Pairing-based cryptography explained

Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping

e:G₁ x G₂\toG_T

to construct or analyze cryptographic systems.

Definition

The following definition is commonly used in most academic papers.^[1]

Let

F_q

be a finite field over prime

G_1,G₂

two additive cyclic groups of prime order

and

G_T

another cyclic group of order

written multiplicatively. A pairing is a map:

e:G₁ x G₂ → G_T

, which satisfies the following properties:

Bilinearity:

\foralla,b\in

	*,
F
	q

P\inG_1,Q\inG_{2: e\left(aP,}bQ\right)=e\left(P,Q\right)^ab

Non-degeneracy:

e ≠ 1

Computability: There exists an efficient algorithm to compute

Classification

If the same group is used for the first two groups (i.e.

G₁=G₂

), the pairing is called symmetric and is a mapping from two elements of one group to an element from a second group.

Some researchers classify pairing instantiations into three (or more) basic types:

G₁=G₂

;

G₁\neG₂

but there is an efficiently computable homomorphism

\phi:G₂\toG₁

;

G₁\neG₂

and there are no efficiently computable homomorphisms between

G₁

and

G₂

.^[2]

Usage in cryptography

If symmetric, pairings can be used to reduce a hard problem in one group to a different, usually easier problem in another group.

For example, in groups equipped with a bilinear mapping such as the Weil pairing or Tate pairing, generalizations of the computational Diffie–Hellman problem are believed to be infeasible while the simpler decisional Diffie–Hellman problem can be easily solved using the pairing function. The first group is sometimes referred to as a Gap Group because of the assumed difference in difficulty between these two problems in the group.^[3]

Let

be a non-degenerate, efficiently computable, bilinear pairing. Let

be a generator of

. Consider an instance of the CDH problem,

g^x

g^y

. Intuitively, the pairing function

does not help us compute

g^xy

, the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given

g^z

, we may check to see if

g^z=g^xy

without knowledge of

, and

, by testing whether

e(g^x,g^y)=e(g,g^z)

holds.

By using the bilinear property

x+y+z

times, we see that if

e(g^x,g^y)=e(g,g)^xy=e(g,g)^z=e(g,g^z)

, then, since

G_T

is a prime order group,

xy=z

While first used for cryptanalysis,^[4] pairings have also been used to construct many cryptographic systems for which no other efficient implementation is known, such as identity-based encryption or attribute-based encryption schemes. Thus, the security level of some pairing friendly elliptic curves have been later reduced.

Pairing-based cryptography is used in the KZG cryptographic commitment scheme.

A contemporary example of using bilinear pairings is exemplified in the BLS digital signature scheme.

Pairing-based cryptography relies on hardness assumptions separate from e.g. the elliptic-curve cryptography, which is older and has been studied for a longer time.

Cryptanalysis

In June 2012 the National Institute of Information and Communications Technology (NICT), Kyushu University, and Fujitsu Laboratories Limited improved the previous bound for successfully computing a discrete logarithm on a supersingular elliptic curve from 676 bits to 923 bits.^[5]

In 2016, the Extended Tower Number Field Sieve algorithm^[6] allowed to reduce the complexity of finding discrete logarithm in some resulting groups of pairings. There are several variants of the multiple and extended tower number field sieve algorithm expanding the applicability and improving the complexity of the algorithm. A unified description of all such algorithms with further improvements was published in 2019.^[7] In view of these advances, several works^[8] provided revised concrete estimates on the key sizes of secure pairing-based cryptosystems.

External links

Notes and References

Book: Koblitz. Neal. Menezes. Alfred. Cryptography and Coding . Pairing-Based cryptography at high security levels. Lecture Notes in Computer Science. 2005. 3796. 13–36 . 10.1007/11586821_2. 978-3-540-30276-6 .
Galbraith. Steven. Paterson. Kenneth. Smart. Nigel. Pairings for Cryptographers. Discrete Applied Mathematics. 2008. 156. 16. 3113–3121. 10.1016/j.dam.2007.12.010. free.
Book: Boneh . Dan . Lynn . Ben . Shacham . Hovav . Short Signatures from the Weil Pairing . Lecture Notes in Computer Science . 2001 . 2248 . Boyd . Colin . Advances in Cryptology — ASIACRYPT 2001 . https://link.springer.com/chapter/10.1007/3-540-45682-1_30 . en . Berlin, Heidelberg . Springer . 514–532 . 10.1007/3-540-45682-1_30 . 978-3-540-45682-7.
Menezes. Alfred J. Menezes. Okamato. Tatsuaki. Vanstone. Scott A.. Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory. 1993. 39. 5. 1639–1646 . 10.1109/18.259647 .
Web site: Press release from NICT . June 18, 2012 . NICT, Kyushu University and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography .
Kim . Taechan . Barbulescu . Razvan . 2015 . Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case . Cryptology ePrint Archive . en.
Sarkar . Palash . Singh . Shashank . 2019 . A unified polynomial selection method for the (tower) number field sieve algorithm . Advances in the Mathematics of Communications . 13 . 3 . 435–455 . 10.3934/amc.2019028. free .
Barbulescu . Razvan . Duquesne . Sylvain . 2019-10-01 . Updating Key Size Estimations for Pairings . Journal of Cryptology . en . 32 . 4 . 1298–1336 . 10.1007/s00145-018-9280-5 . 253635514 . 1432-1378.