# Can I convert $F_{q^{12}}$ to $F_q$?

Cryptography Asked by user212942 on September 11, 2020

And I want to implement this through BLS12-381 Curve.
However, When looking at the documentation for paring or the library, the value of $$F_{q^{12}}$$ is output as the output of pairing.

The paper requires:

Let e : $$G_1$$ × $$G_1$$$$G_2$$ be a bilinear map, z = e($$G_1$$, $$G_1$$) ∈ $$G_2$$

And need to compute (zrG + Pm)

How can I multiply z in $$F_{q^{12}}$$ and $$rG$$ Point in $$F_{q}$$from "$$z$$ $$rG$$"?

Should I replace $$F_{q^{12}}$$ with $$F_{q}$$? If so, how?

And please let me know what to look for to get relevant knowledge.

The paper writes $$z^r cdot G$$; however $$z^r$$ is a member of the extension group $$mathbb{F}_{q^{12}}$$, while point multiplication is formally defined over the integers; you ask "what are we supposed to do here?"

Well, going through the paper, it appears that if we rewrite that equation to $$h(z^r) cdot G$$, where $$h$$ is a function from $$mathbb{F}_{q^{12}}$$ to $$mathbb{F}_{q}$$, that works (assuming, of course, we rewrite the decryption process similarly), so we have:

$$text{Encrypt}(pk, m) = (r cdot pk, h(z^r) cdot G + Pm)$$

$$text{Decrypt}^1(C, sk) = B - h( e( A, sk^{-1}G )) cdot G$$

$$text{Decrypt}^2(C, sk) = B - h( A^{1/b} ) cdot G$$

(see the paper for explanation of the various notations, and the reencrypt process doesn't change)

Any deterministic $$h$$ would work (in the sense that the protocol will work), as can be seen by going through encryption/reencryption/decryption steps. My inclination would be to use a hash function.

Correct answer by poncho on September 11, 2020