Pairing-based cryptography

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems.

Definition[edit]

The following definition is commonly used in most academic papers.[1]

Let G_1, G_T be two cyclic groups of prime order q. A pairing is a map:  e: G_1 \times G_1 \rightarrow G_T , which satisfies the following properties:

  1. Bilinearity:  \forall a,b \in F_q^*,\ \forall P,Q \in G_1:\ e\left(P^a, Q^b\right) = e\left(P, Q\right)^{ab}
  2. Non-degeneracy: e\left(P, Q\right) \neq 1
  3. Computability: there exist an efficient algorithm to compute e.

Classification[edit]

If the same group is used for the first two groups (i.e.  G_1 = G_2), the pairing is called symmetric and is a mapping from two elements of one group to an element from a second group.

Some researchers classify pairing instantiations into three (or more) basic types:

  • Type 1:  G_1 = G_2;
  • Type 2:  G_1 \ne G_2 but there is an efficiently computable homomorphism \phi : G_2 \to G_1;
  • Type 3:  G_1 \ne G_2 and there are no efficiently computable homomorphisms between G_1 and G_2.[2]

Usage in cryptography[edit]

If symmetric, pairings can be used to reduce a hard problem in one group to a different, usually easier problem in another group.

For example, in groups equipped with a bilinear mapping such as the Weil pairing or Tate pairing, generalizations of the computational Diffie–Hellman problem are believed to be infeasible while the simpler decisional Diffie–Hellman problem can be easily solved using the pairing function. The first group is sometimes referred to as a Gap Group because of the assumed difference in difficulty between these two problems in the group.

While first used for cryptanalysis,[3] pairings have since been used to construct many cryptographic systems for which no other efficient implementation is known, such as identity based encryption or attribute based encryption.

A contemporary example of using bilinear pairings is exemplified in the Boneh-Lynn-Shacham signature scheme.

Cryptanalysis[edit]

In June 2012 the National Institute of Information and Communications Technology (NICT), Kyushu University, and Fujitsu Laboratories Limited improved the previous bound for successfully computing a discrete logarithm on a supersingular elliptic curve from 676 bits to 923 bits.[4]

References[edit]

  1. ^ Koblitz, Neal; Menezes, Alfred (2005). "Pairing-Based cryptography at high security levels". LNCS 3796. 
  2. ^ Galbraith, Steven; Paterson, Kenneth; Smart, Nigel (2008). "Pairings for Cryptographers". Discrete Applied Mathematics 156 (16): 3113–3121. 
  3. ^ Menezes, Alfred J. Menezes; Okamato, Tatsuaki; Vanstone, Scott A. (1993). "Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field". IEEE Transactions On Information Theory 39 (5). 
  4. ^ "NICT, Kyushu University and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography". Press release from NICT. June 18, 2012. 

External links[edit]