Homomorphic mapping between elliptic curve point and Zq

Question

I'm trying to figure out how to do a mapping between elliptic curve points and Zq without breaking homomorphic properties.

Sorry, I'll write the problem in multiplicative notation because it's easier.

I've got $a = g^bh^r \in \mathbb{G}_1$, where $g$ is a generator of $\mathbb{G}_1$, $h = g^s$ and $r, s, b$ are some values from $Z_q$. I need to have a Pedersen commitment to $g^b$, but since $g^b\in \mathbb{G}_1$ I should map it to $Z_q$ with function $F$ first i.e. $c = G^{F(g^b)}H^R$, where $G,H \in \mathbb{G}_1$ is a commitment key and $R$ is randomly selected from $Z_q$.

The point is, I need to relate $a$ and $c$, so I need to find a mapping function F such that $G^{F(a)} = G^{F(g^b) \cdot F(h^r)}$.

Do you have any idea how to chose $F$ if $\mathbb{G}_1$ is an elliptic curve? Or if it's even possible? In the finite fields, $\bmod q$ would have worked ($q$ is prime). But with points, I'm not sure what to do. Maybe homomorphic hash functions would work, not sure.

Answer 1

I think that you can use a bilinear pairing map for the function $F$. This map is defined from $G_1 \times G_2$ to $\mu_n$. This means that $F(x)=e(x,T)$ that $T \in G_2$.

The feature of this map is as:

$e(g^a,T^b)=e(g,T)^{ab}$

$e(g^bh^r,T)=e(g^b,T).e(h^r,T)=F(g^b).F(h^r)$

The amount of $\mu_n$ is in $F_{q^k}^*$. There is a map from $F_{q^k}$ to $F_q$ that is called Trace map. You can find more information about this map at "Pairing for beginners" book or http://www.m-hikari.com/ija/ija-2011/ija-21-24-2011/yadavIJA21-24-2011.pdf