# Can I convert $F_{q^{12}}$ to $F_q$?

Cryptography Asked by user212942 on September 11, 2020

And I want to implement this through BLS12-381 Curve.
However, When looking at the documentation for paring or the library, the value of $$F_{q^{12}}$$ is output as the output of pairing.

The paper requires:

Let e : $$G_1$$ × $$G_1$$$$G_2$$ be a bilinear map, z = e($$G_1$$, $$G_1$$) ∈ $$G_2$$

And need to compute (zrG + Pm)

How can I multiply z in $$F_{q^{12}}$$ and $$rG$$ Point in $$F_{q}$$from "$$z$$ $$rG$$"?

Should I replace $$F_{q^{12}}$$ with $$F_{q}$$? If so, how?

And please let me know what to look for to get relevant knowledge.

The paper writes $$z^r cdot G$$; however $$z^r$$ is a member of the extension group $$mathbb{F}_{q^{12}}$$, while point multiplication is formally defined over the integers; you ask "what are we supposed to do here?"

Well, going through the paper, it appears that if we rewrite that equation to $$h(z^r) cdot G$$, where $$h$$ is a function from $$mathbb{F}_{q^{12}}$$ to $$mathbb{F}_{q}$$, that works (assuming, of course, we rewrite the decryption process similarly), so we have:

$$text{Encrypt}(pk, m) = (r cdot pk, h(z^r) cdot G + Pm)$$

$$text{Decrypt}^1(C, sk) = B - h( e( A, sk^{-1}G )) cdot G$$

$$text{Decrypt}^2(C, sk) = B - h( A^{1/b} ) cdot G$$

(see the paper for explanation of the various notations, and the reencrypt process doesn't change)

Any deterministic $$h$$ would work (in the sense that the protocol will work), as can be seen by going through encryption/reencryption/decryption steps. My inclination would be to use a hash function.

Correct answer by poncho on September 11, 2020

## Related Questions

### Low weight linear $varepsilon$-universal hash function

0  Asked on December 2, 2021 by jaytuma

### Diffie-Hellman: difficulty of computing $g^{x^2}$ given $g^x$?

1  Asked on December 2, 2021

### In RSA, given public key $(n,e)$ and $d^ebmod n$, can we factor $n$?

1  Asked on November 30, 2021

### What is this problem called and is it hard? given $g^x$ output ($g^y, xy$)

1  Asked on November 28, 2021

### With RSA or ECC, if I encrypt my private key with my public key, is there a way to recover my private key?

2  Asked on November 28, 2021

### What will be appropriate AES padding characters?

2  Asked on November 23, 2021 by user3769778

### Why does verifiable secret sharing with an honest majority require a broadcast channel?

1  Asked on November 23, 2021

### How does RSA signature verification work?

3  Asked on November 19, 2021

### Is it possible to compute the y-coordinate of a point on SECP256K1, given only the x-coordinate

1  Asked on November 17, 2021

### Generate AES key from weak string

1  Asked on November 13, 2021 by user81531

### Are the Serpent Test Vectors incorrect?

1  Asked on November 11, 2021

### What is the best deterministic authenticated encryption algorithm to date?

0  Asked on November 8, 2021 by gtramontina

### Simple explanation of sliding-window and wNAF methods of elliptic curve point multiplication

1  Asked on November 8, 2021 by simbro

### Can repeatedly encrypting a message with a secure cipher ever produce the original input like what happens in ROT13?

1  Asked on November 8, 2021 by cm9

### Definition of $x^u bmod k$

2  Asked on October 24, 2021

### How to recover RSA messages if they are padded with spaces?

1  Asked on October 24, 2021 by aviral-gupta

### How to compute $m$ value from RSA if $phi(n)$ is not relative prime with the $e$?

1  Asked on October 24, 2021 by user81147

### Code used for McEliece cryptosystem

1  Asked on October 24, 2021

### Chaining one-time signatures

1  Asked on October 24, 2021 by uk-ny