Can I convert $F_{q^{12}}$ to $F_q$?

Question

I seeing a paper about Elliptic curve based proxy re-encryption.
And I want to implement this through BLS12-381 Curve.
However, When looking at the documentation for paring or the library, the value of $F_{q^{12}}$ is output as the output of pairing.
The paper requires:

Let e : $G_1$ × $G_1$ → $G_2$ be a bilinear map, z = e($G_1$, $G_1$) ∈ $G_2$
And need to compute (zrG + Pm)

How can I multiply z in $F_{q^{12}}$ and $rG$ Point in $F_{q}$from "$z$ $rG$"?
Should I replace $F_{q^{12}}$ with $F_{q}$? If so, how?
And please let me know what to look for to get relevant knowledge.

poncho · Accepted Answer

The paper writes $z^r cdot G$; however $z^r$ is a member of the extension group $mathbb{F}_{q^{12}}$, while point multiplication is formally defined over the integers; you ask "what are we supposed to do here?"
Well, going through the paper, it appears that if we rewrite that equation to $h(z^r) cdot G$, where $h$ is a function from $mathbb{F}_{q^{12}}$ to $mathbb{F}_{q}$, that works (assuming, of course, we rewrite the decryption process similarly), so we have:
$text{Encrypt}(pk, m) = (r cdot pk, h(z^r) cdot G + Pm)$
$text{Decrypt}^1(C, sk) = B - h( e( A, sk^{-1}G )) cdot G$
$text{Decrypt}^2(C, sk) = B - h( A^{1/b} ) cdot G$
(see the paper for explanation of the various notations, and the reencrypt process doesn't change)
Any deterministic $h$ would work (in the sense that the protocol will work), as can be seen by going through encryption/reencryption/decryption steps.  My inclination would be to use a hash function.

Can I convert $F_{q^{12}}$ to $F_q$?

One Answer

Add your own answers!

Ask a Question