How Pairings Prove Hidden Scalar Relationships
Yes. With pairings, you can prove hidden scalar relationships without revealing the scalars.
Let the pairing be:
f: G1 x G2 -> GT
The prover creates public curve points using hidden scalars. The verifier maps those public points into GT and checks equality there.
Open the interactive prover / verifier route
The route lets you provide the scalar inputs, tamper with proofs, run a simulated verifier with a lag timer, and see the visible toy GT values that stand in for real target-group outputs.
| What prover wants to prove | Prover gives | Verifier checks | What it proves |
|---|---|---|---|
| "I know secret a" | A = aP | Later challenge or signature check | Prover controls scalar behind A |
| "This signature was made by private key a" | signature = aH(m) | f(signature,Q) = f(H(m),aQ) | Signature matches public key |
| "Two public points use same secret a" | A = aP, B = aQ | f(A,Q) = f(P,B) | Same scalar a links both |
| "Two secrets multiply to ab" | A = aP, B = bQ | f(A,B) = f(P,Q)^(ab) indirectly | Pairing exposes product in GT |
| "Aggregated signature is valid" | signature = signature1 + signature2 + signature3 | Pairing equality with public keys | Many signatures combined correctly |
| "Polynomial commitment opens correctly" | commitment + proof | Pairing equation | Claimed polynomial value is correct |
| "zk-SNARK proof is valid" | proof points | Product of pairings equals target value | Hidden computation satisfied constraints |
1. Same Secret Proof
The prover has secret:
a
Publicly gives:
A = aP
B = aQ
The verifier checks:
f(A,Q) = f(P,B)
Expand both sides:
f(aP,Q) = f(P,Q)^a
f(P,aQ) = f(P,Q)^a
Same result.
So the verifier learns:
A and B are linked by the same hidden scalar a
without learning a.
2. BLS Signature Proof
Private key:
a
Public key:
PK = aQ
Message hash:
H(m)
Signature:
signature = aH(m)
Verifier checks:
f(signature,Q) = f(H(m),PK)
Expand:
f(aH(m),Q) = f(H(m),Q)^a
f(H(m),aQ) = f(H(m),Q)^a
They match.
So the verifier knows:
The signer used the private key corresponding to PK.
3. Aggregated Signatures
Three signatures over the same message:
signature1 = aH(m)
signature2 = bH(m)
signature3 = cH(m)
The aggregator adds points:
signature = signature1 + signature2 + signature3
So:
signature = (a + b + c)H(m)
The verifier checks against the combined public key:
PK = aQ + bQ + cQ
f(signature,Q) = f(H(m),PK)
This proves:
All included signers signed the same message.
4. Product and zk-SNARK-Style Checks
A verifier often checks something like:
f(A,B) = f(C,D)
or product form:
f(A,B) * f(C,D) = f(E,F)
This proves:
The hidden witness satisfies the required algebraic constraints.
For example, hidden values can satisfy:
x * y = z
without revealing x and y.
A toy pairing check can look like:
f(xP,yQ) * f(-zP,Q) = 1_GT
If the product is correct, the target-group terms cancel to the identity.
5. Polynomial Commitments
In a KZG-style opening, the prover wants to convince the verifier:
committed polynomial f evaluates to y at point z
without sending the whole polynomial.
The verifier checks a pairing equation shaped like:
f(C - yG1, G2) = f(proof, tauG2 - zG2)
This works because the proof encodes the quotient relation:
f(tau) - y = q(tau) * (tau - z)
Again, the verifier compares GT outputs instead of learning the hidden setup scalar or the full polynomial.
Mental Model
| Prover does | Verifier does |
|---|---|
| Builds curve points using hidden scalars | Applies pairing |
| Sends public points or proof points | Checks GT equality |
| Keeps secret scalars hidden | Verifies algebraic relationship |
So pairings are useful because they let the verifier check:
hidden scalar math
by comparing:
public GT outputs
That is the core idea behind BLS signatures, BLS aggregation, KZG openings, and pairing-based zk-SNARK verifiers.