WeilMOV/ #9

utterances-bot opened this issue Nov 15, 2023 · 4 comments
@utterances-bot
Weil Pairing and the MOV attack on Elliptic Curve Cryptography – Risen Crypto – Mathematical Cryptography, zkSNARKs

https://risencrypto.github.io/WeilMOV/

skaunov commented Nov 15, 2023

"The actual construction/computation of the Weil Pairing using Rational Functions is beyond the scope of this post." =(
This might be useful to move to the beginning. X)

Could you recommend an explainer better than Moonmath manual and https://crypto.stanford.edu/pbc/notes/elliptic/weil2.html?

Owner

RisenCrypto commented Nov 17, 2023

> Could you recommend an explainer better than Moonmath manual and https://crypto.stanford.edu/pbc/notes/elliptic/weil2.html?

The mathematics is non-trivial - I spent a lot of time & then gave up. It's way too difficult for anyone except an Algebraic Geometrist. I gave up after I read Ariel Gabizon mention somewhere that the mathematics behind pairings is not relevant for a Cryptographer & is only relevant to a Mathematician. He advised that Cryptographers should regard Pairings as a blackbox.

skaunov commented Nov 17, 2023 via email

whoami730 commented Apr 21, 2025

You should pick $n$ to be the order of the point $T$ and not the order of the group. As per [1], in most cases, $S$ would itself turn out to be $O$ in many cases (in the example mentioned in [1], it seems to be almost always the case), which kind of makes the attack take too long or fail. Even in [2], $n$ as the order of the point $T$ is picked, the gcd of $n$ and $m$ is computed as $d$, and then the point $S$ is computed as $(n/d) T$.

[1] https://crypto.stackexchange.com/questions/114716/computing-random-point-in-mov-attack-example

[2] Elliptic Curves - Number Theory and Cryptography, Lawrence C. Washington
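
The effect described in the comment above can be checked exhaustively on a toy curve. This is an added example, not code from the thread or the blog post. Assumptions: the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{11^2}$ (where the group is $\mathbb{Z}_{12} \times \mathbb{Z}_{12}$), $m = 3$ taken to be the order of the point whose logarithm is sought, and all function names, which are chosen here.

```python
from math import gcd
p = 11  # constructed toy prime, p % 4 == 3, so F_{p^2} = F_p[i]/(i^2 + 1); (a, b) means a + b*i

def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):
    ninv = pow(u[0]*u[0] + u[1]*u[1], -1, p)  # invert the norm a^2 + b^2 in F_p
    return (u[0]*ninv % p, -u[1]*ninv % p)

def add(A, B):
    """Add points on y^2 = x^3 + x over F_{p^2}; None is the point at infinity O."""
    if A is None or B is None: return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if fadd(y1, y2) == (0, 0): return None  # B == -A, including 2-torsion doubling
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), (1, 0)), finv(fmul((2, 0), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def smul(k, A):
    R = None
    while k:  # double-and-add
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def order(T):
    k, R = 1, T
    while R is not None:  # smallest k with k*T == O
        k, R = k + 1, add(R, T)
    return k

def curve_points():
    F = [(a, b) for a in range(p) for b in range(p)]
    return [(x, y) for x in F for y in F if fmul(y, y) == fadd(fmul(fmul(x, x), x), x)]

def s_from_group_order(T, m, n_group):  # n = order of the whole group
    return smul(n_group // gcd(n_group, m), T)
def s_from_point_order(T, m):  # n = order of T, as the comment recommends
    n = order(T)
    return smul(n // gcd(n, m), T)

def compare(m=3):
    pts = curve_points()  # affine points only; O adds one to the group order
    n = len(pts) + 1
    return (n, sum(s_from_group_order(T, m, n) is not None for T in pts),
            sum(s_from_point_order(T, m) is not None for T in pts))
```

`compare()` returns `(144, 0, 128)`: with $n$ set to the group order, $n/d = 48$ is a multiple of the group exponent 12, so every $T$ gives $S = O$, while with $n$ set to the order of $T$, 128 of the 143 affine points give an $S$ of order 3.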
