Wikipedia

Pairing-based cryptography: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
m Classification: Journal cites, Added 1 doi to a journal cite using AWB (10870)
Kylras (talk | contribs)
223 edits
Link suggestions feature: 3 links added.
 
(42 intermediate revisions by 31 users not shown)
Line 2:
 
==Definition==
The following definition is commonly used in most academic papers.<ref>{{cite journalbook|last1=Koblitz|first1=Neal|last2=Menezes|first2=Alfred|title=Cryptography and Coding |chapter=Pairing-Based cryptography at high security levels|journalseries=LNCSLecture Notes in Computer Science|date=2005|volume=3796|pages=13–36 |doi=10.1007/11586821_2|isbn=978-3-540-30276-6 }}</ref>
 
Let <math>\mathbb{F}_q</math> be a [[finite field]] over prime <math>q</math>, <math>G_1, G_TG_2</math> be two additive [[cyclic groupsgroup]]s of prime order <math>q</math> and <math>G_T</math> another cyclic group of order <math>q</math> written multiplicatively. A pairing is a map: <math> e: G_1 \times G_2 \rightarrow G_T </math>, which satisfies the following properties:
#; [[Bilinear map|Bilinearity]]: <math> \forall a,b \in F_q\mathbb{F}_q^*,\ P\forallin PG_1,Q Q\in G_1G_2:\ e\left(P^aaP, Q^bbQ\right) = e\left(P, Q\right)^{ab}</math>
#; [[Degeneracy (mathematics)|Non-degeneracy]]: <math>e\left(P, Q\right) \neq 1</math>
#; Computability: thereThere existexists an efficient [[algorithm]] to compute <math>e</math>.
 
== Classification ==
Line 13:
 
Some researchers classify pairing instantiations into three (or more) basic types:
* '''Type 1''':# <math> G_1 = G_2</math>;
* '''Type 2''':# <math> G_1 \ne G_2</math> but there is an ''efficiently computable'' [[homomorphism]] <math>\phi : G_2 \to G_1</math>;
* '''Type 3''':# <math> G_1 \ne G_2</math> and there are no ''efficiently computable'' homomorphisms between <math>G_1</math> and <math>G_2</math>.<ref name="pfc">{{cite journal|last1=Galbraith|first1=Steven|last2=Paterson|first2=Kenneth|last3=Smart|first3=Nigel|title=Pairings for Cryptographers|journal=Discrete Applied Mathematics|date=2008|volume=156|issue=16|pages=3113–3121|doi=10.1016/j.dam.2007.12.010|doi-access=free}}</ref>
 
==Usage in cryptography==
If symmetric, pairings can be used to reduce a hard problem in one group to a different, usually easier problem in another group.
 
For example, in groups equipped with a [[Bilinear map|bilinear mapping]] such as the [[Weil pairing]] or [[Tate pairing]], generalizations of the [[Diffie–Hellman problem|computational Diffie–Hellman problem]] are believed to be infeasible while the simpler [[decisional Diffie–Hellman assumption|decisional Diffie–Hellman problem]] can be easily solved using the [[pairing function]]. The first group is sometimes referred to as a '''Gap Group''' because of the assumed difference in difficulty between these two problems in the group.<ref name=":0">{{Cite book |last1=Boneh |first1=Dan |last2=Lynn |first2=Ben |last3=Shacham |first3=Hovav |chapter=Short Signatures from the Weil Pairing |series=Lecture Notes in Computer Science |date=2001 |volume=2248 |editor-last=Boyd |editor-first=Colin |title=Advances in Cryptology — ASIACRYPT 2001 |chapter-url=https://link.springer.com/chapter/10.1007/3-540-45682-1_30 |language=en |___location=Berlin, Heidelberg |publisher=Springer |pages=514–532 |doi=10.1007/3-540-45682-1_30 |isbn=978-3-540-45682-7}}</ref>
 
Let <math>e</math> be a non-degenerate, efficiently computable, bilinear pairing. Let <math>g</math> be a generator of <math>G</math>. Consider an instance of the [[Computational Diffie–Hellman problem|CDH problem]], <math>g</math>,<math>g^x</math>, <math>g^y</math>. Intuitively, the pairing function <math>e</math> does not help us compute <math>g^{xy}</math>, the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable. Given <math>g^z</math>, we may check to see if <math>g^z=g^{xy}</math> without knowledge of <math>x</math>, <math>y</math>, and <math>z</math>, by testing whether <math>e(g^x,g^y)=e(g,g^z)</math> holds.
While first used for [[Menezes-Okamato-Vanstone_attack|cryptanalysis]], <ref>{{cite journal|last1=Menezes|first1=Alfred J. Menezes|last2=Okamato|first2=Tatsuaki|last3=Vanstone|first3=Scott A.|title=Reducing Elliptic Curve Logarithms
to Logarithms in a Finite Field|journal=IEEE Transactions On Information Theory|date=1993|volume=39|issue=5}}</ref> pairings have also been used to construct many cryptographic systems for which no other efficient implementation is known, such as [[identity based encryption]] or [[attribute based encryption]] schemes.
 
By using the bilinear property <math>x+y+z</math> times, we see that if <math>e(g^x,g^y)=e(g,g)^{xy}=e(g,g)^{z}=e(g,g^z)</math>, then, since <math>G_T</math> is a prime order group, <math>xy=z</math>.
A contemporary example of using bilinear pairings is exemplified in the [[Boneh-Lynn-Shacham]] signature scheme.
 
While first used for [[cryptanalysis]],<ref>{{cite journal|last1=Menezes|first1=Alfred J. Menezes|last2=Okamato|first2=Tatsuaki|last3=Vanstone|first3=Scott A.|title=Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field|journal=IEEE Transactions Onon Information Theory|date=1993|volume=39|issue=5|pages=1639–1646 |doi=10.1109/18.259647 }}</ref> pairings have also been used to construct many cryptographic systems for which no other efficient implementation is known, such as [[identity -based encryption]] or [[attribute -based encryption]] schemes. Thus, the security level of some pairing friendly elliptic curves have been later reduced.
== Cryptanalysis ==
 
Pairing-based cryptography is used in the [[Cryptographic commitment#KZG commitment|KZG cryptographic commitment scheme]].
In June 2012 the National Institute of Information and Communications Technology (NICT), Kyushu University, and Fujitsu Laboratories Limited improved the previous bound for successfully computing a discrete logarithm on a [[supersingular elliptic curve]] from 676 bits to 923 bits.<ref>{{cite web |work=Press release from NICT |date=June 18, 2012 |url=http://www.nict.go.jp/en/press/2012/06/18en-1.html |title=NICT, Kyushu University and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography }}</ref>
 
A contemporary example of using bilinear pairings is exemplified in the [[Boneh-Lynn-ShachamBLS digital signature]] signature scheme.<ref name=":0" />
== References ==
 
Pairing-based cryptography relies on hardness assumptions separate from e.g. the [[elliptic-curve cryptography]], which is older and has been studied for a longer time.
 
== Cryptanalysis ==
In June 2012 the [[National Institute of Information and Communications Technology]] (NICT), [[Kyushu University]], and [[Fujitsu#Fujitsu Laboratories|Fujitsu Laboratories Limited]] improved the previous bound for successfully computing a [[discrete logarithm]] on a [[supersingular elliptic curve]] from 676 bits to 923 bits.<ref>{{cite web |work=Press release from NICT |date=June 18, 2012 |url=http://www.nict.go.jp/en/press/2012/06/18en-1.html |title=NICT, Kyushu University and Fujitsu Laboratories Achieve World Record Cryptanalysis of Next-Generation Cryptography }}</ref>
 
In 2016, the Extended Tower [[General number field sieve|Number Field Sieve]] algorithm<ref>{{Cite journal |last1=Kim |first1=Taechan |last2=Barbulescu |first2=Razvan |date=2015 |title=Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case |url=https://eprint.iacr.org/2015/1027 |journal=Cryptology ePrint Archive |language=en}}</ref> allowed to reduce the complexity of finding discrete logarithm in some resulting groups of pairings. There are several variants of the multiple and extended tower number field sieve algorithm expanding the applicability and improving the complexity of the algorithm. A unified description of all such algorithms with further improvements was published in 2019.<ref>{{cite journal |last1=Sarkar |first1=Palash |last2=Singh |first2=Shashank |year=2019 |title=A unified polynomial selection method for the (tower) number field sieve algorithm |journal=Advances in the Mathematics of Communications |volume=13 |issue=3 |pages=435–455 |doi=10.3934/amc.2019028|doi-access=free }}</ref> In view of these advances, several works<ref>{{citation|last1=Menezes|first1=Alfred|last2=Sarkar|first2=Palash|last3=Singh|first3=Shashank|title=Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography|publisher=Springer-Verlag|series=Lecture Notes in Computer Science|volume=10311|year=2016|pages=83–108|doi=10.1007/978-3-319-61273-7_5 |url=https://doi.org/10.1007/978-3-319-61273-7_5|isbn=978-3-319-61272-0|url-access=subscription}}</ref><ref>{{Cite journal |last1=Barbulescu |first1=Razvan |last2=Duquesne |first2=Sylvain |date=2019-10-01 |title=Updating Key Size Estimations for Pairings |url=https://doi.org/10.1007/s00145-018-9280-5 |journal=Journal of Cryptology |language=en |volume=32 |issue=4 |pages=1298–1336 |doi=10.1007/s00145-018-9280-5 |s2cid=253635514 |issn=1432-1378}}</ref> provided revised concrete estimates on the key sizes of secure pairing-based cryptosystems.
 
== References ==
{{Reflist}}
 
==External links==
*[httphttps://theorycourses.lcscsail.mit.edu/classes/6.897/spring04/L25.pdf Lecture on Pairing-Based Cryptography]
*[http://www.larc.usp.br/~pbarreto/pblounge.html The Pairing-Based Crypto Lounge]
*[http://crypto.stanford.edu/pbc/ Ben Lynn's PBC Library]
 
[[Category:PublicPairing-keybased cryptography| ]]
[[Category:Pairing-basedElliptic curve cryptography]]
 
 
{{crypto-stub}}
Retrieved from "https://en.wikipedia.org/wiki/Pairing-based_cryptography"