Bls on As it was https://galoishlee.github.io/tags/bls/ Recent content in Bls on As it was Hugo zh-CN maocred@gmail.com (Halois) maocred@gmail.com (Halois) This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Mon, 16 Mar 2026 00:00:00 +0800 Hash To Curve https://galoishlee.github.io/hash-to-curve/ Mon, 16 Mar 2026 00:00:00 +0800maocred@gmail.com (Halois) https://galoishlee.github.io/hash-to-curve/ <blockquote> <p>Reading: RFC 9380, <em>Hashing to Elliptic Curves</em>.</p> </blockquote> <p>Core problem: given an arbitrary byte string, produce a point in the correct elliptic-curve subgroup, with the distribution and side-channel properties a protocol actually needs. This is not “hash to an $x$ and try to solve for $y$”.</p> <p>The RFC answer is a pipeline, not a trick:</p> $$ \text{bytes} \rightarrow \text{field elements} \rightarrow \text{curve points} \rightarrow \text{subgroup points} $$<p>plus domain separation and constant-time constraints.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></p> <p>This note only tracks that structure: what object the RFC is defining, why <code>encode_to_curve</code> and <code>hash_to_curve</code> differ, and why suites such as secp256k1 and BLS12-381 are built the way they are.</p> Pairing-Friendly Curves 的数学结构与协议动机 https://galoishlee.github.io/pairing-friendly-curves-motivation/ Sun, 14 Dec 2025 08:00:00 +0800maocred@gmail.com (Halois) https://galoishlee.github.io/pairing-friendly-curves-motivation/ <blockquote> <p>Reading: pairing is a verifier interface, not a prestige upgrade.</p> </blockquote> <p>前 3 篇已经把 ECC 子系列的前半段压实了:Web3 为什么不会只用一条曲线,账户层为什么长期停在 secp256k1,以及 signer-side 风险如何从 ECDLP 走向 nonce leakage。到这里,新的问题自然出现:既然账户层不需要 pairing,为什么 BLS signatures、SNARK verifier 和 KZG 却总会把 pairing-friendly curves 拉进来?</p> <p>关键不在“这类曲线更先进”,而在“这类协议的 verifier 从一开始就需要另一种代数接口”。普通离散对数群擅长表达签名关系;pairing-friendly setting 则擅长把分散在多个群元素、多个约束甚至多个消息上的关系压缩成少数几个 pairing checks。也就是说,这里发生的不是曲线选型审美,而是 protocol verification compression。<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> <sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></p> <p>所以这一篇不会把 pairing 写成完整教材。更有用的顺序是:先定义最小 bilinear map properties,再给出一个 minimal pairing equation pattern,随后分别说明 BLS signatures、SNARK verifier intuition 和 KZG opening verification 为什么会消费同一类接口。最后再把这些数学对象压成工程实现对接边界。</p> <blockquote> <p>Quick Note. This article defines the minimal bilinear map properties needed for protocol use. It also explains why pairings enable aggregate signature verification and polynomial opening verification, gives the minimal pairing equation pattern, and shows the mapping from bilinearity to protocol verification compression. It deliberately avoids expanding into full Miller-loop or final-exponentiation implementation details.</p> </blockquote>