direct Product
• Subgroups
• Cosets and Lagrange Theorem
• Normal Subgroups
• Quotient Groups
• Homomorphisms and Isomorphisms
• Group Generation
• Properties of Cyclic Groups
• Classification of Cyclic Groups
• Cauchy's Theorem for Abelian Groups
• Exponent of a Group
• Structure Theorem for Finite Abelian Groups
• Structure Theorem for Finitely Generated Abelian Groups

Basic Definitions

A binary operation over a set $S$ is a function $\star :S\times S\to S$ usually denoted in infix notation, meaning the image of $(a,b)\in S\times S$ is written $a\star b.$

A group is a non-empty set $\mathbb{G}$ equipped with a binary operation $\star$ satisfying the following properties:

• associativity: for every $a,b,c\in \mathbb{G},$ $$(a\star b)\star c=a\star (b\star c);$$
• identity element: there exists $e\in \mathbb{G}$ such that for every $a\in \mathbb{G},$ $$e\star a=a\star e=a;$$ such an $e$ is called the identity element of $\mathbb{G};$
• inverse element: for every $a\in \mathbb{G},$ there exists $b\in \mathbb{G}$ such that $$a\star b=b\star a=e;$$ such a $b$ is called the inverse of $a.$

The use of determiner the for the identity element and the inverse of an element $a$ is justified by the following proposition.

Proposition 5.1. Let $\mathbb{G}$ be a group. Then $\mathbb{G}$ has a unique identity element and every element $a\in \mathbb{G}$ has a unique inverse.

Proof

Assume that $\mathbb{G}$ has two identity elements $e$ and $e.$ Then $e\star e^{\prime }=e$ (because $e^{\prime }$ is an identity element) and $e\star e^{\prime }=e^{\prime }$ (because $e$ is an identity element), hence $e=e^{\prime }.$

Assume that some group element $a$ has two inverses $b$ and $b^{\prime }.$ Then $$\begin{array}{rl}b& =b\star e\\ & =b\star (a\star b^{\prime })\\ & =(b\star a)\star b^{\prime }\\ & =e\star b^{\prime }\\ & =b^{\prime }.\end{array}$$

The group consisting of a single element $e$ such that $e\star e=e$ is called the trivial group.

If the binary operation is commutative, i.e., for every $a,b\in \mathbb{G},$ $a\star b=b\star a,$ then $\mathbb{G}$ is said to be abelian.

If $\mathbb{G}$ is finite, the number of elements of $\mathbb{G}$ is called the order of $\mathbb{G}$ and denoted $\left|\mathbb{G}\right|.$ If $\mathbb{G}$ is infinite, $\mathbb{G}$ is said to have infinite order.

Additive/Multiplicative Notation

There are two standard notation types for the group operation:

• additive: the group operation is denoted $+,$ the identity element is denoted $0$ (or $0_{\mathbb{G}}$ if one wants to avoid confusion with integer $0),$ and the inverse of $a$ is denoted $-a;$
• multiplicative: the group operation is denoted $\times$ or $\cdot ,$ the identity element is denoted $1$ (or $1_{\mathbb{G}}$ if one wants to avoid confusion with integer $1),$ and the inverse of $a$ is denote $a^{-1}.$

In the case of multiplicative notation, the operation symbol might be omitted and the group law simply denoted by juxtaposition. By convention, for an "abstract" group, additive notation is restricted to abelian groups (meaning multiplicative notation is used either when the group is known to be non-abelian, or when the abelian/non-abelian character of the group is unspecified).

For the rest of this chapter, unless specified otherwise, the group operation will be denoted multiplicatively but the identity element will be denoted $e$ for clarity.

Repeated Group Operation

Give a group element $a\in \mathbb{G},$ it is possible to apply the group operation repeatedly to $a$ itself, i.e., compute $a\star a\star \cdots \star a.$

When the group operation is denoted additively, for $k\in \mathbb{Z},$ we define $$ka:=\{\begin{array}{ll}{0}_{\mathbb{G}}& \text{if }k=0\\ \underset{k\text{ terms}}{\underbrace{a+\cdots +a}}& \text{if }k>0\\ \underset{-k\text{ terms}}{\underbrace{(-a)+\cdots +(-a)}}& \text{if }k<0.\end{array}$$ This is usually called the scalar multiplication of $a$ by $k.$

When the group operation is denoted multiplicatively, for $k\in \mathbb{Z},$ we define $$a^k:=\{\begin{array}{ll}{1}_{\mathbb{G}}& \text{if }k=0\\ \underset{k\text{ terms}}{\underbrace{a\times \cdots \times a}}& \text{if }k>0\\ \underset{-k\text{ terms}}{\underbrace{a^{-1}\times \cdots \times a^{-1}}}& \text{if }k<0.\end{array}$$ This is usually called the exponentiation of $a$ by $k.$

Proposition 5.2. Let $\mathbb{G}$ be a group denoted multiplicatively. Then for every $a\in \mathbb{G}$ and every $k,\ell \in \mathbb{Z},$ one has

• $a^{k+\ell }=a^k{a}^{\ell },$
• $a^{k\ell }=(a^k{)}^{\ell }=(a^{\ell }{)}^k,$
• $(a^k{)}^{-1}=a^{-k}.$

Moreover, if $\mathbb{G}$ is abelian, then for every $a,b\in \mathbb{G}$ and every $k\in \mathbb{Z},$ $(ab{)}^k=a^k{b}^k.$

Direct Product

Let $(\mathbb{G},\star )$ and $(\mathbb{H},\bullet )$ be two groups. The direct product of $\mathbb{G}$ and $\mathbb{H}$ is the Cartesian product $$\mathbb{G}\times \mathbb{H}:=\{(a,b)\mid a\in \mathbb{G},b\in \mathbb{H}\}$$ equipped with the binary operation $\diamond$ defined component-wise: $$(a,b)\diamond (c,d)=(a\star c,b\bullet d).$$

Proposition 5.3. The direct product as defined above is a group. Its identity element is $(e_{\mathbb{G}},e_{\mathbb{H}}),$ where $e_{\mathbb{G}}$ and $e_{\mathbb{H}}$ are respectively the identity element of $\mathbb{G}$ and $\mathbb{H}.$ The inverse of $(a,b)\in \mathbb{G}\times \mathbb{H}$ is $(a^{-1},b^{-1}).$

For abelian groups, the direct product is sometimes called direct sum and denoted $\mathbb{G}\oplus \mathbb{H}.$¹

Subgroups

Let $\mathbb{G}$ be a group and $\mathbb{H}$ be a non-empty subset of $\mathbb{G}.$ The subset $\mathbb{H}$ is a subgroup of $\mathbb{G}$ if $\mathbb{H}$ equipped with the binary operation of $\mathbb{G}$ is a group.

Proposition 5.4. Let $\mathbb{G}$ be a group and $\mathbb{H}$ be subset of $\mathbb{G}.$ Then $\mathbb{H}$ is a subgroup of $\mathbb{G}$ if and only if the following three properties are satisfied:

• $e\in \mathbb{H},$
• for every $a,b\in \mathbb{H},$ $ab\in \mathbb{H},$
• for every $a\in \mathbb{H},$ $a^{-1}\in \mathbb{H}.$

The following proposition gives a slightly more compact subgroup criterion.

Proposition 5.5. Let $\mathbb{G}$ be a group and $\mathbb{H}$ be subset of $\mathbb{G}.$ Then $\mathbb{H}$ is a subgroup of $\mathbb{G}$ if and only if $e\in \mathbb{H}$ and for every $a,b\in \mathbb{H},$ $a{b}^{-1}\in \mathbb{H}.$

A subgroup of $\mathbb{G}$ is said to be proper if it is different from $\mathbb{G}.$ Any non-trivial group has at least one proper subgroup, namely $\{e\},$ called the trivial subgroup.

Proposition 5.6. The intersection of a (finite or infinite) set of subgroups is a subgroup.

Proof

Let $\mathbb{H}={\cap }_{i\in I}{\mathbb{H}}_i$ be the intersection of a collection of subgroups ${\mathbb{H}}_i,$ $i\in I.$ Then, by Proposition 5.5, $e\in {\mathbb{H}}_i$ for every $i\in I$ and hence $e\in \mathbb{H}.$ Let $a,b\in \mathbb{H}.$ Then, for every $i\in I,$ $a,b\in {\mathbb{H}}_i$ and hence $a{b}^{-1}\in {\mathbb{H}}_i$ again by Proposition 5.5. Thus, $a{b}^{-1}\in \mathbb{H}.$ It follows that $\mathbb{H}$ is a subgroup.

Cosets and Lagrange Theorem

Let $\mathbb{H}$ be a subgroup of a group $\mathbb{G}.$ Consider the relation defined by $a\sim b$ if and only if $a{b}^{-1}\in \mathbb{H}$ and the dual one defined by $a\sim b$ if and only if $b^{-1}a\in \mathbb{H}.$ The following proposition shows that these are equivalence relations.

Proposition 5.7. Let $\mathbb{G}$ be a group. Let $\mathbb{H}$ be a subgroup of $\mathbb{G}.$ Then the relation defined by $a\sim b$ if and only if $a{b}^{-1}\in \mathbb{H}$ is an equivalence relation. The proposition also holds by replacing $a{b}^{-1}\in \mathbb{H}$ by $b^{-1}a\in \mathbb{H}.$

Proof

Let $\mathbb{H}$ be a subgroup of $\mathbb{G}$ and $\sim$ be relation defined by $a\sim b$ if and only if $a{b}^{-1}\in \mathbb{H}.$ Let us show that $\sim$ is reflexive, symmetric, and transitive.

• reflexivity: $e\in \mathbb{H}$ implies that for every $a\in \mathbb{G},$ $a{a}^{-1}\in \mathbb{H}$ and hence $a\sim a;$
• symmetry: $\mathbb{H}$ being closed under under inverses implies that for every $a,b\in \mathbb{G},$ $$\begin{array}{rl}a\sim b& \Rightarrow a{b}^{-1}\in \mathbb{H}\\ & \Rightarrow (a{b}^{-1}{)}^{-1}\in \mathbb{H}\\ & \Rightarrow b{a}^{-1}\in \mathbb{H}\\ & \Rightarrow b\sim a;\end{array}$$
• transitivity: $\mathbb{H}$ being closed under the binary operation implies that for every $a,b,c\in \mathbb{G},$ $$\begin{array}{rl}(a\sim b)\wedge (b\sim c)& \Rightarrow (a{b}^{-1}\in \mathbb{H})\wedge (b{c}^{-1}\in \mathbb{H})\\ & \Rightarrow a{b}^{-1}b{c}^{-1}\in \mathbb{H}\\ & \Rightarrow a{c}^{-1}\in \mathbb{H}\\ & \Rightarrow a\sim c.\end{array}$$

The proof is similar for the relation defined by $b^{-1}a\in \mathbb{H}.$

Let $\mathbb{H}$ be a subgroup of $\mathbb{G}$ and $\sim$ be the equivalence relation $a\sim b\iff a{b}^{-1}\in \mathbb{H}.$ An equivalence class for $\sim$ is called a right coset of $\mathbb{H}.$ Being equivalence classes, right cosets form a partition of $\mathbb{G}.$ For $g\in \mathbb{G},$ the right coset to which $g$ belongs is easily seen to be $$\mathbb{H}g:=\{hg\mid h\in \mathbb{H}\}.$$ Similarly, an equivalence class for the relation relation $a\sim b\iff b^{-1}a\in \mathbb{H}$ is called a left coset of $\mathbb{H}.$ Left cosets form a partition of $\mathbb{G}$ and for $g\in \mathbb{G},$ the left coset to which $g$ belongs is $$g\mathbb{H}:=\{gh\mid h\in \mathbb{H}\}.$$

When $\mathbb{G}$ is abelian, the set of right cosets and the set of left cosets are the same, but when $\mathbb{G}$ is non-abelian this is not necessarily the case. Note that $\mathbb{H}$ itself is both a right and a left coset.

A cornerstone of group theory is Lagrange's theorem, which essentially follows from the fact that right cosets (as well as left cosets) all have the same size.

Theorem 5.1 (Lagrange's Theorem). Let $\mathbb{G}$ be a finite group. Then the order of any subgroup $\mathbb{H}$ of $\mathbb{G}$ divides the order of $\mathbb{G}.$

Proof

Let $\mathbb{H}$ be a subgroup of $\mathbb{G}.$ For every $g\in \mathbb{G},$ the mapping $h\mapsto hg$ is a bijection from $\mathbb{H}$ to the right coset $\mathbb{H}g:$ it is obviously surjective and $hg=h^{\prime }g\Rightarrow hg{g}^{-1}=h^{\prime }g{g}^{-1}\Rightarrow h=h^{\prime },$ hence it is injective. Hence, all right cosets have $|\mathbb{H}|$ elements. Since right cosets form a partition of $\mathbb{G},$ we have $$|\mathbb{G}|=n|\mathbb{H}|$$ where $n$ is the number of right cosets.

A similar reasoning with left cosets shows that the number of left cosets is equal to the number of right cosets.

The number of right (or left) cosets of $\mathbb{H}$ is called the index of $\mathbb{H}$ in $\mathbb{G}$ and denoted $[\mathbb{G}:\mathbb{H}].$ Hence, Lagrange theorem states that $$|\mathbb{G}|=[\mathbb{G}:\mathbb{H}]|\mathbb{H}|.$$

Normal Subgroups

Having defined an equivalence relation associated with a subgroup, one may ask whether the set of right (or left) cosets can be equipped with a group structure. This is where the notion of normal subgroup comes into play.

Let $\mathbb{G}$ be a group. A subgroup $\mathbb{H}$ of $\mathbb{G}$ is said to be normal if for every $g\in \mathbb{G},$ $g\mathbb{H}=\mathbb{H}g$ (i.e., left and right cosets are equal).

Normality can be characterized by a number of other equivalent conditions. The easiest to check is often the following one.

Proposition 5.8. A subgroup $\mathbb{H}$ of $\mathbb{G}$ is normal if and only if for every $g\in \mathbb{G},$ $g\mathbb{H}{g}^{-1}\subseteq \mathbb{H}.$

For abelian groups, the situation is pretty simple.

Proposition 5.9. Every subgroup of an abelian group is normal.

Proof

If $\mathbb{G}$ is abelian and $\mathbb{H}$ is a subgroup of $\mathbb{G},$ then for any $h\in \mathbb{H},$ $gh{g}^{-1}=g{g}^{-1}h=h$ and hence $g\mathbb{H}{g}^{-1}=\mathbb{H}.$ By Proposition 5.8, this implies that $\mathbb{H}$ is normal.

Let us see now how normal subgroups allow us to construct quotient groups.

Quotient Groups

Let $\mathbb{G}$ be a group and let $\sim$ be an equivalence relation on $\mathbb{G}.$ We say that $\sim$ is compatible with the group structure of $\mathbb{G}$ if $a\sim b$ and $c\sim d$ implies $ac\sim bd.$ If $\sim$ is compatible with the group structure of $\mathbb{G},$ then one can equip the quotient set $\mathbb{G}/\sim$ (the set of all equivalence classes) with a binary operation defined as $[a][b]=[ab],$ where $[a]$ denotes the equivalence class of $a\in \mathbb{G}.$ This is well defined as compatibility of $\sim$ with the group structure ensures that this binary operation does not depend on the specific representatives $a$ and $b$ of each equivalence class. The following proposition states that normal subgroups completely characterize the equivalence relations $\sim$ which are compatible with the group structure of $\mathbb{G}.$

Proposition 5.10. Let $\mathbb{G}$ be a group and $\mathbb{H}$ be a normal subgroup of $\mathbb{G}.$ Then the equivalence relation defined by $a\sim b\iff a{b}^{-1}\in \mathbb{H}$ is compatible with the group structure of $\mathbb{G}.$ Conversely, let $\sim$ be an equivalence relation compatible with the group structure of $\mathbb{G}.$ Then $\mathbb{H}:=[e]$ is a normal subgroup of $\mathbb{G}$ and $a\sim b\iff a{b}^{-1}\in \mathbb{H}.$

Proof

Let $\mathbb{H}$ be a normal subgroup of $\mathbb{G}.$ Let us show that $\sim$ defined by $a\sim b\iff a{b}^{-1}\in \mathbb{H}$ (which is an equivalence relation by Proposition 5.7) is compatible with the group structure of $\mathbb{G}.$ Let $a,b,c,d\in \mathbb{G}$ such that $a\sim b$ and $c\sim d.$ We want to show that $ac\sim bd,$ i.e., $ac(bd{)}^{-1}\in \mathbb{H}.$ Note that $$ac(bd{)}^{-1}=ac{d}^{-1}{b}^{-1}=ac{d}^{-1}{a}^{-1}a{b}^{-1}.$$ We have $c{d}^{-1}\in \mathbb{H}$ because $c\sim d,$ which implies that $g:=a(c{d}^{-1})a^{-1}\in \mathbb{H}$ because $\mathbb{H}$ is normal. We also have $a{b}^{-1}\in \mathbb{H}$ because $a\sim b,$ hence $g(a{b}^{-1})=ac{d}^{-1}{a}^{-1}a{b}^{-1}=ac(bd{)}^{-1}\in \mathbb{H}$ and $ac\sim bd.$

Conversely, assume that $\sim$ is an equivalence relation which is compatible with the group structure of $\mathbb{G}.$ Define $\mathbb{H}$ as $[e],$ the equivalence class of the identity element. Let us first show that $\mathbb{H}$ is a normal subgroup. Clearly, $e\in \mathbb{H}.$ Let $a,b\in \mathbb{H},$ i.e., $a\sim e$ and $b\sim e.$ Then, by compatibility of $\sim$ with the group structure, we have $$\begin{array}{rlrl}a\sim e& \Rightarrow a{b}^{-1}\sim e{b}^{-1}& & (b^{-1}\sim b^{-1})\\ & \Rightarrow a{b}^{-1}e\sim b^{-1}b& & (e\sim b)\\ & \Rightarrow a{b}^{-1}\sim e.& & \end{array}$$ Hence $a{b}^{-1}\in \mathbb{H}$ and by Proposition 5.5, $\mathbb{H}$ is a subgroup.

To show that $\mathbb{H}$ is normal, let us show that for every $g\in \mathbb{G},$ $g\mathbb{H}{g}^{-1}\subseteq \mathbb{H}.$ Let $g\in \mathbb{G}$ and $h\in \mathbb{H}.$ Then $$\begin{array}{rlrl}h\sim e& \Rightarrow gh\sim g& & (g\sim g)\\ & \Rightarrow gh{g}^{-1}\sim g{g}^{-1}& & (g^{-1}\sim g^{-1})\\ & \Rightarrow gh{g}^{-1}\sim e.& & \end{array}$$ Hence $gh{g}^{-1}\in \mathbb{H}$ and $\mathbb{H}$ is normal.

It remains to show $a\sim b\iff a{b}^{-1}\in \mathbb{H}.$ By compatibility of $\sim$ with the group structure, we have $a\sim b\Rightarrow a{b}^{-1}\sim b{b}^{-1}\Rightarrow a{b}^{-1}\sim e$ and $a{b}^{-1}\sim e\Rightarrow a{b}^{-1}b\sim b\Rightarrow a\sim b.$ Hence $a\sim b\iff a{b}^{-1}\sim e\iff a{b}^{-1}\in \mathbb{H},$ which concludes the proof.

Let $\mathbb{H}$ be a normal subgroup of $\mathbb{G}$ and let $\sim$ be the equivalence relation defined by $a\sim b\iff a{b}^{-1}\in \mathbb{H}.$ Then the quotient set $\mathbb{G}/\sim$ equipped with the binary operation defined by $[a][b]=[ab]$ is a group (as shown in the proposition below) called the quotient group associated with $\mathbb{H}$ and denoted $\mathbb{G}/\mathbb{H}.$ Note that the order of $\mathbb{G}/\mathbb{H}$ is $[\mathbb{G}:\mathbb{H}],$ the index of $\mathbb{H}.$

Proposition 5.11. Let $\mathbb{G}$ be a group and $\mathbb{H}$ be a normal subgroup of $\mathbb{G}.$ Then $\mathbb{G}/\mathbb{H}$ is a group. Its identity element is $[e]$ and the inverse of $[a]$ is $[a{]}^{-1}:=[a^{-1}].$ If $\mathbb{G}$ is abelian then so is $\mathbb{G}/\mathbb{H}.$

Proof

This follows straightforwardly from the definition of the binary operation $[a][b]=[ab].$

Homomorphisms and Isomorphisms

Let $\mathbb{G}$ and ${\mathbb{G}}^{\prime }$ be two groups.

• A group homomorphism is a function $f$ from $\mathbb{G}$ to ${\mathbb{G}}^{\prime }$ such that for every $a,b\in \mathbb{G},$ $f(ab)=f(a)f(b).$
• If $\mathbb{G}={\mathbb{G}}^{\prime },$ then $f$ is called a group endomorphism.
• If $f$ is bijective, then $f$ is called a group isomorphism and groups $\mathbb{G}$ and ${\mathbb{G}}^{\prime }$ are said isomorphic, denoted $\mathbb{G}\cong {\mathbb{G}}^{\prime }.$
• If $\mathbb{G}={\mathbb{G}}^{\prime }$ and $f$ is bijective, then $f$ is called a group automorphism (hence, a group automorphism is both a group endomorphism and a group isomorphism).

The following proposition gives a number of properties of group homomorphisms.

Proposition 5.12. Let $\mathbb{G}$ and ${\mathbb{G}}^{\prime }$ be two groups and $f:\mathbb{G}\to {\mathbb{G}}^{\prime }$ be a group homomorphism. Then:

• $f(e_{\mathbb{G}})=e_{{\mathbb{G}}^{\prime }};$
• for every $a\in \mathbb{G},$ $f(a^{-1})=f(a{)}^{-1};$
• for every subgroup $\mathbb{H}$ of $\mathbb{G},$ $f(\mathbb{H}):=\{f(a)\mid a\in \mathbb{H}\}$ is a subgroup of ${\mathbb{G}}^{\prime };$
• for every subgroup ${\mathbb{H}}^{\prime }$ of ${\mathbb{G}}^{\prime },$ $f^{-1}({\mathbb{H}}^{\prime }):=\{a\in \mathbb{G}\mid f(a)\in {\mathbb{H}}^{\prime }\}$ is a subgroup of $\mathbb{G};$
• if $f$ is a group isomorphism, then the inverse function $f^{-1}:{\mathbb{G}}^{\prime }\to \mathbb{G}$ is also a group isomorphism;
• if ${\mathbb{G}}^{\prime }$ is another group and $f^{\prime }:{\mathbb{G}}^{\prime }\to {\mathbb{G}}^{\prime \prime }$ is a group homomorphism, then $f^{\prime }\circ f$ is a group homomorphism from $\mathbb{G}$ to ${\mathbb{G}}^{\prime \prime }.$

Let $f:\mathbb{G}\to {\mathbb{G}}^{\prime }$ be a group homomorphism. Two sets related to $f$ are particularly important:

• The kernel of $f$ is the subset of $\mathbb{G}$ defined as $$\ker (f):=\{a\in \mathbb{G}\mid f(a)=e_{{\mathbb{G}}^{\prime }}\}.$$
• The image of $f$ is the subset of ${\mathbb{G}}^{\prime }$ defined as $$\mathrm{im}(f):=\{f(a)\mid a\in \mathbb{G}\}.$$

By Proposition 5.12, $\ker (f)$ is a subgroup of $\mathbb{G}$ since it is equal to $f^{-1}(\{e_{{\mathbb{G}}^{\prime }}\})$ and $\mathrm{im}(f)$ is a subgroup of ${\mathbb{G}}^{\prime }$ since it is equal to $f(\mathbb{G}).$

Theorem 5.2 (First Isomorphism Theorem). Let $f:\mathbb{G}\to {\mathbb{G}}^{\prime }$ be a group homomorphism. Then $\ker (f)$ is a normal subgroup of $\mathbb{G}$ and $\mathbb{G}/\ker (f)\cong \mathrm{im}(f).$

Proof

Let us first show that $\ker (f)$ is normal. Let $g\in \mathbb{G}$ and $h\in \ker (f).$ Then $$\begin{array}{rl}f(gh{g}^{-1})& =f(g)f(h)f(g^{-1})\\ & =f(g)e_{{\mathbb{G}}^{\prime }}f(g{)}^{-1}\\ & =f(g)f(g{)}^{-1}\\ & =e_{{\mathbb{G}}^{\prime }}.\end{array}$$ Hence $g\ker (f)g^{-1}\subseteq \ker (f)$ and hence $\ker (f)$ is normal.

Consider now the mapping $\bar{f}:\mathbb{G}/\ker (f)\to \mathrm{im}(f)$ defined by $\bar{f}([a])=f(a).$ It is well-defined since $$\begin{array}{rl}[a]=[b]& ⟺a{b}^{-1}\in \ker (f)\\ & ⟺f(a{b}^{-1})=e_{{\mathbb{G}}^{\prime }}\\ & ⟺f(a)=f(b).\end{array}$$ In other words, equivalence classes of $\mathbb{G}/\ker (f)$ are just subsets of elements of $\mathbb{G}$ with the same image under $f.$ Consequently, the definition of $\bar{f}$ does not depend on the representative of the equivalence class.

It is a group homomorphism since $$\begin{array}{rl}\bar{f}([a][b])& =\bar{f}([ab])\\ & =f(ab)\\ & =f(a)f(b)\\ & =\bar{f}([a])\bar{f}([b]).\end{array}$$ Moreover, it is injective since $\bar{f}([a])=\bar{f}([b])\iff f(a)=f(b)\iff [a]=[b].$ It is also surjective since any element in $h\in \mathrm{im}(f)$ is of the form $f(a)$ for some $a\in \mathbb{G}$ and hence $h=\bar{f}([a]).$ Hence, $\bar{f}$ is a group isomorphism.

There are three other isomorphism theorems but they are not as useful as the first one.

Group Generation

Let $\mathbb{G}$ be a group and $A$ be a subset of $\mathbb{G}.$ The subgroup generated by $A$, denoted $⟨A⟩,$ is the intersection of all subgroups of $\mathbb{G}$ containing $A.$ (Recall that by Proposition 5.6, an intersection of subgroups is a subgroup.) Informally, it is the "smallest" (for inclusion) subgroup of $\mathbb{G}$ which contains $A:$ any subgroup containing $A$ contains $⟨A⟩.$

The following proposition gives a more explicit characterization.

Proposition 5.13. Let $\mathbb{G}$ be a group and $A$ be a subset of $\mathbb{G}.$ Then $⟨A⟩$ is the subgroup of all elements of $\mathbb{G}$ that can be expressed as the finite product of elements of $A$ and inverse of elements of $A.$

Note in particular that $⟨\varnothing ⟩=\{e\}$ (in which case Proposition 5.13 still holds with the convention that an empty product of group elements is equal to $e).$

If $A=\{a_1,\dots ,a_k\}$ is finite, the subgroup generated by $A$ is also denoted $⟨a_1,\dots ,a_k⟩.$ When $\mathbb{G}$ is abelian, then $$⟨a_1,\dots ,a_k⟩=\left\{a_1^{z_1}\cdots a_k^{z_k}\mid z_1,\dots ,z_k\in \mathbb{Z}\right\}.$$

A group $\mathbb{G}$ is said to be finitely generated is there exists a finite number of elements $g_1,\dots g_k\in \mathbb{G}$ such that $\mathbb{G}=⟨g_1,\dots ,g_k⟩,$ in which case $\{g_1,\dots ,g_k\}$ is called a generating set of $\mathbb{G}.$

A group $\mathbb{G}$ is said cyclic (or monogenous²) if there exists $g\in \mathbb{G}$ such that $\mathbb{G}=⟨g⟩,$ in which case $g$ is called a generator of $\mathbb{G}.$

The order of an element $a\in \mathbb{G}$ is the order of the subgroup $⟨a⟩.$ If $\mathbb{G}$ has infinite order, the order of an element $a\in \mathbb{G}$ can be finite or infinite.

Below we list a number of properties of the order of an element.

Proposition 5.14. Let $\mathbb{G}$ be a group and $a\in \mathbb{G}$ be a group element. Then $a$ has finite order if and only if there exists $k\in {\mathbb{N}}^{\ast }$ such that $a^k=e.$ In that case, $a$'s order is the smallest integer $n\ge 1$ such that $a^n=e$ and one has $$⟨a⟩=\{e,a,a^2,\dots ,a^{n-1}\}.$$

Proposition 5.15. If $\mathbb{G}$ has finite order $n,$ then the order of any element $a\in \mathbb{G}$ divides $n.$ In particular, for any $a\in \mathbb{G},$ $a^n=e.$

Proof

The first part is a direct consequence of Lagrange's Theorem. For the second part, let $m$ be the order of $a$ and write $n=dm.$ Then $a^n=a^{dm}=(a^m{)}^d=e^d=e.$

Proposition 5.16. Let $\mathbb{G}$ be a group and $a\in \mathbb{G}$ be an element of order $n.$ Then for every $k\in \mathbb{Z},$ $a^k=e$ if and only if $n$ divides $k.$

Proof

If $n$ divides $k$ then $k=dn$ for some integer $d,$ which implies $a^k=a^{dn}=(a^n{)}^d=e^d=e.$ Conversely, assume that $a^k=e.$ By Euclid's division lemma, there exists $q,r\in \mathbb{Z}$ such that $k=qn+r$ and $0\le r<n.$ Then $a^k=a^{qn+r}=(a^n{)}^q{a}^r=a^r$ and consequently $a^r=e.$ This implies that $r=0$ as otherwise $a$ would have order $r<n.$ Hence, $k=qn$ and $n$ divides $k.$

Proposition 5.17. Let $\mathbb{G}$ be a group, $a\in \mathbb{G}$ be an element of order $n,$ and $k\in \mathbb{Z}.$ Then the order of $g^k$ is $n/\gcd (n,k).$

Proof

Let $d=\gcd (k,n)$ and let $\ell$ be the order of $g^k.$ Then $(g^k{)}^{\ell }=g^{k\ell }=e$ and hence by Proposition 5.16, $n\mid k\ell ,$ which implies $(\frac{n}{d})\mid (\frac{k}{d})\ell .$ Since $\gcd (\frac{n}{d},\frac{k}{d})=1,$ this implies $\frac{n}{d}\mid \ell .$

On the other hand, $(g^k{)}^{\frac{n}{d}}=(g^n{)}^{\frac{k}{d}}=e^{\frac{k}{d}}=e,$ and hence by Proposition 5.16, $\ell \mid \frac{n}{d}.$ We conclude that $\ell =n/d.$

Properties of Cyclic Groups

Proposition 5.18. Any cyclic group is abelian.

Proof

Let $\mathbb{G}$ be a cyclic group, let $g$ be a generator of $\mathbb{G},$ and let $a,b\in \mathbb{G}$ be two group elements. Then there exists $k,\ell \in \mathbb{Z}$ such that $a=g^k$ and $b=g^{\ell },$ which implies that $$ab=g^k{g}^{\ell }=g^{k+\ell }=g^{\ell }{g}^k=ba.$$

Proposition 5.19. Let $\mathbb{G}$ be a cyclic group and $\mathbb{H}$ be a subgroup of $\mathbb{G}.$ Then $\mathbb{H}$ and $\mathbb{G}/\mathbb{H}$ are cyclic.

Proof

Let $\mathbb{G}$ be a cyclic group, $g$ be a generator of $\mathbb{G},$ and $\mathbb{H}$ be a subgroup of $\mathbb{G}.$ Let us first show that $\mathbb{H}$ is cyclic. If $\mathbb{H}=\{e\}$ then $\mathbb{H}$ is clearly cyclic. Otherwise, let $n\ge 1$ be the smallest integer such that $g^n\in \mathbb{H}$ (which necessarily exists since $\mathbb{H}$ contains at least one element different from $e$ and either this element or its inverse can be written $g^m$ for some $m\ge 1).$ We will prove that $\mathbb{H}=⟨g^n⟩.$ Clearly, $⟨g^n⟩\subseteq \mathbb{H}$ since $\mathbb{H}$ is a subgroup. Conversely, let $a\in \mathbb{H}.$ Then $a=g^k$ for some $k\in \mathbb{Z}.$ By Euclid's division lemma, there exists $q,r\in \mathbb{Z}$ such that $k=qn+r$ and $0\le r<n.$ Then $a=g^k=g^{qn+r}=(g^n{)}^q{g}^r,$ and consequently $g^r\in \mathbb{H}.$ This implies that $r=0$ as otherwise this would contradict the minimality of $n.$ Hence $a=(g^n{)}^q\in ⟨g^n⟩$ and $\mathbb{H}\subseteq ⟨g^n⟩.$ Thus, $\mathbb{H}=⟨g^n⟩$ and hence $\mathbb{H}$ is cyclic.

Let us now show that $\mathbb{G}/\mathbb{H}$ is cyclic. More precisely, let us prove that $\mathbb{G}/\mathbb{H}=⟨[g]⟩.$ Let $[a]\in \mathbb{G}/\mathbb{H}$ be an element of the quotient group specified by an arbitrary representative $a\in \mathbb{G}.$ Then there exists $k\in \mathbb{Z}$ such that $a=g^k.$ Thus, $[a]=[g^k]=[g{]}^k$ and hence $[g]$ is a generator of $\mathbb{G}/\mathbb{H}.$

Proposition 5.20. Any group with prime order is cyclic and any element different from the identity element is a generator of $\mathbb{G}.$

Proof

Let $\mathbb{G}$ be a group of prime order $p.$ Let $a\in \mathbb{G}$ be an element different from the identity element and let $n$ be the order of $a.$ Since the order of an element divides the order of the group by Proposition 5.15, one has either $n=1$ or $n=p.$ Since $a\ne e,$ one cannot have $n=1,$ hence $n=p$ and $a$ generates $\mathbb{G}.$

Proposition 5.21. Let $\mathbb{G}$ be a cyclic group of order $n,$ $g$ be a generator of $\mathbb{G},$ and $k\in \mathbb{Z}.$ Then $⟨g^k⟩=\mathbb{G}$ if and only if $\gcd (n,k)=1.$ In particular, $\mathbb{G}$ has $\varphi (n)$ generators, where $\varphi$ is Euler's function.

Proof

We have $⟨g^k⟩=\mathbb{G}$ if and only if the order of $g^k$ is $n,$ which by Proposition 5.17 is equivalent to $\gcd (n,k)=1.$

For the second part of the proposition, write $\mathbb{G}=\{e,g,\dots ,g^{n-1}\}.$ Then generators of $\mathbb{G}$ are exactly elements of the form $g^k$ with $\gcd (n,k)=1$ and hence there are $\varphi (n)$ such elements.

Proposition 5.22. Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be two cyclic groups of order $n_1$ and $n_2$ respectively. Then the direct product ${\mathbb{G}}_1\times {\mathbb{G}}_2$ is cyclic if and only if $\gcd (n_1,n_2)=1.$ Moreover, $(g_1,g_2)$ is a generator of ${\mathbb{G}}_1\times {\mathbb{G}}_2$ if and only if $g_1$ is a generator of ${\mathbb{G}}_1$ and $g_2$ is a generator of ${\mathbb{G}}_2.$

Proof

Let us first show the following lemma: Let $a_1\in {\mathbb{G}}_1$ be an element of order $k_1$ and $a_2\in {\mathbb{G}}_2$ be an element of order $k_2.$ Then $(a_1,a_2)$ has order $\mathrm{lcm}(k_1,k_2).$

Let $e_1$ be the identity element of ${\mathbb{G}}_1$ and $e_2$ be the identity element of $e_2.$ Then $$\begin{array}{rl}(a_1,a_2{)}^k=(e_1,e_2)& ⟺a_1^k=e_1\wedge a_2^k=e_2\\ & ⟺k_1\mid k\wedge k_2\mid k.\end{array}$$ The smallest such positive integer $k$ is by definition $\mathrm{lcm}(k_1,k_2),$ which proves the lemma.

Let us now prove the proposition. Assume that ${\mathbb{G}}_1\times {\mathbb{G}}_2$ is cyclic and let $(g_1,g_2)$ be a generator of ${\mathbb{G}}_1\times {\mathbb{G}}_2.$ Then clearly $g_1$ must be a generator of ${\mathbb{G}}_1$ and $g_2$ a generator of ${\mathbb{G}}_2.$ By the previous lemma, $(g_1,g_2)$ has order $\mathrm{lcm}(n_1,n_2).$ On the other hand, $(g_1,g_2)$ has order $\left|{\mathbb{G}}_1\times {\mathbb{G}}_2\right|=n_1{n}_2$ as it generates ${\mathbb{G}}_1\times {\mathbb{G}}_2.$ Hence, $\mathrm{lcm}(n_1,n_2)=n_1{n}_2,$ which implies $\gcd (n_1,n_2)=1.$

Conversely, assume that $\gcd (n_1,n_2)=1$ and let $g_1$ be a generator of ${\mathbb{G}}_1$ and $g_2$ be a generator of ${\mathbb{G}}_2.$ By the lemma, $(g_1,g_2)$ has order $\mathrm{lcm}(n_1,n_2)=n_1{n}_2=\left|{\mathbb{G}}_1\times {\mathbb{G}}_2\right|$ and hence generates ${\mathbb{G}}_1\times {\mathbb{G}}_2.$

Classification of Cyclic Groups

The set of integers $$\mathbb{Z}=\{\dots ,-2,-1,0,1,2,\dots \}$$ equipped with addition is a cyclic group of infinite order with identity element $0$ and generators $1$ and $-1.$

What are its subgroups? In general, a simple way to construct subgroups of any group is given by the following proposition.

Proposition 5.23. Let $\mathbb{G}$ be a group denoted additively and $n\in \mathbb{Z}$ be an integer. Then $$n\mathbb{G}:=\{na\mid a\in \mathbb{G}\}$$ is a subgroup of $\mathbb{G}.$

Proof

First, one has $0\in n\mathbb{G}$ since $0=n0.$ Second, let $a,b\in n\mathbb{G}.$ Then $a=n{a}^{\prime }$ and $b=n{b}^{\prime }$ for some $a^{\prime },b^{\prime }\in \mathbb{G}.$ Hence, $a-b=n(a^{\prime }-b^{\prime })\in n\mathbb{G}.$ Thus, by Proposition 5.5, $n\mathbb{G}$ is a subgroup of $\mathbb{G}.$

Hence, for any integer $n\in \mathbb{N},$ the set $n\mathbb{Z}:=\{nz\mid z\in \mathbb{Z}\}$ is a subgroup of $\mathbb{Z}.$ By Proposition 5.19, it is cyclic. One can easily check that it has infinite order and that it is generated by $n$ and $-n.$ These are in fact the only subgroups of $\mathbb{Z}.$

Proposition 5.24. Let $\mathbb{G}$ be a subgroup of $\mathbb{Z}.$ Then there exists a unique $n\in \mathbb{N}$ such that $\mathbb{G}=n\mathbb{Z}.$

Proof

Le us show existence first. If $\mathbb{G}=\{0\}$ then $\mathbb{G}=0\mathbb{Z}.$ Assume now that $\mathbb{G}\ne \{0\},$ implying that $\mathbb{G}$ contains at least one positive integer (it contains at least one non-zero integer $a$ and either $a$ or $-a$ is positive). Let $n$ be the smallest positive integer in $\mathbb{G}.$ Let us show that $\mathbb{G}=n\mathbb{Z}.$ Clearly, $n\mathbb{Z}\subseteq \mathbb{G}$ since $n\in \mathbb{G}.$ Conversely, let $k\in \mathbb{G}.$ By Euclid's division lemma, there exists $q,r\in \mathbb{Z}$ such that $k=qn+r$ and $0\le r<n.$ Since $n$ and $k$ are in $\mathbb{G},$ $r=k-qn$ is also in $\mathbb{G},$ which implies $r=0$ as otherwise this would contradict the minimality of $n.$ Thus, $k=qn\in n\mathbb{Z}$ and $\mathbb{G}\subseteq n\mathbb{Z}.$ Hence, $\mathbb{G}=n\mathbb{Z}$ which proves existence.

For uniqueness, assume that $\mathbb{G}=n\mathbb{Z}=n^{\prime }\mathbb{Z}$ for $n,n^{\prime }\in \mathbb{N}.$ Then $n\in n^{\prime }\mathbb{Z}$ implies $n^{\prime }\mid n$ and $n^{\prime }\in n\mathbb{Z}$ implies $n\mid n^{\prime },$ and consequently $n=n^{\prime }$ since $n$ and $n^{\prime }$ are in $\mathbb{N}.$

For any $n\in \mathbb{N},$ we can consider the quotient group $\mathbb{Z}/n\mathbb{Z}.$ The equivalence class of $a\in \mathbb{Z}$ is $[a]=\{a+nz\mid z\in \mathbb{Z}\},$ also called the residue class of $a$ modulo $n$. There are $n$ distinct classes, namely $[[0]],\dots ,[[n-1]].$ Hence, the index of $n\mathbb{Z}$ is $n$ and $\mathbb{Z}/n\mathbb{Z}$ has order $n.$ It is cyclic with generator $[1]$ (and $[-1]).$ More generally, by Proposition 5.21, the generators of $\mathbb{Z}/n\mathbb{Z}$ are $[k]$ for $k\in \mathbb{Z}$ such that $\gcd (k,n)=1.$

Another way to think of $\mathbb{Z}/n\mathbb{Z}$ is as the set $\{0,1,\dots ,n-1\}$ equipped with "modulo $n$" addition and inverses. More precisely, let ${\mathbb{Z}}_n$ be the set of symbols $\{[[0]],[[1]],\dots ,[[n-1]]\}$ equipped with the binary operation $$[[a]]+[[b]]=[[(a+b)\mathrm{mod}n]].$$ This is a group with identity $[[0]]$ and inverse $-[[a]]=[[(-a)\mathrm{mod}n]].$ One can easily see that $\mathbb{Z}/n\mathbb{Z}$ and ${\mathbb{Z}}_n$ are isomorphic, the isomorphism being $[a]\mapsto [[a\mathrm{mod}n]].$ From now on, we will work with the latter formalism.

As for $\mathbb{Z},$ let us characterize the subgroups of ${\mathbb{Z}}_n.$ By Proposition 5.23, for any integer $m\in \mathbb{Z},$ $$m{\mathbb{Z}}_n:=\{m[[u]]\mid [[u]]\in {\mathbb{Z}}_n\}$$ is a subgroup of ${\mathbb{Z}}_n.$ What does this subgroup look like? One has $$\begin{array}{rl}[[a]]\in m{\mathbb{Z}}_n& \iff \exists [[u]]\in {\mathbb{Z}}_n,[[a]]=m[[u]]\\ & \iff \exists u\in \{0,1,\dots ,n-1\},a=mu\mathrm{mod}n\\ & \iff \exists u\in \mathbb{Z},a=mu\mathrm{mod}n\\ & \iff \exists u,v\in \mathbb{Z},a=um+vn\\ & \iff \gcd (m,n)\mid a,\end{array}$$ where the last equivalence follows from Bézout's lemma.

Hence, letting $d=\gcd (m,n),$ we see that $m{\mathbb{Z}}_n$ is the subset of ${\mathbb{Z}}_n$ containing multiples of $d,$ i.e., $$m{\mathbb{Z}}_n=\{[[kd]]\mid k=0,\dots ,n/d-1\}=d{\mathbb{Z}}_n.$$ In particular, $m{\mathbb{Z}}_n$ has order $n/d$ and index $d.$ (As we will see shorty, $m{\mathbb{Z}}_n$ being cyclic, one has $m{\mathbb{Z}}_n\cong {\mathbb{Z}}_{n/d}.$)

Again, we can show that these are in fact the only subgroups of ${\mathbb{Z}}_n.$

Proposition 5.25. Let $n\in \mathbb{N}$ and $\mathbb{G}$ be a subgroup of ${\mathbb{Z}}_n.$ Then there is a unique $d\in \mathbb{N}$ such that $d\mid n$ and $\mathbb{G}=d{\mathbb{Z}}_n.$

Proof

Let $\mathbb{G}$ be a subgroup of ${\mathbb{Z}}_n.$ Let us prove existence first. Let $$\mathbb{H}:=\{a+kn\mid [[a]]\in \mathbb{G},k\in \mathbb{Z}\}.$$ Then $\mathbb{H}$ is a subgroup of $\mathbb{Z}:$ it is clearly non-empty and for $b,b^{\prime }\in \mathbb{H},$ $b=a+kn$ and $b^{\prime }=a^{\prime }+k^{\prime }n,$ one has $$\begin{array}{rlr}b-b^{\prime }& =(a-a^{\prime })+(k-k^{\prime })n& \\ & =(a-a^{\prime }\mathrm{mod}n)+k^{\prime \prime }n& \text{for some k′′∈Z},\end{array}$$ hence $b-b^{\prime }\in \mathbb{H}.$ Thus, there exists $d\in \mathbb{N}$ such that $\mathbb{H}=d\mathbb{Z}.$ Moreover, since $0\in \mathbb{G},$ $n\in \mathbb{H}$ and hence $d\mid n.$ Since $\mathbb{G}=\{[[a]]\mid a\in \mathbb{H}\cap \{0,\dots ,n-1\}\},$ it follows that $\mathbb{G}=d{\mathbb{Z}}_n.$

Let us now prove uniqueness. Assume that $\mathbb{G}=d{\mathbb{Z}}_n=d^{\prime }{\mathbb{Z}}_n$ for $d,d^{\prime }\in \mathbb{N}$ with $d$ and $d^{\prime }$ dividing $n.$ Since $[[d]]\in d{\mathbb{Z}}_n,$ this implies $[[d]]\in d^{\prime }{\mathbb{Z}}_n=\{[[k{d}^{\prime }]]\mid k=0,\dots ,n/d^{\prime }-1\}$ and hence $d^{\prime }\mid d.$ Conversely, $d\mid d^{\prime }$ and hence $d=d^{\prime }$ since $d$ and $d^{\prime }$ are in $\mathbb{N}.$

We can now prove the following two "structure theorems" stating that, up to isomorphism, $\mathbb{Z}$ and ${\mathbb{Z}}_n$ are the only cyclic groups of infinite, resp. finite order $n.$

Theorem 5.3 (Fundamental Theorem of Cyclic Groups). Let $\mathbb{G}$ be a cyclic group. Then:

• If $\mathbb{G}$ has infinite order, then it is isomorphic to $\mathbb{Z}$ and the subgroups of $\mathbb{G}$ are exactly the subsets ${\mathbb{G}}^n:=\{a^n\mid a\in \mathbb{G}\}$ for $n\in \mathbb{N};$
• If $\mathbb{G}$ has finite order $n,$ then it is isomorphic to ${\mathbb{Z}}_n$ and the subgroups of $\mathbb{G}$ are exactly the subsets ${\mathbb{G}}^d:=\{a^d\mid a\in \mathbb{G}\}$ for $d\in \mathbb{N}$ such that $d\mid n.$ In particular, $\mathbb{G}$ has exactly one subgroup of order $d$ for each divisor $d$ of $n,$ namely ${\mathbb{G}}^{n/d}.$

Proof

Let $\mathbb{G}$ be a cyclic group and $g$ be a generator of $\mathbb{G}.$ Consider the mapping $f:\mathbb{Z}\to \mathbb{G}$ defined by $f(k)=g^k.$ Then $f$ is a group homomorphism since $f(k+\ell )=g^{k+\ell }=g^k{g}^{\ell }=f(k)f(\ell ).$ It is clearly surjective since $g$ is a generator of $\mathbb{G}.$

Consider first the case where $\mathbb{G}$ has infinite order. Let us show that $f$ is injective. Assume that $f(k)=f(\ell )$ for distinct integers $k$ and $\ell$ with $k<\ell .$ Then $f(\ell -k)=g^{\ell -k}=e,$ contradicting the fact that $g$ has infinite order. Hence, $f$ is an isomorphism from $\mathbb{Z}$ to $\mathbb{G}.$ Since the subgroups of $\mathbb{Z}$ are exactly $n\mathbb{Z}$ for $n\in \mathbb{N},$ the subgroups of $\mathbb{G}$ are exactly $$\begin{array}{rl}f(n\mathbb{Z})& =\{g^k\mid k\in n\mathbb{Z}\}\\ & =\{g^{kn}\mid k\in \mathbb{Z}\}\\ & =\{a^n\mid a\in \mathbb{G}\},\end{array}$$ where the last equality follows from $g$ being a generator and hence $\mathbb{G}=\{g^k\mid k\in \mathbb{Z}\}.$

Consider now the case where $\mathbb{G}$ has finite order $n.$ Let us show that $\ker (f)=n\mathbb{Z}.$ Since $g$ has order $n,$ by Proposition 5.16, for every $k\in \mathbb{Z},$ $g^k=e\iff k\mid n,$ which exactly means that $k\in \ker (f)\iff k\in n\mathbb{Z}.$ Hence, $\ker (f)=n\mathbb{Z}.$ By the First Isomorphism Theorem, $\mathrm{im}(f)=\mathbb{G}\cong \mathbb{Z}/n\mathbb{Z}\cong {\mathbb{Z}}_n.$

Let $\bar{f}:{\mathbb{Z}}_n\to \mathbb{G}$ be the isomorphism defined by $\bar{f}([[k]])=g^k.$ Since the subgroups of ${\mathbb{Z}}_n$ are exactly $d{\mathbb{Z}}_n$ for $d\in \mathbb{N}$ such that $d\mid n,$ the subgroups of $\mathbb{G}$ are exactly $$\begin{array}{rl}\bar{f}(d{\mathbb{Z}}_n)& =\{g^k\mid [[k]]\in d{\mathbb{Z}}_n\}\\ & =\{g^{kd}\mid k=0,\dots ,n-1\}\\ & =\{a^d\mid a\in \mathbb{G}\}.\end{array}$$

Cauchy's Theorem for Abelian Groups

Lagrange's theorem states that the order of a subgroup of a finite group divides the order of the group. Conversely, given a divisor $d$ of the order of the group, does there always exist a subgroup of order $d$? A group where this property holds is called a converse Lagrange theorem (CLT) group. The answer is no in general. However, there are specific cases where the existence of a subgroup is guaranteed. Cauchy's theorem states that for every group $\mathbb{G}$ (non-necessarily abelian) of finite order and every prime divisor $p$ of $\left|\mathbb{G}\right|,$ $\mathbb{G}$ has a subgroup of order $p.$ Cauchy's theorem is a special case of Sylow's (first) theorem.

Here, we will only prove it in the easier case where $\mathbb{G}$ is abelian. Actually, a more general result (that will follow easily from the fundamental theorem of finite abelian groups) is that any finite abelian group is CLT. In other words, for a finite abelian group of order $n,$ the existence of a subgroup of order $d$ is guaranteed for any divisor $d$ of $n,$ not only for prime divisors.

Theorem 5.4 (Cauchy's Theorem, Abelian Case). Let $\mathbb{G}$ be an abelian group of finite order $n.$ Then, for every prime divisor $p$ of $n,$ there exists a subgroup of $\mathbb{G}$ of order $p$ (or, equivalently, there exists an element of $\mathbb{G}$ of order $p).$

Proof

The equivalence between the two conclusions follows from the fact that a group of prime order is necessarily cyclic.

Let $\{a_1,\dots ,a_r\}$ be a generating set of $\mathbb{G}$ and for $i\in \{1,\dots ,r\}$ let $n_i$ denote the order of $a_i.$ Consider the mapping $f:⟨a_1⟩\times \cdots \times ⟨a_r⟩\to \mathbb{G}$ defined by $f(x_1,\dots ,x_r)=x_1\cdots x_r.$ Since $\mathbb{G}$ is abelian, it is a group homomorphism. Moreover, since $\{a_1,\dots ,a_r\}$ is a generating set, $f$ is surjective (indeed, by definition of a generating set of an abelian group, any element $y\in \mathbb{G}$ can be written as $y=a_1^{k_1}\cdots a_r^{k_r}$ for some integers $k_1,\dots ,k_r\in \mathbb{Z}$ and for each $i\in \{1,\dots ,r\},$ $a_i^{k_i}\in ⟨a_i⟩).$ By the First Isomorphism Theorem, $\mathbb{G}$ is isomorphic to $(⟨a_1⟩\times \cdots \times ⟨a_r⟩)/\ker (f),$ which implies that $$\begin{array}{rl}\left|\mathbb{G}\right|\cdot \left|\ker (f)\right|& =\left|⟨a_1⟩\times \cdots \times ⟨a_r⟩\right|\\ & =n_1\cdots n_r,\end{array}$$ and hence $n=\left|\mathbb{G}\right|$ divides $n_1\cdots n_r.$

Let $p$ be a prime divisor of $n.$ Then $p$ divides $n_1\cdots n_r$ and hence $p$ divides $n_i$ for some $i\in \{1,\dots ,r\}.$ Then we can write $n_i=kp$ and by Proposition 5.17, $a_i^k$ has order $n_i/\gcd (n_i,k)=n_i/k=p,$ which concludes the proof.

Exponent of a Group

Let $\mathbb{G}$ be a group. Consider the subset of $\mathbb{Z}$ defined as $$\{k\in \mathbb{Z}\mid \forall a\in \mathbb{G},a^k=e\}.$$ One can easily check that this is a subgroup of $\mathbb{Z}.$ Hence, by Proposition 5.24, there is a unique integer $m\in \mathbb{N}$ such that this subgroup is equal to $m\mathbb{Z}.$ This integer $m$ is called the exponent of $\mathbb{G}.$ Equivalently, it is defined as the smallest positive integer $m\ge 1$ such that $\forall g\in \mathbb{G},$ $g^m=e.$ If no such integer exists, depending on the convention, $\mathbb{G}$ is said to have exponent 0 or infinite exponent. A finite group of order $n$ necessarily has finite exponent $m$ satisfying $m\mid n$ (since by Proposition 5.15, $a^n=e$ for every $a\in \mathbb{G}$ and hence $n\in m\mathbb{Z}).$ Moreover, the order of any group element divides $m$ by Proposition 5.16. Conversely, a group with infinite exponent necessarily has infinite order. However, a group with finite exponent is not necessarily finite.

In the following, we prove that an abelian group with finite exponent $m$ always contains an element of order $m.$ This will be a key lemma for proving the fundamental theorem of finite abelian groups. Note that none of the three following propositions holds for a non-abelian group.

Proposition 5.26. Let $\mathbb{G}$ be an abelian group and $a_1$ and $a_2$ be two elements of respective order $n_1$ and $n_2$ such that $\gcd (n_1,n_2)=1.$ Then the order of $a_1{a}_2$ is $n_1{n}_2.$ More generally, if $a_1,\dots ,a_r$ are $r$ group elements of respective orders $n_1,\dots ,n_r$ such that $\gcd (n_1,\dots ,n_r)=1,$ then the order of $a_1\cdots a_r$ is $n_1\cdots n_r.$

Proof

Let $n$ be the order of $a_1{a}_2.$ Since $(a_1{a}_2{)}^{n_1{n}_2}=(a_1^{n_1}{)}^{n_2}(a_2^{n_2}{)}^{n_1}=e,$ by Proposition 5.16, we have $n\mid n_1{n}_2.$

On the other hand, since $(a_1{a}_2{)}^n=e,$ one has $a_1^n=a_2^{-n}$ and hence $a_1^n\in ⟨a_2⟩.$ This implies that $(a_1^n{)}^{n_2}=a_1^{n{n}_2}=e,$ hence $n_1\mid n{n}_2.$ But since $\gcd (n_1,n_2)=1,$ $n_1\mid n.$ Symmetrically, one also has $n_2\mid n.$ Since $\gcd (n_1,n_2)=1,$ this implies $n_1{n}_2\mid n$ and hence $n=n_1{n}_2.$ The generalization can be proved by induction on $r.$

Proposition 5.27. Let $\mathbb{G}$ be an abelian group and $a_1$ and $a_2$ be two elements of respective order $n_1$ and $n_2.$ Then there exists an element of $\mathbb{G}$ of order $\mathrm{lcm}(n_1,n_2).$

Proof

Let $p_1^{r_1}\cdots p_t^{r_t}$ be the prime factor decomposition of $\mathrm{lcm}(n_1,n_2).$ For each $i\in \{1,\dots ,t\},$ $p_i^{r_i}$ divides either $n_1$ or $n_2.$ Say it divides $n_1$ (the reasoning is similar if it divides $n_2).$ Then, by Proposition 5.17, $a_1^{n_1/p_i^{r_i}}$ has order $n_1/\gcd (n_1,n_1/p_i^{r_i})=p_i^{r_i}.$ Hence, for each $i\in \{1,\dots ,t\},$ there exists an element $b_i$ of order $p_i^{r_i}.$ By Proposition 5.26, $b_1\cdots b_r$ has order $p_1^{r_1}\cdots p_t^{r_t}=\mathrm{lcm}(n_1,n_2).$

Proposition 5.28. Let $\mathbb{G}$ be an abelian group of finite exponent $m.$ Then there exists an element of $\mathbb{G}$ of order $m.$

Proof

By Proposition 5.16, the order of any group element divides $m.$ In particular, all group elements have order at most $m$ and hence there exists a group element of maximal order $m^{\prime }\le m.$ Assume towards a contradiction that $m^{\prime }<m.$ If the order of every group element divides $m^{\prime },$ then for every $a\in \mathbb{G},$ $a^{m^{\prime }}=e,$ contradicting the minimality of $m.$ Otherwise, assume that there is a group element of order $m^{\prime \prime }$ which does not divide $m^{\prime }.$ Then, by Proposition 5.27, there exists an element of order $\mathrm{lcm}(m^{\prime },m^{\prime \prime })>m^{\prime }$ contradicting the maximality of $m^{\prime }.$ Hence, it must be that $m=m^{\prime },$ which concludes the proof.

As a direct corollary, we have that a finite abelian group is cyclic if and only if its order is equal to its exponent.

Structure Theorem for Finite Abelian Groups

This section presents the fundamental theorem of finite abelian groups, sometimes called Kronecker theorem. As we will see, finite abelian groups can be "decomposed" in two ways. The equivalence between these two decompositions relies on the following theorem.

Theorem 5.5 (Chinese Remainder Theorem for Groups). Let $n_1$ and $n_2$ be two positive integers. Then $${\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}\cong {\mathbb{Z}}_{n_1{n}_2}⟺\gcd (n_1,n_2)=1.$$

Proof

Assume that $\gcd (n_1,n_2)=1.$ Consider the mapping $f:\mathbb{Z}\to {\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}$ defined by $f(z)=(z\mathrm{mod}{n}_1,z\mathrm{mod}{n}_2).$ One can easily check that $f$ is a group homomorphism. Moreover, $z\in \ker (f)\iff (n_1\mid z)\wedge (n_2\mid z)\iff n_1{n}_2\mid z,$ where the last equivalence follows from $\gcd (n_1,n_2)=1.$ Hence, $\ker (f)=n_1{n}_2\mathbb{Z}.$ By the First Isomorphism Theorem, ${\mathbb{Z}}_{n_1{n}_2}\cong \mathbb{Z}/n_1{n}_2\mathbb{Z}$ is isomorphic to $\mathrm{im}(f).$ In particular, $\left|\mathrm{im}(f)\right|=\left|{\mathbb{Z}}_{n_1{n}_2}\right|=n_1{n}_2=\left|{\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}\right|,$ hence $\mathrm{im}(f)={\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}.$ Thus, ${\mathbb{Z}}_{n_1{n}_2}\cong {\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}.$

Conversely, assume that $\gcd (n_1,n_2)=d>1.$ By Proposition 5.22, ${\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}$ is not cyclic. As ${\mathbb{Z}}_{n_1{n}_2}$ is cyclic, these two groups cannot be isomorphic.

Theorem 5.6 (Fundamental Theorem of Finite Abelian Groups). Let $\mathbb{G}$ be a non-trivial finite abelian group. Then:

• (primary decomposition): $\mathbb{G}$ is isomorphic to a direct product of cyclic groups $${\mathbb{Z}}_{p_1^{r_1}}\times \cdots \times {\mathbb{Z}}_{p_t^{r_t}},$$ where the $p_i$'s are (not necessarily distinct) primes and the $r_i$'s are positive integers. This decomposition is unique up to the order of factors. The prime powers $p_1^{r_1},\dots ,p_t^{r_t}$ are called the elementary divisors of $\mathbb{G}.$
• (invariant factor decomposition): $\mathbb{G}$ is isomorphic to a direct product of cyclic groups $${\mathbb{Z}}_{n_1}\times \cdots \times {\mathbb{Z}}_{n_{\ell }},$$ where the $n_i$'s are positive integers such that for $i=1,\dots ,\ell -1,$ $n_i\mid n_{i+1}.$ This decomposition is unique and $n_{\ell }$ is the exponent of the group. The integers $n_1,\dots ,n_{\ell }$ are called the invariant factors of $\mathbb{G}.$

Proof

TODO

Consider for example ${\mathbb{Z}}_6\times {\mathbb{Z}}_{15}.$ What are the primary and invariant factor decompositions of this group? By the Chinese remainder theorem, we have $$\begin{array}{rl}{\mathbb{Z}}_6\times {\mathbb{Z}}_{15}& ={\mathbb{Z}}_{2\times 3}\times {\mathbb{Z}}_{3\times 5}\\ & \cong {\mathbb{Z}}_2\times {\mathbb{Z}}_3\times {\mathbb{Z}}_3\times {\mathbb{Z}}_5\\ & \cong {\mathbb{Z}}_3\times {\mathbb{Z}}_{30}.\end{array}$$ The penultimate form is the primary decomposition, while the last form is the invariant factor decomposition.

The smallest abelian non-cyclic group is ${\mathbb{Z}}_2\times {\mathbb{Z}}_2$ of order 4, usually called the Klein group.

Proposition 5.29. A finite abelian group is cyclic if and only if $\ell =1$ in its invariant factor decomposition.

For an integer $n,$ one may ask how many different abelian groups of order $n$ there are, up to isomorphism. Let $\pi$ denote the partition function defined as follows: for an integer $n,$ $\pi (n)$ is the number of distinct ways of writing $n$ as a sum of positive integers, where the order of these integers does not matter. For example, $\pi (3)=3$ since $3$ has $3$ partitions: $1+1+1,$ $1+2,$ and $3.$

Proposition 5.30 (Number of Finite Abelian Groups of Fixed Order). Let $n\ge 1$ be an integer and let its decomposition in prime factors be $n=p_1^{r_1}\cdots p_k^{r_k}.$ Then the number of abelian groups of order $n,$ up to isomorphism, is $$\pi (r_1)\cdots \pi (r_k),$$ where $\pi$ is the partition function. In particular, there is a unique abelian group of order $n$ up to isomorphism (namely ${\mathbb{Z}}_n)$ if and only if $n$ is square-free, i.e., $r_1=\cdots =r_k=1.$

For example, there is a unique (up to isomorphism) abelian group of order $15=3\times 5,$ namely ${\mathbb{Z}}_3\times {\mathbb{Z}}_5\cong {\mathbb{Z}}_{15}$ (primary/invariant factor decomposition). On the other hand, there are two (up to isomorphism) abelian groups of order $12=2^2\times 3,$ namely ${\mathbb{Z}}_4\times {\mathbb{Z}}_3\cong {\mathbb{Z}}_{12}$ and ${\mathbb{Z}}_2\times {\mathbb{Z}}_2\times {\mathbb{Z}}_3\cong {\mathbb{Z}}_2\times {\mathbb{Z}}_6.$

Structure Theorem for Finitely Generated Abelian Groups

We now consider abelian groups which are finitely generated (but not necessarily of finite order).

Let $\mathbb{G}$ be an abelian group. For $n\in {\mathbb{N}}^{\ast },$ an element $a\in \mathbb{G}$ is said to be an $n$-torsion element if $a^n=e$ (or equivalently, if $a$ has finite order $k$ dividing $n).$ An element $a\in \mathbb{G}$ is said to be a torsion element if it has finite order.

Proposition 5.31. Let $\mathbb{G}$ be an abelian group. Then the set of all $n$-torsion elements of $\mathbb{G},$ denoted $\mathbb{G}[n],$ is a subgroup called the $n$-torsion subgroup of $\mathbb{G}$ and the set of all torsion elements of $\mathbb{G},$ denoted ${\mathbb{G}}_T,$ is a subgroup called the torsion subgroup of $\mathbb{G}.$

Proof

First, $e$ is clearly an $n$-torsion element. Let $a$ and $b$ be two $n$-torsion elements. Then $(a{b}^{-1}{)}^n=a^n(b^n{)}^{-1}=e{e}^{-1}=e,$ hence $a{b}^{-1}$ is an $n$-torsion element. Hence $\mathbb{G}[n]$ is a subgroup of $\mathbb{G}$ by Proposition 5.5.

Similarly, $e$ is a torsion element. Let $a$ and $b$ be two torsion elements of order respectively $k$ and $\ell .$ Then $(a{b}^{-1}{)}^{k\ell }=a^{k\ell }(b^{\ell k}{)}^{-1}=e^{\ell }(e^k{)}^{-1}=e.$ Hence $a{b}^{-1}$ has finite order, i.e., it is a torsion element. Hence ${\mathbb{G}}_T$ is a subgroup of $\mathbb{G}.$

If $\mathbb{G}={\mathbb{G}}_T$ then $\mathbb{G}$ is called a torsion group (or periodic group). If $\mathbb{G}=\{0\}$ then $\mathbb{G}$ is said torsion-free.

Theorem 5.7 (Fundamental Theorem of Finitely Generated Abelian Groups). Let $\mathbb{G}$ be a finitely generated abelian group. Let ${\mathbb{G}}_T$ be the torsion subgroup of $\mathbb{G}.$ Then ${\mathbb{G}}_T$ is finite and abelian and there exists a free abelian subgroup $\mathbb{F}$ such that $\mathbb{G}=\mathbb{F}\times {\mathbb{G}}_T.$ In particular, there exists an integer $r\in \mathbb{N}$ (called the free rank or simply rank of $\mathbb{G})$ and integers $n_1,\dots ,n_{\ell }$ with $n_1\mid \cdots \mid n_{\ell }$ such that $$\mathbb{G}\cong {\mathbb{Z}}^r\times {\mathbb{Z}}_{n_1}\times \cdots \times {\mathbb{Z}}_{n_{\ell }}.$$ Integers $r$ and $n_1,\dots ,n_{\ell }$ are unique.

Proof

TODO

---

1: While the direct sum is the same as the direct product for a finite number of groups, this is not the case for a infinite number of groups. See this StackExchange question.

2: Sometimes cyclic is used for groups which are both monogenous and finite, which makes sense since for an infinite monogenous group such as $\mathbb{Z}$ one never "cycles back" when computing $g,g^2,\dots$

Chapter status:   👷   in progress   👷

TODO:

Polynomials

In this chapter, we cover general results about polynomials with coefficients in a ring.

We recall some abbreviations from the chapter about rings:

• UCR stands for unitary commutative ring,
• PID stands for principal ideal domain,
• UFD stands for unique factorization domain.

Contents

• Generalities
• Divisibility in Polynomial Rings
• Ring vs. Polynomial Ring: Summary
• Polynomial Evaluation and Roots
• Lagrange Interpolation
  • Generalized Polynomial Remainder Theorem
  • Computational Aspects
    • The Barycentric Formula
    • The Special Case of Roots of Unity
  • Applications

Generalities

Let $\mathbb{A}$ be a ring. A (univariate) polynomial with coefficients in $\mathbb{A}$ is an infinite sequence $(a_i{)}_{i\in \mathbb{N}}$ such that $a_i=0$ for all but a finite number of indices $i.$ Polynomials are traditionally denoted $$p(X)=a_0+a_{1}X+a_2{X}^2+\cdots =\sum _{i=0}^{\infty }{a}_i{X}^i$$ where $X$ is a symbol called indeterminate.

The set of all univariate polynomials over $\mathbb{A}$ is denoted $\mathbb{A}[X]:$ $$\mathbb{A}[X]:=\left\{\sum _{i=0}^{\infty }{a}_i{X}^i:a_i\in \mathbb{A},\exists N\in \mathbb{N},\forall i\ge N,a_i=0\right\}.$$

Polynomials can be added: $$\sum _{i=0}^{\infty }{a}_i{X}^i+\sum _{i=0}^{\infty }{b}_i{X}^i=\sum _{i=0}^{\infty }(a_i+b_i)X^i.$$

Polynomials can also be multiplied: $$\sum _{i=0}^{\infty }{a}_i{X}^i\cdot \sum _{j=0}^{\infty }{b}_j{X}^j=\sum _{k=0}^{\infty }{c}_k{X}^k\text{with}{c}_k=\sum _{i+j=k}{a}_i{b}_j.$$

Proposition 7.1. Let $\mathbb{A}$ be a ring. Then $\mathbb{A}[X]$ equipped with operations $+$ and $\cdot$ as defined above is a ring. If $\mathbb{A}$ is commutative, then so is $\mathbb{A}[X]$ and if $\mathbb{A}$ has a unity 1, then the constant polynomial $p(X)=1$ is the unity of $\mathbb{A}[X].$

The set $\mathbb{A}[X]$ is called the polynomial ring in $X$ over $\mathbb{A}.$ If we embed $\mathbb{A}$ into $\mathbb{A}[X]$ by identifying $a\in \mathbb{A}$ with the constant polynomial $p(X)=a,$ then $\mathbb{A}$ is a subring of $\mathbb{A}[X].$

The degree of a polynomial $p(X)$ is the largest power of $X$ occurring in $p(X)$ with a non-zero coefficient, with the convention that polynomial $0$ has degree $-\infty .$ Hence, $p(X)={\sum }_{i=0}^n{a}_i{X}^i$ has degree $n$ provided $a_n\ne 0.$ We let $\mathrm{deg}(p)$ denote the degree of a polynomial $p$ and ${\mathbb{A}}^{\le n}[X]$ denote the set of polynomials over $\mathbb{A}$ of degree at most $n.$ The leading term of $p(X)$ is its highest degree term $a_n{X}^n$ and the leading coefficient is $a_n.$ If the leading coefficient is 1 then the polynomial is said to be monic.

We will often drop the indeterminate from the notation, simply writing "polynomial $p$", keeping it mostly when writing the polynomial coefficients explicitly as in $p(X)={\sum }_{i=0}^n{a}_i{X}^i.$

Proposition 7.2. Let $\mathbb{A}$ be a ring and let $p$ and $q$ be two polynomials in $\mathbb{A}[X].$ Then $$\begin{array}{rl}& \mathrm{deg}(p+q)\le \max \left\{\mathrm{deg}(p),\mathrm{deg}(q)\right\}\\ & \mathrm{deg}(pq)\le \mathrm{deg}(p)+\mathrm{deg}(q).\end{array}$$ Moreover, if the leading coefficient of either $p$ or $q$ is not a zero divisor, then $$\mathrm{deg}(pq)=\mathrm{deg}(p)+\mathrm{deg}(q).$$

Proof

The first two inequalities follow straightforwardly from the definition of addition and multiplication in $\mathbb{A}[X].$ For the last part of the proposition, assume that $p$ has leading term $a{X}^n$ and $q$ has leading term $b{X}^m$ with $a\ne 0$ and $b\ne 0.$ Then $pq$ has leading term $ab{X}^{n+m}$ with $ab\ne 0$ as otherwise $a$ and $b$ would be zero divisors. Hence, $\mathrm{deg}(pq)=n+m=\mathrm{deg}(p)+\mathrm{deg}(q).$

On the other hand, when $\mathbb{A}$ has zero divisors, then one might have $\mathrm{deg}(pq)<\mathrm{deg}(p)+\mathrm{deg}(q)$ if the leading terms of $p$ and $q$ are $a{X}^n$ and $b{X}^m$ with $ab=0.$

When the coefficients are in an integral domain, we have additional properties.

Proposition 7.3. Let $\mathbb{D}$ be an integral domain. Then

• $\mathbb{D}[X]$ is an integral domain;
• for any polynomials $p,q\in \mathbb{D}[X],$ $\mathrm{deg}(pq)=\mathrm{deg}(p)+\mathrm{deg}(q);$
• the units of $\mathbb{D}[X]$ are the constant polynomials $p(X)=u$ for $u\in {\mathbb{D}}^{\ast }.$

Proof

Let $p$ and $q$ be two non-zero polynomials in $\mathbb{D}[X].$ If $p$ has leading term $a{X}^n$ and $q$ has leading term $b{X}^m$ with $a\ne 0$ and $b\ne 0,$ then $pq$ has leading term $ab{X}^{n+m}$ with $ab\ne 0$ since $\mathbb{D}$ is an integral domain. Hence, $pq$ is not the zero polynomial. This also shows that $\mathrm{deg}(pq)=\mathrm{deg}(p)+\mathrm{deg}(q).$ Clearly, for any unit $u\in {\mathbb{D}}^{\ast },$ the constant polynomial $p(X)=u$ is a unit with inverse the constant polynomial $u^{-1}.$ Conversely, if polynomials $p$ and $q$ are such that $pq=1,$ then (by the second point) necessarily $\mathrm{deg}(p)=\mathrm{deg}(q)=0,$ i.e., $p$ and $q$ are constant polynomials, and by definition these constants are units of $\mathbb{D}.$

Divisibility in Polynomial Rings

All definitions regarding divisibility that we gave for general rings apply to polynomial rings. We restate these definitions here for convenience.

Let $\mathbb{A}$ be a UCR. Given two polynomials $a$ and $b$ in $\mathbb{A}[X],$ we say that $b$ divides $a,$ or that $b$ is a factor of $a,$ or that $a$ is a multiple of $b,$ denoted $b\mid a,$ if there exists a polynomial $q\in \mathbb{A}[X]$ such that $a=qb.$

Proposition 7.4. Let $\mathbb{A}$ be a UCR and $a\in \mathbb{A}[X]$ be a non-zero polynomial. Then for every $b\in \mathbb{D}[X]$ such that the leading coefficient of $b$ is not a zero divisor, $$b\mid a\Rightarrow \mathrm{deg}(b)\le \mathrm{deg}(a).$$ In particular, this always holds when $\mathbb{A}$ is an integral domain.

Proof

Let $b$ be a polynomial dividing $a.$ By definition, there exists $q\in \mathbb{A}[X]$ such that $a=qb.$ Since the leading coefficient of $b$ is not a zero divisor, by Proposition 7.2, $$\mathrm{deg}(a)=\mathrm{deg}(q)+\mathrm{deg}(b).$$ Note that $q$ cannot be the zero polynomial as this would imply $a=0,$ hence $\mathrm{deg}(q)\ge 0$ and thus $\mathrm{deg}(a)\ge \mathrm{deg}(b).$

It is easy to see that this proposition does not hold when the leading coefficient of $b$ is a zero divisor: for example, over ${\mathbb{Z}}_4,$ $$(2X^2+1)(2X^2+1)=1$$ and hence $2X^2+1\mid 1.$

Two polynomials $a$ and $b$ are said to be associates if $a\mid b$ and $b\mid a.$ By [??], over an integral domain $\mathbb{D},$ $a,b\in \mathbb{D}[X]$ are associates if and only if there exists $u\in {\mathbb{D}}^{\ast }$ such that $a(X)=ub(X).$

In general, $\mathbb{A}[X]$ might not be Euclidean (as we will see shortly, this holds if and only if $\mathbb{A}$ is a field). However, one can perform division with remainder for polynomials as soon as the leading coefficient of the divisor is a unit.

Proposition 7.5. Let $\mathbb{A}$ be a UCR. Then for every polynomials $a,b\in \mathbb{A}[X]$ such that the leading coefficient of $b$ is in ${\mathbb{A}}^{\ast }$ (i.e., a unit), there exists unique polynomials $q$ and $r$ such that $a=bq+r$ and $\mathrm{deg}(r)<\mathrm{deg}(b).$

Proof

Consider the set of all polynomials of the form $a-cb$ for $c\in \mathbb{A}[X]:$ $$S:=\{a-cb\mid c\in \mathbb{A}[X]\}.$$ Let $r$ be a polynomial of minimal degree in $S$ and $q$ be such that $r=a-qb.$ Let us show that $\mathrm{deg}(r)<\mathrm{deg}(b).$ Indeed, assume that this does not hold. Let $u{X}^n$ and $v{X}^m$ be the leading terms of $b$ and $r$ respectively, with $m\ge n$ and $u\in {\mathbb{A}}^{\ast }.$ Consider the polynomial $r^{\prime }$ defined as $$r^{\prime }(X):=r(X)-v{u}^{-1}{X}^{m-n}b(X).$$ Then $r^{\prime }\in S.$ Since the leading terms of $r(X)$ and $v{u}^{-1}{X}^{m-n}b(X)$ are both $v{X}^m,$ they cancel and the leading term of $r^{\prime }$ has degree at most $m-1,$ so that $\mathrm{deg}(r^{\prime })<\mathrm{deg}(r),$ contradicting the assumption that $r$ has minimal degree in $S.$ Hence, $\mathrm{deg}(r)<\mathrm{deg}(b),$ which proves existence of a suitable pair $(q,r).$

Let us show uniqueness. Assume that there exists two pairs of polynomials $(q,r)\ne (q^{\prime },r^{\prime })$ such that $a=qb+r,$ $a=q^{\prime }b+r^{\prime },$ $\mathrm{deg}(r)<\mathrm{deg}(b),$ and $\mathrm{deg}(r^{\prime })<\mathrm{deg}(b).$ Then $$(q-q^{\prime })b=r^{\prime }-r.$$ Assume that $q\ne q^{\prime }.$ Note that the leading coefficient of $b$ is a unit and hence, by [??], is not a zero divisor. Hence, by Proposition 7.2, $$\mathrm{deg}(r^{\prime }-r)=\mathrm{deg}((q-q^{\prime })b)=\mathrm{deg}(q-q^{\prime })+\mathrm{deg}(b)\ge \mathrm{deg}(b),$$ where the last inequality holds because $q-q^{\prime }\ne 0.$ On the other hand, by Proposition 7.2, $$\mathrm{deg}(r-r^{\prime })\le \max \{\mathrm{deg}(r),\mathrm{deg}(r^{\prime })\}<\mathrm{deg}(b).$$ This is a contradiction and hence we must have $q=q^{\prime }$ and hence $r=r^{\prime },$ proving uniqueness.

Ring vs. Polynomial Ring: Summary

Polynomial Evaluation and Roots

Let $\mathbb{A}$ be a commutative ring. Given a polynomial $p(X)={\sum }_i{a}_i{X}^i$ in $\mathbb{A}[X]$ and an element $u\in \mathbb{A},$ the evaluation of $p(X)$ at $u,$ written $p(u),$ is ${\sum }_i{a}_i{u}^i.$ The function from $\mathbb{A}$ to $\mathbb{A}$ mapping $u$ to $p(u)$ is called the polynomial function associated with $p.$

In general, there is not a one-to-one correspondence between polynomials and polynomial functions. For example, over a finite commutative ring $\mathbb{A}=\{x_1,\dots ,x_n\},$ the polynomial $$p(X)=(X-x_1)\cdots (X-x_n)$$ evaluates to 0 at every element $x_i\in \mathbb{A}$ but $p$ is clearly different from the constant polynomial 0. Hence, this gives an example where two different polynomials yield the same polynomial function.

As wee will see below, if $\mathbb{A}$ is an infinite integral domain, though, there is a one-to-one correspondence between polynomials and polynomial functions.

We say that $u$ is a root of $p(X)$ if $p(u)=0.$ The following result gives an important sufficient and necessary condition for a ring element to be a root of a polynomial.

Theorem 7.1 (factor theorem). Let $\mathbb{A}$ be a UCR, $p\in \mathbb{A}[X]$ be a polynomial and $u\in \mathbb{A}$ be a ring element. Then $u$ is a root of $p(X)$ if and only if $X-u$ divides $p(X).$

The factor theorem is actually a special case of the following result.

Theorem 7.2 (polynomial remainder theorem). Let $\mathbb{A}$ be a UCR, $p\in \mathbb{A}[X]$ be a polynomial and $u,v\in \mathbb{A}$ be ring elements. Then $p(u)=v$ if and only if $X-u$ divides $p(X)-v.$

Proof

Assume that $X-u$ divides $p(X)-v.$ Then there exists $q\in \mathbb{A}[X]$ such that $$p(X)-v=q(X)(X-u).$$ Evaluating the two sides of this equality at $u$ yields $p(u)-v=0,$ i.e., $p(u)=v.$

Conversely, assume that $p(u)=v.$ Since the leading coefficient of $X-u$ is a unit, by Proposition 7.5, there exists polynomials $q$ and $r$ such that $$p(X)=(X-u)q(X)+r(X)$$ where $$\mathrm{deg}(r)<\mathrm{deg}(X-u)=1.$$ Hence, the polynomial $r$ must be a constant. Evaluating the polynomial equality at $u,$ we obtain that $r=p(u).$ Hence, $p(X)-v=(X-u)q(X),$ which exactly means that $X-u$ divides $p(X)-v.$

Note that the statement "$X-u$ divides $p(X)-v$" is equivalent to the statement "$v$ is the remainder of the division of $p(X)$ by $X-u$", hence the name of the theorem.

The factor theorem (which holds over any UCR) generalizes to multiple roots naturally, however only over integral domains. (We will see how the polynomial remainder theorem generalizes to multiple evaluations in a moment.)

Theorem 7.3 (generalized factor theorem). Let $\mathbb{D}$ be an integral domain, $p\in \mathbb{D}[X]$ be a polynomial, and $u_1,\dots ,u_n\in \mathbb{D}$ be $n$ distinct ring elements. Then $u_1,\dots ,u_n$ are roots of $p$ if and only if ${\prod }_{i=1}^n(X-u_i)$ divides $p.$

Proof

Assume that ${\prod }_{i=1}^n(X-u_i)$ divides $p.$ Then there exists $q\in \mathbb{D}[X]$ such that $$p(X)=q(X)\prod _{i=1}^n(X-u_i)$$ which implies that $p(u_1)=\cdots =p(u_n)=0.$

We will prove the converse by induction on $n.$ The case $n=1$ is simply the factor theorem. Assume that the implication holds for $n-1$ and let us prove that it holds for $n.$ Let $p\in \mathbb{D}[X]$ and $u_1,\dots ,u_n$ be distinct roots of $p.$ Since $u_n$ is in particular a root of $p,$ by the factor theorem, there exists $q\in \mathbb{D}[X]$ such that $$p(X)=(X-u_n)q(X).$$ Moreover, for every $i\in \{1,\dots ,n-1\},$ $$p(u_i)=(u_i-u_n)q(u_i)=0,$$ which implies that $q(u_i)=0$ since $u_i$ and $u_n$ are distinct and $\mathbb{D}$ has no zero divisors. Hence, $u_1,\dots ,u_{n-1}$ are roots of $q,$ which by the induction hypothesis implies that ${\prod }_{i=1}^{n-1}(X-u_i)$ divides $q.$ Since $p(X)=(X-u_n)q(X),$ ${\prod }_{i=1}^n(X-u_i)$ divides $p.$

This has an important consequence regarding the maximal number of roots of a polynomial.

Proposition 7.6. Let $\mathbb{D}$ be an integral domain and let $p\in \mathbb{D}[X]$ be a non-zero polynomial of degree $d.$ Then $p$ has at most $d$ distinct roots in $\mathbb{D}.$

Proof

This follows easily from the generalized factor theorem. Indeed, assume that $p$ has degree $d$ and has $n>d$ roots. Let $u_1,\dots ,u_n$ denote the roots of $p.$ Then ${\prod }_{i=1}^n(X-u_i)$ divides $p,$ a contradiction with Proposition 7.4 as a polynomial of degree $n$ cannot divide a non-zero polynomial of degree $d<n.$

Let us prove the proposition directly by induction on $d.$ The result clearly holds for $d=0.$ Let $d\ge 1$ and assume that the result holds for degree $0,\dots ,d-1.$ Let $p\in \mathbb{D}[X]$ be a polynomial of degree $d.$ If $p$ has no root then the result holds again. Otherwise, assume that $p$ has a root $u\in \mathbb{D}.$ Then, by the factor theorem, $p(X)=(X-u)q(X)$ for some polynomial $q,$ where, by Proposition 7.3, $q$ has degree $d-1.$ If $u^{\prime }$ is a root of $p$ distinct from $u,$ then $(u^{\prime }-u)q(u^{\prime })=0$ which implies that $q(u^{\prime })=0$ since $u^{\prime }-u\ne 0$ and $\mathbb{D}$ has no zero divisors. Since $q$ has at most $d-1$ distinct roots by the induction hypothesis, $p$ has at most $d$ distinct roots.

This proposition allows us to reconsider the relation between polynomials and polynomial functions.

Proposition 7.7. Let $\mathbb{D}$ be an integral domain and $p\in \mathbb{D}[X]$ be a polynomial such that for every $u\in \mathbb{D},$ $p(u)=0.$ If $\mathbb{D}$ is infinite, then $p$ is the zero polynomial.

Proof

Assume that $p$ is not the zero polynomial and let $d$ be the degree of $p.$ Then, by Proposition 7.6, $p$ has at most $d$ distinct roots in $\mathbb{D},$ a contradiction with the assumption that $p(u)=0$ for every $u\in \mathbb{D}$ since $\mathbb{D}$ is infinite. Hence, $p$ must be the zero polynomial.

Hence, over an infinite integral domain, if $p$ and $q$ are two polynomials such that $p(x)=q(x)$ for every $x\in \mathbb{D},$ then $p=q.$ In other words, there is a one-to-one mapping between polynomials and polynomial functions. However, not every function from $\mathbb{D}$ to $\mathbb{D}$ is a polynomial function: for example, the function $f$ such that $f(0)=1$ and $f(u)=0$ for $u\ne 0$ is not a polynomial since it has infinitely many roots yet it cannot be the function corresponding to the zero polynomial.

We can in fact be more precise with the following proposition.

Proposition 7.8. Let $\mathbb{D}$ be an integral domain. Let $\Phi :\mathbb{D}[X]\to \mathcal{F}(\mathbb{D})$ be the ring homomorphism mapping a polynomial to the corresponding polynomial function. Then:

1. If $\mathbb{D}$ is finite, then $\Phi$ is surjective but not injective.
2. If $\mathbb{D}$ is infinite, then $\Phi$ is injective but not surjective.

Remark 7.1. Note that being infinite and being an integral domain are two necessary conditions. Over infinite rings with zero divisors, a non-zero polynomial may evaluate to zero over the entire ring. See here.

Lagrange Interpolation

In all the following, a set $\mathcal{U}=\{u_1,\dots ,u_n\}$ of $n$ distinct field elements $u_i\in \mathbb{F}$ will be called an evaluation domain (or simply domain) of size $n.$

Theorem 7.4 (Lagrange interpolation theorem). Let $\mathbb{F}$ be a finite field and let $$\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}\subset {\mathbb{F}}^2$$ be a set of $n$ pairs of field elements such that $u_i\ne u_j$ for $i\ne j.$ Then there is a unique polynomial $\ell (X)\in {\mathbb{F}}_{}^{(\le n-1)}[X],$ called the Lagrange interpolation polynomial for $\mathcal{E},$ such that $\ell (u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$

Proof

Uniqueness is proved as follows: assume there exists two polynomials $p(X)$ and $q(X)$ interpolating the $n$ points. Then the polynomial $p(X)-q(X)$ has $n$ roots but has degree at most $n-1,$ hence by Proposition 7.6 it must be the zero polynomial, which implies that $p(X)=q(X).$

To establish existence, one introduces the Lagrange basis associated with the domain $\mathcal{U}=\{u_1,\dots ,u_n\}.$ This is the tuple of polynomials $({\ell }_1(X),\dots ,{\ell }_n(X))$ of degree $n-1$ defined as $${\ell }_j(X):=\prod _{\begin{array}{c}1\le k\le n\\ k\ne j\end{array}}\frac{X-u_k}{u_j-u_k}.$$ One can easily check that $${\ell }_j(u_i)=\{\begin{array}{ll}0& \text{if }i\ne j\\ 1& \text{if }i=j.\end{array}$$ Then the Lagrange interpolating polynomial for $\{(u_1,v_1),\dots ,(u_n,v_n)\}$ is given by $$\ell (X):=\sum _{j=1}^n{v}_j{\ell }_j(X).$$ This polynomial has degree at most $n-1$ and it is easy to see that $\ell (u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$

Note that the Lagrange basis $({\ell }_1(X),\dots ,{\ell }_n(X))$ associated with any domain $\mathcal{U}=\{u_1,\dots ,u_n\}$ is indeed a basis for the $\mathbb{F}$-vector space ${\mathbb{F}}_{}^{(\le n-1)}[X]$ in the linear algebra sense. The coordinates of a polynomial $p\in {\mathbb{F}}_{}^{(\le n-1)}[X]$ in this basis are $(p(u_1),\dots ,p(u_n)).$

A polynomial specified by a tuple $(a_0,\dots ,a_{n-1})$ such that $p(X)={\sum }_{i=0}^{n-1}{a}_i{X}^i$ is sometimes said to be in coefficients form, while when it is specified by the values $(v_1,\dots ,v_n)$ it takes over some domain $\mathcal{U}=\{u_1,\dots ,u_n\}$ it is said to be in evaluation form. This is merely a change of basis.

Another way to look at Lagrange interpolation is as follows. Considering the coefficients $a_0,\dots ,a_{n-1}$ of a polynomial $p(X)={\sum }_{j=0}^{n-1}{a}_j{X}^j$ of degree $n-1$ as unknowns, each evaluation $p(u_i)=v_i,$ $i\in \{1,\dots ,n\}$ yields a linear equation $$\sum _{j=0}^{n-1}{u}_i^j{a}_j=v_i.$$ In matrix form, this yields $$\left(\begin{array}{ccccc}1& u_1& u_1^2& \cdots & u_1^{n-1}\\ 1& u_2& u_2^2& \cdots & u_2^{n-1}\\ & & ⋮& & \\ 1& u_n& u_n^2& \cdots & u_n^{n-1}\end{array}\right)\cdot \left(\begin{array}{c}{a}_0\\ a_1\\ ⋮\\ a_{n-1}\end{array}\right)=\left(\begin{array}{c}{v}_1\\ v_2\\ ⋮\\ v_n\end{array}\right)\text{\hspace{1em}(7.1)}$$ The matrix on the left-hand side is called a Vandermonde matrix. It is invertible if and only if the $u_i$'s are distinct, which gives another way to see that there is a unique polynomial of degree at most $n-1$ such that $p(u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$

Generalized Polynomial Remainder Theorem

Lagrange interpolation allows us to formulate a generalization of the polynomial remainder theorem. Given an evaluation domain $\mathcal{U}=\{u_1,\dots ,u_n\},$ the vanishing polynomial over $\mathcal{U},$ denoted $z_{\mathcal{U}}(X),$ is the polynomial defined by $$z_{\mathcal{U}}(X):=\prod _{i=1}^n(X-u_i).$$ It is such that $z_{\mathcal{U}}(u)=0$ for every $u\in \mathcal{U},$ but it is not the Lagrange interpolation polynomial for $\{(u_1,0),\dots ,(u_n,0)\}$ since it has degree $n$ (the Lagrange interpolation polynomial for $\{(u_1,0),\dots ,(u_n,0)\}$ is actually the zero polynomial).

Theorem 7.5 (generalized polynomial remainder theorem). Let $p\in \mathbb{F}[X]$ be a polynomial, $n\in \{1,\dots ,\mathrm{deg}(p)\}$ be an integer, $u_1,\dots ,u_n\in \mathbb{F}$ be $n$ distinct field elements, and $v_1,\dots ,v_n\in \mathbb{F}$ be $n$ field elements (not necessarily distinct). Let $z(X)$ be the vanishing polynomial for $\{u_1,\dots ,u_n\}$ and $\ell (X)$ be the Lagrange interpolation polynomial for $\{(u_1,v_1),\dots ,(u_n,v_n)\}.$ Then $p(u_i)=v_i$ for every $i\in \{1,\dots ,n\}$ if and only if $z(X)$ divides $p(X)-\ell (X),$ or equivalently if and only if $\ell (X)$ is the remainder of the division of $p(X)$ by $z(X).$

Proof

Assume that $z(X)$ divides $p(X)-\ell (X),$ i.e., there exists $q\in \mathbb{F}[X]$ such that $p(X)=q(X)z(X)+\ell (X).$ Evaluating this equality at $u_i$ and using $z(u_i)=0$ and $\ell (u_i)=v_i$ implies that $p(u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$

Conversely, assume that $p(u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$ Since $\mathbb{F}[X]$ is Euclidean, there exists polynomials $q(X)$ and $r(X)$ such that $p(X)=q(X)z(X)+r(X)$ with $\mathrm{deg}(r)<\mathrm{deg}(z)=n.$ Evaluating this equality at $u_i,$ $i\in \{1,\dots ,n\},$ yields $r(u_i)=p(u_i)=v_i.$ Since $\mathrm{deg}(r)<n,$ $r$ is necessarily the Lagrange interpolation polynomial for $\{(u_1,v_1),\dots ,(u_n,v_n)\}.$

For $n=1,$ one exactly recovers the polynomial remainder theorem since for a single point $(u,v)$ the vanishing polynomial is $X-u$ and the Lagrange interpolation polynomial is simply the constant polynomial $\ell (X)=v.$

Computational Aspects

Newton's method and Neville's algorithm have quadratic complexity.

The Barycentric Formula

Assume we are given a set of $n$ evaluations $\mathcal{E}=\{(u_1,v_1),\dots (u_n,v_n)\}$ over domain $\mathcal{U}=\{u_1,\dots ,u_n\}.$ One can consider various task related to the Lagrange interpolation polynomial $\ell$ for $\mathcal{E}.$ One is to compute the coefficients $(a_0,\dots ,a_{n-1})$ of this polynomial. Another is to evaluate $\ell$ on a field element $u\notin \{u_1,\dots ,u_n\}.$

For the first task, one may be tempted to solve Eq. (7.1). However, this requires to invert a square matrix of size $n,$ which requires $O(n^3)$ field operations.

A very useful form for Lagrange interpolation is the so-called barycentric formula [BT04]. Let $z(X)$ be the vanishing polynomial for $\{u_1,\dots ,u_n\}$ and for $j\in \{1,\dots ,n\}$ let $w_j$ denote the barycentric weights defined as $$w_j:=\frac{1}{{\prod }_{\begin{array}{c}1\le k\le n\\ k\ne j\end{array}}(u_j-u_k)}.$$ Note that the formal derivative of $z(X)$ is $$z^{\prime }(X)=\sum _{i=1}^n\prod _{\begin{array}{c}1\le k\le n\\ k\ne i\end{array}}(X-u_k),$$ hence one also has $$w_j=\frac{1}{z^{\prime }(u_j)}.$$ Then the $j$-th polynomial of the Lagrange basis is $$\begin{array}{rl}{\ell }_j(X)& :=\prod _{\begin{array}{c}1\le k\le n\\ k\ne j\end{array}}\frac{X-u_k}{u_j-u_k}\\ & =w_j\frac{z(X)}{X-u_j}\end{array}$$ from which it follows that the Lagrange interpolation polynomial for $\mathcal{E}$ can be written as $$\ell (X)=z(X)\sum _{i=1}^n\frac{w_i{v}_i}{X-u_i}.$$ This is the barycentric Lagrange interpolation formula.

Based on this, here is how one can compute the coefficients of $\ell$ and evaluate $\ell$ on a point outside $\mathcal{U}$ in quasilinear time:

• compute the coefficients of $z(X)$ using a divide-and-conquer approach (see here)
• compute the coefficients of $z^{\prime }(X)$ from the ones of $z(X)$ (this requires $O(n)$ multiplications)
• compute $w_j=z^{\prime }(u_j),$ $j\in \{1,\dots ,n\},$ using multipoint evaluation

See also this.

Once this is done, computing $\ell (u)$ for $u\notin \mathcal{U}$ takes linear time using $$\ell (u)=z(u)\sum _{i=1}^n\frac{w_i{v}_i}{u-u_i}.$$

All in all, this yields an algorithm with complexity $O(n{\log }^{2}n)$ field operations.

The Special Case of Roots of Unity

The most favorable case from a computational point of view is when $\mathcal{U}$ is the subgroup of ${\mathbb{F}}^{\ast }$ consisting of $n$-th roots of unity. Then the vanishing polynomial takes a very simple form, namely $$z(X)=X^n-1.$$ Its formal derivative is simply $$z^{\prime }(X)=n{X}^{n-1}.$$

Applications

An important application of Lagrange interpolation is Shamir's secret sharing.

Chapter status: 👷 in progress 👷

TODO:

Elliptic Curves

Contents

• Generalities
• Affine versus Projective Coordinates
  • Projective Plan
  • Elliptic Curves in Projective Coordinates

Generalities

Let $\mathbb{F}$ be a field of characteristic $p>3.$¹ Let $a,b\in \mathbb{F}$ be two field elements such that $$4a^3+27b^2\ne 0.$$ An elliptic curve in short Weierstrass form over $\mathbb{F},$ denoted $E(\mathbb{F}),$ is the set of all pairs $(x,y)\in {\mathbb{F}}^2$ that satisfy the equation $$y^2=x^3+ax+b$$ together with a distinguished element denoted $\mathcal{O}$ called the point at infinity: $$E(\mathbb{F})=\{(x,y)\in {\mathbb{F}}^2\mid y^2=x^3+ax+b\}\cup \{\mathcal{O}\}.$$ This is the so-called affine representation of points of the elliptic curve. There is another family of representations called projective (more attractive from an algorithmic point of view) that we will discuss shortly.

Hasse's bound establishes that the number of points of $E(\mathbb{F}),$ called the order of $E(\mathbb{F}),$ is $$|E(\mathbb{F})|=|\mathbb{F}|+1-t$$ where $t$ is an integer (called the Frobenius trace or simply trace of the curve) satisfying $$|t|\le 2\sqrt{|\mathbb{F}|}.$$

It is possible to equip $E(\mathbb{F})$ with a commutative group law for which the point at infinity $\mathcal{O}$ is the identity element with the so-called chord-and-tangent rule. This group operation is denoted additively and called addition law. The inverse of a point $(x,y)\in E(\mathbb{F})\setminus \{\mathcal{O}\}$ is the point $(x,-y).$

From the addition law we can define scalar multiplication: for $m\in \mathbb{Z}$ and $P\in E(\mathbb{F}),$ the scalar multiplication of $P$ by $m,$ denoted $[m]P$ or $mP$ if there is no ambiguity, is given by $$[m]P:=\{\begin{array}{ll}\mathcal{O}& \text{if }m=0\\ \underset{m\text{ times}}{\underbrace{P+\cdots +P}}& \text{if }m>0\\ -([-m]P)& \text{if }m<0.\end{array}$$

The group structure of $E(\mathbb{F})$ is either cyclic or "almost" cyclic. Namely, a general theorem establishes that $E(\mathbb{F})$ has at most two invariant factors (see Theorem 5.6 for the definition of an invariant factor). In other words, $E(\mathbb{F})$ is isomorphic to either the cyclic group ${\mathbb{Z}}_n$ or a direct product of cyclic groups ${\mathbb{Z}}_{n_1}\times {\mathbb{Z}}_{n_2}$ with $n_1\mid n_2.$

Affine versus Projective Coordinates

Earlier we saw how to defined an elliptic curve using affine coordinates. This is not how elliptic curves are usually defined by mathematicians, who usually prefer to use projective geometry.

Projective Plan

Let $\mathbb{F}$ be a finite field of order $q$ and let ${\mathbb{F}}^{\ast }:=\mathbb{F}\setminus \{0\}.$ The projective plan over $\mathbb{F},$ denoted $P^2(\mathbb{F}),$ is the set of equivalence classes of ${\mathbb{F}}^3\setminus \{(0,0,0)\}$ where two tuples $(x,y,z)$ and $(x^{\prime },y^{\prime },z^{\prime })$ are equivalent, denoted $(x,y,z)\sim (x^{\prime },y^{\prime },z^{\prime }),$ if there is a scalar $k\in {\mathbb{F}}^{\ast }$ such that $$(x^{\prime },y^{\prime },z^{\prime })=(kx,ky,kz).$$ Such an equivalence class is called a projective point. A projective point contains $q-1$ tuples $(x,y,z)\in {\mathbb{F}}^3.$ The convention is to denote projective points with capital letters and colon separators, i.e., $(X:Y:Z)$ (or sometimes $[X:Y:Z])$ will denote the equivalence class $$\{(kX,kY,kZ)\mid k\in {\mathbb{F}}^{\ast }\}.$$

Equivalently, projective points can be seen as 1-dimensional subspaces ("lines") of the 3-dimensional vector space $V={\mathbb{F}}^3$ over $\mathbb{F}.$ How many projective points are there? There are $q^3-1$ non-zero vectors in ${\mathbb{F}}^3,$ but each of the $q-1$ non-zero vectors in a subspace generates this subspace, hence the total number of 1-dimensional subspaces is $$\frac{q^3-1}{q-1}=q^2+q+1.$$

Another way to count the number of projective points is as follows:

• there are $q^2$ projective points of the form $(X:Y:1),$ $X,Y\in \mathbb{F};$
• there are $q$ projective points of the form $(1:Y:0),$ $Y\in \mathbb{F};$
• there is one projective point of the form $(0:1:0).$

It is customary to identify the ordinary "affine" plane ${\mathbb{F}}^2=\{(x,y)\mid x,y\in \mathbb{F}\}$ with the first type of projective points, meaning there is an injective map from ${\mathbb{F}}^2$ to $P^2(\mathbb{F})$ given by $(x,y)\mapsto (x:y:1).$ The inverse of this map is $(X:Y:Z)\mapsto (X/Z,Y/Z).$

The $q+1$ points of the second and third types (sharing the property that $Z=0)$ are called "points at infinity" and form the so-called "line at infinity".

It is possible to define projective lines in a similar way to projective points: projective lines are 2-dimensional subspaces of ${\mathbb{F}}^3$ (with vector $(0,0,0)$ removed). There are also $q^2+q+1$ projective lines in $P^2(\mathbb{F}),$ which is quite natural since any 1-dimensional subspace of ${\mathbb{F}}^3$ defines a unique 2-dimensional subspace via its orthogonal complement. A projective point "lies on" a projective line if it is included (in the set-theoretical sense) in the projective line. From this definition, it follows that (i) given any two projective points, there is exactly one projective line containing both of them, and (ii) given any two projective lines, there is exactly one projective point lying on both of them (meaning there are no parallel lines). Properties (i) and (ii) are in fact the axiomatic definition of a projective plan. Each projective line contains $q^2-1$ vectors $(x,y,z)\in {\mathbb{F}}^3\setminus \{(0,0,0)\},$ and is the disjoint union of $q+1$ projective points. In particular, the $q+1$ projective points of the second and third type are indeed on the same projective line corresponding to the 2-dimensional subspace orthogonal to vector $(0,0,1).$

Elliptic Curves in Projective Coordinates

To obtain the equation defining an elliptic curve in projective coordinates, we substitute $X/Z$ to $x$ and $Y/Z$ to $y$ in the affine short Weierstrass equation $$y^2=x^3+ax+b\text{\hspace{1em}(11.1)}$$ and multiply by $Z^3$ to clear the denominators. This way, we obtain the projective short Weierstrass equation: $$Y^{2}Z=X^3+aX{Z}^2+b{Z}^3.\text{\hspace{1em}(11.2)}$$

It is easy to see that a projective point $(X:Y:Z)$ with $Z\ne 0$ satisfies (11.2) if and only if the corresponding affine point $(x,y)$ with $x=X/Z$ and $y=Y/Z$ satisfies (11.1). Moreover, a projective point $(X:Y:Z)$ on the line at infinity ($Z=0)$ satisfies (11.2) if and only $X=0,$ meaning the only of the $q+1$ projective points at infinity satisfying (11.2) is $(0:1:0).$ This is the "curve point at infinity", the identity element of the group law, that we denoted $\mathcal{O}$ when we defined the elliptic curve in affine coordinates.

Hence, one of the main advantages of projective coordinates over affine ones is that it unifies ordinary points and the point at infinity $\mathcal{O},$ which now has a projective representation as any other point, namely $(0:1:0).$

Another advantage is that computing the group law is more efficient because it does not require to perform modular division (which is only required to perform projective-to-affine conversion). A ballpark estimation is that a modular inversion is 20 to 100 times more costly than a modular multiplication depending on the platform and the implementation.

The projective coordinates obtained with the substitution $x\leftarrow X/Z,$ $y\leftarrow Y/Z$ is just one possibility among others, called homogeneous projective coordinates because the resulting projective equation (11.2) for the curve is homogeneous, meaning all terms have the same total degree, 3 here. An very common alternative are Jacobian coordinates defined by the substitution $$x\leftarrow X/Z^2,y\leftarrow Y/Z^3.$$ The resulting projective equation is $$Y^2=X^3+aX{Z}^4+b{Z}^6.$$ Projective points in Jacobian coordinates are defined by the equivalence relation $$(x,y,z)\sim (x^{\prime },y{,}^{\prime },z^{\prime })\text{if}\exists k\in {\mathbb{F}}^{\ast },(x^{\prime },y^{\prime },z^{\prime })=(k^{2}x,k^{3}y,kz).$$ The point at infinity ($Z=0)$ is the equivalence class $(1:1:0)=\{(k^2,k^3,0):k\in {\mathbb{F}}^{\ast }\}.$

See http://www.hyperelliptic.org/EFD/ for a list of various other possible coordinates systems.

---

1: It is possible to define elliptic curves over fields of characteristic 2 or 3 but equations are more complicated.

Chapter status: 👷 in progress 👷

TODO:

Pairings

Pairings have allowed a great number of new applications in cryptography. They were first used by Menezes, Okamoto, and Vanstone [MOV91] to break the discrete logarithm problem in supersingular elliptic curves (this is the so-called MOV attack). Later, they were used constructively by Joux [Jou00] to obtain a tripartite Diffie-Hellman protocol and by Boneh and Franklin [BF03] to obtain an identity-based encryption scheme. This got the three of them the Gödel prize in 2013.

We will start with the abstract definition of pairing groups and then we will see how to construct such groups from specific elliptic curves.

Contents

• Abstract Definition
• Further Resources

Abstract Definition

Let ${\mathbb{G}}_1,$ ${\mathbb{G}}_2,$ and ${\mathbb{G}}_t$ be three cyclic groups of prime order $r.$ For reasons that will become clear later, we will denote ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ additively and ${\mathbb{G}}_t$ multiplicatively (in particular, ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$'s identity elements are denoted $0$ while ${\mathbb{G}}_t$'s identity element is denoted $1).$ A pairing is an efficiently computable function $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_t$ which satisfies two properties:

• non-degeneracy: $P\ne 0$ and $Q\ne 0$ implies $e(P,Q)\ne 1;$
• bilinearity: for every $P_1,P_2\in {\mathbb{G}}_1$ and $Q\in {\mathbb{G}}_2$ and for every $P\in {\mathbb{G}}_1$ and $Q_1,Q_2\in {\mathbb{G}}_2,$ $$\begin{array}{rl}e(P_1+P_2,Q)& =e(P_1,Q)e(P_2,Q)\\ e(P,Q_1+Q_2)& =e(P,Q_1)e(P,Q_2).\end{array}$$

Note that bilinearity implies the (more useful in practice) property that for every $P\in {\mathbb{G}}_1,$ $Q\in {\mathbb{G}}_2,$ and $a,b\in {\mathbb{Z}}_r,$ $$e(aP,bQ)=e(P,Q{)}^{ab}.$$

Non-degeneracy has many other definitions (all equivalent assuming bilinearity), such as:

• $e$ is not the constant function $1,$
• if $G_1$ and $G_2$ are generators of respectively ${\mathbb{G}}_1$ and ${\mathbb{G}}_2,$ then $e(G_1,G_2)$ is a generator of ${\mathbb{G}}_t.$

Constructing groups admitting a pairing is not very hard. For example, take ${\mathbb{G}}_1={\mathbb{G}}_2={\mathbb{Z}}_r$ (the group of integers mod $r$ equipped with addition), take for ${\mathbb{G}}_t$ any cyclic group of order $r,$ let $g$ be a generator of ${\mathbb{G}}_t,$ and define $e(x,y):=g^{xy}.$

However, for being useful from a cryptographic point of view, we need the discrete logarithm problem to be hard in the three groups ${\mathbb{G}}_1,$ ${\mathbb{G}}_2,$ and ${\mathbb{G}}_t.$ (In the example above, while it may be hard in ${\mathbb{G}}_t,$ it is certainly not in ${\mathbb{G}}_1$ and ${\mathbb{G}}_2.$) This is where elliptic curves come to the rescue.

Some more vocabulary: A pairing is said symmetric when ${\mathbb{G}}_1={\mathbb{G}}_2$ and asymmetric when ${\mathbb{G}}_1\ne {\mathbb{G}}_2.$ As we will see, both types can be constructed from elliptic curves. Historically, the first proposed constructions were symmetric, but nowadays the asymmetric type prevails for efficiency reasons. It is an open problem to construct a pairing such that ${\mathbb{G}}_1={\mathbb{G}}_2={\mathbb{G}}_t=\mathbb{G}$ and the discrete logarithm problem is (conjectured) hard in $\mathbb{G}.$

Further Resources

Here are some good resources about pairing-friendly elliptic curves:

• Pairings for beginners by Craig Costello
• Section 5.4 of the Moonmath manual
• Martijn Maas' master thesis
• this post about the security of pairing-friendly curves by Giacomo Pope
• a post about BLS12-381 by Ben Edgington
• a post about BN254 by Jonathan Wang.

Chapter status: in progress

TODO:

• modify advantage notation to display the scheme

Games, Models, and Assumptions

This section presents how security assumptions and security properties of cryptographic schemes are formalized. It also gives a list of cryptographic assumptions relevant for this book (see also the ECRYPT II MAYA report).

Contents

• Big-O Notation and Negligible Functions
• Cryptographic Games
  • Game: Tentative Definition
  • Notation and Conventions for Writing Games
  • Advantage
  • Reductions
• Idealized Models
  • The Random Oracle Model
  • The Generic Group Model
  • The Algebraic Group Model
• Assumptions
  • Group Setup Algorithms
  • Assumptions in Standard Groups
    • Discrete Logarithm (DL)
    • Computational Diffie-Hellman (CDH)
    • Decisional Diffie-Hellman (DDH)
    • $q$-Discrete Logarithm ($q$-DL)
  • Assumptions in Product Groups
    • $(q_1,q_2)$-co-Discrete Logarithm ($(q_1,q_2)$-co-DL)
    • Computational co-Diffie-Hellman (co-CDH)
    • Computational co-Diffie-Hellman* (co-CDH*)
    • Computational $\psi$-co-Diffie-Hellman ($\psi$-co-CDH)
    • $(q_1,q_2)$-Strong Diffie-Hellman ($(q_1,q_2)$-SDH)
  • Assumptions in Pairing Groups
    • $(q_1,q_2)$-Bilinear Diffie-Hellman Inversion ($(q_1,q_2)$-BDHI)
    • $(q_1,q_2)$-Bilinear Strong Diffie-Hellman ($(q_1,q_2)$-BSDH)

Big-O Notation and Negligible Functions

In all the following, we consider functions from $\mathbb{N}$ to ${\mathbb{R}}^{+}=\{x\in \mathbb{R}\mid x\ge 0\}$ and we let $\lambda$ denote the variable.

A function $f$ is said to be negligible if $f\in {\lambda }^{-\omega (1)}$ or equivalently if $$\forall k\in \mathbb{N},\exists n\in \mathbb{N},\forall \lambda \ge n,f(\lambda )\le {\lambda }^{-c}.$$

In words, $f$ is negligible if it approaches zero faster than the inverse of any polynomial.

The set of all negligible functions is denoted $\mathrm{negl}.$ We often write $f(\lambda )=\mathrm{negl}(\lambda )$ in place of $f\in \mathrm{negl}.$

Cryptographic Games

Game: Tentative Definition

A game consists of a main algorithm $\mathrm{GAME}$ and a (potentially empty) finite tuple of oracle algorithms ${\text{O}}_1,\dots ,{\text{O}}_n.$ Then main algorithm (to which we simply refer as the game from here) takes as input $1^{\lambda }$ where $\lambda \in \mathbb{N}$ is an integer called security parameter and runs in three phases:

• initialization: the game initializes variables and generates some input $inp;$
• attack: the game invokes an algorithm $\mathsf{A}$ called adversary on input $inp;$ the adversary has oracle access to ${\text{O}}_1,\dots ,{\text{O}}_n;$
• finalization: when the adversary halts and returns some output $out,$ the game evaluates a predicate of $out$ and all variables and returns the truth value of this predicate.

To make this definition rigorous, the programming language used to write the game should be completely specified. Here, we will content ourselves with specifying games in pseudocode.

A very simple game called ADD drawing two random $\lambda$-bit integers and returning $\mathbf{true}$ if the adversary successfully adds them would look like this:

$$\boxed{\begin{array}{l}\text{Game ADD(1λ):}\\ a,b{\leftarrow }_{\$}\{2^{\lambda -1},\dots ,2^{\lambda }-1\}\\ c\leftarrow \mathsf{A}(a,b)\\ \mathbf{return}(c=a+b)\end{array}}$$

Notation and Conventions for Writing Games

• Given a predicate $A,$ we use $\mathbf{assert}A$ as a shorthand for $\mathbf{if}\neg A\mathbf{then}\mathbf{return}\mathbf{false}$
• Games return $\mathbf{true}$ by default, meaning if the end of the game code is reached and the game has not returned yet, then it returns $\mathbf{true}.$ Finalization often consists in returning the truth vale of $A\wedge B\wedge C\wedge \cdots .$ Under this convention, the following finalization code $$\mathbf{return}A\wedge B\wedge C$$ is equivalent to $$\begin{array}{rl}& \mathbf{assert}A\\ & \mathbf{assert}B\\ & \mathbf{assert}C\end{array}$$

Advantage

For each security parameter $\lambda ,$ a game together with an adversary define a finite probability space specified by all random choices made by the game and the random coins of the adversary. This allows to define the probability of various events related to the execution of the game with a specific adversary.

In particular, given a game $\mathrm{GAME}$ and an adversary $\mathsf{A},$ we write ${\mathrm{GAME}}^{\mathsf{A}}(1^{\lambda })\Rightarrow b,$ or simply $\mathrm{GAME}\Rightarrow b$ when the context is clear, for the event that an execution of $\mathrm{GAME}$ with adversary $\mathsf{A}$ for security parameter $\lambda$ returns $b.$ When the game returns $\mathbf{true}$ we also say that the adversary "wins".

A game can be computational or decisional depending on how a quantity called advantage, measuring how well an adversary performs at winning the game, is defined.

The advantage of an adversary $\mathsf{A}$ against a game $\mathrm{GAME}$ is a function of the security parameter $\lambda \in {\mathbb{N}}^{\ast }$ into $[0,1]$ defined as $${\mathbf{Adv}}_{\mathsf{A}}^{\text{game}}(\lambda ):=\mathrm{Pr}\left[\mathrm{GAME}\Rightarrow \mathbf{true}\right]$$ if the game is computational and $${\mathbf{Adv}}_{\mathsf{A}}^{\text{game}}(\lambda ):=\left|2\mathrm{Pr}\left[\mathrm{GAME}\Rightarrow \mathbf{true}\right]-1\right|$$ if the game is decisional. (We write the name of the game in small caps in the advantage superscript to lighten notation.)

We say that a game $\mathrm{GAME}$ is computationally hard if for every probabilistic polynomial-time (ppt) algorithm $\mathsf{A},$ $${\mathbf{Adv}}_{\mathsf{A}}^{\text{game}}(\lambda )=\mathrm{negl}(\lambda ).$$ We say that a game $\mathrm{GAME}$ is statistically hard (or information-theoretically hard or unconditionally hard) if for every algorithm $\mathsf{A}$ (not necessarily polynomial-time), $${\mathbf{Adv}}_{\mathsf{A}}^{\text{game}}(\lambda )=\mathrm{negl}(\lambda ).$$ In the special case where the advantage of any algorithm is zero, one says that the game is perfectly hard (for example, a commitment scheme that can be perfectly hiding or perfectly binding).

When we simply say that a game is hard, it usually means computationally hard (but this should always be clear from the context).

Hence, for a computationally, resp. statistically hard game, every ppt, resp. unbounded adversary "wins" with probability negligible close to 0 for a computational game and with probability negligibly close to $1/2$ for a decisional game.

Reductions

Given two games $X$ and $Y,$ we say that $X$ reduces to $Y,$ denoted $X\leqq Y,$ if there exists a probabilistic polynomial-time algorithm $\mathsf{B}$ (called reduction) with access to an oracle such that for every algorithm $\mathsf{A}$ solving $Y$ with non-negligible advantage, ${\mathsf{B}}^{\mathsf{A}}$ solves $X$ with non-negligible advantage.

If $X$ reduces to $Y$ and $Y$ reduces to $X,$ we say that $X$ and $Y$ are equivalent, denoted $X\equiv Y.$

Proposition 13.1. Assume that $X$ reduces to $Y.$ Then $X$ being hard implies $Y$ being hard.

Proof

Contraposing, assume that $Y$ is not hard, which by definition means that there exists a ppt algorithm $\mathsf{A}$ such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{Y}}(\lambda )\ne \mathrm{negl}(\lambda ).$$ Consider the reduction $\mathsf{B}$ from $X$ to $Y.$ Since $\mathsf{A}$ and $\mathsf{B}$ both run in polynomial time, ${\mathsf{B}}^{\mathsf{A}}$ runs in polynomial time as well. Moreover, by definition of a reduction, $${\mathbf{Adv}}_{{\mathsf{B}}^{\mathsf{A}}}^{\text{X}}(\lambda )\ne \mathrm{negl}(\lambda ).$$ Hence, $X$ is not hard.

Thus, $X\leqq Y$ can be read as "$X$ is not harder than $Y$" or $Y$ is at least as hard as $X$".

In cryptography, we are constantly making assumptions of the form "X is hard". Proposition 13.1 can be used to compare the strength of various assumptions. Indeed, assuming we proved that $X\leqq Y,$ then the assumption that $X$ is hard implies that $Y$ is hard too. If, in addition, there are some indications that $Y\leqq X$ does not hold, then the assumption that $X$ is hard is stronger than the assumption that $Y$ is hard. Indeed, if $X\leqq Y$ but $Y\leqq X$ is not known to hold, then it might be that $Y$ is hard yet $X$ is easy.

For example, consider the discrete logarithm (DL) problem on one hand (given a group $\mathbb{G}$ and group elements $G$ and $X=xG,$ compute $x)$ and the Computational Diffie-Hellman (CDH) problem on the other hand (given a group $\mathbb{G}$ and group elements $G,$ $X=xG,$ and $Y,$ compute $xY).$ One can easily prove that CDH $\leqq$ DL (CDH reduces to DL) by constructing a reduction from CDH to DL: given an algorithm solving DL, one can solve CDH by first computing the discrete logarithm $x$ of $X$ and then computing $xY.$ However, there is no proof that DL $\leqq$ CDH (except in very specific situations). Hence, the assumption that CDH is hard is (for most groups) stronger than the assumption that DL is hard.

Another way Proposition 13.1 is often used in cryptography is for security proofs. Here, $X$ is some hardness assumption such as DL and $Y$ is a security game, say unforgeability (in the precise sense of EUF-CMA security in the random oracle model) of Schnorr signatures. Then, a security proof for Schnorr signatures consists in proving that $X$ reduces to $Y,$ i.e., the DL problem reduces to the EUF-CMA security of Schnorr signatures in the ROM. By Proposition 13.1, if DL is hard, then Schnorr signatures are EUF-CMA secure in the ROM.

Idealized Models

The Random Oracle Model

The Generic Group Model

The Algebraic Group Model

Assumptions

Group Setup Algorithms

A standard group setup algorithm is an algorithm $\mathsf{GroupSetup}$ which on input the security parameter $1^{\lambda }$ returns a pair $(\mathbb{G},p)$ where $p$ is a $2\lambda$-bit prime and $\mathbb{G}$ is a cyclic group of order $p.$

A pairing group setup algorithm is an algorithm $\mathsf{PairingSetup}$ which on input the security parameter $1^{\lambda }$ returns a tuple $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ where $r$ is a $2\lambda$-bit prime, ${\mathbb{G}}_1,$ ${\mathbb{G}}_2,$ and ${\mathbb{G}}_t$ are cyclic groups of order $r,$ and $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_t$ is an efficiently computable pairing.

We adopt the convention that group/pairing setup algorithms do not return generators of the groups. They will be explicitly sampled in the games.

One usually distinguishes three types of pairing group setup algorithms [GPS08]:

• a type-1 pairing group setup algorithm (also called symmetric pairing setup algorithm) is such that ${\mathbb{G}}_1={\mathbb{G}}_2;$
• a type-2 pairing group setup algorithm is such that ${\mathbb{G}}_1\ne {\mathbb{G}}_2$ and there exists an efficiently computable isomorphism $\psi :{\mathbb{G}}_2\to {\mathbb{G}}_1;$
• a type-3 pairing group setup algorithm is such that ${\mathbb{G}}_1\ne {\mathbb{G}}_2$ an no efficiently computable isomorphism $\psi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ is known.

Type-2 and type-3 pairing group setup algorithms are called asymmetric.

In all the following, we simply talk about "type-1/2/3 pairings" rather than "type-1/2/3 pairing group setup algorithms".

Assumptions in Standard Groups

Discrete Logarithm (DL)

• type: computational
• interactive: no
• falsifiable: yes
• references:
• notes:

$$\boxed{\begin{array}{l}\text{Game DL:}\\ par\leftarrow \mathsf{GroupSetup}(1^{\lambda })\\ (\mathbb{G},p)\twoheadleftarrow par\\ G{\leftarrow }_{\$}\mathbb{G}\setminus \{0\}\\ X{\leftarrow }_{\$}\mathbb{G}\\ x\leftarrow \mathsf{A}(par,G,X)\\ \mathbf{assert}(X=xG)\end{array}}$$

Computational Diffie-Hellman (CDH)

• type: computational
• interactive: no
• falsifiable: yes
• references:
• notes: CDH $\leqq$ DL

$$\boxed{\begin{array}{l}\text{Game CDH:}\\ par\leftarrow \mathsf{GroupSetup}(1^{\lambda })\\ (\mathbb{G},p)\twoheadleftarrow par\\ G{\leftarrow }_{\$}\mathbb{G}\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_p;X:=xG\\ Y{\leftarrow }_{\$}\mathbb{G}\\ Z\leftarrow \mathsf{A}(par,G,X,Y)\\ \mathbf{assert}(Z=xY)\end{array}}$$

Decisional Diffie-Hellman (DDH)

• type: decisional
• interactive: no
• falsifiable: yes
• references:
• notes: DDH $\leqq$ CDH

$$\boxed{\begin{array}{l}\text{Game DDH:}\\ par\leftarrow \mathsf{GroupSetup}(1^{\lambda })\\ (\mathbb{G},p)\twoheadleftarrow par\\ b{\leftarrow }_{\$}\{0,1\}\\ G{\leftarrow }_{\$}\mathbb{G}\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_p;X:=xG\\ Y{\leftarrow }_{\$}\mathbb{G}\\ Z_0:=xY;Z_1{\leftarrow }_{\$}\mathbb{G}\\ b^{\prime }\leftarrow \mathsf{A}(par,G,X,Y,Z_b)\\ \mathbf{assert}(b=b^{\prime })\end{array}}$$

$q$-Discrete Logarithm ($q$-DL)

• type: computational
• interactive: no
• falsifiable: yes
• references: [Che10, Lip10, FKL18, Rot22]
• notes:
  • sometimes called $q$-strong DL or DL with $q$ auxiliary inputs
  • 1-Dl = DL
  • $(q+1)$-DL $\leqq$ $q$-DL

$$\boxed{\begin{array}{l}\text{Game q-DL:}\\ par\leftarrow \mathsf{GroupSetup}(1^{\lambda })\\ (\mathbb{G},p)\twoheadleftarrow par\\ G{\leftarrow }_{\$}\mathbb{G}\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_p\\ x^{\prime }\leftarrow \mathsf{A}(par,G,xG,x^{2}G,\dots ,x^{q}G)\\ \mathbf{assert}(x=x^{\prime })\end{array}}$$

Assumptions in Product Groups

The assumptions listed in this section are defined for a pair of groups $({\mathbb{G}}_1,{\mathbb{G}}_2)$ of equal order $r.$ They are usually applied to groups returned by a pairing group setup algorithm $\mathsf{PairingSetup}$ but don't make use of the group ${\mathbb{G}}_t$ nor the pairing $e.$ For this reason, we simply write $({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par$ when parsing the parameters $par$ returned by $\mathsf{PairingSetup}.$

$(q_1,q_2)$-co-Discrete Logarithm ($(q_1,q_2)$-co-DL)

• type: computational
• interactive: no
• falsifiable: yes
• references: [Che10, Lip10, FKL18, Rot22]
• notes:

$$\boxed{\begin{array}{l}\text{Game (q1,q2)-co-DL:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r\\ x^{\prime }\leftarrow \mathsf{A}(par,G_1,x{G}_1,\dots ,x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\\ \mathbf{assert}(x=x^{\prime })\end{array}}$$

Computational co-Diffie-Hellman (co-CDH)

• type: computational
• interactive: no
• falsifiable: yes
• references: [BLS04]
• notes:
  • co-CDH $\leqq$ DL in ${\mathbb{G}}_2$
  • co-CDH $\equiv$ CDH in ${\mathbb{G}}_1={\mathbb{G}}_2$ for type-1 pairings
  • co-CDH $\leqq$ CDH in ${\mathbb{G}}_1$ for type-2 pairings (see Proposition 17.3)

$$\boxed{\begin{array}{l}\text{Game co-CDH:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r;X:=x{G}_2\\ Y{\leftarrow }_{\$}{\mathbb{G}}_1\\ Z\leftarrow \mathsf{A}(par,G_2,X,Y)\\ \mathbf{assert}(Z=xY)\end{array}}$$

Computational co-Diffie-Hellman* (co-CDH*)

• type: computational
• interactive: no
• falsifiable: yes
• references: [CHKM10]
• notes:
  • sometimes simply called (confusingly) co-CDH (e.g. [BDN18])
  • co-CDH${}^{\ast }$ $\leqq$ CDH in ${\mathbb{G}}_1$
  • co-CDH${}^{\ast }$ $\leqq$ DL in ${\mathbb{G}}_2$
  • co-CDH${}^{\ast }$ $\leqq$ co-CDH
  • co-CDH${}^{\ast }$ $\equiv$ CDH in ${\mathbb{G}}_1={\mathbb{G}}_2$ for type-1 pairings (see Proposition 17.1)
  • co-CDH${}^{\ast }$ $\equiv$ co-CDH for type-2 pairings (see Proposition 17.2)

$$\boxed{\begin{array}{l}\text{Game co-CDH∗:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r;X_1:=x{G}_1;X_2:=x{G}_2\\ Y{\leftarrow }_{\$}{\mathbb{G}}_1\\ Z\leftarrow \mathsf{A}(par,G_1,X_1,G_2,X_2,Y)\\ \mathbf{assert}(Z=xY)\end{array}}$$

Computational $\psi$-co-Diffie-Hellman ($\psi$-co-CDH)

• type: computational
• interactive: yes
• falsifiable: no (for type-3 pairings)
• references: [SV07, BDN18]
• notes:
  • $\psi$-co-CDH $\leqq$ CDH in ${\mathbb{G}}_1$
  • $\psi$-co-CDH $\leqq$ DL in ${\mathbb{G}}_2$
  • $\psi$-co-CDH $\leqq$ co-CDH${}^{\ast }$ $\leqq$ co-CDH
  • $\psi$-co-CDH $\equiv$ co-CDH for type-2 pairings (the isomorphism $\psi$ enables to compute $\text{SolveCoCDH}(U)$ efficiently as $\psi (U),$ assuming $\psi (G_2)=G_1)$

$$\boxed{\begin{array}{ll}\text{Game ψ-co-CDH:}& \text{Oracle SolveCoCDH(U):}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })& //\text{solves co-CDH for (G2,U,G1)}\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par& \mathbf{assert}U\in {\mathbb{G}}_2\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}& \mathbf{for}u\in {\mathbb{Z}}_r\mathbf{do}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}& \mathbf{if}u{G}_2=U\mathbf{then}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r;X_1:=x{G}_1;X_2:=x{G}_2& \mathbf{return}u{G}_1\\ Y{\leftarrow }_{\$}{\mathbb{G}}_1& \\ Z\leftarrow {\mathsf{A}}^{\text{SolveCoCDH}}(par,G_1,X_1,G_2,X_2,Y)& \\ \mathbf{assert}(Z=xY)& \end{array}}$$

$(q_1,q_2)$-Strong Diffie-Hellman ($(q_1,q_2)$-SDH)

• type: computational
• interactive: no
• falsifiable: yes
• references: [BB08]
• notes:
  • $(q,1)$-SDH usually called $q$-SDH
  • not to be confused with another assumption named SDH introduced in [ABR01]
  • $(q_1+1,q_2)$-SDH $\leqq$ $(q_1,q_2)$-SDH
  • $(q_1,q_2+1)$-SDH $\leqq$ $(q_1,q_2)$-SDH

$$\boxed{\begin{array}{l}\text{Game (q1,q2)-SDH:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,r)\twoheadleftarrow par\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r\\ (a,Y)\leftarrow \mathsf{A}(par,G_1,x{G}_1,\dots ,x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\\ \mathbf{assert}(Y=\frac{1}{x+a}{G}_1)\end{array}}$$

Assumptions in Pairing Groups

$(q_1,q_2)$-Bilinear Diffie-Hellman Inversion ($(q_1,q_2)$-BDHI)

• type: computational
• interactive: no
• falsifiable: yes
• references: [BB04]
• notes:
  • $(q_1+1,q_2)$-BDHI $\leqq$ $(q_1,q_2)$-BDHI
  • $(q_1,q_2+1)$-BDHI $\leqq$ $(q_1,q_2)$-BDHI

$$\boxed{\begin{array}{l}\text{Game (q1,q2)-BSDH:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\twoheadleftarrow par\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r\\ Y\leftarrow \mathsf{A}(par,G_1,x{G}_1,\dots ,x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\\ \mathbf{assert}(Y=e(G_1,G_2{)}^{\frac{1}{x}})\end{array}}$$

$(q_1,q_2)$-Bilinear Strong Diffie-Hellman ($(q_1,q_2)$-BSDH)

• type: computational
• interactive: no
• falsifiable: yes
• references: [KZG10a]
• notes:
  • $(q,1)$-BSDH is usually simply called $q$-BSDH
  • $(q_1+1,q_2)$-BSDH $\leqq$ $(q_1,q_2)$-BSDH
  • $(q_1,q_2+1)$-BSDH $\leqq$ $(q_1,q_2)$-BSDH
  • $(q_1,q_2)$-BSDH $\leqq$ $(q_1,q_2)$-SDH
  • $(q_1,q_2)$-BSDH $\leqq$ $(q_1,q_2)$-BDHI

$$\boxed{\begin{array}{l}\text{Game (q1,q2)-BSDH:}\\ par\leftarrow \mathsf{PairingSetup}(1^{\lambda })\\ ({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\twoheadleftarrow par\\ G_1{\leftarrow }_{\$}{\mathbb{G}}_1\setminus \{0\}\\ G_2{\leftarrow }_{\$}{\mathbb{G}}_2\setminus \{0\}\\ x{\leftarrow }_{\$}{\mathbb{Z}}_r\\ (a,Y)\leftarrow \mathsf{A}(par,G_1,x{G}_1,\dots ,x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\\ \mathbf{assert}(Y=e(G_1,G_2{)}^{\frac{1}{x+a}})\end{array}}$$

Signatures: Generalities

In this chapter, we define the syntax of a signature scheme and explore security definitions, asking ourselves: what makes a signature scheme secure?

Syntax

A signature scheme consists of four algorithms:

• a $\mathsf{Setup}$ algorithm which takes as input the security parameter $1^{\lambda }$ and returns public parameters $par;$
• a key generation algorithm $\mathsf{KeyGen}$ which takes as input parameters $par$ and returns a secret key $sk$ and a public key $pk;$
• a signature algorithm $\mathsf{Sign}$ which takes as input parameters $par,$ a secret key $sk,$ and a message $m$ and returns a signature $\sigma ;$
• a verification algorithm $\mathsf{Verif}$ which takes as input parameters $par,$ a public key $pk,$ a message $m,$ and a signature $\sigma$ and returns $1$ if the signature is valid for the pair $(pk,m)$ and $0$ otherwise.

The scheme is correct if for every security parameter $\lambda$ and every message $m,$ the following game capturing the nominal execution of algorithms returns true with probability one:

$$\boxed{\begin{array}{rl}& par\leftarrow \mathsf{Setup}(1^{\lambda })\\ & (sk,pk)\leftarrow \mathsf{KeyGen}(par)\\ & \sigma \leftarrow \mathsf{Sign}(par,sk,m)\\ & b\leftarrow \mathsf{Verif}(par,pk,m,\sigma )\\ & \mathbf{assert}(b=1)\end{array}}$$

This syntax considers that the message space is $\{0,1{\}}^{\ast },$ meaning that the signing algorithm takes any string as input message. In practice, this is never the case: quite often, the signing algorithm starts with hashing the input message with a hash function that has a finite message space. More generally, the message space could depend on the public parameters returned by the setup algorithm (e.g., the public parameters could specify a group and admissible messages could be restricted to group elements.) This can be accommodated by adapting the syntax as follows: on input $(par,sk,m),$ the $\mathsf{Sign}$ algorithms returns either a signature $\sigma$ or a distinguished error symbol $\perp$ indicating the message is invalid (i.e., cannot be signed). Correctness must be modified to require that $b=1$ only if $\sigma \ne \perp .$ Other variables ($par,$ $sk,$ $pk,$ and $\sigma )$ usually have a specific format depending on the security parameter. Similarly, we assume that $\mathsf{KeyGen},$ $\mathsf{Sign},$ and $\mathsf{Verif}$ return an error symbol in case any input does not abide to the expected format.

EUF-CMA, the Standard Security Notion

The standard security notion for a signature scheme is existential unforgeability against chosen message attacks (EUF-CMA): no polynomial-time adversary, being given a target public key $p{k}^{\ast }$ and having access to a signature oracle for the corresponding secret key $s{k}^{\ast },$ should be able to compute a valid signature for a message it has not queried to the signature oracle, except with negligible probability. This is formally captured by the following security game:

$$\boxed{\begin{array}{cc}\begin{array}{l}\text{Game EUF-CMA:}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ (s{k}^{\ast },p{k}^{\ast })\leftarrow \mathsf{KeyGen}(par)\\ \mathcal{Q}:=\varnothing \\ (m^{\ast },{\sigma }^{\ast })\leftarrow {\mathsf{A}}^{\text{Sign}}(par,p{k}^{\ast })\\ \mathbf{assert}(m^{\ast }\notin \mathcal{Q})\\ \mathbf{assert}(\mathsf{Verif}(par,p{k}^{\ast },m^{\ast },{\sigma }^{\ast })=1)\end{array}& \begin{array}{l}\text{Oracle Sign(m):}\\ \sigma \leftarrow \mathsf{Sign}(par,s{k}^{\ast },m)\\ \mathcal{Q}\leftarrow \mathcal{Q}\cup \{m\}\\ \mathbf{return}\sigma \\ \\ \\ \end{array}\end{array}}$$

Here, chosen message attack means that the adversary can query the signature oracle on messages of its choice, while existential unforgeability means that the adversary wins if it returns a forgery on any message that has not been queried to the signature oracle (there exists some message $m^{\ast }$ for which the adversary can forge a signature).

One can weaken this security definition in two directions. One one hand, one can restrict how the adversary can access the signature oracle. For example, in a no message attack, the adversary does not have access to the signature oracle. In a known message attack, the adversary cannot choose the message when querying the signature oracle (the message is randomly drawn according to some specific probability distribution). On the other hand, one can modify how the adversary can choose the message for which it forges its message. For example, selective unforgeability requires the adversary to commit to the message for which it will forge at the beginning of the game, before receiving the target public key and making any query to the signature oracle. For universal unforgeability, the message is imposed by the game rather than chosen by the adversary (typically, it is drawn at random by the game according to some specific distribution).

All these weaker notions are mostly of theoretical interest (for example, there exists generic conversion methods to construct signature schemes that are EUF-CMA-secure from schemes that are only meet selective unforgeability against chosen message attacks). In practice, a signature scheme must be EUF-CMA-secure to be deployed (more precisely, conjectured EUF-CMA-secure, preferably supported by a security proof).

Strong EUF-CMA and Non-malleability

Binding

Chapter status: ✅ in good shape ✅

Related puzzles: Puzzle 1

TODO:

• add details about hashing into groups
• write a more rigorous game-based proof for BLS
• write the security proof for aggregate BLS signatures

BLS Signatures

The BLS signature scheme was proposed by Boneh, Lynn, and Shacham [BLS01] (see also the corresponding journal paper [BLS04] and the IETF draft) and was one of the first applications of pairings to cryptography (shortly after tripartite Diffie-Hellman and identity-based encryption). Note that the BLS initialism can refer to two different things in cryptography: Boneh-Lynn-Shacham signatures discussed in this chapter and Barreto-Lynn-Scott curves, a family of pairing-friendly elliptic curves. It is possible to implement BLS (signatures) on BLS (curves).

Contents

• Description of BLS
• Security of BLS
  • Security Proof
  • Discussion
• Signature Aggregation
• A Note about Non-Repudiation
• Further Topics to Cover

Description of BLS

For the general syntax and the EUF-CMA security definition, refer to the corresponding chapter.

Let $\mathsf{PairingSetup}$ be a pairing group setup algorithm. The BLS signature scheme is defined as follows:

• The $\mathsf{Setup}$ algorithm, on input the security parameter $1^{\lambda },$ runs $$({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\leftarrow \mathsf{PairingSetup}(1^{\lambda })$$ and draws a random generator $G_2$ of ${\mathbb{G}}_2.$ It also specifies a hash function $H:\{0,1{\}}^{\ast }\to {\mathbb{G}}_1$ mapping bit strings to group elements in ${\mathbb{G}}_1.$ The public parameters consist of the tuple $$par=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e,G_2,H).$$

• The key generation algorithm $\mathsf{KeyGen}$ draws a random scalar $x{\leftarrow }_{\$}{\mathbb{Z}}_r$ and computes the point $X=x{G}_2$ on curve ${\mathbb{G}}_2;$ the secret key is $x$ and the public key is $X.$

• The signature algorithm $\mathsf{Sign},$ on input a secret key $x$ and a message $m,$ computes the point $S=xH(m)$ on curve ${\mathbb{G}}_1;$ the signature is $S.$

• The verification algorithm, on input a public key $X,$ a message $m,$ and a signature $S,$ returns 1 (i.e., declares the signature valid) if $$e(S,G_2)=e(H(m),X),\text{\hspace{1em}(17.1)}$$ otherwise it returns 0 (invalid signature).

A good way to think about BLS signatures is as follows: given a message $m$ with corresponding point $H(m)$ in ${\mathbb{G}}_1,$ the signature of $m$ is the point $S$ such that the discrete logarithm of $S$ in base $H(m)$ is equal to the discrete logarithm of $X$ in base $G_2$ (that is, the secret key $x).$ This is reminiscent of the Chaum-Antwerpen undeniable signature scheme [CA89]. Checking discrete logarithm equality is exactly what the pairing $e$ enables to do efficiently.

Note that the signature algorithm is deterministic and hence always returns the same signature for a given secret key/message pair; this is called a unique signature scheme.

The roles of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ can be swapped, in which case public keys are in ${\mathbb{G}}_1$ and signatures in ${\mathbb{G}}_2$ (recall that bit string representations of elements are larger and arithmetic is less efficient for ${\mathbb{G}}_2$ than for ${\mathbb{G}}_1,$ so the choice depends on what is more important to optimize depending on the use case). In that case, the hash function must have outputs in ${\mathbb{G}}_2$ and hence this is not possible with a type-2 pairing.

The scheme is correct, meaning that for every key pair $(x,X)$ possibly output by the key generation algorithm and every message $m,$ the signature $S$ computed by the signature algorithm is declared valid by the verification algorithm. Indeed, $$\begin{array}{rl}e(S,G_2)& =e(xH(m),G_2)\\ & =e(H(m),G_2{)}^x\\ & =e(H(m),x{G}_2)\\ & =e(H(m),X),\end{array}$$ hence Eq. (17.1) is satisfied.

Security of BLS

Security Proof

The BLS scheme is provably EUF-CMA-secure assuming the so-called co-CDH${}^{\ast }$ problem is hard for $({\mathbb{G}}_1,{\mathbb{G}}_2)$ and modeling the hash function $H$ as a random oracle. The co-CDH${}^{\ast }$ problem for two groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ of order $r$ is defined as follows: given random generators $G_1$ and $G_2$ of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ respectively, $X_1=x{G}_1$ and $X_2=x{G}_2$ for $x{\leftarrow }_{\$}{\mathbb{Z}}_r,$ and a random group element $Y\in {\mathbb{G}}_1,$ compute $xY.$ This might be thought of as CDH in ${\mathbb{G}}_1$ with additional "hint" $(G_2,X_2=x{G}_2)\in {\mathbb{G}}_2^2.$

Theorem 17.1. Assume that the co-CDH${}^{\ast }$ problem is hard for $\mathsf{PairingSetup}.$ Then the BLS signature scheme is EUF-CMA-secure in the random oracle model for $H.$ More precisely, for any adversary $\mathsf{A}$ against the EUF-CMA security of BLS making at most $q_{\mathrm{h}}$ random oracle queries and $q_{\mathrm{s}}$ signature queries, there exists an adversary $\mathsf{B}$ for the co-CDH${}^{\ast }$ problem running in time similar to the time of $\mathsf{A}$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{euf-cma}}(\lambda )=(q_{\mathrm{h}}+1){\mathbf{Adv}}_{\mathsf{B}}^{\text{co-cdh∗}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the EUF-CMA security of BLS making at most $q_{\mathrm{h}}$ random oracle queries and $q_{\mathrm{s}}$ signature queries. From $\mathsf{A},$ one can easily construct an adversary ${\mathsf{A}}^{\prime }$ having the same advantage as $\mathsf{A}$ and such that (i) ${\mathsf{A}}^{\prime }$ always makes the random oracle query $\text{H}(m^{\ast })$ before returning its forgery $(m^{\ast },S^{\ast })$ and (ii) ${\mathsf{A}}^{\prime }$ makes exactly $q_{\mathrm{h}}+1$ random oracle queries. From now one, we assume that $\mathsf{A}$ satisfies properties (i) and (ii).

We construct an adversary $\mathsf{B}$ for the co-CDH${}^{\ast }$ problem as follows. $\mathsf{B}$ takes as input pairing group parameters $pgpar=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and a co-CDH${}^{\ast }$ instance $$(G_1,X_1,G_2,X_2,Y)$$ with $X_1=x{G}_1$ and $X_2=x{G}_2.$ It runs $\mathsf{A}$ on input BLS parameters $$({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e,G_2,\text{H})$$ where $\text{H}$ is the interface to the random oracle (that $\mathsf{B}$ will simulate) and public key $X_2.$ At the beginning of the simulation, $\mathsf{B}$ draws a random integer $i^{\ast }{\leftarrow }_{\$}\{1,\dots ,q_{\mathrm{h}}+1\}$ and initializes a table $T$ for storing answers of the simulated random oracle $\text{H}.$ When $\mathsf{A}$ makes a random oracle query $\text{H}(m)$ such that $T(m)$ has not been defined yet, $\mathsf{B}$ either draws ${\rho }_i{\leftarrow }_{\$}{\mathbb{Z}}_r$ and returns $T(m):={\rho }_i{G}_1$ if this is the $i$-th query, $i\ne i^{\ast },$ or returns $T(m):=Y$ if this is the $i^{\ast }$-th query. When $\mathsf{A}$ makes a signing query $\text{Sign}(m),$ then:

• if $T(m)$ is undefined, then $\mathsf{B}$ draws $\rho {\leftarrow }_{\$}{\mathbb{Z}}_r,$ sets $T(m):=\rho G_1,$ and returns the signature $S:=\rho X_1;$ note that this signature is valid since $S=\rho x{G}_1=xT(m);$
• if $T(m)$ has already been defined, this was necessarily during the query $\text{H}(m)$ made by $\mathsf{A};$ if this was the $i$-th query, $i\ne i^{\ast },$ then $\mathsf{B}$ returns the signature $S:={\rho }_i{X}_1;$ again, this signature is valid since $S={\rho }_{i}x{G}_1=xT(m);$ otherwise, if $T(m)$ was defined by the $i^{\ast }$-th query, then $\mathsf{B}$ aborts the simulation of the game and returns $\perp .$

Eventually, when $\mathsf{A}$ halts and returns its forgery $(m^{\ast },S^{\ast }),$ three cases can occur (recall that by assumption $\mathsf{A}$ made the random oracle query $\text{H}(m^{\ast }),$ hence $T(m^{\ast })$ is necessarily defined):

• if $(m^{\ast },S^{\ast })$ is not a valid forgery (either because $m^{\ast }$ was queried to the sign oracle or because the signature is invalid), then $\mathsf{B}$ returns $\perp ;$
• if $(m^{\ast },S^{\ast })$ is a valid forgery and $T(m^{\ast })$ was defined during the $i$-th query to the random oracle, $i\ne i^{\ast },$ the $\mathsf{B}$ returns $\perp ;$
• if $(m^{\ast },S^{\ast })$ is a valid forgery and $T(m^{\ast })$ was defined during the $i^{\ast }$-th query to the random oracle, then $\mathsf{B}$ returns $S^{\ast }$ as solution to the co-CDH${}^{\ast }$ instance.

In the third case, one can easily check that $S^{\ast }$ is the correct solution since $T(m^{\ast })$ was defined as $Y$ so that $S^{\ast }=xT(m^{\ast })=xY.$ Moreover, conditioned on $\mathsf{A}$ being successful, the view of $\mathsf{A}$ is independent from $i^{\ast }$ and hence the third case occurs with probability $1/(q_{\mathrm{h}}+1).$ Hence, $${\mathbf{Adv}}_{\mathsf{B}}^{\text{co-cdh∗}}(\lambda )=\frac{1}{q_{\mathrm{h}}+1}{\mathbf{Adv}}_{\mathsf{A}}^{\text{euf-cma}}(\lambda ).$$

This reduction loses a factor roughly $q_{\mathrm{h}}$ in its success probability. One can obtain a better reduction losing a factor $q_{\mathrm{s}}$ by using a slightly more careful strategy for "embedding" the challenge $Y$ in the random oracle answers, see Section 15.5.1 of the Boneh-Shoup textbook.

Discussion

The various statements and proofs of the security of BLS signatures in the literature can be confusing. The security theorem that we just proved holds for any pairing group setup algorithm. However, depending on the pairing type, it can be rephrased slightly differently.

The original conference paper [BLS01] was only considering symmetric (a.k.a. type-1) pairings (i.e., ${\mathbb{G}}_1={\mathbb{G}}_2=\mathbb{G})$ and proved EUF-CMA security assuming the CDH problem in $\mathbb{G}$ is hard. Theorem 17.1 implies this specific case since for type-1 pairings, hardness of co-CDH${}^{\ast }$ is equivalent to hardness of CDH in $\mathbb{G},$ as we prove now.

Proposition 17.1. Let $\mathsf{PairingSetup}$ be a type-1 pairing group setup algorithm. Then co-CDH${}^{\ast }$ $\equiv$ CDH.

Proof

One the one hand, co-CDH${}^{\ast }$ $\leqq$ CDH is trivial. On the other hand, CDH $\leqq$ co-CDH${}^{\ast }$ can be proved as follows. Let $\mathsf{A}$ be an algorithm for the co-CDH${}^{\ast }$ problem. We construct an algorithm $\mathsf{B}$ for solving CDH as follows. On input $(G_1,X_1=x{G}_1,Y)\in {\mathbb{G}}^3,$ $\mathsf{B}$ draws a random value $\rho {\leftarrow }_{\$}{\mathbb{Z}}_r\setminus \{0\}$ and computes $G_2:=\rho G_1$ and $X_2:=\rho X_1.$ Then $X_2=\rho x{G}_1=x{G}_2$ and $G_2$ is distributed uniformly in $\mathbb{G}\setminus \{0\}$ and independently from $G_1.$ Hence, $(G_1,X_1,G_2,X_2,Y)$ is a correctly distributed instance of co-CDH${}^{\ast }$ that $\mathsf{B}$ can pass as input to $\mathsf{A}.$ The solution $xY$ of this co-CDH${}^{\ast }$ instance is also the solution to the original CDH instance. Hence, the advantage of $\mathsf{B}$ is equal to the advantage of $\mathsf{A}.$

Later, the journal paper [BLS04] considered asymmetric pairings (${\mathbb{G}}_1\ne {\mathbb{G}}_2)$ for which an efficiently computable group isomorphism $\psi$ from ${\mathbb{G}}_2$ to ${\mathbb{G}}_1$ is available (i.e., a type-2 pairing) and proved security assuming the co-CDH problem is hard.¹ The co-CDH problem is similar to the co-CDH${}^{\ast }$ problem except the adversary is only given $G_2\in {\mathbb{G}}_2,$ $X_2=x{G}_2,$ and $Y\in {\mathbb{G}}_1,$ and must compute $xY.$ Again, Theorem 17.1 implies this specific case since for type-2 pairings, co-CDH${}^{\ast }$ is equivalent to co-CDH.

Proposition 17.2. Let $\mathsf{PairingSetup}$ be a type-2 pairing group setup algorithm. Then co-CDH${}^{\ast }$ $\equiv$ co-CDH.

Proof

On the one hand, co-CDH${}^{\ast }$ $\leqq$ co-CDH is straightforward. Conversely, one can prove that co-CDH $\leqq$ co-CDH${}^{\ast }$ as follows. Let $\mathsf{A}$ be an adversary for the co-CDH${}^{\ast }$ problem. We construct an adversary $\mathsf{B}$ for the co-CDH problem as follows. On input $(G_2,X_2=x{G}_2,Y)\in {\mathbb{G}}_2^2\times {\mathbb{G}}_1,$ $\mathsf{B}$ draws a random value $\rho {\leftarrow }_{\$}{\mathbb{Z}}_r\setminus \{0\}$ and computes $G_1:=\psi (\rho G_2)$ and $X_1:=\psi (\rho X_2).$ Then $X_1=\psi (\rho x{G}_2)=x\psi (\rho G_2)=x{G}_1$ and $G_1$ is distributed uniformly in ${\mathbb{G}}_1\setminus \{0\}$ and independently from $G_2.$ Hence, $(G_1,X_1,G_2,X_2,Y)$ is a correctly distributed instance of co-CDH${}^{\ast }$ that $\mathsf{B}$ can pass as input to $\mathsf{A}.$ The solution $xY$ of this co-CDH${}^{\ast }$ instance is also the solution to the original co-CDH instance. Hence, the advantage of $\mathsf{B}$ is equal to the advantage of $\mathsf{A}.$

Interestingly, [BLS04] gives an example of type-3 pairing group setup algorithm (i.e., such that no efficiently computable isomorphism from ${\mathbb{G}}_2$ to ${\mathbb{G}}_1$ is known) for which co-CDH is conjectured to be hard but BLS over this pairing group setup algorithm is insecure. Let ${\mathbb{G}}_2={\mathbb{G}}_t$ be a subgroup of order $r$ of the multiplicative group ${\mathbb{Z}}_p^{\ast },$ let ${\mathbb{G}}_1$ be the additive group ${\mathbb{Z}}_r,$ and let $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_2$ be defined as $e(x,y)=y^x.$ Note that DL is easy in ${\mathbb{G}}_1,$ which implies that DL in ${\mathbb{G}}_2$ reduces to co-CDH (an algorithm solving co-CDH returns $xY,$ which allows to solve for $x$ by computing the discrete log of $xY$ in base $Y$ in ${\mathbb{G}}_1).$ As DL in ${\mathbb{G}}_2$ is conjectured hard for sufficiently large $p$ and $r,$ co-CDH is conjectured hard for $({\mathbb{G}}_1,{\mathbb{G}}_2)$ for such parameters as well. Hence, maybe counter-intuitively, hardness of co-CDH does not necessarily imply hardness of DL in ${\mathbb{G}}_1$! On the other hand, DL being easy in ${\mathbb{G}}_1$ implies that BLS is not EUF-CMA-secure. This shows the necessity of the stronger co-CDH${}^{\ast }$ assumption for proving the security of BLS for type-3 pairings. For type-2 pairings, hardness of co-CDH does imply hardness of DL in ${\mathbb{G}}_2$ (obviously) but also in ${\mathbb{G}}_1,$ as shown by the following proposition.

Proposition 17.3. Let $\mathsf{PairingSetup}$ be a type-2 pairing group setup algorithm. Then $$\text{co-CDH}\leqq {\text{CDH}}_{{\mathbb{G}}_1}\leqq {\text{DL}}_{{\mathbb{G}}_1}.$$

Proof

That CDH${}_{{\mathbb{G}}_1}$ $\leqq$ DL${}_{{\mathbb{G}}_1}$ is clear. Let us show that co-CDH $\leqq$ CDH${}_{{\mathbb{G}}_1}.$ Let $\mathsf{A}$ be an algorithm for solving CDH in ${\mathbb{G}}_1.$ We construct an algorithm $\mathsf{B}$ for the co-CDH problem as follows. On input $(G_2,X_2=x{G}_2,Y)\in {\mathbb{G}}_2^2\times {\mathbb{G}}_1,$ $\mathsf{B}$ computes $G_1:=\psi (G_2)$ and $X_1:=\psi (X_2).$ Then $(G_1,X_1,Y)$ is a correctly distributed CDH instance that $\mathsf{B}$ can pass as input to $\mathsf{A}.$ The solution $xY$ of this CDH instance is also a solution of the original co-CDH instance. Hence, the advantage of $\mathsf{B}$ is equal to the advantage of $\mathsf{A}.$

To finish, we note that hardness of co-CDH${}^{\ast }$ is actually equivalent to EUF-CMA-security of BLS (even for a type-3 pairing where no efficiently computable isomorphism $\psi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ is known). Indeed, given an algorithm $\mathsf{A}$ solving co-CDH${}^{\ast },$ one can construct an adversary $\mathsf{B}$ breaking BLS as follows. Given $G_2$ and a public key $X_2=x{G}_2,$ $\mathsf{B}$ makes queries $G_1:=\text{H}(m)$ and $X_1:=\text{Sign}(m)$ for an arbitrary message $m.$ Note that $X_1=x{G}_1.$ Then it chooses an arbitrary message $m^{\ast }\ne m$ and queries $Y:=\text{H}(m^{\ast }).$ It runs $\mathsf{A}$ on input $(G_1,X_1,G_2,X_2,Y)$ which is a correctly distributed co-CDH${}^{\ast }$ challenge, unless $G_1=0$ which happens with negligible probability. If $\mathsf{A}$ returns the correct answer $S^{\ast }=xY$ to this co-CDH${}^{\ast }$ challenge, then $(m^{\ast },S^{\ast })$ is a valid forgery.

This equivalence holds because we considered the "random generator" variant of co-CDH${}^{\ast }$ where $G_1$ and $G_2$ are drawn at random. As noted in [CHKM10], for type-3 pairings, it is not known whether breaking EUF-CMA-security of BLS reduces to the "fixed generator" variant of co-CDH${}^{\ast }$ where $G_1$ and $G_2$ are fixed (the previous reduction does not work anymore since there is only a negligible chance to "hit" the fixed generator $G_1$ when making queries $\text{H}(m)).$

The following figure summarizes the above results (a double-arrow between two problems meaning equivalence):

graph TD;
    A(CDH) <-- type-1 --> C(co-CDH*);
    B(co-CDH) <-- type-2 --> C;
    C <-- type-1/2/3 --> D(EUF-CMA-sec of BLS);

Note that the notion of type-1/2/3 pairing was only introduced in 2008 [GPS08], a few years after the journal version of the BLS paper [BLS04]. For more discussion about type-2/type-3 pairings and the consequences of an efficiently computable isomorphism $\psi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ in security proofs of pairing-based schemes, see [SV07], [CHKM10], and [CM09].

Signature Aggregation

BLS signatures have a handy property: they can be aggregated non-interactively [BGLS03]. This means that given $n$ signature ${\sigma }_i$ for respective public key/message pairs $(p{k}_i,m_i),$ $0\le i\le n-1,$ it is possible to compute a compact aggregate signature $\sigma$ (of size similar to the one of a single signature) that proves that message $m_i$ was signed by the owner of public key $p{k}_i$ for every $i\in \{0,\dots ,n-1\}$ (exactly as the tuple $({\sigma }_0,\dots ,{\sigma }_{n-1})$ would).

To turn BLS into an aggregate signature scheme, the aggregate signature for a tuple $(S_0,\dots ,S_{n-1})\in {\mathbb{G}}_1^n$ of $n$ signatures is simply defined as the sum of all signatures $S_i:$ $$S:=\sum _{i=0}^{n-1}{S}_i.$$ Note that aggregation can be performed "publicly" by an untrusted party different from all signers. It can also be performed "incrementally", meaning new signatures can be aggregated to an aggregate signature. One can even aggregate aggregate signatures (sic). The only requirement is to keep track of all public key/message pairs the signatures of which have been aggregated.

Given $n$ public key/message pairs $(X_i,m_i),$ $0\le i\le n-1,$ an aggregate signature $S$ is valid for these $n$ pairs if $$e(S,G_2)=\prod _{i=0}^{n-1}e(H(m_i),X_i).\text{\hspace{1em}(17.2)}$$ Even though the size of the aggregate signature is $O(1),$ the complexity of verification still scales linearly with the number of signatures. Correctness of the scheme can be verified similarly to standard BLS signatures.

The EUF-CMA security notion can easily be adapted to aggregate signature schemes: no polynomial-time adversary, being given a target public key $p{k}^{\ast }$ and having access to a standard signature oracle for the corresponding secret key $s{k}^{\ast }$ (i.e., returning non-aggregate signatures), should be able to return an $n$-tuple of public key/message pairs $((p{k}_0,m_0),\dots ,(p{k}_{n-1},m_{n-1}))$ and an aggregate signature $\sigma$ such that:

• $p{k}_i=p{k}^{\ast }$ for some $i\in \{0,\dots ,n-1\},$
• $m_i$ was not queried to the signature oracle,
• $\sigma$ is valid for the tuple $((p{k}_0,m_0),\dots ,(p{k}_{n-1},m_{n-1})).$

Note that the adversary can choose extra public keys $p{k}_j$ as it wishes, in particular as a function of the target public key $p{k}^{\ast }.$

BLS aggregate signatures are provably EUF-CMA-secure assuming hardness of the $\psi$-co-CDH problem and modeling the hash function $H$ as a random oracle. There is one caveat though: messages must be distinct, otherwise a so-called rogue key attack is possible. To see why, say the adversary is given a target public key $X^{\ast }\in {\mathbb{G}}_2.$ Then it can draw $y{\leftarrow }_{\$}{\mathbb{Z}}_r$ and compute a second public key $X^{\prime }:=y{G}_2-X^{\ast }.$ Now, for any message $m,$ the adversary can compute a forgery for the pair $((X^{\ast },m),(X^{\prime },m))$ as $S:=yH(m).$ This forgery satisfies the verification equation as $$\begin{array}{rl}e(H(m),X^{\ast })\cdot e(H(m),X^{\prime })& =e(H(m),X^{\ast })\cdot e(H(m),y{G}_2-X^{\ast })\\ & =e(H(m),X^{\ast }+y{G}_2-X^{\ast })\\ & =e(H(m),y{G}_2)\\ & =e(yH(m),G_2)\\ & =e(S,G_2).\end{array}$$

Note that the adversary does not know the secret key $y-x^{\ast }$ corresponding to public key $X^{\prime }=y{G}_2-X^{\ast },$ hence the name "rogue key attack".

A simple fix against this attack is simply to prepend the public key to the message in the hash function, meaning a signature on message $m$ for secret/public key pair $(x,X)$ is redefined as $$S:=xH(X\Vert m).$$ Then, the condition that messages should be different can safely be lifted [BNN07].

This, however, precludes an interesting optimization of the verification in case all messages are equal.² Indeed, when $m_0=m_1=\cdots =m_{n-1}=m,$ Eq. (17.2) simplifies to $$e(S,G_2)=e(H(m),{\sum }_{i=0}^{n-1}{X}_i).\text{\hspace{1em}(17.3)}$$ Hence, on the right hand-side, instead of a product of $n$ pairings, we now have to compute a single pairing applied to a sum of $n$ elliptic curve points, which can be computed more efficiently.

In order to be able to use (17.3) for verification when messages are equal, a different fix can be used to thwart rogue key attacks. Namely, each user must provide a proof of possession (PoP) of the secret key associated with his public key. The notion of PoP is somewhat informal as, to the best of my knowledge, there is not rigorous definition of the security properties it should have. The idea is that it should demonstrate that the user has access to the functionality associated with his public key, namely signing. Hence, a simple PoP consists of the user signing its own public key, $\pi :=x{H}^{\prime }(X).$ Intuitively, this makes sense since in a rogue key attack, the adversary cannot compute the secret key associated with the rogue public key (which it computes as a function of the target public key). This solution was proved secure assuming the hash function used for the PoP is different from the hash function used for actual message signing, which can be achieved from a single hash function by enforcing domain separation [RY07].

A Note about Non-Repudiation

Non-repudiation is often presented as a logical consequence of existential unforgeability (if no one except Alice can produce a valid signature on message $m,$ and a valid signature on message $m$ is presented to a judge, the judge should conclude that Alice actually did sign message $m).$ But what if Alice was able to choose her secret/public key pair $(sk,pk)$ in a way that allows her to find two messages $m$ and $m^{\prime }$ and a signature $\sigma$ which is valid for both messages, i.e., $$\mathsf{Verif}(pk,m,\sigma )=\mathsf{Verif}(pk,m^{\prime },\sigma )=1.\text{\hspace{1em}(17.4)}$$ Then, confronted by the judge with a valid signature $\sigma$ for message $m,$ Alice could claim that she has in fact signed $m^{\prime }$ instead. Hence, non-repudiation should rather be seen as the combination of existential unforgeability with a second security notion, often called message biding in the literature, which demands that no malicious user be able to generate a public key $pk,$ two messages $m$ and $m^{\prime },$ and a signature $\sigma$ such that $m\ne m^{\prime }$ and (17.4) holds.

It is easy to see that standard BLS signatures are message binding if $H$ is collision-resistant. Things are more subtle though when considering aggregate signatures [Qua21]. In particular, if $t\ge 2$ users collide (or if a single malicious user controls $t\ge 2$ public keys), they can arrange to choose their public keys $X_0,\dots ,X_{t-1}$ such that $$X_0+\cdots +X_{t-1}=0.$$ Then, in the PoP-based variant of the scheme where Eq. (17.3) is used for verification, $S=0$ is a valid signature for any message $m:$ the scheme is not message binding. Note that checking that $S\ne 0$ in the verification algorithm does not thwart the attack as $S$ can be further aggregated with other valid signatures $S_t,\dots ,S_{n-1}$ for arbitrary public key/message pairs $(X_t,m_t),$ $\dots ,$ $(X_{n-1},m_{n-1}),$ resulting in an aggregate signature $S^{\prime }\ne 0$ which still does not bound signers $0,\dots t-1$ to a specific message.

Further Topics to Cover

• BLS multi-signatures [BDN18]
• BLS threshold signatures [BL22]
• use of BLS signatures in the Ethereum beacon chain

---

1: Somehow confusingly, recent papers tend to use the name co-CDH for what we call co-CDH${}^{\ast }$ here.

2: The setting where all users sign the exact same message requires a primitive slightly different from an aggregate signature scheme called a multisignature scheme.

Chapter status: ✅ in good shape ✅

Related puzzles: Puzzle 1

TODO:

Commitment Schemes

This section contains a brief introduction to commitment schemes, focusing on Pedersen commitments.

Contents

• Generalities
  • Syntax
  • Security
  • Homomorphic Commitments
• Pedersen Commitments
  • Description and Security
  • A Note About the Setup
  • Variants
• ElGamal Commitments
• Commitments and Hash Functions
• Further Resources

Generalities

A commitment scheme involves two parties, a committer (or prover) and a verifier. It allows the committer to send to the verifier a commitment $C$ to some secret value $m$ and later on to open this commitment to reveal $m.$ The commitment $C$ should not reveal any information about the message $m$ (hiding property) and the committer should not be able to open a commitment in two distinct ways (binding property).

For a physical analogy, imagine the committer as writing the message $m$ on a piece of paper and placing it in an opaque, unbreakable, locked box which he sends to the verifier. At this point, the verifier cannot learn anything about the message and the committer cannot modify the message. Later, when the committer wants to open the commitment, he sends the key opening the box to the verifier to reveal the message.

Syntax

More formally, a commitment scheme consists of three algorithms (the exact syntax can vary slightly in the literature):

• a probabilistic setup algorithm $\mathsf{Setup}$ which on input the security parameter $1^{\lambda }$ returns public parameters¹ $par$ which in particular specify a message space ${\mathcal{M}}_{par}$ (in the following, we simply denote the message space $\mathcal{M},$ leaving the dependency on $par$ implicit);
• a probabilistic commitment algorithm $\mathsf{Commit}$ which on input parameters $par$ and a message $m\in \mathcal{M}$ returns a commitment $C$ and a decommitment² $D;$
• a deterministic verification algorithm $\mathsf{Verif}$ which on input parameters $par,$ a commitment $C,$ a message $m\in \mathcal{M},$ and a decommitment $D,$ return 1 if the decommitment is valid for $(par,C,m)$ and 0 otherwise.

Quite often, the decommitment $D$ simply consists of the random coins $r$ used by the commitment algorithm, and the verification algorithm simply recomputes the commitment given $m$ and $r$ and compares with $C.$ When this is the case, we say that the commitment scheme has canonical verification and, overloading the notation, we let $\mathsf{Commit}(par,m;r)$ denote the function explicitly taking the random coins $r$ of the commitment algorithm as input and returning the commitment $C$ (letting the decommitment $D=r$ implicit in that case).

Note that what we just defined here is the syntax for a non-interactive commitment scheme, where the $\mathsf{Setup}$ algorithm is run once and for all and committing consists of a single message sent by the prover to the verifier. There exists more complex commitment schemes where committing requires some interaction between the prover and the verifier.

Correctness requires that for every security parameter $\lambda ,$ the following game capturing the nominal execution of algorithms returns true with probability 1:

$$\boxed{\begin{array}{rl}& par\leftarrow \mathsf{Setup}(1^{\lambda })\\ & m{\leftarrow }_{\$}\mathcal{M}\\ & (C,D)\leftarrow \mathsf{Commit}(par,m)\\ & b\leftarrow \mathsf{Verif}(par,C,m,D)\\ & \mathbf{assert}(b=1)\end{array}}$$

Security

A commitment scheme should satisfy two security properties informally defined as follows:

• hiding: the commitment $C$ should not reveal any information about the secret value $m$ to the verifier,
• binding: the committer should not be able to open the commitment in two different ways.

Let us formalize these two properties more precisely, starting with hiding, defined by the following game:

$$\boxed{\begin{array}{ll}\begin{array}{l}\text{Game HIDING:}\\ b{\leftarrow }_{\$}\{0,1\}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ b^{\prime }\leftarrow {\mathsf{A}}^{\text{Commit}}(par)\\ \mathbf{assert}(b=b^{\prime })\end{array}& \begin{array}{l}\text{Oracle Commit(m0,m1):}\\ \mathbf{assert}(m_0\in \mathcal{M})\\ \mathbf{assert}(m_1\in \mathcal{M})\\ (C,D)\leftarrow \mathsf{Commit}(par,m_b)\\ \mathbf{return}C\end{array}\end{array}}$$

In some cases, it might be necessary to check additional conditions and messages $m_0$ and $m_1$ queried to oracle $\text{Commit}$ (e.g., when $\mathcal{M}$ consists of bit strings of various lengths and $\mathsf{Commit}$ does not hide the message length, $m_0$ and $m_1$ should have the same length).

Binding is defined by the following game:

$$\boxed{\begin{array}{lc}\text{Game BINDING:}& \\ par\leftarrow \mathsf{Setup}(1^{\lambda })& \\ (C,m,D,m^{\prime },D^{\prime })\leftarrow \mathsf{A}(par)& \\ b\leftarrow \mathsf{Verif}(par,C,m,D)& \\ b^{\prime }\leftarrow \mathsf{Verif}(par,C,m^{\prime },D^{\prime })& \\ \mathbf{assert}(m\ne m^{\prime })& \\ \mathbf{assert}(b=1)& \\ \mathbf{assert}(b^{\prime }=1)& \end{array}}$$

For some commitment schemes, one of these two properties holds statistically (i.e., cannot be broken with non-negligible advantage even by a computationally unbounded adversary) or even perfectly. However, a commitment scheme cannot be both statistically hiding and statistically binding at the same time. Hence, at best, a commitment scheme can be either statistically hiding and computationally binding or computationally hiding and statistically binding.

Homomorphic Commitments

Informally, a commitment scheme is homomorphic if the message space $\mathcal{M}$ equipped with some binary operation $\star$ forms a group and given two commitments $C_1$ and $C_2$ to respectively $m_1$ and $m_2,$ anyone can compute a commitment $C$ that the committer can open to $m_1\star m_2.$

More formally, a commitment scheme is homomorphic (with respect to group operation $\star )$ if there exists two algorithms $\mathsf{HomCom}$ and $\mathsf{HomDecom}$ such that

• $\mathsf{HomCom}$ takes parameters $par$ and two commitments $C_1$ and $C_2$ and returns a commitment $C;$
• $\mathsf{HomDecom}$ takes parameters $par$ and two decommitments $D_1$ and $D_2$ and returns a decommitment $D;$
• for any security parameter $\lambda ,$ the following game returns true with probability 1: $$\boxed{\begin{array}{rl}& par\leftarrow \mathsf{Setup}(1^{\lambda })\\ & m_1,m_2{\leftarrow }_{\$}\mathcal{M}\\ & (C_1,D_1)\leftarrow \mathsf{Commit}(par,m_1)\\ & (C_2,D_2)\leftarrow \mathsf{Commit}(par,m_2)\\ & C\leftarrow \mathsf{HomCom}(par,C_1,C_2)\\ & D\leftarrow \mathsf{HomDecom}(par,D_1,D_2)\\ & b\leftarrow \mathsf{Verif}(par,C,m_1\star m_2,D)\\ & \mathbf{assert}(b=1)\end{array}}$$

Algorithms $\mathsf{HomCom}$ and $\mathsf{HomDecom}$ are often quite simple (e.g., when the commitment and decommitment spaces also have a group structure, they simply consist in applying the corresponding group operation to $C_1$ and $C_2$ or $D_1$ and $D_2$ respectively).

Pedersen Commitments

Description and Security

The Pedersen commitment scheme, initially introduced in [Ped91], is widely used, in particular to build zero-knowledge proof systems. It is specified as follows. Let $\mathsf{GroupSetup}$ be a group setup algorithm. Then:

• the setup algorithm $\mathsf{Setup},$ on input $1^{\lambda },$ runs $(\mathbb{G},p)\leftarrow \mathsf{GroupSetup}(1^{\lambda }),$ draws two random generators $G$ and $H$ of $\mathbb{G},$ and returns parameters $par=(\mathbb{G},p,G,H);$ the message space is $\mathcal{M}={\mathbb{Z}}_p;$

• the commitment algorithm $\mathsf{Commit},$ on input parameters $par=(\mathbb{G},p,G,H)$ and a message $m\in {\mathbb{Z}}_p,$ draws $r{\leftarrow }_{\$}{\mathbb{Z}}_p$ and returns a commitment $C=mG+rH$ and a decommitment $D=r;$

• the verification algorithm $\mathsf{Verif},$ on input parameters $par=(\mathbb{G},p,G,H),$ a commitment $C\in \mathbb{G},$ a message $m\in {\mathbb{Z}}_p,$ and a decommitment $D=r\in {\mathbb{Z}}_p,$ returns 1 if $mG+rH=C$ and 0 otherwise.

Theorem 18.1. The Pedersen commitment scheme is perfectly hiding, computationally binding under the discrete logarithm assumption, and homomorphic with respect to addition over ${\mathbb{Z}}_p.$

Proof

Let us sketch the proof of each property:

• perfectly hiding: as $r$ is uniformly random in ${\mathbb{Z}}_p,$ for any message $m,$ $C$ is uniformly random in $\mathbb{G}$ and hence does not reveal any information about $m;$
• computationally binding: assume an adversary can output two message/decommitment pairs $(m,r)$ and $(m^{\prime },r^{\prime })$ with $m\ne m^{\prime }$ for the same commitment $C;$ then $$(m-m^{\prime })G=(r^{\prime }-r)H,$$ which yields the discrete logarithm of $H$ in base $G$ (note that $m-m^{\prime }\ne 0$ implies $r^{\prime }-r\ne 0$ as $G$ and $H$ are generators of $\mathbb{G});$
• additively homomorphic: given two commitments $C_1=m_{1}G+r_{1}H$ and $C_2=m_{2}G+r_{2}H,$ anyone can compute $C:=C_1+C_2=(m_1+m_2)G+(r_1+r_2)H,$ and the committer can compute $r_1+r_2$ which is a valid decommitment for $C$ and message $m_1+m_2.$

A Note About the Setup

Importantly, the setup algorithm should ensure that nobody knows the discrete logarithm of $H$ in base $G.$ In particular, it is not safe to allow the committer to choose the public parameters: if the committer knows the discrete logarithm of $H$ in base $G,$ then the scheme is not binding anymore. Say the committer knows $h$ such that $H=hG.$ Then it can send $C=cG$ as commitment; later, it can open this commitment to any value $m\in {\mathbb{Z}}_p$ it wants by computing $r=h^{-1}(c-m)\mathrm{mod}p$ and sending decommitment $D=(m,r):$ it satisfies $mG+rH=(m+rh)G=cG=C.$

For this reason, Pedersen's scheme is sometimes referred to as a trapdoor (or equivocal) commitment scheme, which can be useful in security proofs but should also make us wary. However, there are secure ways to select the commitment key without a trusted third party, such as using a hash-to-group function (a.k.a. hash-to-curve function in case $\mathbb{G}$ is based on an elliptic curve) applied to some NUMS (nothing-up-my-sleeve) input. Hence, even though Pedersen commitments do not require a trusted setup, one should always verify that parameters were correctly generated. For a real-world example where this trapdoor property could have been used, see Section VI of [HLPT20] about the Scytl/SwissPost e-voting system.

Variants

The Pedersen commitment scheme can be generalized to messages which are vectors $\mathbf{m}=(m_0,\dots ,m_{n-1})\in ({\mathbb{Z}}_p{)}^n:$ the parameters are extended to $par=(\mathbb{G},p,G_0,\dots ,G_{n-1},H)$ where $G_0,\dots ,G_{n-1},$ and $H$ are uniformly random and independent generators of $\mathbb{G},$ and the commitment for message $\mathbf{m}=(m_0,\dots ,m_{n-1})$ with randomness $r$ is $$C:=\sum _{i=0}^{n-1}{m}_i{G}_i+rH.$$ This is usually called the generalized Pedersen commitment scheme, or sometimes the Pedersen vector commitment scheme, although this is somehow a misnomer as it does not have all the properties required from a vector commitment scheme [CF13]. As for the basic variant, it can be shown to be perfectly hiding, computationally binding under the DL assumption, and homomorphic with respect to addition over $({\mathbb{Z}}_p{)}^n.$

The "random" part of the commitment $rH$ is sometimes omitted, in which case the commitment algorithm becomes deterministic and the commitment is simply $$C:=\sum _{i=0}^{n-1}{m}_i{G}_i.$$ In that case, the scheme is still computationally binding under the DL assumption (and even perfectly binding for $n=1$ as the commitment function is bijective), but it is not hiding anymore (given two messages ${\mathbf{m}}_0$ and ${\mathbf{m}}_1$ and a commitment $C$ to ${\mathbf{m}}_b$ for some random bit $b,$ one can recover $b$ by simply computing the commitments corresponding to respectively ${\mathbf{m}}_0$ and ${\mathbf{m}}_1$ and comparing with $C).$ For this reason, it is sometimes referred to as the non-hiding Pedersen commitment scheme. It is however preimage-resistant under the DL assumption, meaning that given a random commitment $C\in \mathbb{G},$ it is hard to compute a message $\mathbf{m}$ such that $\mathsf{Commit}(par,\mathbf{m})=C.$

ElGamal Commitments

The Pedersen commitments scheme has a relative known as the ElGamal commitment scheme where the commitment key $ck$ is $(\mathbb{G},p,G,H)$ as for Pedersen and the commitment for message $m\in {\mathbb{Z}}_p$ with randomness $r{\leftarrow }_{\$}{\mathbb{Z}}_p$ is the pair $(C_1,C_2)=(rG,mG+rH).$ (Note the similarity with ElGamal encryption w.r.t. public key $H.$) This scheme is perfectly binding, computationally hiding under the DDH assumption, and additively homomorphic.

If the message is encoded as a group element $M\in \mathbb{G}$ and the commitment computed as $(C_1,C_2)=(rG,M+rH),$ the scheme has a trapdoor property allowing anyone with knowledge of the discrete logarithm $h$ of $H$ in base $G$ to extract the message $M$ (by "decrypting" the commitment as in ElGamal encryption, i.e., computing $M=C_2-h{C}_1).$

Commitments and Hash Functions

There is a strong connection between commitment schemes and collision-resistant hash functions.

First, let us consider the following strengthening of the binding property: We say that a commitment scheme if strongly binding if it is hard to find a commitment $C$ and two distinct message-decommitment pairs $(m,D)$ and $(m^{\prime },D^{\prime })$ such that $\mathsf{Verif}(par,C,m,D)=1$ and $\mathsf{Verif}(par,C,m^{\prime },D^{\prime })=1.$ That is, the adversary wins also when the messages $m$ and $m^{\prime }$ are equal but the decommitments $D$ and $D^{\prime }$ are different.

Given a hash function family $H_{par}:\{0,1{\}}^{\ast }\to \{0,1{\}}^{2\lambda }$ indexed by some parameter $par,$ one can define a simple commitment scheme with $$\mathsf{Commit}(par,m;r):=H_{par}(m\Vert r)$$ where $r{\leftarrow }_{\$}\{0,1{\}}^{\lambda }.$ It can be shown to be (computationally) strongly binding assuming the family $(H_{par})$ is collision-resistant. On the other hand, there is no reason for this scheme to be hiding in general ($H$ could for example reveal the first bit of the message, allowing to distinguish commitments to two messages with distinct first bits). It is however easily seen to be (computationally) hiding in the random oracle model.

Reciprocally, it is straightforward to derive a collision-resistant hash function family from a strongly binding commitment scheme.

Proposition 18.1. Consider a commitment scheme $\Pi$ with a $\mathsf{Commit}$ function taking parameters $par,$ a message $m\in \mathcal{M},$ and explicit random coins $r\in \mathcal{R}.$ If $\Pi$ is strongly binding, then the function family $$H_{par}:(m,r)\mapsto \mathsf{Commit}(par,m;r)$$ is collision-resistant.

Proof

Assume that $H$ is not collision-resistant and that there is an adversary which on input $par$ returns $(m,r)\ne (m^{\prime },r^{\prime })$ such that $H_{par}(m,r)=H_{par}(m^{\prime },r^{\prime }).$ Let $C:=H_{par}(m,r)=H_{par}(m^{\prime },r^{\prime }).$ Then $\mathsf{Verif}(par,C,m,r)=\mathsf{Verif}(par,C,m^{\prime },r^{\prime })=1,$ hence this adversary can be used to break strong binding of $\Pi .$

Note that the assumption that $\Pi$ is binding is not sufficient: it could be easy to find $(m,r)\ne (m^{\prime },r^{\prime })$ such that $\mathsf{Commit}(par,m;r)=\mathsf{Commit}(par,m^{\prime };r^{\prime })$ but with $m=m^{\prime },$ which would break collision-resistance but not binding.

It is not hard to see that the Pedersen commitment scheme is actually strongly binding, which directly gives an algebraic family of collision-resistant hash functions usually called Pedersen hashing. A specific instance of the family is specified by a tuple of parameters $par=(\mathbb{G},p,G_0,\dots ,G_{n-1})$ where $n\ge 2,$ $\mathbb{G}$ is a cyclic group of order $p,$ and $G_0,\dots ,G_{n-1}$ are generators chosen in a way such that nobody knows any discrete logarithm relation between them. Then $H_{par}$ has domain $({\mathbb{Z}}_p{)}^n,$ range $\mathbb{G},$ and is defined by $$H_{par}(m_0,\dots ,m_{n-1})=\sum _{i=0}^{n-1}{m}_i{G}_i.$$ (Note that in the context of hashing, there is no distinction between the "message" and the "randomness" as in the context of commitment schemes.)

This family of hash functions is collision-resistant assuming the discrete logarithm problem is hard.

Variants are possible: for example, if inputs are bit strings of length exactly $L,$ one can split the input $m$ into chunks of $w$ consecutive bits with $2^w\le p$ and $L=nw,$ convert the $i$-th chunk into an integer $m_i,$ and let $H_{par}(m)={\sum }_{i=0}^{n-1}{m}_i{G}_i.$

Further Resources

For more background on commitment schemes, see for example this article by Damgård and Nielsen and this lecture by Dodis.

---

1: The name can vary; these parameters are sometimes called a commitment key or a public key.

2: Again, the name can vary and it is sometimes called an opening or a hint.

Chapter status: ✅ in good shape ✅

Related puzzles: Puzzle 2 and Puzzle 4

TODO:

• cover Kohrita-Towa variant
• batch proofs for multiple polynomials [GWC19] [BDFG20]
• multivariate polynomials [PST13]
• degree-checks

Polynomial Commitment Schemes

Polynomial commitment schemes play a central role in the design of zk-SNARKs. In this section, we introduce them and present the two KZG schemes, DL-KZG and Ped-KZG.

Make sure to read the chapters about polynomials and standard commitments first.

We recall that given a field $\mathbb{F},$ we let ${\mathbb{F}}_{}^{(\le d)}[X]$ denote the set of all univariate polynomials over $\mathbb{F}$ of degree at most $d.$

Contents

• Generalities
  • Syntax
  • Security
• Informal Description of the KZG Schemes
• The DL-KZG Scheme
  • Description
  • Hiding Security
  • Binding Security
• The Ped-KZG Scheme
  • Description
  • Hiding Security
  • Binding Security
• Discussion
  • Efficiency
  • Trusted Setup
  • Summary of KZG Properties
• Multi-evaluation Proofs
  • Syntax and Security Definition
  • KZG with Multi-evaluation Proofs: Description
  • Security Proof
• A Practical Use Case
• Additional Resources

Generalities

As standard commitment schemes, a polynomial commitment scheme (PC scheme for short) involves two parties, a committer (or prover) and a verifier. It allows the committer to send to the verifier a commitment $C$ to some secret polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X]$ and later on prove that $p$ evaluates to some specific value $v\in \mathbb{F}$ at input $u\in \mathbb{F}$ (usually of the verifier's choosing), potentially for multiple inputs.

Recall that a polynomial of degree at most $d$ is specified by the tuple $\mathbf{a}=(a_0,\dots ,a_d)\in {\mathbb{F}}^{d+1}$ of coefficients such that $p(X)={\sum }_{i=0}^d{a}_i{X}^i.$ From a broader perspective, a PC scheme can be seen as the combination of a standard commitment scheme over ${\mathbb{F}}^{d+1}$ together with various proof systems for proving assertions about the committed vector $\mathbf{a}.$ In particular, proving that $p(u)=v$ is equivalent to proving that $$\sum _{i=0}^d{a}_i{u}^i=v$$ i.e., proving that the inner product of $\mathbf{a}$ with the vector $(1,u,u^2,\dots ,u^d)$ is equal to $v.$ Other assertions one may want to prove when designing SNARKs are, for example, that $p$ has degree at most $d^{\prime }<d,$ which is equivalent to $a_{d^{\prime }+1}=\cdots =a_d=0,$ or more complex relations about evaluations of $p$ such as ${\sum }_{u\in \mathcal{U}}p(u)=0$ for some subset $\mathcal{U}\subset \mathbb{F}.$

Syntax

More formally, a PC scheme is parameterized by a maximal degree $d\in \mathbb{N}$ (one can think of $d$ as being given as input to all algorithms) and consists of the five following algorithms (the exact syntax can vary slightly in the literature, here we adhere to the syntax of standard commitment schemes):

• a setup algorithm $\mathsf{Setup}$ which on input the security parameter $1^{\lambda }$ returns public parameters¹ $par;$ these parameters implicitly specify some finite field $\mathbb{F};$

• a commitment algorithm $\mathsf{Commit}$ which on input parameters $par$ and a polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X]$ returns a commitment $C$ and a decommitment $D;$

• a "polynomial" verification algorithm $\mathsf{PolyVerif}$ which on input parameters $par,$ a commitment $C,$ a polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ and a decommitment $D,$ returns 1 if $D$ is a valid decommitment for $(par,C,p)$ and 0 otherwise;

• a proving algorithm $\mathsf{EvalProve}$ which on input parameters $par,$ a polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ a decommitment $D,$ and a value $u\in \mathbb{F}$ returns an evaluation $v\in \mathbb{F}$ and a proof $\Pi ;$

• an "evaluation" verification algorithm $\mathsf{EvalVerif}$ which on input parameters $par,$ a commitment $C,$ a pair $(u,v)\in {\mathbb{F}}^2,$ and a proof $\Pi ,$ returns 1 if $\Pi$ is a valid proof that the polynomial committed to by $C$ evaluates to $v$ at input $u,$ and 0 otherwise.

In some cases (in particular for KZG), it might be possible to split the public parameters $par$ into a commitment key $ck$ and a verification key $vk,$ where typically only $ck$ is needed for algorithms $\mathsf{Commit},$ $\mathsf{PolyVerif},$ and $\mathsf{EvalProve}$ and only $vk$ is needed for $\mathsf{EvalVerif}.$

As already hinted, the three algorithms $\mathsf{Setup},$ $\mathsf{Commit},$ and $\mathsf{PolyVerif}$ can be regarded together as a standard commitment scheme with message space ${\mathbb{F}}_{}^{(\le d)}[X]\cong {\mathbb{F}}^{d+1}$ (with $p$ specified by the tuple $(a_0,\dots ,a_d)\in {\mathbb{F}}^{d+1}$ of its coefficients) while $\mathsf{EvalProve}$ and $\mathsf{EvalVerif}$ together form a proof system for statements of the form $p(u)=v.$

As for standard commitment schemes, what we just defined here is the syntax for a non-interactive PC scheme, where the $\mathsf{Setup}$ algorithm is run once and for all and then committing and proving an evaluation of the committed polynomial is non-interactive. More generally, committing and evaluation proving could be interactive.

As always, the scheme must be correct, meaning two things: first, $(\mathsf{Setup},\mathsf{Commit},\mathsf{PolyVerif})$ must be correct as defined for a standard commitment scheme with message space ${\mathbb{F}}^{d+1};$ second, for every security parameter $\lambda ,$ every $d\in \mathbb{N},$ every $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ and every $u\in \mathbb{F},$ the following game capturing the nominal execution of algorithms for evaluation proving must return true with probability 1:

$$\boxed{\begin{array}{rl}& par\leftarrow \mathsf{Setup}(1^{\lambda })\\ & (C,D)\leftarrow \mathsf{Commit}(par,p)\\ & (v,\Pi )\leftarrow \mathsf{EvalProve}(par,p,D,u)\\ & b\leftarrow \mathsf{EvalVerif}(par,C,(u,v),\Pi )\\ & \mathbf{assert}(b=1)\end{array}}$$

Security

Defining security properties for PC schemes is rather subtle. Almost every paper about PC schemes define slightly different sets of security properties depending on the specific application being targeted. Here, we focus on the security properties proposed in the seminal paper about PC schemes [KZG10a], which are also the simplest ones.

First, a PC scheme should be hiding and binding in the standard sense when seen as a commitment to the tuple of coefficients $(a_0,\dots ,a_d)\in {\mathbb{F}}^{d+1}$ defining the polynomial $p.$ Let us the recall the corresponding games, that we call POLY-HIDING and POLY-BINDING for clarity:

$$\boxed{\begin{array}{cc}\begin{array}{l}\text{Game POLY-HIDING:}\\ b{\leftarrow }_{\$}\{0,1\}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ b^{\prime }\leftarrow {\mathsf{A}}^{\text{Commit}}(par)\\ \mathbf{assert}(b=b^{\prime })\end{array}& \begin{array}{l}\text{Oracle Commit(p0,p1):}\\ \mathbf{assert}(\mathrm{deg}(p_0)\le d)\\ \mathbf{assert}(\mathrm{deg}(p_1)\le d)\\ (C,D)\leftarrow \mathsf{Commit}(par,p_b)\\ \mathbf{return}C\end{array}\end{array}}$$

$$\boxed{\begin{array}{l}\text{Game POLY-BINDING:}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ (C,p,D,p^{\prime },D^{\prime })\leftarrow \mathsf{A}(par)\\ \mathbf{assert}(\mathrm{deg}(p)\le d)\wedge (\mathrm{deg}(p^{\prime })\le d)\\ b\leftarrow \mathsf{PolyVerif}(par,C,p,D)\\ b^{\prime }\leftarrow \mathsf{PolyVerif}(par,C,p^{\prime },D^{\prime })\\ \mathbf{assert}(p\ne p^{\prime })\\ \mathbf{assert}(b=1)\\ \mathbf{assert}(b^{\prime }=1)\end{array}}$$

It turns out that some PC schemes (such as the DL-KZG scheme) do not satisfy the poly-hiding notion (in general, when used to construct SNARKs, poly-hiding matters only if one cares about the SNARK being zero-knowledge). However, they satisfy what we call here evaluation hiding,² which informally means that for a random polynomial $p$ of degree at most $d,$ given a commitment to $p$ and at most $d$ evaluations of $p$ together with the corresponding proofs, no adversary should be able to guess the value of $p(u)$ for a new input $u.$ This is formalized by the following game:

$$\boxed{\begin{array}{cc}\begin{array}{l}\text{Game EVAL-HIDING:}\\ p(X){\leftarrow }_{\$}{\mathbb{F}}_{}^{(\le d)}[X]\\ ctr\leftarrow 0\\ \mathcal{Q}\leftarrow \varnothing \\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ (C,D)\leftarrow \mathsf{Commit}(par,p)\\ (u,v)\leftarrow {\mathsf{A}}^{\text{Prove}}(par,C)\\ \mathbf{assert}(ctr\le d)\\ \mathbf{assert}(u\notin \mathcal{Q})\\ \mathbf{assert}(p(u)=v)\end{array}& \begin{array}{l}\text{Oracle Prove(u):}\\ (v,\Pi )\leftarrow \mathsf{EvalProve}(par,p,D,u)\\ ctr\leftarrow ctr+1\\ \mathcal{Q}\leftarrow \mathcal{Q}\cup \{u\}\\ \mathbf{return}(v,\Pi )\\ \\ \\ \\ \\ \end{array}\end{array}}$$

To be completely explicit, the line $$p(X){\leftarrow }_{\$}{\mathbb{F}}_{}^{(\le d)}[X]$$ means $$\begin{array}{rl}& a_0,\dots ,a_d{\leftarrow }_{\$}\mathbb{F}\\ & p(X):=\sum _{i=0}^d{a}_i{X}^i.\end{array}$$

The condition that the adversary makes at most $d$ queries to the $\text{Prove}$ oracle is of course necessary: once the commitment has been opened at $d+1$ distinct points $u_0,$ $\dots ,$ $u_d,$ the committed polynomial has been completely revealed by virtue of Lagrange interpolation.

Regarding the binding property of evaluation proving, a PC scheme should be evaluation binding, meaning no efficient adversary can produce a commitment and two valid proofs that the committed polynomial evaluates to two different values $v\ne v^{\prime }$ at the same input $u.$ More formally, this is captured by the following game:

$$\boxed{\begin{array}{l}\text{Game EVAL-BINDING:}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ (C,u,(v,\Pi ),(v^{\prime },{\Pi }^{\prime }))\leftarrow \mathsf{A}(par)\\ b\leftarrow \mathsf{EvalVerif}(par,C,(u,v),\Pi )\\ b^{\prime }\leftarrow \mathsf{EvalVerif}(par,C,(u,v^{\prime }),{\Pi }^{\prime })\\ \mathbf{assert}(v\ne v^{\prime })\\ \mathbf{assert}(b=1)\\ \mathbf{assert}(b^{\prime }=1)\end{array}}$$

As for standard commitments, all these properties can hold statistically or computationally, but poly-hiding and poly-binding cannot hold both statistically for a PC scheme.

Informal Description of the KZG Schemes

Two closely related and very efficient PC schemes based on pairings were proposed by Kate, Zaverucha, and Goldberg in 2010 [KZG10a] (see also [KZG10b] for the full paper with security proofs). We will call them (for reasons that will become clear soon) DL-KZG and Ped-KZG. What is usually simply called KZG corresponds to the DL-KZG scheme.

Let us start with a high-level view of DL-KZG. For a maximal degree $d,$ the commitment and opening part is very similar to the (non-hiding version of the) generalized Pedersen commitment scheme. The public parameters consist of $d+1$ generators $(W_0,\dots ,W_d)$ of some group ${\mathbb{G}}_1$ of prime order $r.$ A polynomial $p(X)={\sum }_{i=0}^d{a}_i{X}^i$ is seen as a vector $(a_0,\dots ,a_d)\in ({\mathbb{F}}_r{)}^{d+1}$ and the corresponding commitment is $$C:=\sum _{i=0}^d{a}_i{W}_i.$$ There is a big difference though with generalized Pedersen commitments: the generators $W_0,\dots ,W_d$ are not independent. They are computed from a single generator $G_1\in {\mathbb{G}}_1$ and a secret random scalar $\tau \in {\mathbb{F}}_r$ as $$(W_0,W_1,\dots ,W_d)=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1).$$ These parameters have a precise structure. For this reason, they are also called a structured reference string (SRS). This also implies that they cannot be sampled obliviously of $\tau$ and require a trusted setup (more on this later).

As a result, the commitment $C$ is actually $p(\tau )$ in disguise: $$C=\sum _{i=0}^d{a}_i({\tau }^i{G}_1)=\left(\sum _{i=0}^d{a}_i{\tau }^i\right)G_1=p(\tau )G_1.$$

Evaluation proving relies on the polynomial remainder theorem: a polynomial $p\in \mathbb{F}[X]$ satisfies $p(u)=v$ if and only if $p(X)-v$ is divisible by $X-u,$ i.e., there exists a polynomial $q$ such that $$p(X)-v=(X-u)q(X).$$ The proving algorithm therefore consists in computing the polynomial $q(X)={\sum }_{i=0}^d{b}_i{X}^i$ explicitly and the proof $\Pi ,$ which consists in $q(\tau )$ in disguise, as $$\Pi :=\sum _{i=0}^d{b}_i({\tau }^i{G}_1)=q(\tau )G_1.$$

Evaluating this polynomial equality at $\tau ,$ we see that $$p(\tau )-v=(\tau -u)q(\tau ).$$ The verification algorithm consists in checking this equality "in the exponent" (or rather "in the scalar multiplication" here as we use additive notation). This is where pairings comes in: ${\mathbb{G}}_1$ is actually a pairing-friendly group coming with related groups ${\mathbb{G}}_2$ and ${\mathbb{G}}_t$ and a pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_t.$ The public parameters include a generator $G_2$ of ${\mathbb{G}}_2$ and the group element $H_2=\tau G_2.$ The verifier can compute $(p(\tau )-v)G_1=C-v{G}_1$ and $(\tau -u)G_2=H_2-u{G}_2$ and also knows $\Pi =q(\tau )G_1.$ Then $p(\tau )-v=(\tau -u)q(\tau )$ holds iff the following pairing equality does: $$e(C-v{G}_1,G_2)=e(\Pi ,H_2-u{G}_2).$$

The DL-KZG commitment scheme is obviously not hiding because the commitment algorithm is deterministic. The Ped-KZG scheme remedies this problem by adding a commitment to a random polynomial $\hat{p}={\sum }_{i=0}^d{\hat{a}}_i{X}^i$ with respect to another tuple of points $(H_1,\tau H_1,\dots ,{\tau }^d{H}_1):$ $$C=\sum _{i=0}^d{a}_i({\tau }^i{G}_1)+\sum _{i=0}^d{\hat{a}}_i({\tau }^i{H}_1)=p(\tau )G_1+\hat{p}(\tau )H_1.$$ Evaluation proving is adapted accordingly. The form of the commitment $C$ is reminiscent of the (hiding version) of Pedersen commitments, explaining the naming convention.

We now give a detailed description and analysis of the properties of the DL-KZG and Ped-KZG schemes.

The DL-KZG Scheme

Description

Let $\mathsf{PairingSetup}$ be an asymmetric pairing group setup algorithm.³ The DL-KZG scheme for a maximal degree $d$ is defined as follows:

• The $\mathsf{Setup}$ algorithm, on input the security parameter $1^{\lambda },$ runs $$({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\leftarrow \mathsf{PairingSetup}(1^{\lambda }),$$ draws random generators $G_1$ and $G_2$ of respectively ${\mathbb{G}}_1$ and ${\mathbb{G}}_2,$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r,$ and returns public parameters $$par:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2)\in {\mathbb{G}}_1^{d+1}\times {\mathbb{G}}_2^2.$$ Here we assume that pairing parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ are implicitly specified in $par.$⁴ The field over which polynomials are defined is ${\mathbb{F}}_r.$ The public parameters can be split into a commitment key $$ck:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1)\in {\mathbb{G}}_1^{d+1}$$ and a verification key $$vk:=(G_1,G_2,\tau G_2)\in {\mathbb{G}}_1\times {\mathbb{G}}_2^2.$$

• The $\mathsf{Commit}$ algorithm, on input a commitment key $ck=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1)$ and a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X]$ where $p(X)={\sum }_{i=0}^d{a}_i{X}^i,$ returns the commitment $$C:=\sum _{i=0}^d{a}_i({\tau }^i{G}_1)=p(\tau )G_1$$ and an empty decommitment $D=\perp .$

• The $\mathsf{PolyVerif}$ algorithm, on input a commitment key $ck=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1),$ a commitment $C\in {\mathbb{G}}_1,$ and a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X]$ where $p(X)={\sum }_{i=0}^d{a}_i{X}^i,$ returns 1 if $C={\sum }_{i=0}^d{a}_i({\tau }^i{G}_1)$ and 0 otherwise.

• The $\mathsf{EvalProve}$ algorithm, on input a commitment key $ck=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1),$ a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X],$ and $u\in {\mathbb{F}}_r,$ computes the polynomial⁵ $$q(X):=\frac{p(X)-p(u)}{X-u}=\sum _{i=0}^d{b}_i{X}^i,$$ the group element $$\Pi :=\sum _{i=0}^d{b}_i({\tau }^i{G}_1)=q(\tau )G_1,$$ and returns $p(u)$ and the proof $\Pi .$

• The $\mathsf{EvalVerif}$ algorithm, on input a verification key $vk=(G_1,G_2,\tau G_2),$ a commitment $C,$ a pair $(u,v)\in {\mathbb{F}}_r^2,$ and a proof $\Pi ,$ returns 1 if $$e(C-v{G}_1,G_2)=e(\Pi ,\tau G_2-u{G}_2)\text{\hspace{1em}(19.1)}$$ and 0 otherwise.

It is straightforward to verify that $(\mathsf{Setup},\mathsf{Commit},\mathsf{PolyVerif})$ is correct as a standard commitment scheme. Let's check that the scheme is correct with respect to evaluation proving, i.e., if the commitment $C$ and the proof $\Pi$ have been honestly computed, then the verification passes. If $C=p(\tau )G_1$ and $\Pi =q(\tau )G_1$ where $p(X)$ and $q(X)$ are such that $$p(X)-v=(X-u)q(X),$$ then $$\begin{array}{rl}e(C-v{G}_1,G_2)& =e((p(\tau )-v)G_1,G_2)\\ & =e((\tau -u)q(\tau )G_1,G_2)\\ & =e(q(\tau )G_1,(\tau -u)G_2)\\ & =e(\Pi ,\tau G_2-u{G}_2),\end{array}$$ hence Eq. (19.1) is satisfied and $\mathsf{EvalVerif}$ returns 1.

Hiding Security

The DL-KZG scheme as described above is not poly-hiding: the commitment algorithm $\mathsf{Commit}$ is deterministic, hence, given two polynomials $p_0$ and $p_1$ and a commitment $C,$ it is trivial to distinguish whether $C$ commits to $p_0$ and $p_1$ by computing the corresponding commitments and comparing with $C.$

Regarding the eval-hiding property, note that DL-KZG cannot be statistically eval-hiding. Indeed, an unbounded adversary can compute $\tau$ from the parameters and $p(\tau )$ from the commitment and return $(\tau ,p(\tau ))$ to win the EVAL-HIDING game without making any query to the $\text{Prove}$ oracle. However, it is eval-hiding under the discrete logarithm assumption (in group ${\mathbb{G}}_1).$

Let us give the intuition before the full-fledged proof. As the committed polynomial is uniformly random in ${\mathbb{F}}_r^{(\le d)}[X],$ Lagrange interpolation ensures that given at most $d$ evaluations of $p$ at $u_1,\dots ,u_d,$ the value of $p$ on any other point $u\notin \{u_1,\dots ,u_d\}$ is uniformly random so that even an unbounded adversary can guess it with probability at most $1/\left|{\mathbb{F}}_r\right|.$ Hence, the only way an adversary can guess $p(u)$ with non-negligible probability is to compute $p(\tau )$ from $C=p(\tau )G_1.$ Together with $d$ queries to the $\text{Prove}$ oracle, this yields $d+1$ evaluations of $p,$ allowing to compute $p$ with Lagrange interpolation. But computing $p(\tau )$ requires to solve the discrete logarithm problem for challenge $C.$

Theorem 19.1. Assume that the DL problem is hard in ${\mathbb{G}}_1$ for $\mathsf{PairingSetup}.$ Then the DL-KZG scheme is (computationally) eval-hiding. More precisely, for every adversary $\mathsf{A}$ against the EVAL-HIDING game, there exists an adversary $\mathsf{B}$ for the DL problem running in time $t+O(\lambda d^2),$ where $t$ is the running time of $\mathsf{A},$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-hiding}}(\lambda )\le {\mathbf{Adv}}_{\mathsf{B}}^{\text{dl}}(\lambda )+\frac{1}{2^{2\lambda -1}}.$$

Proof

Let $\mathsf{A}$ be an adversary against the eval-hiding property of DL-KZG. Without loss of generality, we assume that $\mathsf{A}$ makes exactly $d$ queries to the $\text{Prove}$ oracle. We simply denote EH the EVAL-HIDING game. Let also $E$ denote the event that $\mathsf{A}$ queries the $\text{Prove}$ oracle on $\tau .$ By definition of the advantage, we have $$\begin{array}{rl}{\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-hiding}}(\lambda )& =\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\right]\\ & =\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid E\right]\mathrm{Pr}\left[E\right]+\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid \neg E\right]\mathrm{Pr}\left[\neg E\right]\\ & \le \mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid E\right]+\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid \neg E\right]\mathrm{Pr}\left[\neg E\right].\end{array}$$ Let us first show that the first term is negligible. Just before $\mathsf{A}$ returns its answer, $p$ has been evaluated on at most $d+1$ points: $\tau$ (when computing the commitment) and the $d$ queries $\{u_1,\dots ,u_d\}$ of $\mathsf{A}$ to the $\text{Prove}$ oracle. Conditioned on $\mathsf{A}$ querying $\text{Prove}$ on $\tau$ (i.e., $\tau \in \{u_1,\dots ,u_d\}),$ $p$ has been in fact evaluated on $d$ points before $\mathsf{A}$ returns its output $(u,v).$ Since $p$ is a random polynomial of degree $d,$ the value of $p(u)$ conditioned on these at most $d$ evaluations (for any $u\ne u_1,\dots ,u_d)$ is uniformly random. Hence, even a computationally unbounded adversary can guess $p(u)$ with probability at most $1/\left|{\mathbb{F}}_r\right|,$ i.e., $$\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid E\right]=\frac{1}{\left|{\mathbb{F}}_r\right|}\le \frac{1}{2^{2\lambda -1}}.$$ Let us now upper bound the second term with a reduction. We construct an adversary $\mathsf{B}$ that solves the DL problem by simulating game EH to $\mathsf{A}$ as follows. Let $C=c{G}_1\in {\mathbb{G}}_1$ be the DL instance that $\mathsf{B}$ must solve. $\mathsf{B}$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r,$ computes $$par:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2),$$ and runs $\mathsf{A}$ on input $(par,C).$ Note that $C$ implicitly commits to a polynomial $p$ such that $p(\tau )=c.$ $\mathsf{B}$ simulates the $\text{Prove}$ oracle as follows: when $\mathsf{A}$ queries the oracle on some field element $u\in {\mathbb{F}}_r\setminus \{\tau \},$ $\mathsf{B}$ draws $v{\leftarrow }_{\$}{\mathbb{F}}_r,$ computes a proof $$\Pi :=\frac{1}{\tau -u}(C-v{G}_1)$$ and returns $(v,\Pi ).$ The proof is valid because $$\begin{array}{rl}e(\Pi ,\tau G_2-u{G}_2)& =e((\tau -u{)}^{-1}(C-v{G}_1),(\tau -u)G_2)\\ & =e(C-v{G}_1,G_2)\end{array}$$ and hence the verification equation (19.1) is satisfied. Note that $\mathsf{B}$ cannot answer this way if $\mathsf{A}$ queries $\tau$ to $\text{Prove}$ since $p(\tau )$ is exactly the solution to its DL challenge. In such a case (i.e., when $E$ happens), $\mathsf{B}$ simply aborts. Conditioned on $E$ not happening, $p$ is sampled through the commitment evaluation $p(\tau )=c$ and the $d$ evaluations $\{(u_1,v_1),\dots ,(u_d,v_d)\}$ corresponding to $\text{Prove}$ queries made by $\mathsf{A},$ with $c$ and $v_1,\dots ,v_d$ uniformly random and independent. By Lagrange interpolation, this is equivalent to drawing the $d+1$ coefficients of $p$ uniformly at random and hence the EVAL-HIDING game is perfectly simulated. If $\mathsf{A}$ successfully returns a pair $(u,v)$ such that $p(u)=v,$ then $\mathsf{B}$ can interpolate the $d$ evaluations corresponding to $\text{Prove}$ queries together with $(u,v)$ to recover polynomial $p$ and compute $p(\tau )=c,$ which yields the solution to the DL challenge.

Let DL be the discrete logarithm game played with $\mathsf{B}.$ Then $$\begin{array}{rl}{\mathbf{Adv}}_{\mathsf{B}}^{\text{dl}}(\lambda )& =\mathrm{Pr}\left[\text{DL}\to \mathbf{true}\right]\\ & =\mathrm{Pr}\left[\text{DL}\to \mathbf{true}\mid E\right]\mathrm{Pr}\left[E\right]+\mathrm{Pr}\left[\text{DL}\to \mathbf{true}\mid \neg E\right]\mathrm{Pr}\left[\neg E\right]\\ & =\mathrm{Pr}\left[\text{DL}\to \mathbf{true}\mid \neg E\right]\mathrm{Pr}\left[\neg E\right]\\ & =\mathrm{Pr}\left[\text{EH}\to \mathbf{true}\mid \neg E\right]\mathrm{Pr}\left[\neg E\right]\end{array}$$ where for the last equality we used that conditioned on $\neg E,$ games DL${}^{\mathsf{B}}(\lambda )$ and EH${}^{\mathsf{A}}(\lambda )$ are identical. Hence, $${\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-hiding}}(\lambda )\le {\mathbf{Adv}}_{\mathsf{B}}^{\text{dl}}(\lambda )+\frac{1}{2^{2\lambda -1}}$$ $\mathsf{B}$ runs in time $t$ (where $t$ is the running time of $\mathsf{A})$ plus the time to interpolate $p,$ which requires at most $O(d^2{\log }_2(r))=O(\lambda d^2)$ operations.

Binding Security

The only thing that a commitment $C$ commits to, information-theoretically speaking, is the value $p(\tau ).$ Hence, the DL-KZG scheme is certainly not statistically poly-binding: an adversary able to compute $\tau$ from the public parameters can very easily decommit any commitment $C=c{G}_1$ to any polynomial $p$ such that $p(\tau )=c.$ However, for an adversary unable to compute $\tau$ from the public parameters, which is an instance of what we call the $(d,1)$-co-DL problem, there is only a negligible chance that it can find two polynomials $p$ and $q$ such that $p(\tau )G_1=q(\tau )G_1=C.$ More formally, we have the following result.

Theorem 19.2. Assume that the $(d,1)$-co-DL problem is hard for $\mathsf{PairingSetup}.$ Then the DL-KZG scheme for maximal degree $d$ is poly-binding. More precisely, for any adversary $\mathsf{A}$ against the poly-binding security of DL-KZG for maximal degree $d,$ there exists an adversary $\mathsf{B}$ for the $(d,1)$-co-DL problem running in time $t+O(\lambda d^3),$ where $t$ is the running time of $\mathsf{A},$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{poly-binding}}(\lambda )={\mathbf{Adv}}_{\mathsf{B}}^{\text{(d,1)-co-dl}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the poly-binding security of DL-KZG for maximal degree $d.$ We construct an algorithm $\mathsf{B}$ for the $(d,1)$-co-DL problem as follows. $\mathsf{B}$ gets pairing group parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and an instance $(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2)$ of the $(d,1)$-co-DL problem. The goal of $\mathsf{B}$ is to compute $\tau .$ It runs $\mathsf{A}$ on public parameters $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2).$$ Assume that $\mathsf{A}$ is successful and returns a commitment $C$ and two distinct polynomials $p$ and $p^{\prime }$ of degree at most $d$ such that $$\mathsf{PolyVerif}(par,C,p)=\mathsf{PolyVerif}(par,C,p^{\prime })=1.$$ This implies that $C=p(\tau )G_1=p^{\prime }(\tau )G_1,$ hence $p(\tau )=p^{\prime }(\tau )$ and $\tau$ is a root of the non-zero polynomial $(p-p^{\prime })(X)\in {\mathbb{F}}_r^{(\le d)}[X].$ This polynomial can be factored in time $O(d^3\log (r))$ with the Cantor–Zassenhaus algorithm, which allows $\mathsf{B}$ to compute all its roots and find $\tau .$ The success probability of $\mathsf{B}$ is the same as the one of $\mathsf{A}$ and the running time of $\mathsf{B}$ is $t+O(\lambda d^3).$

Eval-binding security relies on a stronger assumption, namely that the so-called $(q_1,q_2)$-strong Diffie-Hellman ($(q_1,q_2)$-SDH) problem is hard. This problem is as follows: given $$(G_1,x{G}_1,\dots x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\in {\mathbb{G}}_1^{q_1+1}\times {\mathbb{G}}_2^{q_2+1},$$ compute a pair $(a,Y)\in {\mathbb{F}}_r\times {\mathbb{G}}_1$ such that $Y=\frac{1}{x+a}{G}_1.$ The $(q,1)$-SDH problem is usually simply called the $q$-SDH problem.

Theorem 19.3. Assume that the $d$-SDH problem is hard for $\mathsf{PairingSetup}.$ Then the DL-KZG scheme for maximal degree $d$ is eval-binding. More precisely, for any adversary $\mathsf{A}$ against the eval-binding security of DL-KZG for maximal degree $d,$ there exists an adversary $\mathsf{B}$ for the $d$-SDH problem running in time similar to the time of $\mathsf{A}$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-binding}}(\lambda )={\mathbf{Adv}}_{\mathsf{B}}^{\text{d-sdh}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the eval-binding security of the DL-KZG scheme for maximal degree $d.$ We construct an adversary $\mathsf{B}$ for the $d$-SDH problem. $\mathsf{B}$ gets pairing group parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and an instance $(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2)$ of the $d$-SDH problem. The goal of $\mathsf{B}$ is to return a pair $(a,Y)$ such that $Y=\frac{1}{\tau +a}{G}_1.$ It runs $\mathsf{A}$ on public parameters $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2).$$ Assume that $\mathsf{A}$ is successful and returns a commitment $C,$ a field element $u\in {\mathbb{F}}_r,$ and two valid value/proof pairs $(v,\Pi )$ and $(v^{\prime },{\Pi }^{\prime })$ with $v\ne v^{\prime }.$ Then $\mathsf{B}$ proceeds as follows. First, it checks whether $u=\tau$ (e.g., by checking whether $u{G}_1$ is equal to the second group element of the parameters $par).$ If this is the case, then $\mathsf{B}$ simply picks an arbitrary element $a\in {\mathbb{F}}_r\setminus \{-\tau \}$ and returns $(a,\frac{1}{\tau +a}{G}_1).$ From now on, we assume $u\ne \tau .$ The validity of the two proofs imply that $$\begin{array}{rl}e(C-v{G}_1,G_2)& =e(\Pi ,\tau G_2-u{G}_2)\\ \text{and }e(C-v^{\prime }{G}_1,G_2)& =e({\Pi }^{\prime },\tau G_2-u{G}_2).\end{array}$$ Taking the inverse of the second equation and multiplying with the first equation, we get successively $$\begin{array}{rl}e(C-v{G}_1,G_2)e(C-v^{\prime }{G}_1,G_2{)}^{-1}& =e(\Pi ,(\tau -u)G_2)e({\Pi }^{\prime },(\tau -u)G_2{)}^{-1}\\ e(C-v{G}_1,G_2)e(-C+v^{\prime }{G}_1,G_2)& =e(\Pi ,(\tau -u)G_2)e(-{\Pi }^{\prime },(\tau -u)G_2)\\ e(C-v{G}_1-C+v^{\prime }{G}_1,G_2)& =e(\Pi -{\Pi }^{\prime },(\tau -u)G_2)\\ e((v^{\prime }-v)G_1,G_2)& =e(\Pi -{\Pi }^{\prime },(\tau -u)G_2)\\ e\left(\frac{1}{\tau -u}{G}_1,G_2\right)& =e\left(\frac{1}{v^{\prime }-v}(\Pi -{\Pi }^{\prime }),G_2\right),\end{array}$$ where for the last implication we used that $v^{\prime }-v\ne 0$ and $\tau -u\ne 0,$ which allows us to multiply by $(v^{\prime }-v{)}^{-1}(\tau -u{)}^{-1}\mathrm{mod}r.$ The last equation implies that $$Y:=\frac{1}{v^{\prime }-v}(\Pi -{\Pi }^{\prime })=\frac{1}{\tau -u}{G}_1.$$ Hence, $\mathsf{B}$ returns $(-u,Y)$ which is a valid solution of the SDH instance. The success probability of $\mathsf{B}$ is the same as the one of $\mathsf{A}$ and the running time of $\mathsf{B}$ is close to the one of $\mathsf{A}.$

The Ped-KZG Scheme

Description

As discussed in the previous section, the DL-KZG scheme is not poly-hiding because the $\mathsf{Commit}$ algorithm is deterministic. It is possible the make the scheme poly-hiding by randomizing the $\mathsf{Commit}$ algorithm. Below we present the Ped-KZG scheme. The idea is to add to the basic DL-KZG commitment $C=p(\tau )G_1$ a commitment to another random and independent polynomial $\hat{p}(X)$ with respect to another generator $H_1$ of ${\mathbb{G}}_1.$ The commitment becomes $p(\tau )G_1+\hat{p}(\tau )H_1,$ which is very similar to a Pedersen commitment, hence the name. This requires expanding the size of the public parameters and the evaluation proofs. The formal description follows.

• The $\mathsf{Setup}$ algorithm, on input the security parameter $1^{\lambda },$ runs $$({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\leftarrow \mathsf{PairingSetup}(1^{\lambda }),$$ draws random generators $G_1$ and $H_1$ of ${\mathbb{G}}_1$ and $G_2$ of ${\mathbb{G}}_2,$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r,$ and returns public parameters $$par:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,H_1,\tau H_1,\dots ,{\tau }^d{H}_1,G_2,\tau G_2)\in {\mathbb{G}}_1^{2d+2}\times {\mathbb{G}}_2^2.$$ Here we assume that pairing parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ are implicitly specified in $par.$ The field over which polynomials are defined is ${\mathbb{F}}_r.$ The public parameters can be split into a commitment key $$ck:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,H_1,\tau H_1,\dots ,{\tau }^d{H}_1)\in {\mathbb{G}}_1^{2d+2}$$ and a verification key $$vk:=(G_1,H_1,G_2,\tau G_2)\in {\mathbb{G}}_1^2\times {\mathbb{G}}_2^2.$$

• The $\mathsf{Commit}$ algorithm, on input a commitment key $ck$ and a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X]$ where $p(X)={\sum }_{i=0}^d{a}_i{X}^i,$ draws a random polynomial $\hat{p}(X)={\sum }_{i=0}^d{\hat{a}}_i{X}^i$ with ${\hat{a}}_0,\dots ,{\hat{a}}_d{\leftarrow }_{\$}{\mathbb{F}}_r$ and returns the commitment $$C:=\sum _{i=0}^d{a}_i({\tau }^i{G}_1)+\sum _{i=0}^d{\hat{a}}_i({\tau }^i{H}_1)=p(\tau )G_1+\hat{p}(\tau )H_1$$ and the decommitment $D=\hat{p}(X).$

• The $\mathsf{PolyVerif}$ algorithm, on input a commitment key $ck,$ a commitment $C\in {\mathbb{G}}_1,$ a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X]$ where $p(X)={\sum }_{i=0}^d{a}_i{X}^i,$ and a decommitment $\hat{p}\in {\mathbb{F}}_r^{(\le d)}[X]$ where $\hat{p}(X)={\sum }_{i=0}^d{\hat{a}}_i{X}^i,$ returns 1 if $C={\sum }_{i=0}^d{a}_i({\tau }^i{G}_1)+{\sum }_{i=0}^d{\hat{a}}_i({\tau }^i{H}_1)$ and 0 otherwise.

• The $\mathsf{EvalProve}$ algorithm, on input a commitment key $ck,$ a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X],$ a decommitment $\hat{p}\in {\mathbb{F}}_r^{(\le d)}[X],$ and $u\in {\mathbb{F}}_r,$ computes the polynomials $$\begin{array}{rl}q(X)& :=\frac{p(X)-p(u)}{X-u}=\sum _{i=0}^d{b}_i{X}^i,\\ \hat{q}(X)& :=\frac{\hat{p}(X)-\hat{p}(u)}{X-u}=\sum _{i=0}^d{\hat{b}}_i{X}^i,\end{array}$$ the group element $$\Pi :=\sum _{i=0}^d{b}_i({\tau }^i{G}_1)+\sum _{i=0}^d{\hat{b}}_i({\tau }^i{H}_1)=q(\tau )G_1+\hat{q}(\tau )H_1,$$ and returns $p(u)$ and the proof $(\hat{p}(u),\Pi ).$

• The $\mathsf{EvalVerif}$ algorithm, on input a verification key $vk=(G_1,H_1,G_2,\tau G_2),$ a commitment $C,$ a pair $(u,v)\in {\mathbb{F}}_r^2,$ and a proof $(\hat{v},\Pi ),$ returns 1 if $$e(C-v{G}_1-\hat{v}{H}_1,G_2)=e(\Pi ,\tau G_2-u{G}_2)\text{\hspace{1em}(19.2)}$$ and 0 otherwise.

Correctness can be verified in a similar way to DL-KZG.

Hiding Security

Thanks to the commitment randomization, poly-hiding and eval-hiding security both hold statistically for Ped-KZG.

Theorem 19.4. The Ped-KZG scheme is perfectly poly-hiding.

Proof

For any $\tau \in {\mathbb{F}}_r$ and any polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X],$ the commitment $C$ returned by the $\mathsf{Commit}$ algorithm is uniformly random in ${\mathbb{G}}_1$ due to the addition of the term $\hat{p}(\tau ).$ Hence, the $\text{Commit}$ oracle in the POLY-HIDING game does not reveal any information about the hidden bit $b.$

Theorem 19.5. The Ped-KZG scheme is statistically eval-hiding. More precisely, for any adversary $\mathsf{A},$ one has $${\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-hiding}}\le \frac{1}{2^{2\lambda -1}}.$$

Proof

Let $\mathsf{A}$ by a (computationally unbounded) adversary against the eval-hiding property of Ped-KZG. We can assume without loss of generality that $\mathsf{A}$ is given $\tau ,$ the discrete logarithm $h$ of $H_1$ in base $G_1,$ and the discrete logarithm $c=p(\tau )+h\hat{p}(\tau )$ of the challenge commitment $C.$ Let u_i_, $i\in \{1,\dots ,d\}$ be the queries of $\mathsf{A}$ to oracle $\text{Prove}$ and $(v_i,({\hat{v}}_i,{\Pi }_i))$ be the corresponding answers. Note that ${\Pi }_i$ does not bring any additional information to $\mathsf{A}$ as it can be computed from the other quantities, namely $${\Pi }_i=\frac{1}{\tau -u_i}(C-v_i{G}_1-{\hat{v}}_i{H}_1).$$ Hence, all in all the adversary is given $d$ evaluations of $p$ and $\hat{p}$ at the same points together with the value $c=p(\tau )+h\hat{p}(\tau ).$ Note that $h\ne 0$ since $H_1$ is a generator of ${\mathbb{G}}_1.$ Hence, conditioned on $(u_i,v_i,{\hat{v}}_i)$ for $i\in \{1,\dots ,d\}$ and $c,$ the value of $p(\tau )$ is uniformly random and $\mathsf{A}$ only has $d$ evaluations of $p.$ This implies that the probability that $\mathsf{A}$ guesses $p(u)$ correctly for $u\notin \{u_1,\dots ,u_d\}$ is $1/\left|{\mathbb{F}}_r\right|\le 1/2^{2\lambda -1}.$

Binding Security

The poly-binding and eval-binding security properties hold under the same assumptions as for DL-KZG. The proofs are slightly more complex and must account for the possibility that the adversary solves the discrete logarithm problem for $H_1$ in base $G_1.$

Theorem 19.6. Assume that the $(d,1)$-co-DL problem is hard for $\mathsf{PairingSetup}.$ Then the Ped-KZG scheme for maximal degree $d$ is poly-binding. More precisely, for any adversary $\mathsf{A}$ against the poly-binding security of Ped-KZG for maximal degree $d,$ there exists an adversary $\mathsf{B}$ for the $(d,1)$-co-DL problem running in time $t+O(\lambda d^3),$ where $t$ is the running time of $\mathsf{A},$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{poly-binding}}(\lambda )=2\cdot {\mathbf{Adv}}_{\mathsf{B}}^{\text{(d,1)-co-dl}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the poly-binding security of the Ped-KZG scheme for maximal degree $d.$ We construct an algorithm $\mathsf{B}$ for the $(d,1)$-co-DL problem as follows. $\mathsf{B}$ gets pairing group parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and an instance $(G_1,x{G}_1,\dots ,x^d{G}_1,G_2,x{G}_2)$ of the $(d,1)$-co-DL problem. The goal of $\mathsf{B}$ is to compute $x.$

Adversary $\mathsf{B}$ randomly chooses between two indistinguishable ways to embed its instance into the parameters. Namely, it draws $b{\leftarrow }_{\$}\{0,1\}$ and proceeds as follows depending on $b:$

• If $b=0,$ then $\mathsf{B}$ draws $h{\leftarrow }_{\$}{\mathbb{F}}_r\setminus \{0\}$ and runs $\mathsf{A}$ on public parameters $$par=(G_1,x{G}_1,\dots ,x^d{G}_1,\alpha G_1,h(x{G}_1),\dots ,h(x^d{G}_1),G_2,x{G}_2).$$ This implicitly sets $\tau =x$ and $H_1=h{G}_1.$
• If $b=1,$ then $\mathsf{B}$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r$ and runs $\mathsf{A}$ on public parameters $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,x{G}_1,\tau (x{G}_1),\dots ,{\tau }^d(x{G}_1),G_2,\tau G_2).$$ This implicitly sets $H_1=x{G}_1.$

Assume that $\mathsf{A}$ is successful and returns a commitment $C$ and two distinct polynomials $p$ and $p^{\prime }$ of degree at most $d$ together with corresponding decommitments $\hat{p}$ and ${\hat{p}}^{\prime }$ such that $$\mathsf{PolyVerif}(par,C,p,\hat{p})=\mathsf{PolyVerif}(par,C,p^{\prime },{\hat{p}}^{\prime })=1.$$ This implies that $$C=p(\tau )G_1+\hat{p}(\tau )H_1=p^{\prime }(\tau )G_1+{\hat{p}}^{\prime }(\tau )H_1$$ and hence $$(p(\tau )-p^{\prime }(\tau ))G_1+(\hat{p}(\tau )-{\hat{p}}^{\prime }(\tau ))H_1=0.$$ We can distinguish two cases:

• case $p(\tau )-p^{\prime }(\tau )=0:$ If $b=1$ then $\mathsf{B}$ aborts. Otherwise, since $b=0,$ we have $x=\tau .$ Hence, $x$ is a root of the non-zero polynomial $(p-p^{\prime })(X)\in {\mathbb{F}}_r^{(\le d)}[X].$ This polynomial can be factored in time $O(d^3\log (r))$ with the Cantor–Zassenhaus algorithm, which allows $\mathsf{B}$ to compute all its roots and find $x.$
• case $p(\tau )-p^{\prime }(\tau )\ne 0:$ If $b=0$ then $\mathsf{B}$ aborts. Otherwise, since $b=1$ then $H_1=x{G}_1.$ This implies that $$p(\tau )-p^{\prime }(\tau )+x(\hat{p}(\tau )-{\hat{p}}^{\prime }(\tau ))=0.$$ Then necessarily $\hat{p}(\tau )-{\hat{p}}^{\prime }(\tau )\ne 0$ as otherwise this would contradict $p(\tau )-p^{\prime }(\tau )\ne 0.$ Hence, $\mathsf{B}$ can compute $$x=\frac{p(\tau )-p^{\prime }(\tau )}{{\hat{p}}^{\prime }(\tau )-\hat{p}(\tau )}.$$

The view of $\mathsf{A}$ is independent from $b$ and hence $\mathsf{B}$ aborts with probability $1/2,$ so that $${\mathbf{Adv}}_{\mathsf{B}}^{\text{(d,1)-co-dl}}(\lambda )=\frac{1}{2}{\mathbf{Adv}}_{\mathsf{A}}^{\text{poly-binding}}(\lambda ).$$ The running time of $\mathsf{B}$ is at most $t+O(\lambda d^3),$ which concludes the proof.

Theorem 19.7. Assume that the $d$-SDH problem is hard for $\mathsf{PairingSetup}.$ Then the Ped-KZG scheme for maximal degree $d$ is eval-binding. More precisely, for any adversary $\mathsf{A}$ against the eval-binding security of Ped-KZG for maximal degree $d,$ there exists an adversary $\mathsf{B}$ for the $d$-SDH problem running in time similar to the time of $\mathsf{A}$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-binding}}(\lambda )=2\cdot {\mathbf{Adv}}_{\mathsf{B}}^{\text{d-sdh}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the eval-binding security of the Ped-KZG scheme for maximal degree $d.$ We construct an adversary $\mathsf{B}$ for the $d$-SDH problem. $\mathsf{B}$ gets pairing group parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and an instance $(G_1,x{G}_1,\dots ,x^d{G}_1,G_2,x{G}_2)$ of the $d$-SDH problem. The goal of $\mathsf{B}$ is to return a pair $(a,Y)$ such that $Y=\frac{1}{x+a}{G}_1.$

Adversary $\mathsf{B}$ randomly chooses between two indistinguishable ways to embed its instance into the parameters. Namely, it draws $b{\leftarrow }_{\$}\{0,1\}$ and proceeds as follows depending on $b:$

• If $b=0,$ then $\mathsf{B}$ draws $h{\leftarrow }_{\$}{\mathbb{F}}_r\setminus \{0\}$ and runs $\mathsf{A}$ on public parameters $$par=(G_1,x{G}_1,\dots ,x^d{G}_1,\alpha G_1,h(x{G}_1),\dots ,h(x^d{G}_1),G_2,x{G}_2).$$ This implicitly sets $\tau =x$ and $H_1=h{G}_1.$
• If $b=1,$ then $\mathsf{B}$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r$ and runs $\mathsf{A}$ on public parameters $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,x{G}_1,\tau (x{G}_1),\dots ,{\tau }^d(x{G}_1),G_2,\tau G_2).$$ This implicitly sets $H_1=x{G}_1.$

Assume that $\mathsf{A}$ is successful and returns a commitment $C,$ a field element $u\in {\mathbb{F}}_r,$ and two valid value/proof pairs $(v,(w,\Pi ))$ and $(v^{\prime },(w^{\prime },{\Pi }^{\prime }))$ with $v\ne v^{\prime }.$ Then $\mathsf{B}$ proceeds as follows. First, it checks whether $u=\tau$ (e.g., by checking whether $u{G}_1$ is equal to the second group element of the parameters $par).$ If this is the case, then $\mathsf{B}$ simply picks an arbitrary element $a\in {\mathbb{F}}_r\setminus \{-\tau \}$ and returns $(a,\frac{1}{\tau +a}{G}_1).$ From now on, we assume $u\ne \tau .$ The validity of the two proofs imply that $$\begin{array}{rl}e(C-v{G}_1-w{H}_1,G_2)& =e(\Pi ,\tau G_2-u{G}_2)\\ \text{and }e(C-v^{\prime }{G}_1-w^{\prime }{H}_1,G_2)& =e({\Pi }^{\prime },\tau G_2-u{G}_2).\end{array}$$ Combining these two equations, we get $$\begin{array}{rl}e((v^{\prime }-v)G_1+(w^{\prime }-w)H_1,G_2)& =e(\Pi -{\Pi }^{\prime },(\tau -u)G_2)\\ e\left(\frac{v^{\prime }-v}{\tau -u}{G}_1+\frac{w^{\prime }-w}{\tau -u}{H}_1,G_2\right)& =e(\Pi -{\Pi }^{\prime },G_2),\end{array}$$ where we used that $u\ne \tau .$

We can now distinguish two cases:

• case $\Pi \ne {\Pi }^{\prime }:$ If $b=1$ then $\mathsf{B}$ aborts. Otherwise, since $b=0,$ we have $\tau =x$ and $\mathsf{B}$ knows the value $h$ such that $H_1=h{G}_1.$ The equation above yields $$e\left(\frac{v^{\prime }-v+h(w^{\prime }-w)}{x-u}{G}_1,G_2\right)=e(\Pi -{\Pi }^{\prime },G_2),$$ This implies in particular that $v^{\prime }-v+h(w^{\prime }-w)\ne 0$ as otherwise this would imply $\Pi ={\Pi }^{\prime }.$ Hence, $$e\left(\frac{1}{x-u}{G}_1,G_2\right)=e\left(\frac{1}{v^{\prime }-v+h(w^{\prime }-w)}(\Pi -{\Pi }^{\prime }),G_2\right)$$ which implies that $$Y:=\frac{1}{v^{\prime }-v+h(w^{\prime }-w)}(\Pi -{\Pi }^{\prime })=\frac{1}{(x-u)}{G}_1$$ Thus, $\mathsf{B}$ can return $(-u,Y)$ as solution to the $d$-SDH instance.
• case $\Pi ={\Pi }^{\prime }:$ If $b=0$ then $\mathsf{B}$ aborts. Otherwise, since $b=1;$ we have $H_1=x{G}_1$ and the equation above yields $$e\left(\frac{v^{\prime }-v+x(w^{\prime }-w)}{\tau -u}{G}_1,G_2\right)=e(0,G_2),$$ which implies $(v^{\prime }-v)+x(w^{\prime }-w)=0.$ We cannot have $w=w^{\prime }$ as this would imply $v=v^{\prime }$ whereas $v\ne v^{\prime }$ when $\mathsf{A}$ is successful. Hence, $\mathsf{B}$ can compute $x=(v^{\prime }-v)(w^{\prime }-w{)}^{-1},$ choose an arbitrary $a\in {\mathbb{F}}_r\setminus \{-x\},$ and return $(a,\frac{1}{x+a}{G}_1)$ as solution to the SDH instance.

The view of $\mathsf{A}$ is independent from $b$ and hence $\mathsf{B}$ aborts with probability $1/2,$ so that $${\mathbf{Adv}}_{\mathsf{B}}^{\text{d-sdh}}(\lambda )=\frac{1}{2}{\mathbf{Adv}}_{\mathsf{A}}^{\text{eval-binding}}(\lambda ).$$ The running time of $\mathsf{B}$ is similar to the running time of $\mathsf{A},$ which concludes the proof.

Discussion

Efficiency

DL-KZG commitments are extremely succinct and rather cheap to verify: a commitment and a proof take one elliptic curve point each (e.g., 48 bytes when using BLS12-381) and verifying an opening essentially takes two pairings. In case one has to verify many openings for the same commitment, the verification equation (19.1) can be equivalently written $$e(C,G_2)=e(G_1,G_2{)}^{v}e(\Pi ,\tau G_2-u{G}_2),$$ where $e(C,G_2)$ and $e(G_1,G_2)$ can be computed once and stored for verifying multiple openings, allowing to trade one pairing for one exponentiation in ${\mathbb{G}}_t.$ On the other hand, the size of the commitment key and the complexity of algorithms $\mathsf{Commit}$ and $\mathsf{EvalProve}$ are linear in $d,$ the maximal degree of committed polynomials (which when building SNARKs can be quite large).

Trusted Setup

The secret value $\tau$ drawn by the $\mathsf{Setup}$ algorithm must be securely deleted once the commitment key has been set up as it allows to break the evaluation binding property of the scheme. Indeed, knowing $\tau ,$ given an arbitrary commitment $C\in {\mathbb{G}}_1,$ one can open this commitment at any point $u\ne \tau$ to any value $v$ by computing the proof as $\Pi =(\tau -u{)}^{-1}(C-v{G}_1).$ Then the verification equation (19.1) is satisfied as $$\begin{array}{rl}e(\Pi ,\tau G_2-u{G}_2)& =e((\tau -u{)}^{-1}(C-v{G}_1),(\tau -u)G_2)\\ & =e(C-v{G}_1,G_2).\end{array}$$

This is quite different from the $\mathsf{Setup}$ procedure of the Pedersen commitment scheme, for which it is possible to proceed without ever generating any trapdoor explicitly. There is no (efficient) way known to implement the $\mathsf{Setup}$ procedure for KZG without explicitly sampling $\tau .$ To the best of my knowledge, there is also no proof that this is impossible. The assumption that this is impossible looks quite similar to many "knowledge of exponent" assumptions, hence the claim that running the KZG setup obliviously of $\tau$ is impossible is presumably true but not provable with known techniques. It is, however, possible to run the setup in a decentralized fashion, ensuring that the process is secure as long as a single party behaves honestly (see for example [NRBB22]).

Note that it is possible to check that the trusted setup yielded public parameters having the correct form, namely that there indeed exists $\tau \in {\mathbb{F}}_r$ such that $par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2).$ Say we are given $par=(P_0,P_1,\dots ,P_d,G_2,H_2).$ Let $\tau$ be defined as the discrete log of $H_2$ in base $G_2,$ i.e., $H_2=\tau G_2,$ and set $G_1=P_0.$ Then $ck$ has the correct form if and only if for every $i\in \{0,\dots ,d-1\},$ $e(P_i,H_2)=e(P_{i+1},G_2).$ Indeed, one has the following equivalences: $$\begin{array}{rl}e(P_i,H_2)=e(P_{i+1},G_2)& ⟺e(P_i,\tau G_2)=e(P_{i+1},G_2)\\ & ⟺e(\tau P_i,G_2)=e(P_{i+1},G_2)\\ & ⟺P_{i+1}=\tau P_i.\end{array}$$

Summary of KZG Properties

Multi-evaluation Proofs

We will see that the DL-KZG scheme can be generalized to allow proving multiple evaluations with one single proof consisting of a single ${\mathbb{G}}_1$ element. This technique can also be applied to Ped-KZG but it is much less interesting since the size of the proof for $n$ evaluations is one ${\mathbb{G}}_1$ element plus $n$ field elements, hence it grows linearly with $n.$

Recall that for a polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ $p(u)=v$ is equivalent to $p(X)-v$ being divisible by $X-u.$ How does this generalize to multiple evaluations?

First, let us recall some vocabulary from the section about Lagrange interpolation. An evaluation domain (or simply domain) of size $n$ is a subset $\mathcal{U}\subset \mathbb{F}$ of size $n.$ The vanishing polynomial over $\mathcal{U}$ is the polynomial $z(X)$ defined as $$z_{\mathcal{U}}(X):=\prod _{i=1}^n(X-u_i).$$ A multi-evaluation of size $n$ is a subset $\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}\subset {\mathbb{F}}^2$ such that $u_i\ne u_j$ for $i\ne j.$ The evaluation domain associated with $\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}$ is $\mathcal{U}:=\{u_1,\dots ,u_n\}.$ We say that a polynomial $p\in \mathbb{F}[X]$ satisfies a multi-evaluation $\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}$ if $p(u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$

The idea of multi-evaluation proofs relies on the generalized polynomial remainder theorem that we restate here. Let $p\in \mathbb{F}[X],$ $\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}$ be a multi-evaluation of size $n\le \mathrm{deg}(p),$ and $\mathcal{U}:=\{u_1,\dots ,u_n\}.$ Let $z(X)$ be the vanishing polynomial for domain $\mathcal{U}$ and $\ell (X)$ be the Lagrange interpolation polynomial for $\mathcal{E},$ i.e., the unique polynomial of degree at most $n-1$ such that $\ell (u_i)=v_i$ for every $i\in \{1,\dots ,n\}.$ Then $p$ satisfies $\mathcal{E}$ if and only if $z(X)$ divides $p(X)-\ell (X).$

For $n=1,$ one recovers the standard polynomial remainder theorem since for a single point $(u,v)$ the vanishing polynomial is $X-u$ and the Lagrange interpolation polynomial is the constant polynomial $\ell (X)=v,$ hence $p$ satisfies $p(u)=v$ if and only if $X-u$ divides $p(X)-v.$

Syntax and Security Definition

Let us now see how to adapt the syntax of a PC scheme to accommodate multi-evaluation proofs. Concretely, a PC scheme with multi-evaluation proofs consists of five algorithms: $\mathsf{Setup},$ $\mathsf{Commit},$ and $\mathsf{PolyVerif}$ have the same syntax as for a standard PC scheme, while $\mathsf{EvalProve}$ and $\mathsf{EvalVerif}$ are replaced respectively by the following two algorithms:

• a $\mathsf{MultiProve}$ algorithm which on input parameters $par,$ a polynomial $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ a decommitment $D,$ and a tuple $(u_1,\dots ,u_n)\in {\mathbb{F}}^n$ of $n$ distinct field elements, $n\le d,$ returns a tuple $(v_1,\dots ,v_n)\in {\mathbb{F}}^n$ and a proof $\Pi ;$

• a $\mathsf{MultiVerif}$ algorithm which on input parameters $par,$ a commitment $C,$ a multi-evaluation $\mathcal{E},$ and a proof $\Pi ,$ returns 1 if $\Pi$ is a valid proof that the polynomial committed to by $C$ satisfies $\mathcal{E}$ and 0 otherwise.

The correctness property can be straightforwardly adapted: for every security parameter $\lambda ,$ every $d\in \mathbb{N},$ every $p\in {\mathbb{F}}_{}^{(\le d)}[X],$ every $n\in \{1,\dots ,d\},$ and every subset $\{u_1,\dots ,u_n\}\subset \mathbb{F},$ the following game capturing the nominal execution of algorithms for multi-evaluation proving must return true with probability 1:

$$\boxed{\begin{array}{rl}& par\leftarrow \mathsf{Setup}(1^{\lambda })\\ & (C,D)\leftarrow \mathsf{Commit}(par,p)\\ & ((v_1,\dots ,v_n),\Pi )\leftarrow \mathsf{MultiProve}(par,p,D,(u_1,\dots ,u_n))\\ & \mathcal{E}:=\{(u_1,v_1),\dots ,(u_n,v_n)\}\\ & b\leftarrow \mathsf{MultiVerif}(par,C,\mathcal{E},\Pi )\\ & \mathbf{assert}(b=1)\end{array}}$$

We must modify the security definitions accordingly. The poly-hiding and poly-binding notion are identical to the ones defined for a standard PC scheme. The eval-hiding notion is very similar: one only needs to adapt the $\text{Prove}$ oracle so that it may be queried on domains of size larger than 1.

The eval-binding notion requires more care: we still want that no adversary can prove that a polynomial evaluates to two different values $v$ and $v^{\prime }$ at the same input point $u;$ however, now the adversary has the freedom to prove this for two different multi-evaluations $\mathcal{E}$ and ${\mathcal{E}}^{\prime }$ with the constraint that $(u,v)\in \mathcal{E}$ and $(u,v^{\prime })\in {\mathcal{E}}^{\prime }.$ To emphasize the difference, we call this adapted security notion multi-binding. It is defined via the following game.

$$\boxed{\begin{array}{l}\text{Game MULTI-BINDING:}\\ par\leftarrow \mathsf{Setup}(1^{\lambda })\\ (C,(u,v,v^{\prime }),(\mathcal{E},\Pi ),({\mathcal{E}}^{\prime },{\Pi }^{\prime }))\leftarrow \mathsf{A}(par)\\ b\leftarrow \mathsf{EvalVerif}(par,C,\mathcal{E},\Pi )\\ b^{\prime }\leftarrow \mathsf{EvalVerif}(par,C,{\mathcal{E}}^{\prime },{\Pi }^{\prime })\\ \mathbf{assert}(u,v)\in \mathcal{E}\\ \mathbf{assert}(u,v^{\prime })\in {\mathcal{E}}^{\prime }\\ \mathbf{assert}(v\ne v^{\prime })\\ \mathbf{assert}(b=1)\\ \mathbf{assert}(b^{\prime }=1)\end{array}}$$

KZG with Multi-evaluation Proofs: Description

The DL-KZG multi-evaluation PC scheme works as follows:

• The $\mathsf{Setup}$ algorithm, on input the security parameter $1^{\lambda },$ runs $$({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)\leftarrow \mathsf{PairingSetup}(1^{\lambda }),$$ draws random generators $G_1$ and $G_2$ of respectively ${\mathbb{G}}_1$ and ${\mathbb{G}}_2,$ draws $\tau {\leftarrow }_{\$}{\mathbb{F}}_r,$ and returns public parameters $$par:=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2,\dots ,{\tau }^d{G}_2)\in {\mathbb{G}}_1^{d+1}\times {\mathbb{G}}_2^{d+1}.$$

• The $\mathsf{Commit}$ and $\mathsf{PolyVerif}$ algorithms are defined exactly as for DL-KZG.

• The $\mathsf{MultiProve}$ algorithm, on input a commitment key $ck=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1),$ a polynomial $p\in {\mathbb{F}}_r^{(\le d)}[X],$ and a subset $\mathcal{U}=\{u_1,\dots ,u_n\}\subset {\mathbb{F}}_r$ of size $n\in \{1,\dots ,d\},$ computes the polynomials $$\begin{array}{rl}z(X)& :=\prod _{i=1}^n(X-u_i),\\ \ell (X)& :=\sum _{i=1}^{n}p(u_i)\prod _{\begin{array}{c}1\le j\le n\\ j\ne i\end{array}}\frac{X-u_j}{u_i-u_j},\\ q(X)& :=\frac{p(X)-\ell (X)}{z(X)}=\sum _{i=0}^d{b}_i{X}^i,\end{array}$$ and the group element $\Pi :={\sum }_{i=0}^d{b}_i({\tau }^i{G}_1)=q(\tau )G_1$ and returns $(p(u_1),\dots ,p(u_n))$ and the proof $\Pi .$

• The $\mathsf{MultiVerif}$ algorithm, on input a verification key $vk=(G_2,\tau G_2,\dots ,{\tau }^d{G}_2),$ a commitment $C,$ a multi-evaluation $\mathcal{E}=\{(u_1,v_1),\dots ,(u_n,v_n)\}$ of size $n\in \{1,\dots ,d\},$ and a proof $\Pi ,$ computes the polynomials $$\begin{array}{rl}z(X)& :=\prod _{i=1}^n(X-u_i),\\ \ell (X)& :=\sum _{i=1}^n{v}_i\prod _{\begin{array}{c}1\le j\le n\\ j\ne i\end{array}}\frac{X-u_j}{u_i-u_j},\end{array}$$ and returns 1 if $$e(C-\ell (\tau )G_1,G_2)=e(\Pi ,z(\tau )G_2)$$ and 0 otherwise.

Observe that the $\mathsf{MultiVerif}$ algorithm must compute $\ell (\tau )G_1$ and $z(\tau )G_2.$ For a multi-evaluation of size $n,$ $\ell$ has degree at most $n-1$ and $z$ has degree $n.$ Hence, if proofs for multi-evaluations of size at most $N$ are to be supported, one can restrict the public parameters to $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2,\dots ,{\tau }^N{G}_2)\in {\mathbb{G}}_1^{d+1}\times {\mathbb{G}}_2^{N+1}$$ and derive a commitment key $$ck=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1)\in {\mathbb{G}}_1^{d+1}$$ and a verification key $$vk=(G_1,\tau G_1,\dots ,{\tau }^{N-1}{G}_1,G_2,\tau G_2,\dots ,{\tau }^N{G}_2)\in {\mathbb{G}}_1^N\times {\mathbb{G}}_2^{N+1}.$$

Security Proof

The proof of Theorem 19.3 can be adapted to show that DL-KZG is multi-binding under a slightly different assumption called $(q_1,q_2)$-bilinear strong Diffie-Hellman ($(q_1,q_2)$-BSDH). This problem is as follows: given $$(G_1,x{G}_1,\dots x^{q_1}{G}_1,G_2,x{G}_2,\dots ,x^{q_2}{G}_2)\in {\mathbb{G}}_1^{q_1+1}\times {\mathbb{G}}_2^{q_2+1},$$ compute a pair $(a,Y)\in {\mathbb{F}}_r\times {\mathbb{G}}_t$ such that $Y=e(G_1,G_2{)}^{\frac{1}{x+a}}.$ Note that $$(q_1,q_2)\text{-BSDH}\leqq (q_1,q_2)\text{-SDH}.$$ Indeed, given a solution $(a,\frac{1}{x+a}{G}_1)$ for some SDH instance, one can compute a solution $(a,e(\frac{1}{x+a}{G}_1,G_2))$ for the corresponding BSDH instance. The converse, though, is not known to hold, so that BSDH is presumably a stronger assumption than SDH.

Theorem 19.8. Assume that the $(d,N)$-BSDH problem is hard for $\mathsf{PairingSetup}.$ Then the DL-KZG multi-evaluation scheme for maximal degree $d$ and multi-evaluations of size at most $N$ is multi-binding. More precisely, for any adversary $\mathsf{A}$ against the multi-binding security of DL-KZG, there exists an adversary $\mathsf{B}$ for the $(d,N)$-BSDH problem running in time similar to the time of $\mathsf{A}$ and such that $${\mathbf{Adv}}_{\mathsf{A}}^{\text{multi-binding}}(\lambda )={\mathbf{Adv}}_{\mathsf{B}}^{\text{(d,N)-bsdh}}(\lambda ).$$

Proof

Let $\mathsf{A}$ be an adversary against the multi-binding security of the DL-KZG scheme for maximal degree $d.$ We construct an adversary $\mathsf{B}$ for the $(d,N)$-BSDH problem. $\mathsf{B}$ gets pairing group parameters $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_t,r,e)$ and an instance $$(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2,\dots ,{\tau }^N{G}_2)$$ of the $(d,N)$-BSDH problem. The goal of $\mathsf{B}$ is to return a pair $(a,Y)$ such that $Y=e(G_1,G_2{)}^{\frac{1}{\tau +a}}.$ Adversary $\mathsf{B}$ runs $\mathsf{A}$ on input parameters $$par=(G_1,\tau G_1,\dots ,{\tau }^d{G}_1,G_2,\tau G_2,\dots ,{\tau }^N{G}_2).$$ Assume that $\mathsf{A}$ returns a commitment $C,$ a tuple $(u,v,v^{\prime })\in {\mathbb{F}}_r^3,$ and two valid multi-evaluations/proof pairs $(\mathcal{E},\Pi )$ and $({\mathcal{E}}^{\prime },{\Pi }^{\prime })$ such that $v\ne v^{\prime },$ $(u,v)\in \mathcal{E},$ and $(u,v^{\prime })\in {\mathcal{E}}^{\prime }.$ If $u=\tau$ (which $\mathsf{B}$ can verify by checking whether $u{G}_1$ is equal to the second group element of the parameters $par),$ then $\mathsf{B}$ simply picks an arbitrary element $a\in {\mathbb{F}}_r\setminus \{-\tau \}$ and returns $(a,e(G_1,G_2{)}^{\frac{1}{\tau +a}})$ as solution to the $d$-BSDH instance. From now on, we assume that $u\ne \tau .$

Let $\mathcal{U},$ resp. ${\mathcal{U}}^{\prime }$ be the evaluation domain corresponding to $\mathcal{E},$ resp. ${\mathcal{E}}^{\prime }.$ Let also $z,$ resp. $z^{\prime }$ be the vanishing polynomial for $\mathcal{U},$ resp. ${\mathcal{U}}^{\prime }$ and $\ell ,$ resp. ${\ell }^{\prime }$ be the Lagrange interpolation polynomial for $\mathcal{E},$ resp. ${\mathcal{E}}^{\prime }.$ Validity of the two proofs imply that $$\begin{array}{rl}e(C-\ell (\tau )G_1,G_2)& =e(\Pi ,z(\tau )G_2)\\ \text{and }e(C-{\ell }^{\prime }(\tau )G_1,G_2)& =e({\Pi }^{\prime },z^{\prime }(\tau )G_2).\end{array}$$ Combining these two equations, we obtain $$\begin{array}{r}e(({\ell }^{\prime }-\ell )(\tau )G_1,G_2)=e(\Pi ,z(\tau )G_2)e({\Pi }^{\prime },z^{\prime }(\tau )G_2{)}^{-1}.\end{array}$$ We know that $u$ is a root of both $z(X)$ and $z^{\prime }(X).$ Hence, there are polynomials $q$ and $q^{\prime }$ such that $z(X)=(X-u)q(X)$ and $z^{\prime }(X)=(X-u)q^{\prime }(X).$ We also know that polynomial $({\ell }^{\prime }-\ell )(X)$ evaluates to $v^{\prime }-v$ at $u.$ Hence, by the polynomial remainder theorem, there is a polynomial $q^{\prime \prime }$ such that $$({\ell }^{\prime }-\ell )(X)=v^{\prime }-v+(X-u)q^{\prime \prime }(X).$$ Note that $\mathsf{B}$ can explicitly compute $q,$ $q^{\prime },$ and $q^{\prime \prime }.$ Injecting this in the previous equation, we get $$\begin{array}{rl}& e((v^{\prime }-v)G_1,G_2)e((\tau -u)q^{\prime \prime }(\tau )G_1,G_2)=e(\Pi ,(\tau -u)q(\tau )G_2)e({\Pi }^{\prime },(\tau -u)q^{\prime }(\tau )G_2{)}^{-1}\\ & e((v^{\prime }-v)G_1,G_2)=e(\Pi ,(\tau -u)q(\tau )G_2)e({\Pi }^{\prime },(\tau -u)q^{\prime }(\tau )G_2{)}^{-1}e((\tau -u)q^{\prime \prime }(\tau )G_1,G_2{)}^{-1}\\ & e(G_1,G_2{)}^{1/(\tau -u)}=(e(\Pi ,q(\tau )G_2)e(-{\Pi }^{\prime },q^{\prime }(\tau )G_2)e(-q^{\prime \prime }(\tau )G_1,G_2){)}^{1/(v^{\prime }-v)},\end{array}$$ where for the last equality we used that $\tau -u\ne 0$ and $v^{\prime }-v\ne 0.$ Hence, $\mathsf{B}$ can return $(-u,Y),$ where $Y$ is the right-hand side of the last equation, as solution to the $(d,N)$-BSDH instance.

As a sanity check, observe that for a single evaluation ($n=1),$ one has $q(X)=q^{\prime }(X)=1$ and $q^{\prime \prime }(X)=0,$ in which case the last equation simplifies to $$e\left(\frac{1}{\tau -u}{G}_1,G_2\right)=e\left(\frac{1}{v^{\prime }-v}(\Pi -{\Pi }^{\prime }),G_2\right)$$ which allows to solve the $d$-SDH problem and recover Theorem 19.3.

A Practical Use Case

Ethereum is planning to use the KZG polynomial commitment scheme for proto-danksharding. Its properties make it a convenient solution to the data availability problem. A distributed trusted setup is being run at the time of writing.

Additional Resources

There are many resources explaining KZG out there, here are a few:

• Section 15.2 of PAZK
• this post by Andy Arditi
• this other one by Dankrad Feist
• yet another one by Alin Tomescu
• or this video by Dan Boneh.

---

1: As for standard commitment schemes, the name can vary and this is sometimes called a common reference string (crs) or structured reference string (srs) when it does not consist of random bits and has a specific "shape", as it is the case for KZG.

2: In the seminal paper introducing polynomial commitment schemes [KZG10a], evaluation hiding is simply called hiding.

3: KZG polynomial commitments are often described with a symmetric pairing (i.e., ${\mathbb{G}}_1={\mathbb{G}}_2),$ but we define them for an asymmetric pairing as this is the preferred option in practice.

4: Quite often, generators $G_1$ and $G_2$ are standard and specified in public parameters alongside ${\mathbb{G}}_1$ and ${\mathbb{G}}_2.$

5: The polynomial $q(X)$ is well-defined by the polynomial remainder theorem.

Before Starting

    ______ _   __  _   _            _
    |___  /| | / / | | | |          | |
       / / | |/ /  | |_| | __ _  ___| | __
      / /  |    \  |  _  |/ _` |/ __| |/ /
    ./ /___| |\  \ | | | | (_| | (__|   <
    \_____/\_| \_/ \_| |_/\__,_|\___|_|\_\

Over the last months, ZK Hack published a series of cryptographic puzzles. This is a fun way to learn about advanced cryptographic schemes such as BLS signatures, KZG polynomial commitments, proof systems and more, to improve its skills in Rust and Sage, and to delve into the arkworks libraries suite.

There are many great write-ups already available for every puzzle. The goal of this walk-through is to give an in-depth analysis of the cryptography underlying each puzzle.

We encourage the reader to regularly pause and try to come with its own solution!

The full code of the solutions is available at https://github.com/yannickseurin/crypto-book/tree/main/puzzles.

Prerequisites

All puzzles use Rust and require some familiarity with this language. Visit this page for installation instructions and go through the first sections of the Rust Book if you're new to Rust. You can use any text editor you like, but it is recommended to use Visual Studio Code together with the rust-analyzer plugin which provides very helpful functionalities such as inlay hints. See here and there for more advice about using VS Code fur Rust development.

We will also occasionally rely on the Sage mathematics software system to solve some of the puzzles. See here for installation instructions.

The solutions will be given for Linux but should be easily adaptable to other operating systems.

Getting Started

Each puzzle consists of a Rust package hosted on GitHub. To get started, one first need to clone the project and run it, which displays the puzzle instructions. E.g., for the first puzzle, one proceeds as follows:

$ git clone https://github.com/kobigurk/zkhack-bls-pedersen
$ cd zkhack-bls-pedersen
$ cargo run --release

This displays the puzzle description. Understanding the organization of the project's code requires some basic knowledge of Rust concepts of packages, crates, and modules. Section 7 of the Rust book contains all you need to know.

Rust Conventions and Tips

• Paths to files are given relatively to the puzzle directory.
• Most Rust snippets have an eyeball icon which will toggle the visibility of hidden lines.
• Puzzles 1 to 11 are based on version 0.3 of the arkworks libraries, but version 0.4 has been released meanwhile with a handful of breaking changes (puzzle 12 and beyond use version 0.4); we will strive to indicate those affecting the relevant part of the crates.
• We often switch between mathematical notation and Rust variables. We write $v\cong$ var or var $\cong v$ to identify the mathematical variable $v$ and the Rust variable var.

Puzzle 1: Let's Hash it Out

• puzzle page
• GitHub repository
• puzzle description:

Alice designed an authentication system in which users gain access by presenting
it a signature on a username, which Alice provided.
One day, Alice discovered 256 of these signatures were leaked publicly, but the
secret key wasn't. Phew.
The next day, she found out someone accessed her system with a username she
doesn't know! This shouldn't be possible due to existential unforgeability, as
she never signed such a message.

Can you find out how it happend and produce a signature on your username?

From the puzzle's instructions, it seems that we have to mount a universal forgery attack against the signature scheme used by Alice (universal because one should be able to forge a signature for any username). Let's find out what signature scheme Alice is using exactly by taking a look at the code (the name of the package gives us a good hint already).

Initial Inspection

As this is the first puzzle, we will go over the code in details.

The package directory is structured as follows:

zkhack-bls-pedersen
├── Cargo.toml
└── src
    ├── bin
    │   └── verify-bls-pedersen.rs
    ├── bls.rs
    ├── data.rs
    ├── hash.rs
    └── lib.rs

It has two crates:

• a library crate with root file src/lib.rs,
• a binary crate with root file src/bin/verify-bls-pedersen.rs.

Let's take a look at the code inside the file src/lib.rs.:

pub mod bls;
pub mod data;
pub mod hash;

pub const PUZZLE_DESCRIPTION: &str = r#"Alice designed an authentication system in which users gain access by presenting it a signature on a username, which Alice provided.
One day, Alice discovered 256 of these signatures were leaked publicly, but the secret key wasn't. Phew.
The next day, she found out someone accessed her system with a username she doesn't know! This shouldn't be possible due to existential unforgeability, as she never signed such a message.

Can you find out how it happend and produce a signature on your username?"#;

It simply declares three public modules named bls, data, and hash and a string slice named PUZZLE_DESCRIPTION with the text which is displayed when running the project.

Let's now have a look at the code in the binary crate's source file src/bin/verify-bls-pedersen.rs:

use bls_pedersen::bls::verify;
use bls_pedersen::data::puzzle_data;
use bls_pedersen::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (pk, ms, sigs) = puzzle_data();
    for (m, sig) in ms.iter().zip(sigs.iter()) {
        verify(pk, m, *sig);
    }

    /* Your solution here! */
    /*
      let sig = ...;
      let m = your username;
      verify(pk, m, sig);
    */
}

It first brings some items from the library crate into scope with the use keyword. Note that when a package contains both a library and a binary crate, any public item from the library crate can be used in the binary crate by starting paths with the name of the package (which is specified in the Cargo.toml file; in this case, it is bls_pedersen). It also brings into scope two functions called welcome and puzzle defined in the prompt external crate.

The main function first calls welcome and puzzle which respectively display some nice ASCII art and the puzzle description. It then calls the puzzle_data function. From the path used to bring puzzle_data into scope, we know that this function is defined in the data module of the library. Hence, we look into the file src/data.rs for its code, which looks like this:

pub fn puzzle_data() -> (G2Affine, Vec<Vec<u8>>, Vec<G1Affine>) {
    // ...
    (pk, ms, sigs)
}

This function returns a tuple made up of a public key pk of type G2Affine, a vector ms of messages of type Vec<u8>, and a vector sigs of signatures of type G1Affine. We'll come back to types G1Affine and G2Affine shortly. The main function then runs a loop which checks the validity of all message/signature pairs with respect to public key pk:

    for (m, sig) in ms.iter().zip(sigs.iter()) {
        verify(pk, m, *sig);
    }

If you don't understand the syntax of the loop, read about iterators and the zip method as this will come up quite often.

The verify function is defined in the bls module, as indicated by the path used to bring it into scope. In order to understand what this function does, make sure to read the chapters about pairings and BLS signatures. Here is the code:

use ark_bls12_381::{Bls12_381, G1Affine, G2Affine};
use ark_ec::{AffineCurve, PairingEngine};
use std::ops::Neg;

use crate::hash::hash_to_curve;
use ark_ff::One;

// --snip--

pub fn verify(pk: G2Affine, msg: &[u8], sig: G1Affine) {
    let (_, h) = hash_to_curve(msg);
    assert!(Bls12_381::product_of_pairings(&[
        (
            sig.into(),
            G2Affine::prime_subgroup_generator().neg().into()
        ),
        (h.into(), pk.into()),
    ])
    .is_one());
}

Just from the names of the functions, we can guess that it first hashes the message $m\cong$ msg by calling hash_to_curve, getting a point $H(m)\cong$ h on ${\mathbb{G}}_1,$ and then asserts that the product of two pairings is equal to $1_{{\mathbb{G}}_t},$ the identity element of group ${\mathbb{G}}_t.$ Ignoring the into method for now, we can see that the arguments for the first pairing are the signature $S\cong$ sig and the opposite of the generator $G_2$ of group ${\mathbb{G}}_2.$ The arguments for the second pairing are the hash $H(m)\cong$ h and the public key $X\cong$ pk.

Hence, what verify is asserting is whether (using our notation from the BLS signatures chapter) $$e(S,-G_2)\cdot e(H(m),X)=1_{{\mathbb{G}}_t}\text{\hspace{1em}(25.1.1)}$$ which is equivalent to the verification equation (17.1) we gave when describing BLS since $$\begin{array}{rl}e(S,-G_2)\cdot e(H(m),X)=1_{{\mathbb{G}}_t}& \iff e(S,G_2{)}^{-1}\cdot e(H(m),X)=1_{{\mathbb{G}}_t}\\ & \iff e(H(m),X)=e(S,G_2).\end{array}$$

So verify is indeed checking a BLS signature. Computing a product of pairings can be done more efficiently than computing the pairings one by one (see here), which explains why performing verification using Eq. (25.1.1) is often preferable.

What pairing-friendly curve does the signature scheme use? The arkworks libraries implement many such curves (see the list here). From the Cargo.toml file listing dependencies of the package, we can see that it includes the ark-bls12-381 library crate, where the Bls12_381 type prefixing the call to product_of_pairings is defined. Hence, the puzzle uses the BLS12-381 curve.

Our next task is to understand what the hash_to_curve function does exactly. Before that, we take a moment to explore some of the arkworks crates used in the puzzle.

Exploring the arkworks Libraries

As explained in the introduction, the ZK Hack puzzles are a great opportunity to explore the arkworks libraries. Although we have a reasonable understanding of what verify does, let us pause a moment and explain how to find its way in all the crates arkworks provides. Say we want to understand what the function Bls12_381::product_of_pairings does exactly. First, we check the path used to bring Bls12_381 into scope in the src/bls.rs module:

use ark_bls12_381::{Bls12_381, G1Affine, G2Affine};

This tells us that we need to look into the ark-bls12-381 crate.¹

The first thing to know is that there are two possible places where to look for information: Docs.rs, the documentation host for Rust crates hosted at crates.io, and the arkworks GitHub repositories.²

Second, one has to be careful about which version of the crate the puzzle requires. For this, we must inspect the Cargo.toml file which lists the package dependencies:

[dependencies]
ark-std = "0.3"
ark-ff = "0.3"
ark-ec = "0.3"
ark-serialize = "0.3"
ark-bls12-381 = "0.3"
ark-crypto-primitives = "0.3"
rand = "0.8"
rand_chacha = "0.3"
hex = "0.4"
prompt = { git = "https://github.com/kobigurk/zkhack-prompt" }
blake2s_simd = "0.5.11"

We can see that the puzzle requires version 0.3 of the ark-bls12-381 crate. Hence, we select to correct version of the ark-bls12-381 crate on Docs.rs as starting point of our exploration.

If you prefer to browse libraries on GitHub or locally, be careful to check out the correct commit: the ark-ec crate is part of the algebra repository, the releases of which are listed here.

When entering product_of_pairings in the search bar on top of the documentation page of the ark-bls12-381 crate, we don't get any hit. This probably means that this function is part of a trait that the type Bls12_381 implements using the default implementation. Hence, we search for this type instead, which leads us to its definition:

type Bls12_381 = Bls12<Parameters>;

Following the link to the definition of the Bls12 type, we see that it is defined in the models::bls12 submodule of the ark-ec crate, which contains all the generic code for curves of the BLS family with embedding degree 12:

pub struct Bls12<P: Bls12Parameters>(_);

This illustrates how arkworks uses traits to abstract common behaviour of various curves. Bls12 is an empty struct parameterized by a generic type P that must satisfy the trait bound Bls12Parameters. A specific curve of the BLS-12 family, such as BLS12-381, is then instantiated by defining an empty struct Parameters implementing the Bls12Parameters trait in a specific way.

We can now search for product_of_pairings in the ark-ec crate. We are more lucky this time as we find out that it is part of the PairingEngine trait. Let's take a look at the code:

pub trait PairingEngine: Sized + 'static + Copy + Debug + Sync + Send + Eq + PartialEq {
    // ...

    /// Computes a product of pairings.
    #[must_use]
    fn product_of_pairings<'a, I>(i: I) -> Self::Fqk
    where
        I: IntoIterator<Item = &'a (Self::G1Prepared, Self::G2Prepared)>,
    {
        Self::final_exponentiation(&Self::miller_loop(i)).unwrap()
    }

    // ...
}

We can see that a default implementation is indeed provided, computing a product of Miller loops followed by a single final exponentiation. You can keep digging from here and inspect how miller_loop and final_exponentiation are implemented for the BLS-12 family.

Note that the product_of_pairings function has been replaced in version 0.4.0 of the ark-ec crate by the multi_pairing function.

Next, we will see what the into method applied to curve points does.

Affine versus Projective Coordinates

The ark-ec library allows you to work both with affine and projective coordinates and to easily switch between them. For short Weierstrass curves, the affine representation corresponds to the GroupAffine struct implementing the AffineCurve trait:

pub struct GroupAffine<P: Parameters> {
    pub x: P::BaseField,
    pub y: P::BaseField,
    pub infinity: bool,
    // some fields omitted
}

The projective representation uses Jacobian (not homogeneous) coordinates and corresponds to the GroupProjective struct implementing the ProjectiveCurve trait:

pub struct GroupProjective<P: Parameters> {
    pub x: P::BaseField,
    pub y: P::BaseField,
    pub z: P::BaseField,
    // some fields omitted
}

Note in particular how the GroupAffine struct needs to hold a boolean field infinity indicating whether an instance is the point at infinity or not, whereas GroupProjective needs not.

The trait Parameters, an alias for ark_ec::models::SWModelParameters, contains all parameters specifying a prime-order subgroup of an elliptic curve in short Weierstrass form:

pub trait SWModelParameters: ModelParameters {
    const COEFF_A: Self::BaseField;
    const COEFF_B: Self::BaseField;
    const COFACTOR: &'static [u64];
    const COFACTOR_INV: Self::ScalarField;
    const AFFINE_GENERATOR_COEFFS: (Self::BaseField, Self::BaseField);
    fn mul_by_a(elem: &Self::BaseField) -> Self::BaseField { ... }
    fn add_b(elem: &Self::BaseField) -> Self::BaseField { ... }
}

What about types G1Affine and G2Affine? Recall that in order to define a pairing one needs two prime-order subgroups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ of elliptic curves defined on respectively ${\mathbb{F}}_p$ and some field extension ${\mathbb{F}}_{p^m}.$ Types G1Affine and G2Affine correspond to the affine representation of these two subgroups and are defined for curves of the BLS-12 family respectively here and there as:

type G1Affine<P> = GroupAffine<<P as Bls12Parameters>::G1Parameters>;
type G2Affine<P> = GroupAffine<<P as Bls12Parameters>::G2Parameters>;

Type P must implement the Bls12Parameters trait:

pub trait Bls12Parameters: 'static {
    type Fp: PrimeField + SquareRootField + Into<<Self::Fp as PrimeField>::BigInt>;
    type Fp2Params: Fp2Parameters<Fp = Self::Fp>;
    type Fp6Params: Fp6Parameters<Fp2Params = Self::Fp2Params>;
    type Fp12Params: Fp12Parameters<Fp6Params = Self::Fp6Params>;
    type G1Parameters: SWModelParameters<BaseField = Self::Fp>;
    type G2Parameters: SWModelParameters<BaseField = Fp2<Self::Fp2Params>, ScalarField = <Self::G1Parameters as ModelParameters>::ScalarField>;

    const X: &'static [u64];
    const X_IS_NEGATIVE: bool;
    const TWIST_TYPE: TwistType;
}

As expected, types G1Parameters and G2Parameters must both implement the SWModelParameters trait with a prime base field for G1Parameters and a quadratic extension field for G2Parameters.

Conversion

Conversion between affine and projective coordinates is handled by the From and Into traits. These are very general and useful traits that you can read about here and here. They provide respectively an associated function from and a method into, the latter one being generally derived from the former.

The function from for creating a point in projective coordinates from a point in affine coordinates is implemented here:

impl<P: Parameters> From<GroupAffine<P>> for GroupProjective<P> {
    #[inline]
    fn from(p: GroupAffine<P>) -> GroupProjective<P> {
        if p.is_zero() {
            Self::zero()
        } else {
            Self::new(p.x, p.y, P::BaseField::one())
        }
    }
}

The converse function, creating a point in affine coordinates from a point in projective coordinates, is implemented here:

impl<P: Parameters> From<GroupProjective<P>> for GroupAffine<P> {
    #[inline]
    fn from(p: GroupProjective<P>) -> GroupAffine<P> {
        if p.is_zero() {
            GroupAffine::zero()
        } else if p.z.is_one() {
            // If Z is one, the point is already normalized.
            GroupAffine::new(p.x, p.y, false)
        } else {
            // Z is nonzero, so it must have an inverse in a field.
            let zinv = p.z.inverse().unwrap();
            let zinv_squared = zinv.square();

            // X/Z^2
            let x = p.x * &zinv_squared;

            // Y/Z^3
            let y = p.y * &(zinv_squared * &zinv);

            GroupAffine::new(x, y, false)
        }
    }
}

Note that there are also more explicit into_affine and into_projective methods which simply call into.

All what we just said was for version 0.3 of the crate. The structs and traits have been renamed in version 0.4 as follows:

• struct GroupAffine $\to$ Affine
• trait AffineCurve $\to$ AffineRepr
• struct GroupProjective $\to$ Projective
• trait ProjectiveCurve $\to$ CurveGroup: Group.

Hopefully the code of the verify function should now make completely sense. Note in particular how elliptic curve points are converted from affine coordinates to projective coordinates using method into before being passed to product_of_pairings.

It's now time to see what the hash_to_curve function does exactly.

---

1: Note that hyphens are not valid characters in Rust identifiers, however it is possible (and idiomatic) to use them in package and crate names. Cargo automatically converts them to underscores. See here.

2: If you're curious about what guarantees we have that the source codes on github.com and crates.io are really the same, I recommend this interesting blog post by Eric Seppanen.

Understanding the hash-to-curve Function

It remains to take a look at what the hash_to_curve function defined in the src/hash module is doing exactly:

use ark_bls12_381::{G1Affine, G1Projective};
use ark_crypto_primitives::crh::{
    pedersen::{Window, CRH},
    CRH as CRHScheme,
};
use rand::SeedableRng;
use rand_chacha::ChaCha20Rng;

// --snip--

#[derive(Clone)]
struct ZkHackPedersenWindow {}

impl Window for ZkHackPedersenWindow {
    const WINDOW_SIZE: usize = 1;
    const NUM_WINDOWS: usize = 256;
}

pub fn hash_to_curve(msg: &[u8]) -> (Vec<u8>, G1Affine) {
    let rng_pedersen = &mut ChaCha20Rng::from_seed([
        1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
        1, 1,
    ]);
    let parameters = CRH::<G1Projective, ZkHackPedersenWindow>::setup(rng_pedersen).unwrap();
    let b2hash = blake2s_simd::blake2s(msg);
    (
        b2hash.as_bytes().to_vec(),
        CRH::<G1Projective, ZkHackPedersenWindow>::evaluate(&parameters, b2hash.as_bytes())
            .unwrap(),
    )
}

This function first initializes the pseudorandom number generator ChaCha20 with a 32-byte seed and feeds this RNG to the setup function. We look up the setup function in the crypto_primitives::crh::pedersen submodule (how do we know where to look? we check the use statement which brings CRH into scope at the beginning of the src/hash.rs file) and arrive here. Documentation is nonexistent so we jump to the code. Here are the relevant lines:

pub struct Parameters<C: ProjectiveCurve> {
    pub generators: Vec<Vec<C>>,
}

pub struct CRH<C: ProjectiveCurve, W: Window> {
    group: PhantomData<C>,
    window: PhantomData<W>,
}

impl<C: ProjectiveCurve, W: Window> CRHTrait for CRH<C, W> {
    const INPUT_SIZE_BITS: usize = W::WINDOW_SIZE * W::NUM_WINDOWS;
    type Output = C::Affine;
    type Parameters = Parameters<C>;

    fn setup<R: Rng>(rng: &mut R) -> Result<Self::Parameters, Error> {
        // ...
        let generators = Self::create_generators(rng);
        // ...
        Ok(Self::Parameters { generators })
    }

    // ...
}

impl<C: ProjectiveCurve, W: Window> CRH<C, W> {
    pub fn create_generators<R: Rng>(rng: &mut R) -> Vec<Vec<C>> {
        let mut generators_powers = Vec::new();
        for _ in 0..W::NUM_WINDOWS {
            generators_powers.push(Self::generator_powers(W::WINDOW_SIZE, rng));
        }
        generators_powers
    }

    pub fn generator_powers<R: Rng>(num_powers: usize, rng: &mut R) -> Vec<C> {
        let mut cur_gen_powers = Vec::with_capacity(num_powers);
        let mut base = C::rand(rng);
        for _ in 0..num_powers {
            cur_gen_powers.push(base);
            base.double_in_place();
        }
        cur_gen_powers
    }
}

Each invocation of generator_powers draws a random group element $B{\leftarrow }_{\$}{\mathbb{G}}_1$ and returns the vector $(B,2B,\dots ,2^{w-1}B)$ where $w\cong$ W::WINDOW_SIZE. This function is called $n\cong$ NUM_WINDOWS times by create_generators which then returns a vector $$((B_0,\dots ,2^{w-1}{B}_0),\dots ,(B_{n-1},\dots ,2^{w-1}{B}_{n-1}))$$ where $B_0,\dots ,B_{n-1}$ are random group elements. In hash_to_curve, this function is called with constants WINDOW_SIZE = 1 and NUM_WINDOWS = 256 as defined in the implementation of trait Window for struct ZkHackPedersenWindow. Hence, the line

let parameters = CRH::<G1Projective, ZkHackPedersenWindow>::setup(rng_pedersen).unwrap();

defines a Parameters<G1Projective> struct whose field generators holds a tuple of 256 random group elements $(B_0,\dots ,B_{255})$ of type G1Projective.

Then, the message is hashed with hash function BLAKE2s and the result is passed to the evaluate function, whose core is as follows:

    fn evaluate(parameters: &Self::Parameters, input: &[u8]) -> Result<Self::Output, Error> {
        // ...

        // Compute sum of h_i^{m_i} for all i.
        let bits = bytes_to_bits(input);
        let result = cfg_chunks!(bits, W::WINDOW_SIZE)
            .zip(&parameters.generators)
            .map(|(bits, generator_powers)| {
                let mut encoded = C::zero();
                for (bit, base) in bits.iter().zip(generator_powers.iter()) {
                    if *bit {
                        encoded += base;
                    }
                }
                encoded
            })
            .sum::<C>();

        // ...

        Ok(result.into())
    }

First, the input is converted into a vector of booleans $(b_0,\dots ,b_{\ell -1})$ using the bytes_to_bits function from the pedersen module. Then, it is split into $n\cong$ NUM_WINDOWS chunks of size $w\cong$ WINDOW_SIZE and zipped with parameters.generators which contains the points $$((B_0,\dots ,2^{w-1}{B}_0),\dots ,(B_{n-1},\dots ,2^{w-1}{B}_{n-1}))$$ returned by setup. The closure inside map takes a chunk of bits $(b_0,\dots ,b_{w-1})$ and a vector of points $(B,\dots ,2^{w-1}B)$ and returns $$\sum _{i=0}^{w-1}{b}_i{2}^{i}B=\beta B$$ where $\beta :={\sum }_{i=0}^{w-1}{b}_i{2}^i$ is the integer whose bit representation is $(b_0,\dots ,b_{w-1}).$ The final value of result is the sum over the $n$ windows of the output of this closure, i.e., $$\sum _{j=0}^{n-1}\sum _{i=0}^{w-1}{b}_{wj+i}{2}^i{B}_j=\sum _{j=0}^{n-1}{\beta }_j{B}_j$$ where ${\beta }_j={\sum }_{i=0}^{w-1}{b}_{wj+i}{2}^i$ is the integer corresponding to the $j$-th chunk of bits of the input.

In the specific case of hash_to_curve, we have $w=1$ and $n=256.$ Hence, if we let $(B_0,\dots ,B_{255})$ denote the 256 group elements returned by setup and $\mathbf{h}=(h_0,\dots ,h_{255}):=blakes2s(m)$ denote the output of the BLAKE2s hash function applied to message $m,$ seen as a vector of bits, then the hash_to_curve function applied to $m$ returns the point on ${\mathbb{G}}_1$ defined by $$H(m):=\sum _{j=0}^{255}{h}_j{B}_j.$$

Hence, $H$ can be seen as the composition of BLAKE2s and an instance of Pedersen hashing. Since both BLAKE2s and Pedersen hashing are collision-resistant (assuming hardness of the discrete logarithm problem for Pedersen hashing), $H$ is collision-resistant as well. Is it sufficient to make BLS signatures secure though?

Now that we understand all parts of the code, we can get down to solving the puzzle.

Gathering the Pieces

Recall that the BLS signature of message $m$ is the point on ${\mathbb{G}}_1$ defined as $S=xH(m),$ where $x\in {\mathbb{Z}}_r$ is the secret key. We also established in the previous section that $H(m)$ is given by $$H(m):=\sum _{j=0}^{255}{h}_j{B}_j$$ where the $h_j$'s are the bits of $blakes2s(m).$ Hence, the signature of $m$ can be expressed as $$S=xH(m)=\sum _{j=0}^{255}{h}_j(x{B}_j).$$ In other words, $S$ is a formal linear combination (with known coefficients) of secret points $(x{B}_0,\dots ,x{B}_{255}).$ As we are given 256 signatures, we should be able to forge a new signature with some linear algebra.

In the following, we let $m^{\ast }$ be the message for which we want to forge a signature, and ${\mathbf{h}}^{\ast }=(h_0^{\ast },\dots ,h_{255}^{\ast }):=blakes2s(m^{\ast })$ denote the output of the BLAKE2s hash function applied to $m^{\ast },$ seen as a vector of bits. Hence, the signature $S^{\ast }$ that we want to forge is $$S^{\ast }=xH(m^{\ast })=\sum _{j=0}^{255}{h}_j^{\ast }(x{B}_j).$$ Similarly, let $m_0,\dots ,m_{255}$ denote the 256 messages whose signature is given in the puzzle data and let ${\mathbf{h}}_i=(h_{i,j}{)}_{0\le j\le 255}:=blake2s(m_i)$ denote the hash of $m_i$ with BLAKE2s. Then the signature $S_i$ of message $m_i$ is $$S_i=\sum _{j=0}^{255}{h}_{i,j}(x{B}_j).$$

Assume that we can write ${\mathbf{h}}^{\ast }$ as a linear combination of vectors ${\mathbf{h}}_0,\dots ,{\mathbf{h}}_{255},$ i.e., we can find a vector $\mathbf{c}=(c_0,\dots ,c_{255})\in ({\mathbb{Z}}_r{)}^{256}$ such that $${\mathbf{h}}^{\ast }=\sum _{i=0}^{255}{c}_i{\mathbf{h}}_i.\text{\hspace{1em}(25.4.1)}$$ Then we can compute $S^{\ast }$ as $$\begin{array}{rl}\sum _{i=0}^{255}{c}_i{S}_i& =\sum _{i=0}^{255}\sum _{j=0}^{255}{c}_i{h}_{i,j}(x{B}_j)\\ & =\sum _{j=0}^{255}\underset{h_j^{\ast }}{\underbrace{\left(\sum _{i=0}^{255}{c}_i{h}_{i,j}\right)}}(x{B}_j)\\ & =S^{\ast }.\end{array}$$ How do we compute $\mathbf{c}$? Letting $\mathbf{M}$ denote the $256\times 256$ matrix whose rows are ${\mathbf{h}}_0,\dots ,{\mathbf{h}}_{255},$ then Eq. (25.4.1) is equivalent to $${\mathbf{h}}^{\ast }=\mathbf{c}\cdot \mathbf{M}.$$ Hence, we need to solve a linear system.

Implementing the Attack

To perform the linear algebra and compute $\mathbf{c},$ we will use Sage. For this, we first write $\mathbf{M}$ and ${\mathbf{h}}^{\ast }$ as arrays in a file sage/data.sage that we will load in Sage later on. Note that we must write the individual bits of the outputs of BLAKE2s. For this, we use the bytes_to_bits function from the pedersen module which returns a vector of booleans. Trying to write this vector yields an array of true and false strings which is not what we want, so we first need to convert these booleans into bytes.

use bls_pedersen::bls::verify;
use bls_pedersen::data::puzzle_data;
use bls_pedersen::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use bls_pedersen::hash::hash_to_curve;
use ark_crypto_primitives::crh::pedersen::bytes_to_bits;
use ark_ff::{PrimeField, Zero};
use ark_ec::{AffineCurve, ProjectiveCurve, msm::VariableBaseMSM};
use ark_bls12_381::{Fr, G1Affine, G1Projective};
use std::fs;
use std::fs::File;
use std::io::Write;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (pk, ms, sigs) = puzzle_data();
    for (m, sig) in ms.iter().zip(sigs.iter()) {
        verify(pk, m, *sig);
    }

    // --snip--

    let m = b"your_username";

    let mut data_file = File::create("sage/data.sage").unwrap();

    // write matrix M to be passed to SAGE
    data_file.write_all("M = [".as_bytes()).unwrap();
    for m in ms {
        let (hash, _) = hash_to_curve(&m);
        let bits = bytes_to_bits(&hash);
        let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
        let line = format!("{:?}, ", bits);
        data_file.write_all(line.as_bytes()).unwrap();
    }
    data_file.write_all("]\n".as_bytes()).unwrap();

    // write vector h to be passed to SAGE
    data_file.write_all("h = ".as_bytes()).unwrap();
    let (hash, _) = hash_to_curve(m);
    let bits = bytes_to_bits(&hash);
    let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
    let line = format!("{:?}", bits);
    data_file.write_all(line.as_bytes()).unwrap();

    // --snip--

    // read solution in coeffs.txt and cast these strings (one per line) into scalar field Fr elements
    let mut coeffs = Vec::new();
    for line in fs::read_to_string("sage/coeffs.txt").unwrap().lines() {
        // let c = Fr::from_le_bytes_mod_order(line.as_bytes()); // doesn't work
        let c: Fr = line.parse().unwrap();
        coeffs.push(c);
    }

    // --snip--

    // compute forgery using affine coordinates
    let mut aff_forge = G1Affine::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        aff_forge = aff_forge + sig.mul(*c).into();
    }

    // compute forgery using projective coordinates
    let mut proj_forge = G1Projective::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        proj_forge += sig.mul(*c);
    }

    // compute forgery using multi-scalar multiplication
    let coeffs: Vec<<Fr as PrimeField>::BigInt> = coeffs.iter().map(|c| (*c).into_repr()).collect();
    let msm_forge = VariableBaseMSM::multi_scalar_mul(&sigs, &coeffs);

    /* Your solution here! */

    verify(pk, m, aff_forge);
    verify(pk, m, proj_forge.into_affine());
    verify(pk, m, msm_forge.into_affine());
    println!("Puzzle solved!");
}

Then we move to Sage. We write a script sage/lin_algebra.sage that reads matrix $\mathbf{M}$ and vector ${\mathbf{h}}^{\ast }$ from file sage/data.sage and then we use the solve_left method to solve the linear system. Note that we must work over the scalar field ${\mathbb{F}}_r$ of BLS12-381 and explicitly declare that $\mathbf{M}$ and ${\mathbf{h}}^{\ast }$ are defined over ${\mathbb{F}}_r.$ After that, we write coefficients of solution $\mathbf{c}$ returned by Sage in file sage/coeffs.txt, one coefficient per line. Note that $\mathbf{M}$ is invertible and the system has a unique solution (which was not a given). Here is the content of the sage/lin_algebra.sage file (the size $r$ of the scalar field of BLS12-381 can be found for example here):

r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
Fr = FiniteField(r)
load('sage/data.sage')
M = Matrix(Fr, M)
h = vector(Fr, h)
c = M.solve_left(h)
file = open('sage/coeffs.txt', 'w')
for coeff in c:
    file.write(str(coeff) + '\n')
file.close()

We simply run it with

$ sage ./sage/lin_algebra.sage

It remains to import the coefficients in our Rust function and compute $S^{\ast }=\sum c_i{S}_i.$ For this, we read file sage/coeffs.txt line by line, obtaining strings that we must convert into elements of the scalar field. Hence, we bring BLS12-381 scalar field into scope with use ark_bls12_381::Fr and look for how to do the conversion. Initially, I tried to use functions from_be_bytes_mod_order and from_le_bytes_mod_order of the PrimeField trait (after converting strings into slices of bytes using as_bytes): the code compiles but the forgery does not verify... A simpler solution uses the fact that the PrimeField trait has supertrait FromStr, meaning one can directly convert strings into the Fr type using the parse method.

use bls_pedersen::bls::verify;
use bls_pedersen::data::puzzle_data;
use bls_pedersen::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use bls_pedersen::hash::hash_to_curve;
use ark_crypto_primitives::crh::pedersen::bytes_to_bits;
use ark_ff::{PrimeField, Zero};
use ark_ec::{AffineCurve, ProjectiveCurve, msm::VariableBaseMSM};
use ark_bls12_381::{Fr, G1Affine, G1Projective};
use std::fs;
use std::fs::File;
use std::io::Write;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (pk, ms, sigs) = puzzle_data();
    for (m, sig) in ms.iter().zip(sigs.iter()) {
        verify(pk, m, *sig);
    }

    // --snip--

    let m = b"your_username";

    let mut data_file = File::create("sage/data.sage").unwrap();

    // write matrix M to be passed to SAGE
    data_file.write_all("M = [".as_bytes()).unwrap();
    for m in ms {
        let (hash, _) = hash_to_curve(&m);
        let bits = bytes_to_bits(&hash);
        let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
        let line = format!("{:?}, ", bits);
        data_file.write_all(line.as_bytes()).unwrap();
    }
    data_file.write_all("]\n".as_bytes()).unwrap();

    // write vector h to be passed to SAGE
    data_file.write_all("h = ".as_bytes()).unwrap();
    let (hash, _) = hash_to_curve(m);
    let bits = bytes_to_bits(&hash);
    let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
    let line = format!("{:?}", bits);
    data_file.write_all(line.as_bytes()).unwrap();

    // --snip--

    // read solution in coeffs.txt and cast these strings (one per line) into scalar field Fr elements
    let mut coeffs = Vec::new();
    for line in fs::read_to_string("sage/coeffs.txt").unwrap().lines() {
        // let c = Fr::from_le_bytes_mod_order(line.as_bytes()); // doesn't work
        let c: Fr = line.parse().unwrap();
        coeffs.push(c);
    }

    // --snip--

    // compute forgery using affine coordinates
    let mut aff_forge = G1Affine::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        aff_forge = aff_forge + sig.mul(*c).into();
    }

    // compute forgery using projective coordinates
    let mut proj_forge = G1Projective::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        proj_forge += sig.mul(*c);
    }

    // compute forgery using multi-scalar multiplication
    let coeffs: Vec<<Fr as PrimeField>::BigInt> = coeffs.iter().map(|c| (*c).into_repr()).collect();
    let msm_forge = VariableBaseMSM::multi_scalar_mul(&sigs, &coeffs);

    /* Your solution here! */

    verify(pk, m, aff_forge);
    verify(pk, m, proj_forge.into_affine());
    verify(pk, m, msm_forge.into_affine());
    println!("Puzzle solved!");
}

We are now ready to compute the forgery. Scalar multiplication is performed using the mul method. One can choose to work with affine or projective coordinates. One thing to note is that mul applied to a point in affine coordinates returns a point in projective coordinates. In order to add it to an affine point afterwards, it must be converted back into affine form using method into. There is also the option to use the multi_scalar_mul function (replaced by msm in version 0.4.0 of the library) implementing multi-scalar multiplication directly. However, the scalars in vector coeffs must first be cast into their "big integer" representation using the into_repr method. The code below uses the three possibilities. Note that the += operator does not work for affine representation.

use bls_pedersen::bls::verify;
use bls_pedersen::data::puzzle_data;
use bls_pedersen::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use bls_pedersen::hash::hash_to_curve;
use ark_crypto_primitives::crh::pedersen::bytes_to_bits;
use ark_ff::{PrimeField, Zero};
use ark_ec::{AffineCurve, ProjectiveCurve, msm::VariableBaseMSM};
use ark_bls12_381::{Fr, G1Affine, G1Projective};
use std::fs;
use std::fs::File;
use std::io::Write;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (pk, ms, sigs) = puzzle_data();
    for (m, sig) in ms.iter().zip(sigs.iter()) {
        verify(pk, m, *sig);
    }

    // --snip--

    let m = b"your_username";

    let mut data_file = File::create("sage/data.sage").unwrap();

    // write matrix M to be passed to SAGE
    data_file.write_all("M = [".as_bytes()).unwrap();
    for m in ms {
        let (hash, _) = hash_to_curve(&m);
        let bits = bytes_to_bits(&hash);
        let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
        let line = format!("{:?}, ", bits);
        data_file.write_all(line.as_bytes()).unwrap();
    }
    data_file.write_all("]\n".as_bytes()).unwrap();

    // write vector h to be passed to SAGE
    data_file.write_all("h = ".as_bytes()).unwrap();
    let (hash, _) = hash_to_curve(m);
    let bits = bytes_to_bits(&hash);
    let bits: Vec<u8> = bits.into_iter().map(|x| x as u8).collect();
    let line = format!("{:?}", bits);
    data_file.write_all(line.as_bytes()).unwrap();

    // --snip--

    // read solution in coeffs.txt and cast these strings (one per line) into scalar field Fr elements
    let mut coeffs = Vec::new();
    for line in fs::read_to_string("sage/coeffs.txt").unwrap().lines() {
        // let c = Fr::from_le_bytes_mod_order(line.as_bytes()); // doesn't work
        let c: Fr = line.parse().unwrap();
        coeffs.push(c);
    }

    // --snip--

    // compute forgery using affine coordinates
    let mut aff_forge = G1Affine::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        aff_forge = aff_forge + sig.mul(*c).into();
    }

    // compute forgery using projective coordinates
    let mut proj_forge = G1Projective::zero();
    for (c, sig) in coeffs.iter().zip(sigs.iter()) {
        proj_forge += sig.mul(*c);
    }

    // compute forgery using multi-scalar multiplication
    let coeffs: Vec<<Fr as PrimeField>::BigInt> = coeffs.iter().map(|c| (*c).into_repr()).collect();
    let msm_forge = VariableBaseMSM::multi_scalar_mul(&sigs, &coeffs);

    /* Your solution here! */

    verify(pk, m, aff_forge);
    verify(pk, m, proj_forge.into_affine());
    verify(pk, m, msm_forge.into_affine());
    println!("Puzzle solved!");
}

The attack requires to run the Rust binary to write the file sage/data.sage, then the Sage script, and then the Rust binary again to read sage/coeffs.txt. Not great, but I have no idea how to call the Sage script from the Rust main function. Feel free to improve this, for example with a bash script.

Conclusion

The key takeaway of this puzzle is that Pedersen hashing does not behave as a random oracle. Although it is provably collision-resistant assuming the discrete logarithm problem is hard, it has a rich algebraic structure which makes it unsuitable for cases where a hash function behaving as a random oracle is required, such as BLS signatures.

Which hash-to-curve function should be used to make BLS secure then? The easy solution is to hash the message together with a counter into the base field of the elliptic curve until the result is the x-coordinate of a point on the curve.¹ The drawback is that it is not possible to implement it in constant time and that security of this construction is not known to hold in the strong sense of being indifferentiable from a random oracle [BCI+10]. For the specific case of BLS12-381, an efficient solution based on isogenies was recently proposed by Wahby and Boneh [WB19]. See also RFC 9380 specifying various hash-to-curve constructions.

---

1: Note that hashing into the scalar field to get $h(m)\in {\mathbb{F}}_r$ and letting $H(m)=h(m)G_1$ is completely insecure: one single signature $S=xH(m)=x(h(m)G_1)$ on some message $m$ reveals $x{G}_1=h(m{)}^{-1}S,$ which allows to forge a signature on any other message $m^{\prime }$ by computing $S^{\prime }=h(m^{\prime })(x{G}_1)=xH(m^{\prime }).$

Puzzle 2: Group Dynamics

• puzzle page
• GitHub repository
• puzzle description:

Alice has computed a trusted setup for a Groth16 proof scheme.
She decided to use a 128-bit long secret, and she swears that she does not know
the secret s needed to get this setup.
The trusted setup is constructed as follows using two additional scalars α and β:
* [s^i] G1 for 0 ⩽ i ⩽ 62,
* [α s^i] G1 for 0 ⩽ i ⩽ 31,
* [β s^i] G1 for 0 ⩽ i ⩽ 31,
* [s^i] G2 for 0 ⩽ i ⩽ 31.

Can you recover the secret anyway?

Heads-up: although the puzzle description refers to the Groth16 zk-SNARK [Gro16], there's no need to know anything about Groth16 to solve the puzzle. Suffice it to say, Groth16 uses a so-called structured reference string (or common reference string) generated during a trusted setup which has a form similar to the one of the puzzle data, meaning it consists of points on some pairing-friendly pair of curves computed somehow similarly to what is described in the puzzle instructions. Anyone able to retrieve the secret values $(s,\alpha ,\beta )$ (the simulation trapdoor, sometimes referred to as "toxic waste" as it must absolutely be discarded after the trusted setup) would be able to break the soundness of the proof system, meaning it could produce valid proofs for false statements.

Another important scheme where such structured parameters show up is the KZG polynomial commitment scheme.

Let's take a look at the code to see what this is about.

Initial Inspection

On the surface, this puzzle looks like a discrete logarithm problem: we must recover some secret value $s$ given $G_1,$ $s{G}_1,$ etc. Actually, this variant where additional points $s^2{G}_1,$ $s^3{G}_1,$ ... $s^q{G}_1$ are given is sometimes called the $q$-discrete logarithm (or $q$-strong discrete logarithm) problem. In some cases, this auxiliary information enables to speed up the computation of $s$ using Cheon's algorithm [Che10]. Note also that the assumption that the $q$-discrete log problem is hard implies the soundness of the Groth16 proof system in a restricted model of computation called the algebraic group model [FKL18].

Let's take a look at the code. The package directory is organized as follows:

zkhack-trusted-setup
├── Cargo.toml
└── src
    ├── bin
    │   └── verify-trusted-setup.rs
    ├── data.rs
    └── lib.rs

As with the previous puzzle, the package has two crates: a library crate with root file src/lib.rs which simply declares a module data and a string slice with the puzzle description and a binary crate with root file src/bin/verify-trusted-setup.rs which contains the following code:

use ark_bls12_381::Fr;
use ark_ec::AffineCurve;
use prompt::{puzzle, welcome};
use std::str::FromStr;
use trusted_setup::data::puzzle_data;
use trusted_setup::PUZZLE_DESCRIPTION;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (_ts1, _ts2) = puzzle_data();

    /* Your solution here! (s in decimal)*/
    let s = Fr::from_str("0").unwrap();

    assert_eq!(_ts1[0].mul(s), _ts1[1]);
    assert_eq!(_ts2[0].mul(s), _ts2[1]);
}

We can see that the main function simply loads the puzzle data and expects us to replace "0" with the correct value for $s$ so that the two final assertions evaluate to true and the program does not panic anymore. Note that ark_bls12_381::Fr, the scalar field of the BLS12-381 pairing-friendly elliptic curve, is brought into scope.

The code for the data module in src/data.rs, where the puzzle_data function is defined, looks like this:

use ark_bls12_381::{G1Affine, G2Affine};
use ark_serialize::CanonicalDeserialize;
use std::io::Cursor;

pub fn puzzle_data() -> ([G1Affine; 2 * 32 - 1 + 32 + 32], [G2Affine; 32]) {
    // ...
}

The puzzle_data function returns two arrays: _ts1 which holds 127 elements of type G1Affine (the type representing elements of group ${\mathbb{G}}_1$ of BLS12-381 in affine representation) and _ts2 which holds 32 elements of type G2Affine (the type representing elements of group ${\mathbb{G}}_2$ of BLS12-381 in affine representation). From this and the puzzle description we can infer that _ts1 holds $$[G_1,s{G}_1,\dots ,s^{62}{G}_1,\alpha G_1,\alpha s{G}_1,\dots ,\alpha s^{31}{G}_1,\beta G_1,\beta s{G}_1,\dots ,\beta s^{31}{G}_1]$$ while _ts2 holds $$[G_2,s{G}_2,\dots ,s^{31}{G}_2].$$

Importantly, $G_1$ and $G_2$ above do not refer to the commonly agreed subgroup generators of BLS12-381 but to the points _ts1[0] and _ts2[0] provided by Alice.

Taking a closer look at how these values are defined, we can see that puzzle_data calls an associated function named deserialize_unchecked. What is it that this function does not check?

We head up towards the ark-ec-0.3.0 crate documentation and search for deserialize_unchecked, which leads us here. This function is part of the ark_serialize::CanonicalDeserialize trait. The documentation simply says:

fn deserialize_unchecked<R: Read>(reader: R) -> Result<Self, SerializationError>

Reads self from reader without compression, and without performing validity checks. Should be used only when the input is trusted.

Not very informative, so we jump to the source code:

fn deserialize_unchecked<R: Read>(mut reader: R) -> Result<Self, SerializationError> {
    let x: P::BaseField = CanonicalDeserialize::deserialize(&mut reader)?;
    let (y, flags): (P::BaseField, SWFlags) =
        CanonicalDeserializeWithFlags::deserialize_with_flags(&mut reader)?;
    let p = GroupAffine::<P>::new(x, y, flags.is_infinity());
    Ok(p)
}

This function simply reads two base field elements $x$ and $y$ from the buffer and creates a new point $(x,y)$ in affine coordinates. What could go wrong? If there's a deserialize_unchecked function, maybe there's a sibling which actually checks something? Indeed, the function just above in the source code reads:

fn deserialize_uncompressed<R: Read>(
    reader: R,
) -> Result<Self, ark_serialize::SerializationError> {
    let p = Self::deserialize_unchecked(reader)?;

    if !p.is_in_correct_subgroup_assuming_on_curve() {
        return Err(SerializationError::InvalidData);
    }
    Ok(p)
}

(There is also a deserialize function which does something similar for points in compressed form, meaning they are encoded with their $x$-coordinate and the sign of $y.$) Here we are: the crucial property which is not checked by deserialize_unchecked is whether the curve point it returns is in the correct subgroup. What does that mean exactly?

Small Subgroup Attacks

Actually, the puzzle webpage was giving us a hint by advising us to read a paper by Cremers and Jackson [CJ19] about so-called small subgroup attacks. Small subgroup attacks (more specifically, small subgroup key recovery attacks, as there are other flavors such as small subgroup confinement attacks that we won't touch here) have been proposed by Lim and Lee in 1997 [LL97] and vulnerable implementations have been found in the wild [VAS+17].

In a nutshell, small subgroup attacks occur when some party, holding some secret scalar $x,$ is tricked into computing $xP$ thinking $P$ generates some subgroup $\mathbb{G}$ (of some larger group $\mathbb{H})$ where the discrete logarithm problem is hard whereas in fact $P$ generates another subgroup ${\mathbb{G}}^{\prime }$ of $\mathbb{H}$ where the discrete logarithm problem is much easier. This can happen for example in Diffie-Hellman key exchange or in some blind signing protocols where the party computing the scalar multiplication $xP$ gets the point $P$ from another (potentially malicious) party rather than from trusted parameters. Before going into details, we need to recall some basic facts about groups and their subgroups.

Computing Discrete Logarithms in Groups of Composite Order

Let $\mathbb{G}$ be a finite group of order $n.$ Then, by Lagrange's Theorem, the order of any subgroup of $\mathbb{G}$ divides $n.$ Moreover, if $\mathbb{G}$ is cyclic, then every subgroup of $\mathbb{G}$ is also cyclic (Proposition 5.19) and by the Fundamental Theorem of Cyclic Groups, for each divisor $d$ of $n$ there exists a unique subgroup of order $d.$

Small subgroup attacks derive from a simple observation about the discrete logarithm problem in groups of composite order. Let $\mathbb{G}$ by a cyclic group of composite order $n=n_1{n}_2$ where $n_1$ and $n_2$ are coprime and let $G$ be a generator of $\mathbb{G}.$ Say we want to solve the discrete logarithm problem for a group element $X\in \mathbb{G}$ in base $G,$ i.e., we want to find the unique integer $x\in \{0,\dots ,n-1\}$ such that $X=xG.$ Then, we can take advantage of the structure of group $\mathbb{G}$ as follows:

• First, we compute $G_1^{\prime }=n_{2}G$ and $X_1^{\prime }=n_{2}X.$ Then $G_1^{\prime }$ has order $n_1$ (why?) and $$X_1^{\prime }=n_2(xG)=x(n_{2}G)=x{G}_1^{\prime }.$$ If we let $x_1\in \{0,\dots ,n_1-1\}$ denote the discrete logarithm of $X_1^{\prime }$ in base $G_1^{\prime },$ which can be computed in $O(\sqrt{n_1})$ group operations with generic algorithms, then $X_1^{\prime }=x{G}_1^{\prime }$ implies that $x=x_1\mathrm{mod}{n}_1.$
• Similarly, one can compute $G_2^{\prime }=n_{1}G$ and $X_2^{\prime }=n_{1}X.$ Then the discrete logarithm $x_2$ of $X_2^{\prime }$ in base $G_2^{\prime }$ can be computed in $O(\sqrt{n_2})$ group operations and satisfies $x=x_2\mathrm{mod}{n}_2.$
• Finally, one can combine the two equations $x=x_1\mathrm{mod}{n}_1$ and $x=x_2\mathrm{mod}{n}_2$ using the Chinese remainder theorem to obtain $x$ (modulo $n_1{n}_2=n).$

All in all, $x$ has been computed in $O(\sqrt{n_1}+\sqrt{n_2})$ rather than $O(\sqrt{n_1{n}_2})$ group operations.

The procedure above is the basis of the Pohlig-Hellman algorithm which computes discrete logarithms in a group of order $n=\prod p_i^{e_i}$ in $O(\sum e_i\sqrt{p_i})$ group operations, assuming the factorization of $n$ is known. Hence, if one wants 128-bit security for the discrete logarithm problem, a necessary condition is that the order of the group has a prime factor of size at least 256 bits.

This explains why cryptographers are so obsessed with groups of prime order: by Lagrange's theorem, groups of prime order don't have any subgroups other than the trivial ones (itself and the subgroup of order 1 consisting of the identity element) and hence the discrete logarithm problem cannot be "broken" into smaller pieces as above (which, of course, does not imply that the DL problem cannot by broken by other, non-generic means).

Small Subgroup Attacks

Groups used in cryptography often have composite order. For example, the multiplicative group ${\mathbb{Z}}_p^{\ast }$ of integers modulo some prime number $p$ has order $p-1,$ which is always even. For elliptic curves, although it is possible to construct secure curves with a prime number of points such as secp256k1, many curves that are attractive for efficiency reasons (such as twisted Edwards curves) have order $h\ast p,$ where $p$ is prime and $h$ is small (usually 4 or 8).

When using such groups of composite order $n,$ a "base" point $G$ of prime order $r$ is usually specified. As long as group elements used in a protocol are computed as multiples of $G,$ one never "gets out" of the prime-order subgroup $⟨G⟩.$ The index of subgroup $⟨G⟩,$ i.e., the ratio $h:=n/r,$ is often called the cofactor of $G$ in a cryptographic context.

However, what happens if Alice, holding some secret value $x,$ is tricked by an attacker into computing $Q:=xP$ where $P$ is not in subgroup $⟨G⟩$? If $Q$ is made available to the attacker, then it can use the Pohlig-Hellman algorithm to compute $x\mathrm{mod}k$ where $k$ is the "smooth" part of $P$'s order (meaning, informally, the product of all "small" prime factors of $P$'s order), which might be somewhere between a few bits (if $h$ is $4$ or $8)$ to enough to retrieve $x$ entirely. Note that $P$ does not have have to actually be in a small subgroup for the attack to work, the only condition is that some multiples of $P$ be in small subgroups (equivalently, that $⟨P⟩$ has small subgroups). If, for example, $P$ generates the entire ambient group of order $n=h\ast r,$ then one can "project" the discrete logarithm on the subgroup of order $h$ by computing $P^{\prime }=rP$ and $Q^{\prime }=rQ$ and work with the pair $(P^{\prime },Q^{\prime })$ instead.

Observe that the maximal amount of information that can leak about secret $x$ in a small subgroup attack is ${\log }_{2}h$ bits, hence having a "small" cofactor as 4 or 8 might seem benign. However, there are actually plenty of other ways a small cofactor can mess with your protocol, an interesting example being Monero's multiple-spend bug.

What about pairing-based cryptography? While there exists families of pairing-friendly curve pairs where the first "small" curve has prime order, such as Baretto-Naehrig (BN) curves [BN05], the second "large" curve always has composite order with a very large cofactor. For members of the BLS family, even the first small curve has composite order. Hence, small subgroup attacks are especially relevant when using pairing-based cryptographic primitives. For more information, see [BCM+15].

Subgroup Membership Tests

How can we prevent small subgroup attacks? By performing a subgroup membership test. Given a group $\mathbb{G}$ of composite order $n$ and a prime factor $r$ of $n,$ an element $P$ is in the subgroup of order $r$ if and only if $rP=0_{\mathbb{G}}.$ This test is simple yet rather costly since $r$ is large. However, there are a number of tricks to make subgroup membership testing more efficient [HGP22]. For curves with small cofactors (4 or 8), some techniques such as Decaf [Ham15] or Ristretto allow to "eliminate the cofactor" and construct a prime-order group.

Invalid Curve Attacks

Finally, assuming we work with a prime-order curve such as secp256k1, is it safe to use any point $P$ received from an untrusted source without verification? If the curve has prime order $r,$ any point other than 0 has order $r,$ right? Well, not exactly: if $P$ was receive in so-called "uncompressed" form (meaning both coordinates $x$ and $y$ were explicitly given), $P$ might not be on the curve at all! It might be on another curve with a different equation but where the same addition formulas apply. If this "ghost" curve has a smooth order, computing $sP$ might end up leaking information about the secret scalar $s$ exactly as described above. This is called an invalid curve attack and has affected for example some implementations of TLS [JSS15] and the Bluetooth protocol [BN19].

Let's now see how to apply all this to the puzzle.

Solving the Puzzle

Subgroup Membership Checks

Now that we know about small subgroup attacks, a natural idea is to check whether $G_1$ and $G_2$ are in the "correct" subgroups, i.e., the subgroups of large prime order specified by the BLS12-381 parameters. Fortunately, the arkworks library has methods for that:

use ark_bls12_381::Fr;
use ark_ec::AffineCurve;
use prompt::{puzzle, welcome};
use std::str::FromStr;
use trusted_setup::data::puzzle_data;
use trusted_setup::PUZZLE_DESCRIPTION;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (_ts1, _ts2) = puzzle_data();

    // --snip--

    // check that G1 and G2 are not in the correct group
    if _ts1[0].is_on_curve() {
        println!("G1 is on the curve.");
    } else {
        println!("G1 is not on the curve.");
    }

    if _ts1[0].is_in_correct_subgroup_assuming_on_curve() {
        println!("G1 is in the correct subgroup.");
    } else {
        println!("G1 is not in the correct subgroup.");
    }

    if _ts2[0].is_on_curve() {
        println!("G2 is on the curve.");
    } else {
        println!("G2 is not on the curve.");
    }

    if _ts2[0].is_in_correct_subgroup_assuming_on_curve() {
        println!("G2 is in the correct subgroup.");
    } else {
        println!("G2 is not in the correct subgroup.");
    }

    // printing points to copy-paste them in sage script
    println!("G1 = {}", _ts1[0]);
    println!("s * G1 = {}", _ts1[1]);
    println!("G2 = {}", _ts2[0]);
    println!("s * g2 = {}", _ts2[1]);

    /* Your solution here! (s in decimal)*/
    let s = Fr::from_str("114939083266787167213538091034071020048").unwrap();
    println!("Checking the solution...");
    assert_eq!(_ts1[0].mul(s), _ts1[1]);
    assert_eq!(_ts2[0].mul(s), _ts2[1]);
    println!("It works!");
}

which yields

G1 is on the curve.
G1 is not in the correct subgroup.
G2 is on the curve.
G2 is not in the correct subgroup.

Nice! So we know that we must mount a small subgroup attack to retrieve $s$ and solve the puzzle.

You can have a look at the code of methods is_on_curve and is_in_correct_subgroup_assuming_on_curve here. Note that if the point that is being tested is not for certain on the curve, one should call both methods: indeed, is_in_correct_subgroup_assuming_on_curve could return true when applied to a point which is not on the curve (see invalid curve attacks).

Solving the Puzzle with Sage

From now on we will be using Sage as it is quite convenient to do all kinds of computations on elliptic curves, as we'll see.

Recall that BLS12-381 actually consists of two curves in short Weierstrass form:

• $E_1({\mathbb{F}}_p):y^2=x^3+a_{1}x+b_1,$ defined over the prime field ${\mathbb{F}}_p$ where $p$ is a 381-bit prime,
• $E_2({\mathbb{F}}_{p^2}):y^2=x^3+a_{2}x+b_2,$ defined over the quadratic extension of ${\mathbb{F}}_p$ obtained from the irreducible polynomial $u^2+1.$

The BLS12-381 parameters also specify two points $P_1$ and $P_2$ (more usually denoted $G_1$ and $G_2$ but this conflicts with the puzzle notation), both of prime order $r,$ but we won't need them here.

Although I'm not aware of any normative reference for BLS12-381, all the parameters can be found in the IETF Internet-Draft for pairing-friendly curves. With that, we can construct the two curves in Sage (see here for the Sage documentation about elliptic curves over finite fields):

p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
F1 = GF(p)
a1 = 0
b1 = 4
E1 = EllipticCurve(F1, [a1, b1])

R.<x> = PolynomialRing(F1)
F2.<u> = F1.extension(x^2+1)
a2 = 0
b2 = 4*(1+u)
E2 = EllipticCurve(F2, [a2, b2])

Although we know that $G_1$ is not in the subgroup of large prime order $r,$ we don't know $G_1$'s order yet. We will compute it with Sage. For this, we display this point by using println!("G1 = {}", _ts1[0]); in the main function of the puzzle and we get:

G1 = GroupAffine(x=Fp384 "(0F99F411A5F6C484EC5CAD7B9F9C0F01A3D2BB73759BB95567F1FE4910331D32B95ED87E36681230273C9A6677BE3A69)",
 y=Fp384 "(12978C5E13A226B039CE22A0F4961D329747F0B78350988DAB4C1263455C826418A667CA97AC55576228FC7AA77D33E5)")

We can now copy-paste these values into our Sage file to define $G_1$ there and ask Sage to compute $G_1$'s order $n_1$ and even factor it:

G1 = E1(0x0F99F411A5F6C484EC5CAD7B9F9C0F01A3D2BB73759BB95567F1FE4910331D32B95ED87E36681230273C9A6677BE3A69, \
        0x12978C5E13A226B039CE22A0F4961D329747F0B78350988DAB4C1263455C826418A667CA97AC55576228FC7AA77D33E5)
n1 = G1.order()
L1 = list(n1.factor())
print("The factorization of G1's order n1 is:")
for l in L1:
    print(l)

which prints the list of prime factors together with their addicity:

The factorization of G1's order n1 is:
(3, 1)
(11, 1)
(10177, 1)
(859267, 1)
(52437899, 1)
(52435875175126190479447740508185965837690552500527637822603658699938581184513, 1)

The largest prime factor is actually $r,$ the order of subgroups ${\mathbb{G}}_1=⟨P_1⟩$ and ${\mathbb{G}}_2=⟨P_2⟩$ one is supposed to work with when using BLS12-381. It's 255-bit, no way we're gonna be able to compute $s\mathrm{mod}r$ of course. On the other hand, the other factors seem small enough so that we can apply the small subgroup attack to compute $s\mathrm{mod}{k}_1$ where $k_1=n_1/r.$ As $k_1$ is a 64-bit number (check with print(numerical_approx(log(n1/r, 2)))), we'll be able to get roughly 64 bits of information about $s,$ a good start.

Recall the overall principle of the attack as described earlier. Let $H_1=s{G}_1$ (this is _ts1[1] from the puzzle data). We compute $G_1^{\prime }=r{G}_1$ (whose order is $k_1=n_1/r)$ and $H_1^{\prime }=r{H}_1.$ Then $$H_1^{\prime }=r(s{G}_1)=s(r{G}_1)=s{G}_1^{\prime }=(s\mathrm{mod}{k}_1)G_1^{\prime },$$ where the last equality follows from the fact that $G_1^{\prime }$ has order $k_1.$ We can now compute the discrete logarithm $s_1$ of $H_1^{\prime }$ in base $G_1^{\prime },$ which will give us our first equation $s\mathrm{mod}{k}_1=s_1.$

Sage has a generic discrete_log function (where generic means it works over any group) which uses various algorithms (Pohlig-Hellman, Pollard-rho, ...) and that we can call directly here:

H1 = E1(0x16C2385B2093CC3EDBC0F2257E8F23E98E775F8F6628767E5F4FC0E495285B95B1505F487102FE083E65DC8E9E3A9181, \
         0x0F4B73F63C6FD1F924EAE2982426FC94FBD03FCEE12D9FB01BAF52BE1246A14C53C152D64ED312494A2BC32C4A3E7F9A)
s1 = discrete_log(r*H1, r*G1, operation='+')
print("s mod k1 =")
print(s1)

We get:

s mod k1 =
2335387132884273659

How do we continue from here? Could we use information contained in points $(s^2{G}_1,\dots ,s^{62}{G}_1)$? Repeating all the above with $s^2{G}_1$ for example would allow us to compute $s^2\mathrm{mod}{k}_1,$ but this is simply $s_1^2\mathrm{mod}{k}_1$ which we can compute from $s_1$ so this does not give us new information.

Maybe we could use points $(\alpha G_1,\alpha s{G}_1,\dots ,\alpha s^{31}{G}_1,\beta G_1,\beta s{G}_1,\dots ,\beta s^{31}{G}_1)$ then? This seems implausible though: as $\alpha$ and $\beta$ are just random scalars independent from $s,$ we could just have generated points with the same distribution by ourselves from $G_1,s{G}_1,\dots ,s^{31}{G}_1$ by drawing random values for $\alpha$ and $\beta$ and computing the corresponding scalar multiplications. These extra points rather look like some red herring.

Hence, we now consider the set of points on the second curve $E_2({\mathbb{F}}_{p^2}).$ Again, we define point $G_2$ in Sage and try to compute its order:

G2 = E2(0x1173F10AD9F2DBEE8B6C0BB2624B05D72EEC87925F5C3633E2C000E699A580B842D3F35AF1BE77517C86AEBCA1130AE4 \
      + 0x0434043A97DA28EF7100AE559167FC613F057B85451476ABABB27CFF0238A32831A0B4D14BA83C4F97247C8AC339841F * u, \
        0x0BEBEC70446CB91BB3D4DC5C8412915E99D612D8807C950AB06BC41583F528FDA9F42EC0FE7CD2991638187EF44258D3 \
      + 0x19528E3B5C90C73A7092BB9AFDC73F86C838F551CCD9DBBA5CC6244CF76AB3372193DBE5B62383FAAE728728D4C1E649 * u)
n2 = G2.order()

Unlike for $G_1$ where Sage returned the answer pretty quickly, this seems to take quite some time (I killed the process after a few minutes). To understand why, one has to keep two things in mind:

• First, the second curve $E_2({\mathbb{F}}_{p^2})$ is much bigger than the first one. By Hasse's bound, its order is close to $p^2$ (hence roughly 762-bit long). Sage can compute it very quickly with E2.cardinality(), however if we try to factor it, this seems quite long again, presumably because it has at least two large prime factors.
• Second, computing the order of $G_2$ efficiently actually requires the factorization of the order of the ambient group, i.e., $|E_2|$ (see Algorithm 4.79 of Chapter 4 of the Handbook of Applied Cryptography).

Hence, the reason why G2.order() takes so much time is presumably that it tries to factor $|E_2|$ first. Could we help Sage here? We know at least one large prime factor of $|E_2|,$ namely $r,$ the prime order of subgroup ${\mathbb{G}}_2=⟨P_2⟩$ defined by BLS12-381 parameters. The number $c_2=|E_2|/r$ is called the cofactor of subgroup ${\mathbb{G}}_2$ in $E_2.$ We can compute it in Sage and try to factor it:

E2_order = E2.cardinality()
c2 = E2_order/r
L2 = list(c2.factor())
print("The factorization of cofactor c2 = |E2|/r is:")
for l in L2:
    print(l)

This gives:

The factorization of cofactor c2 = |E2|/r is:
(13, 2)
(23, 2)
(2713, 1)
(11953, 1)
(262069, 1)
(402096035359507321594726366720466575392706800671181159425656785868777272553337714697862511267018014931937703598282857976535744623203249, 1)

We can see that the cofactor has a very large (448-bit long) prime factor that will be denoted $r^{\prime }$ in the following. What prevented Sage from factoring $|E_2|$ efficiently was the $r{r}^{\prime }$ part, but Sage can factor $|E_2|/r$ very quickly because it has only one large prime factor.

Now that we know the factorization of $|E_2|,$ can we hint it to Sage so that it can compute $G_2$'s order efficiently? It turns out that there is another function called order_from_multiple to which we can pass a multiple $m$ of $G_2$'s order (we will use $m=|E_2|$ as $G_2$'s order necessarily divides $|E_2|)$ and the factorization of $m.$ So we give it a try (after inserting the missing factor $r$ in the list to obtain the factorization of $|E_2|):$

L2.insert(5, (r,1))
n2 = order_from_multiple(G2, E2_order, factorization=L2, operation='+')

This time, Sage returns instantly. Trying to factor the result again takes time, meaning $G_2$'s order $n_2$ is a multiple of $r{r}^{\prime },$ but as before we can factor $n_2/r$ and insert $r$ afterwards to get the result quickly:

L3 = list((n2/r).factor())
print("The factorization of n2/r is:")
for l in L3:
    print(l)
L3.insert(5, (r,1))
print("The factorization of G2's order n2 is:")
for l in L3:
    print(l)

We obtain:

The factorization of G2's order n2 is:
(13, 1)
(23, 1)
(2713, 1)
(11953, 1)
(262069, 1)
(52435875175126190479447740508185965837690552500527637822603658699938581184513, 1)
(402096035359507321594726366720466575392706800671181159425656785868777272553337714697862511267018014931937703598282857976535744623203249, 1)

Now we have all the information we need and can perform a second small subgroup attack by clearing the large factor $r{r}^{\prime }$ from $G_2$'s order, which will give us $s\mathrm{mod}{k}_2$ where $k_2=n_2/(r{r}^{\prime }),$ which is a 52-bit integer. So we compute $G_2^{\prime }=(r{r}^{\prime })G_2$ and $H_2^{\prime }=(r{r}^{\prime })H_2$ and ask sage to compute the discrete logarithm of $H_2^{\prime }$ in base $G_2^{\prime }.$ There is a catch though: as we're working in $E_2,$ the order of which Sage cannot factor quickly, we need to pass Sage the order of $G_2^{\prime },$ namely $k_2:$

s2 = discrete_log(r * rp * H2, r * rp * G2, ord=k2, operation='+')
print("s mod k2 =")
print(s2)

We get:

s mod k2 =
712318409117070

As $k_1$ and $k_2$ are coprime, we can now combine the two equations using the Chinese remainder theorem to compute $s_{1,2}=s\mathrm{mod}(k_1{k}_2):$

s12 = crt([s1, s2], [k1, k2])
print("s mod k1 * k2 =")
print(s12)

We get

s mod k1 * k2 =
5592216610550884993006174526481245

As $k=k_1{k}_2$ is a 115-bit integer and $s$ is 128-bit long, we miss roughly 13 bit of information, which is sufficiently small to allow exhaustive search: writing $s=ik+s_{1,2},$ we can loop through all integers $i=0,\dots ,2^{13}$ and check whether $(ik+s_{1,2})G_1=H_1:$

for i in range(2^13):
	s = i*k + s12
	if s * G1 == H1:
		print("discrete log found:")
		print(s)
		break

We're finally done:

discrete log found:
114939083266787167213538091034071020048

Conclusion

Keep in mind that it is possible to create instances of the GroupAffine type which are not in the correct subgroup of the related curve through the deserialize_unchecked function. Hence, subgroup membership tests should always be performed before creating an instance whose coordinates come from an untrusted source. If you feel this is a step aside from the type safety philosophy of Rust, it is possible to define an enum such as

enum ECPoint<P> {
    Checked(GroupAffine<P>),
    Unchecked(GroupAffine<P>),
}

and to implement a public constructor for it that will never return an Unchecked variant if there is a possibility that the corresponding point is not in the correct subgroup.

Puzzle 3: Double Trouble

• puzzle page
• GitHub repository
• puzzle description:

Bob has developed a new zero-knowledge inner-product proof allows proving that
the inner product of a hidden, committed vector `a` with a public vector `b`
equals the claimed value `v` that is committed. He's released the protocol
license-free below, but still wants to profit from his invention. So, he
developed a proprietary prover that he claims is 2x faster than the standard one
described below, but without sacrificing zero-knowledge: it still hides all
information about the committed vector `a`. To back up his claim, he has
published a few proofs generated by this proprietary prover for the same `a` but
with respect to different `b` vectors, and has challenged people to recover `a`
from just these proofs.

Can you rise to the challenge and recover the vector `a`?.


The inner-product proof is obtained by applying the Fiat--Shamir transform to
the following sigma protocol:

Before proof:
During proof of inner product with public vector b:
        Prover                                           Verifier
=================================================================================================
Offline phase (before `b` is available):
1. Prover computes
    C_a := PedersenCOMM(a; α)
         = sum_i (a_i * G_i) + α * H
    where G_i and H are random group elements,
    and s is sampled randomly.
                            --------- C_a ---------->

Online phase for a given public vector `b` (can be repeated for different `b`s):

1. Prover samples a random vector r
    and random elements ρ, τ, υ.
2. Prover computes
    C_r := PedersenCOMM(r; ρ)
    C_1 := PedersenCOMM(<a, b>; τ) // <x, y> denotes inner product of x and y.
    C_2 := PedersenCOMM(<r, b>; υ)
                            ---- C_r, C_1, C_2 ----->
                            <- random challenge γ ---
3. Prover computes
    s := a + γr,
    u := α + γρ
    t := τ + γυ,
                            -------- s, u, t ------->
                                                // Check that `s` really is a + γr,
                                                Check PedersenCOMM(s; u) = C_a + γC_r
                                                // Check that the inner product is committed in C_1.
                                                Check PedersenCOMM(<s, b>; t) = C_1 + γC_2
==================================================================================================

This puzzle is about a zero-knowledge poof system allowing to prove some kind of inner-product relation between committed values. The puzzle instruction asks us to retrieve the witness of some instance and hence to break the zero-knowledge property of the scheme. It is recommended to read the chapters about commitments and zero-knowledge proofs before starting.

Initial Inspection

First, let us try to define more precisely the goal of the puzzle just from the instructions, without looking into the code yet.

Notation

Given a group $\mathbb{G}$ of order $q,$ we will write vectors of scalars and vectors of group elements in bold font, e.g. $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{G}=(G_0,\dots ,G_{n-1})\in {\mathbb{G}}^n.$ For two vectors $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{b}=(b_0,\dots ,b_{n-1})\in ({\mathbb{Z}}_q{)}^n,$ their scalar product is defined as $$⟨\mathbf{a},\mathbf{b}⟩:=\sum _{i=0}^{n-1}{a}_i{b}_i\mathrm{mod}q.$$ Similarly, given $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{G}=(G_0,\dots ,G_{n-1})\in {\mathbb{G}}^n,$ we let $$⟨\mathbf{a},\mathbf{G}⟩:=\sum _{i=0}^{n-1}{a}_i{G}_i.$$

Definition of the Proof System

Let us first try to specify the language for which the proof system is designed. We assume that the cyclic group $\mathbb{G}$ of prime order $q$ and generators $\mathbf{G}=(G_0,\dots ,G_{n-1})$ and $H$ are agreed upon by the prover and the verifier. Then, from the puzzle's description (and also from the code, as we will see), the language $\mathcal{L}$ of interest is defined by the relation $$\mathcal{R}=\{(x,w)\mid x=(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,w=(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q,C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H\}.$$

Recall that the language $\mathcal{L}$ defined by this relation consists of all instances $x$ such that there exists a witness $w$ such that $(x,w)\in \mathcal{R}.$

The protocol itself goes as follows:

$$\boxed{\begin{array}{lcl}\text{Prover}& & \text{Verifier}\\ \text{parameters: }(\mathbb{G},q,\mathbf{G},H)& & \text{parameters: }(\mathbb{G},q,\mathbf{G},H)\\ \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n& & \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n\\ \text{witness: }(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q& & \\ \text{relation: }{C}_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H& & \\ \mathbf{r}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n& & \\ \rho ,\tau ,\nu {\leftarrow }_{\$}{\mathbb{Z}}_q& & \\ C_r:=⟨\mathbf{r},\mathbf{G}⟩+\rho H& & \\ C_1:=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H& & \\ C_2:=⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H& & \\ & \stackrel{C_r,C_1,C_2}{\to }& \\ & & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \stackrel{\gamma }{\leftarrow }& \\ \mathbf{s}:=\mathbf{a}+\gamma \mathbf{r}\mathrm{mod}q& & \\ u:=\alpha +\gamma \rho \mathrm{mod}q& & \\ t:=\tau +\gamma \nu \mathrm{mod}q& & \\ & \stackrel{\mathbf{s},u,t}{\to }& \\ & & \text{check that}\\ & & ⟨\mathbf{s},\mathbf{G}⟩+uH=C_a+\gamma C_r\\ & & ⟨\mathbf{s},\mathbf{b}⟩G_1+tH=C_1+\gamma C_2\end{array}}$$

The protocol is complete, meaning that for any instance $(C_a,\mathbf{b})\in \mathcal{L},$ an honestly generated proof is always accepted by the verifier. This holds because $$\begin{array}{rl}⟨\mathbf{s},\mathbf{G}⟩+uH& =⟨\mathbf{a}+\gamma \mathbf{r},\mathbf{G}⟩+(\alpha +\gamma \rho )H\\ & =(⟨\mathbf{a},\mathbf{G}⟩+\alpha H)+\gamma (⟨\mathbf{r},\mathbf{G}⟩+\rho H)\\ & =C_a+\gamma C_r\end{array}$$ and $$\begin{array}{rl}⟨\mathbf{s},\mathbf{b}⟩G_1+tH& =⟨\mathbf{a}+\gamma \mathbf{r},\mathbf{b}⟩G_1+(\tau +\gamma \nu )H\\ & =(⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H)+\gamma (⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H)\\ & =C_1+\gamma C_2.\end{array}$$

Proof of Knowledge

One can also check that the proof system is extractable, which follows from a property called special soundness: for any instance in language $\mathcal{L},$ given two accepting transcripts with the same commitments $(C_r,C_1,C_2)$ but different challenges ${\gamma }^{(1)}$ and ${\gamma }^{(2)},$ one can compute a witness. Indeed, let $$\begin{array}{rl}& ((C_r,C_1,C_2),{\gamma }^{(1)},({\mathbf{s}}^{(1)},u^{(1)},t^{(1)})),\\ & ((C_r,C_1,C_2),{\gamma }^{(2)},({\mathbf{s}}^{(2)},u^{(2)},t^{(2)}))\end{array}$$ be two accepting transcripts for some instance $(C_a,\mathbf{b})$ such that ${\gamma }^{(1)}\ne {\gamma }^{(2)}.$ Let $$\begin{array}{r}\mathbf{a}:=\frac{{\gamma }^{(1)}{\mathbf{s}}^{(2)}-{\gamma }^{(2)}{\mathbf{s}}^{(1)}}{{\gamma }^{(1)}-{\gamma }^{(2)}},\\ \alpha :=\frac{{\gamma }^{(1)}{u}^{(2)}-{\gamma }^{(2)}{u}^{(1)}}{{\gamma }^{(1)}-{\gamma }^{(2)}}.\end{array}$$ Since both transcripts are accepting, we have $$\begin{array}{rl}& ⟨{\mathbf{s}}^{(1)},\mathbf{G}⟩+u^{(1)}H=C_a+{\gamma }^{(1)}{C}_r,\\ & ⟨{\mathbf{s}}^{(2)},\mathbf{G}⟩+u^{(2)}H=C_a+{\gamma }^{(2)}{C}_r.\end{array}$$ Then $$\begin{array}{rl}⟨\mathbf{a},\mathbf{G}⟩+\alpha H& =\frac{1}{{\gamma }^{(1)}-{\gamma }^{(2)}}\left({\gamma }^{(1)}⟨{\mathbf{s}}^{(2)},\mathbf{G}⟩-{\gamma }^{(2)}⟨{\mathbf{s}}^{(1)},\mathbf{G}⟩+{\gamma }^{(1)}{u}^{(2)}H-{\gamma }^{(2)}{u}^{(1)}H\right)\\ & =\frac{1}{{\gamma }^{(1)}-{\gamma }^{(2)}}\left({\gamma }^{(1)}(C_a+{\gamma }^{(2)}{C}_r-u^{(2)}H)-{\gamma }^{(2)}(C_a+{\gamma }^{(1)}{C}_r-u^{(1)}H)+{\gamma }^{(1)}{u}^{(2)}H-{\gamma }^{(2)}{u}^{(1)}H\right)\\ & =C_a.\end{array}$$ Hence, the relation defining the language is satisfied and $(\mathbf{a},\alpha )$ is indeed a witness that the instance $(C_a,\mathbf{b})$ is in $\mathcal{L}.$

Zero-Knowledge?

The puzzle instructions asks us to find $\mathbf{a},$ which is part of the witness, from a few proofs generated by Bob. If the protocol is zero-knowledge, this shouldn't be possible. Is it zero-knowledge, though, from a theoretical point of view?

The answer is yes. Namely, the interactive protocol as defined above can be shown to be honest-verifier zero-knowledge. The simulator, whose task is to generate a fake transcript distributed as a true transcript between a prover and an honest verifier without knowing the witness $(\mathbf{a},\alpha ),$ works as follows:

$$\begin{array}{rl}& \mathbf{s}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n,u{\leftarrow }_{\$}{\mathbb{Z}}_q,t{\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & C_r:={\gamma }^{-1}(⟨\mathbf{s},\mathbf{G}⟩+uH-C_a)\\ & C_1{\leftarrow }_{\$}\mathbb{G}\\ & C_2:={\gamma }^{-1}(⟨\mathbf{s},\mathbf{b}⟩G_1+tH-C_1)\\ & \mathbf{return}((C_r,C_1,C_2),\gamma ,(\mathbf{s},u,t))\end{array}$$

Something Strange

There is something odd with the way we described the proof system: vector $\mathbf{b}$ plays no role in the relation $$\mathcal{R}=\{(x,w)\mid x=(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,w=(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q,C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H\}.$$ In particular, note that the proof that the system is extractable did not use the second equation checked by the verifier (meaning extractability still holds even if this check is omitted).

For this reason, it would make more sense to actually include $C_1,$ the commitment to the inner product $⟨\mathbf{a},\mathbf{b}⟩,$ in the instance and randomness $\tau$ in the witness and to define the relation as $$\begin{array}{r}{\mathcal{R}}^{\prime }=\{(\sigma ,\omega )\mid \sigma =(C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,\omega =(\mathbf{a},\alpha ,\tau )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q\times {\mathbb{Z}}_q,\\ C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H,C_1=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H\}.\end{array}$$

By doing this, the protocol would now be specified as follows:

$$\boxed{\begin{array}{lcl}\text{Prover}& & \text{Verifier}\\ \text{parameters: }(\mathbb{G},q,\mathbf{G},H)& & \text{parameters: }(\mathbb{G},q,\mathbf{G},H)\\ \text{instance: }& & \text{instance: }\\ (C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n& & (C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n\\ \text{witness: }& & \\ (\mathbf{a},\alpha ,\tau )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q\times {\mathbb{Z}}_q& & \\ \text{relation: }& & \\ C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H& & \\ C_1=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H& & \\ \mathbf{r}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n& & \\ \rho ,\nu {\leftarrow }_{\$}{\mathbb{Z}}_q& & \\ C_r:=⟨\mathbf{r},\mathbf{G}⟩+\rho H& & \\ C_2:=⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H& & \\ & \stackrel{C_r,C_2}{\to }& \\ & & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \stackrel{\gamma }{\leftarrow }& \\ \mathbf{s}:=\mathbf{a}+\gamma \mathbf{r}\mathrm{mod}q& & \\ u:=\alpha +\gamma \rho \mathrm{mod}q& & \\ t:=\tau +\gamma \nu \mathrm{mod}q& & \\ & \stackrel{\mathbf{s},u,t}{\to }& \\ & & \text{check that}\\ & & ⟨\mathbf{s},\mathbf{G}⟩+uH=C_a+\gamma C_r\\ & & ⟨\mathbf{s},\mathbf{b}⟩G_1+tH=C_1+\gamma C_2\end{array}}$$

However, this is not important for solving the puzzle and we will stick to the original, albeit unnatural, description.

Exploring the Code

Let us recall the proof system here before digging into the code:

$$\boxed{\begin{array}{lcl}\text{Prover}& & \text{Verifier}\\ \text{parameters: }(\mathbb{G},q,\mathbf{G},H)& & \text{parameters: }(\mathbb{G},q,\mathbf{G},H)\\ \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n& & \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n\\ \text{witness: }(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q& & \\ \text{relation: }{C}_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H& & \\ \mathbf{r}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n& & \\ \rho ,\tau ,\nu {\leftarrow }_{\$}{\mathbb{Z}}_q& & \\ C_r:=⟨\mathbf{r},\mathbf{G}⟩+\rho H& & \\ C_1:=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H& & \\ C_2:=⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H& & \\ & \stackrel{C_r,C_1,C_2}{\to }& \\ & & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \stackrel{\gamma }{\leftarrow }& \\ \mathbf{s}:=\mathbf{a}+\gamma \mathbf{r}\mathrm{mod}q& & \\ u:=\alpha +\gamma \rho \mathrm{mod}q& & \\ t:=\tau +\gamma \nu \mathrm{mod}q& & \\ & \stackrel{\mathbf{s},u,t}{\to }& \\ & & \text{check that}\\ & & ⟨\mathbf{s},\mathbf{G}⟩+uH=C_a+\gamma C_r\\ & & ⟨\mathbf{s},\mathbf{b}⟩G_1+tH=C_1+\gamma C_2\end{array}}$$

The package directory is organized as follows:

zkhack-double-trouble
├── Cargo.toml
└── src
    ├── bin
    │   └── verify-double-trouble.rs
    ├── inner_product_argument
    │   ├── data_structures.rs
    │   └── utils.rs
    ├── data.rs
    ├── inner_product_argument.rs
    └── lib.rs

The proof system is implemented in the inner_product_argument module of the library crate and follows closely the specification from the puzzle's description. The puzzle uses the ark-ed-on-bls12-381 library which implements the so-called Jubjub curve developed by the Zcash team. This curve was designed to have its base field equal to the scalar field of BLS12-381, allowing to efficiently prove statements about cryptographic schemes based on Jubjub (such a Pedersen commitments, Schnorr signatures, etc) using a proof system based on BLS12-381. The affine group and the scalar field of this curve are brought into scope with

use ark_ed_on_bls12_381::{EdwardsAffine as GAffine, Fr};

Two structures Instance and Witness corresponding respectively to the instance $(C_a,\mathbf{b})$ and the witness $(\mathbf{a},\alpha )$ are defined directly in src/inner_product_argument.rs:

pub struct Instance {
    pub comm_a: GAffine,
    pub b: Vec<Fr>,
}

pub struct Witness {
    pub a: Vec<Fr>,
    pub comm_a_rand: Fr,
}

Four additional structures are defined in src/inner_product_argument/data_structures.rs:

• the commitment key CommitKey $\cong (\mathbf{G},H),$
• the proof commitment (first message sent by the prover in the interactive protocol) ProofCommitment $\cong (C_r,C_1,C_2),$
• the proof response (second message sent by the prover in the interactive protocol) ProofResponse $\cong (\mathbf{s},u,t),$
• and a fourth structure Proof which simply combines ProofCommitment and ProofResponse.

Here is the code defining these four structures:

pub struct CommitKey {
    pub generators: Vec<GAffine>,
    pub hiding_generator: GAffine,
}

pub struct ProofCommitment {
    pub comm_r: GAffine,
    pub comm_1: GAffine,
    pub comm_2: GAffine,
}

pub struct ProofResponse {
    pub s: Vec<Fr>,
    pub u: Fr,
    pub t: Fr,
}

pub struct Proof {
    pub commitment: ProofCommitment,
    pub response: ProofResponse,
}

The rest of the code in the inner_product_argument module and sub-modules does not show anything surprising. As said in the puzzle description, the proof system is made non-interactive using the Fiat-Shamir transform. Namely, the challenge $\gamma$ is computed by hashing the commitment key, the instance, and the commitment:

    let challenge = challenge(ck, instance, &commitment);

where function challenge is defined in inner_product_argument/utils.rs:

pub fn b2s_hash_to_field<C: CanonicalSerialize>(input: &C) -> Fr {
    let bytes = input.hash::<blake2::Blake2s>();
    Fr::from_le_bytes_mod_order(&bytes)
}

pub fn challenge(ck: &CommitKey, instance: &Instance, proof_comm: &ProofCommitment) -> Fr {
    b2s_hash_to_field(&(ck.clone(), instance.clone(), proof_comm.clone()))
}

Let's take a look at the binary crate and its main function:

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        todo!()
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
}

The puzzle_data function simply deserializes some data and returns a commitment key ck and two instance/proof pairs. We can print the structures we're interested in:

#![allow(unused, unreachable_code)]
use ark_ed_on_bls12_381::Fr;
use ark_ff::Field;
use double_trouble::data::puzzle_data;
use double_trouble::inner_product_argument::utils::challenge;
use double_trouble::verify;
use double_trouble::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use double_trouble::CommitKey;
use ark_ec::AffineCurve;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    // --snip--

    println!("commitment key:");
    for (i, ck_i) in ck.generators.iter().enumerate() {
        println!("ck.generators[{}] = {}", i, ck_i);
    }
    println!("ck.hiding_generator = {}\n", ck.hiding_generator);
    println!("instance 1, C_a:\n {}\n", instance1.comm_a);
    println!("instance 2, C_a:\n {}\n", instance2.comm_a);
    println!("instance 1, b:");
    for (i, b_i) in instance1.b.iter().enumerate() {
        println!("instance1.b[{}] = {}", i, b_i);
    }
    println!("");
    println!("instance 2, b:");
    for (i, b_i) in instance2.b.iter().enumerate() {
        println!("instance2.b[{}] = {}", i, b_i);
    }
    println!("");

    // --snip--

    assert_eq!(instance1, instance2);
    assert_eq!(ck, CommitKey::sample(8));

    // --snip--

    println!("proof1, comm_r:\n {}", proof1.commitment.comm_r);
    println!("proof1, comm_1:\n {}", proof1.commitment.comm_1);
    println!("proof1, comm_2:\n {}\n", proof1.commitment.comm_2);

    println!("proof2, comm_r:\n {}", proof2.commitment.comm_r);
    println!("proof2, comm_1:\n {}", proof2.commitment.comm_1);
    println!("proof2, comm_2:\n {}\n", proof2.commitment.comm_2);

    // --snip--

    if proof1.commitment.comm_r.mul(2) == proof2.commitment.comm_r {
        println!("C_r in the second proof is twice C_r in the first proof\n");
    }

    // --snip--

    let gamma1 = challenge(&ck, &instance1, &proof1.commitment);
    let gamma2 = challenge(&ck, &instance2, &proof2.commitment);
    let s1 = proof1.response.s;
    let s2 = proof2.response.s;
    let u1 = proof1.response.u;
    let u2 = proof2.response.u;
    let k = (gamma1 - Fr::from(2) * gamma2).inverse().unwrap();
    let my_a: Vec<Fr> = s1
        .iter()
        .zip(s2.iter())
        .map(|(c1, c2)| k * (gamma1 * c2 - Fr::from(2) * gamma2 * c1))
        .collect();
    let my_comm_a_rand = k * (gamma1 * u2 - Fr::from(2) * gamma2 * u1);

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        (my_a, my_comm_a_rand)
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
    println!("Puzzle solved!");
}

We get:

commitment key:
ck.generators[0] = GroupAffine(x=Fp256 "(198B8C3FC05A64DF64DEC6C0C9CF997E1AFA1DBB5C191ED0DFD5C771467F089D)", y=Fp256 "(5AE26A746DDBBCC5ECC3C970E715AEC48BB2551DD9DDE8AE7A7DA7032E161577)")
ck.generators[1] = GroupAffine(x=Fp256 "(4B92D491ACE817177026CD40C5020D04B30759F240CFDFF8DD795629E3307C5E)", y=Fp256 "(6604E7622969E8E968970E74DB648CF8226DCB0B67FF8E6313A3B9CAD7353701)")
ck.generators[2] = GroupAffine(x=Fp256 "(70F5E9698EF8F51B85D089DBBCC2F25190C905F6113976696F109307D347ACBA)", y=Fp256 "(3BD293E00769FE7963674BFA0745B4FE316AF189856418E679DBEF49B00A9085)")
ck.generators[3] = GroupAffine(x=Fp256 "(3FF005D6FE8FE85EA40051BF5051464AB69F0B587BE571B2800C08F4B93AD452)", y=Fp256 "(445D24D6D0EDEFC80B3785F27613FD072E4E69EBFC6A0B9716036F19E15C6ABF)")
ck.generators[4] = GroupAffine(x=Fp256 "(5174580F00FB73C60E3CA1D0A0EBF328FDAC3A018D15F6ED81B39D833927C079)", y=Fp256 "(26053B0E29A8E735673D8ACC0C0353EA6326DF6F81A2EE0AC65A8C1A853241F5)")
ck.generators[5] = GroupAffine(x=Fp256 "(65B0213A6DE2BC0DDAD9648179372A2B3939B06A1062CF0D58F731ABF7D6B742)", y=Fp256 "(11C6904D697A2638441B3125D0A3316507A03C16D79FCB3F5A19CF3ECFD649E6)")
ck.generators[6] = GroupAffine(x=Fp256 "(50644971731D58AFB54EB92D6F0C7700F06774B2AF10E72B646C0D5A93AA6347)", y=Fp256 "(1C282A3A58C4AD917587EBE68DC84A4CAC0E4A914FA83618439373528617AAAF)")
ck.generators[7] = GroupAffine(x=Fp256 "(3181568CB6D37D00412E3348F2C08C1579DB32492A768F41EAC49D8E7E6F9BBF)", y=Fp256 "(27EDAEA9068A61645B11E8D5C15E9569340E59E3963AE78CAADD2282451F10F4)")
ck.hiding_generator = GroupAffine(x=Fp256 "(3A2ED8E0E81BED90A83FA22E58FA8A0F08752AAB03CD4BA9BB558965B9A57B32)", y=Fp256 "(3C603EF0D0BB80987AD83208034C552F8919C5F8FEACC5404DEBCC16FE3B947F)")

instance 1, C_a:
 GroupAffine(x=Fp256 "(6AE271E04FBB0AE9FB89506FF7180F5C06A8D60F802D934987965F694228BF8A)", y=Fp256 "(2BFBFA9CCF2151F01E71A069366DAD9398960B64684888D1AABB50D4D57BDF32)")

instance 2, C_a:
 GroupAffine(x=Fp256 "(6AE271E04FBB0AE9FB89506FF7180F5C06A8D60F802D934987965F694228BF8A)", y=Fp256 "(2BFBFA9CCF2151F01E71A069366DAD9398960B64684888D1AABB50D4D57BDF32)")

instance 1, b:
instance1.b[0] = Fp256 "(08180E66A534AADEBC88D09E1397DC7C33E2014115EB973B489E7D5CDBF839CD)"
instance1.b[1] = Fp256 "(036AFB822FAC04AC9191CCEEF5BF4E27ADA6DC0440C88ECF3E06DC2FAFB162E6)"
instance1.b[2] = Fp256 "(0DE7FE23DCF79F2A041E2C21876F9B9AEB3F2BC628E07B87F52DF460408334F2)"
instance1.b[3] = Fp256 "(0891BBE1E3DA5717F7ED59288C9F51186E7BBAE018C9DA56F4BC8B4BBBD7457E)"
instance1.b[4] = Fp256 "(05D81F4C416350A3D02B1685176BFE5A98FA15D51C84DBD47680326F9F005E96)"
instance1.b[5] = Fp256 "(06D5E58667508A24F3A3FFBB244575DE29ECB3408D6EBC6D3DCDEFF02AA9453C)"
instance1.b[6] = Fp256 "(06BC47A67C6BD353EE624051B4C4A6A28E7F8CEDB6ED65A007D897AC071CBDCB)"
instance1.b[7] = Fp256 "(0CF6D9D35E0B6F2309568E5BB7C19448D993D2EFFEF7B3D77C137A26C524315A)"

instance 2, b:
instance2.b[0] = Fp256 "(08180E66A534AADEBC88D09E1397DC7C33E2014115EB973B489E7D5CDBF839CD)"
instance2.b[1] = Fp256 "(036AFB822FAC04AC9191CCEEF5BF4E27ADA6DC0440C88ECF3E06DC2FAFB162E6)"
instance2.b[2] = Fp256 "(0DE7FE23DCF79F2A041E2C21876F9B9AEB3F2BC628E07B87F52DF460408334F2)"
instance2.b[3] = Fp256 "(0891BBE1E3DA5717F7ED59288C9F51186E7BBAE018C9DA56F4BC8B4BBBD7457E)"
instance2.b[4] = Fp256 "(05D81F4C416350A3D02B1685176BFE5A98FA15D51C84DBD47680326F9F005E96)"
instance2.b[5] = Fp256 "(06D5E58667508A24F3A3FFBB244575DE29ECB3408D6EBC6D3DCDEFF02AA9453C)"
instance2.b[6] = Fp256 "(06BC47A67C6BD353EE624051B4C4A6A28E7F8CEDB6ED65A007D897AC071CBDCB)"
instance2.b[7] = Fp256 "(0CF6D9D35E0B6F2309568E5BB7C19448D993D2EFFEF7B3D77C137A26C524315A)"

We can note a couple of interesting things. First, points instance1.comm_a and instance2.comm_a are equal and vectors instance1.b and instance2.b are equal, meaning the two instances are exactly the same (whereas the puzzle description said that the proofs published by Bob where for different different b vectors). Second, ck.generators (vector $\mathbf{G}=(G_0,\dots ,G_{n-1})$ in the description above) has length $n=8.$ Where does this commitment key come from? The CommitKey structure has an associated function allowing to sample a commitment key:

impl CommitKey {
    pub fn sample(size: usize) -> Self {
        let mut rng = ChaChaRng::from_seed(*b"zkHack IPA puzzle for 2021-10-26");
        let generators = sample_vector::<GAffine, _>(size, &mut rng)
            .into_iter()
            .map(Into::into)
            .collect();
        let hiding_generator = GProjective::rand(&mut rng).into();
        Self {
            generators,
            hiding_generator,
        }
    }
    // ...
}

We can verify that ck provided in the puzzle data is indeed the commitment key returned by this function. These two observations can be checked directly with

#![allow(unused, unreachable_code)]
use ark_ed_on_bls12_381::Fr;
use ark_ff::Field;
use double_trouble::data::puzzle_data;
use double_trouble::inner_product_argument::utils::challenge;
use double_trouble::verify;
use double_trouble::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use double_trouble::CommitKey;
use ark_ec::AffineCurve;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    // --snip--

    println!("commitment key:");
    for (i, ck_i) in ck.generators.iter().enumerate() {
        println!("ck.generators[{}] = {}", i, ck_i);
    }
    println!("ck.hiding_generator = {}\n", ck.hiding_generator);
    println!("instance 1, C_a:\n {}\n", instance1.comm_a);
    println!("instance 2, C_a:\n {}\n", instance2.comm_a);
    println!("instance 1, b:");
    for (i, b_i) in instance1.b.iter().enumerate() {
        println!("instance1.b[{}] = {}", i, b_i);
    }
    println!("");
    println!("instance 2, b:");
    for (i, b_i) in instance2.b.iter().enumerate() {
        println!("instance2.b[{}] = {}", i, b_i);
    }
    println!("");

    // --snip--

    assert_eq!(instance1, instance2);
    assert_eq!(ck, CommitKey::sample(8));

    // --snip--

    println!("proof1, comm_r:\n {}", proof1.commitment.comm_r);
    println!("proof1, comm_1:\n {}", proof1.commitment.comm_1);
    println!("proof1, comm_2:\n {}\n", proof1.commitment.comm_2);

    println!("proof2, comm_r:\n {}", proof2.commitment.comm_r);
    println!("proof2, comm_1:\n {}", proof2.commitment.comm_1);
    println!("proof2, comm_2:\n {}\n", proof2.commitment.comm_2);

    // --snip--

    if proof1.commitment.comm_r.mul(2) == proof2.commitment.comm_r {
        println!("C_r in the second proof is twice C_r in the first proof\n");
    }

    // --snip--

    let gamma1 = challenge(&ck, &instance1, &proof1.commitment);
    let gamma2 = challenge(&ck, &instance2, &proof2.commitment);
    let s1 = proof1.response.s;
    let s2 = proof2.response.s;
    let u1 = proof1.response.u;
    let u2 = proof2.response.u;
    let k = (gamma1 - Fr::from(2) * gamma2).inverse().unwrap();
    let my_a: Vec<Fr> = s1
        .iter()
        .zip(s2.iter())
        .map(|(c1, c2)| k * (gamma1 * c2 - Fr::from(2) * gamma2 * c1))
        .collect();
    let my_comm_a_rand = k * (gamma1 * u2 - Fr::from(2) * gamma2 * u1);

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        (my_a, my_comm_a_rand)
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
    println!("Puzzle solved!");
}

(For this, one needs to derive the PartialEq trait for structures CommitKey and Instance).

As we explained in the section about Pedersen commitments, the knowledge of discrete log relations between the group elements in the commitment key constitutes a trapdoor allowing to break the binding property of the commitment scheme. However, this does not seem like a promising avenue to solve the puzzle. On the one hand, this trapdoor does not allow to break the hiding property of the commitment scheme, which is what we would need to recover $\mathbf{a}.$ On the other hand, function sample does things correctly by sampling uniformly random and independent group elements using a pseudorandom number generator seeded with NUMS string "zkHack IPA puzzle for 2021-10-26".

A side note about the code: in function sample, generators could be defined more simply as

        let generators = sample_vector::<GAffine, _>(size, &mut rng);

Indeed, sample_vector::<GAffine, _>(size, &mut rng) returns an object of type Vec<GAffine> so there is no need to apply into to each element. On the other hand, there does not seem to be any good reason for sampling hiding_generator as a GProjective and then cast it into a GAffine using into.

Solving the Puzzle

Where are we left at after this code analysis? The proof system seems to be well designed, so presumably the problem is with the "proprietary prover" developed by Bob. Actually, a very well-known implementation vulnerability of sigma protocols is randomness reuse. In the context of discrete-log based signatures such as Schnorr or ECDSA signatures, repeating a nonce allows anyone to compute the private key from just two signatures. Vulnerable implementations lead, for example, to the jailbreaking of Sony's Play Station 3 and the theft of some bitcoins from Android wallets. Even if nonces are not repeated, seemingly small biases in nonce randomness [BH19] or partial information leakage (typically through side channels) [ANT+20] can be sufficient to retrieve the private key.

For the proof system of this puzzle, note how the proof that the system is extractable exploits the fact that from two accepting transcripts with the same commitments $(C_r,C_1,C_2)$ but different challenges $\gamma ,$ one can compute a witness $(\mathbf{a},\alpha ).$ This property, which is used in the security proof in a "positive" sense, can actually give rise to a real attack in case a prover reuses the same randomness $(\rho ,\tau ,\nu )$ (and hence the same commitments) in two runs of the (interactive) protocol with different challenges. Here, because the Fiat-Shamir transform is used and the challenge is actually computed by hashing the commitment key, the instance, and the commitments, this would actually result in the same challenge and hence exactly the same transcript! (If you think of the corresponding attack for Schnorr signatures, the challenges are different if the victim signs different messages while reusing the same nonce.) However, one can check that the attack would work if the same randomness was reused for two different instances $(C_a,\mathbf{b})$ and $(C_a,{\mathbf{b}}^{\prime }):$ the challenges obtained via Fiat-Shamir would be different (because $\mathbf{b}\ne {\mathbf{b}}^{\prime })$ but the reasoning of the extractability proof still applies.

Ca we apply this attack here? Let us display the commitments in the two proofs:

#![allow(unused, unreachable_code)]
use ark_ed_on_bls12_381::Fr;
use ark_ff::Field;
use double_trouble::data::puzzle_data;
use double_trouble::inner_product_argument::utils::challenge;
use double_trouble::verify;
use double_trouble::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use double_trouble::CommitKey;
use ark_ec::AffineCurve;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    // --snip--

    println!("commitment key:");
    for (i, ck_i) in ck.generators.iter().enumerate() {
        println!("ck.generators[{}] = {}", i, ck_i);
    }
    println!("ck.hiding_generator = {}\n", ck.hiding_generator);
    println!("instance 1, C_a:\n {}\n", instance1.comm_a);
    println!("instance 2, C_a:\n {}\n", instance2.comm_a);
    println!("instance 1, b:");
    for (i, b_i) in instance1.b.iter().enumerate() {
        println!("instance1.b[{}] = {}", i, b_i);
    }
    println!("");
    println!("instance 2, b:");
    for (i, b_i) in instance2.b.iter().enumerate() {
        println!("instance2.b[{}] = {}", i, b_i);
    }
    println!("");

    // --snip--

    assert_eq!(instance1, instance2);
    assert_eq!(ck, CommitKey::sample(8));

    // --snip--

    println!("proof1, comm_r:\n {}", proof1.commitment.comm_r);
    println!("proof1, comm_1:\n {}", proof1.commitment.comm_1);
    println!("proof1, comm_2:\n {}\n", proof1.commitment.comm_2);

    println!("proof2, comm_r:\n {}", proof2.commitment.comm_r);
    println!("proof2, comm_1:\n {}", proof2.commitment.comm_1);
    println!("proof2, comm_2:\n {}\n", proof2.commitment.comm_2);

    // --snip--

    if proof1.commitment.comm_r.mul(2) == proof2.commitment.comm_r {
        println!("C_r in the second proof is twice C_r in the first proof\n");
    }

    // --snip--

    let gamma1 = challenge(&ck, &instance1, &proof1.commitment);
    let gamma2 = challenge(&ck, &instance2, &proof2.commitment);
    let s1 = proof1.response.s;
    let s2 = proof2.response.s;
    let u1 = proof1.response.u;
    let u2 = proof2.response.u;
    let k = (gamma1 - Fr::from(2) * gamma2).inverse().unwrap();
    let my_a: Vec<Fr> = s1
        .iter()
        .zip(s2.iter())
        .map(|(c1, c2)| k * (gamma1 * c2 - Fr::from(2) * gamma2 * c1))
        .collect();
    let my_comm_a_rand = k * (gamma1 * u2 - Fr::from(2) * gamma2 * u1);

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        (my_a, my_comm_a_rand)
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
    println!("Puzzle solved!");
}

We get:

proof1, comm_r:
 GroupAffine(x=Fp256 "(54103849E3BA52CCE4C2C7485134A683257413F5B9A1E0DD8B04FAF09D18EC28)", y=Fp256 "(245981A43B6DB2323AB5DD6B59A72428238E1F7416DA0C30E239D3AD8EFC7CF1)")
proof1, comm_1:
 GroupAffine(x=Fp256 "(0ADC9FA9FE8D825BD5DA31F56D60EEB608EA5C47AF990736C3D27FAC048C11E1)", y=Fp256 "(46202BAFFE0145321B52334023D0A64C70B0283EB02A542C788FDF182C06ED4A)")
proof1, comm_2:
 GroupAffine(x=Fp256 "(19FD6B1FBA846B5212FD91F823E1D3CDD944FE641035B2E459876BB67C2A20F5)", y=Fp256 "(63BE5660CDF347C66B93E5CD5F53BED2AC02172EF99A960D5D13B7BE896952BD)")

proof2, comm_r:
 GroupAffine(x=Fp256 "(10098E91DCAF5036082E598F953E71B128BF1DA198D1CC39364272EE6A0FCD20)", y=Fp256 "(2DD073C47A020602A0CEF1C13E6D1365CB0ADC716935AE1A010E1546DF2BF7A1)")
proof2, comm_1:
 GroupAffine(x=Fp256 "(2F6A95827C2DF00431A43567CE757DCA4FABA1439EE6B09EB0A8CE88DF06B68C)", y=Fp256 "(2F06AC079158FC73402C6C4AF49DA4E9A957283439C4B45C25D116F340107C06)")
proof2, comm_2:
 GroupAffine(x=Fp256 "(110DE1B6E88AABFFAA4ED784B5EEF7BF359D5D02C7EDF745A873ED28221C208B)", y=Fp256 "(2A7594A3D6F65B338A8817D79F5ED22FC2751EBDDD5246A88645D25C8510FD85)")

The values of the commitments $(C_r,C_1,C_2)$ in the two proofs provided by the puzzle are different, hence we are not dealing with mere "randomness reuse" here. The puzzle description gives us a hint:

he [Bob] developed a proprietary prover that he claims is 2x faster than the standard one described below, but without sacrificing zero-knowledge

So maybe there is a simple relation between the commitments used in the two proofs, allowing to compute several proofs faster? Indeed, one can check that the commitment $C_r$ in the second proof is twice the one in the first proof (arguably there is some guess work here...):

#![allow(unused, unreachable_code)]
use ark_ed_on_bls12_381::Fr;
use ark_ff::Field;
use double_trouble::data::puzzle_data;
use double_trouble::inner_product_argument::utils::challenge;
use double_trouble::verify;
use double_trouble::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use double_trouble::CommitKey;
use ark_ec::AffineCurve;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    // --snip--

    println!("commitment key:");
    for (i, ck_i) in ck.generators.iter().enumerate() {
        println!("ck.generators[{}] = {}", i, ck_i);
    }
    println!("ck.hiding_generator = {}\n", ck.hiding_generator);
    println!("instance 1, C_a:\n {}\n", instance1.comm_a);
    println!("instance 2, C_a:\n {}\n", instance2.comm_a);
    println!("instance 1, b:");
    for (i, b_i) in instance1.b.iter().enumerate() {
        println!("instance1.b[{}] = {}", i, b_i);
    }
    println!("");
    println!("instance 2, b:");
    for (i, b_i) in instance2.b.iter().enumerate() {
        println!("instance2.b[{}] = {}", i, b_i);
    }
    println!("");

    // --snip--

    assert_eq!(instance1, instance2);
    assert_eq!(ck, CommitKey::sample(8));

    // --snip--

    println!("proof1, comm_r:\n {}", proof1.commitment.comm_r);
    println!("proof1, comm_1:\n {}", proof1.commitment.comm_1);
    println!("proof1, comm_2:\n {}\n", proof1.commitment.comm_2);

    println!("proof2, comm_r:\n {}", proof2.commitment.comm_r);
    println!("proof2, comm_1:\n {}", proof2.commitment.comm_1);
    println!("proof2, comm_2:\n {}\n", proof2.commitment.comm_2);

    // --snip--

    if proof1.commitment.comm_r.mul(2) == proof2.commitment.comm_r {
        println!("C_r in the second proof is twice C_r in the first proof\n");
    }

    // --snip--

    let gamma1 = challenge(&ck, &instance1, &proof1.commitment);
    let gamma2 = challenge(&ck, &instance2, &proof2.commitment);
    let s1 = proof1.response.s;
    let s2 = proof2.response.s;
    let u1 = proof1.response.u;
    let u2 = proof2.response.u;
    let k = (gamma1 - Fr::from(2) * gamma2).inverse().unwrap();
    let my_a: Vec<Fr> = s1
        .iter()
        .zip(s2.iter())
        .map(|(c1, c2)| k * (gamma1 * c2 - Fr::from(2) * gamma2 * c1))
        .collect();
    let my_comm_a_rand = k * (gamma1 * u2 - Fr::from(2) * gamma2 * u1);

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        (my_a, my_comm_a_rand)
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
    println!("Puzzle solved!");
}

How can we exploit this fact?

Coding the Attack

In all the following, we will denote quantities related to the first proof with exponent $(1)$ and quantities related to the second proof with exponent $(2),$ e.g., $C_r^{(1)},$ $C_r^{(2)},$ ${\gamma }^{(1)},$ ${\gamma }^{(2)},$ etc.

We have noticed that $C_r^{(2)}=2C_r^{(1)}.$ How can we exploit this information? Presumably, the prover is using ${\mathbf{r}}^{(2)}=2{\mathbf{r}}^{(1)}$ and ${\rho }^{(2)}=2{\rho }^{(1)}$ in the second proof. Hence, we have the following system of equations: $$\begin{array}{rl}{\mathbf{s}}^{(1)}& =\mathbf{a}+{\gamma }^{(1)}{\mathbf{r}}^{(1)}\\ {\mathbf{s}}^{(2)}& =\mathbf{a}+2{\gamma }^{(2)}{\mathbf{r}}^{(1)}.\end{array}$$

We can get rid of ${\mathbf{r}}^{(1)}$ by multiplying the first equation by $2{\gamma }^{(2)},$ the second equation by ${\gamma }^{(1)},$ and substracting both equations, which yields $${\gamma }^{(1)}{\mathbf{s}}^{(2)}-2{\gamma }^{(2)}{\mathbf{s}}^{(1)}={\gamma }^{(1)}\mathbf{a}-2{\gamma }^{(2)}\mathbf{a}$$ and hence, letting $k:=({\gamma }^{(1)}-2{\gamma }^{(2)}{)}^{-1},$ $$\mathbf{a}=k({\gamma }^{(1)}{\mathbf{s}}^{(2)}-2{\gamma }^{(2)}{\mathbf{s}}^{(1)}).$$ Similarly, from ${\rho }^{(2)}=2{\rho }^{(1)}$ we obtain $$\alpha =k({\gamma }^{(1)}{u}^{(2)}-2{\gamma }^{(2)}{u}^{(1)}).$$

Here is the code computing $\mathbf{a}$ and $\alpha$ and checking that they yield the correct commitment $C_a:$

#![allow(unused, unreachable_code)]
use ark_ed_on_bls12_381::Fr;
use ark_ff::Field;
use double_trouble::data::puzzle_data;
use double_trouble::inner_product_argument::utils::challenge;
use double_trouble::verify;
use double_trouble::PUZZLE_DESCRIPTION;
use prompt::{puzzle, welcome};

// additional items brought into scope for puzzle solving
use double_trouble::CommitKey;
use ark_ec::AffineCurve;

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);
    let (ck, [instance_and_proof_1, instance_and_proof_2]) = puzzle_data();
    let (instance1, proof1) = instance_and_proof_1;
    let (instance2, proof2) = instance_and_proof_2;
    assert!(verify(&ck, &instance1, &proof1));
    assert!(verify(&ck, &instance2, &proof2));

    // --snip--

    println!("commitment key:");
    for (i, ck_i) in ck.generators.iter().enumerate() {
        println!("ck.generators[{}] = {}", i, ck_i);
    }
    println!("ck.hiding_generator = {}\n", ck.hiding_generator);
    println!("instance 1, C_a:\n {}\n", instance1.comm_a);
    println!("instance 2, C_a:\n {}\n", instance2.comm_a);
    println!("instance 1, b:");
    for (i, b_i) in instance1.b.iter().enumerate() {
        println!("instance1.b[{}] = {}", i, b_i);
    }
    println!("");
    println!("instance 2, b:");
    for (i, b_i) in instance2.b.iter().enumerate() {
        println!("instance2.b[{}] = {}", i, b_i);
    }
    println!("");

    // --snip--

    assert_eq!(instance1, instance2);
    assert_eq!(ck, CommitKey::sample(8));

    // --snip--

    println!("proof1, comm_r:\n {}", proof1.commitment.comm_r);
    println!("proof1, comm_1:\n {}", proof1.commitment.comm_1);
    println!("proof1, comm_2:\n {}\n", proof1.commitment.comm_2);

    println!("proof2, comm_r:\n {}", proof2.commitment.comm_r);
    println!("proof2, comm_1:\n {}", proof2.commitment.comm_1);
    println!("proof2, comm_2:\n {}\n", proof2.commitment.comm_2);

    // --snip--

    if proof1.commitment.comm_r.mul(2) == proof2.commitment.comm_r {
        println!("C_r in the second proof is twice C_r in the first proof\n");
    }

    // --snip--

    let gamma1 = challenge(&ck, &instance1, &proof1.commitment);
    let gamma2 = challenge(&ck, &instance2, &proof2.commitment);
    let s1 = proof1.response.s;
    let s2 = proof2.response.s;
    let u1 = proof1.response.u;
    let u2 = proof2.response.u;
    let k = (gamma1 - Fr::from(2) * gamma2).inverse().unwrap();
    let my_a: Vec<Fr> = s1
        .iter()
        .zip(s2.iter())
        .map(|(c1, c2)| k * (gamma1 * c2 - Fr::from(2) * gamma2 * c1))
        .collect();
    let my_comm_a_rand = k * (gamma1 * u2 - Fr::from(2) * gamma2 * u1);

    let (a, comm_a_rand): (Vec<Fr>, Fr) = {
        // Your solution here!
        (my_a, my_comm_a_rand)
    };
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance1.comm_a
    );
    assert_eq!(
        ck.commit_with_explicit_randomness(&a, comm_a_rand),
        instance2.comm_a
    );
    println!("Puzzle solved!");
}

Conclusion

The lesson of this puzzle is that one should never try to optimize a Sigma protocol (or any kind of ZK proof) by compromising on the quality of the randomness used by the prover. It is not enough for commitments in different runs of a sigma protocol to be different, they must be computed using independent and fresh randomness in each run. In case the prover does not have access to a reliable source of randomness, one can use proof systems satisfying the stronger resettable zero-knowledge notion [CGGM00].

Puzzle 12: Gamma Ray

• puzzle page
• GitHub repository
• puzzle description:

Bob was deeply inspired by the Zcash design [1] for private transactions
and had some pretty cool ideas on how to adapt it for his requirements.
He was also inspired by the Mina design for the lightest blockchain and
wanted to combine the two. In order to achieve that, Bob used the MNT6753
cycle of curves to enable efficient infinite recursion, and used elliptic
curve public keys to authorize spends. He released a first version of the
system to the world and Alice soon announced she was able to double spend
by creating two different nullifiers for the same key...

ZCash, Mina, MNT curves, nullifiers... Let's jump into the code to see what this is about.

Code Analysis

The package directory is organized as follows:

puzzle-gamma-ray
├── Cargo.toml
├── leaked_secret.bin
├── leaves.bin
├── proof_keys.bin
└── src
    ├── main.rs
    └── poseidon_parameters.rs

Files leaked_secret.bin, leaves.bin, and proof_keys.bin contain raw data that will be used to initialize variables, as we will see.

The main.rs file brings a lot of items from various arkworks crates into scope, notably for MNT4-753 and MNT6-753 curves, Groth16 proofs, R1CS arithmetization, etc. We will come back to this shortly.

The first thing the main function does is to define a number of variables for the puzzle, in particular:

• a proving key and a verification key for the Groth16 [Gro16] proof system over the MNT4-753 curve:

    let (pk, vk): (
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::ProvingKey,
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::VerifyingKey,
    ) = from_file("./proof_keys.bin");

• a "leaked secret" of type MNT4BigFr (the scalar field of the MNT4-753 curve) used by Alice to spend one of her coins:

    let leaked_secret: MNT4BigFr = from_file("./leaked_secret.bin");

• a Merkle tree, with leaf leaf at index i = 2 playing a special role:

    let leaves: Vec<Vec<MNT4BigFr>> = from_file("./leaves.bin");
    // ...
    let leaf_crh_params = poseidon_parameters::poseidon_parameters();
    let i = 2;
    let two_to_one_crh_params = leaf_crh_params.clone();
    // ...
    let tree = MntMerkleTree::new(
        &leaf_crh_params,
        &two_to_one_crh_params,
        leaves.iter().map(|x| x.as_slice()),
    )
    .unwrap();
    let root = tree.root();
    let leaf = &leaves[i];

The hash function used to build the Merkle tree is the SNARK-friendly Poseidon hash function [GKR+21] with parameters specified in the poseidon_parameters.rs file. In particular, the underlying field is also the scalar field MNT4BigFr of the MNT4-753 curve. One can also print the leaves of the Merkle tree:

use ark_ec::AffineRepr;
use ark_ff::PrimeField;
use ark_mnt4_753::{Fr as MNT4BigFr, MNT4_753};
use ark_mnt6_753::G1Affine;
use ark_mnt6_753::{constraints::G1Var, Fr as MNT6BigFr};

use ark_crypto_primitives::merkle_tree::{Config, MerkleTree, Path};
use ark_crypto_primitives::{crh::TwoToOneCRHScheme, snark::SNARK};
use ark_groth16::Groth16;
use ark_r1cs_std::fields::fp::FpVar;
use ark_r1cs_std::prelude::*;
use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
use ark_serialize::{CanonicalDeserialize, Read};

use prompt::{puzzle, welcome};

use std::fs::File;
use std::io::Cursor;

pub mod poseidon_parameters;

type ConstraintF = MNT4BigFr;

use ark_crypto_primitives::{
    crh::{poseidon, *},
    merkle_tree::constraints::*,
    merkle_tree::*,
};
use ark_std::rand::SeedableRng;

type LeafH = poseidon::CRH<ConstraintF>;
type LeafHG = poseidon::constraints::CRHGadget<ConstraintF>;

type CompressH = poseidon::TwoToOneCRH<ConstraintF>;
type CompressHG = poseidon::constraints::TwoToOneCRHGadget<ConstraintF>;

type LeafVar = [FpVar<ConstraintF>];
struct MntMerkleTreeParamsVar;
impl ConfigGadget<MntMerkleTreeParams, ConstraintF> for MntMerkleTreeParamsVar {
    type Leaf = LeafVar;
    type LeafDigest = <LeafHG as CRHSchemeGadget<LeafH, ConstraintF>>::OutputVar;
    type LeafInnerConverter = IdentityDigestConverter<FpVar<ConstraintF>>;
    type InnerDigest = <CompressHG as TwoToOneCRHSchemeGadget<CompressH, ConstraintF>>::OutputVar;
    type LeafHash = LeafHG;
    type TwoToOneHash = CompressHG;
}

type MntMerkleTree = MerkleTree<MntMerkleTreeParams>;

struct MntMerkleTreeParams;

impl Config for MntMerkleTreeParams {
    type Leaf = [ConstraintF];

    type LeafDigest = <LeafH as CRHScheme>::Output;
    type LeafInnerDigestConverter = IdentityDigestConverter<ConstraintF>;
    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;

    type LeafHash = LeafH;
    type TwoToOneHash = CompressH;
}

#[derive(Clone)]
struct SpendCircuit {
    pub leaf_params: <LeafH as CRHScheme>::Parameters,
    pub two_to_one_params: <LeafH as CRHScheme>::Parameters,
    pub root: <CompressH as TwoToOneCRHScheme>::Output,
    pub proof: Path<MntMerkleTreeParams>,
    pub secret: ConstraintF,
    pub nullifier: ConstraintF,
}

impl ConstraintSynthesizer<ConstraintF> for SpendCircuit {
    fn generate_constraints(
        self,
        cs: ConstraintSystemRef<ConstraintF>,
    ) -> Result<(), SynthesisError> {
        // Allocate Merkle Tree Root
        let root = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "new_digest"),
            || Ok(self.root),
        )?;

        // Allocate Parameters for CRH
        let leaf_crh_params_var =
            <LeafHG as CRHSchemeGadget<LeafH, _>>::ParametersVar::new_constant(
                ark_relations::ns!(cs, "leaf_crh_parameter"),
                &self.leaf_params,
            )?;
        let two_to_one_crh_params_var =
            <CompressHG as TwoToOneCRHSchemeGadget<CompressH, _>>::ParametersVar::new_constant(
                ark_relations::ns!(cs, "two_to_one_crh_parameter"),
                &self.two_to_one_params,
            )?;

        let secret = FpVar::new_witness(ark_relations::ns!(cs, "secret"), || Ok(self.secret))?;
        let secret_bits = secret.to_bits_le()?;
        Boolean::enforce_smaller_or_equal_than_le(&secret_bits, MNT6BigFr::MODULUS)?;

        let nullifier = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "nullifier"),
            || Ok(self.nullifier),
        )?;

        let nullifier_in_circuit =
            <LeafHG as CRHSchemeGadget<LeafH, _>>::evaluate(&leaf_crh_params_var, &[secret])?;
        nullifier_in_circuit.enforce_equal(&nullifier)?;

        let base = G1Var::new_constant(ark_relations::ns!(cs, "base"), G1Affine::generator())?;
        let pk = base.scalar_mul_le(secret_bits.iter())?.to_affine()?;

        // Allocate Leaf
        let leaf_g: Vec<_> = vec![pk.x];

        // Allocate Merkle Tree Path
        let cw: PathVar<MntMerkleTreeParams, ConstraintF, MntMerkleTreeParamsVar> =
            PathVar::new_witness(ark_relations::ns!(cs, "new_witness"), || Ok(&self.proof))?;

        cw.verify_membership(
            &leaf_crh_params_var,
            &two_to_one_crh_params_var,
            &root,
            &leaf_g,
        )?
        .enforce_equal(&Boolean::constant(true))?;

        Ok(())
    }
}

fn from_file<T: CanonicalDeserialize>(path: &str) -> T {
    let mut file = File::open(path).unwrap();
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer).unwrap();
    T::deserialize_uncompressed_unchecked(Cursor::new(&buffer)).unwrap()
}

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);

    let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(0u64);

    let leaves: Vec<Vec<MNT4BigFr>> = from_file("./leaves.bin");
    let leaked_secret: MNT4BigFr = from_file("./leaked_secret.bin");
    let (pk, vk): (
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::ProvingKey,
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::VerifyingKey,
    ) = from_file("./proof_keys.bin");

    let leaf_crh_params = poseidon_parameters::poseidon_parameters();
    let i = 2;
    let two_to_one_crh_params = leaf_crh_params.clone();

    let nullifier = <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![leaked_secret]).unwrap();

    let tree = MntMerkleTree::new(
        &leaf_crh_params,
        &two_to_one_crh_params,
        leaves.iter().map(|x| x.as_slice()),
    )
    .unwrap();
    let root = tree.root();
    let leaf = &leaves[i];

    let tree_proof = tree.generate_proof(i).unwrap();
    assert!(tree_proof
        .verify(
            &leaf_crh_params,
            &two_to_one_crh_params,
            &root,
            leaf.as_slice()
        )
        .unwrap());

    let c = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier.clone(),
        secret: leaked_secret.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c.clone(), rng).unwrap();

    // --snip--

    for (i, leaf) in leaves.iter().enumerate() {
        for (j, p) in leaf.iter().enumerate() {
            println!("leaves[{}][{}]: {}", i, j, p);
        }
    }
    println!("");

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier], &proof).unwrap());

    // --snip--

    /* Enter your solution here */

    // cast leaked_secret as big integer...
    let s: num_bigint::BigUint = leaked_secret.into();
    // ... and then as an element of MNT6BigFr
    let s_as_mnt6bigfr = MNT6BigFr::from_le_bytes_mod_order(&s.to_bytes_le());
    // take the opposite and cast it again as a big integer...
    let secret_hack_as_bigint: num_bigint::BigUint = (-s_as_mnt6bigfr).into();
    // and finally cast it back to an element of MNT4BigFr
    let secret_hack = MNT4BigFr::from_le_bytes_mod_order(&secret_hack_as_bigint.to_bytes_le());
    // compute the corresponding nullifier
    let nullifier_hack =
        <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![secret_hack]).unwrap();
    println!("nullifier_hack: {}", nullifier_hack);
    println!("secret_hack: {}", secret_hack_as_bigint);

    /* End of solution */

    assert_ne!(nullifier, nullifier_hack);

    let c2 = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier_hack.clone(),
        secret: secret_hack.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c2.clone(), rng).unwrap();

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier_hack], &proof).unwrap());

    println!("Puzzle solved!");
}

const PUZZLE_DESCRIPTION: &str = r"
Bob was deeply inspired by the Zcash design [1] for private transactions [2] and had some pretty cool ideas on how to adapt it for his requirements. He was also inspired by the Mina design for the lightest blockchain and wanted to combine the two. In order to achieve that, Bob used the MNT7653 cycle of curves to enable efficient infinite recursion, and used elliptic curve public keys to authorize spends. He released a first version of the system to the world and Alice soon announced she was able to double spend by creating two different nullifiers for the same key... 

[1] https://zips.z.cash/protocol/protocol.pdf
";

There are four leaves, each consisting of a single MNT4BigFr element. At this point it's not clear what these leaves represent but we will clarify this in a moment.

Then, a Merkle proof (a proof that a specific leaf contains a specific element) is computed for the leaf at index i = 2:

    let tree_proof = tree.generate_proof(i).unwrap();

If you're unfamiliar with how ZCash works, the state of the chain is encoded in a Merkle tree where each leaf represents a coin. Attached to this leaf is a public key and a nullifier (originally called coin serial number in the ZeroCash paper [BCG+14]) whose role is to prevent double spends: when a coin is spent, the corresponding nullifier is revealed and recorded and the protocol later ensures that any transaction using the same nullifier (and hence trying to spend the same coin) is invalid. Note in particular that leaves of the Merkle tree do not represent UTXOs but rather all coins that ever existed, spent or unspent. For more details about how nullifiers work, this blog post by Ariel Gabizon explains it very well.

Here, we can see that the nullifier is computed as the hash of the secret allowing to spend a coin:

    let nullifier = <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![leaked_secret]).unwrap();

In order to spend the coin represented by leaf at index i = 2, Alice needs to provide a Groth16 proof that her transaction is valid:

    let c = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier.clone(),
        secret: leaked_secret.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c.clone(), rng).unwrap();

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier], &proof).unwrap());

We will get into what SpendCircuit is shortly, but before that, let's take a look at the part where we need to work to solve the puzzle:

    /* Enter your solution here */

    let nullifier_hack = MNT4BigFr::from(0);
    let secret_hack = MNT4BigFr::from(0);

    /* End of solution */

    assert_ne!(nullifier, nullifier_hack);

    let c2 = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier_hack.clone(),
        secret: secret_hack.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c2.clone(), rng).unwrap();

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier_hack], &proof).unwrap());

As we can see, we must find another nullifier nullifier_hack (different from nullifier) and another secret secret_hack allowing to spend the same coin again (this is the same coin because the second Groth16 proof uses the same Merkle root root and the same Merkle proof tree_proof as the first Groth16 proof).

Next, let us unravel what the spending circuit does.

Understanding the Spending Circuit

Let us try to understand what the circuit for which Groth16 proofs are generated does. It is specified by the generate_constraints method from the ConstraintSynthesizer trait implemented on the SpendCircuit struct:

impl ConstraintSynthesizer<ConstraintF> for SpendCircuit {
    fn generate_constraints(
        self,
        cs: ConstraintSystemRef<ConstraintF>,
    ) -> Result<(), SynthesisError> {

    // ...

    }
}

This method generates R1CS constraints (over the field ConstraintF = MNT4BigFr, the scalar field of the MNT4-753 curve) to which the Groth16 proof system is then applied. There is no need to understand precisely how R1CS arithmetization works exactly, just getting what the circuit does will be enough to solve the puzzle. For this, having a quick look at the arkworks R1CS tutorial can help. Let's go step by step into the definition of the circuit. A circuit can have public inputs (the "instance", declared with the new_input method of the AllocVar trait) and private inputs (the "witness", declared with the new_witness method of the AllocVar trait): the proof generation function takes public and private inputs and generates a proof that together they "satisfy" the circuit; the verification function takes only the public inputs and the proof and returns 0 or 1 (valid/invalid). It can also have constants declared with the new_constant of the same AllocVar trait.

Here, the public inputs consist of the Merkle root and the nullifier:

        // Allocate Merkle Tree Root
        let root = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "new_digest"),
            || Ok(self.root),
        )?;

        // ...

        let nullifier = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "nullifier"),
            || Ok(self.nullifier),
        )?;

The private inputs consist of the secret secret and the Merkle proof (the field proof of the SpendCircuit struct):

        let secret = FpVar::new_witness(ark_relations::ns!(cs, "secret"), || Ok(self.secret))?;

        // ...

        // Allocate Merkle Tree Path
        let cw: PathVar<MntMerkleTreeParams, ConstraintF, MntMerkleTreeParamsVar> =
            PathVar::new_witness(ark_relations::ns!(cs, "new_witness"), || Ok(&self.proof))?;

Then, the generate_constraints method calls a number of "gadgets" to implement the logic of the circuit. First, it checks that the secret is less than the size of the scalar field of the MNT6-763 curve:

        let secret_bits = secret.to_bits_le()?;
        Boolean::enforce_smaller_or_equal_than_le(&secret_bits, MNT6BigFr::MODULUS)?;

It also checks that the hash of the secret is equal to the nullifier passed as input:

        let nullifier_in_circuit =
            <LeafHG as CRHSchemeGadget<LeafH, _>>::evaluate(&leaf_crh_params_var, &[secret])?;
        nullifier_in_circuit.enforce_equal(&nullifier)?;

Then, it computes the public key associated with secret:

        let base = G1Var::new_constant(ark_relations::ns!(cs, "base"), G1Affine::generator())?;
        let pk = base.scalar_mul_le(secret_bits.iter())?.to_affine()?;

Note that the G1Affine type here represents the group of points of the MNT6-753 curve in short Weierstrass affine representation, meaning pk here is a point on this curve, encoded as a pair $(x,y)$ of elements of the base field ${\mathbb{F}}_{q_6}$ of the MNT6-753 curve, and computed as $P=sG$ where $G$ is the generator of this group corresponding to variable base and $s$ corresponds to secret.

Finally, the circuit verifies that the Merkle proof passed as private input to the circuit is valid for the root passed as public input and the leaf defined as pk.x, the $x$-coordinate of pk.

        // Allocate Leaf
        let leaf_g: Vec<_> = vec![pk.x];

        // ...

        cw.verify_membership(
            &leaf_crh_params_var,
            &two_to_one_crh_params_var,
            &root,
            &leaf_g,
        )?
        .enforce_equal(&Boolean::constant(true))?;

Something might seem strange here at first. Point pk lies on the MNT6-753 curve, hence pk.x is an element of its base field ${\mathbb{F}}_{q_6}.$ Yet we saw previously that leaves of the Merkle tree were defined as elements of the scalar field of the MNT4-753 curve. In fact, this is fine because MNT4-753 and MNT6-753 form a "cycle of curves", meaning the scalar field of one is the base field of the other. If ${\mathbb{F}}_{q_4}$ and ${\mathbb{F}}_{r_4}$ denote respectively the base field and the scalar field of MNT4-753 and ${\mathbb{F}}_{q_6}$ and ${\mathbb{F}}_{r_6}$ denote the base field and the scalar field of MNT6-753, then forming a cycle means that $q_6=r_4$ and $q_4=r_6.$

Cycles of curves were proposed in [BCTV14] to solve the "field mismatch" problem when composing SNARKs recursively [BCCT13]. For more background, see for example [AHG23].

This concludes our inspection of the spending circuit. In short, to spend a coin, Alice must compute a Groth16 proof of satisfiability of the spending circuit using the secret key corresponding to the ($x$-coordinate of the) public key of the leaf representing the coin, a valid Merkle proof for this public key, and the corresponding nullifier, i.e., the hash of the secret.

We are now ready to solve the puzzle.

Solving the Puzzle

Recall that our task is to find another secret/nullifier pair that will satisfy the spending circuit. We are not allowed to modify the Merkle root nor the Merkle proof, meaning this secret/nullifier pair must correspond to the exact same leaf of the Merkle tree.

But wait, the leaf does not really encode the public key pk, only its $x$-coordinate! This is the key insight to solve the puzzle. Indeed, for any point $P=(x,y)$ on the curve (different from the point at infinity), there is another point on the curve with the same $x$-coordinate, namely $-P=(x,-y).$ This point simply correspond to secret $-s\mathrm{mod}{r}_6$ where $r_6$ is the size of the scalar field of the MNT6-753 curve since $(-s\mathrm{mod}{r}_6)G=-(sG)=-P.$

Hence, all we have to do to solve the puzzle is to take the opposite of leaked_secret mod $r_6$ and compute the corresponding nullifier! There's a catch though: leaked_secret is defined as an element in the scalar field of MNT4-753, hence simply defining secret_hack = - leaked_secret won't work as this will compute $-s\mathrm{mod}{r}_4$ where $r_4$ is the size of the scalar field of MNT4-753.

There are probably several options here, but a simple one is to cast leaked_secret as a big integer first. For this, we need to add the num-bigint crate to the project:

$ cargo add num-bigint

Here is the code allowing to solve the puzzle:

use ark_ec::AffineRepr;
use ark_ff::PrimeField;
use ark_mnt4_753::{Fr as MNT4BigFr, MNT4_753};
use ark_mnt6_753::G1Affine;
use ark_mnt6_753::{constraints::G1Var, Fr as MNT6BigFr};

use ark_crypto_primitives::merkle_tree::{Config, MerkleTree, Path};
use ark_crypto_primitives::{crh::TwoToOneCRHScheme, snark::SNARK};
use ark_groth16::Groth16;
use ark_r1cs_std::fields::fp::FpVar;
use ark_r1cs_std::prelude::*;
use ark_relations::r1cs::{ConstraintSynthesizer, ConstraintSystemRef, SynthesisError};
use ark_serialize::{CanonicalDeserialize, Read};

use prompt::{puzzle, welcome};

use std::fs::File;
use std::io::Cursor;

pub mod poseidon_parameters;

type ConstraintF = MNT4BigFr;

use ark_crypto_primitives::{
    crh::{poseidon, *},
    merkle_tree::constraints::*,
    merkle_tree::*,
};
use ark_std::rand::SeedableRng;

type LeafH = poseidon::CRH<ConstraintF>;
type LeafHG = poseidon::constraints::CRHGadget<ConstraintF>;

type CompressH = poseidon::TwoToOneCRH<ConstraintF>;
type CompressHG = poseidon::constraints::TwoToOneCRHGadget<ConstraintF>;

type LeafVar = [FpVar<ConstraintF>];
struct MntMerkleTreeParamsVar;
impl ConfigGadget<MntMerkleTreeParams, ConstraintF> for MntMerkleTreeParamsVar {
    type Leaf = LeafVar;
    type LeafDigest = <LeafHG as CRHSchemeGadget<LeafH, ConstraintF>>::OutputVar;
    type LeafInnerConverter = IdentityDigestConverter<FpVar<ConstraintF>>;
    type InnerDigest = <CompressHG as TwoToOneCRHSchemeGadget<CompressH, ConstraintF>>::OutputVar;
    type LeafHash = LeafHG;
    type TwoToOneHash = CompressHG;
}

type MntMerkleTree = MerkleTree<MntMerkleTreeParams>;

struct MntMerkleTreeParams;

impl Config for MntMerkleTreeParams {
    type Leaf = [ConstraintF];

    type LeafDigest = <LeafH as CRHScheme>::Output;
    type LeafInnerDigestConverter = IdentityDigestConverter<ConstraintF>;
    type InnerDigest = <CompressH as TwoToOneCRHScheme>::Output;

    type LeafHash = LeafH;
    type TwoToOneHash = CompressH;
}

#[derive(Clone)]
struct SpendCircuit {
    pub leaf_params: <LeafH as CRHScheme>::Parameters,
    pub two_to_one_params: <LeafH as CRHScheme>::Parameters,
    pub root: <CompressH as TwoToOneCRHScheme>::Output,
    pub proof: Path<MntMerkleTreeParams>,
    pub secret: ConstraintF,
    pub nullifier: ConstraintF,
}

impl ConstraintSynthesizer<ConstraintF> for SpendCircuit {
    fn generate_constraints(
        self,
        cs: ConstraintSystemRef<ConstraintF>,
    ) -> Result<(), SynthesisError> {
        // Allocate Merkle Tree Root
        let root = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "new_digest"),
            || Ok(self.root),
        )?;

        // Allocate Parameters for CRH
        let leaf_crh_params_var =
            <LeafHG as CRHSchemeGadget<LeafH, _>>::ParametersVar::new_constant(
                ark_relations::ns!(cs, "leaf_crh_parameter"),
                &self.leaf_params,
            )?;
        let two_to_one_crh_params_var =
            <CompressHG as TwoToOneCRHSchemeGadget<CompressH, _>>::ParametersVar::new_constant(
                ark_relations::ns!(cs, "two_to_one_crh_parameter"),
                &self.two_to_one_params,
            )?;

        let secret = FpVar::new_witness(ark_relations::ns!(cs, "secret"), || Ok(self.secret))?;
        let secret_bits = secret.to_bits_le()?;
        Boolean::enforce_smaller_or_equal_than_le(&secret_bits, MNT6BigFr::MODULUS)?;

        let nullifier = <LeafHG as CRHSchemeGadget<LeafH, _>>::OutputVar::new_input(
            ark_relations::ns!(cs, "nullifier"),
            || Ok(self.nullifier),
        )?;

        let nullifier_in_circuit =
            <LeafHG as CRHSchemeGadget<LeafH, _>>::evaluate(&leaf_crh_params_var, &[secret])?;
        nullifier_in_circuit.enforce_equal(&nullifier)?;

        let base = G1Var::new_constant(ark_relations::ns!(cs, "base"), G1Affine::generator())?;
        let pk = base.scalar_mul_le(secret_bits.iter())?.to_affine()?;

        // Allocate Leaf
        let leaf_g: Vec<_> = vec![pk.x];

        // Allocate Merkle Tree Path
        let cw: PathVar<MntMerkleTreeParams, ConstraintF, MntMerkleTreeParamsVar> =
            PathVar::new_witness(ark_relations::ns!(cs, "new_witness"), || Ok(&self.proof))?;

        cw.verify_membership(
            &leaf_crh_params_var,
            &two_to_one_crh_params_var,
            &root,
            &leaf_g,
        )?
        .enforce_equal(&Boolean::constant(true))?;

        Ok(())
    }
}

fn from_file<T: CanonicalDeserialize>(path: &str) -> T {
    let mut file = File::open(path).unwrap();
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer).unwrap();
    T::deserialize_uncompressed_unchecked(Cursor::new(&buffer)).unwrap()
}

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);

    let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(0u64);

    let leaves: Vec<Vec<MNT4BigFr>> = from_file("./leaves.bin");
    let leaked_secret: MNT4BigFr = from_file("./leaked_secret.bin");
    let (pk, vk): (
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::ProvingKey,
        <Groth16<MNT4_753> as SNARK<MNT4BigFr>>::VerifyingKey,
    ) = from_file("./proof_keys.bin");

    let leaf_crh_params = poseidon_parameters::poseidon_parameters();
    let i = 2;
    let two_to_one_crh_params = leaf_crh_params.clone();

    let nullifier = <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![leaked_secret]).unwrap();

    let tree = MntMerkleTree::new(
        &leaf_crh_params,
        &two_to_one_crh_params,
        leaves.iter().map(|x| x.as_slice()),
    )
    .unwrap();
    let root = tree.root();
    let leaf = &leaves[i];

    let tree_proof = tree.generate_proof(i).unwrap();
    assert!(tree_proof
        .verify(
            &leaf_crh_params,
            &two_to_one_crh_params,
            &root,
            leaf.as_slice()
        )
        .unwrap());

    let c = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier.clone(),
        secret: leaked_secret.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c.clone(), rng).unwrap();

    // --snip--

    for (i, leaf) in leaves.iter().enumerate() {
        for (j, p) in leaf.iter().enumerate() {
            println!("leaves[{}][{}]: {}", i, j, p);
        }
    }
    println!("");

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier], &proof).unwrap());

    // --snip--

    /* Enter your solution here */

    // cast leaked_secret as big integer...
    let s: num_bigint::BigUint = leaked_secret.into();
    // ... and then as an element of MNT6BigFr
    let s_as_mnt6bigfr = MNT6BigFr::from_le_bytes_mod_order(&s.to_bytes_le());
    // take the opposite and cast it again as a big integer...
    let secret_hack_as_bigint: num_bigint::BigUint = (-s_as_mnt6bigfr).into();
    // and finally cast it back to an element of MNT4BigFr
    let secret_hack = MNT4BigFr::from_le_bytes_mod_order(&secret_hack_as_bigint.to_bytes_le());
    // compute the corresponding nullifier
    let nullifier_hack =
        <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![secret_hack]).unwrap();
    println!("nullifier_hack: {}", nullifier_hack);
    println!("secret_hack: {}", secret_hack_as_bigint);

    /* End of solution */

    assert_ne!(nullifier, nullifier_hack);

    let c2 = SpendCircuit {
        leaf_params: leaf_crh_params.clone(),
        two_to_one_params: two_to_one_crh_params.clone(),
        root: root.clone(),
        proof: tree_proof.clone(),
        nullifier: nullifier_hack.clone(),
        secret: secret_hack.clone(),
    };

    let proof = Groth16::<MNT4_753>::prove(&pk, c2.clone(), rng).unwrap();

    assert!(Groth16::<MNT4_753>::verify(&vk, &vec![root, nullifier_hack], &proof).unwrap());

    println!("Puzzle solved!");
}

const PUZZLE_DESCRIPTION: &str = r"
Bob was deeply inspired by the Zcash design [1] for private transactions [2] and had some pretty cool ideas on how to adapt it for his requirements. He was also inspired by the Mina design for the lightest blockchain and wanted to combine the two. In order to achieve that, Bob used the MNT7653 cycle of curves to enable efficient infinite recursion, and used elliptic curve public keys to authorize spends. He released a first version of the system to the world and Alice soon announced she was able to double spend by creating two different nullifiers for the same key... 

[1] https://zips.z.cash/protocol/protocol.pdf
";

A Note about Hint 1

The first hint revealed to help solve the puzzle points to Lemma 5.4.7 of the Zcash specifications. It reads:

Let $P=(u,v)\in {\mathbb{J}}^{(r)}.$ Then $(u,-v)\notin {\mathbb{J}}^{(r)}.$

Here, ${\mathbb{J}}^{(r)}$ is (a subgroup of) the Jubjub curve developed by the ZCash team. Its base field is actually the scalar field of BLS12-381, allowing to efficiently prove algebraic statements about this curve using BLS12-381-based SNARKs.

The reason why the "attack" used to solve the puzzle would not apply with this curve is that it is a twisted Edwards curve rather than a curve in short Weierstrass form. In particular, Theorem 5.4.8 in the same document states that the function mapping points in ${\mathbb{J}}^{(r)}$ to their $x$-coordinate is injective, meaning two distinct points have distinct $x$-coordinates. In this case, it is safe to encode a point by recording only its $x$-coordinate in a leaf.

ZK Hack Puzzle 13: Supervillain

• puzzle page
• GitHub repository
• puzzle description:

Bob has been designing a new optimized signature scheme for his L1 based on BLS
signatures. Specifically, he wanted to be able to use the most efficient form
of BLS signature aggregation, where you just add the signatures together rather
than having to delinearize them. In order to do that, he designed a
proof-of-possession scheme based on the B-KEA assumption he found in the the
Sapling security analysis paper by Mary Maller [1]. Based the reasoning in the
Power of Proofs-of-Possession paper [2], he concluded that his scheme would be
secure. After he deployed the protocol, he found it was attacked and there was
a malicious block entered the system, fooling all the light nodes...

BLS aggregate signatures, proofs of possession, ... This should be interesting and quite relevant to Ethereum since the beacon chain uses BLS signature aggregation since the Merge. Let's take a look at the code.

Code Analysis

The package directory is organized as follows:

puzzle-supervillain
├── Cargo.toml
├── public_keys.bin
└── src
    └── main.rs

The code is pretty simpler than in most other puzzles. Let's take a look at main.rs. It first brings a number of items from arkworks crates into scope, in particular related to the BLS12-381 pairing-friendly curve. Let us introduce straightaway some (standard) notation that will help us explain what's going on in this puzzle. In all the following, we will let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ denote the two groups related to this curve, $r$ denote the order of these groups, and ${\mathbb{F}}_r$ denote the corresponding scalar field. Types G1Affine and G2Affine respectively correspond to points in ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ represented in short Weierstrass form. We will also let $G_1$ denote the generator of ${\mathbb{G}}_1$ returned by G1Affine::generator() and $e$ the pairing map from ${\mathbb{G}}_1\times {\mathbb{G}}_2$ to ${\mathbb{G}}_t$ which for any $P\in {\mathbb{G}}_1,$ $Q\in {\mathbb{G}}_2,$ and $a,b\in {\mathbb{F}}_r$ satisfies $$e(aP,bQ)=e(P,Q{)}^{ab}.$$

Function main is also quite simple. First, it creates a vector public_keys of public key/proof pairs $(P_i,Q_i)\in {\mathbb{G}}_1\times {\mathbb{G}}_2$ by deserializing the data in public_keys.bin and checks the proofs (we will come back to what these proofs are and what function pok_verify does in a moment, but the idea is that $Q_i$ should prove possession of the secret key corresponding to public key $P_i):$

    let public_keys: Vec<(G1Affine, G2Affine)> = from_file("public_keys.bin");

    public_keys
        .iter()
        .enumerate()
        .for_each(|(i, (pk, proof))| pok_verify(*pk, i, *proof));

There are 9 public key/proofs pair in total. We can print these public keys and proofs if we want, although there's not much remarkable about them:

    for (i, (pk, proof)) in public_keys.iter().enumerate() {
        println!("public_keys[{}].pk: {}", i, pk);
        println!("public_keys[{}].proof: {}\n", i, proof);
    }

We get:

public_keys[0].pk: (3951285727116295734026345521365512737910419062953537242549018568832618561552329351430853683858605302756892560527243, 2015562491477402081445210194864883205939261701444702459066048593747231321865210770475706036490256666079149530034340)
public_keys[0].proof: (QuadExtField(3882041700531663080715209917545481876729765846180025125888908765171220948117125212571143276457991056473137284787111 + 1050510852775817852847416507597900558865419625189113347525854846152071282929138131519646186856851998395894795581147 * u), QuadExtField(2276155031300751614807654043081790005359418219874201281987179783127300973516686184393036674096389076445085471809656 + 1499576108176939010561117214629143885375859964478472578277936997691719552590218342980721074321136489528861749450818 * u))

[...]

public_keys[8].pk: (1590421703439460875501217084904151928024777767932960691388269493213756601481659194276214126863101251608754666663069, 2514873486426372291261215275870411521130979618244175339961890502447807774325646533262394833397969654866179194151855)
public_keys[8].proof: (QuadExtField(3425299122867009301502774777484371853886695233020764827572267590585668332652640989134711487565285919169053024365378 + 3944021846570525607818281571743626433255634014300232163668270031644045523012218166565184866119660182557753392994734 * u), QuadExtField(109895792935386285998226095339950304065932040948382827892877878577064124319340998704951294008715504779991886183613 + 2408179566338427416508441175406184228438312159836037637845488388439414219265617277506646523139939207977761770383651 * u))

Then, function main defines the index of an extra key and a message for which we will have to forge a signature and expects us to define three things: a new public key, a new proof and an aggregate signature:

    let new_key_index = public_keys.len();
    let message = b"YOUR GITHUB USERNAME";

    /* Enter solution here */

    let new_key = G1Affine::zero();
    let new_proof = G2Affine::zero();
    let aggregate_signature = G2Affine::zero();

    /* End of solution */

The solution should satisfy two conditions. First, the new proof should be valid for the new public key, and second, the aggregate signature should be a valid BLS signature with respect to some aggregate key:

    pok_verify(new_key, new_key_index, new_proof);
    let aggregate_key = public_keys
        .iter()
        .fold(G1Projective::from(new_key), |acc, (pk, _)| acc + pk)
        .into_affine();
    bls_verify(aggregate_key, aggregate_signature, message)

This aggregate key is defined by adding all public keys $P_0,\dots ,P_8$ from the puzzle data to the new key we must specify in our solution. In other words, letting $P_9$ denote the new public key, the aggregate key (let us denote it $P^{\ast })$ is simply the sum of all public keys: $$P^{\ast }=\sum _{i=0}^9{P}_i.$$

That's a good start. In order to progress, let us recall how BLS signatures work.

BLS Signatures

There are many great online resources about BLS signatures such as here or the IETF draft. See also the corresponding chapter in this book. In order to make this write-up more self-contained, let us quickly recall how they work.

The signature and verification functions are defined by these few lines of code:

fn bls_sign(sk: Fr, msg: &[u8]) -> G2Affine {
    hasher().hash(msg).unwrap().mul(sk).into_affine()
}

fn bls_verify(pk: G1Affine, sig: G2Affine, msg: &[u8]) {
    assert!(Bls12_381::multi_pairing(
        &[pk, G1Affine::generator()],
        &[hasher().hash(msg).unwrap().neg(), sig]
    )
    .is_zero());
}

Here, public keys are elements from group ${\mathbb{G}}_1$ and signatures are elements from ${\mathbb{G}}_2$ (this is the choice made in Ethereum but in general, this can be swapped depending on which one should be shorter for a specific use case; elements from ${\mathbb{G}}_2$ are roughly twice longer than elements from ${\mathbb{G}}_1$ and arithmetic is slower in ${\mathbb{G}}_2$ than in ${\mathbb{G}}_1).$

Given a secret key $x,$ the corresponding public key is $P=x{G}_1$ (recall that $G_1$ is a commonly agreed generator of ${\mathbb{G}}_1).$

In order to sign a message $m,$ one first hashes it "into" ${\mathbb{G}}_2$ with some hash function $H:\{0,1{\}}^{\ast }\to {\mathbb{G}}_2$ and multiply the resulting point by $x,$ meaning the signature is $$S=xH(m).$$

The verification function, given a public key $P\in {\mathbb{G}}_1,$ a message $m,$ and a signature $S\in {\mathbb{G}}_2,$ asserts whether $$e(P,-H(m))+e(G_1,S)=0_{{\mathbb{G}}_t}$$ which is equivalent to (but more efficient to compute) $$e(P,H(m))=e(G_1,S).$$ This works since for a signature computed correctly one has $S=xH(m)$ and hence $$e(P,H(m))=e(x{G}_1,H(m))=e(G_1,xH(m))=e(G_1,S).$$ (Note that ${\mathbb{G}}_t$ is denoted additively here, which would make Vitalik happy; multiplicative notation is more common since ${\mathbb{G}}_t$ is a multiplicative subgroup of ${\mathbb{F}}_{q^{12}}$ where $q$ is the size of the base field of BLS12-381).

Hashing into elliptic curves is delicate: this should be done in a way that does not leak any algebraic relation (such as relative discrete logarithms) between resulting points (more formally, $H$ should behave as a random oracle returning a random point for each input). RFC 9380 describes various methods for doing this.

Here, the hash function used for hashing into ${\mathbb{G}}_2$ is the so-called Wahby-Boneh map [WB19]:

fn hasher() -> MapToCurveBasedHasher<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>> {
    let wb_to_curve_hasher =
        MapToCurveBasedHasher::<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>>::new(
            &[1, 3, 3, 7],
        )
        .unwrap();
    wb_to_curve_hasher
}

It's pretty complicated and fortunately there's no need to understand how it works exactly to solve the puzzle.

Aggregating BLS Signatures

BLS signatures have the nice property that they can be aggregated by simply adding them. Namely, if we have $n$ signatures $S_0,\dots ,S_{n-1}$ corresponding to public key/message pairs $(P_i,m_i),$ we can simply take the sum of all signatures $$S=\sum _{i=0}^{n-1}{S}_i.$$ Then, to check that the $n$ messages have been signed, one verifies that $$e(G_1,S)=\sum _{i=0}^{n-1}e(P_i,H(m_i)).$$ This cuts the cost of verification roughly by half (one only has to compute $n+1$ pairings instead of $2n$ when checking signatures one by one; the cost of point additions to compute the aggregate signature $S$ is negligible compared to the cost of a pairing).

This can be shown to be secure assuming all messages are distinct as otherwise a so-called rogue-key attack is possible. To see why, let us take the simple case of two signers with respective public keys $P_0=x_0{G}_1$ and $P_1=x_1{G}_1$ who want to sign the same message $m.$ (A note about the wording: when all signers want to sign a common message, this is more often called a multi-signature scheme rather than an aggregate signature scheme). To be valid, the aggregate signature must satisfy $$e(G_1,S)=e(P_0,H(m))+e(P_1,H(m)).$$ Because messages are the same, this can be written $$e(G_1,S)=e(P_0+P_1,H(m)).$$ Then, assuming signer 0 announced its public key first, signer 1 could just choose its public key as $$P_1=x{G}_1-P_0$$ for some known secret $x.$ Then, signer 1 can compute an aggregate signature on its own for any message $m$ (even messages signer 0 would refuse to sign) simply by computing $S=xH(m):$ this is a valid signature for $m$ under the "aggregate" key $P_0+P_1=x{G}_1.$

There are several solutions to thwart this attack:

• one can use "augmented messages", meaning signer $i$ signs $(P_i,m)$ instead of just $m;$ this was suggested in the original paper where aggregate BLS signatures were proposed [BGLS03] and further formalized in [BNN07];
• one can use "delinearization", meaning each public key $P_i$ is multiplied by a some random-looking scalar $H^{\prime }(i,(P_0,\dots ,P_{n-1})),$ for some hash function $H^{\prime }$ with values in ${\mathbb{F}}_r;$ this was first suggested to solve the corresponding problem for Schnorr multisignatures and later studied for BLS in [BDN18];
• finally (and this is the solution the puzzle is about) one can use "proofs of possession", as suggested in [RY07] (reference [2] in the puzzle description); this means that each signer must prove that it has access to the secret key corresponding to its public key; this thwarts rogue-key attacks since signer 1 does not know the secret key corresponding to $P_1=x{G}_1-P_0$ and hence cannot provide a proof of possession.

Proofs of Possession

What is a proof of possession (PoP) exactly? There is actually no clear security definition. [RY07] defines it as follows:

A POP attests that a party has access to the secret key associated with his/her public key, which is typically accomplished using the functionality of the key pair’s intended scheme. For signature schemes, the simplest POP has a party sign its certificate request message and send both the message and signature to the CA.

Hence, this is somewhat reminiscent of a proof of knowledge, except there is no formal guarantee that there exists an extractor which is capable of extracting the secret key when granted arbitrary access to the party implementing the PoP. In particular, this makes PoPs more cumbersome to use in security proofs. In a protocol based on a proof of knowledge, the security proof is typically modular, meaning it only relies on the assumption that the PoK satisfies extractability. The protocol is then guaranteed to be secure when used with any PoK meeting the definition (which can be proved independently). On the contrary, since PoPs have no formal security definition, one must provide a new security proof for each PoP scheme one may want to use the protocol with.

It has been proved in [RY07] that BLS multi-signatures are secure when used with the PoP which consists in signing its own public key with the corresponding secret key. Namely, if my key pair is $(x,P=x{G}_1),$ then the proof of possession is the point $xH(X)$ on ${\mathbb{G}}_2.$ (There's a slight subtlety here: the hash function used to compute PoPs should be different from the one used to actually sign messages; prepending two different constants to the argument of the hash function does the trick.) In fact, this PoP can even be proved to be a proof of knowledge under a very strong assumption called B-KEA: this is shown in the paper by Maller mentioned in the puzzle description (see Lemma 1).

How does the proof used in the puzzle work exactly? It is defined as follows:

fn derive_point_for_pok(i: usize) -> G2Affine {
    let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
    G2Affine::rand(rng).mul(Fr::from(i as u64 + 1)).into()
}

#[allow(dead_code)]
fn pok_prove(sk: Fr, i: usize) -> G2Affine {
    derive_point_for_pok(i).mul(sk).into()
}

fn pok_verify(pk: G1Affine, i: usize, proof: G2Affine) {
    assert!(Bls12_381::multi_pairing(
        &[pk, G1Affine::generator()],
        &[derive_point_for_pok(i).neg(), proof]
    )
    .is_zero());
}

First, a point in ${\mathbb{G}}_2$ is computed as a function of the index $i$ of the public key in the vector of public keys. This point is equal to $(i+1)Q,$ where $Q$ is a random point in ${\mathbb{G}}_2$ returned by the rand function seeded with some fixed string 20399. Importantly, the same point $Q$ is used in every proofs. The proof $Q_i$ of possession of the secret key $x_i$ for public key $P_i=x_i{G}_1$ is then the point $Q_i$ defined as $$Q_i=x_i(i+1)Q.$$ Hence, this kind of looks like a BLS signature, except that the point which is multiplied by the secret key $x_i$ is $(i+1)Q$ rather than $H(P_i).$ Can we exploit this?

Solving the Puzzle

We are now ready to gather all the pieces and solve the puzzle. The straightforward idea is to mount a rogue key attack by choosing some "rogue" secret key $x$ and define our new public key $P_9$ as $x{G}_1$ minus the sum of all other public keys: $$P_9=x{G}_1-\sum _{i=0}^8{P}_i.$$ This way, the aggregate key $P^{\ast }$ is simply $$\begin{array}{rl}{P}^{\ast }& =\sum _{i=0}^9{P}_i\\ & =\sum _{i=0}^8{P}_i+P_9\\ & =x{G}_1.\end{array}$$ This means that we know the secret key corresponding to $P^{\ast }$ and hence we can forge a valid signature (with respect to $P^{\ast })$ for any message we want by just computing $xH(m).$

Are we done, then? Well, not exactly, as we now have to come with a valid proof of possession of the secret key for $P_9.$ But, we don't know this secret key! It seems like we have just moved the problem elsewhere.

Let us write formally what the proof for $P_9$ should be. For $i=0,\dots ,9,$ let $x_i$ be the secret key corresponding to public key $P_i.$ Since $P_9$ can be written $$P_9=\left(x-\sum _{i=0}^8{x}_i\right)G_1,$$ the secret key corresponding to $P_9$ is $$x_9=x-\sum _{i=0}^8{x}_i.$$ Recall that the proof for the $i$-th public key is $Q_i=x_i(i+1)Q.$ Hence, the valid proof that we must compute is $$\begin{array}{rl}{Q}_9& =x_9(10\cdot Q)\\ & =10\left(x-\sum _{i=0}^8{x}_i\right)Q\\ & =(10x)Q-\sum _{i=0}^{8}10x_{i}Q.\end{array}$$

We can compute the first term since we know $x.$ On the other hand, we don't know secret keys $x_i.$ But we have access to proofs $Q_i=x_i(i+1)Q,$ and this allows us to compute $$x_{i}Q=((i+1{)}^{-1}\mathrm{mod}r)Q_i.$$ Hence, we obtain that the proof we're looking for can be computed from the puzzle data as $$Q_9=(10x)Q-\sum _{i=0}^{8}10((i+1{)}^{-1}\mathrm{mod}r)Q_i.$$

Here is the code computing the new key, the new proof, and the aggregate signature (the rogue secret is generated pseudorandomly):

use ark_bls12_381::{g2::Config, Bls12_381, Fr, G1Affine, G1Projective, G2Affine, G2Projective};
use ark_ec::{
    hashing::{curve_maps::wb::WBMap, map_to_curve_hasher::MapToCurveBasedHasher, HashToCurve},
    pairing::Pairing,
    AffineRepr, CurveGroup,
};
use ark_ff::field_hashers::DefaultFieldHasher;
use ark_ff::Field;

use ark_serialize::{CanonicalDeserialize, Read};

use prompt::{puzzle, welcome};

use sha2::Sha256;
use std::fs::File;
use std::io::Cursor;
use std::ops::{Mul, Neg};

use ark_std::{rand::SeedableRng, UniformRand, Zero};

fn derive_point_for_pok(i: usize) -> G2Affine {
    let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(20399u64);
    G2Affine::rand(rng).mul(Fr::from(i as u64 + 1)).into()
}

#[allow(dead_code)]
fn pok_prove(sk: Fr, i: usize) -> G2Affine {
    derive_point_for_pok(i).mul(sk).into()
}

fn pok_verify(pk: G1Affine, i: usize, proof: G2Affine) {
    assert!(Bls12_381::multi_pairing(
        &[pk, G1Affine::generator()],
        &[derive_point_for_pok(i).neg(), proof]
    )
    .is_zero());
}

fn hasher() -> MapToCurveBasedHasher<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>> {
    let wb_to_curve_hasher =
        MapToCurveBasedHasher::<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>>::new(
            &[1, 3, 3, 7],
        )
        .unwrap();
    wb_to_curve_hasher
}

#[allow(dead_code)]
fn bls_sign(sk: Fr, msg: &[u8]) -> G2Affine {
    hasher().hash(msg).unwrap().mul(sk).into_affine()
}

fn bls_verify(pk: G1Affine, sig: G2Affine, msg: &[u8]) {
    assert!(Bls12_381::multi_pairing(
        &[pk, G1Affine::generator()],
        &[hasher().hash(msg).unwrap().neg(), sig]
    )
    .is_zero());
}

fn from_file<T: CanonicalDeserialize>(path: &str) -> T {
    let mut file = File::open(path).unwrap();
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer).unwrap();
    T::deserialize_uncompressed_unchecked(Cursor::new(&buffer)).unwrap()
}

fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);

    let public_keys: Vec<(G1Affine, G2Affine)> = from_file("public_keys.bin");

    public_keys
        .iter()
        .enumerate()
        .for_each(|(i, (pk, proof))| pok_verify(*pk, i, *proof));

    for (i, (pk, proof)) in public_keys.iter().enumerate() {
        println!("public_keys[{}].pk: {}", i, pk);
        println!("public_keys[{}].proof: {}\n", i, proof);
    }

    let new_key_index = public_keys.len();
    let message = b"yannickseurin";

    // --snip--

    /* Enter solution here */

    let rng = &mut ark_std::rand::rngs::StdRng::seed_from_u64(23898323u64);
    let rogue_secret = Fr::rand(rng);
    let new_key = public_keys
        .iter()
        .fold(G1Affine::generator().mul(rogue_secret), |acc, (pk, _)| {
            acc - pk
        })
        .into_affine();
    let new_proof = public_keys.iter().enumerate().fold(
        pok_prove(rogue_secret, new_key_index),
        |acc, (i, (_, proof))| {
            let correct =
                Fr::from(new_key_index as u64 + 1) * Fr::from(i as u64 + 1).inverse().unwrap();
            (acc - proof.mul(correct).into_affine()).into_affine()
        },
    );
    let aggregate_signature = bls_sign(rogue_secret, message);

    /* End of solution */

    pok_verify(new_key, new_key_index, new_proof);
    let aggregate_key = public_keys
        .iter()
        .fold(G1Projective::from(new_key), |acc, (pk, _)| acc + pk)
        .into_affine();
    bls_verify(aggregate_key, aggregate_signature, message);

    println!("Puzzle solved!");
}

const PUZZLE_DESCRIPTION: &str = r"
Bob has been designing a new optimized signature scheme for his L1 based on BLS signatures. Specifically, he wanted to be able to use the most efficient form of BLS signature aggregation, where you just add the signatures together rather than having to delinearize them. In order to do that, he designed a proof-of-possession scheme based on the B-KEA assumption he found in the the Sapling security analysis paper by Mary Maller [1]. Based the reasoning in the Power of Proofs-of-Possession paper [2], he concluded that his scheme would be secure. After he deployed the protocol, he found it was attacked and there was a malicious block entered the system, fooling all the light nodes...

[1] https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf
[2] https://rist.tech.cornell.edu/papers/pkreg.pdf
";

Conclusion

The proof of possession used in the puzzle departed from what has been proven secure in the literature: instead of hashing the public key into the group, it used points of the form $(i+1)Q$ for a common random point $Q.$ While this is secure for a single key in isolation, this breaks when multiple public keys are involved as an attacker can use PoPs of other cosigners to maul a PoP for a public key for which it does not know the corresponding secret key, ultimately enabling a rogue key attack.

ZK Hack Puzzle 14: Chaos Theory

• puzzle page
• GitHub repository
• puzzle description:

Bob designed a new one time scheme, that's based on the tried and true method
of encrypt + sign. He combined ElGamal encryption with BLS signatures in a
clever way, such that you use pairings to verify the encrypted message was
not tampered with. Alice, then, figured out a way to reveal the plaintexts...

The puzzle webpage recommends to read background material about authenticated encryption, which usually refers to the combination of symmetric encryption and MACs, which are symmetric-key primitives. Combining public-key encryption and signatures is more usually called signcryption.

Code Analysis

The package directory is organized as follows:

puzzle-chaos-theory
├── Cargo.toml
├── blob.bin
└── src
    └── main.rs

Let us go through the main.rs file to understand how Bob designed his signcryption scheme. It first brings a number of items from arkworks crates into scope, in particular related to the BLS12-381 pairing-friendly curve. Let us introduce straightaway some (standard) notation that will help us explain mathematically how the signcryption scheme works. In all the following, we will let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ denote the two groups related to the BLS12-381 curve, $r$ denote the order of these groups, and ${\mathbb{F}}_r$ denote the corresponding scalar field. Types G1Affine and G2Affine respectively correspond to points in ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ represented in short Weierstrass affine coordinates. We will also let $G_1$ denote the generator of ${\mathbb{G}}_1$ returned by G1Affine::generator() (or G1Projective::generator() in projective form) and $e$ the pairing map from ${\mathbb{G}}_1\times {\mathbb{G}}_2$ to ${\mathbb{G}}_t$ which for any $P\in {\mathbb{G}}_1,$ $Q\in {\mathbb{G}}_2,$ and $a,b\in {\mathbb{F}}_r$ satisfies

$$e(aP,bQ)=e(P,Q{)}^{ab}.$$

A hasher function is defined, returning an instance of the so-called Wahby-Boneh map [WB19] allowing to hash into ${\mathbb{G}}_2:$

fn hasher() -> MapToCurveBasedHasher<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>> {
    let wb_to_curve_hasher =
        MapToCurveBasedHasher::<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>>::new(
            &[1, 3, 3, 7],
        )
        .unwrap();
    wb_to_curve_hasher
}

In all the following we will simply let $H$ denote this hash function.

Then, a tuple struct ElGamal holding two G1Affine points $(C_1,C_2)$ corresponding to ciphertexts is defined together with a method hash_to_curve returning $H(C_1,C_2):$

pub struct ElGamal(G1Affine, G1Affine);

impl ElGamal {
    pub fn hash_to_curve(&self) -> G2Affine {
        let mut data = Vec::new();
        self.serialize_uncompressed(&mut data).unwrap();

        hasher().hash(&data).unwrap()
    }
}

Messages are simply G1Affine points wrapped in a Message struct using the newtype pattern:

pub struct Message(G1Affine);

Finally, two structs are defined for respectively the sender and receiver:

struct Sender {
    pub sk: Fr,
    pub pk: G1Affine,
}

pub struct Receiver {
    pk: G1Affine,
}

Public keys for both the sender and the receiver are G1Affine points. Note that the receiver has a public key field, but no secret key field (decryption is not implemented).

Then comes the implementation of the encryption and signature by the sender:

impl Sender {
    pub fn send(&self, m: Message, r: &Receiver) -> ElGamal {
        let c_2: G1Affine = (r.pk.mul(&self.sk) + m.0).into_affine();
        ElGamal(self.pk, c_2)
    }

    pub fn authenticate(&self, c: &ElGamal) -> G2Affine {
        let hash_c = c.hash_to_curve();
        hash_c.mul(&self.sk).into_affine()
    }
}

Let us express what it does mathematically. Let $P_s=x{G}_1\in {\mathbb{G}}_1$ denote the public key of the sender (self.pk) and $x$ denote the corresponding secret key (self.sk), $P_r\in {\mathbb{G}}_1$ the public key of the receiver (r.pk), and $M\in {\mathbb{G}}_1$ denote the message (m). Then the ciphertext returned by function send is $$(C_1=P_s,C_2=x{P}_r+M).$$

Hence, this is just ElGamal encryption where $P_s=x{G}_1$ plays the role of the randomness of the standard ElGamal ciphertext.

The signature returned by function authenticate is the point in ${\mathbb{G}}_2$ defined as $$S=xH(C_1,C_2).$$

Hence, this is simply a BLS signature computed on the ciphertext.

Although decryption by the receiver is not implemented, verification of ciphertexts is implemented through a function check_auth on the empty struct Auditor:

impl Auditor {
    pub fn check_auth(sender_pk: G1Affine, c: &ElGamal, s: G2Affine) -> bool {
        let lhs = { Bls12_381::pairing(G1Projective::generator(), s) };

        let hash_c = c.hash_to_curve();
        let rhs = { Bls12_381::pairing(sender_pk, hash_c) };

        lhs == rhs
    }
}

This simply checks that the BLS signature $S$ is valid for public key $P_s$ and message $(C_1,C_2):$ $$e(G_1,S)\stackrel{?}{=}e(P_s,H(C_1,C_2)).$$

So to summarize, Bob's signcryption scheme simply encrypts the message using ElGamal and signs the ciphertext using the randomness of the ElGamal ciphertext as secret key for the BLS signature scheme.

Solving the Puzzle

The main function defines a Blob instance (by deserializing data in blob.bin) containing the sender public key $P_s,$ the ciphertext $(C_1,C_2),$ the signature $S$ and the receiver public key $P_r:$

    let blob = Blob::deserialize_uncompressed(data.as_slice()).unwrap();

where Blob is defined as

pub struct Blob {
    pub sender_pk: G1Affine,
    pub c: ElGamal,
    pub s: G2Affine,
    pub rec_pk: G1Affine,
}

It also defines 10 candidate messages:

    let messages = generate_message_space();

where the generate_message_space function is defined as

fn generate_message_space() -> [Message; 10] {
    let g1 = G1Projective::generator();
    let msgs = [
        390183091831u64,
        4987238947234982,
        84327489279482,
        8492374892742,
        5894274824234,
        4982748927426,
        48248927348927427,
        489274982749828,
        99084321987189371,
        8427489729843712893,
    ];
    msgs.iter()
        .map(|&msg_i| Message(g1.mul(Fr::from(msg_i)).into_affine()))
        .collect::<Vec<_>>()
        .try_into()
        .unwrap()
}

Hence, the message is not completely arbitrary in ${\mathbb{G}}_1,$ we know a priori that it corresponds to one of the 10 messages in the messages vector.

The ciphertext is valid, as checked by the following lines:

    // ensure that blob is correct
    assert!(Auditor::check_auth(blob.sender_pk, &blob.c, blob.s));

ElGamal encryption is IND-CPA secure under the decisional Diffie-Hellman (DDH) assumption (which is believed to hold in group ${\mathbb{G}}_1$ of BLS12-381), hence we must find a way to exploit information in the signature.

Since there are only 10 possible messages, if we can find a "test function" which is satisfied only by the real message, then we are done (note that this would not be the case if the space of potential message was too large to exhaustively run the test).

Recall that the message $M$ satisfies $C_2=x{P}_r+M$ or equivalently $$x{P}_r=C_2-M.$$

Also, the signature is $S=xH(C_1,C_2).$

In other words, the discrete log of $C_2-M$ in base $P_r$ (in group ${\mathbb{G}}_1)$ is equal to the discrete log of $S$ in base $H(C_1,C_2)$ (in group ${\mathbb{G}}_2).$ But equality of discrete logs is exactly the property that a pairing allows to test! Here is our test function then: for each potential message, check whether $$e(C_2-M,H(C_1,C_2))\stackrel{?}{=}e(P_r,S).$$

Only for the real message will this equation be satisfied since $C_2-M=x{P}_r$ implies $$e(C_2-M,H(C_1,C_2))=e(x{P}_r,H(C_1,C_2))=e(P_r,xH(C_1,C_2))=e(P_r,S).$$

The attack is straightforward to implement:

use ark_bls12_381::{g2::Config, Bls12_381, Fr, G1Affine, G1Projective, G2Affine, G2Projective};
use ark_ec::{
    hashing::{curve_maps::wb::WBMap, map_to_curve_hasher::MapToCurveBasedHasher, HashToCurve},
    pairing::Pairing,
    CurveGroup, Group,
};
use ark_ff::field_hashers::DefaultFieldHasher;
use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
use sha2::Sha256;
use std::{fs::File, io::Read, ops::Mul};

use prompt::{puzzle, welcome};

#[derive(Debug)]
pub enum Error {
    InvalidMsg,
}

fn hasher() -> MapToCurveBasedHasher<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>> {
    let wb_to_curve_hasher =
        MapToCurveBasedHasher::<G2Projective, DefaultFieldHasher<Sha256, 128>, WBMap<Config>>::new(
            &[1, 3, 3, 7],
        )
        .unwrap();
    wb_to_curve_hasher
}

#[derive(CanonicalSerialize, CanonicalDeserialize)]
pub struct ElGamal(G1Affine, G1Affine);

impl ElGamal {
    pub fn hash_to_curve(&self) -> G2Affine {
        let mut data = Vec::new();
        self.serialize_uncompressed(&mut data).unwrap();

        hasher().hash(&data).unwrap()
    }
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Message(G1Affine);

struct Sender {
    pub sk: Fr,
    pub pk: G1Affine,
}

pub struct Receiver {
    pk: G1Affine,
}

pub struct Auditor {}

impl Sender {
    pub fn send(&self, m: Message, r: &Receiver) -> ElGamal {
        let c_2: G1Affine = (r.pk.mul(&self.sk) + m.0).into_affine();
        ElGamal(self.pk, c_2)
    }

    pub fn authenticate(&self, c: &ElGamal) -> G2Affine {
        let hash_c = c.hash_to_curve();
        hash_c.mul(&self.sk).into_affine()
    }
}

impl Auditor {
    pub fn check_auth(sender_pk: G1Affine, c: &ElGamal, s: G2Affine) -> bool {
        let lhs = { Bls12_381::pairing(G1Projective::generator(), s) };

        let hash_c = c.hash_to_curve();
        let rhs = { Bls12_381::pairing(sender_pk, hash_c) };

        lhs == rhs
    }
}

#[derive(CanonicalSerialize, CanonicalDeserialize)]
pub struct Blob {
    pub sender_pk: G1Affine,
    pub c: ElGamal,
    pub s: G2Affine,
    pub rec_pk: G1Affine,
}

fn generate_message_space() -> [Message; 10] {
    let g1 = G1Projective::generator();
    let msgs = [
        390183091831u64,
        4987238947234982,
        84327489279482,
        8492374892742,
        5894274824234,
        4982748927426,
        48248927348927427,
        489274982749828,
        99084321987189371,
        8427489729843712893,
    ];
    msgs.iter()
        .map(|&msg_i| Message(g1.mul(Fr::from(msg_i)).into_affine()))
        .collect::<Vec<_>>()
        .try_into()
        .unwrap()
}

pub fn main() {
    welcome();
    puzzle(PUZZLE_DESCRIPTION);

    let messages = generate_message_space();

    let mut file = File::open("blob.bin").unwrap();
    let mut data = Vec::new();
    file.read_to_end(&mut data).unwrap();
    let blob = Blob::deserialize_uncompressed(data.as_slice()).unwrap();

    // ensure that blob is correct
    assert!(Auditor::check_auth(blob.sender_pk, &blob.c, blob.s));

    // --snip--

    /* Implement your attack here, to find the index of the encrypted message */

    for (i, m) in messages.iter().enumerate() {
        let lhs = { Bls12_381::pairing(blob.c.1 - m.0, blob.c.hash_to_curve()) };
        let rhs = { Bls12_381::pairing(blob.rec_pk, blob.s) };
        if lhs == rhs {
            println!("Condition satisfied for message index {}", i);
        }
    }

    /* End of attack */
}

const PUZZLE_DESCRIPTION: &str = r"
Bob designed a new one time scheme, that's based on the tried and true method of encrypt + sign. He combined ElGamal encryption with BLS signatures in a clever way, such that you use pairings to verify the encrypted message was not tampered with. Alice, then, figured out a way to reveal the plaintexts...
";

We find that the encrypted message has index 3.

Conclusion

The main takeaway is that adding a BLS signature using the randomness of the ElGamal ciphertext as secret key for signing allowed a test function to discriminate the real plaintext.

In order to securely combine a public key encryption scheme and a signature scheme, one can use generic composition and simply "encrypt-then-sign", but with independent randomness in the encryption part and the signature part. This means that the ElGmal ciphertext should be $$(C_1=u{G}_1,C_2=u{P}_r+M)$$ for some random $u\in {\mathbb{F}}_r$ independent from the sender signing key $x$ (and freshly drawn for each ciphertext). The exact security of this method was studied in [ADR02] where it was shown that combining an IND-CPA-secure encryption scheme (such as ElGamal encryption) and a EUF-CMA-secure signature scheme (such as BLS) yields a so-called "outsider-secure" signcryption scheme. Outsider-security means that the sender is protected against forgery as long as the receiver's secret key is not compromised and conversely the confidentiality of messages sent to the receiver is ensured as long as the sender's secret key is not compromised. By opposition, "insider-security" means that the sender is protected even if the receiver's secret key leaks and vice-versa.

There is actually a more complicated way to combine ElGamal and BLS into a signcryption scheme achieving the stronger notion of insider-security which has been proposed in [LQ04].

The idea is as follow (note that the paper describes the scheme with a symmetric pairing, we transpose it here for an asymmetric pairing). As before, let $(x,P_s=x{G}_1)$ and $(y,P_r=y{G}_1)$ be the sender and receiver secret/public key pairs. To encrypt a message $m,$ the sender draws $r\in {\mathbb{F}}_r$ uniformly at random and computes

$$\begin{array}{rlr}U& =r{G}_1& \text{(compute nonce)}\\ V& =xH(m,U,P_r)\in {\mathbb{G}}_2& \text{(sign)}\\ W& =V\oplus H^{\prime }(U,P_r,r{P}_r)& \text{(encrypt sig. with hashed ElGamal)}\\ Z& =(m\Vert P_s)\oplus H_3(V)& \text{(encrypt message and sender pub key)}.\end{array}$$

The signed ciphertext is $(U,W,Z).$

References

[ABR01] Michel Abdalla, Mihir Bellare, and Phillip Rogaway. DHIES: An encryption scheme based on the Diffie-Hellman Problem. Manuscript, 2001 (preliminary version in the proceedings of CT-RSA 2001).

[ADR02] Jee Hea An, Yevgeniy Dodis, and Tal Rabin. On the Security of Joint Signature and Encryption. In proceedings of EUROCRYPT 2002.

[AHG23] Diego F. Aranha, Youssef El Housni, and Aurore Guillevic. A survey of elliptic curves for proof systems. In Designs, Codes and Cryptography, 2023.

[ANT+20] Diego F. Aranha, Felipe Rodrigues Novaes, Akira Takahashi, Mehdi Tibouchi, and Yuval Yarom. LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage. In proceedings of ACM CCS 2020.

[BB04] Dan Boneh and Xavier Boyen. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In proceedings of EUROCRYPT 2004.

[BB08] Dan Boneh and Xavier Boyen. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. In Journal of Cryptology, 2008.

[BCCT13] Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data. In proceedings of STOC 2013.

[BCG+14] Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. In proceedings of IEEE SP 2014.

[BCI+10] Eric Brier, Jean-Sébastien Coron, Thomas Icart, David Madore, Hugues Randriam, and Mehdi Tibouchi. Efficient Indifferentiable Hashing into Ordinary Elliptic Curves. In proceedings of CRYPTO 2010.

[BCM+15] Paulo S. L. M. Barreto, Craig Costello, Rafael Misoczki, Michael Naehrig, Geovandro C. C. F. Pereira, and Gustavo Zanon. Subgroup Security in Pairing-Based Cryptography. In proceedings of Latincrypt 2015.

[BCTV14] Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. Scalable Zero Knowledge via Cycles of Elliptic Curves. In proceedings of CRYPTO 2014.

[BDFG20] Dan Boneh, Justin Drake, Ben Fisch, and Ariel Gabizon. Efficient polynomial commitment schemes for multiple points and polynomials. IACR ePrint report 2020/081, 2020.

[BDN18] Dan Boneh, Manu Drijvers, and Gregory Neven. Compact Multi-signatures for Smaller Blockchains. In proceedings of ASIACRYPT 2018.

[BF03] Dan Boneh and Matthew K. Franklin. Identity-Based Encryption from the Weil Pairing. In SIAM Journal on Computing, 2003.

[BGLS03] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In proceedings of EUROCRYPT 2003.

[BH19] Joachim Breitner and Nadia Heninger. Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies. In proceedings of FC 2019.

[BL22] Renas Bacho and Julian Loss. On the Adaptive Security of the Threshold BLS Signature Scheme. In proceedings of ACM CCS 2022.

[BLS01] Dan Boneh, Ben Lynn, and Hovav Shacham. Short Signatures from the Weil Pairing. In proceedings of ASIACRYPT 2001.

[BLS04] Dan Boneh, Ben Lynn, and Hovav Shacham. Short Signatures from the Weil Pairing. In Journal of Cryptology, 2004.

[BN05] Paulo S. L. M. Barreto and Michael Naehrig. Pairing-Friendly Elliptic Curves of Prime Order. In proceedings of SAC 2005.

[BN19] Eli Biham and Lior Neumann. Breaking the Bluetooth Pairing - The Fixed Coordinate Invalid Curve Attack. In proceedings of SAC 2019.

[BNN07] Mihir Bellare, Chanathip Namprempre, and Gregory Neven. Unrestricted Aggregate Signatures. In proceedings of ICALP 2007.

[BPW12] David Bernhard, Olivier Pereira, and Bogdan Warinschi. How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios. In proceedings of ASIACRYPT 2012.

[BT04] Jean-Paul Berrut and Lloyd N. Trefethen. Barycentric Lagrange Interpolation. In SIAM Review, 2004.

[CA89] David Chaum and Hans Van Antwerpen. Undeniable Signatures. In proceedings of CRYPTO 1989.

[CF13] Dario Catalano and Dario Fiore. Vector Commitments and Their Applications. In proceedings of PKC 2013.

[CGGM00] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable Zero-Knowledge. In proceedings of STOC 2000.

[Che10] Jung Hee Cheon. Discrete Logarithm Problems with Auxiliary Inputs. In Journal of Cryptology, 2010.

[CHKM10] Sanjit Chatterjee, Darrel Hankerson, Edward Knapp, and Alfred Menezes. Comparing two pairing-based aggregate signature schemes. In Designs, Codes and Cryptography, 2010.

[CJ19] Cas Cremers and Dennis Jackson. Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman. In proceedings of IEEE CSF 2019.

[CM09] Sanjit Chatterjee and Alfred Menezes. On Cryptographic Protocols Employing Asymmetric Pairings - The Role of $\Psi$ Revisited. IACR ePrint report 2009/480, 2009.

[DMWG23] Quang Dao, Jim Miller, Opal Wright, and Paul Grubbs. Weak Fiat-Shamir Attacks on Modern Proof Systems. In proceedings of IEEE SP 2023.

[FKL18] Georg Fuchsbauer, Eike Kiltz, and Julian Loss. The Algebraic Group Model and its Applications. In proceedings of CRYPTO 2018.

[GKR+21] Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, and Markus Schofnegger. Poseidon: A New Hash Function for Zero-Knowledge Proof Systems. In proceedings of USENIX Security 2021.

[GPS08] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. Pairings for cryptographers. In Discrete Applied Mathematics, 2008.

[Gro16] Jens Groth. On the Size of Pairing-Based Non-interactive Arguments. In proceedings of EUROCRYPT 2016.

[GWC19] Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. IACR ePrint report 2019/953, 2019.

[Ham15] Mike Hamburg. Decaf: Eliminating Cofactors Through Point Compression. In proceedings of CRYPTO 2015.

[HGP22] Youssef El Housni, Aurore Guillevic, and Thomas Piellard. Co-factor Clearing and Subgroup Membership Testing on Pairing-Friendly Curves. In proceedings of AFRICACRYPT 2022.

[HLPT20] Thomas Haines, and Sarah Jamie Lewis, and Olivier Pereira, and Vanessa Teague. How not to prove your election outcome. In proceedings of IEEE SP 2020.

[Jou00] Antoine Joux. A One Round Protocol for Tripartite Diffie-Hellman. In proceedings of ANTS 2000.

[JSS15] Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. Practical Invalid Curve Attacks on TLS-ECDH. In proceedings of ESORICS 2015.

[KZG10a] Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-Size Commitments to Polynomials and Their Applications. In proceedings of ASIACRYPT 2010.

[KZG10b] Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Polynomial Commitments. Full version of [KZG10a].

[Lip10] Helger Lipmaa. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. In proceedings of TCC 2012.

[LL97] Chae Hoon Lim and Pil Joong Lee. A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. In proceedings of CRYPTO 1997.

[LQ04] Benoît Libert and Jean-Jacques Quisquater. Efficient Signcryption with Key Privacy from Gap Diffie-Hellman Groups. In proceedings of PKC 2004.

[MOV91] Alfred Menezes, Tatsuaki Okamoto, and Scott A. Vanstone. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. In proceedings of STOC 1991.

[NRBB22] Valeria Nikolaenko, Sam Ragsdale, Joseph Bonneau, and Dan Boneh. Powers-of-Tau to the People: Decentralizing Setup Ceremonies. IACR ePrint report 2022/1592, 2022.

[Ped91] Torben P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In proceedings of CRYPTO 1991.

[PST13] Charalampos Papamanthou, Elaine Shi, and Roberto Tamassia. Signatures of Correct Computation. In proceedings of TCC 2013.

[Qua21] Nguyen Thoi Minh Quan. 0. IACR ePrint report 2021/323, 2021.

[Rot22] Lior Rotem . Revisiting the Uber Assumption in the Algebraic Group Model: Fine-Grained Bounds in Hidden-Order Groups and Improved Reductions in Bilinear Groups. In proceedings of ITC 2022.

[RY07] Thomas Ristenpart and Scott Yilek. The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks. In proceedings of EUROCRYPT 2007.

[SV07] Nigel P. Smart and Frederik Vercauteren. On computable isomorphisms in efficient asymmetric pairing-based systems. In Discrete Applied Mathematics, 2007.

[VAS+17] Luke Valenta, David Adrian, Antonio Sanso, Shaanan Cohney, Joshua Fried, Marcella Hastings, J. Alex Halderman, and Nadia Heninger. Measuring small subgroup attacks against Diffie-Hellman. In proceedings of NDSS 2017.

[WB19] Riad S. Wahby and Dan Boneh. Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR ePrint report 2019/403, 2019.