(3)Pairing Functions & Element Functions

以下内容源自PBC Library 的 英文manual(Chapter 3/4)。


一,Pairing functions

  • 1.1 Initializing pairings
  • 1.2 Applying pairings
  • 1.3 Other pairing functions

二,Element functions

  • 2.1 Initializing elements
  • 2.2 Assigning elements
  • 2.3 Converting elements
  • 2.4 Element arithmetic
  • 2.5 Exponentiating elements
  • 2.6 Comparing elements
  • 2.7 Element I/O
  • 2.8 Random elements
  • 2.9 Element import/export

一.Pairing functions

An application should first initialize a pairing object. This causes PBC to setup curves, groups and other mathematical miscellany. After that, elements can be initialized and manipulated for cryptographic operations.

Parameters for various pairings are included with the PBC library distribution in the param subdirectory, and some are suitable for cryptographic use. Some programs in the gen subdirectory may be used to generate parameters (see Chapter 7). Also, see the PBC website for many more pairing parameters.

Pairings involve three groups of prime order. The PBC library calls them G1, G2, and GT, and calls the order r. The pairing is a bilinear map that takes two elements as input, one from G1 and one from G2, and outputs an element of GT.

The elements of G2 are at least as long as G1; G1 is guaranteed to be the shorter of the two. Sometimes G1 and G2 are the same group (i.e. the pairing is symmetric) so their elements can be mixed freely. In this case the pairing_is_symmetric function returns 1.

Bilinear pairings are stored in the data type pairing_t. Functions that operate on them start with pairing_.



param子目录中的PBC库分布中包含用于各种配对的参数,其中一些参数适合加密使用。== gen子目录中的某些程序可用于生成参数(请参见第7章)。另外,请参阅PBC网站以获取更多配对参数。==

配对涉及三个主要素数阶的群。 PBC库将它们称为G1,G2和GT,并称阶为r 。配对是一个双线性映射,它以两个元素作为输入,一个来自G1,一个来自G2,并输出GT元素。

G2的元素至少与G1一样长; G1保证是两者中较短的一个。有时G1和G2是同一组(即配对是对称的),因此它们的元素可以自由组合。在这种情况下,pairing_is_symmetric函数返回1。


1.1. Initializing pairings

To initialize a pairing from an ASCIIZ string:

pairing_t pairing; 
pairing_init_set_str(pairing, s); // Where s is a char *.

The string s holds pairing parameters in a text format. The param subdirectory contains several examples.

Alternatively, call:

pairing_t pairing;
pairing_init_pbc_param(pairing, param);

where param is an initialized pbc_param_t (see Chapter 5).

int pairing_init_set_str(pairing_t pairing, const char *s)

Initialize pairing from parameters in a ASCIIZ string str Returns 0 on success, 1 on failure.


int pairing_init_set_buf(pairing_t pairing, const char *s, size_t len)

Same, but read at most len bytes. If len is 0, it behaves as the previous function. Returns 0 on success, 1 on failure.


void pairing_init_pbc_param(struct pairing_s *pairing, pbc_param_t p)

Initialize a pairing with pairing parameters p.


void pairing_clear(pairing_t pairing)

Free the space occupied by pairing. Call whenever a pairing_t variable is no longer needed. Only call this after all elements associated with pairing have been cleared, as they need information stored in the pairing structure.


1.2. Applying pairings

The function pairing_apply can be called to apply a bilinear map. The order of the inputs is important. The first, which holds the output, must be from the group GT. The second must be from G1, the third from G2, and the fourth must be the pairing_t variable that relates them.

In some applications, the programmer may know that many pairings with the same G1 input will be computed. If so, preprocessing should be used to avoid repeating many calculations saving time in the long run. A variable of type pairing_pp_t should be declared, initialized with the fixed G1 element, and then used to compute pairings:

可以调用pairing_apply函数来应用双线性映射。 输入的顺序很重要。 保存输出的第一个必须来自组GT。 第二个必须来自G1,第三个必须来自G2,第四个必须是与它们相关的pairing_t变量。

在某些应用中,程序员可能知道会计算出具有相同G1输入的许多配对。 如果是这样,从长远来看,应该使用预处理以避免重复许多计算,从而节省了时间。 应该声明类型为pairing_pp_t的变量,并使用固定的G1元素进行初始化,然后将其用于计算配对:

pairing_pp_t pp; 
pairing_pp_init(pp, x, pairing); // x is some element of G1 
pairing_pp_apply(r1, y1, pp); // r1 = e(x, y1) 
pairing_pp_apply(r2, y2, pp); // r2 = e(x, y2) 
pairing_pp_clear(pp); // don’t need pp anymore

Never mix and match G1, G2, and GT groups from different pairings.


void pairing_pp_init(pairing_pp_t p, element_t in1, pairing_t pairing)

Get ready to perform a pairing whose first input is in1,and store the results of time-saving precomputation in p.


void pairing_pp_clear(pairing_pp_t p)

Clear p. This should be called after p is no longer needed.


void pairing_pp_apply(element_t out, element_t in2, pairing_pp_t p)

Compute a pairing using in2 and the preprocessed information stored in p and store the output in out. The inputs to the pairing are the element previously used to initialize p and the element in2.


void element_pairing(element_t out, element_t in1, element_t in2)

Computes a pairing: out = e(in1, in2), where in1, in2, out must be in the groups G1, G2, GT.


void element_prod_pairing(element_t out, element_t in1[], element_t in2[], int n)

Computes the product of pairings, that is out = e(in1[0], in2[0]) … e(in1[n-1], in2[n-1]). The arrays in1, in2 must have at least n elements belonging to the groups G1, G2 respectively, and out must belong to the group GT.

计算配对的乘积,即out = e(in1 [0],in2 [0])…e(in1 [n-1],in2 [n-1])。 数组in1,in2必须至少具有分别属于组G1,G2的n个元素,而数组out必须属于组GT。

1.3. Other pairing functions

int pairing_is_symmetric(pairing_t pairing)

Returns true if G1 and G2 are the same group.


int pairing_length_in_bytes_G1(pairing_t pairing)

Returns the length in bytes needed to represent an element of G1.


int pairing_length_in_bytes_x_only_G1(pairing_t pairing)

Returns the length in bytes needed to represent the x-coordinate of an element of G1.


int pairing_length_in_bytes_compressed_G1(pairing_t pairing)

Returns the length in bytes needed to represent a compressed form of an element of G1. There is some overhead in decompressing.

返回G1元素压缩格式所需的字节长度 ,解压缩会有一些开销。

int pairing_length_in_bytes_G2(pairing_t pairing)

Returns the length in bytes needed to represent an element of G2.


int pairing_length_in_bytes_compressed_G2(pairing_t pairing)

Returns the length in bytes needed to represent a compressed form of an element of G2. There is some overhead in decompressing.

返回G2元素压缩格式所需的字节长度 ,解压缩会有一些开销。

int pairing_length_in_bytes_x_only_G2(pairing_t pairing)

Returns the length in bytes needed to represent the x-coordinate of an element of G2.


int pairing_length_in_bytes_GT(pairing_t pairing)

Returns the length in bytes needed to represent an element of GT.


int pairing_length_in_bytes_Zr(pairing_t pairing)

Returns the length in bytes needed to represent an element of Zr.


二.Element functions

Elements of groups, rings and fields are stored in the element_t data type. Variables of this type must be initialized before use, and should be cleared after they are no longer needed.

The element_ functions must be used with caution. Just as division by zero does not make sense for integers, some operations may not make sense for particular elements. For example, in a ring, one cannot in general invert elements.

Another caveat is that many of these functions assume their arguments come from the same ring, group or field. No implicit type casting is performed.

For debug builds, turn on run-time checks by defining PBC_DEBUG before including pbc.h:

#define PBC_DEBUG 

Also, when PBC_DEBUG is defined, the following macros are active. Normally they are replaced with empty statements.


Macro: if expr evaluates to 0, print msg and exit.


Macro: if elements a and b are from different fields then exit.


Macro: if elements a, b and c are from different fields then exit.





#define PBC_DEBUG 








2.1. Initializing elements

When an element is initialized it is associated with an algebraic structure, such as a particular finite field or elliptic curve group.

We use G1 and G2 to denote the input groups to the pairing, and GT for the output group. All have order r, and Zr means the ring of integers modulo r. G1 is the smaller group (the group of points over the base field). With symmetric pairings, G1 = G2.


我们使用G1和G2表示配对的输入组,并使用GT表示输出组。都具有r阶,Zr表示以r为模的整数环。 G1是较小的组(基域上的点组)。对于对称配对,G1 = G2。

void element_init_G1(element_t e, pairing_t pairing)


void element_init_G2(element_t e, pairing_t pairing)


void element_init_GT(element_t e, pairing_t pairing)

Initialize e to be an element of the group G1, G2 or GT of pairing.


void element_init_Zr(element_t e, pairing_t pairing)

Initialize e to be an element of the ring Z_r of pairing. r is the order of the groups G1, G2 and GT that are involved in the pairing.


void element_init_same_as(element_t e, element_t e2)

Initialize e to be an element of the algebraic structure that e2 lies in.


void element_clear(element_t e)

Free the space occupied by e. Call this when the variable e is no longer needed.


2.2. Assigning elements

These functions assign values to elements. When integers are assigned, they are mapped to algebraic structures canonically if it makes sense (e.g. rings and fields).

void element_set0(element_t e)

Set e to zero.


void element_set1(element_t e)

Set e to one.


void element_set_si(element_t e, signed long int i)

Set e to i.


void element_set_mpz(element_t e, mpz_t z)

Set e to z.


void element_set(element_t e, element_t a)

Set e to a.


2.3. Converting elements

void element_to_mpz(mpz_t z, element_t e)

Converts e to a GMP integer z if such an operation makes sense.


void element_from_hash(element_t e, void *data, int len)

Generate an element e deterministically from the len bytes stored in the buffer data.


2.4. Element arithmetic

Unless otherwise stated, all element_t arguments to these functions must have been initialized to be from the same algebraic structure. When one of these functions expects its arguments to be from particular algebraic structures, this is reflected in the name of the function.

The addition and multiplication functions perform addition and multiplication operations in rings and fields. For groups of points on an ellitpic curve, such as the G1 and G2 groups associated with pairings, both addition and multiplication represent the group operation (and similarly both 0 and 1 represent the identity element). It is recommended that programs choose and one convention and stick with it to avoid confusion.

In contrast, the GT group is currently implemented as a subgroup of a finite field, so only multiplicative operations should be used for GT.


除非另有说明,否则这些函数的所有element_t参数都必须已初始化为来自相同的代数结构。 当某个函数的参数是特定的代数结构时,将以函数的名称反映出来。

加法和乘法功能在环和域中执行加法和乘法运算。 对于椭圆曲线上的点组,例如与配对关联的群G1和G2,加法和乘法均表示群操作(类似地,0和1均表示标识元素)。 建议程序选择一个约定,并遵守约定以避免混淆。


void element_add(element_t n, element_t a, element_t b)

Set n to a + b.

void element_sub(element_t n, element_t a, element_t b)

Set n to a - b.

void element_mul(element_t n, element_t a, element_t b)

Set n = a*b.

void element_mul_mpz(element_t n, element_t a, mpz_t z)
void element_mul_si(element_t n, element_t a, signed long int z)

Set n = a z, that is a + a + … + a where there are z a’s.

设置n = a*z,即a + a + … + a,其中有z 个a。

void element_mul_zn(element_t c, element_t a, element_t z)

z must be an element of a integer mod ring (i.e.Zn for some n). Set c = a*z, that is a + a + … + a where there are z a’s.

z必须是一个整数模环的元素(即对于某个n的环Zn)。设置 c = a*z,即a + a + … + a,z个a相加。

void element_div(element_t n, element_t a, element_t b)

Set n = a / b.

void element_double(element_t n, element_t a)

Set n = a + a.

void element_halve(element_t n, element_t a)

Set n = a/2.

void element_square(element_t n, element_t a)

Set n = a2.


void element_neg(element_t n, element_t a)

Set n = -a.

void element_invert(element_t n, element_t a)

Set n to the inverse of a.


2.5. Exponentiating elements(求幂元素)

Exponentiation and multiexponentiation functions. If it is known in advance that a particular element will be exponentiated several times in the future, time can be saved in the long run by first calling the preprocessing function:

求幂和乘幂函数。 如果事先知道某个特定元素将来会被取幂,那么从长远来看,可以通过首先调用预处理函数来节省时间:

element_pp_t g_pp; 
element_pp_init(g_pp, g); 
element_pp_pow(h, pow1, g_pp); // h = g^pow1 
element_pp_pow(h, pow2, g_pp); // h = g^pow2 
element_pp_pow(h, pow3, g_pp); // h = g^pow3 
void element_pow_mpz(element_t x, element_t a, mpz_t n)

Set x = an, that is a times a times … times a where there are n a’s.

设置x = an

void element_pow_zn(element_t x, element_t a, element_t n)

Set x=an,where n is an element of a ring ZN for some N (typically the order of the algebraic structure x lies in).


void element_pow2_mpz(element_t x, element_t a1, mpz_t n1, element_t a2, mpz_t n2)

Sets x = a1n1 a2 n2, and is generally faster than performing two separate exponentiations.

令x=a1n1 a2n2,通常比分别执行求幂运算要快。

void element_pow2_zn(element_t x, element_t a1, element_t n1, element_t a2, element_t n2)

Also sets x = a1n1 a2n2, but n1, n2 must be elements of a ring Zn for some integer n.


void element_pow3_mpz(element_t x, element_t a1, mpz_t n1, element_t a2, mpz_t n2, element_t a3, mpz_t n3)

Sets x = a1n1 a2n2 a3n3, generally faster than performing three separate exponentiations.

x = a1n1 a2n2 a3n3,通常比执行三个单独的求幂运算要快;

void element_pow3_zn(element_t x, element_t a1, element_t n1, element_t a2, element_t n2, element_t a3, element_t n3)

Also sets x = a1n1 a2n2 a3n3, but n1, n2, n3 must be elements of a ring Zn for some integer n.

x = a1n1 a2n2 a3n3,但是,n1,n2,n3必须是对于某个整数n上的环Zn的元素;

void element_pp_init(element_pp_t p, element_t in)

Prepare to exponentiate an element in, and store preprocessing information in p.


void element_pp_clear(element_pp_t p)

Clear p. Should be called after p is no longer needed.


void element_pp_pow(element_t out, mpz_t power, element_pp_t p)

Raise in to power and store the result in out, where in is a previously
preprocessed element, that is, the second argument passed to a previouselement_pp_initcall.


void element_pp_pow_zn(element_t out, element_t power, element_pp_t p)

Same except power is an element ofZn for some integer n.


void element_dlog_brute_force(element_t x, element_t g, element_t h)

Computes x such that gx= h by brute force, where x lies in a field where element_set_mpz() makes sense.


void element_dlog_pollard_rho(element_t x, element_t g, element_t h)

Computes x such that gx = h using Pollard rho method, where x lies in a field where element_set_mpz() makes sense.

使用Pollard rho方法计算x,使得gx=h,其中x位于使得element_set_mpz()有意义的域中;

2.6. Comparing elements

These functions compare elements from the same algebraic structure.

int element_is1(element_t n)

Returns true if n is 1.

int element_is0(element_t n)

Returns true if n is 0.

int element_cmp(element_t a, element_t b)

Returns 0 if a and b are the same, nonzero otherwise.


int element_is_sqr(element_t a)

Returns nonzero if a is a perfect square (quadratic residue), zero otherwise.


int element_sgn(element_t a)
int element_sign(element_t a)

If a is zero, returns 0. For nozero a the behaviour depends on the algebraic structure, but has the property that element_sgn(a) = -element_sgn(-a) and element_sgn(a) = 0 implies a = 0 with overwhelming probability.

如果a为零,则返回0。对于非零a,其行为取决于代数结构,但具有element_sgn(a)= -element_sgn(-a)和element_sgn(a)= 0的性质表示a = 0的可能性很大。

2.7. Element I/O

Functions for producing human-readable outputs for elements. Converting elements to and from bytes are discussed later.


size_telement_out_str(FILE * stream, int base, element_t e)

Output e on stream in base base. The base must be between 2 and 36.


int element_printf(const char *format, …)
int element_fprintf(FILE * stream, const char *format, …)
int element_snprintf(char *buf, size_t size, const char *fmt, …)
int element_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)

Same as printf family except also has the B conversion specifier for types ofelement_t, and Y, Z conversion specifiers for mpz_t.

For example if e is of type element_t then
element_printf("%B\n", e); will print the value of e in a human-readable form on standard output.



int element_snprint(char *s, size_t n, element_t e)

Convert an element to a human-friendly string. Behaves as snprintfbut only on one element at a time.


int element_set_str(element_t e, const char *s, int base)

Set the element e from s, a null-terminated C string in base base. Whitespace is ignored. Points have the form “[x,y]” or “O”, while polynomials have the form “[a0,…,an]”. Returns number of characters read (unlike GMP’s mpz_set_str). A return code of zero means PBC could not find a well-formed string describing an element.

从s设置元素e,s是基数为null终止的C字符串。空格被忽略。点的形式为“ [x,y]”或“ O”,而多项式的形式为“ [a0,…,an]”。返回读取的字符数(与GMP的mpz_set_str不同)。返回码为零表示PBC无法找到描述元素的格式正确的字符串。

2.8. Random elements

Only works for finite algebraic structures. Effect on polynomial rings, fields of characteristic zero, etc. undefined.

See Section 6.1 for how PBC gets random bits.

仅适用于有限的代数结构。 未定义对多项式环,特征零域等的影响。


void element_random(element_t e)

If the e lies in a finite algebraic structure, assigns a uniformly random element to e.


2.9. Element import/export

Functions for serializing and deserializing elements.


int element_length_in_bytes(element_t e)

Returns the length in bytes the element e will take to represent


int element_to_bytes(unsigned char *data, element_t e)

Converts e to byte, writing the result in the buffer data. The number of bytes it will write can be determined from callingelement_length_in_bytes(). Returns number of bytes written.


int element_from_bytes(element_t e, unsigned char *data)

Reads e from the buffer data, and returns the number of bytes read.


int element_to_bytes_x_only(unsigned char *data, element_t e)

Assumes e is a point on an elliptic curve. Writes the x-coordinate of e to the buffer data


int element_from_bytes_x_only(element_t e, unsigned char *data)

Assumes e is a point on an elliptic curve. Sets e to a point with x-coordinate represented by the buffer data. This is not unique.For each x-coordinate, there exist two different points,at least for the elliptic curves in PBC. (They are inverses of each other.)


int element_length_in_bytes_x_only(element_t e)

Assumes e is a point on an elliptic curve. Returns the length in bytes needed to hold the x-coordinate of e.


int element_to_bytes_compressed(unsigned char *data, element_t e)

If possible, outputs a compressed form of the element e to the buffer of bytes data.Currently only implemented for points on an elliptic curve.


int element_from_bytes_compressed(element_t e, unsigned char *data)

Sets element e to the element in compressed form in the buffer of bytes data. Currently only implemented for points on an elliptic curve.


int element_length_in_bytes_compressed(element_t e)

Returns the number of bytes needed to hold e in compressed form. Currently only implemented for points on an elliptic curve.


int element_item_count(element_t e)

For points, returns the number of coordinates. For polynomials, returns the number of coefficients. Otherwise returns zero.


element_telement_item(element_t e, int i)

For points, returns nth coordinate. For polynomials, returns coefficient of xn. Otherwise returns NULL. The element the return value points to may be modified.


element_telement_x(element_t a)

Equivalent to element_item(a, 0).


element_telement_y(element_t a)

Equivalent to element_item(a, 1).

等价于element_telement_y(element_t a)
