This document outlines a method to map a secret scalar value x
from one elliptic curve group (secp256k1) to another elliptic curve group (a pairing-friendly curve).
This method leverages a variation of the Schnorr signature scheme to prove that the same secret scalar is used in both groups without revealing the value of x
.
This approach can be useful in applications where compatibility with different cryptographic groups is required. For example, in the context of using the Lightning Network to purchase in a PTLC a key to be used with pairing-based cryptography. In general, it is interesting for Adaptor Signatures, Scriptless Scripts, and Discreet Log Contracts.
- Let
G_secp256k1
be a generator of the secp256k1 elliptic curve group andG_pairing
be a generator of a pairing-friendly elliptic curve group. - Let
x
be the secret scalar to be ported from the secp256k1 group to the pairing-friendly group. - Compute
X_secp256k1 = x * G_secp256k1
andX_pairing = x * G_pairing
.
- Choose a random nonce
r
. - Compute public nonces
R_secp256k1 = r * G_secp256k1
andR_pairing = r * G_pairing
. - Compute a challenge
c = H(R_secp256k1 | R_pairing)
. - Compute the proof of knowledge for
x
:s = r + c * x
.
Send R_secp256k1
, R_pairing
, and s
to the verifier.
- Compute the challenge
c = H(R_secp256k1 | R_pairing)
. - Verify
s * G_secp256k1 == R_secp256k1 + c * X_secp256k1
. - Verify
s * G_pairing == R_pairing + c * X_pairing
.
By using this adapted proof, the same secret scalar x
is shown to be used in both the secp256k1 group and the pairing-friendly group without revealing the value of x
. The verifier can be confident that the secret value x * G_secp256k1
is mapped to x * G_pairing
.
- Security is reduced if the scalar
x
is in the size of the smaller group secp256k1 and not in the size of the pairing-friendly group
This scheme is broken, because s
can have meaning only in relation to a particular group order. Since the group orders differ, we need more complex tools like range proofs to give s
meaning accross groups of different orders.