1. Introduction
The BN family of elliptic curves $E(\mathbb{F}_p): y^2 = x^3 + b$, with $b \neq 0$, was first proposed by Paulo S. L. M. Barreto and Michael Naehrig in the 2005 paper Pairing-Friendly Elliptic Curves of Prime Order, which gives an efficient algorithm for constructing BN curves of embedding degree $k = 12$:
- Base field: the prime $p = 36x^4 + 36x^3 + 24x^2 + 6x + 1$
- Scalar field: the order $n$ (the number of points on the curve), $n = 36x^4 + 36x^3 + 18x^2 + 6x + 1$
- Trace: $t = 6x^2 + 1$ (the trace of Frobenius)
- $n = p + 1 - t$
Ethereum's alt_bn128 curve takes $x = 4965661367192848881$, which gives:
- $p = 21888242871839275222246405745257275088696311157297823662689037894645226208583$
- $n = 21888242871839275222246405745257275088548364400416034343698204186575808495617$
- $t = 147946756881789318990833708069417712967$
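As an added example (Python, not from the original post), the script below derives $p$, $n$ and $t$ from the BN parameter $x$, checks the relations stated above (including the embedding degree $k = 12$), and confirms that $n$ is the order of the G1 generator $(1, 2)$ that appears later in the post. The primality test is a fixed-base Miller-Rabin sanity check, not a proof, and the curve arithmetic is plain affine arithmetic on $y^2 = x^3 + 3$ over $\mathbb{F}_p$.

```python
# Added example (not from the original post): derive the alt_bn128 parameters
# from the BN parameter x, check the stated relations, and confirm that n is
# the order of the G1 generator (1, 2) given later in the post.

X = 4965661367192848881  # BN parameter x used by alt_bn128 (from the post)


def bn_params(x):
    """(p, n, t) of the BN family at parameter x, as in Barreto-Naehrig."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    n = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    return p, n, t


def is_probable_prime(m):
    """Miller-Rabin with fixed small bases: a sanity check, not a proof."""
    if m < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for q in bases:
        if m % q == 0:
            return m == q
    d, r = m - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        y = pow(a, d, m)
        if y in (1, m - 1):
            continue
        for _ in range(r - 1):
            y = y * y % m
            if y == m - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, n, limit=12):
    """Smallest k <= limit with n | p^k - 1, or None if there is none."""
    for k in range(1, limit + 1):
        if pow(p, k, n) == 1:
            return k
    return None


# Affine group law on y^2 = x^3 + 3 over F_p; None is the point at infinity.
def ec_add(p, A, B):
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(p, k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(p, R, A)
        A = ec_add(p, A, A)
        k >>= 1
    return R


def check_alt_bn128():
    p, n, t = bn_params(X)
    return {
        "n_equals_p_plus_1_minus_t": n == p + 1 - t,
        "p_and_n_prime": is_probable_prime(p) and is_probable_prime(n),
        "embedding_degree": embedding_degree(p, n),
        # n is prime, so n * G = O for the generator G1 = (1, 2) iff n is the group order
        "n_times_G1_is_infinity": ec_mul(p, n, (1, 2)) is None,
    }


if __name__ == "__main__":
    print(bn_params(X))
    print(check_alt_bn128())
```

Because $n$ is prime, `ec_mul(p, n, (1, 2))` returning the point at infinity is exactly the statement that the curve group over $\mathbb{F}_p$ has order $n$, which is what makes $n$ the scalar field of G1.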
According to herumi/ate-pairing, the corresponding extension fields are:
- $\mathbb{F}_{p^2} = \mathbb{F}_p[u]/(u^2 + 1)$, where $u^2 = -1$
- $\mathbb{F}_{p^6} = \mathbb{F}_{p^2}[v]/(v^3 - \xi)$, where $v^3 = \xi$, $\xi = u + 9$
- $\mathbb{F}_{p^{12}} = \mathbb{F}_{p^6}[w]/(w^2 - v)$, where $w^2 = v$
The corresponding Sage script is:
sage: p = 21888242871839275222246405745257275088696311157297823662689037894645226208583
# Polynomial ring over the prime field GF(p); x is the generator
sage: P.<x> = PolynomialRing(GF(p))
# Build Fp2 as an extension of GF(p); u is the generator
sage: F2.<u> = GF(p).extension(x^2 + 1)
# Polynomial ring P over Fp2; t is the generator
sage: P.<t> = F2[]
# Build Fp6 as an extension of Fp2; v is the generator
sage: F6.<v> = F2.extension(t^3 - u - 9)
# If supported, continue with:
# Polynomial ring P over Fp6; y is the generator
sage: P.<y> = F6[]
# Build Fp12 as an extension of Fp6; w is the generator
sage: F12.<w> = F6.extension(y^2 - v)
The paper Pairing-Friendly Elliptic Curves of Prime Order gives:
The zkSNARK-related precompiled contracts in the Ethereum Yellow Paper use the following BN128 curve pair:
- Curve C1 (over $\mathbb{F}_p$):
- Curve C2 (over $\mathbb{F}_{p^2}$):
The corresponding Sage script is:
# G1: E(Fp): y^2 = x^3 + 3 with generator (1, 2)
sage: F1 = GF(21888242871839275222246405745257275088696311157297823662689037894645226208583)
sage: G1 = EllipticCurve(F1,[0,3])
sage: P1 = G1(1,2)
# G2: the twist E'(Fp2): y^2 = x^3 + 3/(9+i), with Fp2 = Fp[i]/(i^2 + 1)
sage: F2 = GF(21888242871839275222246405745257275088696311157297823662689037894645226208583^2,"i",modulus=x^2 + 1)
sage: TwistB = 3*F2("9+i")^(-1)
sage: G2 = EllipticCurve(F2,[0,TwistB])
sage: P2x = F2("11559732032986387107991004021392285783925812861821192530917403151452391805634*i + 10857046999023057135944570762232829481370756359578518086990519993285655852781")
sage: P2y = F2("4082367875863433681332203403145435568316851327593401208105741076214120093531*i + 8495653923123431417604973247489272438418190587263600148770280649306958101930")
sage: P2 = G2(P2x,P2y)
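As an added example (Python, not from the original post or from herumi/ate-pairing), the script below serves both the extension-field tower above and this curve-pair script: it implements the first layer of the tower, $\mathbb{F}_{p^2} = \mathbb{F}_p[u]/(u^2 + 1)$, checks the residue conditions that make the tower polynomials irreducible ($-1$ a non-square in $\mathbb{F}_p$, and $\xi = 9 + u$ neither a square nor a cube in $\mathbb{F}_{p^2}$, which is what makes $\mathbb{F}_{p^2}[w]/(w^6 - \xi)$ with $v = w^2$ a field), then computes the twist coefficient $b' = 3/(9 + u)$ and verifies that the G1 and G2 generators from the script satisfy their curve equations. The class name `Fp2` and the helper names are this example's own.

```python
# Added example (not from the original post): F_{p^2} = F_p[u]/(u^2 + 1),
# the tower's residue conditions, and the G1/G2 generators on their curves.

P = 21888242871839275222246405745257275088696311157297823662689037894645226208583


class Fp2:
    """a + b*u with u^2 = -1, coefficients reduced mod P."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P

    def __eq__(self, other):
        return self.a == other.a and self.b == other.b

    def __add__(self, o):
        return Fp2(self.a + o.a, self.b + o.b)

    def __mul__(self, o):
        # (a + b u)(c + d u) = (ac - bd) + (ad + bc) u, using u^2 = -1
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)

    def inv(self):
        # 1/(a + b u) = (a - b u) / (a^2 + b^2); the norm a^2 + b^2 lies in F_p
        norm_inv = pow(self.a * self.a + self.b * self.b, -1, P)
        return Fp2(self.a * norm_inv, -self.b * norm_inv)

    def __pow__(self, e):
        result, base = Fp2(1), self
        while e:
            if e & 1:
                result = result * base
            base = base * base
            e >>= 1
        return result


XI = Fp2(9, 1)  # xi = 9 + u, the constant behind v^3 = xi


def tower_conditions():
    """u^2 + 1 is irreducible over F_p iff -1 is a non-square, i.e. p = 3 mod 4;
    w^6 - xi is irreducible over F_{p^2} iff xi is neither a square nor a cube
    there (Euler's criterion with exponent (p^2 - 1)/2 and (p^2 - 1)/3)."""
    one = Fp2(1)
    return {
        "p_mod_4_is_3": P % 4 == 3,
        "xi_not_square": XI ** ((P * P - 1) // 2) != one,
        "xi_not_cube": XI ** ((P * P - 1) // 3) != one,
    }


def twist_b():
    """b' = 3 / (9 + u): coefficient of the twist E'(F_{p^2}): y^2 = x^3 + b'."""
    return Fp2(3) * XI.inv()


def on_curve_fp(x, y, b=3):
    """Point test on E(F_p): y^2 = x^3 + b."""
    return (y * y - x**3 - b) % P == 0


def on_twist(pt):
    """Point test on E'(F_{p^2}): y^2 = x^3 + b'."""
    x, y = pt
    return y * y == x * x * x + twist_b()


# Generators taken from the Sage script above (real part first, then the i/u part)
G1 = (1, 2)
G2 = (
    Fp2(10857046999023057135944570762232829481370756359578518086990519993285655852781,
        11559732032986387107991004021392285783925812861821192530917403151452391805634),
    Fp2(8495653923123431417604973247489272438418190587263600148770280649306958101930,
        4082367875863433681332203403145435568316851327593401208105741076214120093531),
)


def check_generators():
    return {"G1_on_E": on_curve_fp(*G1), "G2_on_twist": on_twist(G2)}


if __name__ == "__main__":
    print(tower_conditions())
    print(check_generators())
```

Note the coefficient order: Sage's `F2("a*i + b")` puts the $i$ part first, while `Fp2(b, a)` here takes the $\mathbb{F}_p$ part first; swapping them puts G2 off the twist, which is a common mistake when copying these constants between libraries.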
The pairing computed over the above BN128 curve pair takes its values in $\mathbb{F}_{p^{12}}$, i.e.:
Ethereum EIP-197, Precompiled contracts for optimal ate pairing check on the elliptic curve alt_bn128: the Ethereum precompiled contract uses the above (formula 253) in place of (formula 254) to check whether the pairing results agree.
References
[1] BN128 curve
[2] Paulo S. L. M. Barreto and Michael Naehrig, Pairing-Friendly Elliptic Curves of Prime Order, 2005
[3] Ethereum Yellow Paper