Re: What's the code for doing the reverse of this code over the altbn128 curve

[Laël Cellier <lael.cellier@gmail.com>]

Hi, sorry yes : I initially wanted to have pairings happenning on the same finite field used by the cryptosystems using the altbn254.
But since my aim is diffie Hellman like, I thought after writing the message that I can perform the pairing on the code you wrote. This is in a similar way I intend to use the Weil pairing instead of the optimal ate pairing.

I’ve 4 distinct points creating finite field A and B. My aim is to compute a pair of point for finite field C such as A×B×C=(identity element) with a way to do it being C=(A×B)order−1

The next problem is the current one of this question with https://pari.math.u-bordeaux.fr/archives/pari-users-2507/msg00068.html

Algorithm 4.1.
Input:

• d∈N$d\in \mathbb{N}$ satisfying l∣d$l\mid d$ and d∣(s+1)$d\mid (s+1)$ ,
• v∈Fr$v\in {\mathbb{F}}_r$ ,
• point A∈G0−{O}$A\in G_0-\{\mathcal{O}\}$ . // Note that A$A$ may not be a generator (if l$l$ is composite).

Output:

• Q∈G1−{O}$Q\in G_1-\{\mathcal{O}\}$ satisfying hd,A(Q)=v$h_{d,A}(Q)=v$ if such Q$Q$ exists. Otherwise, nil.

Procedure:

1. u:=(v(s+1)/d)(s+1)/2$u:=(v^{(s+1)/d}{)}^{(s+1)/2}$ ;
2. if u∉Fs$u\notin {\mathbb{F}}_s$ then return nil ;
3. x1:=ξ(A)+u$x_1:=\xi (A)+u$ ; x2:=ξ(A)−u$x_2:=\xi (A)-u$ ;
4. Build a set Li:={Q∈E(Fq):ξ(Q)=xi}$L_i:=\{Q\in E({\mathbb{F}}_q):\xi (Q)=x_i\}$ for i=1,2$i=1,2$ . // Note 0≤#Li≤2$0\le \mathrm{\#}{L}_i\le 2$ .
5. for each Q∈L1∪L2$Q\in L_1\cup L_2$
6.   if lQ=O$lQ=\mathcal{O}$ and hd,A(Q)=v$h_{d,A}(Q)=v$ then return Q$Q$ ;
7. return nil ;

Theorem 4.2. Algorithm 4.1 returns a correct result with O((klogq)3)$O((k\log q{)}^3)$ bit operations.

On Fri, Jul 18, 2025 at 02:12:22PM +0200, Laël Cellier wrote:
> The altbn254 curve is defined here : https://github.com/ethereum/EIPs/blob/master/EIPS/eip-197.md#definition-of-the-groups
> 
> This is the code responsible for mapping points from F_p² to F_p¹² :
> 
>  p=21888242871839275222246405745257275088696311157297823662689037894645226208583;
>  i=ffgen((i^2+1)*Mod(1,p));
>  X=11559732032986387107991004021392285783925812861821192530917403151452391805634*i+10857046999023057135944570762232829481370756359578518086990519993285655852781;
>  Y=4082367875863433681332203403145435568316851327593401208105741076214120093531*i+8495653923123431417604973247489272438418190587263600148770280649306958101930;
>  pt = [X,Y];
>  \\ then define the target field, the target curve and the map from Fp[i] to Fp[w]:
>  w=ffgen((w^12 - 18 * w^6 + 82)*Mod(1,p));
>  E2 = ellinit([0,3],w);
>  map = ffembed(i,w);
>  \\ define the isomorphism:
>  twist(pt)= [ffmap(map,pt[1])*w^2, ffmap(map,pt[2])*w^3];
>  \\ apply to pt
>  pt2=twist(pt);
>  \\ check
>  ellisoncurve(E2,pt2)
>  %11 = 1
>  \\ success!

This code is identical to code I sent to this list and that you rejected.
Puzzled,
Bill.