Jun 17, 2026

How Pairings Prove Hidden Scalar Relationships

Yes. With pairings, you can prove hidden scalar relationships without revealing the scalars.

Let the pairing be:

f: G1 x G2 -> GT

The prover creates public curve points using hidden scalars. The verifier maps those public points into GT and checks equality there.

Open the interactive prover / verifier route

The route lets you provide the scalar inputs, tamper with proofs, run a simulated verifier with a lag timer, and see the visible toy GT values that stand in for real target-group outputs.

What prover wants to proveProver givesVerifier checksWhat it proves
"I know secret a"A = aPLater challenge or signature checkProver controls scalar behind A
"This signature was made by private key a"signature = aH(m)f(signature,Q) = f(H(m),aQ)Signature matches public key
"Two public points use same secret a"A = aP, B = aQf(A,Q) = f(P,B)Same scalar a links both
"Two secrets multiply to ab"A = aP, B = bQf(A,B) = f(P,Q)^(ab) indirectlyPairing exposes product in GT
"Aggregated signature is valid"signature = signature1 + signature2 + signature3Pairing equality with public keysMany signatures combined correctly
"Polynomial commitment opens correctly"commitment + proofPairing equationClaimed polynomial value is correct
"zk-SNARK proof is valid"proof pointsProduct of pairings equals target valueHidden computation satisfied constraints

1. Same Secret Proof

The prover has secret:

a

Publicly gives:

A = aP
B = aQ

The verifier checks:

f(A,Q) = f(P,B)

Expand both sides:

f(aP,Q) = f(P,Q)^a
f(P,aQ) = f(P,Q)^a

Same result.

So the verifier learns:

A and B are linked by the same hidden scalar a

without learning a.

2. BLS Signature Proof

Private key:

a

Public key:

PK = aQ

Message hash:

H(m)

Signature:

signature = aH(m)

Verifier checks:

f(signature,Q) = f(H(m),PK)

Expand:

f(aH(m),Q) = f(H(m),Q)^a
f(H(m),aQ) = f(H(m),Q)^a

They match.

So the verifier knows:

The signer used the private key corresponding to PK.

3. Aggregated Signatures

Three signatures over the same message:

signature1 = aH(m)
signature2 = bH(m)
signature3 = cH(m)

The aggregator adds points:

signature = signature1 + signature2 + signature3

So:

signature = (a + b + c)H(m)

The verifier checks against the combined public key:

PK = aQ + bQ + cQ
f(signature,Q) = f(H(m),PK)

This proves:

All included signers signed the same message.

4. Product and zk-SNARK-Style Checks

A verifier often checks something like:

f(A,B) = f(C,D)

or product form:

f(A,B) * f(C,D) = f(E,F)

This proves:

The hidden witness satisfies the required algebraic constraints.

For example, hidden values can satisfy:

x * y = z

without revealing x and y.

A toy pairing check can look like:

f(xP,yQ) * f(-zP,Q) = 1_GT

If the product is correct, the target-group terms cancel to the identity.

5. Polynomial Commitments

In a KZG-style opening, the prover wants to convince the verifier:

committed polynomial f evaluates to y at point z

without sending the whole polynomial.

The verifier checks a pairing equation shaped like:

f(C - yG1, G2) = f(proof, tauG2 - zG2)

This works because the proof encodes the quotient relation:

f(tau) - y = q(tau) * (tau - z)

Again, the verifier compares GT outputs instead of learning the hidden setup scalar or the full polynomial.

Mental Model

Prover doesVerifier does
Builds curve points using hidden scalarsApplies pairing
Sends public points or proof pointsChecks GT equality
Keeps secret scalars hiddenVerifies algebraic relationship

So pairings are useful because they let the verifier check:

hidden scalar math

by comparing:

public GT outputs

That is the core idea behind BLS signatures, BLS aggregation, KZG openings, and pairing-based zk-SNARK verifiers.


Thanks for reading! If you want to see future content, you can follow me on Twitter or get connected over at LinkedIn.


Support My Content

If you find my content helpful, consider supporting a humanitarian cause (building homes for elderly people in rural Terai region of Nepal) that I am planning with your donation:

Ethereum (ETH)

0xB62409A5B227D2aE7D8C66fdaA5EEf4eB4E37959

Thank you for your support!